The Rise of TikTok

2020 has been an incredibly turbulent year. COVID-19 has upended the global economy and continues to alter daily life in the US. As colleges and schools closed down, students returned home, classes and workplaces moved online, university and professional sports were cancelled or postponed, many people were forced to find new forms of socially distant entertainment. 

As a result, many people joined TikTok, a highly addicting video sharing, social media app. You may be familiar with its predecessor, Vine, another video sharing application. Unlike Vine, which was owned by Twitter or Youtube, the most popular video sharing application and a Google subsidiary, TikTok is owned by a Chinese company called ByteDance based in Beijing. It is this connection to China that has been the cause of recent uproar. 

Distribution of US TikTok Users by Age as of June 2020

Screen Shot 2020-09-03 at 4.22.27 PM

Source

Prior to the coronavirus pandemic, TikTok was steadily gaining a large amount of attention. When the Coronavirus pandemic hit globally in March 2020, TikTok’s downloads increased significantly. According to Senor Tower’s “Q2 2020 Store Intelligence Data Digest,” TikTok is the only application downloaded over 300 million times in consecutive quarters – Q1 and Q2 2020. The app captured the attention of young and older folks alike. All this newfound attention brought about concerns about TikTok’s cybersecurity and data collection methods.

Screen Shot 2020-09-03 at 4.24.29 PM

Source

Screen Shot 2020-09-04 at 1.45.42 PM

Prominent lawmakers and politicians have argued that TikTok presents a national security issue. The concern is that TikTok is owned by a Chinese company and the Chinese government can access millions of American’s user data and exploit it for its own agenda. 

Others have also voiced concern, In late 2019, a California student sued TikTok for its data usage. A reddit user in early April 2020 reportedly reversed engineered the app itself, claiming that “TikTok is a data collection service that is thinly-veiled as a social network.” This build of publicity, paired with tense Chinese-American relations, led to the unprecedented decision by Donald Trump to sign an executive order prohibiting all transactions with TikTok’s owner Bytedance by American organizations. 

Does TikTok really pose a major threat to the average American user? Is it any different than the other social media applications with regards to privacy policies, trackers or requested permissions? I do my best to answer these questions here. 

Personal User Data

Personal user data is any kind of information that can directly or indirectly identify you as a user or individual. This can include information such as your name, username, phone number, address, and IP address. This information allows companies to identify and analyze the preferences of specific consumers. In turn, companies can target individuals with specific products or services that they are confident resonate with a consumer based on indicators such as age, interests, online activity, and correlating trends to other similar demographics. 

Personal data can be easily abused if it falls in the hands of the wrong people. Marketing tactics aside, there is a darker, more manipulative side of personal data collection. In the 2018 Cambridge Analytica scandal, millions of Facebook users’ personal data were leaked and harvested without consent by Cambridge Analytica. The information was subsequently used by Ted Cruz and Donald Trump’s political campaigns. Larger, more detrimental attacks such as foreign influence on elections, the targeting of prominent activists, and surveillance of minorities have also been brought-to-light in the Russian Interference Investigation last year. 

How did TikTok end up in the Hot Seat? (The History of TikTok)

TikTok stemmed from the 2014 app Musical.ly, a video sharing, lip syncing app. Musical.ly was also founded by a Chinese company based in Shanghai. In 2018, Musical.ly was acquired by ByteDance, and merged with its already established, lip syncing app (Douyin 抖音) and later renamed to TikTok. 

Most recently, TikTok has been criticized for its data collection methods and its alleged connection to the Chinese government. Both TikTok US and TikTok India, on separate occasions, have come out with statements emphasizing that TikTok has never shared the user data of their respective countries with the Chinese government. It is difficult to verify the claims that the Chinese government has access to TikTok user information, but we can more easily analyze TikToks data collection methods. To begin, let’s look at the privacy policy. 

Privacy Policies

Any website or platform that gathers information on its users is required to have a privacy policy. Privacy policies create transparency regarding how a company will collect, store, and utilize user data. That being said, it’s important to recognize that these policies do not guarantee that companies will follow the claimed privacy policies closely. 

