
Privacy analysis of Tiktok’s app and website - ignoramous
https://rufposten.de/blog/2019/12/05/privacy-analysis-of-tiktoks-app-and-website/
======
graposaymaname
> Canvas Fingerprinting. They draw an image in the background using vector
> graphic commands. Afterwards they save the image to a rasterized PNG. This
> data is quite unique among different devices depending on settings and
> hardware.

> They also use audio fingerprinting to identify visitors. This doesn’t mean
> they actually use your microphone or speaker. Instead they generate a sound
> internally and record the bitstream, which also differs from device to
> device.

This really blew my mind. Correct me if almost all of them are doing this. If
it is so, the congress hearing last year, all those privacy suits, all went
in vain, didn't they? (PS. bad english)

:/

~~~
hombre_fatal
99% of websites we visit do not need canvas or sound. And the few websites
that do can explain why you should click "Allow" when they prompt you for
access.

What's a charitable reason that stops even a supposedly privacy-concerned
niche browser like Brave from implementing opt-ins for these things?

I suppose one reason is that you would immediately unleash opt-in spam on your
users that don't know what these pop-ups mean since so many major websites use
these hacks, so the average user is just going to be conditioned to mindlessly
click "Allow All" every time they pop up like UAC on Windows Vista, punishing
the average person while doing nothing to enhance their security.

Doesn't help that legislators are absolutely clueless here. For example,
demonizing cookies when cookies are the most fair and transparent way to
implement tracking, and leading to the first wave of pointless opt-in spam
that plagues the internet. I'd rather they leave the internet alone and for
browser vendors to step up for us.

Of course, the problem also includes native apps like in TFA. I'm just more
optimistic about clients that run in web browsers.

~~~
iudqnolq
In Firefox, setting privacy.resistFingerprinting = true in about:config fixes
the canvas leak and possibly the audio leak. It's part of a push to bring into
Firefox privacy features from the TOR project.

[https://wiki.mozilla.org/Security/Fingerprinting](https://wiki.mozilla.org/Security/Fingerprinting)

~~~
stinos
I really want to do this, but last time I checked it also leads to FF sending
UTC time back to sites (or something like that), resulting in showing non-local
time for your own and other interactions on pretty much all sites like
github/slack/... Fairly annoying. I hope this becomes a separate setting at
one point.

~~~
arjunbajaj
I enabled it and Todoist would show me a dialog on every page reload to set my
timezone to UTC. After I realized that resistFingerprinting was causing it, I
had to disable it.

It would be nice if the settings inside resistFingerprinting were
configurable. I understand that the point of it is to make every browser look
the same to analytics engine, but having timezones and zoom levels reset is
not the best thing.

~~~
jmiserez
Or file a bug report with Todoist. Showing a dialog on every page is not very
user friendly of them.

------
harryf
Three of the main things he calls out are caused by embedding of the Facebook
SDK, the Google Analytics SDK and AppsFlyer SDK. The most worrying one IMO is
actually AppsFlyer - I doubt they have the resources to properly protect the
data they're collecting.

It might be more effective to go after the companies providing the SDKs rather
than individual apps, to have a real impact. But OK this was for a news story
about TikTok and that's what readers can relate to.

~~~
baybal2
Going back to Google's knowing and willing abetting of hardware ID abuse.

I heard it many times that Google knows that a lot of Chinese companies
violate their play store policy against using hardware IDs for advertising
purposes.

If they stand against it, why they added APIs for accessing them in the first
place?

I thought about that for a long time, and finally it struck me: Google very
well knows that GDPR prohibits them IDing people if they refuse, so they just
added those APIs to let other companies do it for them!

~~~
bagacrap
TFA goes into depth about how the fingerprinting is done and it does not rely
on any Android API.

------
sm4rk0
I'm using these four Firefox addons in addition to uBlock Origin and Cookie
AutoDelete:

(Canvas|WebGL|AudioContext|Font) Fingerprint Defender

They report and seem to block fingerprinting attempts.

[https://addons.mozilla.org/en-US/android/addon/canvas-fingerprint-defender/](https://addons.mozilla.org/en-US/android/addon/canvas-fingerprint-defender/)

[https://addons.mozilla.org/en-US/android/addon/webgl-fingerprint-defender/](https://addons.mozilla.org/en-US/android/addon/webgl-fingerprint-defender/)

[https://addons.mozilla.org/en-US/android/addon/audioctx-fingerprint-defender/](https://addons.mozilla.org/en-US/android/addon/audioctx-fingerprint-defender/)

[https://addons.mozilla.org/en-US/android/addon/font-fingerprint-defender/](https://addons.mozilla.org/en-US/android/addon/font-fingerprint-defender/)

