What exactly about the tiktok app makes it Chinese spyware? Has it been proven it can do something?

19 Answers

Anonymous 0 Comments

It’s not in a great spot, I’ll put it that way.

To start off, the Chinese government has a habit and history of having back doors into a lot of products made by companies that have their home there. For example, Huawei, a company known for phones and servers, was ~~discovered a few years back to have been putting gov. back doors into server chips used by American companies.~~ under heavy suspicion by American companies and others for having backdoors in their systems after various security flaws were found.

On top of that, most analyses of the app itself have set off quite a few red flags, such as requiring way more security permissions than it should need, their Terms of Service requiring you to allow them to “build a full profile” on you including who you interact with and every bit of info about you, and IIRC it was found to be uploading keystrokes or copied clipboard data at frequent intervals, which is a great way to get someone’s passwords and/or other sensitive data.

So we’re at the point of “it’s doing a lot of weird shit that it shouldn’t be, but we can’t *prove* it’s doing anything malicious with it… yet.”

EDIT: Because I’m seeing it here **a lot** I’m going to clear this up. No, this is not the same thing as Google, Instagram, Facebook, etc. in the US. Here in the US (and most western countries) we not only have privacy laws that protect us from certain breaches, but more importantly the government and company are two separate entities, and are even frequently at each other’s throats. While all those companies certainly collect data, they are *not* responsible for handing it directly to their government outside of official process such as warrants and subpoenas. In China it’s the opposite: companies over a certain size are required by law to allow the government to access and have direct control over large sections of the companies’ operations. The problem worsens when we remember that China isn’t really the best of friends with a lot of western nations, and giving *them specifically* control over what large numbers of western people (especially youth) see and interact with is not great for national security. Should you still always keep privacy in mind with the western companies? Absolutely, but the two issues are worlds apart.

Edit 2: Cool that so many of you have opinions and thoughts on this. Got a little distracted by all of them and the pasta I was cooking now has the consistency of oatmeal 😅. Great having all the discussion, but getting lots of notifications still, so I’m going to mute notifications on this thread. Ttyl

Anonymous 0 Comments

By default a lot of apps can collect a lot of information with your specific permission by the user agreement, and not by your specific permission by sucking other data off your phone. People who use TikTok are sharing at least some of their personal information with the app, but along with locational data and your face etc it can easily be stored and analyzed. Are they after YOU? Probably not. But what if it’s someone of influence or a family member of someone of influence – perhaps a company executive, or a government official, or military folks. Are they tracking your travel? Your conversations? Is the app “listening” to sound in an ambient environment, like what Alexa does? What else does someone do on their phone that the app can access?

These are the kinds of real or potential red flags that people are concerned about.

Anonymous 0 Comments

TikTok collects as much data as they can about their users: their habits, location, interests. Some people say they can also activate your microphone while using the app; they can track you across websites, and there’s evidence that they inject tracking code if you visit a link from their app.

Then there’s the algorithm that suggests new content. Since so many young people spend so much time on the app it’s easy for China to sway public opinion by pushing content that aligns with their goals.

This is nothing new, other social media platforms do this too, but for the US and its allies it’s a huge risk when it’s a rival major power doing it.

Anonymous 0 Comments

That’s not the concern, not really.

There are three concerns:

1. TikTok is known to do some relatively aggressive user data collection. Lots of other apps also do this. On its own, not great, but not uniquely bad either.
2. TikTok is known to be able to make its data available to the Chinese government. China has laws that require any Chinese national to turn over any trade secrets to the government if the government asks. This is also what’s driving most of the semiconductor industry out of China.
3. TikTok isn’t available in China, but the same developer has a very similar app which is only available in China. It’s never a great sign when a country exports a product they make illegal domestically.

Taken together, the concern is that China can use TikTok as a pretty powerful influence campaign tool. They can figure out what users it wants to target. They have access to a per-user algorithm through which to target those people. There’s little risk of the app targeting their own people because they’ve banned the app internally.

There are two main concerns about how it might be used:

1. Targeting of Chinese expats to either turn them against Chinese interests, such as Taiwan. Witness the church shooting about 2 miles from my house where a ~~Chinese expat~~ *Taiwanese expat* attacked a Taiwanese congregation because he was angry about the lack of reunification between the two countries. China could use TikTok as a radicalization pipeline given the 3 above items.
2. Targeting of the general public for influence campaigns. We know that at least some of the conservative anti-mask/anti-vax campaign was originated by Russian intelligence services, and that the GOP unwittingly bought into it. This shows the potential damage that social media driven influence campaigns can do, especially if it results in hundreds of thousands of deaths. Brexit may have been driven by an influence campaign. We just learned the other day that the head FBI counterterrorism agent in the NY office was involved in an influence campaign to affect the outcome of the 2016 presidential election.

Influence campaigns are no joke, and the US works closely with social media companies to combat them (or, at least they used to with Twitter – pretty sure that’s completely busted now). Having a social media outlet like TikTok that is not responsive to US intelligence concerns is a problem.

[Correction] I originally wrote ‘Chinese expat’ as struck out above, when the individual was a Taiwanese expat. As I was writing the comment I searched and [read this article](https://www.thedailybeast.com/laguna-woods-gunman-identified-as-david-chou-of-las-vegas) which incorrectly labeled Chou as a Chinese national. Replies corrected me and asked that I correct this post.

Anonymous 0 Comments

This is from u/bangorlol; here’s a [link](https://www.reddit.com/r/videos/comments/fxgi06/comment/fmuko1m/?utm_source=share&utm_medium=web2x&context=3) to the comment itself, where the user has hyperlinks to citations.

So I can personally weigh in on this. I reverse-engineered the app, and feel confident in stating that I have a very strong understanding for how the app operates (or at least operated as of a few months ago).

TikTok is a data collection service that is thinly-veiled as a social network. If there is an API to get information on you, your contacts, or your device… well, they’re using it.

- Phone hardware (cpu type, number of cores, hardware ids, screen dimensions, dpi, memory usage, disk space, etc)
- Other apps you have installed (I’ve even seen some I’ve deleted show up in their analytics payload – maybe using a cached value?)
- Everything network-related (ip, local ip, router mac, your mac, wifi access point name)
- Whether or not you’re rooted/jailbroken
- Some variants of the app had GPS pinging enabled at the time, roughly once every 30 seconds – this is enabled by default if you ever location-tag a post IIRC
- They set up a local proxy server on your device for “transcoding media”, but that can be abused very easily as it has zero authentication

The scariest part of all of this is that much of the logging they’re doing is remotely configurable, and unless you reverse every single one of their native libraries (have fun reading all of that assembly, assuming you can get past their customized fork of OLLVM!!!) and manually inspect every single obfuscated function. They have several different protections in place to prevent you from reversing or debugging the app as well. App behavior changes slightly if they know you’re trying to figure out what they’re doing. There are also a few snippets of code in the Android version that allow for the downloading of a remote zip file, unzipping it, and executing said binary. There is zero reason a mobile app would need this functionality legitimately.

On top of all of the above, they weren’t even using HTTPS for the longest time. They leaked users’ email addresses in their HTTP REST API, as well as their secondary emails used for password resets. Don’t forget about users’ real names and birthdays, too. It was allllll publicly viewable a few months ago if you MITM’d the application.

They provide users with a taste of “virality” to entice them to stay on the platform. Your first TikTok post will likely garner quite a bit of likes, regardless of how good it is.. assuming you get past the initial moderation queue if that’s still a thing. Most users end up chasing the dragon. Oh, there’s also a ton of creepy old men who have direct access to children on the app, and I’ve personally seen (and reported) some really suspect stuff. 40-50 year old men getting 8-10 year old girls to do “duets” with them with sexually suggestive songs. Those videos are posted publicly. TikTok has direct messaging functionality.

Here’s the thing though.. they don’t want you to know how much information they’re collecting on you, and the security implications of all of that data in one place, en masse, are fucking huge. They encrypt all of the analytics requests with an algorithm that changes with every update (at the very least the keys change) just so you can’t see what they’re doing. They also made it so you cannot use the app at all if you block communication to their analytics host off at the DNS-level.

For what it’s worth I’ve reversed the Instagram, Facebook, Reddit, and Twitter apps. They don’t collect anywhere near the same amount of data that TikTok does, and they sure as hell aren’t outright trying to hide exactly what’s being sent like TikTok is. It’s like comparing a cup of water to the ocean – they just don’t compare.

tl;dr; I’m a nerd who figures out how apps work for a job. Calling it an advertising platform is an understatement. TikTok is essentially malware that is targeting children. Don’t use TikTok. Don’t let your friends and family use it.
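
The comment above (and the earlier point about the app requesting more permissions than it should) is the kind of thing a defender can check for statically. Below is an added example, not code from the thread or from u/bangorlol: a small Python audit that parses an Android manifest, reports every permission outside an assumed baseline for a short-video app, annotates the sensitive ones, and flags whether the manifest explicitly allows cleartext HTTP (the plaintext-API problem described above). The sample manifest, its package name, the baseline set and the sensitivity notes are constructed for this example and are not taken from any real app.

```python
"""Audit an Android manifest for permissions beyond what a short-video
app plausibly needs, and for the explicit cleartext-traffic flag.

Constructed example for this thread: the sample manifest, the baseline
set and the sensitivity notes are assumptions, not a real app's data.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """Return the namespaced attribute key ElementTree uses for android:NAME."""
    return "{%s}%s" % (ANDROID_NS, name)


# Assumed baseline: permissions a short-video app plausibly needs.
EXPECTED_FOR_VIDEO_APP = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
}

# Permissions whose presence deserves a question, with the data they expose.
HIGH_SENSITIVITY = {
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location while app is not in use",
    "android.permission.READ_PHONE_STATE": "phone state and device identifiers",
    "android.permission.QUERY_ALL_PACKAGES": "full list of installed apps",
    "android.permission.ACCESS_WIFI_STATE": "Wi-Fi connection details",
    "android.permission.READ_SMS": "SMS contents",
}

# Constructed sample manifest; the package name is a placeholder.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.shortvideo">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <application android:label="ShortVideo" android:usesCleartextTraffic="true">
    </application>
</manifest>
"""


def audit_manifest(xml_text):
    """Parse a manifest; return declared/excess permissions and cleartext status."""
    root = ET.fromstring(xml_text)
    declared = set()
    for el in root.iter("uses-permission"):
        name = el.get(android_attr("name"))
        if name:
            declared.add(name)
    # Anything not in the baseline is reported; sensitive ones get a note.
    excess = sorted(declared - EXPECTED_FOR_VIDEO_APP)
    findings = [(p, HIGH_SENSITIVITY.get(p, "outside the assumed baseline"))
                for p in excess]
    app = root.find("application")
    cleartext = (app is not None
                 and app.get(android_attr("usesCleartextTraffic")) == "true")
    return {
        "declared": sorted(declared),
        "excess": findings,
        "cleartext_allowed": cleartext,
    }


def risk_score(report):
    """Crude score: one point per sensitive excess permission, two if cleartext is on."""
    score = sum(1 for p, _ in report["excess"] if p in HIGH_SENSITIVITY)
    if report["cleartext_allowed"]:
        score += 2
    return score


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print("Declared permissions:", len(report["declared"]))
    for perm, why in report["excess"]:
        print("  excess:", perm, "->", why)
    print("Cleartext HTTP explicitly allowed:", report["cleartext_allowed"])
    print("Risk score:", risk_score(report))
```

To run it against a real build, decode the binary manifest first (for example with apktool) and pass the resulting XML text to `audit_manifest`. Two caveats: the check only flags an explicit `usesCleartextTraffic="true"` (older target SDK levels allow cleartext by default without the attribute), and a declared permission only shows what the app *may* do; confirming what it actually sends still needs the traffic inspection the comment describes.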

Anonymous 0 Comments

I see a lot of technical answers, so here are the actual ELI answers:

1. The app collects an egregious amount of data from the user, much more than an app of its type should. The company in China is beholden to share this data with the Chinese government. The vast amount of data can be used for very large data models about the behaviors, interests, likes, and trends in young people around the world, which will inform Chinese government decision making.
   - Now add in the ability for artificial intelligence like ChatGPT to create an infinite amount of content catered to those users based on the data collected; the ability for social engineering on a national level is insanity.
2. The app was deliberately designed to be as addictive as possible, and they know it. Why? Because the version of the app available to us isn’t available in mainland China. Rather, their version has controls built in for amount of use in the day.
3. Tech folks have pulled it apart, and there’s plenty of in-built features, such as encrypted communications channels, and access to unnecessary features on our phones, that a social media app doesn’t need. That implies its primary use isn’t a social media app, but a data collection tool.
4. “It does nothing that Facebook and Google don’t do” – a common cop-out. The vast difference is two-fold: US companies often work with the US government, but are not *legally required* to (Re: Apple fighting against the FBI), in China they are; and China is an extremely repressive and possibly genocidal dictatorship that ultimately seeks to re-order the world system in its own image; the US/Western world is… well, not that. The vast troves of data from TikTok give the Chinese government insights into global trends that let them make high level decisions.
5. “Is China spying on ME? Why do I care?” – Not likely you in particular, unless you’re an anti-communist activist, or a Chinese expat. It’s scooping your metadata, you and a billion other people. Does that impact you? Probably not. But you’re a contributing data point to their world plans now, and your personal information is in the Chinese government’s hands.

Anonymous 0 Comments

One of the biggest issues is TikTok has admitted that their employees get to control what goes viral.

All it takes is the Chinese government to promote some conspiracy theories to completely destabilize an election, which is something one of our political parties in particular has been trying to do for a very long time.

Anonymous 0 Comments

Answer: It is a foreign based company that has a lot of access to your phone’s records and data. More than is needed, by most experts’ estimations. We don’t know what the app is doing, so that makes experts worry about security.

Additionally I’m of the tinfoil opinion that the “TikTok is Chinese spyware” narrative is amplified by its competitors, namely Meta/Facebook. Make no mistake, Facebook/IG/Snap/WhatsApp are US spyware as much as TikTok is.

Anonymous 0 Comments

All social media platforms are spyware, that’s basically their business model.

The app collects everything it can about you. Obvious things like what you view and who/what you interact with on their platform. But also less obvious things like location data, contacts stored on your phone, mac addresses of devices your wifi can see.

They can build a very detailed profile about you. It can get pretty crazy once they cross reference data from different profiles, matching contacts, and devices. They don’t just know who you know, they know when you’re near them, what your routines may be. They know where you work and where you live without you explicitly telling them. They know where you get coffee in the morning, and they know the people who are typically there when you are, even if you’ve never actually noticed them.

Even people that don’t use their app have a profile. You have their contact on your phone. You’re around them so your phone can see their phone. It can cross reference profiles and location data to get a pretty good guess what the MAC address of their phone is and build around that.

Again, this is something every social media company is trying to do. The difference is TikTok is owned by a Chinese company, and the Chinese government is well known to have a hand in everything everyone over there does. Especially in the tech space. I don’t know if there is any evidence of it for Bytedance, but Chinese companies get a lot of subsidies from the government. It’s a very safe bet that people in the CCP have access to this data.

Anonymous 0 Comments

Anyone remember the free app that was in fashion 2 or 3 years ago which would ‘age’ a selfie to show how the 25 year old subject would look at 65 for example?

Then we learnt it was the CPC’s way to harvest enough data to fine tune facial recognition security systems.