Most social media platforms have three main sections of the privacy policy: What data they collect from their users, how they use such data internally, and how they share it. Let’s consider the policies of TikTok, Facebook, and Google.

  • Data collected from users

There are three general types of data that are collected about users. 

First, information provided by the user – name, username, password, phone number, and email. 

Second, information collected from users’ interactions with the platform. There are two levels to this. The first level I’ll call direct interactions – usage information (content and ads you engage with, search queries, crash reports). The second level I’ll call indirect interaction, which includes details that are more personal to you as a user such as: 

  1. Location data – IP address, wifi access points, cell towers. 
  2. Device data – device model, mobile carrier, operating system.
  3. Other unique identifiers. 

Within the conversation of data collection, indirect interaction data is the most controversial. Many people oppose being closely monitored and analyzed both online and off, and view this component as a violation of personal privacy. Indirect interactions through the use of device IDs, IP addresses, and other unique identifiers are able to specifically identify you as a user even without the information you provided willingly. With all major platforms collecting this kind of information, it raises a cause for user concern. 

Lastly, information collected from partners and 3rd party sources. Platforms will collect information on their users from publicly available sources, advertising partners, analytics providers, app developers, and any accounts you may link together. For example, using Facebook to sign into other platforms such as LinkedIn.

TikTok, Facebook, and Google collect both direct and indirect interaction data, and it is clearly stated in their privacy policies. This gives them the ability to create detailed and insightful profiles for each of their users. Your interaction data allows them to know when you use the platform, where you’re located and what content you’re looking at, along with a myriad of other things. These profiles can also include more sophisticated user information based on other specific pieces of data they collect. For example, TikTok collects keystroke patterns and Facebook collects mouse movements, which have both been known to be used as biometric identifiers. Google collects voice and audio information, which is also a biometric identifier that has been used as a tool by the NSA or other intelligence agencies. 

  • How platforms use users’ information

Most generally, user data is primarily used to customize content, improve, and develop their platform. Targeted advertisements, products, and services are also a result of how user data is utilized on platforms. Beyond what is written in their privacy policies, specific algorithms and other uses of data are not generally made public. 

  • How platforms share users’ information

TikTok, Facebook, and Google state in their privacy policies that they share their user data with their “service providers, business partners, and other 3rd party partners.” It is not specified who these people or companies are, and who these platforms choose to share with, we as users ultimately have no control over this. This lack of control creates an easy opportunity for misuse of user data: AT&T (2015), law enforcement databases (2016), Deep Roots Analytics (2017), Facebook and Cambridge Analytica (2018), Facebook (2019), Zoom (2020)

Permissions and Trackers 

Permissions are access rights to an application. You see such permissions when asked to access a function on your device, such as accessing the camera, microphone, location, your contacts, location, etc. Some permissions must be manually granted by the user, but some permissions are automatically granted at download after agreeing to the privacy policy.

Screen Shot 2020-09-04 at 11.59.43 AM

Trackers are pieces of software that gather information on the user and the device(s) the application is used on. Trackers are usually created by companies as SDKs (Software Development Kits) developed by the owning platform. Trackers are developed to make it easier for application developers to monitor users. These set of tools not only help developers with their code but also give advertisers and various marketing companies a glimpse into our personal information. 

The amount of trackers or permissions in an app doesn’t necessarily correlate to an app being more or less dangerous. Rather, it illustrates to what extent an application can have access to your data, allowing platforms to better tailor advertisements based on your user activity and behavior. 

In order to evaluate the level of access an application has to your data we used Exodus Privacy. Exodus Privacy analyzes privacy concerns in Android applications by tracking how many trackers and permissions are embedded in Google Play store apps.

Using Exodus Privacy, one can collect tracker and permission data on our 3 major applications from the Google Play store. Based on the most recent Exodus Privacy reports, Facebook has the greatest number of trackers on their platform at 8 with TikTok having the second most at 7. Google has the greatest number of permissions at 93 with TikTok also placing second with 67. 

