
Do You Know Where Your Children’s Data Is? Reverse-engineering a TikTok Moral Panic

On Wednesday April 8th, Reddit user tobrown05 posted a link to a YouTube video with the title “Not news, but tbh if you have tiktok, just get rid of it.” The video has been removed by YouTube, but the contents can be at least partially inferred from tobrown05’s submission title. Importantly though, a user named bangorlol replied a day later with a long and authoritative post culminating in the claim that “Calling it [TikTok] an advertising platform is an understatement. TikTok is essentially malware that is targeting children. Don't use TikTok. Don't let your friends and family use it.”

Bangorlol’s post, with over 26.5k upvotes and a litany of paid-for awards from other users, immediately generated a great deal of interest and conversation. However, it gained a second wind when it was screenshotted and tweeted on June 28th with the text: “A guy on reddit reversed engineered #TikTok Here’s what he found on the data it collects on you. It’s far worse than just stealing what’s on your clipboard.”

Dan Okopnyi, the Twitter user responsible for the second round of interest in the thread, has an impressive 15.3k followers, but the tweet went truly viral when it was picked up by YourAnonCentral on July 1st. This account, claiming to be an ‘official’ Anonymous comms channel, was instrumental in coordinating online activist efforts in the first weeks of protests following the murder of George Floyd and has 6.4m followers. YourAnonCentral added the following to Dan’s tweet: 

Delete TikTok now; if you know someone that is using it explain to them it is essentially malware operated by the Chinese government running a massive spying operation […] Tiktok is harvesting data on children/teens to monitor their market reach and political development; to find the best methodologies to coerce them within the next 5 - 10 years. This gives China an upper hand on the manipulation of large swaths of society across several countries.

This alarmist accusation, along with the considerable reach and cultural weight of Anonymous, resulted in an eruption of news coverage from Forbes, Dazed Digital, and a litany of tech coverage websites.

It is clear that Chinese apps, including and especially TikTok, are becoming a very pronounced geopolitical issue, with India banning it outright and the US “looking at” following suit. However, the conversation unfolding around bangorlol’s post and the discourse in its wake strike a more moral tone, especially with concerns around family members and children using the app. 

Reverse-Engineering the Claims

Bangorlol’s initial post claimed that TikTok gathered the following data (screenshotted here):

On the face of it, this is a list of user-specific information that seems quite excessive – and perhaps it is (more on that later) – but is this laundry-list of data proof that TikTok is a front to harvest information about Western children and teenagers, and to profile Gen-Z for nefarious political ends? To find out more, I got in touch with Peter Moorhead, a developer with nearly a decade of coding experience under his keyboard who currently leads mobile app development.

In a nutshell, he explains that “this is mostly a pretty standard set of things for a smartphone app to gather, some of it seems a little odd like the proxy server, but nothing I'd balk at.” To break it down further, Peter explained that “in general, devs will collect as much information about your device/setup as we possibly legitimately can, because it's incredibly useful for debugging, especially for an internet-facing app.” Almost all apps access hardware and network information for debugging, as well as information on other apps you have “because many apps offer mutually integrated features.”

Some users on both Reddit and Twitter were also quick to point out that collecting data in this way was not unusually sinister. Reddit user sr71Girthbird (sorry) pointed out that GPS pinging is common in video streaming apps for a variety of reasons, from tracking error rates to detecting password sharing. In addition, information security lawyer Whitney Merrill addressed the research in a Twitter thread, arguing that “TikTok’s data collection isn’t great, but it’s not unusual in the app space.”

The Penetrum Report

However, despite cooler heads attempting to explain the intricacies of data collection in the face of widespread worry directed at a single app, an investigation company called Penetrum published a report piggybacking off bangorlol’s initial post. There is scant information about Penetrum, who have existed as a company since March 30th, but their breakdown of TikTok has been cited as providing even more damning evidence of the app’s sinister data harvesting at the behest of the Chinese government.

The report opens revealing that just over 37% of IP address pings for the app are for Chinese servers hosted by Alibaba.com, before highlighting security concerns around Alibaba’s operation due to a data breach in 2019. This is, as it stands, an entirely reasonable criticism. However, Penetrum’s writers constantly edge into alarmist rhetoric, while stopping short of outright accusing TikTok of being a tool of the government. For example, using “now, we are not saying…” before putting exactly what they are not saying in print, in this case that they are “using these things for nefarious purposes in any way.”

Their smoking guns come in the form of their teardown of the app’s code, replete with plenty of screenshots. I ran some of their findings by Peter to see if they had found more than further examples of data also collected by Western apps. The first thing of note was their explanation of an IMEI number (a unique identifier for a mobile handset) and the alarming revelation that TikTok collects this data (while purely speculating that it also collects the IMSI, the subscriber identifier stored on the SIM rather than on the handset). When I asked if there was good reason for an app to collect this data, Peter explained:

It's one of the strongest pieces of data available for uniquely identifying a user for analytics purposes. IMEI is just one of the things you can request from the Telephony Manager class. It's all permission gated but are we honestly going to pretend IMEI is more alarming than your entire call history? However, if you were, for example, building a third-party dialler app then that's a legitimate request to make of the OS.
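To make the “permission gated” point concrete, here is an added example (my own illustration, not code from the article, from TikTok or from the Penetrum report) of how an Android app reads the IMEI through `TelephonyManager`, and where the platform stops it. The class name `DeviceIdentity` is hypothetical. It assumes the app’s manifest declares `android.permission.READ_PHONE_STATE`; without that declaration the runtime check below never passes.

```java
// Added example, not from the article or from TikTok. Class name is hypothetical.
import android.Manifest;
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Build;
import android.provider.Settings;
import android.telephony.TelephonyManager;
import androidx.core.content.ContextCompat;

public final class DeviceIdentity {

    private DeviceIdentity() {}

    /**
     * Returns the handset IMEI, or null when the platform refuses to hand it over.
     *
     * Two gates sit in front of this value:
     *  1. The app must declare READ_PHONE_STATE in its manifest (assumed here) AND
     *     the user must grant it at runtime (Android 6.0+).
     *  2. From Android 10 (API 29) an ordinary third-party app gets a SecurityException
     *     even with that grant: IMEI is reserved for device/profile owners, carrier-privileged
     *     apps and apps holding READ_PRIVILEGED_PHONE_STATE.
     */
    public static String readImei(Context context) {
        if (ContextCompat.checkSelfPermission(context, Manifest.permission.READ_PHONE_STATE)
                != PackageManager.PERMISSION_GRANTED) {
            return null;                     // gate 1: no grant, no call
        }
        TelephonyManager tm =
                (TelephonyManager) context.getSystemService(Context.TELEPHONY_SERVICE);
        if (tm == null) {
            return null;                     // no telephony service (e.g. Wi-Fi-only tablet)
        }
        try {
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
                return tm.getImei();         // API 26+: IMEI on GSM devices, null otherwise
            }
            return tm.getDeviceId();         // pre-API 26: IMEI or MEID
        } catch (SecurityException e) {
            return null;                     // gate 2: Android 10+ for a normal app
        }
    }

    /**
     * What analytics SDKs typically fall back to once IMEI is unavailable: ANDROID_ID.
     * Since Android 8.0 this value is scoped per app signing key, user and device, so it
     * cannot be joined across unrelated apps the way a hardware IMEI could.
     */
    public static String readAndroidId(Context context) {
        return Settings.Secure.getString(context.getContentResolver(), Settings.Secure.ANDROID_ID);
    }
}
```

The practical upshot for a reviewer is that a screenshot of `getImei()` in decompiled code proves only that the app asks; whether it receives anything depends on the manifest, the user’s grant and the OS version, which is exactly the permission-gating Peter describes.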

The report then moves to a string of screenshots showing imported Webview packages which, to the uninitiated, look like an alarming stack of something happening with your phone.

These images were captioned explaining that the “code is just an example of how many times webview and reflection is used within TikTok.” According to Peter, this is “a fundamentally dishonest and sensationalist way to describe what is in the screenshots as importing does not at all equate to using.” An `import` statement only declares that a class name may be referenced in that file; establishing that a WebView is actually instantiated, and what content it loads, requires following the call sites rather than counting imports. Penetrum’s fixation on the inherent security risks of using webview to build apps (perhaps because it makes for some scary looking screenshots) seems misplaced when Facebook, Evernote, Instagram, LinkedIn, Uber, Slack, Twitter, Gmail, and the Amazon Appstore (to name a few) all use webview or an equivalent.

No true dynamite exists in Penetrum’s report. They rely on the average reader having very little understanding of the technical language and coding they display. Their language pulls in both misrepresentation and sensationalism. Despite this, their report does bring a common thread through the TikTok saga into stark relief and poses a far more significant question: if we’re worried about TikTok stealing our children’s data, but the amount of data they request is the industry norm, then why aren’t we just as worried about standard industry practices?

The Real Data Crisis

Looking carefully at the reports which form the basis of the claims by Anonymous and others that TikTok is a Chinese government spying operation reveals two key points. First, it isn’t sinister spyware being used to shape young minds in a geopolitical info-war; or at least, if it is, nothing in its data collection practices is evidence to that effect. The second is a more general, pernicious issue in how little we understand about the technology we use. Your average user has very little understanding of how apps work under the hood, how much data is being taken from their phone by apps in general or how that data is then used.

Videos showing TikTok copying keyboard input and accessing clipboard data caused further panic on Twitter, yet this same data is accessed by LinkedIn and plenty of other apps (enabling the functionality to paste a link from one app text box to another). The data collected by phones can be used unethically, but so can the data we give out freely on a daily basis. A door-to-door survey taker can squirrel away your phone number. A waiter can jot down your credit card numbers. The issue turns to trust and understanding of data collection as a whole.  
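As an added example (again my own illustration, not code from the article or from any of the apps named), this is all it takes for an Android app to read the clipboard. The class name `ClipboardPeek` is hypothetical. Note what is absent: there is no manifest permission and no runtime prompt for clipboard access, which is why a paste-a-link feature and a clipboard scraper look identical to the operating system.

```java
// Added example, not from the article or from any app it names. Class name is hypothetical.
import android.content.ClipData;
import android.content.ClipboardManager;
import android.content.Context;

public final class ClipboardPeek {

    private ClipboardPeek() {}

    /**
     * Returns the current clipboard text, or null if there is none the app may see.
     * No <uses-permission> entry is needed for this. What the platform does instead:
     *  - Android 10+: only the app with input focus or the default keyboard can read;
     *    a background app gets hasPrimaryClip() == false / getPrimaryClip() == null.
     *  - Android 12+: the system shows a toast when an app reads a clip that another
     *    app placed, which is the same class of user-visible signal iOS 14 added.
     */
    public static String readClipboardText(Context context) {
        ClipboardManager cm =
                (ClipboardManager) context.getSystemService(Context.CLIPBOARD_SERVICE);
        if (cm == null || !cm.hasPrimaryClip()) {
            return null;                           // nothing copied, or app not in focus
        }
        ClipData clip = cm.getPrimaryClip();
        if (clip == null || clip.getItemCount() == 0) {
            return null;
        }
        // coerceToText() handles plain text, URIs and intents uniformly.
        CharSequence text = clip.getItemAt(0).coerceToText(context);
        return text == null ? null : text.toString();
    }

    /**
     * Legitimate use that motivates the access: offer to paste a copied link into a
     * share dialog. The check is identical to the one a scraper would make.
     */
    public static boolean clipboardLooksLikeUrl(Context context) {
        String text = readClipboardText(context);
        return text != null && (text.startsWith("http://") || text.startsWith("https://"));
    }
}
```

The only defences a user has here are the OS-level focus restriction and the visual notification; neither distinguishes a benign paste helper from exfiltration, which is the point the article makes about trust in platform safeguards rather than in any single app.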

The ethics of software development and data collection should be at the forefront of this conversation as it develops. The real issue, as Peter puts it, has two prongs:

A) do Google and Apple have sufficient security measures in place, permission-gate sensitive data effectively enough, and communicate to users the inherent risk of those permissions? B) who watches the watchmen with regards to software ethics as a whole - how far do you trust the people setting the standards for what data is sensitive and how it gets protected? Even if TikTok is Chinese spyware, it should mean nothing if we have sufficient safeguards in place.

We should be aware of how much data we freely give through our smartphones in general. TikTok is the hot button issue right now – fuelled by its popularity with younger generations, its apparent indecipherability to older ones, and its connections to China at a time of increasing geopolitical tension. However, the conversation to be had with your children isn’t to delete TikTok, but to understand the realities of data collection and privacy. The wider conversation should be about finding a way to make our black box understanding of software a little more transparent.
