Post ATgvbxFBUt1FM0LUVk by monkeyninja@mastodon.cloud
 (DIR) Post #ATgvbs2woxGBEba9FA by monkeyninja@mastodon.cloud
       2023-03-17T01:19:44Z
       
       0 likes, 1 repeats
       
       (1/5) I’m not sure if any other #infosec folks have tackled explaining the security issues around TikTok so it’s approachable by someone who doesn’t do this for a living, so I thought I’d take a stab at it. The question I see most folks ask is “Is TikTok any worse than any other social media platform out there?” That’s a very easy “Yes” and I’ll go into why. There are two pieces to data privacy: 1. What information is gathered? 2. What is the company legally allowed to do with that data?
       
 (DIR) Post #ATgvbsesXvbL8FKRMm by monkeyninja@mastodon.cloud
       2023-03-17T01:19:45Z
       
       0 likes, 0 repeats
       
       (2/5) So let’s start with the “what” question. What data does TikTok gather? It collects everything you do in the app, obviously. So that’s what you watch, who you follow, what videos you comment on, your private messages, etc. In addition it also gathers your clipboard data, your typing rhythm, your location data, a list of all your phone’s contacts, information from linked social media accounts, and biometric data like your face and voice. That’s a lot, right? But is it worse than others?
       
 (DIR) Post #ATgvbtJI7fvZ9aEiMC by simon@fedi.simonwillison.net
       2023-03-17T01:30:19Z
       
       0 likes, 0 repeats
       
       @monkeyninja Do you have a feel for how that differs from platform to platform? I'm an iPhone user, so I always assume that iOS is protecting me from some of that stuff: location data, clipboard access, and contact list shouldn't be provided if I haven't granted that explicitly to the app in question.
       
 (DIR) Post #ATgvbxFBUt1FM0LUVk by monkeyninja@mastodon.cloud
       2023-03-17T01:19:45Z
       
       0 likes, 0 repeats
       
       (3/5) It’s definitely one of the worst, but it’s actually almost tied with YouTube for sheer volume of data. Now, professionals are rightfully wary of all of that, and that’s because of question 2: what are they legally allowed to do with your data? Facebook, Google, etc. all have to adhere to the privacy laws for the countries in which they operate. While US privacy laws aren’t fantastic, they’re still there. A warrant is still needed to access certain kinds of data; you have some protections.
       
 (DIR) Post #ATgvbz2Up23evEQO0m by monkeyninja@mastodon.cloud
       2023-03-17T01:19:45Z
       
       0 likes, 0 repeats
       
       (4/5) China has no such privacy laws, and TikTok is based in China. Wait a second, don’t they also have to adhere to the privacy laws of the countries in which they operate? Yes, but the problem is the owning company, ByteDance, has a history of passing data to the Chinese government irrespective of the privacy laws in the countries in which they operate. They also sell the data to a lot of third parties, so where YouTube gathers tons of data and uses it internally to monetize you, TikTok passes it around.
       
 (DIR) Post #ATgvc0gwg80Y2yMChM by monkeyninja@mastodon.cloud
       2023-03-17T01:19:46Z
       
       0 likes, 0 repeats
       
       (5/5) I think that covers the big talking points, and hopefully in a way most folks can process. I’m happy to dig into it more, though, if there’s anything that doesn’t make sense or needs clarification. Also, I’m not perfect, so if I got any of the information wrong here, definitely let me know, as I don’t want to steer anyone wrong.
       
 (DIR) Post #ATgvc1IWQQ47vVwDGi by simon@fedi.simonwillison.net
       2023-03-17T01:31:20Z
       
       0 likes, 0 repeats
       
       @monkeyninja The face and voice stuff is definitely interesting: I have a single draft post that I haven't published, but that means they do have my face stored on their server now, which I guess means they could add me to a huge facial recognition dataset if they wanted to.
       
