TikTok Engaging in Excessive Data Collection

TikTok has been engaging in excessive data collection and connecting to mainland China-based infrastructure, Internet 2.0 has claimed in a new white paper.

The latest report, overseen by Internet 2.0’s head security engineer Thomas Perkins, is an analysis of “the source code of TikTok mobile applications Android 25.1.3 as well as IOS 25.1.1”, with Internet 2.0 carrying out static and dynamic testing between 1 July to 12 July 2022 that focused on device and user data collection.

The report identified multiple instances of unwarranted data harvesting, including:

  • Device mapping
  • Hourly monitoring of device location
  • Persistent calendar access
  • Continuous requests for access to contacts
  • Device information

Intensifying the overreach issue is the sheer number of users on TikTok and its prominent market position, where according to the report the application has over 1 billion active users globally as of September 2021.

The whitepaper goes on to note that TikTok IOS 25.1.1 has a server connection to mainland China, which Internet 2.0 believe is run by Chinese cyber security and data company Guizhou Baishan Cloud Technology Co., Ltd. Despite TikTok asserting that user data is stored in Singapore and the US, the report found evidence of “many subdomains in the IOS application resolving all around the world”. This included Sydney, Adelaide and Melbourne (Australia), Utama and Jakarta (Indonesia), Kuala Lumpur (Malaysia), and Baishan (China). The report’s analysis could not confidently determine “the purpose for the China Server connection or where user data is stored.”

The paper concluded by stating that for TikTok to operate effectively, most of the observed access and device data collection is unnecessary, with the application able to run successfully “without any of this data being gathered.” From this, Internet 2.0 deduced that the sole purpose this information is being collected is for data harvesting. The report’s conclusion also noted the application’s persistent behaviour of asking for users to reverse their preference decisions to access sought-after data.   

Internet 2.0 put all of their research to TikTok for comment and verification. However, the application company refused to go on the record about the details of their China-based infrastructure.

What’s Hot on Infosecurity Magazine?