Mythbusting: The Facts On Reports About Our Data Collection Practices


We welcome legitimate review of our platform and know that staying ahead of next-generation cyber threats requires us to continuously strengthen the security of our platform and collaborate with industry-leading experts to test our defenses. That's why we partner with industry leaders such as HackerOne and it's also why we open the doors of our global Transparency and Accountability Centers for people to learn about source code and how our application's algorithm operates.

The Malcore team at Internet 2.0, which describes itself as a joint U.S. and Australian cybersecurity company, published an industry analysis that is at best misleading and at worst a severely flawed and biased analysis. According to the report, Malcore is an automated analysis tool designed to scan files and programs, detect malware and assess risk. Yet by their own admission, the Malcore team used the tool to perform an inconclusive analysis that didn't include a detailed source code review. Their results contained a number of inaccuracies that should cast doubt on the validity of their findings.

In response, we had our own researchers conduct a technical analysis of Malcore's findings and below is what we found.

Our Data Collection Practices

  • TikTok does not collect user device IMEI, SIM serial number, or integrated circuit card identification number. The current version of the TikTok app does not use MAC addresses. We encourage users to download the latest version of the app, which includes important security updates.
  • TikTok does not collect all accounts on a device.
  • In regions outside the U.S., where Location Services is available, TikTok collects location information based on a device's GPS data, if Location Services is actively enabled by the user. We do not collect any GPS location data, whether precise or coarse, in the U.S. We use location information to help us improve the app experience and for reasons set out in our Privacy Policy, such as to show users videos and content that are popular in their area, and where applicable, more relevant ads.
  • Additionally, people can choose to allow the platform access to photos, contact lists and the device microphone and camera. We detail the information we collect in our privacy policies and in our help center.

Software Development Kits (SDK)

An SDK is a set of tools that help software developers create applications for a specific platform. We have a process to assess the overall security risk of any SDK integrated with TikTok. In three cases, the Malcore team incorrectly identified SDK integrations. TikTok does not use Pangle, Google CrashLytics, or Facebook Analytics SDKs. We use the remainder of the SDKs cited in the Malcore analysis in the following ways:

  • Facebook Login SDK and VKontakte SDK (available in only 8 countries) are used to allow users to log in using their Facebook or VK credentials. Facebook Share allows users to share content from TikTok to Facebook.
  • Facebook Bolts is an open source SDK to help engineers develop mobile apps. Appsflyer and Google Firebase Analytics are measurement and data analysis tools.

Scoring & Weighting

The Malcore team has not offered any explanation of the scoring system that scored TikTok the highest (worst) at 63.1, as compared to the industry standard of 34 for all other major social media apps and average score of 28.8 for all 21 apps.

The report arbitrarily lists the assigned score weights for five factors: tracker/SDKs, dangerous permission, high severity warning for code analysis results, suspicious permission, and severity warning for code analysis results. There is no explanation of why or how these five factors were chosen.

Additionally, there's no explanation or external justification for why each factor is assigned the score it's been assigned, with tracker/SDKs given the highest score of 2.5 as compared to the second factor at 0.25 (10 times less) or the fifth factor (50 times less). Changing how any one category is scored would radically alter the risk scores for TikTok and the other apps.

Notably, the report itself acknowledges that "trackers normally are a legitimate software development kit (SDK) designed to help developers understand how their apps are being used, resolve potential issues and improve their software." The skewed weighting of SDKs doesn't take into account, for example, that some companies use a master SDK, which would make the number of SDKs an even less meaningful factor to assess risk. In short, Malcore's scoring system simply doesn't make sense.

At TikTok, the privacy and security of the people who use our platform are among our highest priorities. We take our responsibility to safeguard people's privacy and security seriously and devote considerable resources to achieve this goal. We plan to continue to provide updates on our practices in our newsroom, help center and our privacy policies.


This news content was configured by WebWire editorial staff. Linking is permitted.
