TikTok, Targeting, and Why You Should Care

BLUF: The Chinese Communist Party (CCP) is probably using TikTok as a digital targeting tool to aid in Beijing’s espionage efforts in the government and commercial spaces. Personal data collected from the app can be used to conduct network analysis, identify key individuals, exploit personal vulnerabilities, and aid collections initiatives in the defense, intelligence, and technology sectors.

 

WHAT HAPPENED

 

Eight years after TikTok’s launch, it seems the West is no longer asleep at the wheel. The end of 2022 saw a run of bipartisan legislation banning TikTok on federal government devices and a growing list of state government devices, which now includes bans in 20 states.[1] Legislation was introduced in the House and Senate in early December to ban the app in the United States altogether.[2]

 

At its core, TikTok is a CCP data scraping tool and a vehicle for low-grade influence operations. The app’s unassuming facade and lighthearted content are appealing, and in the social media space where users are all too willing to trade privacy for attention, Beijing and ByteDance (TikTok’s parent company) are happy to capitalize on the ignorance and apathy of its one billion users.

 

The platform’s mindless content and the company’s practices of data harvesting and systematic censorship of free speech aren’t much different from tech giants like Google, Facebook, and the “old” version of Twitter. The problem is who is capturing user data and policing the content. TikTok isn’t beholden to Silicon Valley overlords or federal law enforcement dictating what one can or can’t say or see on social media. Rather, China’s state intelligence apparatus is using the platform like a two-way radio: its transmissions are a passive CCP mouthpiece where platform content and news are moderated to promote Party objectives. The app also receives user data by way of access to the digital content of its 100 million American users.[4]

 

TikTok is like most other social media platforms in that it collects information on how you consume content, for how long, your preferred categories, and uses that feedback to adjust the algorithm for the app’s primary feed.[5] But the app is uniquely aggressive in that it can track device location, the user’s calendar, contacts, browser activity, and other running applications – all while the TikTok app isn’t in use.[6][7]

 

With no barriers between the Communist Party and private industry, it would be naïve to assume user data sits safely on a server in Guizhou.[8] China’s National Intelligence Law, passed in 2017, requires all citizens and foreign and domestic firms operating in the country to “support, assist, and cooperate” with national intelligence efforts – meaning data must be shared with the government upon request.[9] This implies the CCP has broad authority to collect intellectual property, commercial data, and personal data at will.

 

WHY IT MATTERS

 

TikTok’s access to users’ geolocational data, contacts, calendar, and browser history means the CCP has access to the same data. The implications of what is unwittingly being collected, where the data goes, and what it’s used for should be enough to keep TikTok’s users up at night.

 

The terabytes of information harvested by ByteDance are likely processed by China’s cyber and signals intelligence entities. This includes geolocational data captured using the connections your device makes with local cellular towers. These time-stamped latitudes and longitudes (also known as “geos”) reveal a lot about you and your habits. Everyone will have some distinct anchor points, like your home where you probably spend 12 hours every weekday and most of the weekend. Same goes for your workplace (if you’re not working remotely) where you can probably be found for at least eight hours a day, five days a week. Even your zip code and your behavior when you get to work can reveal a lot about you: do you live in a ritzy McLean, Virginia neighborhood or a stone’s throw from a known US government facility? Do you turn off your phone before you reach your workplace parking lot or leave your phone in the car for eight hours a day? Are you taking selfies and uploading videos in the workplace? We’re all creatures of habit, and associating geolocational patterns with known habits of high-value occupations is an easy lift for a targeter.

 

Access to a contact list – especially that of someone with notable placement, access, or influence – is a powerful capability. It’s unclear whether the TikTok app can monitor SMS texts or conversations using unencrypted or poorly encrypted messaging apps. But a key individual and his associations can be used to map the human terrain associated with a particular industry, also known as social network analysis. (Think the big spider charts with solid and dashed lines between individuals to annotate their associations.) Overlay enough of these networks with the assistance of analytical software and you can get a comprehensive snapshot of someone’s associations and the nature of those relationships. Associations can be just as valuable as the primary target; if someone is deemed to have intelligence value or access to valuable intellectual property, then some of that individual’s contacts are bound to run in the same circles.

 

But say you’re not an intelligence officer or an aerospace engineer; say you’re an accountant or in sales. Why does access to your contact list matter? It matters because the names and phone numbers in your device are data points. Chances are, some of your non-TikTok-using contacts are in high-priority occupations and their information (e.g., names, phone numbers, addresses, employers) can be used to fill in gaps in the social network analysis.

