Breaking News
More () »

Inside TikTok's terms of service

CBS 8 wanted to break down what you’re really agreeing to when you download the app and start using the platform.

SAN DIEGO — You've heard it before: Don't trust TikTok

In 2020, then President Trump threatened to ban the app, owned by Beijing based ByteDance. 

TikTok agreed to transfer data to Oracles servers in the United States, but questions have remained about how much access the Chinese government has to do the data.

Recently, podcaster Joe Rogan read off TikTok's Terms of Service during The Joe Rogan Experience on Spotify and the clip went viral.

CBS 8 wanted to know what you’re really agreeing to when you download the app and start using the platform.

Matt Stamper is Chief Information Security Officer for Evotek and author of Data Privacy Program Guide. He serves on the board of directors for the for the San Diego Chapter of ISACA and is co-chair of the Telecommunications Sector for the San Diego chapter of InfraGard,  a partnership between the FBI and the private sector, working to prevent hostile acts against the U.S.  

Stamper believes there is no safe way to use TikTok. “Oddly enough, I don't typically agree with Joe, but he is absolutely spot on correct as it relates to TikTok,” Stamper said.

“It is, from my perspective, a clear and present danger in terms of the amount of data that is collected. It has elements within its terms of service that allow TikTok to share the information collected with anybody and everybody that they choose to up to and including potentially agencies within the Chinese government,” he continued.

Stamper says while you may have ignored all of the warnings until now, it's important to know what you're allowing TikTok to potentially access, including your IP address, geolocation related data, browsing and search history, your IP address, mobile carrier, model of your device, device system, and app and file names.

"You're effectively giving them everything that you have on your phone and they can use it for whatever purposes that they decide,” Stamper said. “The way the terms of services are written, they know your files, they know your data, they know your contacts," he added.

Perhaps the most nefarious data you might be handing over, he says, is the keystroke patterns or rhythms TikTok says it may collect. “Keystroke patterns and rhythms. That's a euphemism for keystroke logging,” Stamper said.

Software Engineer Felix Krause recently shared images on Twitter stating, “TikTok, when opening any website in their app, injects tracking code that can monitor all keystrokes, including passwords, and all taps.” He told CBS 8 that he’s not saying that TikTok does do that, but he’s saying that it could.

“This is how a lot of attacks end up occurring, where you can guess somebody's username and password by what they're inputting on their phone or how they're inputting detail into the URL or the browser or the application,” said Stamper.

As for the risk to national security, Stamper said, ”It's not just your information that they're collecting. They're also using what's in your profile, your contacts and other kinds of files and data. So, let's say, you know, somebody that works in law enforcement or national security, there's a risk of things like doxing where the identities of people that work in specialized areas are effectively conveyed.”

Stamper points to a recent cyber advisory from the House of Representatives' Chief Administrative Officer. 

It states “TikTok is a Chinese-owned company and any use of this platform should be done with that in mind.” It calls the app high risk, due to its terms of service, which state it "may collect biometric identifiers and biometric information” from its users, including “faceprints and voiceprints from videos users upload to their platform.”

"We do not recommend the download or use of this application due to these security and privacy concerns,” the advisory states.

Asked if there has been a breach of national security related to TikTok, Stamper said, “I think there are cases. I don't know how well publicized they are, but I think there's enough inference and enough risk, both from a legal perspective as well as from a functional perspective, that would suggest that TikTok is probably not an application that should be widely used.”

CBS 8 reached out to TikTok via email. A TikTok spokesperson replied, and addressed software engineer Felix Krause’s research which states Tik-Tok has tracking codes that can monitor keystroke. A TikTok spokesperson stated, 

"The report's conclusions about TikTok are incorrect and misleading. The researcher specifically says the JavaScript code does not mean our app is doing anything malicious, and admits they have no way to know what kind of data our in-app browser collects. Contrary to the report's claims, we do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting, and performance monitoring."     

The spokesperson also shared a link to a statement about the Cyber Advisory and directed CBS 8 to their FAQ page.

It also shared links to their website on “Strengthening our commitment to transparency” and “Our approach to keeping US data secure”.

CBS 8 followed up by requesting an interview and clarification as to why the concerning verbiage is still in their terms of service if they're not doing anything about what cyber security experts say are concerning. 

At the time this article was published, CBS 8 has not heard back from TikTok.  

 WATCH RELATED: Hand signal from TikTok video helps save missing teen girl in Kentucky, what San Diego advocates say (Nov. 2021).

Before You Leave, Check This Out