Oops, TikTok Did It Again

by Adrian Yang


What is Keylogging?

TikTok is in trouble again, with a massive lawsuit alleging invasive data harvesting using techniques like keylogging, a form of surveillance that tracks users' keystrokes on their devices. Independent research by coder Felix Krause found code hidden in the operating system which allowed it to monitor all keyboard inputs and tags.

Krause also explained on his blog that this could potentially include recording sensitive information such as passwords and credit card numbers. And because TikTok comes with an internal browser, this functionally gives the app the ability to monitor its users as they browse third-party websites and services. (In strange-but-true news: it's been well documented that TikTok is the go-to social app for Gen Z. However, a surprising statistic came out recently, showing that 40% of Gen Z users prefer using TikTok and Instagram for search over Google.)
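The mechanism described above is script running inside an in-app browser that registers keystroke listeners on third-party pages. As an added defensive example (not code from the article or from Krause's research), the following site-side audit hooks the standard EventTarget API so a site owner can record which code registers keystroke listeners and flag any that did not come from an expected origin; the allowedOrigins list and the record format are assumptions of this example.

```javascript
// Added example: audit which scripts register keystroke listeners on a page.
// Assumes the standard EventTarget API (browsers, and Node 15+ for running
// this file stand-alone). Hypothetical helper names; not from the article.
const KEY_EVENTS = new Set(['keydown', 'keyup', 'keypress', 'input', 'beforeinput']);

// Wraps addEventListener so every keystroke-listener registration is recorded
// together with the JavaScript stack that performed it. A registration whose
// stack mentions none of the allowed script origins is marked suspicious.
// Returns { records, restore } where restore() removes the hook again.
function installKeystrokeListenerAudit(proto = EventTarget.prototype, allowedOrigins = []) {
  const original = proto.addEventListener;
  const records = [];
  proto.addEventListener = function (type, listener, options) {
    if (KEY_EVENTS.has(type)) {
      // Drop the two frames belonging to this hook; the rest identifies the caller.
      const stack = (new Error().stack || '').split('\n').slice(2).join('\n');
      const suspicious = !allowedOrigins.some((origin) => stack.includes(origin));
      records.push({ type, stack, suspicious });
    }
    return original.call(this, type, listener, options);
  };
  return { records, restore() { proto.addEventListener = original; } };
}

// Summarises an audit for logging or for sending to a site's telemetry endpoint.
function summarizeAudit(records) {
  return {
    total: records.length,
    suspicious: records.filter((r) => r.suspicious).length,
    types: [...new Set(records.map((r) => r.type))].sort(),
  };
}

// Stand-alone demonstration on a constructed target (no DOM needed).
if (typeof require !== 'undefined' && require.main === module) {
  const audit = installKeystrokeListenerAudit(EventTarget.prototype, ['https://example.test/app.js']);
  const target = new EventTarget();
  target.addEventListener('keydown', () => {}); // flagged: not from the allowed origin
  target.addEventListener('click', () => {});   // ignored: not a keystroke event
  audit.restore();
  console.log(summarizeAudit(audit.records));
}
```

The hook must be installed before any other script runs, and code that captured the original addEventListener earlier (or that reads input without DOM listeners) will not be seen, so treat this as a detection aid rather than a control.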

For the record, TikTok is not alone in harvesting data from its users. A previous post by Krause focused on tracking code within Meta's Facebook and Instagram iOS apps. A recent survey of the top 100,000 most popular websites found that 1,844 logged an EU user's email address without their consent, and 2,950 recorded a U.S. user's email data in some form. Keylogging has also been used as a way for employers to monitor the activity of remote employees. It's important to note that keylogging is largely considered unethical, even when it is used to monitor employees who are aware of the practice.

While not necessarily a black hat practice, it’s still raising some eyebrows in the U.S., where the app–which is owned by the Chinese parent company ByteDance–has always operated under a dark cloud of suspicion. Allegations in 2019 that the app was stealing data from underage users and censoring content on behalf of China’s ruling Communist Party led to calls for investigations from high-profile politicians. In December of that year, just as TikTok was taking over as the world’s most downloaded app, the U.S. Department of Defense was recommending that all military personnel delete it from their phones.

Trump’s Ban Against TikTok Surveillance Reversed By Biden

In 2020, President Trump signed a series of executive orders banning U.S. companies from doing business with TikTok (as well as the Chinese-owned WeChat app). These orders were later reversed by the Biden administration, which nonetheless urged Americans handling sensitive information to consider the apps a “heightened risk.”

The House of Representatives’ Chief Administrative Officer (CAO) echoed these concerns just this week following the keylogging report, issuing a “cyber advisory” about security on TikTok, noting that, despite its Culver City headquarters, it’s still “a Chinese-owned company.”

So even a U.S. government that was initially inclined to be more TikTok-friendly may be having second thoughts. Even Facebook, at the height of the Cambridge Analytica scandal, was not as controversial, and it is worth noting that Chinese technology and espionage is a hot topic in today's landscape, after the U.S. has endured several intelligence-related scandals over the past several years.

Plaintiff Austin Recht v. TikTok

Meanwhile, plaintiff Austin Recht filed a class action lawsuit against TikTok Inc. and parent company ByteDance Inc. on Nov. 25 in a California federal court, alleging violations of state and federal privacy and wiretap laws. According to the lawsuit, TikTok offers users an in-app website browser. That browser is in fact a "sophisticated data collection mechanism," the TikTok surveillance class action alleges. Recht claims JavaScript code is used to intercept data about users without their knowledge.

“The clear purpose of the JavaScript code inserted into these websites is to track every detail about TikTok users’ website activity,” the lawsuit claims. “Defendants have unlawfully intercepted private and personally identifiable data and content from TikTok users so that Defendants may generate revenue from use of this data.”

Through its "clandestine" tracking activities, TikTok violated wiretap laws, unlawfully intruded upon users' privacy, violated their rights of privacy and unjustly profited from those activities, the TikTok class action alleges.

Recht says he downloaded the TikTok app and created his TikTok account in 2019. While using the TikTok app, he says he clicked on links to external, third-party websites. He also purchased merchandise from a website provided in an advertisement. The link took him to a third-party website via the in-app browser where he completed his purchase and entered his private data, including his credit card information, he says.

“Defendants surreptitiously collected data associated with Plaintiff’s use of third-party websites without his knowledge or consent, including his contact and credit card information provided during Plaintiff’s purchase of merchandise,” the TikTok class action alleges.

It still needs to be determined how far the government will intervene in social media and in the use of data collection, and this case may actually be a bellwether, like several others making their way through the courts. Time will tell.

by Adrian Yang Dec 09, 2022