TikTok: The App That May Watch You Back

On September 3, 2022, several news outlets reported an alleged TikTok data breach affecting “billions of user accounts.”[1]  These claims first circulated on Twitter, with site members and cyber security analysts asserting that a third party stole both TikTok’s internal backend source code and two billion user records.[2]  Just days earlier, Microsoft Corporation’s Security research team posted an article warning TikTok users that Microsoft found a high-severity vulnerability that would allow attackers to access accounts with a single click.[3]  Although the popular social media app maintains that the breach rumor is unfounded, this is not TikTok’s first issue with managing user data.

Launched in September 2016, TikTok sent waves into the entertainment app industry, achieving notoriety for its bingeable, short-form video format.[4]  Headquartered in China, the social media app quickly gained popularity in overseas markets, with the company’s net value estimated at $50 billion.[5]  With nearly 1.2 billion monthly active users, it is no surprise that the app is vulnerable to bad faith actors looking to collect a wealth of user information.

This fear of a data breach caused the American government significant concern regarding user protections and data privacy on TikTok.[6]  Action against the popular app began two years ago when former President Trump attempted to ban the app from the U.S. market.[7]  On August 6, 2020, Trump issued Executive Order 13942, wherein he voiced concerns over TikTok’s ability to access information from its users, network activity data, user locations, and browsing and search histories.[8]  Trump claimed that the information “allow[s] the Chinese Communist Party access to Americans’ personal and proprietary information—potentially allowing China to track the locations of Federal employees and contractors, build dossiers of personal information for blackmail, and conduct corporate espionage.”[9]  After entering office in 2021, President Biden signed an executive order to revoke Trump’s TikTok ban, instead opting to commence an investigation into the app through the Secretary of Commerce.[10]

Unassuaged by the investigation, lawmakers are also working to prevent the spread of international propaganda, decrease the presence of extremist messages and satisfy national security concerns by attempting to regulate social media apps.[11]  Due to this present debate, TikTok contracted Oracle to oversee traffic for all U.S. user data to ease U.S. governmental concerns.[12]

But why does the entertainment app warrant such concern?  In early 2021, speculation arose that the app possesses the discretion and ability to access user data.[13]  TikTok’s CEO, Shou Zi Chew, all but confirmed this notion when he addressed user data concerns in a letter to nine Republican senators.[14]  In his letter, Zi Chew explained that the TikTok team has access to user data “subject to a series of robust cybersecurity controls and authorization approval protocols overseen by our U.S.-based security team.”[15]  During the investigation by these Republican senators, commentary made by a member of TikTok’s Trust and Safety department leaked, infamously stating “everything is seen in China.”[16]  These cryptic quotes from the CEO and TikTok team warrant some further investigation into what the app collects or could collect.

On June 2, 2021, TikTok updated its privacy policy, adding changes to the user agreement and clarifying details on the information gathered and how it is used.[17]  Under the section “Images and Audio Information,” TikTok expressly states that the app “may collect users’ images and audio to enable filters and video effects, allow it to moderate content, and ‘for other non-personally-identifying operations.’”[18]  TikTok claims to collect the information to better determine the demographics of its users and to offer more targeted recommended advertisements.[19]  However, this is not the only amendment to the updated privacy policy. TikTok now purports to “collect biometric identifiers and biometric information as defined under US laws, such as faceprints and voiceprints, from your User Content.”[20]  In addition to these changes, the app’s policy states that it may transmit user data to its foreign servers for storage or processing, as well as notifying users that the third parties it shares its user data with may also be located outside the U.S.[21]

The American Data Privacy and Protection Act

In an attempt to protect U.S. app users from TikTok and similarly situated apps, the House Energy and Commerce Committee proposed House Bill 8152, the American Data Privacy and Protection Act (“ADPPA”).[22]  As the first comprehensive data privacy bill, some of the ADPPA’s proposals include requirements to broaden categories of data that constitute sensitive information, update the standards regarding minors’ data, and expressly define specific, data-related terms.[23]  With a shocking bipartisan vote of 53-2, the House Committee on Energy and Commerce voted to pass the ADPPA and push it to the House for further review and voting.[24]

