HONG KONG—The computer code underlying TikTok doesn’t pose a national security threat to the U.S., according to a new study by university cybersecurity researchers.
Released Monday by the University of Toronto cybersecurity group Citizen Lab, the report comes after government officials in multiple countries, including in the administration of former President Donald Trump, suggested the popular Chinese-owned short-video app could aid Beijing in spying overseas.
Citizen Lab, which releases regular reports on censorship and surveillance by Chinese social media apps, found no evidence of “overtly malicious behavior” after a technical analysis of TikTok, which is owned by Beijing-based ByteDance Ltd.
The app, built around addictive algorithms that serve up streams of short videos, is no more intrusive than
when it comes to data collection, the researchers found.
The researchers warned that there could be security issues they didn’t find. They also said the Chinese government could use “unconventional ways” to force ByteDance to hand over data using the country’s national security laws.
Nevertheless, the study didn’t find “immediate security issues with TikTok,” said
lead author of the research, which also noted that no evidence has surfaced of Beijing using extraordinary measures to access data on TikTok users.
An effort by the Trump administration last summer to ban TikTok kicked off a monthslong saga that included retaliatory regulations from the Chinese government and a last-minute deal to sell the app’s U.S. operations to
that was indefinitely shelved after Mr. Trump lost re-election.
The Biden administration is currently evaluating whether the national security threat cited by its predecessor continues to warrant the ban.
Mr. Trump’s argument, laid out in an executive order, asserted that TikTok posed a national security threat because the Chinese government could use it to steal the personal data of the app’s 100 million or so American users. The executive order also cited the risk of TikTok censoring content deemed politically sensitive by the Chinese government and spreading disinformation.
Representatives for Mr. Trump didn’t immediately respond to a request for comment.
The app has also drawn scrutiny from other governments around the world. Last June, after deadly border clashes with China, the Indian government banned TikTok and dozens of other Chinese apps, citing cybersecurity concerns. Pakistan, a longtime ally of Beijing, has also levied temporary bans on TikTok over what it has called indecent content.
In both instances, ByteDance said it was committed to working with authorities to resolve their concerns.
The app reached around 2.5 billion installs globally as of last week, according to app analytics firm Sensor Tower, though the number of new installations since January has dropped 54% year-over-year, likely due to the India ban and other regulatory restrictions enacted in 2020.
These bans have “numerous political motivations,” said Citizen Lab in its report, adding that the research team wanted to analyze privacy and security issues in TikTok and its Chinese equivalent, Douyin, from an “evidence-based technical” perspective.
Throughout last year, Citizen Lab analyzed the Android versions of TikTok and Douyin by tracking what data the apps collected from users, how and where it was sent, and censorship of content within the apps.
Neither app appeared to collect contact lists, or record or send photos, videos, and location data without user permission, the researchers reported, citing network traffic data collected between January and September 2020.
The amount of data collected by TikTok is comparable to the practices of other major social media platforms, the report noted. Both Facebook and TikTok collect users’ device information, which can be deployed to identify and track users when they aren’t logged in, and in-app behavior, such as liking posts.
The researchers also paid attention to similarities between Douyin and TikTok, given the concerns about Beijing potentially accessing TikTok’s data and censoring content at the behest of the Chinese government, such as content concerning pro-democracy protests in Hong Kong, which the company has denied.
The two apps share a lot of code, the report found, but there are stark differences in how they handle moderation of certain content on the app, such as search results.
TikTok didn’t appear to censor the things users search for on the app that are considered taboo in mainland China, though it was unclear whether posts themselves were treated similarly, said Citizen Lab, which used a list of 5,420 keywords previously blocked on the widely used Chinese messaging app
as search queries. When researchers tested 392 of those keywords on Douyin, they found that around 40 percent were censored.
ByteDance didn’t immediately respond to requests for comment on Douyin.
Last year, The Wall Street Journal reported that TikTok content-moderation employees in the U.S. had clashed with Beijing executives over restrictions on videos showing cleavage, arguing that such rules punished certain women on the platform.
One TikTok user told the Journal last year that she was temporarily banned from TikTok after kissing her girlfriend on the cheek during a livestream. When her account was reinstated, she was notified that she had been blocked for “serious pornography.”
A TikTok representative said that “LGBTQ+ creators are part of one of the most active and dynamic communities on TikTok,” and that the app has invested heavily in its moderation practices over the past few years, including the creation of an external council that advises TikTok on such policies.
Citizen Lab researchers said they were not able to test the apps in every circumstance or conduct a comprehensive analysis because of the vast code base. Their study was designed to detect any overt security and privacy issues, they said. The researchers also didn’t investigate the potential for disinformation beneficial to the Chinese government to spread on TikTok.
“It’s super complicated to prove the absence of something, especially on such a big application,” said Baptiste Robert, a French security researcher who published an analysis of TikTok’s code last year and came to the same conclusion as Citizen Lab about the app’s safety and data-collection practices.
“It’s important for technical people to take back this debate, to wade into the debate with our skills and with facts,” he said.
cited TikTok in arguing during a high-level conference in China on Saturday that concerns over commercial espionage were exaggerated.
“Even if there was spying, what would the other country learn and would it actually matter?” said Mr. Musk, who was responding to recent Chinese government restrictions on Tesla cars by sensitive personnel because of data security concerns. TikTok’s videos mostly show people “just doing silly dances,” he said.
Write to Eva Xiao at [email protected]
Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved.