A lot of people have sent me the Tiktok privacy & data “research”. Mobile privacy was one of my focuses in my masters CS program. I wrote a paper on data collection & nonpermissioned APIs! Here’s my take:

The research fails to present the data objectively. It’s also Android only.
I personally reverse engineered the top 2700 apps in the Google Play store at the time (top 100 from each of the major categories). Data collection practices should be looked at holistically to understand common collection techniques and to understand how unusual something is.
While I don’t think apps should collect that much information about my device (I should be able to control this at the OS level), I can think of many legit reasons to collect: device hardware and network info.
Collecting a list of applications or clipboard info without permission? Gross, but this is not new and it’s widely abused, especially by ad network packages.

The app ecosystem is a privacy nightmare, especially on Android.
Collecting a list of apps on a phone has been banned in iOS for a while (at least 2014), but it’s still allowed on Android.

What’s the solution? I should be able to control what data is shared at the OS level.
Either these APIs need to become user permissioned or disallowed.

And Apple gets this. Changes to iOS14 demonstrate this. The whole reason the Tiktok clipboard issue came up was because someone downloaded the iOS14 beta (which permissioned clipboard access) and it glitched out.
Present privacy research objectively. We need to understand the why and the structure of APIs when we criticize.

APIs aren’t always narrowly tailored to just the information you want to collect.

If we want the ecosystem to be better, let’s be thoughtful in the criticism.
We need OS developers to be more thoughtful about what they allow and enable app developers to do. Apple has decided to disallow the collection of a list of apps by app developers, Google has not.
Some of these practices, which are either ignored or excused from other app developers, need to be stopped, called out & regulated. But lately it’s just bc it’s a Chinese owned app, which feels, frankly, racist bc US companies haven’t proved to be more ethical (cough...Facebook).
TLDR: Tiktok’s data collection isn’t great, but it’s not unusual in the app space. Mobile OS developers need to take responsibility to reform the ugly, privacy invasive, app space.
Also all these practices should be compared to what they say in their privacy policy. Where’s the disclosure about collection of apps or clipboard content in the policy?
Since a bunch of folks asked: Here’s the paper, which focuses on “PackageManager.getInstalledApplications()” on Android. And what you can find out about a person as a result of that data. It was researched/published in 2015/2016. http://soterisdemetriou.com/blog/wp-content/uploads/2016/08/demetriouNDSS16.pdf
I will also add that if devs are collecting a list of applications in iOS, it's to work around the fact that Apple doesn't have a public API for it. They use "hacks" to try to figure out what apps you've installed.
You can follow @wbm312.