From mid-March, staff and elected officials of the European Parliament and the European Commission will no longer be allowed to use TikTok on their professional devices. In Canada, the government has already banned the very popular app from the mobile devices it provides to its staff. As for the United States, a law ratified at the beginning of January prohibits the downloading and use of this micro-video platform on the devices of federal state officials, while a bill brought to Congress could lead to its total ban. The video platform also worries France, where senators set up, Wednesday, March 1, a commission of inquiry into the application owned by the Chinese company ByteDance.

At the heart of the concerns of the States, the possibility that the Chinese government can access the data of their nationals and spy on them. TikTok is indeed one of the few social platform behemoths not born in a Silicon Valley company. The online service, which started in China in 2016, has offices in several cities around the world, including Paris, but the headquarters of ByteDance, its parent company, remains in Beijing. Several reasons for concern also flesh out these accusations, which concern, among other things, certain practices that are not the prerogative of this social network.

According to a recent global study by Qustodio, a company specializing in parental controls, minors spent an average of one hour forty-seven minutes a day on TikTok, zapping from suggested videos to suggested videos. If TikTok (like all the giants of the Net) keeps the secret of its very effective recommendation algorithm, the social network explained, in a communication in 2020, that it was traditionally based on user interactions (likes, shares, messages, etc.) and video metadata such as captions, hashtags and songs used; the app also takes into account the parameters saved by the Internet user, such as the language of use or the country where he is located. Recently, the social network announced the deployment for minors of a warning after one hour of use and the limitation of abusive consultations.

Not only are there suspicions about the platform’s addictiveness, there are criticisms about TikTok’s moderation in recent months. Several reports from research centers or companies specializing in disinformation point to the ease with which users can find themselves confronted with false or misleading information about elections or the pandemic. In December 2022, in the United States, a report by the Center for Combating Online Hate demonstrated how harmful content, for example videos relating to self-harm and eating disorders, was recommended by the social network’s algorithm to its young users.

Similar grievances have already been leveled at other platforms, including Facebook, YouTube and Instagram. The fact that ByteDance has deployed two distinct versions of its application – Douyin, exclusive to the Chinese market, TikTok for the rest of the world – however reinforces suspicions and fantasies around the latter.

To function, display targeted advertisements or relevant videos, TikTok first requires extensive access to its users’ devices. On the website of the ToSDR association, which simplifies and analyzes the general conditions of use of different applications and services, TikTok achieves an E score, the worst score in the ranking. Its terms and conditions are however quite similar to other social networks: always on ToSDR, neither Facebook, Twitter, Instagram or Snapchat do better.

In terms of tracking tools embedded by TikTok, the application is also close to its competitors. The Exodus Privacy association, which analyzes Android applications, notes that TikTok requests a large number of permissions from the user: the application has access to the device’s microphone, contacts, camera, storage or even geolocation data.

The Chinese app asks for more than seventy-six permissions from its users to run on an Android device, some of which, in theory, allow TikTok to spy on all the keystrokes the user typed – a feature that ByteDance acknowledged existence, while ensuring that it was not used. For comparison, Instagram’s Android app requires forty-six permissions on the user’s phone, as does Twitter, while Snapchat requires sixty.

The exact extent of the data collected by TikTok remains difficult to estimate with certainty: according to security researchers, the application employs numerous techniques which legitimately limit the risks of industrial espionage, but which, de facto, also make it possible to conceal the exact scope of data collection.

This appetite for TikTok has earned it the attention of data protection authorities. In France, the CNIL has already sanctioned the parent company of TikTok for not respecting the rules regarding the deposit of cookies on its website (and not the application). In parallel, the Irish Data Protection Authority opened an investigation in 2021 to determine whether TikTok was transferring users’ personal data to China – which TikTok finally admitted in November 2022, pressed by several investigations from the American press. The company, however, assures that the data is secure and that only a select few employees can access it.

In December 2022, TikTok admitted that, as revealed by Forbes, several of its employees had spied on journalists thanks to the geolocation enabled by the application. TikTok admitted its mistake, and the employees responsible for this spying were fired. The episode has reinforced mistrust against him. In 2020, Donald Trump already wanted to ban the application in the United States, accusing it of spying on behalf of Beijing – without however providing any evidence.

If the subject is so sensitive, it is because the company ByteDance, owner of TikTok, is subject to the Chinese law of 2017 on intelligence. This law, of which Huawei has, for example, already paid the price, specifies that Chinese companies and enterprises are required to collaborate with the intelligence services of the country when they request them. This measure also extends to Chinese companies operating outside the national territory and could therefore in theory apply to data collected by TikTok.

In a context of tense international relations with Beijing, it is understandable that caution dictates the position of European institutions. It should nevertheless be remembered that the United States has had a fairly similar legislative arsenal since 2018, the Cloud Act, which allows American intelligence to access data hosted or stored by a national player, such as Microsoft or Amazon.