Security firm Internet 2.0 cracked the source code for the popular video-sharing platform – downloaded by more than 7.5 million Aussies – to uncover how an array of data is being targeted without the user being aware.
The Beijing-backed app taps into smartphone calendars, contacts list and scans the device’s ID and hard drive to monitor all other apps that have been installed.
TikTok also checks the device’s location at least once an hour and will persist in seeking data from contacts even if permission is denied, according to the report.
Mainly used by young people under the age of 18, the platform, which beat out Google to become the globe’s most popular website in 2021, largely consists of short dance videos and is widely viewed as harmless.
But with the communist superpower a world leader in data collection, AI and facial recognition software, there are fears TikTok is being used by Beijing to spy on young people in the west.
Internet 2.0 CEO Robert Potter accused TikTok and its parent company ByteDance of being deceptive.
‘Their source code is at odds with their public statements about how their app functions,’ he told the Nine network.
TikTok says all user data for the region is hosted in Singapore and only accessed by a small number of people who need it to maintain the site.
‘The IP address is in Singapore, the network traffic does not leave the region and it is categorically untrue to imply there is communication with China,’ the company said in a statement.
However, Mr Potter said his team had identified that on Apple smartphones the app was connecting with servers in China, although they could not say what information was being sent.
‘There was significant amounts of traffic flows to servers in China,’ he said.
In the report, which has been circulated to Australian and US politicians, Internet 2.0 said TikTok was not transparent about the data it requested and where it went.
‘During analysis we could not determine with high confidence the purpose for the connection or where user data is stored,’ the report said.
‘The China server connection is run by Guizhou Baishan Cloud Technology, a cloud and cybersecurity company.
‘The subdomain connected to the China server connection resolved in multiple locations around the world including in China.’
TikTok also requested access to external storage in a manner deemed ‘excessive’.
‘This is a standard command for a social media application to store video and images,’ the report said.
‘The aspect we list as excessive is TikTok doesn’t just retrieve the ability to see folders, it retrieves a list of everything available in the external storage folder.’
The report stated the app gathered more information than it needed to work.
‘The TikTok mobile application has been built with a culture that does not place privacy as a principle as most of the permissions and device information being collected are above necessary for the application to function,’ the report said.
TikTok said the information it gathers is in line with standard industry practices and is securely encrypted.
Mr Potter pointed out that because the company is based in China, it is governed by Chinese laws and would be forced to hand over any data requested by the Communist Party.
‘Because it is domiciled and is a Chinese company it’s governed by Chinese law first, which means it operates in a very different privacy culture,’ he said.
Under Chinese law organisations and individuals are required to ‘support, assist and co-operate with the state intelligence work’.
TikTok has stated its employees would never share information with the Chinese government and have never been asked to.
Liberal Senator James Paterson called on the government to act and ban the app.
‘It was already worrying enough to recently learn user data is being accessed in mainland China,’ Mr Paterson said.
‘It is frankly alarming to discover exactly what data is being collected from TikTok users, and how much of it is unnecessary.
‘It’s hard to think of an innocent reason excessive data is being collected especially given it is obtainable by the Chinese government.’
‘The Albanese government must stop sitting on its hands and act to protect Australians’ cybersecurity and privacy.’
Information sharing with TikTok can be limited through phone settings and is more restricted on PCs.
However, some experts say the only sure way to stop the app collecting data is to get rid of it.
ANU data encryption expert Vanessa Teague said the app could gather financial and payment information, messages, photos and videos, audio and sound recordings, plus web browsing history.
Even blocking location information to the app wouldn’t work if videos were tagged with the GPS location.
Dr Teague had pithy advice for those concerned over privacy.
‘Delete the app,’ she told SBS.
‘TikTok is less transparent … than Facebook [and] tends to come under less scrutiny (as it’s) based in a less democratic country.’
Daily Mail Australia has contacted TikTok for further comment.