Google and Meta may be the first names that come to mind when thinking of secretive online tracking of users, but another business is getting into the game in a very similar manner: TikTok.
The Chinese social media platform’s tracking pixels were found on a number of highly trafficked websites, including those owned by Planned Parenthood, the Arizona Department of Economic Security, WebMD, the Girl Scouts, sexual violence prevention organization RAINN, and US pharmacy chain RiteAid.
Like Meta’s Pixels and Google’s Analytics tags, what TikTok is harvesting is used to target ads, and it doesn’t limit itself to those who have signed up to the service.
According to Consumer Reports, which directed the investigation performed by web privacy firm Disconnect, hundreds of organizations share data with TikTok, and the information gathered “can include your IP address, a unique ID number, what page you’re on, and what you’re clicking, typing, or searching for.”
According to a TikTok spokesperson who talked to Consumer Reports (TikTok did not respond to The Register’s questions), the company uses data to improve ad targeting, but said it doesn’t use the data to group people into interest categories for other advertisers to target. The spokesperson told Consumer Reports that TikTok only uses data from non-TikTok users for aggregated reports it sends to advertisers.
However, as Consumer Reports pointed out: “There’s no independent way for consumers or privacy researchers to verify such statements.”
Is TikTok a greater threat?
Patrick Jackson, CTO at Disconnect, expressed surprise that TikTok’s tracking pixels were already so widespread. “I think people are conditioned to think, ‘Facebook is everywhere, and whatever, they’re going to get my data.’ I don’t think people connect that with TikTok yet,” Jackson said.
The report claims that Meta and Google’s trackers are far more widespread than TikTok’s.
Meta, Google, and others have been spotted slurping data from the Scottish NHS’s online symptom checker, Meta has been caught harvesting sensitive data from US student financial aid websites run by the government, and even hospital patient portals have been spotted sharing data.
Those US-based companies have been under further fire since the US Supreme Court overturned Roe vs Wade earlier this year, ending the national guarantee of safe, legal abortion access. US senators have urged the Federal Trade Commission to protect user data from tech companies that could be used to build a case against someone seeking access to reproductive healthcare – a scenario that has already happened, though pixel-harvested advertising data wasn’t involved.
TikTok is making regular appearances in privacy headlines: it has been investigated this year over whether its algorithms were promoting harmful content to children, and was recently fined £27 million ($29 million) in the UK for illegally harvesting the data of children under 13 and failing to protect their privacy. Beyond that, TikTok has also admitted to staff in China being able to access US data, which parent company ByteDance said it’s trying to resolve by moving its US user data to Oracle cloud servers located exclusively in the US.