TikTok is connecting with Chinese servers, says Aussie cybersecurity company

A deconstruction of the TikTok source code reveals that phones running the short video app are communicating with Chinese servers despite promises that user data is being stored only outside China, a report released by an Australian cybersecurity company shows.
Internet 2.0 published a technical analysis of the TikTok application on both Android and iOS devices, which breaks down what data the company has access to on users’ phones. It observed the Apple version of the application connecting to a server run by Chinese security company Guizhou BaishanCloud Technology Co Ltd, located in mainland China.
“We could not determine with high confidence the purpose for the connection,” the report says.
TikTok’s parent company, ByteDance, denies the connection. In a statement to Crikey it rubbished the report:
The IP address is in Singapore, the network traffic does not leave the region, and it is categorically untrue to imply there is communication with China. The researchers’ conclusions reveal fundamental misunderstandings of how mobile apps work, and by their own admission, they do not have the correct testing environment to confirm their baseless claims.
The app’s communication with a Chinese server is not proof that ByteDance is sending user data to China. Similar applications such as Facebook or Telegram send server requests all over the world for myriad reasons, including for operating advertising networks or, indeed, sending and receiving user data. How and where apps send data can be extremely convoluted and difficult to untangle – even for people with access to the full source code.
However, the uncertainty about the purpose of this connection denied by ByteDance will feed concerns about the Chinese-owned app and the lack of transparency. Internet 2.0’s co-CEO Robert Potter told Crikey its analysis found the app’s infrastructure appeared to be less separate from China than it has said publicly.
“TikTok has a history of not being clear about what it does,” he said. “They have to give Australians assurances that their data is being respected and their privacy is protected.”
The report also details what it calls “excessive data harvesting” by the TikTok application. This includes hourly checking of the device’s location; the device’s unique identification details, calendar and contacts; a mapping of all the other applications on the phone; and more. These details are not required to run the app, but it does ask users for permission for this access.
The company defended its data collection as being in line with or less than that of its competitors: “We collect information that users choose to provide to use and information that helps the app function, operate securely and improve the user experience.”
Last week TikTok Australia confirmed that ByteDance employees – including those in China – can access Australians’ data despite it being stored in US and Singapore servers. As Fergus Ryan wrote in Australian Strategic Policy Institute’s The Strategist, the server’s whereabouts are essentially irrelevant: “The location in which any data is stored is immaterial if it can be readily accessed from China.”
These new revelations prompted opposition spokesman on cybersecurity and countering foreign interference James Paterson to ask the federal government to “investigate all possible regulatory responses to protect Australians’ privacy and cybersecurity”.
Home Affairs Minister Clare O’Neil said the government has seen the report and urged individual caution.
“Australians need to be mindful of the fact that they are sharing a lot of detailed information about themselves with apps which aren’t properly protecting that information,” she said. “I hope it concerns Australians because it certainly concerns me.”
This article was first published by Crikey.