~~~
stfwn
I may be wrong, but these add-ons seem shady to me. The website pointed to as
the homepage is an ad-ridden site that is supposedly a community for open-
source development, but all the links to 'fork me on GitHub' don't go
anywhere. I can't find the source at all. This topic comes up often but these
have never been posted and the add-ons have relatively few users (4k, 1.5k, 2k
and 0.7k).

I don't know anything about browser add-ons. Perhaps someone who does could
take a look and see what's up?

~~~
humaniania
I am extremely cautious about installing any sort of browser extension;
especially ones that request such intrusive permissions that could so easily
be severely exploited with any given update.

~~~
bredren
Particularly an extension that wants access to all websites and their data.
Since the browser has very open permissions from the firewall, and these run
under those rules it is open season for an extension dev to send out data.

------
Jonnax
Sandboxing with randomisation is what we need.

Like a VM or a container to launch a browser. A canvas fingerprint needs to be
different every time it's calculated.

~~~
the_pwner224
These sorts of features are added to JS because they enhance user interaction.
The audio API is an obvious example, and one of the big reasons canvas is used
is that it has good 2d performance and lets you draw arbitrary stuff easily -
good for games. You can't decouple this from the hardware; audio will need to
go through the sound card and removing GPU acceleration from canvas kills it.
The only thing that can be done is slightly fuzzing inputs the program
collects (the saved PNG or the listened audio) - but this again interferes
with real use cases, such as web audio editors and image editors, where this
method forces lossy editing and importing.

Already I have to use another browser to use games or other 3D content because
I have WebGL disabled in Firefox, and for 2d stuff the resistFingerprinting
option reduces timer accuracy, which messes with game loop timing and makes
the game totally unplayable. Making audio and video even harder to use is not
good.

The only solution is to not allow this stuff to happen in the first place by
using a permissions system. Adding more permissions popups is bad, so
permission needs to be implicitly allowed by the user. Autoplay is a good
example of this, calls to play() are blocked unless the call is being made in
response to a click handler. Permissions for really recording audio/video
through a webcam/mic also work well.

~~~
quotemstr
> You can't decouple this from the hardware; audio will need to go through the
> sound card and removing GPU acceleration from canvas kills it.

What you _can_ do is require that the hardware produce bit-identical output
for given input no matter how it's actually implemented, a bit like how HTML5
exactly defines rendering for any stream of input characters nowadays. Sure,
this level of exactness might impose a performance cost, but it would improve
privacy.

OTOH, you still have timing fingerprinting, so maybe you just can't win.

------
Yuval_Halevi
> Tiktok is breaking the law in multiple ways while exploiting mainly teenagers
> data. This should be regulated quick and rigorous. We have all necessary laws.
> Don’t let them break society like 10 years of FB. Journalists should find a
> better place for vertical video.

Well done. I think that after this research, journalists will have a better
understanding of how TikTok actually breaks the law and they can cover this
story using the information from this article as a reference.

------
commoner
If you're using Firefox, consider using the CanvasBlocker add-on to reduce the
effectiveness of canvas fingerprinting.

[https://addons.mozilla.org/en-US/firefox/addon/canvasblocker](https://addons.mozilla.org/en-US/firefox/addon/canvasblocker)

[https://github.com/kkapsner/CanvasBlocker](https://github.com/kkapsner/CanvasBlocker)

~~~
floatboth
Just enable privacy.resistFingerprinting in about:config, no addons needed

~~~
commoner
privacy.resistFingerprinting is even better since it covers more than just
canvas fingerprinting, but anyone who uses it should be aware of all of the
side effects.

