The Chinese group that owns the TikTok mobile application reacted on Thursday to the state’s intention to ban the use of the application in public institutions and authorities in Romania, accusing the SRI of using inaccurate information. The company claims it is false that it collects data such as keystrokes, device IMEI, SIM serial number or GPS location, but the app’s terms of use say otherwise.

TikTok logo. Photo: Justlight, Dreamstime.com

TikTok claims the information is inaccurate: data is securely stored in the US, Singapore and Malaysia

According to a statement provided to HotNews.ro via The Practice, a PR agency that works with TikTok in Romania, a company official claimed that the recommendation to ban the app from public institutions due to cybersecurity risks relies on inaccurate information.

  • “We are disappointed by this recommendation, which appears to be based on inaccurate information about our platform and what data we do or do not collect. Independent security experts have repeatedly concluded that we collect no more data than other conventional applications.
  • Both the information users choose to provide to us and the information that helps the app work are collected to help us operate securely and improve the user experience.
  • Our users’ data is securely stored in the US, Singapore and Malaysia, and we are opening new data centers in Europe.
  • We are committed to being transparent about our practices and detailing what data we collect and how we use it.
  • In addition, we have already spoken to the relevant authorities to provide them with the necessary information and we are still open to discussions to clarify any concerns,” said an unnamed TikTok representative.

What data does TikTok say it won’t collect, according to SRI

In addition, the company claims that “most of the points mentioned in the report (not the SRI technical report) are already transparently disclosed by TikTok in its privacy policy, privacy and security center and quarterly transparency reports and do not differ from industry practice.”

  • “Some of the information in the report describing the data that TikTok allegedly collects (such as keystrokes, device IMEI, SIM serial number or GPS location) is not true, as we have explained in a few lines in the past,” according to the official representative of TikTok.

However, approximate GPS location and keystrokes are collected. How TikTok responds

HotNews.ro checked what personal data TikTok claims it does not collect and noted that the privacy policy says it collects both keystroke information and the GPS-based approximate location of the mobile phone running the app. It states:

  • “We collect certain information about your device and network connection when you access the Platform. This information includes the device model, operating system, keystroke patterns or rhythms, IP address and language of your system. (..)
  • We automatically collect information about your approximate location (such as country, state or city) based on your technical information (such as your SIM card and IP address).
  • In addition, if you enable location services for TikTok in your device settings, we will collect approximate location information from your device,” TikTok’s privacy policy says.

According to the information presented in the Google Play Store, TikTok makes the following statements:

  • Approximate location (as collected by TikTok) is the physical location of you or your device in an area greater than or equal to three square kilometers, such as the city in which you are located.
  • Exact location is the physical location of you or your device within an area of less than three square kilometers.

After HotNews.ro pointed out that this data collection is stated directly in the application’s terms of use, TikTok representatives returned with new clarifications:

About GPS data collection:

  • “The TikTok app does not collect precise location information, whether based on GPS technology or otherwise.
  • TikTok collects approximate location data based on device or network information, such as SIM cards or IP addresses. The TikTok app does not collect precise information about the location of users in the US, UK, EEA and Switzerland, whether based on GPS technology or otherwise.
  • In regions where Location Services are available, users can enable Location Services for TikTok in their device settings to allow TikTok to collect approximate location information from the device using GPS location information,” TikTok representatives told HotNews.ro.

About keystroke data collection:

  • “As we have already clarified, TikTok does not keep a log of keystrokes. TikTok uses keystroke information to detect unusual patterns or rhythms, such as if each letter you type is pressed exactly 1 key per second. This helps protect against fake logins, spam comments, or other behavior that could threaten the integrity of our platform.
  • Keystroke pattern recognition is a well-known network and system security technology used to protect systems and data by evaluating the speed and rhythm of keystrokes to identify malicious entities (such as bots) without capturing the content of input.
  • Keystroke logging is another technology used to record content written by a person, and TikTok does not record that,” TikTok representatives also told HotNews.ro.
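The distinction drawn in the statement above, between analysing typing rhythm and logging typed content, is illustrated by the following added example (not TikTok’s code and not part of the original article): it classifies input using only key-event timestamps, so no typed characters are ever available to it. The thresholds and sample timings are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

MIN_INTERVALS = 8        # assumption: fewer samples are too noisy to judge
CV_THRESHOLD = 0.05      # assumption: human typing varies far more than 5%
MIN_HUMAN_GAP_MS = 20.0  # assumption: sustained sub-20 ms gaps are not manual typing


def intervals(timestamps_ms):
    """Gaps between consecutive key events; only times are used, never key values."""
    ordered = sorted(timestamps_ms)
    return [b - a for a, b in zip(ordered, ordered[1:])]


def rhythm_features(timestamps_ms):
    """Mean, standard deviation and coefficient of variation of the gaps."""
    gaps = intervals(timestamps_ms)
    if len(gaps) < MIN_INTERVALS:
        return None  # not enough evidence either way
    avg = mean(gaps)
    spread = pstdev(gaps)
    cv = spread / avg if avg > 0 else 0.0
    return {"mean_ms": avg, "stdev_ms": spread, "cv": cv}


def classify(timestamps_ms):
    feats = rhythm_features(timestamps_ms)
    if feats is None:
        return "insufficient-data"
    if feats["mean_ms"] < MIN_HUMAN_GAP_MS:
        return "automated"   # injected far faster than anyone types
    if feats["cv"] < CV_THRESHOLD:
        return "automated"   # metronome-like, e.g. exactly one key per second
    return "human-like"


# Constructed samples: milliseconds since the input field gained focus.
METRONOME = [i * 1000 for i in range(12)]
BURST = [i * 2 for i in range(12)]
HUMAN = [0, 140, 310, 395, 620, 700, 905, 1010, 1290, 1370, 1555, 1800]
SHORT = [0, 150, 320]

if __name__ == "__main__":
    for name, sample in [("metronome", METRONOME), ("burst", BURST),
                         ("human", HUMAN), ("short", SHORT)]:
        print(name, classify(sample), rhythm_features(sample))
```

A keystroke logger, by contrast, would need the key values themselves; whether an app stops at timing data can only be established by inspecting what its input handlers actually record and transmit.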

SRI has identified cyber security risks in the TikTok application / Recommendation to ban the application in government institutions

Minister of Digitalization Sebastian Burduja announced on Wednesday that the Cyberint Center of the Romanian Intelligence Service (SRI) tested the TikTok app and found that it can provide access to the user’s personal data, the creation of a user profile and access to third-party devices with which the app user interacts in online environments.

During a meeting on Wednesday of the Cyber Security Operational Council (COSC), an advisory body under the strategic coordination of the CSAT, Minister Burduja presented a technical report on the cyber security risks associated with the installation and use of the TikTok app, namely:

  • under the Terms of Use, the program is allowed to collect advertising information directly from its own sites by integrating TikTok Advertising-type utilities such as the TikTok Pixel;
  • the application can collect a large amount of information about the user’s device, including: Wi-Fi SSID, phone model number, SIM serial number, IMEI, SMS reading, device MAC address, phone number, GPS data, details of other connected accounts on the device, full access to the clipboard (which can create cybersecurity risks because a large number of Password Manager applications use the clipboard);
  • the program tracks users even if they have activated the “Do Not Track” option;
  • the application automatically collects data such as device model, operating system, keystroke patterns and rhythms, IP, location, tracked content, search history, email content characteristics, gender profile, age, etc.;
  • the application reserves the right to share data with government bodies;
  • the application collects information about other services and applications that are installed on the device;
  • can remotely debug the application, including launching new processes;
  • executes commands in the Webview (may cause malware files to be downloaded to the device hosting the application);
  • the app has its own built-in browser with JavaScript features and any input can be controlled.

The technical report presented by the Minister of Digitalization was developed by the National Cyber Center of the Romanian Intelligence Service based on data and information from testing the TikTok app.

The COSC decided that each public authority should conduct its own analysis of the risks, vulnerabilities and cyber security threats associated with the installation and use of the TikTok app.

This analysis must be submitted within a week. Until then, the National Cyber Security Directorate (DNSC) will issue a recommendation to central and local government authorities and institutions to remove and ban the TikTok app from service devices.

The Ministry of Digital Affairs also recommended that citizens “take a balanced and careful position regarding the use of the TikTok application, taking into account the cyber security risks associated with its use.

“There is no mention of banning the use of the TikTok application by Romanian citizens on personal devices, but we draw attention to the fact that its use may lead to the application accessing the user’s personal data, creating a user profile and accessing third-party devices with which the user of the application interacts in the cyber environment,” the ministry said.
