On March 22, 2021 the Citizen Lab published a comparative analysis of security, privacy, and censorship issues in TikTok and Douyin. In this explainer, we discuss the findings with Pellaeon Lin, the report’s lead author.
What was the Motivation Behind this Research?
In the last few years, TikTok, an app for making and sharing short videos, has grown to be one of the most popular new social platforms. This is a significant accomplishment for its developer ByteDance, a China-based company.
TikTok’s popularity in North America in particular has put it under increased scrutiny, especially following the Trump Administration’s attempt to ban the app in the U.S. over alleged national security concerns stemming primarily from its being owned and operated by a Chinese company. Other countries—including India, Pakistan, Indonesia, and Bangladesh—have also taken government action to restrict or outright ban the use of TikTok.
Despite these actions, there has been limited technical research on TikTok. Even less attention has been given to Douyin, the version of TikTok made for the Chinese market.
Previous research has shown that apps developed by Chinese companies that serve both Chinese and international markets may have different features with implications for privacy and security, especially around content regulation. Laws and regulations in China restrict a broad range of speech online, and companies are held liable for the content on their platforms. Analyzing these differences can bring a better understanding of how developers tailor applications to different markets and of potential issues for user privacy and security.
Our project sets out to do a comparative analysis of privacy, security, and censorship issues in the two applications to assess if there is a technical basis for the concerns raised by governments and the media.
What’s the difference between TikTok and Douyin?
TikTok and Douyin are both apps for making and sharing short videos.
ByteDance first launched the video sharing app as Douyin for the Chinese market. It then made a different version called TikTok for markets outside of China. While the concept is similar, the apps are entirely separate. However, our analysis of the Android versions of the apps shows that they share many parts of their source code. These similarities are likely because ByteDance develops TikTok and Douyin from a common code base and applies different customizations according to market needs.
Do the apps have privacy issues?
TikTok and Douyin do not appear to exhibit overtly malicious behaviour similar to that exhibited by malware. We did not observe either app collecting contact lists, or recording and sending photos, audio, videos, or geolocation coordinates, without user permission. However, there are many ways that an app may invade user privacy. What we found provides an overview of what data these apps collect but is not an exhaustive list of data collection on TikTok and Douyin.
In comparison to other popular social media platforms, TikTok collects similar types of data to track user behaviour and serve targeted ads. TikTok collects information about your device (model, serial numbers, etc.) and your usage patterns. Some of the collected information is sent directly to TikTok servers while some is first sent to third parties such as Facebook and Google. TikTok also tells Facebook about the specific posts that you have viewed and whenever you like a post or follow a user. All of this information allows TikTok and their partners to learn about your interests and behaviour. When combined with information collected through other means and channels, TikTok and their partners may be able to track your viewing history across different platforms.
While the level of user data collected by TikTok is similar to that of other major social media platforms, the general privacy standards for social platforms are not a high bar. Social platforms generally do not adhere to data minimization principles. The device information and usage patterns they collect are not necessary to provide the core functions of the apps. The social media industry also largely profits from targeted advertising, which relies heavily on data collected by social platforms.
In comparison to TikTok, Douyin collects more information about your device and your usage patterns. Some of the collected information is sent directly to Douyin servers, and some is sent to other Chinese companies, including Aliyun, Umeng, Xiaomi, and Taobao. Using proprietary encryption, Douyin collects the device’s MAC address, a unique identifier that comes with the device and cannot be reset. This level of data collection goes beyond what is typically collected by popular international platforms. Collection of MAC address data has been found in other Chinese apps, such as popular browsers.
How does TikTok’s data collection compare to other popular social media platforms such as Facebook?
TikTok and Facebook collect similar amounts of user data. Both apps collect device information and usage patterns. Device information includes device identifiers, technical specifications (such as screen resolution), network address, and hardware model names. Device information can be used to identify and track a user when they are not logged in. Device information may also be cross-referenced with other data sets (such as data collected by other platforms) to piece together a user’s behaviour across platforms. Usage pattern data collection involves recording a user’s behaviour on the platform, such as the posts liked by a user. There is no evidence of TikTok or Facebook recording audio and video, accessing user files, or reading contact lists without user permission.
Do the apps censor content?
Since Douyin is made for the Chinese market, it is expected that the application will have content controls to comply with Chinese law and regulations that make companies liable for the content hosted on their platforms. To follow these regulations, companies must invest in technology and personnel to filter content according to government guidelines.
There have been previous reports of censorship on TikTok, but how the controls work and the extent to which they are implemented is not clear. In our research, we ran a series of tests on both platforms to measure censorship.
We found that both TikTok and Douyin have source code for restricting search results for content labeled as “hate speech,” “suicide prevention,” and “sensitive.” We suspect the “sensitive” field restriction refers to content that is “politically sensitive” but could not confirm this. We also tested searching for political terms in Douyin and TikTok, which showed that Douyin restricted some of the keywords while TikTok did not restrict any of the keywords we tested.