[https://wiki.mozilla.org/Security/Fingerprinting](https://wiki.mozilla.org/Security/Fingerprinting)

For example, new Firefox windows will no longer open maximized, and users who
prefer maximized browser windows would need to maximize them manually.

~~~
inetknght
That shouldn't be necessary if the browser didn't report accurate window
sizing information

~~~
iudqnolq
Exposing the window size is needed for many features. CSS media queries change
what's displayed based on the screen size, and pure CSS can cause effects that
can be independently measured (set a CSS property and then read it with JS and
log the result, or have the CSS load a background image with tracking data
embedded in the URL). Webapps that manually position elements using JavaScript
use the API as well.

It's also extremely hard to prevent any way of getting at it. For example,
I could measure if a line of text overflows and by how much.

~~~
shakna
CSS media queries don't get handled by anything that has the capability to
send that information back, so window size reporting isn't needed for that.

The only place that needs it, are those JS apps that manually position items.

Measuring text overflow is only possible by the APIs exposed by the CSSOM set
[0], which also happens to include the window sizing elements. If we only
allowed a subset of that group, all those problems might evaporate or become
extremely difficult to successfully use.

[0] [https://www.quirksmode.org/dom/w3c_cssom.html](https://www.quirksmode.org/dom/w3c_cssom.html)

~~~
gilfillan9
CSS media queries themselves don't have the capability to send any tracking
information back, but the effects they cause absolutely do. Consider:

    @media (min-width: 600px) { .pixel { background-image: url("/pixel?width=600"); } }
    @media (min-width: 700px) { .pixel { background-image: url("/pixel?width=700"); } }

You could add as many of these media queries as you like to increase the
resolution of your tracking. Combine this with the min-height media query and
you can get the absolute size of the view port.

~~~
shakna
That's still more finite than what JS can report, and can be easily broken by
browser prefetching. (And could have performance implications that could drive
users away.)

Whilst it's better-than-nothing fingerprinting, it is still far less effective
than JS having access to the window and height properties directly.

------
rshnotsecure
I think this says all we need to know: [http://pro-tiktok.s3.amazonaws.com](http://pro-tiktok.s3.amazonaws.com)

Notice the file left in there by a previous explorer of the internet. This
gentleman has even found RCE exploits with TikTok, and they simply do not and
will not respond to their security line. Olivia Newton at NBC I believe even
reached out, and she could not get them to get back to her. I forwarded this
(really another bucket of equal content still lurking out there) several times
to Brian Krebs but he never responded. I only mention his name because it has
happened before and find it somewhat damaging to the community and it needs to
be called out (with full acknowledgement that journalists get hit up by PR ppl
all the time and it’s a tough job).

~~~
lwf
Just because the bucket says "tiktok" in the name, doesn't mean it's in any
way associated with them. This appears to be ~1000 videos, anything
particularly interesting about it?

(My company gets many such reports; sadly researchers often strongly insist
otherwise)

~~~
rshnotsecure
It is associated with the name. A domain held by them had a link record that
pointed to this bucket. Also previous acquisitions of TikTok have buckets,
currently open, and those have metadata which shows ownership.

Either way, TikTok won’t even respond, which is very sad and absolutely
deserves a response so the few researchers don’t have to waste time following
up.

NOTE: Your point makes sense though and I’ve run into this before. 100% agree
with you and I should have mentioned the anchor link found.

~~~
invisiblethreat
Do you happen to know that link?

~~~
rshnotsecure
Do you want to email me? You can find it if you have SecurityTrails
subscription, but that is like $500 a month also. I assume you mean the CNAME
record right??

------
john37386
The other day I saw my young nephew on Tiktok. There is this thing that
happens once in a while when you see two pictures of fashion and the child has
to point with its finger which one they prefer. This thing goes on for a
while. I found it weird and was wondering if others also noticed this?

~~~
jiofih
Pointing fingers in real life or in a video they are recording?

------
tomaskafka
Just don't use TikTok. The whole purpose of this app is to gather a huge
amount of behavioral data (about various themes and topics and how you react
to them), enabling China to do political message targeting on par with what
Cambridge Analytica did.

------
applecrazy
I'm curious what device data is sent from the app. Are they using any private
APIs to extract data from mobile users as well? That would be even more
insidious, since it's hard to analyze that.

I tried decompiling the Android version of the app, but I'm not a mobile dev
and don't know where to look to analyze its data collection behavior.

