How big of a cybersecurity and privacy threat is TikTok?

A special report on TikTok bans, addiction, data privacy, and surveillance

Welcome to the latest issue of The Breach Report, a cybersecurity newsletter from the creators of the Cybersecurity Careers Blog. Be sure to subscribe via email or RSS.

This is a special report on ByteDance’s TikTok, which is facing increasing pressure from the U.S. government. President Biden has signed a law forcing a sale of its app within a year if it hopes to stay in operation in the States. ByteDance has declared it’d prefer to completely exit the U.S. instead of selling or removing its algorithm.

TikTok won’t be sold, ByteDance confirms

ByteDance, the Beijing, China owners of TikTok, have confirmed that they will not sell TikTok to continue operating the social media app in the United States. The announcement comes as U.S. President Biden signed a law on Wednesday, April 24, that approved a foreign aid package and banned the app within the U.S. unless it’s sold within a year.

The defiant response from ByteDance came after a report from The Information claimed that the company was “exploring selling a majority stake in TikTok’s U.S. business” but would withhold including the app’s powerful algorithm in the sale.

According to a Reuters report with four confidential sources, ByteDance would prefer to shut down TikTok entirely in the U.S. rather than sacrifice its powerful algorithms and app.

Tiktok’s CEO, Shou Zi Chew (周受资), remains confident that the company will prevail in U.S. courts and that the app will continue operating for years.

"We are confident and we will keep fighting for your rights in the courts. The facts and the Constitution are on our side and we expect to prevail,” said Chew.


Response to TikTok Ban Bill

How big is TikTok? Big.

ByteDance downplays the app's success in the U.S., framing it as a “loss leader” and that losing an American user base wouldn’t significantly impact its business. That’s a bit deceptive, as TikTok has over 1.5 billion monthly active users (MAU) globally, making it the fifth most active social media platform. There are over 148 million monthly unique users in the U.S., the app’s largest single audience globally.

Creating the surveillance Trojan horse: make it addicting

With the high probability that TikTok will be banned within a year in the U.S., it may be a bit confusing how we got to this point for those not keeping track. To understand the threat, we need to go back to 2017.

TikTok has become a flashpoint across foreign relations between China and the U.S., including outspoken U.S. politicians on each side of the aisle. The move stems from fears among U.S. lawmakers that China could use the app for surveillance activities and to gather data on millions of U.S. citizens.

The app entered the radar of U.S. politicians once ByteDance purchased the karaoke app in 2017 and relaunched it as TikTok. Its short-form videos became a social media phenomenon, skyrocketing in popularity and usage. The app's use of popular or custom music combined with computer-generated voices, filters, or catchy templates seemed to penetrate every niche pop culture or interest.

TikTok was so successful that it has since been cloned by every major existing social media platform. Meta’s clone exists on Instagram as Reels; Snapchat cloned it as Spotlight; and YouTube created Shorts.

So, how did each clone possibly have a shot at competing? Easy: it paid its creators to do so with money. A lot of money.

Each platform offered creators substantial financial incentives to use their clone, compared to TikTok in 2021-2022: Meta invested $1 billion across Facebook, Instagram, and Reels to pay creators for creating viral content. Snap invested $250 million to pay its 12,000 creators on Spotlight. And not to be outdone, Google invested $100 million for creators on YouTube Shorts.

Despite Silicon Valley funding its army of clones, TikTok has remained the most popular social media app for Generation Z. Its algorithms are thought to be the most effective compared to Meta, Snap, Google, and others for showing endless examples of niche interests or chaining similar interests across categories. The result is a highly addictive, rabbit-hole-inducing social media experience that can keep users glued for hours a day.

According to Sprout Social, nearly 80% of youth between 12 and 17 use TikTok daily. The earliest surveyed use starts at just 3 years old.

As for monetizing the app, 49% of Generation Z TikTok users have purchased something on the platform, second only to Instagram. But it's far and away the most engaging platform, with an average engagement rate of 2.65%, with Instagram a distant second at just 0.70%.

But it’s not just Gen Z who have become addicted and power users of the app: the app’s largest age group is 18-24 (36.2% of its demographics), and across all demographics, average use is 53.8 minutes a day – king of all social media apps.

You’ve probably also seen the company's recent advertising campaigns, which claim to help everyone from nuns to farmers reach new audiences and customers across the country. It’s a desperate approach by ByteDance to appeal to typically conservative Republicans who would align with those examples as China hopes to keep its app inside the U.S. firewall.

TikTok has become so addicting to its power user base that it has been linked to increases in self-harm, suicide, and depression.

