Proton
An illustration of the Chinese government using TikTok to watch its users.

TikTok and the privacy perils of China’s first international social media platform

TikTok, the video-sharing platform owned by the Chinese social media giant ByteDance, is one of the most popular social media services in the world, with an estimated 800 million users. However, its zealous data collection, use of Chinese infrastructure, and its parent company’s close ties to the Chinese Communist Party make it a perfect tool for massive surveillance and data collection by the Chinese government. 

After reviewing TikTok’s data collection policies, lawsuits, cybersecurity white papers, past security vulnerabilities, and its privacy policy, we find TikTok to be a grave privacy threat that likely shares data with the Chinese government. We recommend everyone approach TikTok with great caution, especially if your threat model includes the questionable use of your personal data or Chinese government surveillance.

How much user data does TikTok collect?

As with just about every social media platform, the answer is: “a lot.” According to its privacy policy(nuova finestra), even if you just download and open the app but never create an account, TikTok will collect your:

  • IP address
  • Browsing history (i.e., the content you viewed on TikTok)
  • Mobile carrier
  • Location data if you are using a mobile device (including GPS coordinates and WiFi and mobile cell data)
  • Info on the device you used to access TikTok (for Android devices, this includes your IMEI number, which is essentially your device’s fingerprint so it can be identified, and potentially your IMSI number, which is used to track users from one phone to another)

To open an account, you must enter a phone number or email and your date of birth. Once you have created an account, TikTok asks your permission for access to your social media accounts (like Twitter, Instagram, Facebook, etc.), your phone’s contact list, and GPS data. 

Once you start using the app, TikTok logs details about:

  • Every video you upload
  • How long you watch videos
  • Which videos you like
  • Which videos you share
  • Any messages you exchange in the app

Finally, if you buy coins, the in-app currency you can use to support your favorite video creators, TikTok will store your payment information.

According to TikTok, if you delete your account, the company will delete your account data, videos, and information within 30 days. This claim is impossible to independently verify, as is the case with most social media companies. 

TikTok’s data collection is extreme, even for a social media platform that collects its users’ data to serve them with targeted ads. And TikTok explicitly states in its privacy policy that it shares your browsing data and email address with third parties so that it can serve you with targeted advertising. 

TikTok faces multiple class-action lawsuits in the US

On November 27, 2019, a group of TikTok users in California filed a class action lawsuit(nuova finestra) against TikTok and ByteDance, saying the TikTok app “includes Chinese surveillance software.” The lawsuit claims TikTok collects all videos shot on the app, even if the videos are not published or even saved. The lawsuit goes on to allege that TikTok uses the videos and photos users upload to collect biometric data (such as face scans) without user permission and that even after you close the app, TikTok continues to collect biometric data.

This lawsuit also alleges that TikTok surreptitiously sends user data to China, something we will address below. 

There is a similar class action lawsuit(nuova finestra) from users in Illinois. This suit also alleges that TikTok uses facial recognition technology and AI to collect users’ facial geometry without informing their users. Illinois has a strict law that requires companies to receive consent before they collect any biometric data.

Does TikTok share data with the Chinese government?

What distinguishes TikTok from other social media giants is that it is owned and operated by a Chinese company. ByteDance, the company that owns TikTok, is headquartered in Beijing and is worth over $100 billion. Chinese domestic laws and regulations, along with internal party politics, can make it hard to parse whether a company is independent or coordinating with the Chinese Communist Party.

Even if ByteDance wanted to resist Chinese Communist Party control, it would have little real prospect of doing so. China’s National Intelligence Law(nuova finestra), passed in 2017, allows the government to compel any Chinese company to provide practically any information it requests, including data on foreign citizens. Furthermore, Chinese laws also can force these requests to be kept secret and not disclosed via transparency reports. The lack of an independent judiciary system makes it almost impossible for a company to appeal a request from the Chinese government. On top of that, Chinese companies of any real size are legally required to have Communist Party “cells”(nuova finestra) inside them to ensure adherence to the party line.

However, there is little evidence ByteDance wants to resist the Chinese government. In fact, there are numerous examples that it is complicit in the Chinese Communist Party’s authoritarian policies. In 2018, ByteDance shut down Neihan Duanzi, a Chinese social media platform that was primarily used to share jokes and comedy, after state censors accused it of hosting “vulgar” content(nuova finestra). Afterward, ByteDance said that it would “deepen cooperation(nuova finestra)” with the Chinese communist party. It then hired 2,000 more “content reviewers(nuova finestra)” and stated that “strong political sensitivity” would be an asset for the position.

ByteDance has repeatedly made the case that TikTok is not available in China and that user data is not stored in China. This is misleading. In its privacy policy, TikTok explicitly reserves the right to share user information with other members of its “corporate group” (i.e., ByteDance). 

Additionally, a white paper(nuova finestra) by the cybersecurity firm Penetrum found that over one-third of the IP addresses the TikTok APK connects to are based in China. The majority of these IP addresses are hosted by Alibaba, another Chinese tech giant. These IP addresses are what led to the allegations in the California lawsuit that TikTok secretly sends data to China. According to the Penetrum report, “TikTok does an excessive amount of tracking on its users and that the data collected is partially if not fully stored on Chinese servers with the ISP Alibaba.

Alibaba works closely with the Chinese Communist Party and supports its invasive surveillance and censorship. It has a police post at its headquarters(nuova finestra) to facilitate data sharing with authorities and developed a popular Chinese propaganda app(nuova finestra)

The Chinese government has long used the data it collects from Chinese tech companies to monitor, censor, and control its citizens. The all-seeing surveillance system they have created to monitor Uyghurs in Xinjiang(nuova finestra) is just one example. It also maintains an Orwellian “blacklist”(nuova finestra) that the government uses to prevent over 13 million “untrustworthy” citizens from purchasing plane or train tickets. One can only imagine what the Chinese government would do if it were able to extend its data collection beyond its borders.

