With over 1 billion monthly active users, TikTok has become one of the most popular social media platforms in the world. However, concerns around data privacy and security have followed its meteoric rise. Recent reports indicate that the Chinese government may be able to access sensitive user data through TikTok’s parent company, ByteDance. This has raised alarm bells in the U.S. government, with some officials calling for a nationwide ban of the app.
But how much of a threat does TikTok really pose? Does the fun, lighthearted app secretly harvest vast amounts of personal data? Or are the security fears overblown?
This article examines the data TikTok collects, its privacy policies, evidence of data misuse, and steps users can take to protect their information. With TikTok under intense scrutiny, users deserve to understand the risks and make informed choices about using the platform.
What Data Does TikTok Collect?
According to its privacy policy, TikTok collects a wide range of user data, including:
- User content like videos, images, and audio
- Device information like OS version, mobile network, and device settings
- User activity information like how users interact with content, ads, and search queries
- Location data if location services are enabled
- User information like username, bio, profile image, and social connections
- Payment information for purchases on TikTok
TikTok also collects some data automatically from user devices even if users don’t post or share anything. This includes IP address, device IDs, cookies, and more. Some researchers have also found TikTok collecting data from external websites through tracking pixels.
TikTok’s Data Policies
TikTok’s privacy policy states that they collect different types of data from users including:
- Registration data such as age, username, password, email address, phone number, and profile photo
- User content such as videos, comments, messages, and information users add to their profile
- Device data and log data such as IP address, browser type, operating system, unique device identifiers, and activity data such as liking videos and following users
- Location data if users opt-in to sharing their location
- Cookie data and similar technologies that uniquely identify users’ browsers and devices
Per TikTok’s January 2023 privacy policy, they state they may share user data with third parties for purposes such as advertising, security, legal compliance, and operating their services globally. However, they claim not to sell or share personally identifiable user data with third parties https://www.tiktok.com/legal/privacy-policy-row.
TikTok’s policy says they store and process user data in the U.S. and other countries, including China. They state compliance with GDPR for EU users and CCPA for California users. Users can request data deletion or correction.
Concerns Around TikTok’s China Ownership
One of the biggest concerns around TikTok is the fact that its parent company, ByteDance, is based in China. ByteDance purchased Musical.ly in 2017 and merged it into TikTok in 2018. This means user data that was previously with Musical.ly is now controlled by a Chinese company.
Under China’s national intelligence laws, companies are required to hand over any data that the government deems a threat to national security or the interests of the Chinese Communist Party. There is fear that TikTok user data could be easily accessed and exploited by the Chinese government through ByteDance [1].
Specifically, critics argue China could use TikTok’s data for surveillance of foreign citizens, monitoring of dissidents, censorship, manipulating public opinion, intellectual property theft, and espionage [2]. The type of data collected by TikTok is quite extensive, including user locations, messages, contacts, interests, browsing data, and more.
While there is no direct evidence of mass data exploitation by China thus far, the potential access and lack of oversight has raised alarms. TikTok denies that the Chinese government has any involvement or access to user data, but experts argue the legal and political power structure in China makes user data vulnerability inherent.
Evidence of Data Misuse
There have been a few incidents that point to potential misuse of TikTok user data. In 2022, TikTok was fined nearly $6 million by the U.S. Federal Trade Commission for illegally collecting personal information from children under age 13 without parental consent. The app had marketed itself as appropriate for ages 12 and up, but still knowingly collected children’s data in violation of the Children’s Online Privacy Protection Act.
In January 2023, TikTok was fined $15.9 million by UK regulators for failing to protect children’s privacy on the app in several ways, including not providing parental controls and exposing underage users to inappropriate content. While not proven data misuse, it demonstrated vulnerabilities in TikTok’s approach to young users’ data.
Most concerns around TikTok data use stem from its ownership by the Chinese company ByteDance and the possibility of data sharing with the Chinese government. However, there is no publicly available evidence thus far that TikTok has provided Chinese authorities access to international user data.
How TikTok Data Could Be Used
While no evidence has emerged of TikTok data being exploited, experts have raised concerns about how the data could potentially be misused:
Targeted advertising – Like other social media platforms, TikTok could use its trove of user data to build detailed profiles and serve hyper-targeted ads. This raises privacy concerns, especially for younger users.
