The Federal Trade Commission (FTC) in the United States began investigating Musical.ly before the merger, after receiving thousands of complaints from parents concerned about the data their children were sharing through the app. The app asked all users to provide a name, profile picture, email address, and phone number, without requiring parental consent for underage users before that data was collected. In February 2019, the FTC found that the app was violating children’s privacy laws, and a settlement was reached. The investigation concluded after ByteDance acquired Musical.ly, so TikTok started its journey in the U.S. with a damaged reputation and a $5.7 million fine for violating the Children’s Online Privacy Protection Act (COPPA).
TikTok collects a significant amount of personal data to fine-tune its content recommendation algorithm: IP address, geolocation-related data, unique device identifiers, and browsing and search history gathered through cookies and web beacons. A complete and accurate user profile is vital for any social platform that aims to offer a personalized experience and ads tailored to users’ interests. TikTok, like many other apps, reserves the right to use your email or other login information to track your activity on the platform across devices. Business partners, affiliates, and advertisers have access to your data and use it to display ads that (supposedly) match your interests and preferences. The difference between TikTok and other social apps is that TikTok offers no comparable options for controlling how that data is used.
TikTok does not offer the option to adjust your ad preferences. A few social apps allow users to get more control over the ads. For example, Facebook collects a lot of data for serving ads but provides a few useful options to help you get more control over the ads you see. You can exclude specific topics and adjust your interests on the ad preferences dashboard. If you’d like to learn more about the privacy options available on Facebook, you can download our Guide to privacy in the era of Big Tech.
At the time of writing, there are no plans to introduce end-to-end encryption, a crucial feature for keeping communication private. If you use any messaging app without end-to-end encryption, do not share content that you wouldn’t be comfortable sharing in public. The company restricted direct messaging to users over 16 in late 2019, following numerous discussions about children’s safety on the platform.
TikTok does offer a set of privacy features, which you should explore if you plan on using the app. By default, all information you upload is public, from your account to your videos. To change these settings, you need to go to Privacy settings and make a few adjustments.
All accounts are public by default, but you can make your account private. However, your profile information will remain public, so any user will be able to see your username, bio, and profile picture. Even with a private account, your account might still be recommended to other users, especially if you have friends in common. To change this, adjust the option Allow others to find me. You can also turn off Allow download to prevent users from downloading your videos. To make videos completely private or accessible only to friends, you can use the option Who can view this video.
A considerable security flaw is the absence of two-factor authentication. TikTok lets you log in with a verification code sent to your phone, but that code is a one-time access code, not a second factor on top of your password. Single-factor authentication is, unfortunately, quite common on social platforms. Coupled with a weak password, it’s a recipe for disaster, as it can easily lead to phishing or ransomware attacks, among other threats. Some social platforms – LinkedIn, Snapchat, Facebook – now offer two-factor authentication.
Until recently, TikTok used unencrypted HTTP to download media content from the company’s Content Delivery Networks (CDNs). Plain HTTP exposes traffic to interception and tampering; it has long been superseded by HTTPS, but many services still support it for backward compatibility. Check Point Research discovered multiple vulnerabilities and simulated attacks that allowed them to change content on existing TikTok accounts, upload unauthorized videos, make private videos public, and reveal personal information (email addresses, phone numbers).
Developers from Mysk.co ran similar tests, exploiting the same HTTP weakness. In April 2020, in the midst of the COVID-19 pandemic, they were able to use a fake server to replace a video in the World Health Organization’s feed with a fake one, showing how easy it is to spread false information and arguing that “using HTTP the way TikTok does is a cybercrime.” Following these reports, TikTok acted swiftly, fixing the security flaws, and committed to rolling out HTTPS connections for users in all markets.
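The two reports above come down to one client-side gap: media was fetched over a channel that neither authenticated the origin nor protected the bytes in transit. The following added example (my own code, not TikTok's or Mysk's) shows the defensive checks a client can apply before rendering a feed item: require an https:// URL on a known CDN host, and verify the downloaded bytes against a hash carried in the feed manifest. The CDN host names, the manifest format and the sample video bytes are all constructed for this example; the assumption is that the manifest itself arrives over an authenticated channel.

```python
"""HTTPS-only media fetching with origin and integrity checks.

Added example, not TikTok's or Mysk's code. Assumes the feed manifest (which
carries each item's URL and SHA-256) is delivered over an authenticated
channel; host names and video bytes below are constructed for the demo.
"""
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed allowlist of CDN hosts the client is willing to fetch media from.
ALLOWED_CDN_HOSTS = frozenset({"media.example-cdn.test", "v.example-cdn.test"})


def is_allowed_media_url(url: str, allowed_hosts=ALLOWED_CDN_HOSTS) -> bool:
    """Accept only https:// URLs whose host is a known CDN.

    Rejecting plain http:// removes the window an on-path party used to swap
    video content; the host allowlist stops redirects to arbitrary servers.
    """
    parts = urlparse(url)
    if parts.scheme != "https":
        return False
    if parts.username or parts.password:  # userinfo trick: https://cdn.test@other.test/
        return False
    host = (parts.hostname or "").lower()
    return host in allowed_hosts


def verify_media(data: bytes, expected_sha256: str) -> bool:
    """Compare the downloaded bytes against the manifest's SHA-256 (constant-time)."""
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, expected_sha256.lower())


def check_feed_item(item: dict, fetched: bytes):
    """Return None if the item may be rendered, otherwise a rejection reason."""
    if not is_allowed_media_url(item["url"]):
        return "insecure-or-unknown-origin"
    if not verify_media(fetched, item["sha256"]):
        return "integrity-mismatch"
    return None


# Constructed sample: what an authenticated manifest would say the video is.
GOOD_VIDEO = b"constructed bytes standing in for the real WHO clip"
GOOD_SHA256 = hashlib.sha256(GOOD_VIDEO).hexdigest()
SWAPPED_VIDEO = b"constructed bytes standing in for a substituted clip"


def demo() -> dict:
    """Run the check over three constructed feed entries and report each outcome."""
    manifest = {
        "legit": {"url": "https://media.example-cdn.test/v/1.mp4", "sha256": GOOD_SHA256},
        # Same path but downgraded to http://, as in the pre-fix client behaviour.
        "downgraded": {"url": "http://media.example-cdn.test/v/1.mp4", "sha256": GOOD_SHA256},
        # HTTPS to the right host, but the bytes that came back differ from the manifest.
        "swapped": {"url": "https://media.example-cdn.test/v/1.mp4", "sha256": GOOD_SHA256},
    }
    fetched = {"legit": GOOD_VIDEO, "downgraded": GOOD_VIDEO, "swapped": SWAPPED_VIDEO}
    return {name: check_feed_item(entry, fetched[name]) for name, entry in manifest.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'render' if outcome is None else 'reject (' + outcome + ')'}")
```

The scheme check alone would have blocked the downgraded fetch both groups of researchers relied on; the hash check is the second layer, catching a substituted file even if it arrives from an allowed host, which is why it only helps when the manifest itself is trustworthy.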
Considering that the app has a far from perfect security track record, you might want to limit the amount of information you share on it. For example, you could avoid linking your other social accounts, such as Instagram or Facebook, to TikTok. You should also carefully consider the potential risks before opening TikTok links received outside the platform, for example via SMS.
Some Android users recommend using a sandboxing app to isolate TikTok on your system. One of the most popular apps, Shelter, is an open-source sandbox app that uses Android’s Work Profile feature to provide an isolated space where you can install or clone apps. Other users go as far as to recommend using TikTok on a separate phone with a different Google account than the one you regularly use.
TikTok is taking privacy and security concerns seriously. The company recently hired a Chief Security Officer and a Global General Counsel to oversee the legal department and ensure compliance with regional laws. It also launched a Transparency Center for its moderation and data practices. Like many companies experiencing immense growth in their early stages, TikTok has focused on rapidly deploying features and expanding to new markets. Now it’s time for TikTok to focus on security and privacy features.