Perhaps the most relevant portion of the bill, as it relates to TikTok, is the proposed heightened standards for minor accounts.  The ADPPA aims to protect children under the age of seventeen by banning targeted ads to minors and considering all minor-related data as “sensitive information.”[25]  These increased restrictions would also place more responsibility on social media apps to monitor the age of their users.

However, the bill is not without opposition. Businesses, states, and tech companies are dissatisfied with the way that the Legislature limits the manner of data collection and use of consumer information, arguing that it will likely negatively impact their operations.[26]  Several states expressed concerns over what they view as an unnecessary expansion of government power, arguing that the federal level protection needs to be lowered so that states may choose to increase data protection at their own discretion.[27]  The House Energy and Commerce committee responded to these concerned states by assuring them that the legislation will allow states to get involved in the process to legislate on privacy related matters.[28]  In light of the expansion of information that is collected by privacy policies, these new legislative restrictions could prove essential to protecting user data.

One thing is for certain: from a consumer’s perspective, this proposal is incredibly relevant, highly necessitated, and long overdue.  With the ever-present threat of data breaches, the Legislature’s new ability to protect user data, broaden the definition of sensitive information, and hold companies accountable for minor accounts will expand the present protections and help to prevent breaches.

What Can App Users Do?

Cybersecurity experts continue to voice their concerns over TikTok and its ever-growing list of permissions.[29]  Some refer to TikTok’s data-harvesting as excessive, overly intrusive, and aggressive.[30]  Several recommend against using the app for messaging or viewing and discussing sensitive, personal material—while others recommend deleting TikTok completely.[31]

Many app users may wonder what they can do to protect their personal information and privacy.  Of course, refraining from using social media apps such as TikTok is the most successful method.  However, that is unrealistic in today’s ever-advancing technological society.  In response to the recent TikTok breach claims, experts suggest that users ensure that their accounts are accessible only through the two-step authentication process.[32]  Since this setting is automatically disabled, two-step authentication must be activated manually in the app menu.[33]  This can be accomplished by (1) clicking on your profile, (2) selecting “Security and Login,” and (3) tapping on the “2-step verification” button.[34]  If users feel concerned about the information TikTok collected from their account, they may also request to access or delete this data.  To do this, TikTok’s privacy policy explains that users may send their requests to the e-mail or physical address under the “Contact” section of its website.[35]

The reality is that modern app users are constantly assenting to privacy agreements without reading them, forgetting to reject browser cookies, and insufficiently protecting their accounts.  With the expansive and intrusive range of rights conferred to modern entertainment apps, it is evident that users require greater privacy protections in order to keep their information safe.

[1] Davey Winder, TikTok Denies Breach After Hacker Claims ‘2 Billion Data Records’ Stolen, Forbes (Sept. 6, 2022, 2:44 AM), https://www.forbes.com/sites/daveywinder/2022/09/06/has-tiktok-us-been-hacked-and-2-billion-database-records-stolen/.

[2] Mansoor Iqbal, TikTok Revenue and Usage Statistics (2022), Bus. of Apps, https://www.businessofapps.com/data/tik-tok-statistics/ (last updated Aug. 19, 2022); @BeeHiveCyberSec, Twitter (Sept. 4, 2022, 1:22 AM), https://twitter.com/BeeHiveCyberSec/status/1566340883959746562.

[3] Microsoft 365 Defender Research Team, Vulnerability in TikTok Android App Could Lead to One-Click Account Hijacking, Microsoft (Aug. 31, 2022), https://www.microsoft.com/security/blog/2022/08/31/vulnerability-in-tiktok-android-app-could-lead-to-one-click-account-hijacking/.

