Is TikTok Spying on You? The Data Tracking Controversy, Explained
It’s hard to open your phone these days without being bombarded by TikTok videos. The wildly popular app, known for its endless stream of short clips featuring everything from dance challenges to cooking hacks to comedy sketches, has taken the world by storm. TikTok now boasts over 1 billion monthly active users worldwide, with particularly strong appeal among young adults and teenagers.
But beneath the surface of the addictive content lies a troubling reality: TikTok appears to be engaging in extensive tracking of user data and activity, often through questionable means like keystroke monitoring, in-app browser tracking, and clipboard access. The scope and granularity of TikTok’s data collection go beyond what’s necessary for the core functions of the app, according to privacy experts.
"TikTok is shaping up to be one of the most invasive consumer apps when it comes to collecting user data," said privacy researcher Inti De Ceukelaire. "Its thirst for user information poses risks to privacy, security, and transparency."
Why does it matter if TikTok hoovers up your data? For one, the app’s ownership by Chinese company ByteDance means there’s a risk that sensitive user information could end up in the hands of the Chinese government, which has a history of surveillance overreach. There are also concerns about how TikTok or third parties could exploit the data for targeted advertising, behavioral profiling, identity theft, and more.
In this deep dive, we’ll unpack the various facets of TikTok’s data tracking practices, cutting through the noise to explain what we know, what’s still murky, and what it all means for your privacy as a user.
Tracking Allegations: Keystrokes, Websites, and More
Over the past year, several independent researchers have made alarming discoveries about the extent of TikTok’s ability to monitor users’ digital activity. Let’s break down some of the key findings and what they mean.
In-App Keystroke Monitoring
In August 2022, software engineer Felix Krause published a report alleging that TikTok can track every keystroke a user types in its in-app browser, including sensitive information like passwords and credit card numbers.
Krause developed a tool that detects when apps use JavaScript commands to monitor keystroke events. When he tested it on TikTok’s iOS app, he found that it was subscribing to all keyboard inputs and taps in the app’s built-in browser.
"TikTok iOS subscribes to every keystroke (text inputs) happening on third party websites rendered inside the TikTok app," Krause wrote. "This can include passwords, credit card information and other sensitive user data."
In response, TikTok claimed the JavaScript code was used for "debugging, troubleshooting, and performance monitoring" and denied that it collects keystroke data. However, the fact that TikTok has the technical ability to intercept everything users type in its in-app browser is concerning, even if the company pinky swears not to use it for nefarious purposes.
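The kind of check described above can be sketched as follows. This is an added example, not Krause's tool and not code from any app named here: it wraps `addEventListener` so that every later registration of a keyboard, tap or selection listener is recorded. The function names and the watched-event list are assumptions of this example, and a bare `EventTarget` stands in for `document` so the sketch also runs under Node.

```javascript
// Added example: record registrations of input-related event listeners.
// The event list and all names here are this example's assumptions.
const WATCHED_EVENTS = new Set([
  "keydown", "keypress", "keyup", "input", "click", "selectionchange",
]);

// Wrap addEventListener on a prototype so every later registration of a
// watched event type is logged before being passed through unchanged.
function auditListeners(proto) {
  const original = proto.addEventListener;
  const findings = [];
  proto.addEventListener = function (type, listener, options) {
    if (WATCHED_EVENTS.has(type)) {
      findings.push({
        type,
        target: this.constructor ? this.constructor.name : "unknown",
        // Capture-phase listeners see events before the page's own handlers.
        capture: options === true || Boolean(options && options.capture),
      });
    }
    return original.call(this, type, listener, options);
  };
  return { findings, restore() { proto.addEventListener = original; } };
}

// Count findings per event type for a short report.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.type] = (counts[f.type] || 0) + 1;
  return counts;
}

// Constructed stand-in for a page: a bare EventTarget plays `document`, and
// the three registrations imitate what a script added to the page might do.
function demo() {
  const audit = auditListeners(EventTarget.prototype);
  const fakeDocument = new EventTarget();
  fakeDocument.addEventListener("keydown", () => {}, true);
  fakeDocument.addEventListener("click", () => {}, { capture: false });
  fakeDocument.addEventListener("load", () => {}); // not a watched type
  audit.restore();
  return { findings: audit.findings, counts: summarize(audit.findings) };
}

console.log(demo().counts);
```

In a real page the wrapper only sees listeners registered after it is installed and through `addEventListener`; handlers assigned via properties such as `onkeydown`, or registered by scripts that ran earlier, are not recorded.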
Website Tracking via In-App Browser
Krause also found that TikTok injects code into third-party websites loaded in the app’s browser, enabling granular tracking of user activity on those sites.
When a user clicks a link in the TikTok app, it typically opens in TikTok’s own custom browser. Krause’s analysis shows that TikTok inserts scripts into external websites that can log user interactions like taps, text selections, and screenshots.
For example, if you click a link to an online store in the TikTok app and browse products or add items to your cart, TikTok’s tracking code could vacuum up your activity. TikTok could match this off-platform data to your TikTok profile to create an even more detailed picture of your interests and behavior.
By comparison, other apps Krause tested like Instagram and Facebook only tracked a minimal amount of web activity in their in-app browsers for advertising purposes and crash reporting.
Universal Clipboard Access
Back in 2020, TikTok faced backlash when researchers discovered it was regularly accessing users’ clipboards on iOS devices, potentially capturing sensitive data like passwords that users had copied.
TikTok claimed the clipboard access was an anti-spam measure and removed it in a later update. But the revelation underscored how TikTok’s app can leverage technical loopholes and security vulnerabilities to extract user information in unexpected ways.
"The real issue here is the lack of transparency and informed consent," said mobile security researcher Mike Murray. "Users have no real way of knowing the extent of TikTok’s surveillance unless they go digging through technical documentation. That’s not how privacy should work."
To summarize the key data tracking allegations against TikTok:
| Tracking Method | Description | Data at Risk |
|---|---|---|
| Keystroke monitoring | TikTok’s in-app browser can log every keystroke a user types on third-party websites | Passwords, credit card numbers, and other text inputs |
| In-app website tracking | TikTok injects scripts into external websites to track user interactions like taps and screenshots | Browsing history, clicks, and other web activity |
| Universal clipboard access | TikTok previously captured content copied to the clipboard on iOS devices | Sensitive data like passwords or personal info copied from other apps |
TikTok’s China Problem
Beyond the technical specifics of how TikTok tracks user data, a major source of scrutiny is the company’s ties to China and the Chinese government.
TikTok is owned by ByteDance, a Chinese technology company founded in 2012. ByteDance operates a separate version of the short-form video app called Douyin within China, while TikTok is available in most other markets worldwide.
U.S. officials have repeatedly raised concerns that TikTok could be compelled to hand over the data of American users to Chinese authorities under the country’s national security laws. The U.S. military banned TikTok on government devices in 2019, and the Trump administration attempted to force a divestment of TikTok’s U.S. business in 2020 over spying fears (though the deal never materialized).
TikTok has denied that it shares user data with the Chinese government and says it would not do so if asked. The company has taken steps to wall off U.S. operations and data storage from ByteDance as part of an initiative called "Project Texas."
However, leaked internal materials known as the "TikTok Master Admin" have cast doubt on these assurances. The documents, obtained by BuzzFeed News, describe how ByteDance employees in China repeatedly accessed nonpublic U.S. user data over several months in 2021.
"Everything is seen in China," said a member of TikTok’s Trust and Safety department in a September 2021 meeting, according to BuzzFeed.
The risk is that the Chinese government could exploit TikTok’s vast trove of user data – including biometric info, location history, network contacts, and more – for espionage, influence operations, or other nefarious purposes. Even if that worst-case scenario doesn’t pan out, China’s authoritarian system and abysmal record on human rights and privacy make any potential access to U.S. user data a major red flag.
How TikTok’s Data Practices Stack Up
While TikTok is hardly the only mobile app engaging in invasive data tracking, research suggests it stands out both in the breadth of user info it hoovers up and its lack of transparency around data practices.
A 2022 study by URL Genius found that 37% of the 100 most popular iOS apps use in-app browsers to track user activity on external websites, but TikTok is unique in its ability to monitor keystrokes and text inputs.
TikTok’s privacy policy discloses that the app collects a laundry list of user data, including:
- Profile information (username, profile pic, age, etc.)
- User-generated content and engagement metrics
- Device and network identifiers
- Geolocation data
- Contacts and social connections
- Payment information
- Cookies and other tracking technologies
However, the policy is vague about how exactly this data is collected, used, and shared. A 2021 investigation by Consumer Reports found that TikTok’s privacy disclosures were broad and opaque compared to other major social platforms.
Contrast this with Meta’s in-app browsers for Facebook and Instagram, which include specific language about limiting off-platform data collection to actions related to ads.
"TikTok’s approach seems to be ‘collect first and answer questions later,’ which is the wrong way to handle people’s personal information," said Justin Brookman, director of privacy and technology policy at Consumer Reports. "We need stronger rules restricting apps from gathering data that’s not essential for their services."
The U.S. currently lacks a comprehensive federal privacy law that would rein in invasive tracking by apps like TikTok. The EU’s General Data Protection Regulation (GDPR) and some state-level laws like the California Consumer Privacy Act (CCPA) provide certain rights like the ability to access and delete your data.
But the onus is still largely on users to navigate a patchwork of company privacy policies and take proactive steps to protect themselves.
What TikTok Users Can Do
If you’re a TikTok user concerned about the app’s data tracking, there are a few key steps you can take to minimize your digital footprint:
- Avoid logging into sensitive accounts via TikTok’s in-app browser. If you click an external link in TikTok, consider copying it and pasting it into your regular mobile browser instead to avoid TikTok’s website tracking scripts.
- Opt out of ad personalization. Go to your TikTok profile settings and toggle off "Ads based on data received from partners" and "Ads based on your activity on TikTok." This won’t stop data collection entirely but can limit invasive targeting.
- Be selective about TikTok permissions. When TikTok prompts you to allow access to your camera, microphone, location, or contacts, choose "Don’t Allow" unless the permission is truly necessary. You can manage permissions in your device settings.
- Submit a data access request. TikTok allows users to request a copy of their personal data under certain jurisdictions. To submit a request, go to your app settings and navigate to "Privacy" > "Personalization and data" > "Download TikTok Data."
- Consider using TikTok in a web browser. You can access a limited version of TikTok at tiktok.com in your mobile or desktop browser, which may reduce some data exposure compared to the native app. Just beware that TikTok can still employ browser tracking like cookies.
Ultimately, using TikTok while maintaining robust data privacy is a challenge given the app’s sweeping and opaque tracking practices. If you’re not comfortable with TikTok’s approach to user data, your best bet may be to limit your usage or consider alternative short-form video apps like YouTube Shorts or Instagram Reels.
The Way Forward on App Privacy
The TikTok data controversy illustrates the urgent need for stronger privacy protections and greater accountability in the mobile app ecosystem. As our lives become increasingly digitized, the amount of personal information we entrust to apps like TikTok will only grow – making the consequences of privacy failures more and more dire.
At a minimum, apps should be required to provide clear, specific disclosures about their data practices and obtain explicit consent from users before engaging in invasive tracking like keystroke monitoring. Broad, take-it-or-leave-it privacy policies are not sufficient in an era of ubiquitous digital surveillance.
We also need tougher penalties for apps that misuse or mishandle user data. The current patchwork of sectoral privacy laws is woefully inadequate to address the complex tracking methods employed by modern apps. A robust federal privacy law in the U.S., ideally with a private right of action, would help level the playing field.
Finally, as an industry, tech companies need to embrace privacy as a core value and competitive advantage, not an obstacle to be skirted around. Apple’s App Tracking Transparency feature and Google’s plans to phase out third-party cookies in Chrome show how platform gatekeepers can lead the way on privacy-forward practices when motivated.
Absent these changes, controversies like TikTok’s invasive data tracking will only become more frequent and egregious. We’re at an inflection point for digital privacy rights – it’s time to demand better from the apps we use every day.
