I did a detailed privacy check of the Tiktok app and website. You can read my article at Süddeutsche Zeitung. Tiktok commits multiple breaches of law, trust, transparency and data protection. Here are the technical and legal details.
Long thread ⤵️

This is my setup: I used mitmproxy to route all app traffic for analysis. See in this video how device information, usage time and watched videos are sent to Appsflyer and Facebook.

Hard to believe that this is covered by "legitimate interest" and transparency: Entered search terms are sent to Facebook.

Transfers to both companies break different rules of the GDPR: Facebook can't fulfill Art. 14 (information, deletion etc.) on this data.

Transfer to Appsflyer lacks transparency as it's unknown to which of the 4500+ Appsflyer partners the data will be transferred afterwards. Bytedance: "We don't show the contracts." Did they even read Art. 26 GDPR?

Most important: Fundamental rights are violated because PII is transferred to a company in an insecure non-European country. The server location doesn't count, it is about where the company deciding about the data resides, says @malteengeler. Tiktok's headquarters: Beijing 🇨🇳

I also checked the website which is important as all shared videos (via messenger or social media) are viewed there. The short URL e.g. vm[dot]tiktok[dot]com/9uTpDV will be resolved to a URL which contains the installation ID. Tiktok will be able to check who shared which video.

But they also track who is watching the video. Among common trackers (Google Analytics) they use the highly controversial method of device fingerprinting to set a mostly unique hash to the cookie s_v_webid. This is done by combining typical hardware and browser characteristics.

One of them: Canvas Fingerprinting. They draw an image in the background using vector graphic commands. Afterwards they save the image to a rasterized PNG. This data is quite unique among different devices depending on settings and hardware.

They also use audio fingerprinting to identify visitors. This doesn't mean they actually use your microphone or speaker. Instead they generate a sound internally and record the bitstream, which also differs from device to device. This is what it sounds like.

Bytedance told me that they use this fingerprinting to identify malicious browser behaviour. I don't believe that, because the website still works if the script is blocked. Also they use Akamai's fingerprinting technology already on the server (which is another story to investigate).

The same fingerprinting script and cookie is used on Bytedance's news site Toutiao. What I found out for sure: If someone shares a video, Bytedance can
a.) tie the recipients of the video to the sender
b.) track recipients subsequently on Tiktok and Toutiao.

There are many other breaches, e.g. Google Analytics is used without anonymizing the IP data. And they use free software without a proper license, for example Zepto.js from Thomas Fuchs, Murmur Hash from Austin Appleby and FingerprintJS from Valentin Vasilyev. How low can you go?

These are the PRIVACY problems with Tiktok. Last week Netzpolitik published detailed information about CENSORSHIP problems. Read these 3 articles starting here netzpolitik.org/2019/discrimin
So is it a good idea by Tagesschau to foster this system with videos paid by German households?
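Both fingerprinting techniques described in the thread (canvas and audio) depend on one step a page can observe: the script reading the rendered pixels or generated samples back out. The hook below is an added example for researchers reproducing such a check, not code from the thread or from Tiktok's site; it wraps the real Web API read-back methods so each call is logged with its caller stack, and the `FakeCanvas`/`FakeAnalyser` names used in the usage section are constructed stand-ins so the hook can be exercised outside a browser.

```javascript
// Added example: log canvas/audio read-backs, the step fingerprinting
// scripts need. Method names are the real Web API names; the "Fake*"
// classes are constructed stand-ins for running without a DOM.
const readbackEvents = [];

// Wrap `methodName` on `proto` so every call is recorded (kind, method,
// caller stack, time) and then forwarded to the original unchanged.
// Returns false when the method does not exist on that prototype.
function hookReadback(proto, methodName, kind) {
  const original = proto[methodName];
  if (typeof original !== 'function') return false;
  proto[methodName] = function (...args) {
    readbackEvents.push({
      kind,                        // 'canvas' or 'audio'
      method: methodName,
      caller: new Error().stack,   // which script triggered the read-back
      at: Date.now(),
    });
    return original.apply(this, args);
  };
  return true;
}

// Install hooks on the browser prototypes that exist in `g`; under Node
// none of them exist, so this returns 0 and changes nothing.
function instrumentBrowser(g = globalThis) {
  const hooks = [
    [g.HTMLCanvasElement, 'toDataURL', 'canvas'],
    [g.HTMLCanvasElement, 'toBlob', 'canvas'],
    [g.CanvasRenderingContext2D, 'getImageData', 'canvas'],
    [g.AudioBuffer, 'getChannelData', 'audio'],
    [g.AnalyserNode, 'getFloatFrequencyData', 'audio'],
  ];
  return hooks.filter(([ctor, m, k]) => ctor && hookReadback(ctor.prototype, m, k)).length;
}

// Count of read-backs per kind, the number a researcher looks at first.
function readbackSummary() {
  return readbackEvents.reduce((acc, e) => {
    acc[e.kind] = (acc[e.kind] || 0) + 1;
    return acc;
  }, {});
}

// Stand-ins for the demo (constructed; real pages use the DOM objects).
class FakeCanvas { toDataURL() { return 'data:image/png;base64,constructed'; } }
class FakeAnalyser { getFloatFrequencyData(arr) { arr[0] = -42; } }
```

In a browser, call `instrumentBrowser()` before the page's scripts run (a devtools snippet or a content script at `document_start`) and inspect `readbackEvents` to see which script produced the read-back.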

@rufposten ah yes, the best way to protect vulnerable people is to hide them from society, and not like, geez, idunno, speaking out in their support and making sure their needs are met