Surveillance – TikTok’s ownership by a Chinese company raises fears that data could be accessed by the Chinese government for surveillance purposes. Experts warn user data could be used to identify and monitor dissidents or critics of China.
Political influence – The platform’s powerful algorithm and detailed user data could allow it to surface certain content and shape narratives to benefit particular parties, viewpoints or political agendas.
Manipulation – Granular insight into users’ interests and habits empowers the platform to drive engagement and usage. Critics argue this could lead to overuse or even addiction.
While speculative, these hypothetical risks highlight why TikTok’s data practices warrant scrutiny. However, no evidence indicates such exploitation has occurred to date.
TikTok’s Rebuttals
TikTok acknowledges that the company has faced privacy issues and scandals in the past. However, TikTok states that many of these issues stemmed from the company’s early days and rapid growth, and claim that they have taken significant steps to improve data practices and transparency (An update for our TikTok community).
In response to concerns about Chinese government access to TikTok data, TikTok maintains that no governments have direct access to their systems. They state that moderation efforts are led by US-based teams without influence from China, and US user data is stored in Virginia with strict controls (Statement on TikTok’s content moderation and data security practices).
While acknowledging past missteps, TikTok asserts they have taken concrete actions like bringing in outside experts to conduct security audits, establishing a US data security team, and being more transparent about how the app works (An update for our TikTok community). They maintain their commitment to protecting user data and being accountable.
Independent Audits
In response to ongoing concerns, TikTok has hired the cybersecurity firm NCC Group to conduct independent audits on its data controls and protections (1). This “Project Clover” aims to provide transparency into TikTok’s data security practices and enhance user trust.
NCC Group will verify that TikTok’s controls around access, encryption, and data flow follow industry best practices (2). The audit results are expected to be published in early 2023. While details are still emerging, this move represents a step towards reassuring regulators and users that stringent safeguards are in place (3).
However, some experts argue that audits alone are insufficient without addressing the core issues around China-based ownership and potential government influence (1). The scope and rigor of the audits will also determine how credible the results are in evaluating real data risks. But overall, independent verification of security practices is a positive development.
(1) https://www.reuters.com/technology/tiktok-hires-britains-ncc-auditing-data-security-2023-09-05/
(2) https://dig.watch/updates/tiktok-hires-ncc-for-independent-data-security-audit-amid-growing-concerns
(3) https://www.forbes.com/sites/federicoguerrini/2023/09/06/tiktok-takes-steps-to-reassure-europe-with-new-data-center-and-audits/
Steps Users Can Take
There are several steps TikTok users can take to better protect their privacy on the platform:
Turn off data sharing with third parties. Go to “Privacy and Safety” settings and disable “Share analytics data” to opt out of data sharing (TikTok, 2022).
Make account private. Set your account to “Private” so only approved followers can view videos. Go to “Privacy and Safety” settings and enable “Private account” (CyberGuy, 2022).
Limit data collection. Disable targeted ads to limit data gathering. Go to “Ads” settings and toggle off “Personalized ads” (TikTok, 2022).
Be selective in sharing. Carefully consider what personal information to share publicly or with followers.
Use strong privacy settings. Enable all privacy settings like comments filters, restrict messages to followers, etc.
Periodically clear watch history and liked videos to limit data saved. This can be done in “Privacy and Safety” settings.
The key is being proactive in limiting data access and carefully considering what information is shared publicly or with TikTok.
Conclusion
Based on the evidence presented, while TikTok’s data collection policies are quite broad and concerning, there is currently no definitive proof that TikTok is misusing user data in any significant way beyond standard advertising targeting practices. However, given its ownership by a Chinese company and China’s data privacy laws, there are reasonable risks and concerns that should not be ignored. Users, parents, regulators, and TikTok itself should continue being vigilant and pushing for more transparency and accountability. Independent audits, giving users more granular data control, and ensuring strong encryption seem particularly important next steps.
In conclusion, while the risks are real, the jury is still out on the extent of TikTok’s data misuse. Continued scrutiny, safeguards, and public pressure are warranted to help ensure user privacy and data security.