Matthias Eberl
I did a detailed privacy check of the Tiktok app and website. You can read my article here (German): Tiktok commits multiple breaches of law, trust, transparency and data protection. Long thread⤵️
The video platform Tiktok faces accusations of censorship and criticism of its handling of data.
Süddeutsche Zeitung @SZ
Matthias Eberl Dec 4
Replying to @MatthiasEberl
This is my setup: I used mitmproxy to route all app traffic for analysis. See in this video how device information, usage time and watched videos are sent to Appsflyer and Facebook.
Matthias Eberl Dec 4
Replying to @MatthiasEberl
Hard to believe that this is covered by "legitimate interest" and transparency: Entered search terms are sent to Facebook.
Matthias Eberl Dec 4
Replying to @MatthiasEberl
Transfers to both companies break different rules of the GDPR: Facebook can't fulfill Art. 14 (information, deletion etc.) on this data.
Matthias Eberl Dec 4
Replying to @MatthiasEberl
Transfer to Appsflyer lacks transparency as it's unknown to which of the 4500+ Appsflyer partners the data will be transferred afterwards. Bytedance: "We don't show the contracts." Did they even read Art. 26 GDPR?
Matthias Eberl Dec 4
Replying to @MalteEngeler
Most important: Fundamental rights are violated because PII is transferred to a company in an insecure non-European country. The server location doesn't count, it is about where the company deciding about the data resides, says . Tiktok's headquarters: Beijing 🇨🇳
Matthias Eberl Dec 4
Replying to @MatthiasEberl
I also checked the website which is important as all shared videos (via messenger or social media) are viewed there. The short URL e.g. vm[dot]tiktok[dot]com/9uTpDV will be resolved to a URL which contains the installation ID. Tiktok will be able to check who shared which video.
Matthias Eberl Dec 4
Replying to @MatthiasEberl
But they also track who is watching the video. Among common trackers (Google Analytics) they use the highly controversial method of device fingerprinting to set a mostly unique hash to the cookie s_v_webid. This is done by combining typical hardware and browser characteristics.
Matthias Eberl Dec 4
Replying to @MatthiasEberl
One of them: Canvas Fingerprinting. They draw an image in the background using vector graphics commands. Afterwards they save the image to a rasterized PNG. This data is quite unique among different devices depending on settings and hardware.
Matthias Eberl Dec 4
Replying to @MatthiasEberl
They also use audio fingerprinting to identify visitors. This doesn't mean they actually use your microphone or speaker. Instead they generate a sound internally and record the bitstream, which also differs from device to device. This is what it sounds like.
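A defender-side check for the canvas and audio read-back calls described in the two tweets above, added here as an example and not part of the thread: it hooks the read-back methods a fingerprinting script has to call and reports whether the page read pixels or audio samples back. The browser prototypes are replaced by constructed stand-ins so the demo runs outside a browser; in a real page the same hooks go on HTMLCanvasElement.prototype.toDataURL, CanvasRenderingContext2D.prototype.getImageData and AudioBuffer.prototype.getChannelData.

```javascript
// Monitor that wraps read-back APIs and records each call by category.
// Drawing alone is harmless; reading the result back is what yields a
// device-specific value, so only the read-back methods are hooked.
function createMonitor() {
  const calls = [];
  function hook(proto, method, category) {
    const original = proto[method];
    if (typeof original !== "function") return;
    proto[method] = function (...args) {
      calls.push({ category, method });
      return original.apply(this, args); // keep the page working
    };
  }
  function verdict() {
    const seen = new Set(calls.map((c) => `${c.category}:${c.method}`));
    return {
      // canvas fingerprinting: rasterized image read back as PNG or pixels
      canvas: seen.has("canvas:toDataURL") || seen.has("canvas:getImageData"),
      // audio fingerprinting: internally generated signal read back as samples
      audio: seen.has("audio:getChannelData"),
      calls: calls.length,
    };
  }
  return { hook, verdict };
}

// Constructed stand-ins for the browser prototypes (this runs under Node).
class FakeCanvas { toDataURL() { return "data:image/png;base64,AAAA"; } }
class FakeAudioBuffer { getChannelData() { return new Float32Array(4); } }

// Simulates a page that draws and reads back both a canvas and an audio
// buffer, i.e. the behaviour the thread describes; returns the verdict.
function demoFingerprintingPage() {
  const mon = createMonitor();
  mon.hook(FakeCanvas.prototype, "toDataURL", "canvas");
  mon.hook(FakeAudioBuffer.prototype, "getChannelData", "audio");
  const png = new FakeCanvas().toDataURL();          // pixel read-back
  const pcm = new FakeAudioBuffer().getChannelData(0); // bitstream read-back
  if (!png.startsWith("data:image/png") || pcm.length !== 4) throw new Error("hook broke API");
  return mon.verdict();
}

// A page that never reads anything back produces a clean verdict.
function demoCleanPage() {
  return createMonitor().verdict();
}
```

The wrapped methods still return the original result, so instrumenting a page with this monitor does not break it; the verdict only tells you that read-back happened, which is the signal the tweet's "still works if the script is blocked" argument turns on.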
Matthias Eberl Dec 4
Replying to @MatthiasEberl
Bytedance told me that they use this fingerprinting to identify malicious browser behaviour. Does this make sense when the website still works if the script is blocked? 🤔 And they already use Akamai's fingerprinting technology on the server (yes: another story to investigate).
Matthias Eberl Dec 4
Replying to @MatthiasEberl
The same fingerprinting script and cookie is used on Bytedance's news site Toutiao. So: If someone shares a video, Bytedance can a.) tie the recipients of the video to the sender b.) track recipients subsequently on Tiktok and Toutiao even if cookies are deleted.
Matthias Eberl Dec 4
Replying to @thomasfuchs
There are many other breaches e.g. Google Analytics is used without anonymizing the IP data. And they use free software without proper license, for example Zepto.js from , Murmur Hash from Austin Appleby and FingerprintJS from Valentin Vasilyev. How low can you go?
Matthias Eberl Dec 4
These are the PRIVACY problems with Tiktok. Last week published detailed information about CENSORSHIP problems. Read these 3 articles starting here So is it a good idea by to foster this system with videos paid by public money?
Matthias Eberl Dec 4
Replying to @tagesschau
Channel operators may fall under joint controllership with Tiktok as the ECJ ruled for FB fanpages. A channel could be closed if Tiktok violates privacy. DPO of German public broadcaster NDR, Heiko Neuhoff, told me he will soon decide if this applies to the channel of
Matthias Eberl Dec 4
Replying to @MatthiasEberl
My comment: Tiktok is breaking the law in multiple ways while exploiting mainly teenagers' data. This should be regulated quickly and rigorously. We have all necessary laws. Don't let them break society like 10 years of FB. Journalists should find a better place for vertical video.
Matthias Eberl Dec 5
Replying to @MatthiasEberl
Thanks for all the positive comments. I transferred the thread to a blog post for more convenient reading. Please consider a donation to support my work; currently I'm not able to live from those articles.