That TikTok privacy debate in 10 questions

From pushing dangerous health fads to spying on US journalists, TikTok has attracted an impressive range of controversies for such a young app. Above all else, it is viewed with suspicion for its handling of user data. But is the fear justified? Here’s what you need to know about the TikTok privacy debate.

I live under a rock. What is TikTok?

TikTok is a social media app based around short-form video. It was launched internationally in 2017 and has since become one of the most popular social media apps, with over one billion monthly active users, almost half of whom are between the ages of 16 and 25. TikTok and its Chinese counterpart Douyin are owned by Beijing-based ByteDance.

I’m too old for TikTok. Do I have to think about this?

Even if you have never seen a TikTok video, the company can (and will) still gather your data. Like Facebook, it allows third parties to embed a tracker on their websites to gather activity data, which is aggregated and sent to advertisers. If you do use TikTok – even without an account – expect the company to collect data about all your activity on the platform.

What data does it collect from users?

Privacy policies vary between jurisdictions, but generally it collects date of birth, email address and/or phone number, profile information, device information (e.g. model, operating system, keystroke patterns), approximate location, IP address, and in-app activity including messages. In 2021, TikTok updated its privacy policy to make it possible to collect biometric data such as ‘faceprints and voiceprints’ in the US. If users opt in to access certain features, it can collect phone contacts, Facebook friends and payment information. It could also gather data from other sources, such as advertisers and third-party apps which use TikTok Developer Tools.

Why does TikTok want so much data?

TikTok’s success is largely thanks to the algorithm behind its recommendation system, which has mastered the art of keeping people consuming content. Its algorithm relies on data to make inferences about a user’s age, gender, interests and even state of mind. The more a platform knows about its users, the more it can personalise its advertising and the more advertising revenue it can generate.

Has TikTok ever gathered data inappropriately?

Mainly, TikTok has been in legal tangles over its collection of children’s data. In 2019, it was fined $5.7m by the US Federal Trade Commission for failing to seek parental consent before collecting data on under-13s. Last year, the UK’s Information Commissioner’s Office announced that TikTok could face a £27m fine over similar failures. It has also been fined by Dutch regulators for its handling of children’s data, and by French regulators for its online tracking practices. In one of the largest privacy-related pay-outs in US history, TikTok agreed to pay $92m to US users after being found to have violated data privacy laws, including by collecting biometric data without consent.

But is it worse than other social media apps?

It is not unusual for social media apps to gather huge volumes of data, including data which does not seem necessary for the app to function. TikTok is no exception. A University of Toronto study, which examined its source code, concluded that TikTok is no more intrusive than Facebook, although that is a low bar. What sets TikTok apart is not so much the quantity or type of data being gathered, but fear – ranging from reasonable caution about a hostile superpower known for extreme digital surveillance to irrational hostility towards anything vaguely Chinese – about where the data could go.

Where does user data go?

This year, TikTok plans to open a second European data centre in Ireland, along with a third in Norway, and begin transferring European user data to those sites: “A secure enclave for European TikTok user data.” Thus far, this data has been stored on servers in the US and Singapore, although a 2020 Washington Post investigation noted: “It’s possible (and likely) that data transmitted to these servers are transferred to other locations.”

The main concern is that user data could find its way to mainland China, where TikTok’s parent company ByteDance is based. TikTok states that user data may be shared with the rest of its corporate group, presumably including ByteDance. This possibility was supported by a 2021 CNBC report which quoted former TikTok employees who said the boundary between TikTok and ByteDance was so blurred as to be practically non-existent, and a 2022 report from cyber-security firm Internet 2.0 which found the app connecting to a server in mainland China.

Whether or not there is a trove of European user data actually stored on a Chinese server is unknown; it is certainly possible to access such data from China – last year, TikTok confirmed that employees in China can remotely access European user data. Ireland’s Data Protection Commission is investigating what this means for GDPR.

So, could the Chinese government access my data?

What sets TikTok apart from the likes of Facebook and Google is its Chinese ownership. According to China’s 2017 National Intelligence Law, organisations based in the country can be forced to hand over their data to intelligence agencies – this was used to argue that Shenzhen-based Huawei could not be trusted, resulting in it being excluded from 5G networks by the US and its allies.

Experts are divided as to whether TikTok would share user data with Chinese authorities. In 2020, the CIA said there was no evidence of it, but this year FBI director Christopher Wray characterised TikTok as “ultimately within the control of the Chinese government”.

UK policymakers are reportedly doubtful that TikTok would be able to refuse a demand to share data. Others are more relaxed about the app, pointing out that there are many other ways the Chinese government could access this sort of data if it wished, whether stealing it in an Equifax-like hack or simply buying it from a data broker. A recent national security threat analysis from the Georgia Institute of Technology concluded that it is ‘not a tool of the Chinese state’ and rejected the idea that it is uniquely threatening. TikTok has asserted repeatedly that it has not, does not, and will not share user data with Chinese authorities.

Will TikTok be banned in the UK?

The app has already been restricted in many parts of the world, including a total ban in India. The US House of Representatives, European Commission, EU Council, European Parliament, and Canadian government have banned it from official devices, and the UK government followed suit recently. These restrictions appear to be motivated by geopolitical factors, unless evidence has emerged – and not been announced – that TikTok is indeed a security threat.

At this point, there is no serious suggestion that TikTok could be banned altogether in the UK. However, the UK tends to follow the example of the US in these matters, and a US ban appears to be a real possibility. US President Joe Biden previously reversed a decision by his predecessor to ban the app, but in recent weeks there has been a bipartisan effort to grant Biden the powers necessary to ban TikTok via the ‘RESTRICT’ Act.

Can I still use TikTok and protect my privacy?

The most private – but also limited – way to use TikTok is without an account, accessed on a browser with anti-tracking tools like a VPN. Using an anonymous TikTok account connected to a burner email address is a less extreme option. If you have a TikTok account, you can switch off contact syncing and restrict what topics are used to customise ads by heading to the ‘Privacy’ options. Other steps that can limit data collection include avoiding linking a TikTok account with other social profiles, and making full use of whatever iOS and Android anti-tracking features are available.