#FYP - Data Privacy and TikTok
- CyberSpeak Labs

- Dec 29, 2024

Starting at the end of January 2025, TikTok is expected to face a nationwide ban in the United States. Unsurprisingly, this announcement has sparked division, with strong opinions from both supporters and critics of the decision.
At the heart of the debate are critical questions:
Do users truly understand what data privacy entails?
Are they aware of the risks associated with how their data is collected, stored, and used?
Why should they care about safeguarding their data?
Data privacy isn’t a new concept. It has been a point of discussion since the 19th century. However, the evolving focus is on how data is stored, protected, and used in today’s digital landscape. As technology advances, so do the complexities of data regulation and the responsibilities of organizations handling user information.
This newsletter aims to provide valuable insights into the realm of online data:
What constitutes personal data online?
The importance of understanding how your data is managed.
Practical steps users can take to better protect themselves in a rapidly changing digital world.
Whether you are for or against the ban, this is an opportunity to deepen your understanding of data privacy and take control of your digital footprint.
Understanding and Managing Your Data
Imagine you live in a house or apartment. Inside your home, you have various items that make up your living space: a couch, a TV, a bed, kitchen appliances, and basic plumbing. You also have personal items like a toothbrush, credit cards tucked in a drawer, or sensitive documents like your social security card or passport.
Your home is your safe space, a place where you have control over who enters and how much access they have to your belongings. Sometimes, you might invite people in: family, close friends, or even complete strangers. Each visitor interacts with your home differently based on the level of trust and familiarity:
Family and Close Friends
These visitors know their way around. They know where you keep the cups and plates, the snacks, and the TV remote because they visit often and have your trust.
Strangers
Strangers could be a friend of a friend at a social gathering or a salesperson at your door. Strangers don’t have the same level of access. They might sit on your couch or use the bathroom, but it would be awkward and intrusive for them to open your cabinets or rummage through your pantry.
So, how does this all map to online data usage? An analogy helps relate technical topics at a usable level. For example:
Basic Living Accessories = Behavioral Data
The plumbing, kitchen appliances, and daily essentials represent your browsing habits: how you interact with the internet, such as visiting websites, clicking on ads, or using apps. This is considered behavioral data, collected to improve your experience or personalize services. This data ensures your internet experience is catered to you.
Limited Access Items = Identifiable Data
Items like your dishware or the TV remote, which close friends know how to find, symbolize identifiable data. This includes information like your name, phone number, or address: details that identify who you are. While not always secret, this data is shared selectively and should be treated with care.
Private Belongings = Sensitive Data
The secrets in your bedside drawer, where the credit cards are kept, your passport, or other valuables represent sensitive data. This type of information, such as health records, political affiliations, or religious beliefs, can cause significant harm if misused. It’s the kind of information you’d only trust with a few select people or organizations.
When putting this in perspective, we wouldn't want just anyone accessing specific data or belongings. Just like the internet itself, websites often collect and use your information. However, privacy policies, which are meant to inform you about how your data is handled, can be difficult to understand for anyone without expertise in data management or legal reading. These policies are often overly complex, filled with technical jargon, or written in a way that makes them inaccessible to the average user.
This creates significant challenges for users trying to grasp the importance of their personal data and why protecting it is so critical. Just as you wouldn’t want strangers rifling through your private belongings, you wouldn’t want a website collecting sensitive information and sharing it indiscriminately with unknown parties.
Understanding how your data is collected, used, and shared is key to maintaining control over your digital identity and safeguarding your privacy in an increasingly interconnected world.
The Anatomy of TikTok's Data Privacy
Disclaimer: This article provides a factual analysis of how data is used by TikTok. It does not include political or personal opinions. All information presented is based on open-source intelligence and is intended solely for educational purposes.
Now let's go over how TikTok truly uses data. You can view TikTok's data privacy here. For the scope of this breakdown, Children's Data Privacy Policy will not be reviewed.
Research is conducted through a Firefox extension. This extension assists in discovering how data is interpreted in TikTok's data privacy policy.
Data Usability - PrivacyCheck
PrivacyCheck Results

Note: A score of 100% could verify that no data is collected or used. This is not a goal, but the scoring helps users identify potential risks or areas where they should focus on how their data is used.
