Privacy and security concerns surrounding TikTok

Launched in 2017, TikTok has been one of the fastest-growing apps worldwide. With more than 1.6 billion downloads in the first quarter of 2020, TikTok continues to attract more and more users. However, its success is overshadowed by privacy and security concerns that put not only the company’s image at risk but also its operations in key markets. In the United States, the app risks being banned, and ByteDance, the Beijing-based company behind TikTok, is under intense scrutiny. What privacy and security issues does TikTok have, and what can you do to stay safe on the platform?

What are TikTok’s major privacy issues?

TikTok has its origins in Musical.ly, a karaoke lip-syncing app that attracted mainly children and teenagers. After ByteDance acquired Musical.ly in 2017 and merged it with its own TikTok app, the user base grew significantly, but teenagers remained the most prominent demographic group. Globally, 41% of TikTok users are aged between 16 and 24, and more than 50% of users are below 34, according to Omnicore statistics.

The Federal Trade Commission (FTC) in the United States began to investigate Musical.ly before the merger, after it received thousands of complaints from parents concerned about the data their children were sharing via the app. The app asked all users to provide a name, profile picture, email address, and phone number, without requiring underage users to get parental consent before sharing this data. In February 2019, the FTC found that the app was violating children’s privacy laws, and a settlement was reached. The investigation ended after ByteDance acquired Musical.ly, so TikTok started its journey in the U.S. with a bad reputation and a $5.7 million fine for violating the Children’s Online Privacy Protection Act (COPPA).

Since then, TikTok adapted and refined its privacy policy for younger users and created different variants to ensure compliance with regional laws. But the company is still facing challenges: Reuters recently reported that the U.S. Justice Department and the FTC are investigating whether TikTok complied with the agreement reached in 2019.

What kind of personal data does TikTok collect?

TikTok collects a significant amount of personal data to fine-tune its content recommendation algorithm: IP address, geolocation-related data, unique device identifiers, browsing and search history using cookies and web beacons. A complete and accurate user profile is vital for any social platform that aims to offer a personalized user experience and ads tailored to users’ interests. TikTok, like many other apps, reserves the right to use your email or other login information to monitor your activity on the platform across devices. Business partners, affiliates, and advertisers have access to your data and use it to display ads that (supposedly) fit your interests and preferences. The difference between TikTok and other social apps is that TikTok does not offer options for enhancing your privacy.

TikTok does not offer the option to adjust your ad preferences. A few social apps allow users to get more control over the ads. For example, Facebook collects a lot of data for serving ads but provides a few useful options to help you get more control over the ads you see. You can exclude specific topics and adjust your interests on the ad preferences dashboard. If you’d like to learn more about the privacy options available on Facebook, you can download our Guide to privacy in the era of Big Tech.

Are TikTok messages private?

When it comes to TikTok’s messaging functionality, you should keep in mind that the messages are not encrypted and the app collects not only meta-information but also the content of the messages sent through the app. Unencrypted messages can be read by the service provider and by third parties. TikTok’s privacy policy is completely transparent about what kind of information is being collected and processed: “the content of the message and information about when the message has been sent, received and/or read, as well as the participants of the communication.”

As of this point, there are no plans to introduce end-to-end encryption, a crucial feature for keeping communication private. If you use any messaging app without end-to-end encryption, do not share content that you wouldn’t be comfortable sharing in public. The company restricted direct messaging to users over 16 in late 2019, following numerous discussions about children’s safety on the platform.

How to protect your privacy on TikTok

TikTok does offer a set of privacy features, which you should explore if you plan on using the app. By default, all information you upload is public, from your account to your videos. To change these settings, you need to go to Privacy settings and make a few adjustments.

All accounts are public by default, but you can make your account private. However, your profile information will remain public, so any user will be able to see your username, bio, and profile picture. Even with a private account, your account might still be recommended to other users, especially if you have friends in common. To change this, adjust the option Allow others to find me. You can also turn off Allow download to prevent users from downloading your videos. To make videos completely private or accessible only to friends, you can use the option Who can view this video.

What are TikTok’s major security issues?

A considerable security flaw is the absence of two-factor authentication. TikTok provides the option to log in with a verification code sent to your phone, but this is a one-time access code. Single-factor authentication is, unfortunately, quite common on social platforms. Coupled with a weak password, it’s a recipe for disaster as it can easily lead to phishing or ransomware attacks, among other threats. Some social platforms – LinkedIn, Snapchat, Facebook – now offer two-factor authentication.

Until recently, TikTok used unencrypted HTTP to download media content from the company’s Content Delivery Networks (CDNs). Cleartext HTTP connections expose traffic to interception and tampering by anyone on the network path; they were superseded by HTTPS long ago but are still supported to maintain backward compatibility. Check Point Research discovered multiple vulnerabilities and simulated attacks that allowed them to change content on existing TikTok accounts, upload unauthorized videos, make private videos public, and reveal personal information (email addresses, phone numbers).

Developers from Mysk.co ran similar tests, exploiting the HTTP vulnerabilities. In April 2020, in the midst of the COVID-19 pandemic, they were able to use a fake server to switch a video in the feed of the World Health Organization with a fake one, showing how easy it is to spread false information and pointing out that “using HTTP the way TikTok does is a cybercrime.” Following these reports, TikTok acted swiftly, fixing the security flaws, and committed to rolling out HTTPS secure connections for users in all markets.
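The defensive counterpart to the attacks described above, as an added example that is not code from TikTok, Avira, Check Point or Mysk: a client-side check that flags feed entries whose media would be fetched over cleartext HTTP, and an integrity check that rejects a downloaded body that does not match a digest pinned in the (HTTPS-delivered) feed metadata. The feed entries, digests and hostnames are constructed sample data, and the assumption that the feed carries a per-video SHA-256 is hypothetical.

```python
"""Added example (not TikTok's or Avira's code): refuse the cleartext-CDN
pattern and detect a substituted video body. All sample data is constructed."""
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample feed. Entry v2 still points at a cleartext CDN URL,
# the pattern the article says TikTok used until 2020. The "sha256" field
# is a hypothetical integrity digest assumed to arrive with the feed over HTTPS.
GENUINE_V1 = b"constructed bytes standing in for the real v1.mp4"
SAMPLE_FEED = [
    {"id": "v1", "media_url": "https://cdn.example.invalid/v1.mp4",
     "sha256": hashlib.sha256(GENUINE_V1).hexdigest()},
    {"id": "v2", "media_url": "http://cdn.example.invalid/v2.mp4",
     "sha256": "0" * 64},
]


def is_https(url: str) -> bool:
    """True only for an https:// URL with a host; anything else (http, ftp,
    scheme-relative, empty) is treated as insecure transport."""
    parts = urlparse(url)
    return parts.scheme.lower() == "https" and bool(parts.netloc)


def audit_feed(feed):
    """Return the ids of entries whose media would be fetched over cleartext
    HTTP, i.e. content an on-path attacker could swap, as Check Point and
    Mysk demonstrated. A clean feed yields an empty list."""
    return [entry["id"] for entry in feed if not is_https(entry["media_url"])]


def verify_media(url: str, body: bytes, expected_sha256: str) -> bool:
    """Accept a downloaded media body only if (1) it was fetched over HTTPS
    and (2) its SHA-256 equals the digest pinned in the feed metadata.
    Transport security alone is not enough if the feed itself was tampered
    with, and the digest alone is not enough if the feed came over HTTP, so
    a client needs both."""
    if not is_https(url):
        return False
    actual = hashlib.sha256(body).hexdigest()
    # Constant-time comparison is idiomatic even though the digest is public.
    return hmac.compare_digest(actual, expected_sha256.lower())


def check_download(entry: dict, body: bytes) -> bool:
    """Convenience wrapper: verify a body against its feed entry."""
    return verify_media(entry["media_url"], body, entry["sha256"])
```

On a real client the audit would run over the URLs the app actually requests (for example from a network capture), while the digest check would run on every media body before it is rendered.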

How to stay safe on TikTok

Considering that the app has a far from perfect security track record, you might want to limit the amount of information you share on the app. For example, you could avoid linking your other social accounts such as Instagram or Facebook on TikTok. You should also carefully consider the potential risks before opening TikTok links outside the platform, for example, via SMS.

Some Android users recommend using a sandboxing app to isolate TikTok on your system. One of the most popular apps, Shelter, is an open-source sandbox app that uses Android’s Work Profile feature to provide an isolated space where you can install or clone apps. Other users go as far as to recommend using TikTok on a separate phone with a different Google account than the one you regularly use.

TikTok is taking privacy and security concerns seriously. The company recently hired a Chief Security Officer and a Global General Counsel to oversee the legal department and ensure compliance with regional laws. It also launched a Transparency Center for moderation and data practices. Like many companies experiencing immense growth in their early stages, TikTok has been focusing on rapidly deploying features and expanding to new markets. Now, it’s time for TikTok to focus on security and privacy features.