In an interview with WIRED Wednesday, Roland Cloutier, TikTok’s global head of security, declined to address questions about China directly, but stressed that TikTok was committed to maintaining robust security practices, including allowing outside firms to audit its technology. “What I can talk about is facts, and the facts are quite simple,” Cloutier said. “We use multiple external third parties [and] internal security teams to test and validate and beat on our product on a daily basis to look at potential vulnerabilities.” Cloutier joined TikTok earlier this year, after stints as head of security at the software firm ADP and after spending a decade in the US military and Department of Veterans Affairs.
Mobile security experts say TikTok’s data collection practices aren’t particularly unique for an advertising-based business, and largely resemble those of its US-owned competitors. “For the iOS app available to Western audiences, it appears to collect very standard analytics information,” says Will Strafach, an iOS security researcher and creator of the privacy-focused Guardian Firewall app. That includes things like a user’s device model, their screen resolution, the operating system they use, and the time zone they’re in. “Most data collection by apps concerns me, I don’t like any of it. However, in context, TikTok appears to be pretty tame compared to other apps,” he says.
Dave Choffnes, a computer science professor and mobile networking researcher at Northeastern University, wasn’t able to assess the Android version of TikTok firsthand, but relied on an analysis posted to Reddit, which many of TikTok’s critics have cited. Based on that, Choffnes says TikTok appears to be “in the same league” as other social media apps, which often collect extensive data about their users, including their precise location. Just because these practices are common, Choffnes says, doesn’t mean TikTok is totally benign. “Users should be questioning whether installing and using the app is worth handing extensive data over to yet another company,” he says.
As with other apps, security researchers have found bugs inside TikTok, which were later patched. More recently, some users were alarmed when they learned TikTok was requesting access to their clipboards, which could potentially expose sensitive data like passwords. TikTok says the functionality was part of an anti-spam feature that detected when users tried to post the same comment on different videos over and over again, and that it never retained data from anyone’s clipboard. The feature has since been disabled.
The main thing distinguishing TikTok from other apps is its ownership. Unlike in other parts of the world, China experts say the Communist Party could easily pressure ByteDance to hand over data from TikTok. But it’s not clear that it has any good reason to do so. “Xi Jinping leadership has said, ‘We want tech companies that can be global brands that can compete in markets outside of China,’” says Samm Sacks, a cybersecurity policy and China digital economy fellow at the think tank New America. TikTok is one of China’s few truly global tech companies, and any suspicious behavior from Beijing, if uncovered, would jeopardize that.
“I think the incentives are lined up for them not to just ride roughshod over privacy,” says Kaiser Kuo, co-founder of the China affairs podcast Sinica and a former communications executive at the Chinese tech giant Baidu. It’s also unclear how valuable the personal data of TikTok’s overwhelmingly teenage user base would be to a government that has, according to US intelligence agencies, obtained highly sensitive information about millions of Americans through hacking the Office of Personnel Management, Anthem health insurance, and more.