I also considered using mitmproxy (like the OP) to analyze transmitted data
from the app on my phone, but I'm on a university network that blocks inbound
connections to devices (so I can't connect to my laptop from my phone). Hope
somebody else can publish an analysis.

~~~
sjy
If you’re interested in exploring this, the university network shouldn’t be a
problem if you create a private network between your laptop and phone and
connect the phone to the internet using NAT on the laptop. The Internet
Sharing feature in macOS makes this pretty easy.

~~~
applecrazy
Thanks, I forgot about this. Looking to explore and report findings post-finals

------
colorincorrect
is there a similar analysis of google/facebook/instagram?

~~~
seppin
Yes, they don't give the data they harvest to an authoritarian government that
already has proven they will use said data to target and ID people for
arrest/detention/torture.

Which is an important distinction.

~~~
bduerst
TikTok has said that their TikTok _China_ and TikTok _elsewhere_ apps keep
their app and user data completely separate (in both data centers and policy).

Kind of like how Apple complies with iCloud _China_ and Apple iCloud
_everywhere else_.

Source: [https://www.reuters.com/article/us-usa-tiktok-army/army-examines-tiktok-security-concerns-after-schumers-data-warning-idUSKBN1XV2N6](https://www.reuters.com/article/us-usa-tiktok-army/army-examines-tiktok-security-concerns-after-schumers-data-warning-idUSKBN1XV2N6)

~~~
Beefin
How is it possible that there be two separate silos when I can follow someone
in China despite being in the US

~~~
yorwba
The person in China can use TikTok (international) or you can use Douyin
(Chinese), putting the two of you in the same silo.

~~~
seppin
Are you seriously implying the Chinese government doesn't have access to both
of these sets of data?

~~~
yorwba
I was answering the question about following someone in the other silo (not
possible), not implying that the siloing makes data exfiltration absolutely
impossible.

Note however that for the Chinese silo, they can just open the front door,
whereas doing the same for the international version would endanger their
profits. Profit is an incentive the CCP responds to very well. For the
surveillance agencies, hacking the database is probably easier than setting up
an official channel that too many people would have to know about and agree
to.

------
gambler
_" They draw an image in the background using vector graphic commands.
Afterwards they save the image to a rasterized PNG. This data is quite unique
among different devices depending on settings and hardware."_

Why the fuck does this still work? People are complaining about all those
websites that use it, but ignore the fact that it can be mostly fixed by
changing 2 applications (Chrome and Firefox).

~~~
floo
Well, I don't know the details. But AFAIK canvas drawing is GPU accelerated.

So I would guess you are effectively fingerprinting the combination of browser
and GPU. And that does not sound like its easy to fix on the browser side.

------
burtonator
It's insane to me that canvas and audio fingerprinting actually work.

Are there any strategies that allow us to keep canvas without it being a
security risk?

------
mrlanderson
If anyone wants to work on a project that works against this in a completely
different way, shoot me an email.

We are growing a community of people who don't trust our fragile governments
to figure this out, and instead want to democratize these tools and level the
playing field rather than attempting prohibition yet again..

------
ChaseT
Does this violate any of the Google or Apple's Play Store TOS? People are
calling for the government to step in but a quicker move would be to remove
them from the app store; at least if there's a violation.

~~~
judge2020
All SDKs _should_ be respecting 'limit ad tracking' and should respect when
you reset the advertising ID, but these fingerprinting techniques are fishy.

------
yding
The GDPR law is complex, but I'm 99% sure that this guy is misinterpreting it
here.

Sending data to Google, FaceBook and AppsFlyer (and other American companies)
is generally legal under GDPR.

All three companies are covered under the US-EU Privacy Shield framework:
[https://www.privacyshield.gov/participant_search](https://www.privacyshield.gov/participant_search)

Furthermore, sending PII data to a non-EU country is also allowed under GDPR
as long as the company in question obeys the GDPR rules. Like I said, those
rules are complex, and there could very well be some technical violations by
TikTok, but that's not demonstrated here.

Browser/device fingerprinting for anti-fraud is a well established industry
practice. Browser makers don't like this practice and have taken steps to make
it harder, but the truth is that it's used across the industry.

