As the US Congress votes (again) whether or not to ban or force a sale of Chinese-owned TikTok, some people may think to themselves … “Well I just don’t use TikTok. TikTok doesn’t have my data. TikTok doesn’t know what I’m doing. Why should I care?”

Unfortunately, those people are wrong. Even if you are not a TikTok user, have never downloaded the TikTok app, never watched a TikTok from the web … TikTok still intimately collects your information from thousands of businesses online.

TikTok’s Intelligence Collection on Users and Non-Users

There’s a certain level a social media platform reaches when its user base becomes large enough where it begins to function less like a social media network and more like a marketing, advertising, and intelligence collection platform with a neat little app attached. TikTok grew to and flew past this level long, long ago.

Like many of the large digital advertising networks, TikTok allows businesses to enrich their advertising experience by voluntarily submitting their user activity data to TikTok’s APIs (specifically in this case, their Events API). This allows the business to directly target specific users of their products who also are subject to the advertising network (in this case, their users who are also users of TikTok).

In order to do so, a website (or mobile app) owner typically sends along three things:

1. event data (such as the action taken & information about the action)
2. user data (typically the email & phone number of the user doing the action, but also potentially IP address, user agent, and other identifying information), and
3. event source (where the action occurred, for ex. mobile, on-the-web, in-person).

In response to concerns about user privacy, many advertising networks say these risks are mitigated by using SHA256 hashes instead of plain-text for user data (emails, phone numbers, etc). TikTok says this themselves in their documentation: “As per standard industry practice, customer emails and phone numbers will be hashed with SHA256 before reaching TikTok servers for matching.” (source)

However given that the hashing algorithm is known (SHA256), the plain-text format is known (a target’s email or phone number), and no secure salting measures are used, the hashing approach is therefore susceptible to a Rainbow Table attack making the hashes useless to privacy from a service operator such as TikTok. In any means, the hashes are meant to be of a known plain-text pattern for TikTok so that they can match to known users on their platform, so this claim of privacy is entirely bogus.

The types of activity data collected can also vary wildly depending on the type of service. See TikTok’s Supported Events article in their Events API documentation for a list of built-in event types, such as: AddToCart, Search, ViewContent, LoanApplication, AddPaymentInfo, LaunchAPP, etc. And the activity data includes intimate details about the specific action, such as search query, the product ID viewed, the payment info added, etc.

Users often blindly consent to the sharing of this information with TikTok when allowing the websites they browse to or apps they use to share data with their “advertising partners”, or users may also be implicitly consenting to this by accepting a website’s or mobile app’s general terms of service.

Additionally, in order to assure the function of advertising & marketing, this activity data is often shared via server-side event tracking and not client-side where ad-blocking software would typically provide controls for privacy-mindful users.

And finally, as a coup de grâce, users of a service who are not also users of TikTok still have their activity data sent to TikTok in the hopes that they can be targeted later if they become a user.

So therefore … TikTok is effectively tracking everyone (no matter if you’re a user of their app or not) everywhere online (and sometimes offline) all of the time. They know what you’re searching for off TikTok, what you’re buying off TikTok, when you called your favorite business’s support desk last, when you last applied for that loan with Affirm to buy that PlayStation, when you last confirmed your prescription with your pharmacist … they know it all and they know it was you.

I urge Congress and the President to move expeditiously to block the reach of TikTok and similar Chinese-intelligence gathering operations within the United States.

The Caveat

The general privacy concerns of TikTok having access to the activity history of users who are not even users of its own platform are very genuine, however the same apply to operators of other large digital advertising networks such as Google, Facebook, Amazon, Adobe, Microsoft, etc.

Related reading from Karl Bode via TechDirt on this point, “Once More With Feeling: Banning TikTok Doesn’t Do Much If We Don’t Regulate Data Brokers And Pass A Privacy Law”.

TL;DR

• TikTok collects information about user activities from thousands of popular web services (pharmacies & medical services, support desks, online ordering, file management software, etc) in ways which are not blockable by ad-block or similar.
• This information collection includes users who are not (and will never be) users of TikTok’s services.
• TikTok (and by extension, the Chinese government) can use this information to spy on the off-platform activities on any specific persons of interest, targeting and correlating activity data based on phone number, email address, IP address, or user agent.
• These off-platform activities include things like search queries, viewing or purchasing items or services, applying for a loan. Actvitiy data includes intimate details about the action, such as search queries, addresses, payment details, credit histories, etc.
• It is estimated TikTok regularly receives off-platform activity data for potentially tens of millions of non-TikTok users, if not more, from web services integrating with the TikTok Ads & Marketing Events API.