[4] Iqbal, supra note 1; see also Jamie Tarabay, Claim of TikTok Breach Spotlights Viral App’s Lure as Target, Bloomberg (Sept. 5, 2022, 4:54 PM), https://www.bloomberg.com/news/articles/2022-09-05/claim-of-tiktok-breach-spotlights-viral-app-s-lure-as-target?leadSource=uverify%20wall.

[5] John Csiszar, TikTok’s Net Worth: How Much Is TikTok Worth Right Now?, Nasdaq (Aug. 26, 2022, 1:13 PM), https://www.nasdaq.com/articles/tiktoks-net-worth%3A-how-much-is-tiktok-worth-right-now.

[6] Meghan Bobrowsky, TikTok Exec Says Agreement with U.S. Government to Address Concerns over User Data, Wall St. J. (Sept. 14, 2022, 7:37 PM), https://www.wsj.com/articles/tiktok-exec-says-agreement-with-u-s-government-to-address-concerns-over-user-data-11663198654.

[7] Id.

[8] Exec. Order No. 13942, 85 Fed. Reg. 48,637, 48,639 (Aug. 11, 2020).

[9] Id. at 48,637.

[10] Exec. Order No. 14034, 86 Fed. Reg. 31,423, 31,424 (June 11, 2021).

[11] Bobrowsky, supra note 6.

[12] Id.

[13] Christianna Silva & Elizabeth de Luna, It Looks Like China Does Have Access to U.S. TikTok User Data, Mashable (July 2, 2022), https://mashable.com/article/tiktok-china-access-data-in-us.

[14] Id.

[15] David McCabe, TikTok Tells Republican Senators How It Plans to Keep American Data Away from China, N.Y. Times (July 1, 2022), https://www.nytimes.com/2022/07/01/technology/tiktok-tells-republican-senators-how-it-plans-to-keep-american-data-away-from-china.html.

[16] Silva & de Luna, supra note 13.

[17] Legal – Privacy Policy, TikTok, https://www.tiktok.com/legal/privacy-policy-us?lang=en (last updated June 2, 2022).

[18] Id.; see also Amanda Yeo, TikTok’s Updated Privacy Policy May Let It Collect Your Biometric Data, Mashable (June 4, 2021), https://mashable.com/article/tiktok-privacy-policy-biometric-data.

[19] Yeo, supra note 18.

[20] Privacy Policy, supra note 17; Yeo, supra note 18.

[21] Yeo, supra note 18.

[22] Bobrowsky, supra note 6.

[23] Joseph Duball, American Data Privacy and Protection Act Heads for US House Floor, iAPP (July 21, 2022), https://iapp.org/news/a/american-data-privacy-and-protection-act-heads-for-us-house-floor/.

[24] Id.

[25] Bobrowsky, supra note 6; see also H.R. 8152, 117th Cong. (2021-2022).

[26] John D. McKinnon, Data-Privacy Bill Advances in Congress, but States Throw up Objections, Wall St. J. (July 20, 2022), https://www.wsj.com/articles/data-privacy-bill-advances-in-congress-but-states-throw-up-objections-11658347139.

[27] Id.

[28] Id.

[29] Winder, supra note 1.

[30] Judy Sanhz, How to Secure Your TikTok Account with Two-Step Verification, Technipages (Nov. 22, 2021), https://www.technipages.com/how-to-secure-your-tiktok-account-with-two-step-verification.

[31] Id.

[32] Privacy Policy, supra note 17.

[33] Rafqa Touma, TikTok Has Been Accused of ‘Aggressive’ Data Harvesting. Is Your Information at Risk?, The Guardian (July 19, 2022, 12:19 AM), https://www.theguardian.com/technology/2022/jul/19/tiktok-has-been-accused-of-aggressive-data-harvesting-is-your-information-at-risk.

[34] Id.

[35] Id.
