I did a detailed privacy check of the Tiktok app and website. You can read my article at Süddeutsche Zeitung. Tiktok commits multiple breaches of law, trust, transparency and data protection. Here are the technical and legal details.
Long thread⤵️

This is my setup: I used mitmproxy to route all app traffic for analysis. See in this video how device information, usage time and watched videos are sent to Appsflyer and Facebook.

Hard to believe that this is covered by "legitimate interest" and transparency: Entered search terms are sent to Facebook.

Transfers to both companies break different rules of the GDPR: Facebook can't fulfill Art. 14 (information, deletion etc.) on this data.

Transfer to Appsflyer lacks transparency as it's unknown to which of the 4500+ Appsflyer partners the data will be transferred afterwards. Bytedance: "We don't show the contracts." Did they even read Art. 26 GDPR?

Most important: Fundamental rights are violated because PII is transferred to a company in an insecure non-European country. The server location doesn't count; it is about where the company deciding about the data resides, says @malteengeler. Tiktok's headquarters: Beijing 🇨🇳

I also checked the website which is important as all shared videos (via messenger or social media) are viewed there. The short URL e.g. vm[dot]tiktok[dot]com/9uTpDV will be resolved to a URL which contains the installation ID. Tiktok will be able to check who shared which video.

But they also track who is watching the video. Among common trackers (Google Analytics) they use the highly controversial method of device fingerprinting to set a mostly unique hash to the cookie s_v_webid. This is done by combining typical hardware and browser characteristics.

One of them: Canvas Fingerprinting. They draw an image in the background using vector graphic commands. Afterwards they save the image to a rasterized PNG. This data is quite unique among different devices depending on settings and hardware.

They also use audio fingerprinting to identify visitors. This doesn't mean they actually use your microphone or speaker. Instead they generate a sound internally and record the bitstream, which also differs from device to device. This is what it sounds like.
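
The device, canvas and audio fingerprinting described in the last three posts can be made visible from the defender's side. The following is an added example, not code from this thread, from Tiktok/Bytedance or from FingerprintJS: it wraps the browser APIs a fingerprinting script must read back from (canvas pixel export and decoded audio buffers) and reports which script origin called them and whether the canvas being read was ever attached to the page. Running it before any other script on a page (for example from a content script or a debugger snippet) shows which third party derives a hash. The prototype-injection design, the `likelyFingerprinting` heuristic and the stand-in objects in `demoOffline` are my assumptions for illustration, not anything the thread describes.

```javascript
// Added example (not from the thread): instrument the readback APIs used by
// canvas and audio fingerprinting so an analyst can see who calls them.
// Prototypes are passed in explicitly so the same logic runs under Node
// against constructed stand-ins.

const CANVAS_READBACK = ["toDataURL", "toBlob"];
const CONTEXT_READBACK = ["getImageData"];
const ANALYSER_READBACK = ["getFloatFrequencyData", "getByteFrequencyData"];

function createFingerprintMonitor() {
  const events = [];

  // The first http(s) URL in the stack trace is the script that triggered
  // the readback. Under Node the frames are file paths, so "unknown" there.
  function callerOrigin() {
    const stack = new Error().stack || "";
    const match = stack.match(/https?:\/\/[^\s)]+/);
    if (!match) return "unknown";
    try { return new URL(match[0]).origin; } catch (_e) { return "unknown"; }
  }

  // Replace proto[name] with a wrapper that records the call and then
  // delegates to the original, so page behaviour is unchanged.
  function wrap(proto, name, api, suspicious) {
    if (!proto || typeof proto[name] !== "function") return false;
    const original = proto[name];
    proto[name] = function (...args) {
      events.push({
        api,
        method: name,
        origin: callerOrigin(),
        // A canvas read back while detached from the document was never
        // meant to be seen: the usual shape of canvas fingerprinting.
        hidden: Boolean(suspicious ? suspicious(this) : false),
      });
      return original.apply(this, args);
    };
    return true;
  }

  // Returns the number of methods actually hooked.
  function install({ canvasProto, context2dProto, audioBufferProto, analyserProto }) {
    const offscreen = (el) => Boolean(el && el.isConnected === false);
    let count = 0;
    for (const m of CANVAS_READBACK) if (wrap(canvasProto, m, "canvas", offscreen)) count++;
    for (const m of CONTEXT_READBACK) if (wrap(context2dProto, m, "canvas", (ctx) => offscreen(ctx && ctx.canvas))) count++;
    if (wrap(audioBufferProto, "getChannelData", "audio")) count++;
    for (const m of ANALYSER_READBACK) if (wrap(analyserProto, m, "audio")) count++;
    return count;
  }

  // Per-origin summary: canvas/audio readback counts and whether any canvas
  // readback came from an off-document canvas (heuristic, my assumption).
  function report() {
    const byOrigin = new Map();
    for (const e of events) {
      const row = byOrigin.get(e.origin) || { origin: e.origin, canvas: 0, audio: 0, hiddenCanvas: 0 };
      row[e.api] += 1;
      if (e.hidden) row.hiddenCanvas += 1;
      byOrigin.set(e.origin, row);
    }
    return [...byOrigin.values()].map((row) => ({
      ...row,
      likelyFingerprinting: row.hiddenCanvas > 0 || (row.canvas > 0 && row.audio > 0),
    }));
  }

  return { install, events, report };
}

// Browser entry point: hook the real prototypes before other scripts run.
function installInBrowser(monitor) {
  if (typeof HTMLCanvasElement === "undefined") return 0;
  return monitor.install({
    canvasProto: HTMLCanvasElement.prototype,
    context2dProto: CanvasRenderingContext2D.prototype,
    audioBufferProto: typeof AudioBuffer !== "undefined" ? AudioBuffer.prototype : null,
    analyserProto: typeof AnalyserNode !== "undefined" ? AnalyserNode.prototype : null,
  });
}

// Constructed stand-ins (not real DOM objects) so the monitor can be
// exercised offline: a detached canvas and an audio buffer are read back.
function demoOffline() {
  const monitor = createFingerprintMonitor();
  const FakeCanvas = function () { this.isConnected = false; };
  FakeCanvas.prototype.toDataURL = function () { return "data:image/png;base64,AAAA"; };
  const FakeBuffer = function () {};
  FakeBuffer.prototype.getChannelData = function () { return new Float32Array(4); };
  monitor.install({ canvasProto: FakeCanvas.prototype, audioBufferProto: FakeBuffer.prototype });
  new FakeCanvas().toDataURL("image/png");
  new FakeBuffer().getChannelData(0);
  return monitor.report();
}
```

In a real page, `report()` run after load lists each script origin with its readback counts; a third-party origin that exports pixels from a canvas that was never in the DOM and also reads synthesised audio is the pattern the thread describes. The wrappers delegate to the originals, so the page keeps working while the calls are logged.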

Bytedance told me that they use this fingerprinting to identify malicious browser behaviour. I don't believe it, because the website still works if the script is blocked. Also, they already use Akamai's fingerprinting technology on the server (which is another story to investigate).

The same fingerprinting script and cookie is used on Bytedance's news site Toutiao. What I found out for sure: If someone shares a video, Bytedance can
a.) tie the recipients of the video to the sender
b.) track recipients subsequently on Tiktok and Toutiao.

There are many other breaches e.g. Google Analytics is used without anonymizing the IP data. And they use free software without proper license, for example Zepto.js from Thomas Fuchs, Murmur Hash from Austin Appleby and FingerprintJS from Valentin Vasilyev. How low can you go?

These are the PRIVACY problems with Tiktok. Last week Netzpolitik published detailed information about CENSORSHIP problems. Read these 3 articles starting here.
So is it a good idea for Tagesschau to foster this system with videos paid for by German households?

Channel operators may fall under joint controllership with Tiktok, as the ECJ ruled for FB fanpages. A channel could be closed if Tiktok violates privacy. The DPO of German public broadcaster NDR, Heiko Neuhoff, told me he will soon decide if this applies to the channel of Tagesschau.

My comment 📝: Tiktok is breaking the law in multiple ways while exploiting mainly teenagers' data. This should be regulated quickly and rigorously. We have all the necessary laws. Don't let them break society like 10 years of FB did. Journalists should find a better place for vertical video.

Thanks for all the positive comments. I transferred the thread to a blog post for more convenient reading.

Please consider a donation to support my work, currently I'm not able to live from those articles.

jesus fucking christ, what layer of hell is this
(no this isn't my first time)

@rufposten Thanks for your work and for revealing all this.

@rufposten I feel sorry for the generation for which being accepted implies using all these apps.

@rufposten I teach young students and TikTok is all the rage right now ... I have done work with my students (age:11) around privacy and data exploitation but your work here is an eye-opener beyond even that ... Thanks for sharing ... I need to continue my conversations with kids and parents ... Is there a single place where you have compiled your analysis? Or is it just in this thread?

@rufposten ah yes, the best way to protect vulnerable people is to hide them from society, and not like, geez, idunno, speaking out in their support and making sure their needs are met

@rufposten Well, but Tiktok's target audience will care very little about this.

@rufposten would you mind providing a link to that article?

@rufposten Wow! I knew TikTok was garbage... but... wow. Thank you very much for your work.

@rufposten so does facebook, instagram, twitter... and nobody gives a shit, so why care here?

Ah, yeah, right... it's from the China which is "the enemy"...

@musicmatze Even if this whataboutism isn't of help in most cases: Do you even know how many critical articles I wrote about facebook inc?

Just research a minute and think before you judge.

@rufposten I did not mean to judge you or your articles at all! Sorry if that was unclear.

My post was rather targeted towards the whole hype around "TikTok is so bad"... because (at least in my bubble) there seems to be a hype around the whole topic. And I think that hype is really dishonest, because most people yell at this company but in the same moment do not care about facebook and the others, plus from what I see, that is only reasoned with "It's China". And that's ridiculous, IMHO.

@musicmatze @rufposten TikTok just entered the news from what I can see, Facebook's bullshit has been going on for years now. People don't care about old news.

@rufposten Could you put this into a blog post, so that it's not as ephemeral as a toot thread? I would love to be able to share the reference elsewhere.

@rufposten Wow. Amazing work. I am deeply impressed by this thorough analysis! At the same time I know so many young people that don't see the argument for privacy and it just depressed me.

@phel @rufposten How can we best explain to people that the #protection of #private information in our world is very important?

@odyssey @rufposten Well I guess that's the question. I think Snowden has a nice approach in his book, but since the concept is kind of abstract and doesn't immediately show results it's hard to explain... imho

@odyssey @phel
Well, explaining is our job, the journalists' job. I would be grateful if more people could support independent journalism, be it in donations or a classic subscription.

But I also think that there is a much more effective and quick way: If in Europe, file a complaint about every privacy violation you notice. You will be surprised how fast things will change.

Thanks for your work. The little one asked to install the App on their phone and we said "no" because of addictiveness and the App development company being in China, which gave me a bad feeling. Reading this I'm glad we made the right decision.
