A billion here, a billion there, and pretty soon you're talking real money.
The above screenshot is from a time-series database left exposed by ByteDance, the company that owns TikTok, also known as Douyin in China. There are some interesting schemas here, but the most significant one is simply called "device-info" and has 752,864,303 records for a total size of 166.8 GB.
Below is a screenshot of the data that the "device-info" index holds. We specifically queried for US data, which returns a pretty hefty 32,654,217 records. If you were to search for Germany, there would be at least 60,000 records. That is a floor, though; maybe it was 3,000,000. Or perhaps that was France. As the above quote indicates, the numbers really run together after a while.
The data here is pretty basic, and a couple of things make it sensitive. At a low level, you could argue that the user's phone, model, and exact screen size allow some level of association and targeting. Certainly they make hacking easier, because the attacker knows in advance what platform is being targeted. The MAC addresses, which we don't capture here, certainly would do that; however, most manufacturers are randomizing those today for privacy. The IMSI, or International Mobile Subscriber Identity number, was developed originally as a sort of way to identify users with SIM cards on 3G networks. Additionally, because it could be used to track phones across borders, it was thought in the beginning to be a solution for cutting down on phone thefts. However, because surveillance started to emerge as the major issue of this decade, the benefits were thought to be much smaller than the consequences of globally tracking someone.
The IDFA field stands for "Identifier for Advertisers" and is a random device identifier assigned by Apple to a user's device. Advertisers use this to track data. We do not have time to go into it, but it is quite significant, and it will be interesting to see Apple's response.
In short, this data is extensive, it is meant to be private, and many people have tried to contact the company about this, as well as other issues we know of, to no avail. And there has been no response. This would be shocking to me except for the fact that Facebook has not responded to my requests regarding vulnerabilities either. Perhaps it is just all social media companies that are like this. If that is the case, they should know that the legal power of the state only flows from the social contract in society, and they have broken it many, many times. Anything their lawyers are telling them isn't true, and judges are very open to being persuaded, at certain times, by popular demand. It is likely some, even at American companies, will go to prison.