Cyber security copy writer, tech support with a degree in political science
This past weekend came as quite a shock to a great many netizens in the United States. While speaking with reporters on Air Force One, President Donald Trump mentioned banning TikTok in the U.S. TikTok is a video-sharing social platform with 165 million downloads in the region, and it is accused of providing data to the Chinese government.
The President's remark sent waves across influencers, politicians and cybersecurity experts, reaching as far as Microsoft, which was in the early phase of negotiations to buy the software for, according to a Reuters report, 50 billion dollars. The software is currently owned by ByteDance, a Beijing-based I.T. company that the Trump administration accuses of providing American citizens' data to the Chinese government, a claim that the company vehemently denies.
TikTok is a video-sharing social networking platform that was first launched in China under the name Douyin. The following year it was renamed TikTok and introduced to global communities with great success. According to Sensor Tower Store Intelligence, the App crossed 2 billion downloads globally in April 2020, and in October 2018 it was the most downloaded App in the U.S.
However, the rapid expansion of the social network and its ties to China have not gone unnoticed. As early as 2019, TikTok was accused of transferring user data to Chinese servers, when the Californian student Misty Hong filed a lawsuit on the basis that it sent users’ phone activity, as well as websites visited outside of the App, to China.
Another issue arose on September 25th when The Guardian published an article exposing how “the popular Chinese-owned social network, instructs its moderators to censor videos that mention Tiananmen Square, Tibetan independence, or the banned religious group Falun Gong.” This aroused suspicion among U.S. politicians that the App is being used to broaden Chinese political influence, further deepening political tensions between the two countries, which were already tense after Donald Trump's executive order to ban Huawei products.
Finally, TikTok has been banned in India, after that country's relationship with China degraded earlier this year following military standoffs along the Sino-Indian border. All of this, coupled with China's aggressive stance on Hong Kong's political status, led to renewed discussions about China's influence, dragging TikTok into the middle of it.
This also brought TikTok under scrutiny by cybersecurity companies, and NordVPN was quick to warn readers in a blog post that something more is going on than just short video sharing.
One thing is for sure: for this to be more than just a political clash, there must be something within the software itself that backs the accusations with facts. Even though it’s tough to be 100% sure (for that you would also need access to Chinese corporate as well as governmental servers, good luck getting that), TikTok has repeatedly shown suspicious behaviour.
For example, Forbes exposed that TikTok had a design that granted it access to users' iOS clipboard. This was a broader issue for Apple products; however, TikTok was warned of the suspicious behaviour, and even after iOS 14 fixed the bugs, the clipboard tracking process on TikTok was still running.
The above-mentioned Californian student Misty Hong has something similar to say. According to her, she downloaded the software but did not create an account. Months later she noticed that an account had been created for her anyway, with which she made several videos but never published or saved them. However, the lawsuit states that TikTok still gathered the video data and, without her knowledge, sent it to servers in China.
However, one of the more convincing arguments comes from a discussion on Reddit, where a user named Bangorlol claims to have successfully reverse-engineered TikTok. He or she claims to be a senior software engineer with 15 years of experience, but here we’ll just have to take a leap of faith. Either way, the findings were disturbing.
Reverse engineering is a skilful practice that, in a nutshell, means taking something apart and rebuilding it from the very beginning. When it comes to software, it means digging deep into the code, taking separate functionalities apart, and analyzing them and their ultimate purpose. This would reveal whether TikTok is gathering excessive amounts of data and misusing it.
According to Bangorlol, “TikTok is a data collection service that is thinly-veiled as a social network.” The tracked data goes well beyond the boundaries of a video-sharing platform and includes CPU type, hardware I.D.s, information about other — even deleted — apps, router MAC address, device MAC address, Wi-Fi access point name, and so on. Read the screenshot below for the full scope.
Furthermore, reverse engineering of TikTok is complicated by sophisticated code obfuscation that prevents reading particular function properties. Also, among other things, a few snippets of code were found in the Android version that allow “downloading of a remote zip file, unzipping it, and executing said binary,” which doesn’t make sense unless you consider compressed data transfers and/or third-party executables.
Online communities reacted swiftly, with TikTok content creators launching an open letter to Mr Trump expressing support for Microsoft’s acquisition and asking to “remove the app from the CCP’s control while allowing it to remain a bastion of community in a world where we find ourselves so isolated.”
Yet another wave of TikTok users turned to the VPN market. Both Reddit and Twitter have surged with questions on how to unblock TikTok and suggestions to use NordVPN, ExpressVPN, or other VPN providers to bypass geographical restrictions. Furthermore, TechRadar reported that NordVPN informed them that after Donald Trump’s statement, search inquiries from the U.S. increased by 15%.
To summarize, it’s too early to tell whether the States will eventually follow through on banning the service altogether (and how), whether Microsoft will manage to acquire it and buff up its user data privacy protections, whether the service will remain in ByteDance's hands, or whether the U.S. Government will get a piece of the pie.
Donald Trump has given the green light for the Microsoft-ByteDance deal, setting the deadline for negotiations to September 15. One thing is for sure: this might be big when it comes to online privacy issues, and the I.T. community will have some news to read with the morning coffee.