As the holiday season approaches, we encourage everyone to relax and share in joyful experiences with friends and family. However, we also want individuals to be mindful of what else they may be sharing, especially online.
In today’s digital society, the holidays are often chronicled through the lens of our camera phones and posted on social media platforms for our friends and followers to see. Although it’s a great way to spread holiday cheer with those who cannot be there in person, it can also lead to privacy concerns. Specifically, the usage of TikTok (the “Platform”) has received ample attention from privacy advocates and security experts alike.
It is important to note that TikTok is a social media platform that, like other similar applications, is intended to share data and information with a large network of users. However, the full extent of what is being shared is often misunderstood.
Our intent here is not to dissuade use; rather, it is to educate users on what information they are actually sharing on TikTok, with whom that information is being shared, and why the Platform is often regarded as a security risk.
TikTok - What Are You Actually Sharing?
TikTok was first launched internationally by parent company ByteDance in 2017, and as of Q3 of 2022, it has upwards of 1.5 billion active monthly users. TikTok expects that it will exceed 1.8 billion users by the end of 2022. With that, the prevalence of the Platform is evident. What is not, however, is the understanding of what information is being collected on the backend.
In addition to profile information, TikTok will collect any user-generated information that is uploaded within a user’s account, regardless of whether the post is saved or shared. This includes comments, photos, livestreams, audio and video. Additionally, the Platform can access (with permission) your device’s clipboard and collect any text, images or video that may be present.
TikTok can also access and collect information from any other login sources or those that are linked to a user’s profile. This can include Google, Facebook, Twitter or any other service used to authenticate users to TikTok. Furthermore, third-party services such as advertising partners, data providers and analytics providers can be leveraged by TikTok to collect information about its users.
Perhaps the most concerning issue from a security and privacy perspective is that TikTok collects audio and video information that can be used to pinpoint locations and specific demographics. Through analysis of audio and video context, TikTok can use collected data to identify “the objects and scenery that appear” or use “the existence and location within an image of face and body features and attributes” to identify users or the locations in which the content was created.
The stated reasoning for this is to enable effects on the video, moderate content, classify demographics and recommend content and advertisements. However, there could be additional uses of facial and environmental recognition not explicitly listed. TikTok may also generate and collect text of any words spoken in user content.
What Is Done with User Data on TikTok?
Other social media platforms arguably follow similar models of information collection and sharing. So, the question is, why is TikTok often singled out for it?
The combination of what information is collected, the algorithms used to moderate user content, and the presence of ByteDance is what causes concern among professional security and privacy communities.
Furthermore, all keystrokes logged within TikTok’s app and browser means that they have access to every password, credit card number, and other sensitive user data that is typed. Taxonomies of user data and behaviors are being chronicled and catalogued, to be exploited for financial gain or blackmail.
TikTok And National Security
In November 2022, FBI Director Christopher Wray testified to Congress that the FBI has national security concerns regarding the use of TikTok in the U.S. Director Wray cited that ByteDance being a Chinese company is concerning, primarily because this includes “the possibility that the Chinese government could use it to control data collection on millions of users, or control the recommendation algorithm which could be used for influence operations if they so choose, or to control software on millions of devices.”
Generally speaking, the concern is that TikTok can be used to influence American perception through data collection and content moderation.
The ability to moderate user content (i.e., controlling what users see) is typically justified by platforms for advertising or safety reasons. It can be argued that this is the case for TikTok as well, but the issue is that TikTok is used for more than just watching videos. A recent Forbes article cited that the number of U.S. adults who regularly access TikTok as a news source rose from 3% in 2020 to 10% by November 2022. Additionally, Pew Research found that 26% of all U.S. adults under the age of 30 routinely get their news updates from TikTok.
Overall, the amount of TikTok users who refer to the Platform as a regular news source rose from 22% in 2020 to 33% in 2022. It is important to note that other social media platforms have not seen such growth in this regard. In other words, TikTok is increasingly becoming a news source and with that comes the potential for a foreign entity to effectively control what news is being shared in the U.S.
Also, user information may be transmitted and stored in data centers that are outside of the U.S. With that, data can be stored anywhere and is accessible to anyone. The fact that user data is can be stored and viewed by agencies not listed naturally merits consideration from a risk management mindset.
We hope that you enjoy your holidays and can get some much-deserved time off. Share your holiday experience with friends and family, just be mindful of what else you may be sharing.
About Schneider Downs Cybersecurity
The Schneider Downs cybersecurity practice consists of expert practitioners offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.
You’ve heard our thoughts… We’d like to hear yours
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].
Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.