For censorship of user posts on TikTok, we did detect a portion of posts that became unavailable after their initial availability. However, we were not able to determine whether the posts were spontaneously taken down by the users or the platform. We also did not find a clear pattern dictating why some posts became unavailable while similar ones remained available. In summary, the evidence we collected is inconclusive about whether TikTok employs political censorship of user posts.
We did not test for censorship of user posts on Douyin. Douyin’s platform policy already forbids users from posting politically sensitive content. Since Douyin is a domestic Chinese platform, it must also comply with Chinese laws requiring the removal of politically sensitive content.
Does TikTok share data with the Chinese government?
Our research shows that there is no overt data transmission to the Chinese government by TikTok. In our testing, TikTok did not contact any servers within China. This finding could mean that TikTok’s user data is not stored in China. However, it is also possible that the non-China servers that receive user data transfer it to servers in China afterwards. If any user data is actually stored in China, it increases the likelihood that the Chinese government could gain access to it.
In TikTok’s Law Enforcement Data Request Guidelines, there are separate rules for certain Asian countries and regions. A notable difference between the rules is the responsible company entity. For a number of Asian countries and regions (e.g., Cambodia, Hong Kong, Indonesia, Laos, Philippines, Singapore, Thailand, Japan, Korea, Taiwan, Vietnam, Malaysia, Macau), TikTok Pte. Ltd is responsible; for other countries, TikTok Inc. is responsible. Presumably, China is not in the former list because TikTok does not offer service in China.
It is unclear from TikTok’s policy how it will respond to data requests from the Chinese government. None of TikTok’s three Transparency Reports show any data requests from China. It could be that TikTok did not receive any data requests from China, or that it does not record the number for China.
The Chinese government might also use unconventional ways to obtain user data; for example, by using the domestic National Security Law to compel TikTok’s parent company ByteDance, which is headquartered in Beijing, to turn over data. This scenario, while plausible, is speculative. Currently, there is no evidence that the Chinese government has used these means to pressure ByteDance.
Does TikTok pose a threat to US national security?
TikTok’s program features and code do not pose a threat to national security. It also does not appear to harm national security by being uncooperative with government data requests or by spreading information favorable to the Chinese government. However, TikTok competes with existing social media platforms in the international market. The business advantage and the control of valuable personal data lost to TikTok, a foreign company, could potentially have a negative impact on national security. These issues are relevant to the US and to any other country that is assessing the use of the application.
On the technical level, we did not find TikTok to exhibit malware-like behaviour or to contain malware-like code. In terms of local law compliance, TikTok appears to be mostly cooperative with government data requests, as can be seen from its Transparency Report. (TikTok only published its first Transparency Report in December 2019, covering the first half of 2019.)
On the business side, TikTok is a strong foreign contender to the current US dominance in the social media industry. This is potentially an area that can be viewed as threatening US national security, as it decreases a US business advantage and the influence the US could exert by controlling the content distribution channels of the Internet.
There are also concerns that TikTok could be used to spread views favorable to the Chinese government. Systematically studying content related to the Chinese government on TikTok was outside the scope of our study. However, based on casual use of the app, the TikTok curation algorithm seems to favor local content on the “For You” curated feed. Therefore, it seems unlikely that TikTok is currently spreading views overtly favorable to the Chinese government. There is also no business advantage for TikTok in spreading this type of content to international users, especially if there is an obvious bias towards the Chinese government. TikTok could be performing subtle content manipulation, but it would be difficult to prove or disprove that this is the case.
Our experience with Douyin’s content feed is very different. When tested from a Canadian network address, the app still shows content local to China. Much of this content shows positive images of the country, such as government officials visiting disaster-struck areas. This type of content is expected because Douyin only targets the China market, and its Terms of Service list seven principles that all uploaded content should adhere to: laws and regulations, the socialist system, national interest, the legal rights of citizens, public order, morality, and truthfulness (法律法规、社会主义制度、国家利益、公民合法权益、社会公共秩序、道德风尚和信息真实性).
Should I use TikTok?
The security and privacy situation of an application can change at any time, and independent security research is always needed to help better assess the safety of applications.
Should I use Douyin?
Douyin has a number of features and issues that raise privacy and security concerns. You should understand these issues before deciding if you are comfortable using the application.
Like any app in the Chinese marketplace, Douyin includes features for blocking content. The app may also manipulate its feed to present content that is favorable to the Chinese government. It also collects more personal data than TikTok, such as your device’s MAC address. Douyin’s code contains unusual features, such as silent background updates, which could allow Douyin to execute any code pushed by its servers. Similar content controls and privacy issues have been found in other popular Chinese applications, including web browsers and chat applications.