Below is the breakdown of PrivacyCheck's findings at a high-level:
| Data Type | High-Level Findings |
| --- | --- |
| Email Address | Ask for it, but only for intended purposes. |
| Credit Card and Home Address | Ask for it, but only for intended purposes. |
| Social Security Number | They do not ask for it. |
| Marketing | They do use your PII information for ads and marketing, but do not sell/share it with third parties. |
| Location | They track it, but use it only for intended services. |
| Sharing With Law Enforcement | They require Warrant/Subpoena. |
| Privacy Policy Change | They post new policies but you cannot opt out. |
| Control of Your Data | You cannot edit your information. |
| Aggregated Data | They aggregate data but remove PII first. |
TikTok is a big platform with a wide range of audiences and intended uses for data. To break down the information at a usable level, researchers submitted the findings and concerns from these extensions to ChatGPT. ChatGPT then summarized them, put them in layman's terms, and added data classifications. For disclosure, ChatGPT is not 100% accurate. When reading the results of the submitted request, please ensure you verify any information provided below:
Privacy Policy Updates
Data Privacy Type: Informational
Data Privacy Concern: Users might be concerned about sudden changes to the policy that could impact how their data is used or shared.
Impact if Concern is True: If policy changes occur without adequate user consent or awareness, it could lead to unwanted sharing or use of personal data, or make users feel their privacy is being compromised.
Risk Scenario: Imagine you’ve consented to the collection of your basic information, but a policy change allows the app to sell your personal data to advertisers. Without your knowledge, your sensitive data is shared with third parties, resulting in your email address being sold and used for spam or unsolicited marketing.
Information We Collect
Account and Profile Information: Name, username, password, email, phone number, etc.
Data Privacy Type: Sensitive, Informational
Data Privacy Concern: Users might be concerned about the collection of personal, sensitive information and how it's stored or shared.
Impact if Concern is True: If personal information is mishandled or shared without proper consent, it could result in identity theft, data breaches, or unwanted solicitations.
Risk Scenario: After signing up for an app, your email and phone number are leaked in a data breach. Your inbox is flooded with phishing emails, and you start receiving unsolicited calls, some of which are scams attempting to steal money or personal details.
Messages: Content, send/receive times, participants.
Data Privacy Type: Sensitive, Behavioral
Data Privacy Concern: Users may worry about their private communications being accessed or shared without their consent.
Impact if Concern is True: Unauthorized access to private messages could lead to personal information being exposed, harassment, or the misuse of sensitive content.
Risk Scenario: You send a private message discussing personal health issues with a friend. However, the app accidentally exposes your message to an unintended third party, leading to embarrassment and discomfort as your private conversation is shared.
Clipboard Information: Access to clipboard data with permission when sharing content.
Data Privacy Type: Behavioral
Data Privacy Concern: Users may be concerned about their clipboard data being accessed or shared without their explicit permission.
Impact if Concern is True: If clipboard data is accessed or used without user consent, it could lead to the inadvertent sharing of private or sensitive information, such as passwords or financial details.
Risk Scenario: While copying a password or bank details to share in a secure message, the app unintentionally accesses and sends that clipboard data to a third-party advertiser, compromising your security and personal information.
Phone/Social Network Contacts: Information from contacts for matching users.
Data Privacy Type: Behavioral
Data Privacy Concern: Users might worry about their contacts' information being shared or used without their permission.
Impact if Concern is True: The privacy of contacts is compromised if their information is collected or shared without consent, potentially resulting in unwanted outreach or exposure.
Risk Scenario: You sync your contacts to the app to find friends, but unbeknownst to you, the app shares your contacts' information with advertisers. Now, your friends are receiving targeted ads, and some of them express concern about their information being exposed without their consent.
Verification Information: Proof of identity or age.
Data Privacy Type: Sensitive
Data Privacy Concern: Users might be concerned about providing sensitive information, such as identity or age, and how securely it is handled.
Impact if Concern is True: If sensitive verification information is exposed or used improperly, it could lead to identity theft, fraud, or unauthorized access to age-restricted content.
Risk Scenario: You upload a picture of your ID to verify your age, but the platform experiences a security breach, and your ID data is accessed by hackers. Your personal details, including your birthdate and address, are stolen, and used for fraudulent activity or identity theft.
Third-party Sign-ins: Data from third-party services like Facebook, Instagram, etc.
Data Privacy Type: Informational
Data Privacy Concern: Users may be concerned about how third-party services access and use their personal information shared with TikTok.
Impact if Concern is True: Unauthorized access or misuse of data shared via third-party services could lead to privacy violations, data leaks, or exposure of personal activities and preferences.
Risk Scenario: You sign in with your Meta account, and the app gains access to your personal information. Later, you discover that this information was used by third-party advertisers without your permission, exposing your interests and browsing history to strangers.
