
Perhaps there's something nefarious here, or perhaps it's just looking for a Chromecast or Apple TV?


Any discussion of intent is always going to be speculation. All we can think about is what such a thing would be capable of if it were somehow malicious.

The first possibility that comes to my mind would be sniffing Ethernet MAC addresses, because it could be done without any sort of device-specific support built into the app. Assuming your local devices’ manufacturers are following Da Rulez, the first part of their MAC address usually tells you the company, and the second part tends to be individualized/serialized.

That would, for example, let TikTok derive when certain users are together IRL if they both show up scan-adjacent to a unique MAC. Or maybe it could let them derive multiple accounts belonging to a single person if one is used on VPN-only to discuss political or personal topics that person might not want associated with their IRL identity.
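
Added example (not from any commenter in the thread) of what the comment above describes: deriving vendor information from the OUI half of a MAC and linking accounts that reported the same burned-in MAC. The vendor table, account names and scan records are constructed for illustration; real OUI data comes from the IEEE registry, and the randomized-MAC check is the locally-administered bit defined by IEEE 802.

```python
"""Added example (not from the thread): what a LAN-scanning app could infer
from raw MAC addresses alone, with no device-specific support.

OUI_VENDORS is a constructed, hypothetical table; real prefixes come from the
IEEE registry. SAMPLE_SCANS is constructed input standing in for scan uploads.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Hypothetical vendor table (constructed for illustration, not real IEEE data).
OUI_VENDORS = {
    "00:1A:2B": "ExampleCast Inc",      # a streaming stick
    "DC:EE:FF": "Example Phone Co",
    "F0:11:22": "Example Router Ltd",
}


def normalize_mac(mac: str) -> str:
    """Canonical form: six uppercase hex octets joined by colons."""
    digits = "".join(c for c in mac if c not in ":-.").upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set means locally administered, which is what
    randomized Wi-Fi MACs look like: no vendor info, and not stable over time."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0b10)


def vendor(mac: str) -> Optional[str]:
    """Vendor from the OUI (first three octets), if the MAC is a burned-in one."""
    m = normalize_mac(mac)
    if is_locally_administered(m):
        return None
    return OUI_VENDORS.get(m[:8])


def co_located_accounts(scans: Iterable[Tuple[str, List[str]]]) -> Dict[str, Set[str]]:
    """scans: (account_id, MACs seen in one scan). Returns the burned-in MACs that
    more than one account reported, i.e. accounts that shared a LAN at some point."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for account, macs in scans:
        for mac in macs:
            if not is_locally_administered(mac):
                seen[normalize_mac(mac)].add(account)
    return {mac: accts for mac, accts in seen.items() if len(accts) > 1}


# Constructed scan uploads: A and B both saw the same streaming stick.
SAMPLE_SCANS = [
    ("acct_A", ["00-1a-2b-01-02-03", "DC:EE:FF:10:20:30"]),
    ("acct_B", ["00:1a:2b:01:02:03", "02:12:34:56:78:9A"]),  # second MAC is randomized
    ("acct_C", ["F0:11:22:00:00:01"]),
]

if __name__ == "__main__":
    for mac, accts in co_located_accounts(SAMPLE_SCANS).items():
        print(f"{mac} ({vendor(mac)}) seen by {sorted(accts)}")
```

The randomized-MAC filter matters in practice: modern phones present a locally administered address per network, so only infrastructure-type devices (TVs, routers, printers, older laptops) give a stable serialized identifier to key on.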


If I were a state intelligence service I would love TikTok. Especially if it were legally banned in my country, so it was used almost exclusively by foreigners. One better would be if the government had a controlling stake in the company [0] and laws requiring the company to be virtually transparent to demands from state security agencies [1].

Not only does TikTok have a ton of overt data about users but also contemporaneous data like usage patterns and physical location. Then I could use the app to collect and exfiltrate information about all manner of foreign networks. I can pass off that data to my government-run hacking [2] groups [3] as well as regime-favored businesses for some really great market research.

[0] https://finance.yahoo.com/news/bytedance-says-china-unit-hol...

[1] https://en.m.wikipedia.org/wiki/Cybersecurity_Law_of_the_Peo...

[2] https://en.m.wikipedia.org/wiki/PLA_Unit_61398

[3] https://en.m.wikipedia.org/wiki/PLA_Unit_61486


The only actual issue with this setup for citizens of the US is that US citizens like to be the people with access to the data and doing the spying. What you have described, a state intelligence service with access to loads of user data that they happily use for spying, is what the US has normalized. Collecting all this data is par for the course (Snowden exposed that pretty conclusively) and non-US citizens have no rights as far as the US is concerned. Are they (China) doing it? Probably not; it seems like a lot of effort for very little gain. I mean, you find out that I like puppy videos and mostly stay in my house. It's a fun app though :) - also, to the original person's tweet, most of the apps on my iPhone pop this up from time to time, so if we are going to accuse TikTok of spying on me we should be accusing Calm and Insight Timer too (to randomly pick two).


AFAIK Calm and Insight don't have hundreds of millions of users nor is the CCP on their corporate boards. But with explanations provided by the apps as to why they want network device access they probably shouldn't be trusted.

As for the data collection, TikTok/ByteDance is definitely going to store it. They wouldn't collect it otherwise. To the utility of the data, if they've got MAC addresses of devices on your home network they can tell many of the brands of devices you own. They know when you get a new computer even if you never use TikTok on it. If you launch the app at your office they get the same information about your office network. In aggregate their network scanning will collect vast amounts of data.

The TikTok app is turning every user into a passive network scanner. Even if you want to ignore the CCP's influence on ByteDance I don't think there is any reason to give them the benefit of the doubt about their data collection. They'll sell their users and anyone around them. I have the same problem with Facebook and their damn shadow profiles and covert data collection.


My point is that this just appears to be xenophobia and is completely hypocritical. Nearly every app on my phone asks to access the local network. It's a thing. It's not unusual in the slightest. The problem seems to be that this company is based in China. And we don't like China. Maybe that is not what you in particular don't like (I get that you don't like FB) but that is the reason why this is a topic of conversation at all. So in effect what the people in this thread are saying is that American companies (and by direct link the US gov) are allowed to spy on people, but foreign governments should not be allowed. That seems like a huge double standard. For the record, I personally would prefer no governments were spying on me - but that doesn't seem to be on the table.


Nearly every app?! What apps do you actually use? I’ve only ever seen the prompt a few times, and always for pretty obvious reasons (UniFi, Prompt, VLC, etc.)


> The problem seems to be that this company is based in China.

You're misrepresenting the situation because you want to frame the whole issue as some xenophobia on my part. The problem is TikTok is a social network with millions of users whose parent company literally has the CCP as a board member and is subject to China's extremely invasive state security laws (requiring warrantless access to corporate data). The app was already an intelligence gold mine and now they've added a vein of platinum.

The only double standard is contained within the strawman you've created. I have the same problem with Facebook or Twitter apps scanning my local network for no reason than to increase their data harvesting. But since TikTok is the subject of the thread I specifically pointed out problems with TikTok. Facebook and Twitter have their own problems, some of them overlap with problems that exist with TikTok.

Neither I nor anyone else needs to list the myriad problems with every social network when criticizing any one of them. You're trying to use a tu quoque [0] argument claiming xenophobia and hypocrisy (where none exists) in hopes that it distracts from the points being made.

[0] https://en.m.wikipedia.org/wiki/Whataboutism


You can also just take the collection of devices typically on the network, hash the MAC addresses all together, and now you have a unique identifier for a household.


But devices would join and leave the network in a household - especially phones. Maybe you could have a listening period, e.g. a week, where you build a set of witnessed devices and then hash that for a household id?


Hash the MACs and use a Bloom filter, look for overlaps across time/accounts.


I'm overthinking it though. You'd probably get more mileage out of just looking for individual MAC addresses, full stop.
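
Added example (not from any commenter in the thread) putting the last few comments together: a one-week listening period that drops randomized MACs, an order-independent household hash of the witnessed set, a similarity score that survives devices joining and leaving, and a per-account Bloom filter that lets a server probe for overlap without storing raw MACs. The timestamps, MACs and account names are constructed sample data, and MACs are assumed to arrive already normalized (uppercase, colon-separated).

```python
"""Added example (not from the thread): building a household identifier from a
listening period of LAN scans, and storing per-account Bloom filters to probe for
overlap without keeping raw MACs.

Assumes MACs arrive already normalized (uppercase, colon-separated). Randomized
MACs (locally administered bit set) are dropped, since they change and would
make the household hash unstable. All observations below are constructed data.
"""
import hashlib
from typing import Dict, Iterable, List, Set, Tuple

WINDOW_SECONDS = 7 * 24 * 3600  # one-week listening period, as suggested above


def stable_macs(observations: Iterable[Tuple[int, str]], now: int,
                window: int = WINDOW_SECONDS) -> Set[str]:
    """MACs witnessed inside the window, excluding locally administered ones."""
    out = set()
    for ts, mac in observations:
        if now - window <= ts <= now and not int(mac[:2], 16) & 0b10:
            out.add(mac.upper())
    return out


def household_id(macs: Set[str]) -> str:
    """Order-independent digest of the witnessed device set."""
    canon = "\n".join(sorted(macs)).encode()
    return hashlib.sha256(canon).hexdigest()[:16]


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Set similarity; tolerates devices joining and leaving between windows."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


class Bloom:
    """Tiny Bloom filter: k indices sliced from one SHA-256, m bits in an int."""

    def __init__(self, m: int = 1024, k: int = 3):
        self.m, self.k, self.bits = m, k, 0

    def _indices(self, item: str) -> List[int]:
        h = hashlib.sha256(item.encode()).digest()
        return [int.from_bytes(h[4 * i:4 * i + 4], "big") % self.m for i in range(self.k)]

    def add(self, item: str) -> None:
        for i in self._indices(item):
            self.bits |= 1 << i

    def __contains__(self, item: str) -> bool:
        return all((self.bits >> i) & 1 for i in self._indices(item))


def link_by_probe(filters: Dict[str, Bloom], probe_macs: Iterable[str]) -> Set[str]:
    """Accounts whose filter reports at least one probed MAC (no false negatives;
    false positives at the filter's rate, so treat hits as leads, not proof)."""
    probes = list(probe_macs)
    return {acct for acct, bf in filters.items() if any(m in bf for m in probes)}


# Constructed observations (timestamp, MAC) for two accounts over a week.
NOW = 1_700_000_000
TV, ROUTER = "00:1A:2B:01:02:03", "F0:11:22:00:00:01"
OBS_A = [
    (NOW - 100, TV),
    (NOW - 86400, ROUTER),
    (NOW - 3 * 86400, "DC:EE:FF:AA:BB:01"),   # A's laptop
    (NOW - 10 * 86400, "DC:EE:FF:AA:BB:99"),  # old laptop, outside the window
    (NOW - 50, "02:12:34:56:78:9A"),          # randomized guest MAC, dropped
]
OBS_B = [
    (NOW - 200, TV),
    (NOW - 2 * 86400, ROUTER),
    (NOW - 4 * 86400, "DC:EE:FF:AA:BB:02"),   # B's laptop
]


def build_filters() -> Dict[str, Bloom]:
    """One Bloom filter per account over its stable device set."""
    filters = {}
    for acct, obs in (("acct_A", OBS_A), ("acct_B", OBS_B)):
        bf = Bloom()
        for mac in stable_macs(obs, NOW):
            bf.add(mac)
        filters[acct] = bf
    return filters


if __name__ == "__main__":
    a, b = stable_macs(OBS_A, NOW), stable_macs(OBS_B, NOW)
    print(household_id(a), household_id(b), jaccard(a, b))
    print(link_by_probe(build_filters(), [TV]))
```

Note that the two accounts get different household hashes (each has its own laptop) yet a Jaccard score of 0.5 from the shared TV and router, which is why the exact-set hash alone is brittle and a similarity threshold, or the single-MAC approach in the comment above, does the real work.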


Apple is also complicit in making it incredibly hard to execute an MITM proxy to know what your iOS apps are sending back to their servers.

Being able to MITM and see what your apps and OS are sending back is the first step to real privacy.


Can you send packets to the local network if you are using a VPN on your phone? Sounds like a VPN bug to me.


Of course you can. Look up VPN routing / split tunneling. It’s not uncommon for corporate VPNs to only route intranet traffic for instance; and LAN is usually whitelisted.


Besides corporate VPNs, typical consumer VPNs are also set up to allow LAN access. Your average Joe Schmoe would be annoyed if their network printer stopped working every time they turned on their VPN to watch Netflix movies or whatever.


IPSEC VPNs (and others) have the remote networks defined in the protocol as part of the security association (SA). The SAs define which networks are available over the tunnel.

Saying "all RFC1918 addresses are available over here" is quite a cocky and obviously broken thing to do, unless you're dealing with a corporate device which is paranoid about leaking traffic to other networks.


Yes, "LAN is usually whitelisted" in my comment is independent from the corporate split tunneling example.
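
Added example (not from any commenter in the thread) of the routing behind the last few comments: a longest-prefix-match resolver run over three constructed route tables, the consumer "everything via tunnel except the local subnet" setup, the corporate "only the intranet via tunnel" split, and the "all RFC1918 via tunnel" setup that makes the home printer unreachable. Interface names and prefixes are assumptions for illustration, not any VPN product's real configuration.

```python
"""Added example (not from the thread): how split tunnelling and a LAN bypass
decide whether a phone can still reach local devices while a VPN is up.

Route tables below are constructed illustrations of three common setups, not
any specific VPN product's configuration. Interface names tun0/wlan0 and the
192.168.1.0/24 home subnet are assumptions.
"""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]  # (destination CIDR, egress interface)

# Consumer VPN: everything through the tunnel, except the local subnet.
FULL_TUNNEL_LAN_BYPASS: List[Route] = [
    ("0.0.0.0/0", "tun0"),
    ("192.168.1.0/24", "wlan0"),
]

# Corporate split tunnel: only the intranet goes through the tunnel.
CORPORATE_SPLIT: List[Route] = [
    ("0.0.0.0/0", "wlan0"),
    ("10.0.0.0/8", "tun0"),
]

# "All RFC1918 over the tunnel": the home LAN is swallowed by the
# 192.168.0.0/16 route, so the printer disappears while the VPN is up.
ALL_RFC1918_VIA_TUNNEL: List[Route] = [
    ("0.0.0.0/0", "wlan0"),
    ("10.0.0.0/8", "tun0"),
    ("172.16.0.0/12", "tun0"),
    ("192.168.0.0/16", "tun0"),
]


def resolve(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match, the same rule a kernel FIB applies (and the same
    effect an IPsec SA's traffic selectors have): most specific prefix wins."""
    ip = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def lan_reachable(routes: List[Route], lan_host: str,
                  physical_iface: str = "wlan0") -> bool:
    """A LAN host is reachable only if its packets leave via the physical NIC;
    anything sent into the tunnel ends up on the VPN server's side instead."""
    return resolve(routes, lan_host) == physical_iface


if __name__ == "__main__":
    for name, routes in [("consumer", FULL_TUNNEL_LAN_BYPASS),
                         ("corporate", CORPORATE_SPLIT),
                         ("all-rfc1918", ALL_RFC1918_VIA_TUNNEL)]:
        print(name,
              "| printer 192.168.1.20 ->", resolve(routes, "192.168.1.20"),
              "| intranet 10.2.3.4 ->", resolve(routes, "10.2.3.4"),
              "| internet 1.1.1.1 ->", resolve(routes, "1.1.1.1"))
```

The point for the original question: in the first two tables an app's packets to 192.168.1.x never enter the tunnel at all, so a LAN scan works exactly as it would with the VPN off; only the third table blocks it, and it does so for the printer too.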


You no more need Bluetooth permissions to use AirPlay than you do for AirPods, because the OS is deciding the output device per the user’s instructions[1].

Also: TikTok doesn’t support AirPlay or Chromecast.

[1] Per the user’s instructions on a good day at least.


Trusting companies not to abuse the simple explanation of Chromecast is dead in the water, though. Why on earth would you trust a company _not_ to abuse that?


I don't see chromecast or apple tv called out as a capability, and I'm not installing it to find out. I also don't really see the LAN access reasons there either. https://apps.apple.com/us/app/tiktok/id835599320

https://play.google.com/store/apps/details?id=com.ss.android...

Based on the things they do call out as permissions this app is scary.


I saw the same message yesterday from Spotify when I tried to use Chromecast. At least it prompted me for the permissions when I took that action, so it was clear why.


Which is usually the only time it appears - when I specifically request the app to do something which requires scanning for local devices.

TikTok doesn’t support Chromecast (I think).


Assuming this is iOS doesn't the native screen sharing capability handle that?


Not chromecast.

My charitable guess is they're adding support for Chromecasting behind feature flags/AB testing, but don't yet have it correctly enabled/disabled. There was a lot of uproar over Instagram immediately using the microphone/camera constantly, when they actually just always had the API initialized to make swiping to the camera snappier.


That could also explain why they didn't bother to provide in the notification to the user why they're requesting this access: because they weren't intending to request it (yet).

I find the conspiracy theories more compelling, but less likely.


When an app tells you it’s stealing your data, I would say you should believe it.


If this just started popping up and without an explanation string, my guess is they included some 3rd party SDK that is doing fingerprinting on the local LAN, much like FB SDKs used to do.


Yeah, although I can't think of an immediate use-case considering TikTok doesn't support streaming to Chromecast or Apple TV.


If it only connects to multimedia devices, and if my OS lets me know that TikTok is using my multimedia devices, then I'd be OK with it, but I don't TikTok. Like MicroSnitch, which warns you when a mic/camera becomes active (macOS only).


TikTok doesn't have either feature. At least I don't see an obvious way to connect.


It would be a little too obvious if this were done for nefarious reasons by TikTok developers themselves.



