Uninstall ToTok, the Government Surveillance Tool Posing as a Chat App: Report

While, yes, your messaging apps are indeed spying on you, to argue that they were developed specifically for that purpose might seem like a stretch. But life is stranger than fiction in the year of our lord 2019, and now you can thank ToTok for making your worst dystopian surveillance state nightmares come true.

(That’s ToTok, by the way. Not to be confused with TikTok, the viral video app that’s already knee-deep in its own mess when it comes to user privacy concerns.)

What millions of users thought was a free chat app is believed to be a surveillance tool that leaks data to government officials in the United Arab Emirates, U.S. intelligence officials told the New York Times Sunday. Apple and Google have since removed ToTok from their respective stores, but it’ll continue to keep spying away if you already have it on your phone. So TLDR: Delete ToTok.

Per the report, the UAE government used ToTok to learn location data (which was required to access information on the weather), voice and text conversations, and online social connections of its users. Most of the app’s user base lives in the UAE, though it’d been gaining popularity worldwide and recently cracked the charts in America. Just in November, it racked up more than half a million downloads.

But while ToTok advertised itself as a “fast and secure calling and messaging app,” its privacy policy never actually promises end-to-end encryption, only referencing data storage: “Messages: all data is stored heavily encrypted so that local ToTok engineers or physical intruders cannot get access.”

One particularly strong selling point it touted among UAE users was that, unlike more ubiquitous chat apps like Skype and WhatsApp, ToTok didn’t require a VPN and could circumvent restrictions put in place by the Emirati government, thus allowing (seemingly) no-strings-attached video chatting and messaging with anyone anywhere in the world so long as they also had an internet connection.

And ToTok’s developer, Breej Holding, is apparently similarly shady. They’re a proverbial ghost on the internet, per the Times report, and likely a front for the cyber intelligence agency DarkMatter. The company has a history of contracting with the Emirati government and employing ex-intelligence agents and has already attracted scrutiny from U.S. intelligence officials for purported hacking crimes. The software itself—basically a copy and paste job of the Chinese app YeeCall—is also linked to a data-mining company with ties to DarkMatter that shared a building with the UAE’s intelligence agency for a bit.

Right about now, you should be feeling a cold, inexplicable chill up your spine and a sudden impulse to be more careful with your private information. Because ToTok isn’t secretly scraping your data, and it didn’t need to use viral deepfake challenges to access an unsettling amount of personal information. It doesn’t have to. To access every bit of its users’ online identity, ToTok asked for all the same permissions you’d expect of a social media app on your phone, and hoped people didn’t look too closely at its privacy policy.