 (DIR) Post #ATh4YMprJ1Br9ardLM by 22@octodon.social
       2023-03-17T03:15:22Z
       
       0 likes, 0 repeats
       
       @simon @monkeyninja Similarly, if I use the app just to view videos, not create them, and don’t let it access my contacts, the “what can they get” is no worse than Instagram, right? (If I had to hazard a guess, it’d be that 50% of users of the iOS app use it like this?) Also, is it accurate to say that while Google/YouTube and Meta/Insta might not sell 100% of whatever data they harvest, TikTok will, like apps as disparate as DoorDash and Grindr, absolutely resell every scrap of data, to Google/Meta as well as government security organizations? Given this breakdown, I still am having a hard time understanding how it’s worse than social and dating apps.
       
 (DIR) Post #AThxP7pRE5S3U3H05Y by deafferret@octodon.social
       2023-03-17T13:29:58Z
       
       0 likes, 0 repeats
       
       @simon @monkeyninja Presumably “iOS is protecting you” in that Apple is collecting all that data to sell it / profit from it themselves, not allowing others to cut them out of those profits. Like mafia “protection.”
       
 (DIR) Post #ATi2RAjLuLESpkDp8i by simon@fedi.simonwillison.net
       2023-03-17T14:26:29Z
       
       0 likes, 0 repeats
       
       @deafferret @monkeyninja Apple have built so much of their brand around being the privacy-focused platform that I tend to trust them.
       
 (DIR) Post #ATi72T23E25c7t0Vzk by monkeyninja@mastodon.cloud
       2023-03-17T15:18:08Z
       
       0 likes, 0 repeats
       
       @simon There were some early reports that it was bypassing security constraints, but the reality seemed to be just basic code obfuscation many folks use to avoid reverse engineering, and not nefarious. The clipboard access has also been curtailed by a recent iOS update. So the short of it is that the concern should really be on what they do with your data, not that they’re breaching the sandbox in some way.
       
 (DIR) Post #ATiAm8c9lmDJz9MerA by 22@octodon.social
       2023-03-17T15:59:51Z
       
       0 likes, 0 repeats
       
       @simon I do like @deafferret’s point, because it seems like it’s probably only a matter of time till a profit-focused Apple product manager angling for promotion pitches, “Sure, reselling customer data is much less profitable than selling phones, but let’s do it,” and the bean counters OK it. I agree it’s not an issue right now, but it’s one of those things that in the fullness of time will happen suddenly overnight (a gray swan)? @monkeyninja
       
 (DIR) Post #ATiAyJgWR5JVnKDIyu by simon@fedi.simonwillison.net
       2023-03-17T16:01:52Z
       
       0 likes, 0 repeats
       
       @22 @deafferret @monkeyninja Yeah, I have to admit some of the profit-chasing stuff they've done with the App Store has shaken my trust in them quite a bit.
       
 (DIR) Post #ATiBAr95r4qd2wYatE by 22@octodon.social
       2023-03-17T16:02:18Z
       
       0 likes, 0 repeats
       
       @simon Racking my brain to remember—did I have the phone in airplane mode to test out the filters, and did I delete the app immediately afterwards? Or, gulp, did I forget and just give the world’s biggest data vacuum cleaner high-res scans of my face?? 🤦 I couldn’t have been that silly, could I 😝 @monkeyninja
       
 (DIR) Post #ATiDMIf062ilTX48v2 by deafferret@octodon.social
       2023-03-17T16:26:48Z
       
       0 likes, 0 repeats
       
       @simon @22 @monkeyninja Without strict privacy laws with teeth, and strong whistle-blower protection incentivizing people to come forward, I don't know how we'd ever know whether any company is doing whatever the hell they want or not. Most employees don't know either; they just do their jobs. I'm under the impression the US has neither of those things, so it's all just us users guessing / hoping / suspecting?
       
 (DIR) Post #ATmaCViJmfsSdsl4rI by seth@s3th.me
       2023-03-19T19:04:46Z
       
       0 likes, 0 repeats
       
       @monkeyninja Great rundown. Thanks for writing that up!
       
 (DIR) Post #ATnKoMgEPnTtWKlqHA by ngo@techhub.social
       2023-03-20T03:45:48Z
       
       0 likes, 0 repeats
       
       @simon @monkeyninja Me too, and Apple TV has similar issues. I was at best happy, at worst resigned, to pay my ‘Apple Tax’ to avoid advertising. Current trends are not good. It’s like I now need them to add an extra extra subscription service to remove ads, kind of like an iCloud Max.