TikTok has made efforts to be more transparent about its practices and to distance itself from Beijing, including pulling out of Hong Kong, where a sweeping national security law imposed by China went into effect last month. During the first three months of this year, ByteDance spent $300,000 on lobbying in Washington, according to the Center for Responsive Politics, where it hasn’t received a warm welcome from US lawmakers. Last fall, a number of senators raised security concerns about the app, and the Committee on Foreign Investment opened an investigation into ByteDance’s purchase of Musical.ly, a lip-syncing platform it later combined with TikTok. And in December, the Pentagon ordered military personnel to delete TikTok from their devices.
In an interview with WIRED Wednesday, Roland Cloutier, TikTok’s global head of security, declined to address questions about China directly, but stressed that TikTok was committed to maintaining robust security practices, including allowing outside firms to audit its technology. “What I can talk about is facts, and the facts are quite simple,” Cloutier said. “We use multiple external third parties [and] internal security teams to test and validate and beat on our product on a daily basis to look at potential vulnerabilities.” Cloutier joined TikTok earlier this year, after a stint as head of security at the software firm ADP and, before that, a decade in the US military and the Department of Veterans Affairs.
Mobile security experts say TikTok’s data collection practices aren’t particularly unique for an advertising-based business, and largely resemble those of its US-owned competitors. “For the iOS app available to Western audiences, it appears to collect very standard analytics information,” says Will Strafach, an iOS security researcher and creator of the privacy-focused Guardian Firewall app. That includes things like a user’s device model, their screen resolution, the operating system they use, and the time zone they’re in. “Most data collection by apps concerns me, I don’t like any of it. However, in context, TikTok appears to be pretty tame compared to other apps,” he says.
Dave Choffnes, a computer science professor and mobile networking researcher at Northeastern University, wasn’t able to assess the Android version of TikTok firsthand, but relied on an analysis posted to Reddit, which many of TikTok’s critics have cited. Based on that, Choffnes says TikTok appears to be “in the same league” as other social media apps, which often collect extensive data about their users, including their precise location. Just because these practices are common, Choffnes says, doesn’t mean TikTok is totally benign. “Users should be questioning whether installing and using the app is worth handing over extensive data over to yet another company,” he says.
As with other apps, security researchers have found bugs in TikTok, which were later patched. More recently, some users were alarmed when they learned TikTok was requesting access to their clipboards, which could potentially expose sensitive data like passwords. TikTok says the functionality was part of an anti-spam feature that detected when users tried to post the same comment on different videos over and over again, and that it never retained data from anyone’s clipboard. The feature has since been disabled.