Trackers and Permissions of TikTok, Facebook, and Google.Screen Shot 2020-09-03 at 4.43.06 PM

What makes up this gap of permissions? 

Comparison: TikTok vs. Google Permissions

Screen Shot 2020-09-04 at 12.51.25 PM

Based on the Google and TikTok permissions lists, only 26 permissions are shared between the two. This includes permissions such as access to location, camera, flashlight, as well as contacts and settings. When you isolate Google’s other 67 permissions, we can see that the Google app has significantly more permissions relating to functionality of the whole device, rather than only functionality within the Google app itself. This access includes bluetooth functionality, voice access, calendar, SMS, wallpaper, fingerprint, writing contacts, alarms, and activity recognition. The remaining 41 TikTok permissions do not relate as heavily to functions of the phone outside the app.

Screen Shot 2020-09-03 at 4.46.50 PM

Source

The top 10 trackers utilized by applications are owned by Google and Facebook. It is highly likely that Google and Facebook have access to all potential user data when android apps implement these trackers on their platforms. With Google and Facebook dominating the majority of trackers used, this raises many concerns. Does Facebook and Google have a potential path to information through dating apps, financial institutions, healthcare providers, and genealogy websites? The answer is grimly unsurprising. Using exodus privacy, we can see that Tinder, Bumble, Citi Mobile, Capital One, MyChart, 23andMe, and Ancestry, among others, all utilize Google or Facebook trackers to different extents. 

Arguably, the main issue comes down to what platforms do with the information that they collect, but this is a difficult question to answer. Based on the information that Facebook and Google are transparent about collecting, we can reasonably assume that TikTok engages in similar analyses, algorithms, and activities. In reality, platforms have the ability to give their information to whomever they want, but their overall access to data can differ greatly. Google and Facebook have shown that their reach extends extremely far through the establishment of partnerships and connections. In order to use an app, we surrender our user data. If platform developers want to maximize their potential engagement, they may utilize Google or Facebook trackers, and we surrender our data in agreement. 

The Bottom Line

Based on TikTok’s privacy policy, trackers, permissions, and their overall reach, we can reasonably assume that TikTok in a vacuum is no more of a threat to American users than other applications. TikTok does collect data on its users and that’s clearly laid out in their privacy policy. But like the other ubiquitous applications, it’s impossible to know where that data goes when left unchaperoned. 

When we agree to use a website or application or platform, it becomes a tradeoff, access to the service in exchange for your information. That user information is used in algorithms that are not specified in the privacy policies. These have a huge impact on the digital environments provided to us. For example, the potential matches we receive on dating apps, or the news perspectives or opinions we see on social media apps. 

As alarming and grim this appears to be, there are steps you can take to protect your data. Some applications and websites allow you to manage different settings such as: disabling or limiting cookies, managing or opting out of advertising preferences, turning off GPS location services, limiting the amount of personal information you share on a platform, revoking permissions, or simply deleting your account. 

You can also use Exodus Privacy to see what trackers and permissions are on apps in the Google play store. Additionally, Android users can also utilize Classy Shark to inspect applications installed on your device or F-Droid, an open source Android app marketplace that offers FOSS (Fully Open Source Software) apps with zero trackers.

Cyber security is an issue that should be taken very seriously, not only by the average user, but by companies providing online platforms, and the government. As an average user, it’s unlikely we can know where our data is going and how it’s being used. Nations are constantly trying to gather intel, and it would be naive to assume that governments don’t have their own, hidden methods of accessing user data. It is entirely plausible that the Chinese government may have access to US user data, but based on TikTok’s digital presence, their overall reach for user data is relatively small. Facebook and Google on the other hand, as we have discussed above, have extremely extensive reaches into user data through their vast network and partnerships. It’s important to keep all these concerns in mind when navigating through this data challenge, or even better, offering solutions to move forward. 

 

 

Data collected from: 

Exodus Privacy