Nebulous privacy and censorship criticisms about video social-media app TikTok have been swirling for months. Security analysts from CitizenLab are the first to collect real data on the platform’s source code, and reported that TikTok meets reasonable standards of security and privacy.
The platform, they figured out, is a customized version of more intrusive versions of the application used by TikTok’s parent company, China-based parent ByteDance, across East and Southeast Asia, minus the limitations in access or privacy.
CitizenLab explained that the controls ByteDance has put in place for the version of TikTok available in the U.S. are sufficient, “nor [contain] strong deviations of privacy, security and censorship practices when compared to TikTok’s competitors, like Facebook,” the report said.
There are lingering concerns, however, that the source-code capabilities to censor speech on the various ByteDance apps could be “turned on” in the U.S. version of TikTok down the line.
TikTok is the first social-media platform to come out of the Communist country and explode across the globe. TikTok’s rise has been so meteoric, last year it posted the most downloads in a single quarter for any app ever, and crossed more than 2 billion users worldwide.
Last summer, former President Trump threatened to ban TikTok from the U.S., where it has more than 100 million users, and even signed an executive order to block it from app stores due to what he called “national-security concerns.” Then-Commerce Secretary Wilbur Ross added at the time that TikTok allowed “China’s malicious collection of American citizens’ personal data.” Plans to block TikTok were abandoned at the last minute, but questions have lingered.
It turns out those accusations were unfounded, according to these new findings from CitizensLab.
“TikTok and Douyin do not appear to exhibit overtly malicious behavior similar to those exhibited by malware,” the report said. “We did not observe either app collecting contact lists, recording and sending photos, audio, videos or geolocation coordinates without user permission.”
ByteDance: TikTok & Douyin
ByteDance operates two distinct platforms, TikTok and Douyin. ByteDance launched in China with Douyin. In China, it’s understood companies are required to moderate content to comply with government speech restrictions, under threat of being shut down, the report explained.
ByteDance later launched TikTok for markets outside China, in June 2018. Both Douyin and TikTok share much of the same source code, with a few regional distinctions.
“We postulate that ByteDance develops TikTok and Douyin starting out from a common code base and applies different customizations according to market needs,” the CitizenLab report said. “We observed that some of these customizations can be turned on or off by different server-returned configuration values. We are concerned but could not confirm that this capability may be used to turn on privacy-violating hidden features.”
ByteDance acquired Musicl.ly in Nov. 2017.
“It is likely that both apps already accumulated their own user base, and after the merger it was easier to simply upgrade both apps to the new merged-code version, instead of asking users to install another app,” the report said. That left three distinct versions of ByteDance code, Douyin, and two versions of TikTok — known as “Trill” and “Musically.”
“For the parts which we have examined, the differences between Musically and Trill are fewer than the differences between Douyin and the other two,” the report said. “This is expected because Douyin serves a China-only platform separate from the global platform served by regional variants Trill and Musically.”
The Trill version of TikTok is used in East and Southeast Asia and provides tighter privacy and access controls than the Musically version of TikTok, which is available in the West.
“This version distinction is also used to adjust interfaces and provide user settings tailored to the targeted regions,” the report explained. “Users are only given the ability to opt out of ad personalization in Musically, which is likely due to the requirements of the European General Data Protection Regulation (GDPR).”
Other distinctions that the researchers found include the fact that Douyin collected data which could identify a users’ location, while TikTok doesn’t, according to the report.
Dormant Source Code
But rather than these differences being written into the code itself, all three services were set up with controls hard-coded into the internal configuration, leaving dormant strings of code defining privacy and search parameters for other platforms, which could be, in effect, turned on later.
“In the small portion of code which we had examined, we did not find any case in which undesirable features could be enabled by server-returned configuration values,” the researchers said. “However, we are still concerned that this dormant code originally meant for Douyin may be activated in TikTok accidentally, or even intentionally.”
Another potentially problematic aspect of Douyin is that it’s able to update itself via the internet, bypassing the operating system and user control, the research found. TikTok however doesn’t include this capability.
“Overall, TikTok includes some unusual internal designs, but does not otherwise exhibit overtly malicious behavior,” CitizenLabs’ findings concluded. “Douyin’s dynamic code-loading feature can be seen as malicious, as it bypasses the system installation process, but this feature is also commonly seen in Chinese apps and generally accepted in the Chinese market.”
TikTok Censorship Accusations
While the team admits their testing was limited to only the “most popular” posts on TikTok, they were able to conclude the “platform does not enforce obvious post censorship, and if post censorship was enforced at all it would subtly only apply to unpopular posts,” the report added.
Proposed bans on TikTok and WeChat were met with skepticism by some in the security community when early accusations of TikTok abuse emerged, because no evidence ever materialized.
“TikTok hasn’t been shown to collect any more data than other social-media apps,” Paul Bischoff, privacy advocate with Comparitech, told Threatpost last September. “It sets a dangerous precedent of censorship in the U.S. We’re banning a Chinese app but adopting a Chinese censorship policy. The latter is much more concerning.”
Check out our free upcoming live webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community:
- March 24: Economics of 0-Day Disclosures: The Good, Bad and Ugly (Learn more and register!)
- April 21: Underground Markets: A Tour of the Dark Economy (Learn more and register!)
