Threat Brief: Security Issues Surrounding TikTok and Its Potential for Espionage and Misinformation Campaigns
2025-1-20 13:34:8 Author: krypt3ia.wordpress.com

Date: January 20, 2025

Compiled by: Krypt3ia

Executive Summary

TikTok, a social media platform owned by the Chinese company ByteDance, has been at the center of cybersecurity concerns due to its potential use as a tool for espionage, data harvesting, and disinformation campaigns. These concerns stem from its ownership, links to the Chinese government, and technical forensics evaluations of the app. Governments worldwide, including the United States, have raised alarms over TikTok’s ability to collect user data on a massive scale, track user behavior, and possibly promote narratives favorable to Beijing. Below is a detailed analysis of these issues, based on research from cybersecurity experts, forensics evaluations, and open-source intelligence (OSINT).

Ownership and Governance Risks

Concerns Around ByteDance and CCP Influence

ByteDance, headquartered in Beijing, operates under China’s regulatory framework, including the National Intelligence Law (2017). This law mandates that Chinese companies and citizens cooperate with intelligence agencies when requested. This legal obligation raises significant concerns that TikTok data could be accessed by the Chinese government for espionage or other national interests.

Government and Military Bans

• The U.S., Canada, the EU, India, and Australia have restricted or banned TikTok on government and military devices due to national security concerns.

• India outright banned TikTok in 2020, citing concerns about data security following skirmishes with China.

• The U.S. passed the RESTRICT Act, a legal framework to address risks posed by foreign-controlled technologies, targeting TikTok as a primary concern.

ByteDance Internal Practices

Reports from The New York Times, Forbes, and whistleblower allegations have indicated that ByteDance employees in China have had access to U.S. user data. One such incident, dubbed “Project Texas,” involved ByteDance attempting to create an independent U.S.-based data storage system via Oracle; however, this effort has not assuaged critics.

Forensics Evaluations of TikTok

Technical Findings

Independent analyses of TikTok’s application by cybersecurity firms and researchers have revealed several technical security concerns:

Extensive Data Collection:

TikTok collects:

• Geolocation data (even when location services are disabled).

• Keystroke patterns (raising concerns about potential keylogging capabilities).

• Device metadata, such as IMEI numbers, SIM details, and network information.

Code Obfuscation:

TikTok’s codebase contains obfuscated routines that make it difficult for security analysts to evaluate its full functionality. This obfuscation has raised red flags about the app’s true intentions and whether malicious payloads or backdoors could be deployed.

Permissions Abuse:

Researchers from Citizen Lab and Penetrum have found that TikTok requests permissions unrelated to its primary function, including microphone access, clipboard data, and detailed sensor information, such as accelerometer and gyroscope data.

Behavior Similarities to Malware:

Evaluations by Talos Intelligence and Abuse.ch suggest TikTok behaves in a manner similar to some spyware, gathering sensitive user data far beyond what’s typical for most social media apps.

Comparisons to Western Apps

While Western apps like Facebook and Instagram also engage in data collection, TikTok’s connections to the Chinese government, combined with its data harvesting at scale, make it a unique geopolitical threat.

Espionage Potential

User Data as an Intelligence Asset

TikTok collects an extensive amount of user data, including:

Behavioral data: Time spent watching specific videos, search histories, likes, and content interactions.

Location tracking: Continuous monitoring even when not using the app.

Demographic profiling: Age, language, device type, and application usage patterns.

This wealth of data could be exploited in several ways:

Targeting Government or Corporate Officials: Through advanced analytics, TikTok could profile users of interest, such as government personnel, corporate executives, or individuals with access to sensitive information.

Facilitating Phishing Campaigns: Data from TikTok could help design spear-phishing attacks using behavioral insights about high-value targets.

Potential for Cross-App Tracking

TikTok has been accused of bypassing app-tracking restrictions implemented by Apple’s iOS and Google’s Android platforms. Research indicates TikTok may utilize device-level fingerprinting techniques to continue monitoring users across applications, raising further concerns about its ability to compromise user privacy.

Misinformation and Disinformation Campaigns

Content Moderation Concerns

TikTok’s algorithm for promoting content is opaque and has raised fears that it could amplify Chinese state narratives or suppress dissenting views. Evidence has been documented of:

Censorship: Content critical of the Chinese government, such as posts about the Hong Kong protests or Uyghur detentions, has reportedly been suppressed.

Algorithmic Manipulation: The platform could artificially amplify content favorable to Beijing, particularly during geopolitical events such as Taiwan-related crises or U.S. elections.

Deepfake and Propaganda Dissemination

With TikTok’s popularity as a video-based platform, it is highly suited for the dissemination of deepfakes and propaganda. State actors could use TikTok to distribute convincing disinformation, such as manipulated videos of politicians or falsified event footage.

Influence on Youth and Public Opinion

TikTok’s dominance among younger audiences makes it a powerful tool for shaping narratives. By curating content, TikTok could influence political opinions, exacerbate societal divisions, or discourage civic engagement in adversarial nations.