The open source license violations could be actual civil, but not criminal,
violations. TikTok does maintain a list of open source licenses here:
[https://www.tiktok.com/legal/open-source?lang=en](https://www.tiktok.com/legal/open-source?lang=en) It looks
like it's only for its app and not its website though. Violations of the
MIT/BSD license by using a npm package and forgetting to include it in the
documentation, unfortunately is pretty common across the industry. That
doesn't make it right, and we should hold big companies to a higher standard
of compliance, but if anybody wanted to make a complaint it would have to be
the copyright holder.

TL/DR: I don't think the author demonstrated anything illegal here or out of
line with normal industry practice. You can argue about the morality of
certain industry practices (like fingerprinting) but TikTok is far from an
outlier here.

~~~
munk-a
As someone who worked in a field that necessitated some significant anti-fraud
measures nope to

> Browser/device fingerprinting for anti-fraud is a well established industry
> practice. Browser makers don't like this practice and have taken steps to
> make it harder, but the truth is that it's used across the industry.

If it's that important to you switch off of the web into an App, require sign-
ons against an internal system for authentication and policy people actively.
Falling back on fingerprinting is a BS excuse used by folks that want to
minimize user barriers and maximize the profits they're extracting by push
authentication and identification off onto public resources - it isn't ever
necessary and it isn't okay.

~~~
yding
I bet you've never worked on an e-commerce system then because none of your
suggestions work against e-commerce fraud, and you'd literally lose all of
your money:

switch off of the web into an App: Can't just shut down your website. Also,
device farms and VM farms are super common so it won't even help.

require sign-ons against an internal system for authentication: Sure, you can
require your users create an account. Accounts can be created by the thousands
by bots. Even if you use captchas, captchas don't work, and even if they did I
can find you 100 people who will sign up for accounts manually and sell them
to you for 10 cents a piece.

policy people actively: I assume you mean police people effectively. Kind of
hard to "police" your customers when a huge percentage of them sign up once,
buy something, and maybe only come back 3 years later. In the meantime, their
super simple passwords may have been hacked and leaked 10 times already. Maybe
you should require your customers all use 2FA. Let's see how many customers
you have remaining once you turn that on.

~~~
munk-a
But here's the thing - it does cost money and customers to properly
authenticate people. 2FA will lead to less sign ups but it will give you a
more secure user base - in a world where DAU is the number to live and die by
then security is compromised in order to help float that DAU stat. For sign-
ons collect a per account activation fee or subscription fee - if your goal is
to only have real users then enforce that with money, if your goal is to allow
people to freely browse your site unless they're abusing your site then yea -
that's where fingerprinting comes in, and it comes in because that isn't a
solvable problem. If you want to know who your users are you need to be
upfront about collecting that information securely and if you want any old joe
who gets a link to immediately get sucked into browsing your site and looking
at ads then just stop basing your business off of dark user patterns - deliver
value, charge fairly for that value, realize that lots of potential business
ideas would never be profitable because people simply can't be bothered to
actually put out money for that service.

This whole fingerprinting debacle is part of the ad-support web assumption,
and the assumption that websites can be entirely ad supported is false outside
of exceptional circumstance and certainly highly limiting and concerning for
free speech - expecting a business to be ad supported, that's pretty much an
impossible dream, we're living in a bubble where advertisers and marketers
continue to sell lies about the ratios of converting views to actual sales.

~~~
yding
Like many things in life, the fight between good actors and bad actors online
is a state of dynamic equilibrium.

Everybody loses money to fraud, but as long as they invest enough money and
resources they can keep those fraud losses to an acceptable level. Because
criminals are infinitely creative, the problem will never be "solved." There
will always be new moves and new countermoves.

