With its short viral videos, catchy songs, and popular dances, TikTok has become one of the world’s fastest-growing social media platforms. TikTok reached 1.5 billion users in 2023, a 16% increase on the previous year, making it a dominant force in social media.
However, TikTok’s rapid growth and its ownership by the Chinese company ByteDance have raised concerns about national security risks and data privacy. Some fear that TikTok could be compelled by China to hand over sensitive user data or censor certain content. There are also worries that users’ personal information may not be sufficiently protected from hackers or reused in worrying ways without their consent. These concerns have sparked discussions around whether TikTok’s data collection practices and security controls are as stringent as major US platforms, and if further oversight or regulation is necessary.
What kind of data does TikTok collect?
TikTok collects a large amount of data from its users, including user data like name, age, phone number, email address, and location (https://dot.la/what-data-does-tiktok-collect-2657689460.html, https://pirg.org/articles/demystifying-tiktok-data/). This allows the app to build detailed user profiles.
TikTok also gathers device data such as operating system, IP address, and unique device identifiers that allow tracking across apps and websites (https://www.cnn.com/2023/03/24/tech/tiktok-ban-national-security-hearing/index.html).
The app records extensive activity data including videos watched, searched for, liked, and shared. It tracks user engagement metrics on videos as well as profiles viewed. This data enables TikTok to understand users’ interests and preferences in order to recommend personalized content.
Does TikTok share user data with China?
TikTok is owned by Chinese company ByteDance, which leads to concerns that the Chinese government could access user data. However, TikTok has stated that data from US users is stored on servers in the US and Singapore, not China.
In congressional testimony in 2022, TikTok CEO Shou Zi Chew stated that TikTok has never been asked by the Chinese government for data on US users and would refuse any such request (CNN).
TikTok’s privacy policy states that data from US users is stored in the US and Singapore and not shared with China. However, TikTok acknowledged in 2022 that some US user data may be accessible by ByteDance employees in China under strict controls (Forbes).
While TikTok claims to keep US user data protected, concerns remain about potential access by Chinese authorities given the ownership of ByteDance and China’s data security laws.
TikTok’s data security practices
TikTok states that it stores U.S. user data on servers in the United States and Singapore. The company says it employs physical and logical access controls to limit employee access to TikTok user data based on region, job function, and need.
According to TikTok’s privacy policy, certain elements of user data are encrypted using industry standard algorithms while in transit and at rest. The encryption keys are stored in TikTok’s key management system with limited employee access. TikTok states that the content of users’ private messages is also encrypted.
While TikTok is owned by Chinese company ByteDance, the company claims that “China-based employees can only access a low-security network that does not include U.S. user data.” TikTok’s U.S. security team oversees authorization protocols to access U.S. user data. However, concerns remain over potential data access by Chinese authorities due to local laws.
Third-party analytics and advertising
TikTok uses third-party services like Google Analytics to collect data on user behavior, such as how long users spend on the app and what content they engage with (source 1). This allows TikTok to analyze usage patterns and improve the user experience. However, it also means user data is shared with third parties like Google.
Much of the data collection by TikTok is for the purposes of targeted advertising. User information like age, gender, interests, watch history, and location can be used to serve users highly customized ads. TikTok’s privacy policy states that they share non-personally identifiable information with advertisers and partners to “deliver, analyze, and improve advertising” (source 2). While the user’s identity may be anonymized, the detailed profiles built from their usage still allow for precise ad targeting.
The extensive data collection for advertising is concerning to privacy advocates. Users have little visibility into what is tracked and shared from their normal use of TikTok. The company has access to detailed insights about individuals’ interests and habits through their analytics and advertising partnerships.
Past security vulnerabilities
TikTok has experienced some security weaknesses that exposed user data in the past. According to a report from cybersecurity firm ISS, researchers discovered multiple vulnerabilities that allowed attackers to manipulate user data and reveal personal information.
