Is TikTok Really a National Security Threat? New Report From University of Toronto Says No

One of the hottest social media discussion topics of late 2020 was the Trump administration’s proposed ban of popular social media platform TikTok as a national security threat. With 80 million active monthly users in the United States, and a fair share of them making a living from the platform, it was naturally a very contentious idea.

The ban eventually sputtered out without ever really being enforced; the Biden administration has the whole affair on pause pending a broader review of the previous administration’s China policy. Though the Beijing-based app may well still end up being sold to an American company due to Trump’s pressure (the odd tandem of Oracle and Walmart being the frontrunners at present), the framing of TikTok as a national security threat was always much more speculative than tied to concrete evidence of spying. While independent reverse engineering of the app raised some questions about its capabilities, the concern was based more on China’s national intelligence laws, which compel any private business within its borders to turn over data to the government upon request.

Cybersecurity researchers from the University of Toronto’s Citizen Lab have tackled the question of TikTok’s trustworthiness by comparing its code to Douyin, the version made available in China. The researchers found that Douyin collects a greater amount of personal information and sends it to a variety of servers in China, but TikTok does not share that code. While that does not preclude the possibility of stored data being handed over in other ways, the researchers conclude that TikTok is not a direct or overt national security threat as it is presently constructed.

TikTok doesn’t present a direct national security threat, but some questions remain

The research builds on prior work (published in May of 2020) which found that WeChat, China’s most popular messaging app and also targeted for a ban by the Trump administration, contained a hidden censorship algorithm that scanned non-Chinese accounts to train itself for automated filtering of what Chinese users see on the platform.

The report notes that ByteDance created Douyin first, initially launching it as A.me in September 2016. It was used as a base for TikTok, but TikTok stands on its own as an entirely separate app and does not communicate with Douyin (or its userbase) in any way. The analysis finds that the two apps share many pieces of a common source code base, but differ in fundamental ways when it comes to personal information collection.

The research finds that while neither app behaves in a way consistent with malware, each collects personal information and Douyin distributes it more widely to a variety of Chinese companies (such as Xiaomi and Taobao). The researchers characterize TikTok as collecting about the same amount of information that Facebook and Google routinely do with their services; these companies are also among the handful of Western third parties that TikTok shares its information with.

Both apps collect the sort of usage pattern information that is useful to digital marketers, as well as device information such as model and serial number. While this information allows one to make a positive identification of a device across multiple platforms with high confidence, Douyin differs from TikTok in that it collects the ultimate identifier: each device’s unique MAC address. Douyin is also able to dynamically load code, something that TikTok has not been observed doing.

The research found that both apps have code that allows for restricting search results based on content, but only Douyin was found to actively restrict certain search terms. This is openly known in China as government laws require the removal of certain political content from the platform.

Not passing data “directly” to Chinese government

In terms of data sharing and national security threat, the researchers found that TikTok is not communicating with any servers based in China. So it appears that user data from outside of China is not stored directly on servers in the country, but things get muddy from there. This does not preclude the possibility that data sent to other servers is later moved to storage in China, for example. TikTok issues periodic transparency reports that document the sources of data requests and do not list any from China, but the report notes that there would be no real penalty for simply not listing requests made by the Chinese government. It is also possible that while TikTok itself may not directly share user data with China, it may pass it on to parent company ByteDance in Beijing which then subjects it to national intelligence requests.

The report thus does not completely settle the question of whether TikTok is a national security threat. It provides a strong indication that the app itself is not misbehaving and not passing data directly to Chinese servers, but it does not preclude the possibility that data could find its way to the Chinese government by other routes that cannot be directly tracked. And while it is considered “relatively” safe, that means relative to services that scoop up a tremendous amount of personal data that could present a national security threat in the wrong hands. As Ilia Kolochenko, Founder and Chief Architect for ImmuniWeb, points out: “Today, many social networks deploy borderline data collection practices that defy the very purpose of privacy protection, while staying lawful from a formalistic viewpoint. Likely, during the next 2-3 years we will see a sunrise of user privacy in most civilized countries that will terminate any dubious practices of social networks and monopolistic IT companies.”

One item that is confirmed by the report is that TikTok is employing device fingerprinting to track users, specifically canvas fingerprinting. That process will soon be forbidden on Apple devices as part of the new iOS 14 privacy package, but it remains to be seen if ByteDance and other Chinese companies will comply.