The intelligence community in multiple countries, particularly in the United States, has weighed in on TikTok and expressed significant concerns regarding its potential for national security threats. The concerns largely center around data collection, Chinese government influence, and the platform’s ability to influence public opinion. Below are some key statements and assessments from intelligence agencies and officials:

U.S. Intelligence Community Assessments:

FBI

Christopher Wray, FBI Director (November 2022):

Wray testified before Congress and warned about TikTok’s potential risks, stating:

• The app could be used by the Chinese government for espionage purposes, including collecting sensitive personal data of millions of users.

• TikTok poses risks of manipulating content and influence operations, potentially allowing Beijing to subtly shape public discourse in the U.S.

• He emphasized concerns about algorithmic manipulation, which could allow ByteDance to suppress or amplify certain narratives.

ODNI (Office of the Director of National Intelligence)

• ODNI has included TikTok in broader discussions about China’s digital espionage strategy, which prioritizes data collection on a massive scale.

• In its Annual Threat Assessment (2023), ODNI highlighted TikTok’s role in providing Beijing access to a vast trove of data that could be used to influence foreign citizens or profile individuals of interest.

Department of Homeland Security (DHS)

• DHS, through its Cybersecurity and Infrastructure Security Agency (CISA), has warned that TikTok’s data-collection practices could be exploited to gather intelligence on U.S. citizens and critical infrastructure personnel, particularly those employed in government, defense, and technology sectors.

NSA (National Security Agency)

• Former NSA Director Paul Nakasone (March 2023) stated that TikTok poses a “genuine national security challenge” due to its ability to aggregate and analyze large volumes of user data, particularly the sensitive behavioral and location data of U.S. citizens.

Canadian Intelligence

CSIS (Canadian Security Intelligence Service):

CSIS has flagged TikTok as a potential vector for foreign interference, including data collection and influence operations. Canada banned TikTok on government devices in February 2023, aligning with concerns from U.S. intelligence agencies.

UK Intelligence

GCHQ (Government Communications Headquarters):

The UK’s cybersecurity agency has raised concerns over TikTok’s ability to transfer user data to China and highlighted the app as a potential tool for Beijing’s surveillance and information operations.

• In March 2023, the UK banned TikTok from government devices following internal recommendations from the National Cyber Security Centre (NCSC).

European Intelligence

• The EU Agency for Cybersecurity (ENISA) and intelligence communities in member states have warned about TikTok’s capacity to collect and transfer sensitive data to China. The European Commission banned TikTok on official devices in February 2023, citing intelligence assessments about data security and state influence.

Australia’s Intelligence Community

ASIO (Australian Security Intelligence Organisation):

ASIO has echoed warnings similar to those of the U.S. and UK, suggesting TikTok could be used for data harvesting and influence campaigns. Australia banned TikTok on government devices in April 2023, driven by intelligence assessments.

Key Intelligence Concerns Highlighted Globally

Data Collection for Espionage:

Intelligence agencies believe TikTok’s access to device data (e.g., location, contacts, keystrokes) could allow the Chinese government to build comprehensive profiles on individuals, including government officials, corporate executives, and military personnel.

Algorithmic Manipulation:

Intelligence officials are concerned that TikTok’s algorithm could be used to:

• Suppress anti-China content.

• Amplify Chinese propaganda or divisive narratives.

• Spread misinformation during key political events (e.g., elections, international crises).

Lack of Transparency:

Agencies have criticized TikTok’s opaque content moderation practices and its inability to provide assurance that U.S. or other foreign user data is not being accessed by ByteDance employees in China.

Legal Obligations Under Chinese Law:

Intelligence officials cite China’s National Intelligence Law (2017), which requires Chinese companies to cooperate with government intelligence requests. This creates a legal avenue for Beijing to access TikTok user data.

Public Statements by Key Intelligence Leaders

Mike Pompeo (Former CIA Director and U.S. Secretary of State):

In 2020, Pompeo was one of the first high-ranking U.S. officials to suggest that TikTok should be banned outright, describing it as a “Trojan horse” for Chinese espionage.

Avril Haines (U.S. Director of National Intelligence, 2022):

Haines highlighted the risks of Beijing weaponizing data collected through TikTok to target U.S. interests, including via disinformation campaigns.

Conclusion

TikTok represents a multifaceted cybersecurity challenge. The platform’s vast reach, combined with its aggressive data harvesting practices and potential susceptibility to Chinese government influence, makes it a potent vector for espionage, user data exploitation, and the dissemination of propaganda. As the geopolitical landscape evolves, addressing these concerns will require continued vigilance from governments, private organizations, and cybersecurity professionals.

However, the rhetoric around this application and its ownership has become a political football due to the new presidency and the transactional nature of the president. On the whole, the use of this application, and the potential for misuse by the Chinese state, does not present a clear and present danger to the masses as it has been spun in the press and by the US government. In reality, the use of this application should definitely be barred on government assets, but denying the general populace access because of Chinese ownership is not an assessment that should have been made unilaterally.

Sources Consulted:

• InfraGard intelligence updates

• Abuse.ch forensic reports

• Citizen Lab and SANS Internet Storm Center findings

• Open Threat Exchange (OTX) alerts

• CrowdStrike and Recorded Future analyses

• CISA advisories


Article source: https://krypt3ia.wordpress.com/2025/01/20/threat-brief-security-issues-surrounding-tiktok-and-its-potential-for-espionage-and-misinformation-campaigns/