TikTok and the privacy perils of China’s first international social media platform

TikTok, the video-sharing platform owned by the Chinese social media giant ByteDance, is one of the most popular social media services in the world, with an estimated 800 million users. However, its zealous data collection, use of Chinese infrastructure, and its parent company’s close ties to the Chinese Communist Party make it a perfect tool for massive surveillance and data collection by the Chinese government. 

After reviewing TikTok’s data collection policies, lawsuits, cybersecurity white papers, past security vulnerabilities, and its privacy policy, we find TikTok to be a grave privacy threat that likely shares data with the Chinese government. We recommend everyone approach TikTok with great caution, especially if your threat model includes the questionable use of your personal data or Chinese government surveillance.

How much user data does TikTok collect?

As with just about every social media platform, the answer is: “a lot.” According to its privacy policy, even if you just download and open the app but never create an account, TikTok will collect your:

  • IP address
  • Browsing history (i.e., the content you viewed on TikTok)
  • Mobile carrier
  • Location data if you are using a mobile device (including GPS coordinates and WiFi and mobile cell data)
  • Info on the device you used to access TikTok (for Android devices, this includes your IMEI number, which is essentially your device’s fingerprint so it can be identified, and potentially your IMSI number, which is used to track users from one phone to another)

To open an account, you must enter a phone number or email and your date of birth. Once you have created an account, TikTok asks your permission for access to your social media accounts (like Twitter, Instagram, Facebook, etc.), your phone’s contact list, and GPS data. 

Once you start using the app, TikTok logs details about:

  • Every video you upload
  • How long you watch videos
  • Which videos you like
  • Which videos you share
  • Any messages you exchange in the app

Finally, if you buy coins, the in-app currency you can use to support your favorite video creators, TikTok will store your payment information.

According to TikTok, if you delete your account, the company will delete your account data, videos, and information within 30 days. This claim is impossible to independently verify, as is the case with most social media companies. 

TikTok’s data collection is extreme, even for a social media platform that collects its users’ data to serve them with targeted ads. And TikTok explicitly states in its privacy policy that it shares your browsing data and email address with third parties so that it can serve you with targeted advertising. 

TikTok faces multiple class-action lawsuits in the US

On November 27, 2019, a group of TikTok users in California filed a class action lawsuit against TikTok and ByteDance, saying the TikTok app “includes Chinese surveillance software.” The lawsuit claims TikTok collects all videos shot on the app, even if the videos are not published or even saved. The lawsuit goes on to allege that TikTok uses the videos and photos users upload to collect biometric data (such as face scans) without user permission and that even after you close the app, TikTok continues to collect biometric data.

This lawsuit also alleges that TikTok surreptitiously sends user data to China, something we will address below. 

There is a similar class action lawsuit from users in Illinois. This suit also alleges that TikTok uses facial recognition technology and AI to collect users’ facial geometry without informing its users. Illinois has a strict law that requires companies to receive consent before they collect any biometric data.

Does TikTok share data with the Chinese government?

What distinguishes TikTok from other social media giants is that it is owned and operated by a Chinese company. ByteDance, the company that owns TikTok, is headquartered in Beijing and is worth over $100 billion. Chinese domestic laws and regulations, along with internal party politics, can make it hard to parse whether a company is independent or coordinating with the Chinese Communist Party.

Even if ByteDance wanted to resist Chinese Communist Party control, it would have little real prospect of doing so. China’s National Intelligence Law, passed in 2017, allows the government to compel any Chinese company to provide practically any information it requests, including data on foreign citizens. Furthermore, Chinese laws can also force these requests to be kept secret and not disclosed via transparency reports. The lack of an independent judiciary system makes it almost impossible for a company to appeal a request from the Chinese government. On top of that, Chinese companies of any real size are legally required to have Communist Party “cells” inside them to ensure adherence to the party line.

However, there is little evidence ByteDance wants to resist the Chinese government. In fact, there are numerous examples that it is complicit in the Chinese Communist Party’s authoritarian policies. In 2018, ByteDance shut down Neihan Duanzi, a Chinese social media platform that was primarily used to share jokes and comedy, after state censors accused it of hosting “vulgar” content. Afterward, ByteDance said that it would “deepen cooperation” with the Chinese Communist Party. It then hired 2,000 more “content reviewers” and stated that “strong political sensitivity” would be an asset for the position.

ByteDance has repeatedly made the case that TikTok is not available in China and that user data is not stored in China. This is misleading. In its privacy policy, TikTok explicitly reserves the right to share user information with other members of its “corporate group” (i.e., ByteDance). 

