TikTok Is Spyware for the Chinese Regime, Cyber Experts Warn

TikTok Is Spyware for the Chinese Regime, Cyber Experts Warn
A TikTok logo is displayed on a smartphone in this illustration taken January 6, 2020. (Dado Ruvic/Illustration/Reuters)
Cathy He

TikTok, the short-video app used by millions of mostly young Americans, can’t be trusted, due to its links to the Chinese regime and should be banned, cybersecurity experts warned.

The app, owned by Beijing-based internet giant Bytedance Technology Co., has come under intense scrutiny after the Trump administration confirmed that it was mulling a ban on TikTok and other Chinese apps’ U.S. operations on security grounds. Critics warn that the app could be used as a spying tool for the Chinese Communist Party (CCP), and users’ content could be censored if the Party deems them politically sensitive.
The company has denied these claims and sought to distance itself from its Beijing owner, pointing to its American board members and new chief executive. It says its servers are located in the United States and Singapore, and that it would not share user data with the Chinese regime if requested.

Not to Be Trusted

Chinese security laws compel companies to cooperate with intelligence agencies when asked.

Casey Fleming, CEO of intelligence and security strategy firm BlackOps Partners, described TikTok’s claim that it could simply refuse to comply with such laws as “propaganda and gaslighting.”

U.S. companies operating in China are required to abide by local intelligence and security laws, he told The Epoch Times.

Fleming said Americans commonly make this mistake when viewing the Chinese regime: “We believe China is the same as the U.S. or the free world. We believe that their intentions and goals are the same.”

But this “could not be more wrong,” he said. The CCP has a handle on every aspect of society in China, and is engaged in a program of “unrestricted warfare” to supplant the United States to become the world’s sole superpower, according to Fleming.

“All technology coming out of China—either manufactured in China, created in China—is controlled by the CCP,” he said.

Mark Grabowski, an associate professor specializing in cyber law and digital ethics at Adelphi University, described TikTok as “Chinese government malware masquerading as a social media app.”

He noted that the app’s privacy policy is expansive, allowing it to collect and access vast swathes of information on a user’s phone. It collects a range of data including a user’s web browsing history, geolocation data, and what other apps a user is running.

“The app collects way more data than it needs to,” Grabowski said in an email. “For example, it’s odd that TikTok does GPS [Global Positioning System] tracking since TikTok videos don’t display location information.”

Gary Miliefsky, a cybersecurity expert and publisher of Cyber Defense Magazine, agreed: “When I look at the features of TikTok, I would say that they don’t need all those permissions.”

In 2014, Miliefsky discovered that many of the top mobile flashlight apps in the Google Play store were designed by cybercriminals or linked to China and Russia. In the case of one of those apps, he found that it was turning on the user’s microphone and connecting to servers in Beijing. Miliefsky believes TikTok is a scaled-up version of these flashlight apps: “It is probably a very robust piece of spyware.”

“If you want to spy on a country, why send in a spy the old-fashioned way? Why not just send in a great app and make it go viral?” he told The Epoch Times.

TikTok did not respond to a request for comment about security concerns.

Growing Opposition

Governments and organizations have started taking action against the app.
India in June banned TikTok and 58 other Chinese apps, saying they posed threats to the country’s “security and sovereignty.” The Pentagon last December ordered military personnel to delete TikTok from government devices. U.S. lawmakers in March introduced a bill to bar federal employees from using the app on government-issued phones.

Wells Fargo recently instructed employees to remove TikTok, while the Democratic and Republican national committees have warned their staff against using the app.

Meanwhile, a U.S. panel is conducting a national security review of ByteDance’s $1 billion acquisition of social media app Musical.ly—which was rebranded to TikTok—in 2017.

In 2019, TikTok paid a $5.7 million fine to settle U.S. government charges that it had illegally collected personal information from users under the age of 13 in violation of child privacy laws. Federal agencies are currently looking into whether the company has complied with this agreement, according to Reuters. South Korea recently fined TikTok over similar privacy breaches.

Elements of activist hacking group Anonymous also recently turned its attention on the social media app. A Twitter account linked to the group posted on July 1: “Delete TikTok now; if you know someone that is using it, explain to them that it is essentially malware operated by the Chinese government running a massive spying operation.”

The tweet shared a Reddit post by an engineer who claimed to have reverse-engineered the app and found that it was collecting an enormous amount of personal information—much more than other social media apps like Facebook and Twitter—and went to great lengths to hide this. This information has not been confirmed by security researchers. The Reddit user “bangorlol” has since created a subreddit to share data for independent researchers to investigate.
A report by security research firm Penetrum found that the app does an “excessive amount of data harvesting.”

“From our understanding and our analysis it seems that TikTok does an excessive amount of tracking on its users, and that the data collected is partially if not fully stored on Chinese servers with the ISP [internet service provider] Alibaba,” the report said. Alibaba is a major internet company in China.

Recently, TikTok users ran an iPhone software that lets them know when an app is collecting their data, and found that TikTok was copying their keystrokes every few seconds. The company said it was actually an “anti-spam” feature and issued an update removing it. Back in March, it was caught by security researchers doing the same thing, and had said it would stop the practice within “a few weeks.”

Feeding Big Data

Fleming said that personal data collected by TikTok and other Chinese apps is being “absorbed into big data and scraped with artificial intelligence by the CCP.” This massive pool of information can then be tapped into to carry out economic or political espionage, he said.

In recent years, the regime has stolen huge amounts of Americans’ personal data.

In 2014, Chinese hackers stole from the U.S. Office of Personnel Management sensitive personal information detailed in the security clearances of millions of current and former federal employees. That same year, Chinese hackers breached Anthem Inc., a health insurance company, to steal the personal records of 80 million people. This year, four Chinese military officers were indicted for the 2014 hack of credit-reporting agency Equifax, which resulted in the theft of 145 million Americans’ financial records.

Grabowski said among the tens of millions of young TikTok users in America, many are targets that the CCP is keen to spy on or exploit for blackmail. These include “congressional staffers, Silicon Valley engineers, research lab assistants, and journalists,” he said.

“They potentially have access to sensitive government, industry and R&D information—and so does TikTok by extension,” Grabowski added.

Fleming said that TikTok as well as any other Chinese-developed app—such as video conferencing app Zoom, a U.S. company whose software is developed in China—should be banned in the United States.

Citing the Chinese regime’s actions over the past six months, including its coverup of the CCP virus outbreak, implementation of a draconian security law in Hong Kong, and growing aggression in the South China Sea and toward Taiwan, Fleming posed the question, “Do these actions speak to you of a trusted technology partner?”

Cathy He is the politics editor at the Washington D.C. bureau. She was previously an editor for U.S.-China and a reporter covering U.S.-China relations.
Related Topics