Total security is an illusion. Everyone who's worth hacking or worth
defrauding will get hacked or defrauded sooner or later. The people who have
made the necessary investments are able to contain the damage. The other
ones, or the really unlucky ones, end up dying off.

~~~
munk-a
Total security is possible but unrealistic. In our modern world we have
_terrible_ baseline security, we can do better with some trivial adjustments
that the market is countering with a strong disincentive because we as a
society haven't placed a clear value on security (outside EU where GDPR has
flaws but is an attempt to reward good actors).

This is essentially equivalent to a tragedy of the commons mixed in with a
race to the bottom - companies are currently _penalized_ for practicing good
security, they are voluntarily accepting lower profit margins in exchange for
something nobody cares about, they're also losing access to some supplemental
revenue through reselling customer data. If we add decent incentives and make
it economical to follow a "good" path we can increase our baseline of
security, hacks will always happen but we can minimize the costs of those
hacks and their frequency with best practices.

Heck - my standard line with companies w.r.t. PII is that "Your proposal is
essentially to collect everyone's alarm code into your safe, your safe has
gone from something nobody is interested in to something that, if compromised,
could lead to a bunch of people being burglarized." the issue is that over-
collecting PII and then, shucks, losing it in that completely unavoidable
security compromise, doesn't lead to appreciable punishment for the company -
in the real world it sure does (if your locksmith copies your key an extra
time then gets burglarized and the burglar uses that extra key to burgle your
house the locksmith is absolutely liable and may be found to be a
conspirator). It's anomalous that these two worlds are in contrast.

All that said, I absolutely agree that it's a balance and there aren't super
simple answers here, but it's important to reject the thought that being as
vulnerable as most businesses are is acceptable.

------
RiOuseR
Got a confirmation code via sms the other day to confirm the set up of my
account... that I never signed up.

Either a bot is making accounts, or Tik Tok got a list of phone numbers and is
making accounts for people.

~~~
hamhand
After seeing all those sketchy or even fraudulent mobile ads by TikTok's
company, I won't be surprised if that's a bait.

But pretty much everybody does it in China, Baidu etc, like "Your phone has 8GB
of garbage, download us to clean it", "Download us to boost your signal by 4
times immediately", "This cutie just sent you a message, download us to
respond", basically anything to make you download their apps, and only
political problems go punished.

------
duxup
Interesting although I'm having trouble unpacking GDPR discussion from what
the app actually does on a granular level and what that could mean for
privacy. GDPR is not exactly how I think of those things.

------
tcd
As more time passes I begin to fundamentally believe the modern Internet isn't
compatible with the GDPR or privacy as a whole.

Simply the act of enabling JS within the browser is enough to have your
privacy violated in thousands of different ways and data sucked up by everyone
who wants it.

Simply by installing an app on your smart phone you invite SDK's that are
happy to report back all the information the OS freely allows access to
because why not? Data storage is cheap and collecting that data is free of
charge.

But yes, data about children is collected in the millions, and the truth is
there is no possible law that can prevent this from happening because it will
happen anyway. One example: If FB detects a baby photo you upload, should it
be deleted? I mean that baby cannot possibly consent, and you'd have thought
the GDPR or some law meant uploading baby photos is _impossible_ , but that's
not the case, FB/Google WILL perform facial recognition on that baby.

Your data will be processed, used, sold and manipulated for as long as you
generate it.

The GDPR helps, a little, in some ways, but it's really had very very little
effect overall (apart from some damn annoying "we respect your privacy" pop-ups
on websites).

If the GDPR was serious, it wouldn't be possible to collect this data _at the
OS level_ , like, at all, JS would return nothing, Android apps would return
nothing (or fake data, at least).

But the GDPR is not serious, at least in some ways.

~~~
Wowfunhappy
> The GDPR helps, a little, in some ways, but it's really had very very little
> effect overall (apart from some damn annoying "we respect your privacy" pop-ups
> on websites).

That's because—as far as I can tell—the EU has not become serious about
enforcing the law. At least not yet.

It is absolutely possible to pass a law that says "you can't track people",
and that's what the GDPR does. It has a semi-loophole for people who
explicitly provide knowing consent to be tracked, but there are several big
caveats—it must be opt in, you can't trick people into opting in, and you can't
punish people who don't opt in. (And really, after all of those caveats, what
percentage of your userbase will agree to be tracked?)

Unless there's some aspect of GDPR which I don't understand—and please educate
me if there is!—95% of the "cookie notices" currently on the web are obvious
GDPR violations.

~~~
jandrese
Are cookies violating if they don't leave the website? It doesn't seem to be a
problem as long as the cookie is only used within the context of your site.
It's when they're used on other websites that the tracking capabilities exceed
what you can otherwise glean from the server logs.

Plus, they're kind of important for sites that provide logins, or have
shopping carts, or a variety of other legitimate uses for cookies.

~~~
Wowfunhappy
Cookies aren't inherently against GDPR if they're used explicitly for
necessary site functionality—you don't even need to tell users about them in
that case.

What's not allowed is user tracking.

