TikTok App's Data Snooping Similar to Facebook or Snapchat, Cyber Expert Says

As TikTok faces a possible U.S. ban, one cybersecurity researcher has said the app's data sharing appears no worse than its social media rivals.

Politicians critical of the TikTok app have repeatedly suggested the company's Chinese ownership means American user data is at risk of being siphoned off by a foreign state, and President Donald Trump indicated last Friday that a ban is now imminent.

While led by American CEO Kevin Mayer, a former Disney streaming executive, TikTok is currently owned by Beijing-based technology company ByteDance.

Microsoft has confirmed it is exploring a potential acquisition of the app's operations in the U.S., Canada, Australia and New Zealand. President Trump has reportedly given its CEO Satya Nadella 45 days to complete the deal, as Reuters reported.

Last month, Secretary of State Mike Pompeo fueled speculation that TikTok was about to face restrictions in the U.S., saying that citizens should only use the app if they want their private information "in the hands of the Chinese Communist Party."

Now, one cyber researcher who spent time analyzing the app's code, Baptiste Robert, told Newsweek there was no unusual data-sharing visible during an initial probe.

"In its current state, TikTok doesn't have suspicious behavior and is not exfiltrating unusual data. Getting data about the user device is quite common in the mobile world and we would obtain similar results with Facebook, Snapchat, Instagram and others," the researcher, who uses the alias "Elliot Alderson," wrote in a blog post.

According to the analyst's report, the aims were simple: to find out what data TikTok was logging after being downloaded on a device, and where that data is sent.

The researcher found that the app directs log content to its servers every five minutes, holding information about the user's device (type of phone and if it runs Android or iOS, for example), language, region of use, app build number and ID codes.

"While that might sound surprising to you, it really isn't," he wrote, reiterating that other social smartphone apps are similar. "Such practice is pretty standard and you can be assured that most apps you use have the same data-retrieval process."

Encrypted content, the researcher added, included data about when the app was last opened, event logs and more information about the device running the software.

Robert said data can be sent to seven possible servers, identified as: China, America, America HTTP, SIG AWS, SIG ALIYUN, Musically, Mussically HTTP.

But the inclusion of China is not necessarily a red flag, the researcher told Newsweek, as TikTok was using a content delivery network called Akami that would reroute U.S. data to a server in America, appearing to back-up TikTok's own claims.

Vanessa Pappas, the general manager of TikTok U.S. previously said the app stores "all U.S. user data in the United States, with backup redundancy in Singapore." TikTok's data centers are "located entirely outside of China," Pappas added.

In a statement over the weekend after Trump's ban threat, a TikTok spokesperson said: "U.S. user data is stored in the U.S. with strict controls on employee access."

Microsoft stated in its blog yesterday that if a TikTok purchase were to go ahead it would ensure all U.S. data is stored domestically. It said: "To the extent that any such data is currently stored or backed-up outside the United States, Microsoft would ensure that this data is deleted from servers outside the country after it is transferred."

Robert told Newsweek the app analysis appeared to back up the TikTok's assertion but it should be noted the U.S. has not released any technical details that it holds.

While there may be other collection or influence factors at play with TikTok, the analysis suggested the logs may collect a lot of data—but that's not unusual in 2020.

"It doesn't mean data is not transferred to another server after, but when a U.S. user is sending logs to this address, they are sending it to a server located in the U.S." Robert told Newsweek via Twitter message today, calling the log results "pretty standard."

PS: Some people commented: "but the servers are in China 🤪". Well, it's not that simple. TikTok is using @Akamai, a CDN provider, for https://t.co/L3wqODo7Ff. So if you are in the US, it will resolves to an US IP, in France, a French IP, etc. pic.twitter.com/itjrAFQOVn

— Elliot Alderson (@fs0c131y) August 3, 2020

"The biggest finding is that TikTok doesn't have suspicious behavior when it uploads logs," he said. "The logs don't contain personal data or at least nothing unusual."

A second cybersecurity researcher, who uses the alias x0rz online, told Newsweek the TikTok app was "privacy invasive, sure" but then added, "just like Facebook app."

TikTok is displayed on the screen of a smartphone in front of a Chinese flag on December 26, 2019 in Paris, France. Chesnot/Getty