TikTok & Privacy: It’s Not Just About Mewing Kittens

By Trevor Morgan

Designed for short video clips, TikTok is a new form of social media consumption that has taken the world by storm. This quickly growing app, developed by Beijing-based ByteDance, has been at the forefront of smartphone entertainment as of late, specifically during quarantine. If you’re a regular Hg follower on social media, you know about our love of dogs. If ever you are in need of a good laugh and a warm sense of calm, might we suggest scrolling through TikTok’s For You page, where you could stumble upon cuddly kittens like this:

[Embedded TikTok video from @pawsofoz: “Chatterbox 😻” #petsoftiktok #tiktokcats #kittens #fosterkitten #catsoftiktok #fyp, original sound – pawsofoz]

In all seriousness, however, after reviewing the content some users post, examining TikTok’s privacy policy, and considering its international implications, the laughing may fall by the wayside. From an open source intelligence perspective, this novelty app gives researchers and investigators a wealth of useful information. On the user end, it might not be all fun and games.

In this new blog series, Hg’s investigative analyst Trevor Morgan walks readers through TikTok basics and then discusses concerns related to surface level data, privacy breaches, and global security.

Privacy Concerns

A quick read of TikTok’s privacy policy, and a general understanding of how its data could be exposed, may give prospective users pause. This brings us to our second category: general privacy concerns. Per its policy, TikTok has access to users’ direct messages and location. If the user grants permission, TikTok can also collect their contacts. Because TikTok is a relatively new application, it has had far less time under security scrutiny and testing than older platforms, which makes it an attractive target for attackers. If the service or an account is compromised, the messages, location data, and contact information described above are exactly what is put at risk.

Earlier versions of the app had more lenient privacy restrictions. In February 2019, the Federal Trade Commission (FTC) filed a complaint in United States District Court regarding TikTok’s handling of users under the age of 13. Allegedly, parents of these users were unable to deactivate the accounts without a formal written request. Although TikTok removed these accounts, it did not delete the data attached to each child user. Naturally, this raised red flags among parents and guardians. In response, TikTok introduced a parent-child feature that lets a parent monitor their child’s account; however, no process to verify that the person monitoring the profile is actually an adult was ever implemented. To make matters worse, profiles were set to public by default and offered an optional list of users within a 50-mile radius to connect with, opening a dangerous door to unsolicited messages from nearby adults. The FTC charged that these practices violated the Children’s Online Privacy Protection Act (COPPA), whose implementing rule provides:

§312.3 Regulation of unfair or deceptive acts or practices in connection with the collection, use, and/or disclosure of personal information from and about children on the Internet.
General requirements. It shall be unlawful for any operator of a Web site or online service directed to children, or any operator that has actual knowledge that it is collecting or maintaining personal information from a child, to collect personal information from a child in a manner that violates the regulations prescribed under this part. Generally, under this part, an operator must:

(a) Provide notice on the Web site or online service of what information it collects from children, how it uses such information, and its disclosure practices for such information (§312.4(b));

(b) Obtain verifiable parental consent prior to any collection, use, and/or disclosure of personal information from children (§312.5);

(c) Provide a reasonable means for a parent to review the personal information collected from a child and to refuse to permit its further use or maintenance (§312.6);

(d) Not condition a child’s participation in a game, the offering of a prize, or another activity on the child disclosing more personal information than is reasonably necessary to participate in such activity (§312.7); and

(e) Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children (§312.8).

TikTok settled with the FTC for a $5.7 million civil penalty and agreed to change its policies. FTC Chairman Joe Simons stated, “This record penalty should be a reminder to all online services and websites that target children: We take enforcement of COPPA very seriously, and we will not tolerate companies that flagrantly ignore the law.” However, in May 2020, the New York Times reported allegations that TikTok had broken this agreement and was still failing to protect children’s privacy.

On September 20, 2020, Oracle and Walmart announced an agreement to take a combined 20% stake in TikTok’s global business as part of a pre-IPO financing round, as reported by Forbes. In a press statement, Oracle CEO Safra Catz noted,

Oracle will quickly deploy, rapidly scale, and operate TikTok systems in the Oracle Cloud. We are a hundred percent confident in our ability to deliver a highly secure environment to TikTok and ensure data privacy to TikTok’s American users, and users throughout the world. This greatly improved security and guaranteed privacy will enable the continued rapid growth of the TikTok user community to benefit all stakeholders.

Hg’s Word to the Wise

Since its creation in 2016, TikTok has left a substantial footprint on modern social networking. The clout-chasing teenager likely considers this a positive. Viewed through an analytical, research-focused lens, it can be dangerous. With your own TikTok account, be wary of the content you post and the data you share. If you plan to use it as an open source intelligence (OSINT) tool, remember the tips in this blog series and always dissect videos for hidden bits of intelligence. If you use TikTok only to watch cute puppies and dance along to viral trends, then cheers to you.

Hg’s Pro OSINT Tip of the Week: blackbookonline.info

Access to public-record information is imperative for investigations and research. Black Book Online is a great resource that locates online public-record searches for the United States. As of this writing, it links to over 37,000 public record databases. Similar to BRB Publications, the site provides links to specific county, state, and court websites. From the home screen, you can search by city and state or by public record type. For example, typing Dallas, TX returns databases specific to that region. Each result provides a brief description, its location, data source, record type, and a user rating.

Are you an analyst or investigator looking for advanced OSINT training on risk assessment and risk monitoring? If so, check out Hg’s webinar series on social media investigative training, where you can attend live sessions and receive CEUs or watch previously recorded sessions to beef up your investigative skills.

Are you concerned about your company’s or employees’ points of vulnerability through online and open sources? Our skilled analysts are experts at removing personal information that puts you, your business partners, and your family at risk. Learn how our team can assist you in assessing and monitoring your risks.

Trevor is an investigative analyst at Hetherington Group, where he uses his open source research skills to extract data from social media accounts, conduct risk assessments, and monitor subjects for clients in pharma, tech, retail, and entertainment. He is a contributing writer to Hg’s Data2Know, Industry Undercover, and OSINT Slack channels. On his lunch break, he can be found outside playing frisbee with his four-legged colleagues.