The data TikTok is really collecting & what it’s doing with your information

Published Jan 19, 2023 by Xiph

Unless you’ve been living under a rock, chances are you’ve used or at least heard of TikTok, the video-sharing app with billions (yes, billions) of users worldwide. Most people use TikTok to find, share and create viral content, but users of the platform should be aware of its data practices and links to China. Here’s what you need to know about TikTok’s data harvesting, and how to keep your information safe.

How to stay safe from TikTok

What data does TikTok collect?

TikTok has alarming data harvesting methods. Besides information shared while creating your account, like your name, date of birth, phone number and email address, TikTok can also track your approximate location, mobile device ID and hardware information (e.g. CPU type, screen dimensions, disk space and RAM), IP address, metadata and browsing history.

TikTok’s privacy model and controls are similar to and consistent with other data vampires like Facebook, Instagram, YouTube, Twitter, and Google. However, TikTok’s data collection is far more extreme and problematic due to its Chinese ownership and potential use for espionage by the communist state. Analysis by Australian cyber security firm Internet 2.0 has revealed that TikTok can scan your entire hard drive and geolocate your device hourly.

The research also found that TikTok enables data collection permissions by default, which means you unknowingly give the app almost complete access to your phone’s content when using it. This includes access to your calendar, contact lists, photos, videos, camera, microphone, payment information and folders stored on your device, Wi-Fi connection, and even private messages. This means TikTok can easily collect biometric data including your face and voice print. Basically, TikTok gathers a whole lot of information about you, your files, and people saved on your device, before you even finish setting up your profile.

Does TikTok have connections to the Chinese government?

TikTok doesn’t have a direct link to the Chinese Communist Party (CCP) per se, but it’s owned by the Chinese tech company ByteDance, based in Beijing, which means all data collected by the video-sharing app is available to the CCP upon request. Security experts warn this poses not only huge privacy risks, but also a national security threat. These concerns have led the U.S. to ban TikTok on government-owned devices in several states, and a possible U.S.-wide ban of the application has not been ruled out. India has gone to the extent of permanently banning TikTok, while other countries like Pakistan, Bangladesh, and Indonesia have also intermittently blocked the app in the past.

TikTok privacy concerns

TikTok has admitted that staff in mainland China can remotely access users’ private data (including that of Australian, European, and American citizens), for instance to check on the functioning of algorithms, subject to a ‘series of robust cyber security controls and authorisation approval protocols’. The company stated it minimised the number of people who can access data and limited it only to people who need that access to do their jobs, although the platform’s Terms of Service suggest otherwise: that your data will be shared with third-party providers, businesses and ‘enforcement agencies’ under the leadership of the government.

TikTok doesn’t protect your data

It’s hard to deny that TikTok's data collection puts your personal and proprietary information at risk. TikTok’s Privacy Policy states:

“We share your data with third-party service providers who help us to deliver the Platform, such as cloud storage providers. We also share your information with business partners, other companies in the same group as TikTok, content moderation services, measurement providers, advertisers, and analytics providers. Where and when required by law, we will share your information with law enforcement agencies or regulators, and with third parties pursuant to a legally binding court order.”

This likely means that TikTok users’ data and private information are accessible to the Chinese government should it request that information under Chinese law. The CCP can also access all the data that TikTok collects from a Chinese server. However, ByteDance claims that its data centres are located entirely outside of mainland China, and therefore that no user data is subject to Chinese law, which is doubtful.

How to protect your data

While you do agree to TikTok’s Privacy Policy when you sign up, there are a few steps you can take to make your information more secure online. These include using a Virtual Private Network (VPN) to encrypt your data and traffic, and using an anonymous profile with a fake name and an alias email address, like the kind you can create in Gmail or with Apple’s Hide My Email feature.

You can also opt to browse TikTok without being logged in or having an account. The app will still collect your data in guest mode, including your IP address and device information, but this does cut down on how much data it can gather.

How to delete your TikTok account

There’s an important caveat to mention. Deleting your TikTok account will stop the app from collecting further data about your online activity, but won’t erase any previously collected data, such as your personal information, browsing and location history, etc.

Here’s a step-by-step guide to deleting your TikTok account:

  • Go to your Profile tab on the app (bottom right corner of your screen)
  • Tap Menu (the three-line icon)
  • Select Settings & Privacy
  • Tap Manage My Account & click Delete Account
  • Select your reason for leaving the app
  • Tap Delete account permanently.

A final word

TikTok’s aggressive data harvesting activities and Chinese roots have raised concerns about privacy and threats to national security, with many experts labelling the video-sharing app China's Trojan horse. The best way to protect your data and privacy is to do away with TikTok for good, and ensure you have a comprehensive security strategy to avoid further erosion of your privacy. For more information, contact us via email: enquiries@xiphcyber.com.