TikTok as a surveillance and data collection app for China

Much has been reported on TikTok as a social media platform to be leveraged for data collection and surveillance of U.S. persons.

On its privacy and security page, TikTok states that “TikTok user data is stored in protected data centers in the US, Malaysia, and Singapore, and we’ve announced plans to establish a data center in Ireland.”

It continues, “Certain elements of user data are encrypted at rest and in-transit using industry standard algorithms. The encryption keys are maintained in our key management system which is operated by our US-based security team.”

So what’s the big concern?

The U.S. government has said it’s worried China could use its national security laws to access the significant amount of personal information that TikTok collects from its U.S. users, like most social media applications.

Chinese national security intelligence laws require “any organization or citizen” in China to “support, assist and cooperate with state intelligence work,” without defining what “intelligence work” means. The legalese is intentionally broadly scoped and promotes information collection to guard against “foreign threats” to China.

The Federal Bureau of Investigation has continued investigating ByteDance for using TikTok as a spying and surveillance tool against journalists.

Plot Twist: U.S. TikTok Creator user data isn’t stored in the United States after all

Oracle has hosted some American TikTok data on its servers since 2022, and TikTok has previously claimed all U.S. user data resided at that location.

However, multiple reports emerged in 2022 proving Beijing has accessed U.S. user data. Finally, TikTok came clean:

Employees outside the US, including China-based employees, can have access to TikTok US user data subject to a series of robust cybersecurity controls and authorization approval protocols overseen by our US-based security team.

TikTok CEO Shou Zi Chew, July 2022 (source)

Shockingly, TikTok admitted under oath at a Congressional hearing in 2023 that some U.S. users it flags as “creators” that participated in the TikTok Creator Fund are held outside of U.S. soil, potentially within the reach of the Chinese government.

No one from TikTok or ByteDance would state where precisely the participating U.S. TikTok Creator Fund account user data resides. Lawmakers pressing the companies for answers were met with convenient non-answers.

“We were asked about, and our testimony focused on, the protected user data collected in the app—not creator data,” stated TikTok officials in a June 16, 2023 response memo to the U.S. Senate.

The remaining non-Creator Fund TikTok U.S. user data isn’t even primarily stored in Texas on Oracle infrastructure but in Virginia and Singapore.

TikTok Bans spread globally

TikTok CEO Chew asserts that TikTok’s parent company ByteDance is “a private company” that is “not owned or controlled by the Chinese government” in a U.S. Congressional hearing last year.

He claimed that the platform promotes “safety for teenagers, firewall protection for U.S. user data, transparency, and no foreign government influence.”

But that didn’t convince any party-line-abiding conservative Republicans and even some Democrats.

“Your assurances are worthless,” said House Representative Marc Veasey (D-Texas). “You have done nothing to earn our trust.”

Chew also admitted under testimony that former NBA player Enes Kanter Freedom was banned on TikTok. Freedom is an outspoken critic of China, and the country has a close financial partnership with the NBA.

Multiple bans have persisted across the globe as security and privacy-conscious governments grow continuously uncomfortable with the app’s potential weaponization.

  • United Kingdom - The UK banned TikTok from government devices in March 2023

  • European Union Parliament, European Commission, and EU Council have banned TikTok on staff devices

  • France - the French government banned TikTok, Netflix, and Instagram on civil servant smartphones

  • Australia - TikTok is banned on all federal government-owned devices

  • Estonia - Estonia’s outgoing minister of IT and foreign trade, Kristjan Järvan, stated TikTok is banned on smartphones issued by the state to public officials

Who wants to buy TikTok?

Chew remains confident TikTok isn’t going anywhere.

Multiple opportunistic billionaires and holding companies aren’t convinced and are willing to throw their cash on the table to buy the platform.

According to Business Insider and Time, potential buyers include:

  • Former Activision CEO Bobby Kotick

  • Former Treasury Secretary Steve Mnuchin

  • Entrepreneur and investor Kevin O’Leary

  • Oracle co-founder Larry Ellison and Walmart

  • Microsoft

  • McCourt Global founder and former CEO Frank McCourt

Unanswered questions include who will own the U.S.-based TikTok entity, the infamous algorithm, and whether the app will be forced to exit the U.S. market entirely.

We’ll find out by January 19, 2025.

Do you use TikTok despite any potential privacy or cybersecurity concerns?

Login or Subscribe to participate in polls.

Until next time…

Rob Waters
The Breach Report + Cybersecurity Careers Blog

Join the conversation

or to participate.