TikTok's Response to Misleading Industry Analysis
TikTok recently responded to an industry analysis conducted by the Malcore team at Internet 2.0. The analysis, which claimed to use an automated analysis tool called Malcore, was found to be misleading and biased.
TikTok's own researchers conducted a technical analysis of Malcore's findings and discovered several inaccuracies. The analysis lacked a detailed source code review, raising doubts about its validity.
In response to the findings, TikTok clarified its data collection practices. They do not collect certain user device information such as IMEI, SIM serial number, or integrated circuit card identification number. The current version of the app also does not use MAC addresses. TikTok encourages users to download the latest version of the app, which includes important security updates. They do not collect all accounts on a device, and in certain regions, precise or approximate GPS information is not collected. When users grant permission for GPS location information, it is collected based on the device's GPS data. For U.S. users who are on an older version of the app that allowed GPS collection and who granted permission, TikTok may collect such information. However, users can always prevent their device from sharing this information or revoke previously granted permission through their device settings. TikTok uses location information to enhance the app experience, show users popular videos and content in their area, and display relevant ads. Users can choose to allow access to photos, contact lists, and device microphone and camera. Detailed information about the data collected is provided in TikTok's privacy policies and help center.
TikTok also addressed the software development kits (SDKs) used in the app. Contrary to the Malcore analysis, TikTok does not use Pangle, Google Crashlytics, or Facebook Analytics SDKs. They use Facebook Login SDK and VKontakte SDK (available in only 8 countries) to allow users to log in using their Facebook or VK credentials. Facebook Share enables users to share content from the app to Facebook. Facebook Bolts is an open-source SDK for mobile app development. AppsFlyer and Google Firebase Analytics are measurement and data analysis tools.
The scoring system used in the Malcore analysis was also questioned by TikTok. The report assigned scores to five factors: tracker/SDKs, dangerous permission, high severity warning for code analysis results, suspicious permission, and severity warning for code analysis results. However, there was no justification provided for why these factors were chosen or how the scores were assigned. The report also failed to provide external justification for the assigned scores. The weighting of SDKs received the highest score compared to other factors, which TikTok found to be skewed. The report acknowledged that trackers are legitimate SDKs used for app development and improvement, making the number of SDKs an unreliable factor to assess risk. TikTok concluded that the scoring system lacked coherence.
In conclusion, TikTok emphasized its commitment to the privacy and security of its users. They invest significant resources to safeguard user information and will continue to provide updates on their practices through their newsroom, help center, and privacy policies.