Additionally, a white paper by the cybersecurity firm Penetrum found that over one-third of the IP addresses the TikTok APK connects to are based in China. The majority of these IP addresses are hosted by Alibaba, another Chinese tech giant. These IP addresses are what led to the allegations in the California lawsuit that TikTok secretly sends data to China. According to the Penetrum report, “TikTok does an excessive amount of tracking on its users and that the data collected is partially if not fully stored on Chinese servers with the ISP Alibaba.”

Alibaba works closely with the Chinese Communist Party and supports its invasive surveillance and censorship. It has a police post at its headquarters to facilitate data sharing with authorities and developed a popular Chinese propaganda app.

The Chinese government has long used the data it collects from Chinese tech companies to monitor, censor, and control its citizens. The all-seeing surveillance system they have created to monitor Uyghurs in Xinjiang is just one example. It also maintains an Orwellian “blacklist” that the government uses to prevent over 13 million “untrustworthy” citizens from purchasing plane or train tickets. One can only imagine what the Chinese government would do if it were able to extend its data collection beyond its borders.

TikTok and censorship

There are also concerns that the Chinese government and ByteDance are using TikTok as a tool to extend China’s censorship. American employees reported to the Washington Post that they were pressured by administrators in Beijing to restrict any political content.

The Guardian reported on TikTok guidelines that require moderators to block videos that “distort” historic events, such as “Tiananmen Square incidents.” In one example, a teenage girl from Florida had her account shut down after she brought attention to the plight of the Uyghurs, a Muslim minority in China. (TikTok later reinstated her, claiming her ban was an error.)

Is TikTok secure?

In December 2019, the cybersecurity researchers at Check Point Research discovered multiple vulnerabilities, including ones that would allow attackers to delete user videos, make hidden videos public, or upload unauthorized videos. The researchers worked with the TikTok team, and they say that these vulnerabilities have now been resolved.

In April 2020, security researchers discovered that some versions of the TikTok app for Android and iOS rely on HTTP connections. By not using HTTPS, TikTok makes it easy for attackers to monitor user activity and even alter the videos the user sees without their knowledge.

TikTok says a fix is already underway, but this certainly isn’t a strong track record when it comes to security.

TikTok and children

Given the demographics of TikTok users and the amount of data TikTok collects, the company has faced criticism for collecting data from children. In February 2019, Musical.ly, the Chinese social media app that ByteDance bought and then merged with TikTok, paid a $5.7 million fine to the FTC to settle allegations that it violated the Children’s Online Privacy Protection Act (COPPA) by letting children under 13 sign up to its platform without their parents’ consent.

In May 2020, 20 advocacy groups alleged that TikTok is still violating COPPA. They said the company never deleted the personal information it collected from children under 13 prior to the 2019 FTC settlement, is still not obtaining parents’ consent before collecting children’s personal info, and does not allow parents to review or delete the personal information it collects from their children.

Scrutiny of TikTok increases

Since February, politicians in Australia have been calling for greater scrutiny of the company’s data collection and possible censorship. On June 29, the Indian government banned TikTok, along with over 50 other Chinese apps. And now, the US government is also weighing whether it should impose a ban on the app.

As one US lawmaker said to the Wall Street Journal, “all it takes is one knock on the door of their parent company [ByteDance], based in China, from a Communist Party official for that data to be transferred [from TikTok] to the Chinese government’s hands, whenever they need it.”

Recently, US politicians have floated the idea of ByteDance selling TikTok as one way for the social media company to avoid questions over what it does with its users’ data. However, Chinese infrastructure and control are clearly deeply integrated into TikTok’s system, and this would be extremely hard for any company that purchased it to undo.

Our take on TikTok

We stand for freedom of expression, and we want everyone to be able to voice their opinion. However, social media giants from TikTok to Facebook demand troves of personal data in exchange for the use of their platform. Often this data collection verges into the extreme. Does TikTok need access to your device’s ID number to deliver its service?

The fact that TikTok is owned by a Chinese company, one that has explicitly said it would deepen its cooperation with the Chinese Communist Party, makes this excessive data collection even more concerning. The Chinese government has a history of strong-arming and co-opting Chinese tech companies into sharing their data and then using this data to intimidate, threaten, censor, or engage in human rights abuses.

For these reasons, it is our opinion that, from a security and privacy standpoint, TikTok is an extremely dangerous social media platform. Its potential for mass collection of data from hundreds of millions of adults, teenagers, and children poses a grave risk to privacy. We believe that TikTok should be viewed with great caution, and if this concerns you, you should strongly consider deleting TikTok and its associated data.
