A class action lawsuit was filed in California against TikTok, the Chinese social media platform developer, in November 2019. The lawsuit claimed that the TikTok app was designed to “covertly tap into a massive array of private and personally-identifiable information” and used “non-standard encryption to conceal the transfer of such data from users’ devices to Defendants.”
The 46-page lawsuit text contained details about the data types that TikTok was collecting, including user-generated video content and messages sent through phone and social network contacts; technical details such as WiFi MAC address, the phone’s IMEI and IMSI number, and device ID; as well as browsing history, metadata and “precise physical location based on SIM card, cell towers and/or GPS.”
Perhaps more damning, the lawsuit claimed that the data was exfiltrated to a set of domains and subdomains in China that were owned by TikTok or affiliated companies. These included Musical.ly-owned domains musemuse.cn, zhiliaoapp.com, its subdomains xlog-va.musical.ly and log2.musical.ly, and other Chinese websites: bugly.qq.com, mob.com, and umeng.com.
The specifics in the lawsuit seem to make a strong case against TikTok, but the lawsuit cited no sources for its technical claims. The case is made somewhat ambiguous by the fact that TikTok’s headquarters office is supposedly in Los Angeles, and Musical.ly (merged into TikTok in 2018) has its headquarters in Santa Monica. If the details in the suit are proven to be true, it will be hard for TikTok and ByteDance, its parent company in Beijing, to maintain the stance that no TikTok user data is sent to China.
Link to the full TikTok lawsuit report: Wapack Labs IR Misty Hong v TikTok 191231.pdf