I did a detailed privacy check of the app TikTok and its corresponding website. Multiple law infringements, trust, transparency and data protection breaches were found.

I provide all technical and legal details in this article. For a less technical view, read the article at Süddeutsche Zeitung (in German).

I used mitmproxy as my setup in order to re-route all app traffic for analysis. One can see in the video how the device information, usage time and list of watched videos are being sent to Appsflyer and Facebook.

It is hard to believe that this is covered by „legitimate interest“ and transparency: the search terms that I entered are being forwarded to Facebook.
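A check of this kind can be repeated on any capture by entering unique "canary" values in the app and then searching every third-party request for them, including URL-encoded and base64-encoded forms. The following is an added example and not the tooling used for this article; the hosts, field names and capture records are constructed, and the first-party suffix list is an assumption.

```javascript
// Added example: constructed capture, hypothetical hosts and field names.
const FIRST_PARTY = ['tiktok.example'];        // suffixes treated as first party (assumption)
const CANARIES = {                             // unique values entered/seen during the test run
  search_term: 'zebra canary 7731',
  device_id: 'dev-0000-constructed',
};
const CAPTURE = [                              // constructed stand-in for exported flows
  { url: 'https://api.tiktok.example/search?q=zebra%20canary%207731', body: '' },
  { url: 'https://graph.tracker-a.example/activities',
    body: 'event=search&data=' + encodeURIComponent(JSON.stringify({ search_string: 'zebra canary 7731' })) },
  { url: 'https://events.tracker-b.example/v1/track',
    body: 'payload=' + Buffer.from(JSON.stringify({ id: 'dev-0000-constructed', dur: 312 })).toString('base64') },
  { url: 'https://cdn.static.example/app.js', body: '' },
];

// Return the text as sent plus its URL-decoded and base64-decoded readings (lowercased).
function views(text) {
  const out = [text];
  try { out.push(decodeURIComponent(text.replace(/\+/g, ' '))); } catch (_) { /* malformed % */ }
  for (const m of text.matchAll(/[A-Za-z0-9+\/_-]{16,}={0,2}/g)) {
    out.push(Buffer.from(m[0], 'base64').toString('utf8'));
  }
  return out.map(s => s.toLowerCase());
}

function isThirdParty(host) {
  return !FIRST_PARTY.some(s => host === s || host.endsWith('.' + s));
}

// List every (third-party host, canary) pair found in the capture.
function findLeaks(requests, canaries) {
  const hits = [];
  for (const r of requests) {
    const host = new URL(r.url).hostname;
    if (!isThirdParty(host)) continue;
    const haystacks = views(r.url + '\n' + (r.body || ''));
    for (const [label, value] of Object.entries(canaries)) {
      if (haystacks.some(h => h.includes(value.toLowerCase()))) hits.push({ host, label });
    }
  }
  return hits;
}

console.log(findLeaks(CAPTURE, CANARIES));
```

Values that are hashed or encrypted before sending will not be found this way, so an empty result does not prove the absence of a transfer.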

The transfers to the two companies are clearly conflicting with the GDPR:

Facebook cannot comply with article 14 regarding the rights to deletion of information etc. for this data.



The data transfer to Appsflyer also lacks transparency as it is unknown to which of its more than 4500 partners the data might get transferred down the line. Bytedance’s answer to this: „We won’t show you the contracts.“ Did they even read article 26 of the GDPR?

Most importantly, fundamental rights are being violated since Personally Identifying Information (PII) is transferred to a server under the control of a company residing in an unsecure, non-European country. The location of the server is irrelevant – what is important is the location of the company deciding about the data, according to Malte Engeler. Bytedance’s headquarters is located in Beijing, China.

I also checked the website itself, which is important since all videos that are being shared via messenger or social media are getting viewed thereon. Any shortened URL for a video (like vm.tiktok.com/9uTpDV) gets resolved to a URL containing the installation ID. Thereby, TikTok is able to check who shared which video.

They also track who is watching the video. Besides conventional trackers (Google Analytics), the highly controversial method of device fingerprinting is performed to assign a unique hash value for a cookie variable named s_v_webid. This is being achieved by combining unique hardware and browser characteristics.

One of them: Canvas Fingerprinting. An image is being drawn in the background, using vector graphic commands. The image then gets rasterized to a PNG image, which in return gets saved. The so-created data is quite unique among different devices, and depends on diverse settings and features of the hardware used.

Audio fingerprinting is also being used to identify visitors. This doesn’t mean that microphone or speakers of the device are being used. Instead, a sound is generated internally and its bitstream is getting recorded. This will also generate different results, depending on the device being used.

Bytedance states that these fingerprinting techniques are being used to identify malicious browser behaviour. Quite hard to believe, as the website still works as expected even if the corresponding script is being blocked. Furthermore, Akamai’s own server-side fingerprinting technology is equally being used (which is a completely different story waiting to get investigated).
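Whether a page performs the canvas and audio read-backs described above can be observed from inside the browser by wrapping the relevant methods before the site's scripts run and logging who calls them. The following is an added example, not code from the analysed site or from this article's investigation; it assumes the script uses the standard canvas read-back and offline audio rendering APIs, which is not stated above, and the helper names are hypothetical.

```javascript
// Added example: record calls to the browser APIs that fingerprinting reads back from.
// Which APIs a given script uses is an assumption; these are the standard read-back points.
function browserTargets(w) {
  const t = [];
  const add = (ctor, method, technique) => {
    if (ctor && typeof ctor.prototype[method] === 'function') {
      t.push({ proto: ctor.prototype, method, technique });
    }
  };
  add(w.HTMLCanvasElement, 'toDataURL', 'canvas');           // canvas -> PNG data URL
  add(w.CanvasRenderingContext2D, 'getImageData', 'canvas'); // canvas -> raw pixels
  add(w.OfflineAudioContext, 'startRendering', 'audio');     // silent, internal rendering
  add(w.AudioBuffer, 'getChannelData', 'audio');             // rendered samples read back
  return t;
}

// Replace each method with a wrapper that logs the caller, then runs the original unchanged.
function instrument(targets, log) {
  for (const { proto, method, technique } of targets) {
    const original = proto[method];
    proto[method] = function (...args) {
      const caller = (new Error().stack || '').split('\n')[2] || 'unknown';
      log.push({ technique, api: method, caller: caller.trim() });
      return original.apply(this, args);
    };
  }
  return log;
}

// Distinct techniques observed so far, sorted alphabetically.
function techniquesSeen(log) {
  return [...new Set(log.map(e => e.technique))].sort();
}

// In a page context (injected before the site's scripts), hook the real prototypes.
const FP_LOG = [];
if (typeof window !== 'undefined') instrument(browserTargets(window), FP_LOG);
```

A logged call alone is not proof of fingerprinting, since legitimate code also exports canvases and renders audio; the `caller` field shows which script made the call so it can be inspected.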

There are several other issues, like Google Analytics being used without anonymizing the IP data. And to top this off, free software is being used without attributing proper licensing – Zepto.js from Thomas Fuchs, Murmur Hash from Austin Appleby and FingerprintJS from Valentin Vasilyev, just to name a few. How low can you go?

Those are however just PRIVACY-related problems of TikTok. Just a week ago, Netzpolitik published some detailed information about their CENSORSHIP-related problems. Read up on this in these three related articles, starting with https://netzpolitik.org/2019/discrimination-tiktok-curbed-reach-for-people-with-disabilities/

So is it a good idea if the German news magazine Tagesschau fosters TikTok’s ecosystem by publishing their news clips, which are getting paid for by Germany’s citizens through the means of an obligatory and nation-wide broadcasting fee?

TikTok channel operators may also fall under joint controllership with TikTok, as the ECJ has ruled for Facebook fanpages. As a consequence, a channel on TikTok could be locked down if privacy rights are being infringed. Heiko Neuhoff, the DPO of the public broadcaster NDR, told me he is about to decide if this is applicable to the channel of Tagesschau.

My comment

TikTok is breaching the law in several ways whilst exploiting the data of its mainly teenage users. This should get addressed immediately in a swift and rigorous manner. The required legislation for this is in place. Don’t let them get away by breaking society, just as 10 years of Facebook did. Journalists should find a better place for their vertical video clips to get published.

(I first published this on Twitter/Mastodon and then later transferred it with minor corrections to this blog post. Special thanks to multimedial.de for corrections regarding my English.)