Canada·CBC Explains

What does TikTok know about you? What should you know about it?

Canada joins U.S., EU in banning app from government-issued devices

The TikTok startup page is displayed on an iPhone in Ottawa on Monday. The federal government this week joined the U.S. and European Union in prohibiting the social media app from government-issued devices. (Sean Kilpatrick/The Canadian Press)

One of the hottest TikTok trends right now, it seems, is Western governments banning the immensely popular app from their employees' phones and launching probes into its data collection practices.

This week, Canada joined the U.S. and the European Union in prohibiting the social media app on government-issued devices. Other Canadian jurisdictions and institutions are considering similar bans.

The move came just days after the federal privacy watchdog said it, along with three provinces, will investigate whether TikTok and its China-based parent company ByteDance are complying with Canadian privacy laws.

Agencies and Crown corporations that don't fall under the federal government's Policy on Service and Digital were informed of the decision on Monday and "strongly advised" to consider following suit, the Treasury Board of Canada Secretariat said in an emailed statement on Friday.

"CBC is a Crown corporation and not subject to the Policy on Service and Digital, and as such is not covered by this decision," the statement said.

However, several Crown corporations have voluntarily decided to leave TikTok — including the Bank of Canada, Trans Mountain Corporation, the National Capital Commission and the Standards Council of Canada.

But most TikTok users in this country aren't government employees and will continue to allow the app to access their personal data with every video they watch, like or comment on — even when they're not interacting with the app.

While almost every social media application gathers and stores user data, the amount TikTok gathers, and how transparent it is about what it collects, is what concerns some cybersecurity experts — especially because of the perception that the Chinese government could access it.

What TikTok gathers from you

Once the app is downloaded and opened on your smartphone or tablet, it's getting to know a lot about you. 

Its voluminous terms of service lay out what you're agreeing to: access to personal data like contacts, calendars, information about which device you're using, which operating system it runs and your location.

Like other platforms, including Facebook and YouTube, TikTok also monitors the content you engage with and for how long.

But TikTok also monitors how you use your device and how it functions, including "keystroke patterns or rhythms, battery state, audio settings and connected audio devices," according to those terms. 

It's also able to identify "the objects and scenery that appear [in your videos], the existence and location within an image of face and body features … and the text of the words spoken."

"Ninety-nine per cent of people are not going to read the dozens of pages of terms of service," said Heidi Tworek, the Canada Research Chair and Director of the Centre for the Study of Democratic Institutions at the University of British Columbia.

Precise GPS data

Social media businesses rely on such analytics to sell advertising, develop new versions of programs, and tailor content to users' habits.

But Robert Potter, the co-founder and co-CEO of the Canberra-based cybersecurity firm Internet 2.0, says TikTok isn't completely transparent with its more than 1.5 billion users.

His company examined social media apps including Meta-owned Facebook, Instagram and WhatsApp and found TikTok was "an outlier in the sheer amount of data it collects," he said.

For example, Potter says TikTok can collect "precise" GPS location data from users — much more precise than the company once admitted.  

"It gives us a lot of pause to thinking exactly ... what other elements of scrutiny would we like to subject them to?" he said.  

Not 'overtly malicious'

Pellaeon Lin, a researcher for the University of Toronto's Citizen Lab, authored a 2021 report analyzing the security and privacy of TikTok and Douyin, the version of the app available in China (they even use the same icon).

That report said neither app "appear to exhibit overtly malicious behaviour" akin to malware, and that both only collected certain information with the user's permission.

Except that Douyin also acquired a device's Media Access Control (MAC) address, a unique, 12-digit identifier. Even if you completely reset a phone and wipe all of the personal information, the MAC address does not change and that information could still be used to identify a user, Lin said in an interview from Taipei.

Both Google and Apple prohibit third-party apps from collecting MAC addresses. (Douyin is not available in either company's app store.)

TikTok did not collect them, according to Lin's report. But it used to, according to a 2020 report in the Wall Street Journal that found TikTok "skirted a privacy safeguard" in Google's Android operating system to gather MAC addresses from millions of devices for more than a year. TikTok told the Wall Street Journal at the time that newer versions of the app do not collect MAC addresses from such devices.

'Deeply concerning'

Douyin only needs to abide by Chinese law while TikTok — which stores its data in the U.S. and Singapore — must comply with the laws of individual countries.

Lin said his research did not find that the app connects to any servers in China directly, but couldn't rule out data being sent from one country to another and then onward to China.

TikTok and ByteDance insist no user information is stored in mainland China and that it does not provide user data to the Chinese government.

But Internet 2.0's Potter questions that. 

"[China requires] TikTok and other companies that are headquartered there to cooperate with Chinese national security priorities and intelligence," he said, echoing a point that came up often during Ottawa's recent spat with Beijing over the telecom giant Huawei.

"They're required to not disclose their participation. So, that is deeply concerning." 

He also cited a BuzzFeed report that said ByteDance employees in mainland China could access American user information — which Potter said "shows that there is a gap between what TikTok is telling the public and what it's actually doing on network."

Broader ban?

Ottawa worries that collection by TikTok of sensitive data from federal employees' devices could pave the way for cyberattacks.

The government has not indicated it wants to widen the ban but there are discussions in the U.S. about banning TikTok outright and preventing ByteDance from doing business there. 

Kristen Csenkey, a PhD candidate at the University of Waterloo's Balsillie School of International Affairs, sees problems with this because of the app's roles as both a social platform and a source of income for millions of people.

"We need to consider what the implications are," she said. "It's not just a technology or an app that's just used for one purpose."

Google and Apple could, of course, effectively kill TikTok by booting it from their Play Store and App Store, respectively. But it's not clear what it would take for either company to take such a drastic step.  

Protecting your privacy

On an individual level, the information TikTok collects from users isn't of huge value, according to Potter. 

"It's really the aggregate, huge amounts of data," he said.

But for people who want to use it and are concerned about data collection, there are ways to protect one's privacy. 

Matthew Johnson, the education director for Ottawa-based MediaSmarts, says web browser plugins and smartphone applications such as Privacy Badger, DuckDuckGo and Disconnect can limit data collection.

People walk past the headquarters of ByteDance, TikTok's parent company, in Beijing in September 2020. (Greg Baker/AFP/Getty Images)

He recommends taking a closer look at those terms of service that so many people blindly agree to, though he admits it's "not reasonable" to expect users to comb through every detail.

"They are written in such a way to satisfy lawyers rather than consumers," he said. 

He also suggests using the website tosdr.org — which stands for "Terms of Service; Didn't Read" — which grades the terms of service of websites and applications and succinctly describes any concerns.

That site gives TikTok its lowest grade.

ABOUT THE AUTHOR

Nick Logan

Senior Writer

Nick Logan is a senior writer with CBCNews.ca based in Vancouver. He has worked as a multi-platform reporter and producer for more than a decade, with a particular focus on international news. You can reach out to him at nick.logan@cbc.ca.

With files from Raffy Boudjikanian and Richard Raycraft