~~~
sjy
So why display the cookie warning? I assume it’s an attempt to obtain
“consent” to something that would otherwise be prohibited by the GDPR, and in
relation to consent the GDPR says:

“Consent should not be regarded as freely given if the data subject has no
genuine or free choice or is unable to refuse or withdraw consent without
detriment ... Consent is presumed not to be freely given if it does not allow
separate consent to be given to different personal data processing operations
despite it being appropriate in the individual case, or if the performance of
a contract, including the provision of a service, is dependent on the consent
despite such consent not being necessary for such performance.”

I agree with the grandparent that many cookie warnings seem at odds with the
GDPR in this respect.

------
wufufufu
I've always assumed I have zero privacy on all social media apps. I am more
worried that if the next few major social media apps are all Chinese, then the
Communist Party of China will control what the world sees and believes.

~~~
teknologist
They seem to only be able to do this by copying existing platforms that were
successful. TikTok is essentially a carbon copy of the discontinued app Vine.
I cannot imagine that the pool of discontinued apps that otherwise would be
runaway successes is large.

------
JimmyRuska
GDPR allows you to capture logs as long as there's some reasonable business
case explanation. Security is the easiest because you can easily say all identity
tracking is for catching fraud, bots or hackers. The explanation can always be
hand-wavy and legislation is not specific on the details.

------
cubbic
Even without any analysis it's quite clear what a company based in Beijing who
censors everything on the party's whim is doing, though reading about the
methods of fingerprinting was quite fun.

~~~
dragonelite
Aren't they censoring all political content, not only the china based
political content? At least that is what i was told/remembered not sure which
source it was.

~~~
bduerst
This is true, though they aren't doing a very good job of it. There's a ton of
trending content under political # that get popular and left alone.

------
Razengan
I wonder if Facebook and Google are pushing all these articles about/against
Tiktok because it’s a threat to them.

~~~
chki
And I wonder whether comments like yours are spread by the Chinese Government
to undermine trust in our media/democracy.

~~~
Razengan
If I could prove I'm not associated with China in any way, and in fact don't
like what they do, could it be proved that the wave of Tiktok-related posts
has nothing to do with Facebook/Google?

~~~
chki
I'm 99% sure that you are not affiliated with the Chinese Government. I just
wanted to show that accusations like these are not really helpful. It's not
the responsibility of Google/Facebook to prove that they aren't sponsoring bad
faith anti-TikTok articles. It's your responsibility as a commentator to show
at least some proof (beside a convincing motive). I think the bar for that
proof should be rather low, but there needs to be something. Otherwise we are
switching from a commenting system based on reason to a commenting system
based on feelings/opinions.

------
billfruit
"Personal Identifying Information (PII) is transferred to a server that is
under control of a company in an unsecure non-European country. The server
location doesn’t count, it is about where the company deciding about the data
resides."

I find it problematic that such a restriction is in place. What if PII was sent
to a European company, is that a problem? What if the ownership of the company
changes?

These kinds of data localization requirements go against the concept of an open
internet.

~~~
bagacrap
I assume this law effectively bars certain mergers or acquisitions as illegal.

------
samstave
I posted the following to /r/ but it was removed... (hmmm)

There was a statement that was made that China has been seeking to build the
largest face recognition db... (obv FB has that embedded not only in their
name, but their userbase -- and what China wants to do is compete with FB on
this front for their own means...)

---

TikTok is a face recognition harvesting platform WITH sentiment!

Hear me out.

So TikTok is literally focused (on multiple levels) on the user's face being in
a very contrived space and detail - it's largely wide with younger ppl...
however

IT ALREADY HAS 50% of the FB population:

[https://www.oberlo.com/blog/tiktok-statistics](https://www.oberlo.com/blog/tiktok-statistics)

[https://futurism.com/the-byte/tiktok-facial-recognition](https://futurism.com/the-byte/tiktok-facial-recognition)

'500 MM users'

in less than a 3rd of the time....

TikTok vs FB combined is the new Digital Cold War.

--

I have recently disabled my phone. But obv - I post to HN and .r. and I will
not be able to off-grid without significant effort.

Conclusion: Privacy is not only dead, it has both necromancers and
necrophiliacs fucking you in the shadows forever without recourse.

