TikTok vs Douyin – A Security and Privacy Analysis

Tue, 2021-03-23 13:35

App developers operating in China face unique challenges due to laws and regulations that hold companies accountable for the content published or transmitted on their platforms. When Chinese app developers move beyond China and enter international markets, they must adapt their products to suit different user expectations and regulations while also maintaining their user base in China and their compliance with Chinese law. This balancing act can lead to users inside and outside of China having vastly different experiences with an application.

ByteDance, a China-based technology company, develops TikTok, a short-video social media platform and the first Chinese-made social media platform to reach global popularity, passing 2 billion cumulative downloads in April 2020. The app started in China under the name Douyin and was later released as TikTok, tailored for the international market. The two versions continue to be maintained for these separate markets. TikTok and Douyin are both for sharing short videos and have similar interfaces. However, they are entirely separate apps, each connecting to its own separate platform.

The popularity and attention TikTok has gained poses key questions: Did ByteDance adapt its social media platform to the international market in alignment with industry norms? Or did it implement or retain some features that are required in the Chinese market that may present undesirable security and privacy risks to non-mainland China users?

Answering these questions requires considering both technical characteristics and platform policies and practices. This report focuses on the technical characteristics of TikTok and Douyin through analysis of the source code of the TikTok and Douyin Android apps. The results of this analysis inform our understanding of how ByteDance develops the two apps for their respective markets.

As an Information Controls Fellow, Pellaeon Lin worked with the Citizen Lab at the University of Toronto to carry out research on the technical characteristics of TikTok and Douyin through analysis of the source code of the TikTok and Douyin Android apps.

The research looked at the privacy, security and censorship aspects of TikTok and Douyin and produced the following key findings:

  • TikTok and Douyin do not appear to exhibit overtly malicious behavior similar to that exhibited by malware. We did not observe either app collecting contact lists, recording and sending photos, audio, video or geolocation coordinates without user permission.
  • Despite not exhibiting overtly malicious behavior, Douyin contains features that raise privacy and security concerns, such as dynamic code loading and server-side search censorship. TikTok does not contain these features.
  • TikTok and Douyin’s Android apps share many parts of their source code. We postulate that ByteDance develops TikTok and Douyin starting out from a common code base, and applies different customizations according to market needs. We observed that some of these customizations can be turned on or off by different server-returned configuration values. We are concerned, but could not confirm, that this capability may be used to turn on privacy-violating hidden features.
  • Both TikTok and Douyin have source code for restricting search results for content labeled as “hate speech,” “suicide prevention,” and “sensitive.” We suspect the “sensitive” field restriction refers to content that is “politically sensitive” but could not confirm this.
  • The evidence we collected is inconclusive about whether TikTok employs political censorship of user posts. We did not test for post censorship on Douyin.
  • Douyin restricts some political terms in search. TikTok did not restrict any of the keywords we tested.

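The dynamic code loading flagged in the second finding is the capability that lets an app pull in and execute code that was not in the APK at install time, which is why it matters for an app that also accepts server-returned configuration. As an added example (not code from the report, Citizen Lab, or ByteDance), the script below shows the kind of first-pass static triage a practitioner runs over a decompiled Android app to find references to the standard Android dynamic loading APIs (dalvik.system.DexClassLoader, PathClassLoader, InMemoryDexClassLoader and DexFile.loadDex, all real platform classes). The smali and Java snippets it scans are constructed for this example and are not taken from either app; the package names in them are hypothetical.

```python
import re
from dataclasses import dataclass

# Real Android (dalvik.system) APIs that load classes at runtime. Matching either
# the smali form (Ldalvik/system/DexClassLoader;) or the Java form
# (dalvik.system.DexClassLoader) covers output from apktool and jadx alike.
INDICATORS = {
    "DexClassLoader": re.compile(r"dalvik[./]system[./]DexClassLoader"),
    "PathClassLoader": re.compile(r"dalvik[./]system[./]PathClassLoader"),
    "InMemoryDexClassLoader": re.compile(r"dalvik[./]system[./]InMemoryDexClassLoader"),
    "DexFile.loadDex": re.compile(r"dalvik[./]system[./]DexFile;->loadDex|DexFile\.loadDex"),
}


@dataclass(frozen=True)
class Finding:
    path: str        # decompiled file the hit was found in
    line_no: int     # 1-based line within that file
    indicator: str   # which API family matched
    text: str        # the matching line, stripped, for the analyst to read


def scan_file(path, text):
    """Return one Finding per (line, indicator) match in a single decompiled file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                findings.append(Finding(path, line_no, name, line.strip()))
    return findings


def scan_tree(files):
    """files: mapping of relative path -> decompiled text. Paths are scanned in sorted order
    so the report is stable across runs."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_file(path, files[path]))
    return findings


def summarize(findings):
    """Hit count per indicator. Any non-empty result is a lead for manual reversing, not proof:
    the analyst still has to trace where the loaded dex/bytes come from (bundled asset, cache
    directory, network) and what decides whether the load happens (e.g. a server-returned flag)."""
    counts = {}
    for f in findings:
        counts[f.indicator] = counts.get(f.indicator, 0) + 1
    return counts


# Constructed sample input: a plugin loader in smali, an ordinary activity in Java, and a Java
# class that builds a class loader from an in-memory buffer. None of this is from a real app.
SAMPLE_FILES = {
    "smali/com/example/plugin/Loader.smali": "\n".join([
        ".class public Lcom/example/plugin/Loader;",
        ".method private load(Ljava/lang/String;)Ljava/lang/ClassLoader;",
        "    new-instance v0, Ldalvik/system/DexClassLoader;",
        "    invoke-direct {v0, p1, v1, v2, v3}, Ldalvik/system/DexClassLoader;-><init>"
        "(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;)V",
        "    return-object v0",
        ".end method",
    ]),
    "sources/com/example/ui/MainActivity.java": "\n".join([
        "package com.example.ui;",
        "import android.app.Activity;",
        "public class MainActivity extends Activity {",
        "    // ordinary UI code, no dynamic loading here",
        "}",
    ]),
    "sources/com/example/plugin/MemLoader.java": "\n".join([
        "package com.example.plugin;",
        "import java.nio.ByteBuffer;",
        "public class MemLoader {",
        "    ClassLoader make(ByteBuffer buf) {",
        "        return new dalvik.system.InMemoryDexClassLoader(buf, getClass().getClassLoader());",
        "    }",
        "}",
    ]),
}


def run_sample():
    """Scan the constructed tree and return (findings, per-indicator counts)."""
    findings = scan_tree(SAMPLE_FILES)
    return findings, summarize(findings)


if __name__ == "__main__":
    found, counts = run_sample()
    for f in found:
        print(f"{f.path}:{f.line_no}  [{f.indicator}]  {f.text}")
    print("summary:", counts)
```

On the sample tree the scan reports two DexClassLoader hits in the smali loader (the new-instance and the constructor call) and one InMemoryDexClassLoader hit in the Java class, and nothing in the activity. Running the same scan over both apps' decompiled trees is how one would start to reproduce the finding that Douyin contains dynamic code loading and TikTok does not, before reading the surrounding code to see what controls the load.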
The full report can be found here, along with a FAQ.

About the program: OTF’s Information Controls Fellowship Program (ICFP) supports examination into how governments in countries, regions, or areas of OTF’s core focus are restricting the free flow of information, impeding access to the open internet, and implementing censorship mechanisms, thereby threatening the ability of global citizens to exercise basic human rights and democracy. The program supports fellows to work within host organizations that are established centers of expertise by offering competitively paid fellowships for three, six, nine, or twelve months in duration.