Advertiser/Partner Information: Data about your activities outside the Platform.
Data Privacy Type: Behavioral
Data Privacy Concern: Users may worry about how their data is shared with third-party advertisers, tracking their activities outside the platform.
Impact if Concern is True: Users may feel their behavior is excessively monitored, leading to a loss of trust and increased unwanted advertisements or tracking.
Risk Scenario: After browsing a few online stores, you notice that you’re suddenly bombarded with targeted ads for items you’ve already purchased or searched for elsewhere. It feels as though every movement you make online is being tracked, leading to a loss of privacy and increased annoyance.
Device Information: IP address, device model, system, battery state, etc.
Data Privacy Type: Informational, Behavioral
Data Privacy Concern: Users may be concerned about tracking of their devices, location, and usage patterns.
Impact if Concern is True: If device information is used to track users across platforms without consent, it could lead to unwanted profiling and potential misuse of personal data.
Risk Scenario: You access the platform from various devices, and later realize that your location and device-specific behavior are being tracked and sold to advertisers, leading to personalized ads that feel intrusive.
Metadata: Information connected to User Content, like creation time and hashtags.
Data Privacy Type: Informational
Data Privacy Concern: Users might be concerned about their content being traced back to their identity through metadata.
Impact if Concern is True: If metadata is misused or exposed, it could reveal the user’s identity, location, or personal connections, causing privacy risks or unwanted attention.
Risk Scenario: You post a photo on the platform and later find out that metadata attached to the photo reveals your exact location and the time it was taken, making it easy for someone to trace your movements and invade your privacy.
Cookies and Similar Technologies: Used to measure interaction and improve ads.
Data Privacy Type: Behavioral
Data Privacy Concern: Users may be concerned about their online behavior being tracked for targeted advertising, especially if they're unaware of how it's done.
Impact if Concern is True: If users are tracked without consent, it could lead to feeling constantly monitored, loss of anonymity, and potentially unwanted advertising or data sharing.
Risk Scenario: You visit a shopping website, and days later, you notice the same items are being advertised to you on various other platforms. You feel that your every click is being tracked for the sake of advertising. This is also referred to as "my phone is listening to me."
How We Use Your Information
Data Privacy Type: Behavioral
Data Privacy Concern: Users may feel uncomfortable with how their data is being used to customize ads or influence content they see.
Impact if Concern is True: Users may feel manipulated or alienated by targeted content, leading to dissatisfaction with the platform and potential withdrawal of consent to use their data.
Risk Scenario: You notice the app starts showing ads for products or services you were talking about with friends in private. You realize that your behavior is being analyzed and monetized without your knowledge, leading you to lose trust in the app.
Sharing Your Information
With third-party services for login, sharing, and content suggestions.
Data Privacy Type: Informational
Data Privacy Concern: Users might be concerned about their personal data being shared with third-party companies, especially if they don't understand the full extent of the sharing.
Impact if Concern is True: Excessive or non-transparent sharing with third parties could lead to unauthorized exposure of user data, possibly violating user trust.
Risk Scenario: You use a social network login to access an app, but later realize that your data, including posts and preferences, is being sold to advertisers without your knowledge or consent.
With corporate affiliates to enable specific platform features.
Data Privacy Type: Informational
Data Privacy Concern: Users may worry about how their data is accessible by multiple entities within the corporate group, which could increase the risk of data misuse.
Impact if Concern is True: If data is shared with affiliates without sufficient safeguards, it could lead to the mishandling of user information or breaches of privacy.
Risk Scenario: After sharing your data for personalized content, you learn that it was also shared with other companies within the same corporate group, resulting in more aggressive marketing campaigns that you didn't sign up for.
With advertisers for tailored ad targeting and marketing.
Data Privacy Type: Behavioral
Data Privacy Concern: Users might be uncomfortable with advertisers using their personal data to target them with tailored ads, potentially infringing on their privacy.
Impact if Concern is True: Personalized advertising can make users feel uncomfortable or intruded upon, potentially damaging their relationship with the platform.
Risk Scenario: You search for a new car, and instantly, every app you open starts showing ads related to car loans and dealerships. It feels like every action you take is being used to sell you something, leading to frustration and a sense of invasion of privacy.
Security education is important at all levels. Data privacy will be a growing topic as more technology services start to surface. CyberSpeak Labs LLC is always looking for comments on data privacy or the TikTok topic itself. What are your opinions or thoughts?