 

Your calendar is also a useful data repository for a targeter. It’s a log of your activities and responsibilities, and it can reveal a great deal about who you are and what you do. If you’re diligent about populating events, locations, times, and with whom you’re meeting, it’s another valuable dataset in mapping human terrain.

 

The same goes for your professional and personal browser history and the other apps on your phone. Your browser activity tells a story about your interests and vulnerabilities, both of which could be ripe for exploitation. Multiple landings on your company page or logging into your company’s website pinpoints your employer. Regarding your personal online activity, what are you Googling? What are you shopping for on Amazon? Where are you planning to travel? What are your spending habits? Exactly how much access TikTok has to your other apps and your keystrokes is unclear, but the potential to pull details like usernames, passwords, and account numbers from your online banking transactions should be enough to make any TikTok user reevaluate his risk tolerance.

 

If you fall into one of the high-risk categories and you’re considering going off the grid, keep in mind the inverse is true: the lack of a digital signature and the excessive use of precautions can be equally damning. If I’m the only one of thousands in my demographic that’s not on social media of any kind, that’s a clue. If I’m the only one with disabled cookies, using a ProtonMail email account, using the DuckDuckGo search engine, and running a virtual private network (VPN) on my smartphone, the behavior is anomalous. Look at it like this: the CCP is watching a digital herd of wild horses, none of which are taking security precautions. Then along comes one zebra in the pack using a VPN, a secure browser, and an encrypted email. The zebra is interesting and worth a second look.

 

True, those in the intelligence and defense communities and high-risk industries generally have the wherewithal to steer clear of TikTok and exercise some basic digital safeguards. But there are always rogue wild horses amongst the zebras.

 

We all have a digital footprint, and going unnoticed by malicious actors is easier said than done. But even those with few privacy needs and high risk tolerances should exercise basic precautions like steering clear of outed collection platforms like TikTok and not oversharing online. Basic digital security and some common sense can protect those in your contact list and ensure that you are one fewer datapoint in a Chinese targeter’s dataset.

 


 

Citations 

  1. Pritchett, Elizabeth. “Indiana Blocks TikTok from State Devices, Joins 19 Other States in Legislation against the App.” Fox News. FOX News Network, December 30, 2022. https://www.foxnews.com/us/indiana-blocks-tiktok-state-devices-joins-19-other-states-legislation-against-app.
  2. Treisman, Rachel. “The FBI Alleges TikTok Poses National Security Concerns.” NPR. NPR, November 17, 2022. https://www.npr.org/2022/11/17/1137155540/fbi-tiktok-national-security-concerns-china.
  3. Dellatto, Marisa. “Tiktok Hits 1 Billion Monthly Active Users.” Forbes. Forbes Magazine, November 9, 2022. https://www.forbes.com/sites/marisadellatto/2021/09/27/tiktok-hits-1-billion-monthly-active-users/?sh=3445d01844b6.
  4. Whitehead, Ben. “GOP Congressman Calls on Americans to Delete Tiktok, Explains Dangers of Using the App.” The Daily Wire. The Daily Wire, December 18, 2022. https://www.dailywire.com/news/gop-congressman-calls-on-americans-to-delete-tiktok-explains-dangers-of-using-the-app.
  5. “TikTok’s Ties to China: Why Concerns over Your Data Are Here to Stay.” The Guardian. Guardian News and Media, November 8, 2022. https://www.theguardian.com/technology/2022/nov/07/tiktoks-china-bytedance-data-concerns.
  6. “TikTok’s Ties to China: Why Concerns over Your Data Are Here to Stay.” The Guardian. Guardian News and Media, November 8, 2022. https://www.theguardian.com/technology/2022/nov/07/tiktoks-china-bytedance-data-concerns.
  7. Altus, Kristen. “Security Expert Reveals the TikTok Setting That Exposes Your Data – and How to Turn It Off.” Fox Business. Fox Business, November 16, 2022. https://www.foxbusiness.com/technology/security-expert-reveals-tiktok-setting-exposes-data-how-turn-off.
  8. “TikTok’s Ties to China: Why Concerns over Your Data Are Here to Stay.” The Guardian. Guardian News and Media, November 8, 2022. https://www.theguardian.com/technology/2022/nov/07/tiktoks-china-bytedance-data-concerns.
  9. Kharpal, Arjun. “Huawei Says It Would Never Hand Data to China’s Government. Experts Say It Wouldn’t Have a Choice.” CNBC. CNBC, March 5, 2019. https://www.cnbc.com/2019/03/05/huawei-would-have-to-give-data-to-china-government-if-asked-experts.html.