One of the most serious vulnerabilities involved TikTok’s API. ISS found that they could intercept API calls and inject malicious JavaScript code to pull user profile information, including usernames, birthdays, and profile pictures. By exploiting this flaw, attackers could gather data on TikTok users and misuse it for identity theft or other cyber attacks. TikTok patched this API vulnerability after being alerted by ISS.
Another research report by Check Point revealed vulnerabilities that allowed hackers to retrieve personal information from TikTok user accounts, including private emails and birthdays. These flaws stemmed from insufficient data encryption and access control issues. After Check Point privately disclosed the vulnerabilities, TikTok resolved them to prevent further data leaks.
While TikTok fixed these weaknesses after they were uncovered, the incidents highlighted the platform’s past security gaps. However, TikTok claims it has strengthened its defenses and undergoes regular cybersecurity auditing to identify and address emerging risks.
Actions by governments
Two of the most high-profile government actions involving TikTok have been in India and the United States.
In June 2020, the Indian government banned TikTok and dozens of other Chinese apps over data security concerns. According to Reuters, India’s Ministry of Electronics and Information Technology said the apps were “stealing and surreptitiously transmitting users’ data.”
In the United States, policymakers have also considered banning TikTok over fears that data could be obtained by the Chinese government. According to BBC News, a potential TikTok ban was proposed in 2020 under the Trump administration but never implemented. More recently, in December 2022, Congress banned TikTok from most U.S. government-issued devices as part of a spending bill.
While a full ban has not occurred, the actions demonstrate ongoing data security concerns surrounding TikTok by major world governments.
Lawsuits and investigations
TikTok has faced several lawsuits and government investigations related to its data practices. In 2019, TikTok settled a lawsuit with the U.S. Federal Trade Commission over allegations that the app illegally collected personal information from children under 13 without parental consent. TikTok was fined $5.7 million for violating the Children’s Online Privacy Protection Act (source).
In 2020, TikTok users in Illinois filed a class action lawsuit alleging the app’s unauthorized collection and use of their biometric data violated state law. In 2021, TikTok settled the case for $92 million (source). However, TikTok still faces ongoing government investigations related to national security concerns over its data practices. Multiple U.S. agencies, including the FBI and FTC, are examining whether TikTok poses risks by potentially sharing U.S. user data with the Chinese government (source).
Best practices for users
There are several steps TikTok users can take to protect their privacy and security on the platform:
First, limit the amount of personal information shared in your profile and videos. Don’t reveal private details like your full name, address, phone number, or other sensitive information (TikTok still irresistible? 5 steps to ratchet up your family’s privacy).
Also adjust your privacy settings by making your account private and limiting who can see your videos and interact with you. Enable the “Restricted Mode” under account settings to limit mature or inappropriate content (Privacy and Security | TikTok).
Finally, be vigilant against potential scams and fake links that may appear in TikTok comments or messages. Do not click suspicious links or provide any login or financial information.
Conclusion
Based on our analysis, TikTok does collect a substantial amount of user data, including location information, browsing history, and device identifiers. However, it remains unclear exactly how much of this data is accessed by ByteDance, TikTok’s parent company in China, versus remaining within TikTok and being used for analytics and advertising purposes.
While TikTok claims that Chinese regulators do not have access to TikTok’s data on US users, there are still concerns about potential vulnerabilities, security loopholes, or undisclosed data sharing agreements that could expose user information to the Chinese government. Several governments have banned or restricted TikTok out of data privacy concerns.
There is also uncertainty around whether TikTok’s practices fully comply with privacy laws like GDPR and COPPA when handling data from European and teenage users. Ongoing lawsuits and investigations may reveal more about how carefully TikTok guards user data.
Users concerned about privacy may want to avoid sharing sensitive information on the platform and adjust TikTok privacy settings to limit data collection. Given the remaining uncertainties, a cautious approach to sharing personal data on TikTok is recommended until more details emerge.