Love it or hate it, TikTok is here to stay. In fact, a recent estimation from research firm Higher Visibility is predicting that by 2025, there will be nearly 2.6 billion daily users – 106-times the population of Australia. This is based on the simple maths of there being eight new users join TikTok every second.
But with that frightening news out of the way, it’s time to discuss the next one: that using TikTok on your phone gives it access to your personal information.
New analysis by Australian cybersecurity firm Internet 2.0 has found TikTok requests almost complete access to the contents of a phone while the app is in use. That data includes calendar, contact lists and photos.
Appearing on ABC News, Internet 2.0 co-founder and co-CEO Robert Potter explained that he and his team pulled apart the app’s source code to asses how exactly it was functioning on a phone.
“When we did that, we saw the permission layer that the phone was requesting was significantly more than what they said they were doing publicly,” Potter told the ABC. “When the app is in use, it has the ability to scan the entire hard drive, access the contact lists, as well as see all other apps that have been installed on the device.”
Potter reckons these permissions are “significantly more” than what a social media site needs access to.
While the research has been talked about proving TikTok is ‘harvesting’ data, Potter said that because Internet 2.0 could only see parts of how the app was functioning, it doesn’t have visibility of what’s been pulled exactly.
“All we can say, is that TikTok grants itself permission to pull that data,” he clarified.
He said when Internet 2.0 raised this issue with TikTok, they weren’t clear what exactly they were using those permissions for, but, they are there, and it’s alarming.
The thing is, users give the app permission to do this, but they’re basically forced to in order to be able to use the app. It also isn’t totally clear what terms and conditions you’re signing up for (something the ACCC is looking into on a broader scale).
In September 2020, when TikTok was becoming a household name, the company told an Australian Senate Select Committee that the personal data it collects from Aussie users is stored on servers located in the United States and Singapore.
“We have strict controls around security and data access … TikTok has never shared Australian user data with the Chinese government, nor censored Australian content at its request,” the company told the committee as part of its inquiry into Foreign Interference Through Social Media.
But Potter said his company’s probe into TikTok also looked at how the app communicates with the rest of TikTok’s infrastructure.
“Under closer examination we saw it connecting to servers around the world, including in China,” he said.
TikTok stood by its claim, and Potter said it isn’t clear what exactly is being sent to China, only that “the phone regularly connects to servers in China”.
Potter said Internet 2.0 threw over a dozen cybersecurity products at the app and every single time, saw the app connecting to servers in China.
“For the TikTok application to function properly most of the access and device data collection is not required,” the report says in conclusion. “The application can and will run successfully without any of this data being gathered.
“This leads us to believe that the only reason this information has been gathered is for data harvesting.”
In response, TikTok told Gizmodo Australia that its app is not unique in the amount of information it collects. In fact, it put forward that it is less than many popular mobile apps.
“In line with industry practices, we collect information that users choose to provide to us and information that helps the app function, operate securely and improve the user experience,” a TikTok spokesperson added regarding the phone access claims.
The spokesperson also reiterated that TikTok user data is stored in Singapore and the U.S., and that the company has been “clear and vocal” about employing access controls like encryption and security monitoring to secure user data, with the access approval process overseen by its U.S.-based security team.
“The IP address is in Singapore, the network traffic does not leave the region, and it is categorically untrue to imply there is communication with China,” TikTok said.
“The researcher’s conclusions reveal fundamental misunderstandings of how mobile apps work, and by their own admission, they do not have the correct testing environment to confirm their baseless claims.”
This article has been updated since it was first published to include comment from TikTok.