Here we are, yet again, back at Newsletter #14, wherein I brought up some of the problems with TikTok being controlled by the Chinese, and statements by the new CEO (who is an American), who asserts that they don’t send US user data to Chinese authorities, and moreover that they’d refuse if it were demanded. Things went a little crazy for TikTok over the last week or so. First, as I mentioned last week, India blocked TikTok; and, unrelatedly, TikTok pulled out of Hong Kong. The former was part of Indian statecraft to continue its desired balance of power between the US and China; the latter was a play by TikTok to avoid exactly the kind of reputational tarnish it has acquired this week.
What happened this week? Amazon ordered all of its employees to remove TikTok from devices that have access to corporate email (but then rescinded that order), and the US government floated the idea that it was considering a ban of the app. All the hubbub comes down to whether you think TikTok is an app that is capturing too much personal data and occasionally makes mistakes (the same as you would think about Facebook or Instagram), or whether you think it’s secretly a front for data collection on foreign citizens by the Chinese government. If you believe what they say, the data that TikTok collect are not that different from most social-media apps (or, indeed, most apps). They’ll always collect your IP address, your device type, some amount of location data, your in-app browsing and search history, and the content of messages you exchange with other users of the service (NB: the fact that this exists means your data is not encrypted, so don’t think TikTok is anywhere close to the security level of WhatsApp). There’s an opt-in for additional data, and if you’ve selected it, they can collect your phone contacts, contacts from other social networks, exact location data via GPS, age, phone number, any UGC you post, payment information, and videos with which you interact (watch partially, watch all the way through, watch more than once, like, share, etc…).
I haven’t installed TikTok, nor do I intend to, but reading this opt-in part, it doesn’t really seem that optional — seems like a lot of this must be agreed to if you’re going to use the service at all. But still, not that different from what a lot of other apps do. This is enough to cause consternation with the U.S. government. Back in early 2019, the U.S. government forced the Chinese owner of gay-dating app Grindr to sell to a U.S. owner, citing concerns that the Chinese could use knowledge of who in the government was homosexual as blackmail, which would constitute a national security risk. But this still isn’t what caused the recent uproar. The recent uproar dates to a security vulnerability in Apple iOS that was disclosed in February.
Because of the way macOS and iOS use Universal Clipboard, if you copy something on your Mac (say, a video, or a password), an app on your iOS device can see it. Apple doesn’t actually consider this a security vulnerability — they consider it “cut and paste working as it should”. But in March, TikTok was caught grabbing data from the shared clipboard, completely inappropriately. At the time, they said it wasn’t really them, that it was based on their use of an outdated Google SDK that they were replacing. Fair enough — that’s actually a reasonable story. The real problem is, they’re still doing it, and they’ve changed their excuse. This is now in the “seriously sketchy behavior” category, and is why people are all freaked out about it. All of that said, it all comes down to who you trust, and why. Friday, an iPhone user in New York sued Microsoft over the LinkedIn app doing the exact same thing. And apparently there are at least 51 other apps doing the same thing. ¯\_(ツ)_/¯