TikTok and censorship

There are also concerns that the Chinese government and ByteDance are using TikTok as a tool to extend China’s censorship. American employees reported to the Washington Post(nuova finestra) that they were pressured by administrators in Beijing to restrict any political content.

The Guardian(nuova finestra) reported on TikTok guidelines that require moderators to block videos that “distort” historic events, such as “Tiananmen Square incidents.” In one example, a teenage girl from Florida had her account shut down(nuova finestra) after she brought attention to the plight of the Uyghurs, a Muslim minority in China. (TikTok later reinstated her, claiming her ban was an error.)

Is TikTok secure?

In December 2019, the cybersecurity researchers at Check Point Research(nuova finestra) discovered multiple vulnerabilities, including ones that would allow attackers to delete user videos, make hidden videos public, or upload unauthorized videos. The researchers worked with the TikTok team, and they say that these vulnerabilities have now been resolved. 

In April 2020, security researchers(nuova finestra) discovered that some versions of the TikTok app for Android and iOS rely on HTTP connections. By not using HTTPS, TikTok makes it easy for attackers to monitor user activity and even alter the videos the user sees without their knowledge. 

TikTok says a fix is already underway, but this certainly isn’t a strong track record when it comes to security.

TikTok and children

Given the demographics of TikTok users and the amount of data TikTok collects, the company has faced criticism for collecting data from children. In February 2019, Musical.ly, the Chinese social media app that ByteDance bought and then merged with TikTok, paid a $5.7 million fine to the FTC(nuova finestra) to settle allegations that it violated the Children’s Online Privacy Protection Act (COPPA) by letting children under 13 sign up to its platform without their parents’ consent. 

In May 2020, 20 advocacy groups(nuova finestra) alleged that TikTok is still violating COPPA. They said the company never deleted the personal information it collected from children under 13 prior to the 2019 FTC settlement, is still not obtaining parents’ consent before collecting children’s personal info, and does not allow parents to review or delete the personal information it collects from their children.

Scrutiny of TikTok increases

Since February, politicians in Australia have been calling for greater scrutiny(nuova finestra) of the company’s data collection and possible censorship. On June 29, the Indian government banned TikTok(nuova finestra), along with over 50 other Chinese apps. And now, the US government(nuova finestra) is also weighing whether they should impose a ban on the app.  

As one US lawmaker said to the Wall Street Journal(nuova finestra), “all it takes is one knock on the door of their parent company [ByteDance], based in China, from a Communist Party official for that data to be transferred [from TikTok] to the Chinese government’s hands, whenever they need it.

Recently, US politicians have floated the idea of ByteDance selling TikTok(nuova finestra) as one way for the social media company to avoid questions over what it does with its users’ data. However, Chinese infrastructure and control are clearly deeply integrated into TikTok’s system, and it would be extremely hard for any company that purchased it to undo. 

Our take on TikTok

We stand for freedom of expression, and we want everyone to be able to voice their opinion. However, social media giants from TikTok to Facebook demand troves of personal data in exchange for the use of their platform. Often this data collection verges into the extreme. Does TikTok need access to your device’s ID number to deliver its service?

The fact that TikTok is owned by a Chinese company, one that has explicitly said it would deepen its cooperation with the Chinese Communist Party, makes this excessive data collection even more concerning. The Chinese government has a history of strong-arming and co-opting Chinese tech companies into sharing their data and then using this data to intimidate, threaten, censor, or engage in human rights abuses.

For these reasons, it is our opinion that, from a security and privacy standpoint, TikTok is an extremely dangerous social media platform. Its potential for mass collection of data from hundreds of millions of adults, teenagers, and children poses a grave risk to privacy. We believe that TikTok should be viewed with great caution, and if this concerns you, you should strongly consider deleting TikTok(nuova finestra) and its associated data. 

You can get a free secure email account from Proton Mail here(nuova finestra).

We also provide a free VPN service(nuova finestra) to protect your privacy.

Proton Mail and Proton VPN(nuova finestra) are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan(nuova finestra). Thank you for your support.


Feel free to share your feedback and questions with us via our official social media channels on Twitter(nuova finestra) and Reddit(nuova finestra).

Articoli correlati

how to write a professional email
en
Easy steps and examples for writing a professional email. See how Proton Mail can make your emails stand out.
Email etiquette: What it is and why it matters |
en
Find out what email etiquette is with key rules and examples, why it is important, and how Proton Mail can help.
A cover image for a blog about how to create an incident response plan that shows a desktop computer and a laptop with warning signs on their screens
en
Do you have an incident response plan to protect your business from financial and reputational damage? Find out how Proton Pass for Business can help you stay safe.
Shared with me in Proton Drive for desktop user interface
en
  • Per le aziende
  • Aggiornamenti dei prodotti
  • Proton Drive
We've improved Proton Drive for Windows to make it easier to securely collaborate with others from your desktop.
Smart glasses that have been modified for facial surveillance and dox you in real time, finding your personal information after seeing your face.
en
Students modified smart glasses to find someone’s personal data after just looking at them. This is why we must minimize data collection.
The cover image for a blog explaining what password encryption is and how Proton Pass helps users with no tech experience benefit from it
en
Password encryption sounds complicated, but anyone can benefit from it. We explain what it is and how it’s built into Proton Pass for everyone to use.