Disconnect Research Featured by Consumer Reports: TikTok Tracks Your Sensitive Web Activity, Even if You Don't Use TikTok
TikTok tracks everyone who visits popular websites linked to extremely personal health, financial, or education data.
TikTok is a massive and growing surveillance and propaganda threat—we launched a dedicated category to protect against TikTok tracking.
TikTok has literally exploded in popularity over the last several years. Their app has been downloaded more than any other over the past 18 months, now has more than 1.6 billion monthly active users, and was the world's most visited site in 2021. According to the New York Times, one-third of TikTok's users are reportedly 14 and under.
Users aren't just downloading TikTok and using it once in a while. In fact, on a per-user basis, people spend more time on TikTok than on the notoriously addictive Facebook and Instagram apps combined. Kids, especially, just can’t seem to stop watching TikTok.
Because of the short video format found on TikTok, the company receives a massive amount of signals from its users. Not just the type of video that you watch, but whether and how much you re-watch, pause, zoom, comment, follow, share, scroll past, skip, etc. These micro-signals, when combined with your location data, allow TikTok to gain deep insights into who you are and not only what videos will keep you watching, but what type of advertisements and messaging you'll respond to.
Relying on surveillance to target advertisements at its users, TikTok has recently turned on the money firehose and is on track to make $12 billion or so in revenue this year. Still a private company with no public reporting or transparency, TikTok's last valuation of $360 billion reflects investor confidence in not only TikTok's growth trajectory and engagement but in its ability to monetize user data.
Our research reveals that TikTok tracks highly sensitive data about everyone who visits popular websites.
We recently partnered with Consumer Reports to investigate TikTok tracking pixels embedded in websites. You can and should read Consumer Reports' excellent story featuring our research.
Our results show that thousands of popular websites, including major websites that have a heightened expectation of privacy - like WebMD, the Mayo Clinic, Planned Parenthood, RiteAid, several financial and educational sites, even the Girl Scouts - embed TikTok's tracking pixel. For every website visitor, even those who have never used the TikTok app, TikTok may receive a user identifier (IP address plus digital fingerprint) and the exact page that was visited, what a person clicked on, typed, or searched for depending on the website.
As we show below and highlight in the articles above, the nature of information TikTok collects is incredibly sensitive and should absolutely not be collected without explicit user notice and permission. Yet none of the sites we analyzed that integrated the TikTok tracking pixel gave any actual heads-up to the user about TikTok's data collection.
As our Chief Technology Officer Patrick Jackson told Consumer Reports: “The only reason this works is because it’s a secret operation. Some people might not care, but people should have a choice. It shouldn’t be happening in the shadows.”
We are publishing some of our research to highlight the incredibly sensitive nature of the information collected by TikTok (and many other trackers).
Our initial task was to scan about 20,000 websites to detect the use of the TikTok pixel. Out of the 100s of websites we identified, we were then asked to focus on 15 websites and dig into exactly what data TikTok was receiving from these sites.
Here are some examples of what we found.
Rite-Aid: TikTok able to collect searches, every product page viewed, cart, checkout
- On RiteAid (http://riteaid.com) we observed 16 network connections to TikTok during every page load.
- All user activity while on RiteAid is logged to TikTok. For example, when a user searches “Plan B”, every step the user takes (searching “Plan B”, viewing product page, adding to cart, checking out) is logged to TikTok with no user opt-in or even acknowledgement that TikTok is collecting
WebMD: TikTok able to collect searches, page views
- On WebMD (http://webmd.com) we observed 14 network connections to TikTok on the homepage.
- Not all pages will trigger connections to TikTok, but when a user navigates to a page that does, it can leak previously navigated pages by sending the page’s referrer. Because of this, TikTok collects which symptoms users are searching for. For example, when a user searches for “erectile dysfunction”, TikTok also collects that information.
- Also, if a user searches “heavy periods” and then clicks on the top menu to view information about cancer, TikTok can see the previous viewing information about heavy periods.
Mayo Clinic: TikTok able to collect searches and page views
- On Mayo Clinic (https://www.mayoclinic.org/), a homepage load sends 14 network requests to TikTok.
- TikTok collects when users do private searches like "abortion".
- After being contacted by Consumer Reports, we verified that Mayo Clinic did remove the TikTok pixel.
Planned Parenthood: TikTok able to collect data on nearly all pages
- On Planned Parenthood (https://plannedparenthood.org), the initial page load sends 16 network requests to TikTok.
- TikTok data collection detected on most pages tested (notably no TikTok tracking found on pages related to booking abortion appointments).
- Sensitive pages that include TikTok data collection include, but are not limited to, learning about birth control, donating, and taking an emergency contraception quiz.
RAINN ("The nation's largest anti-sexual violence organization"): TikTok able to collect data on nearly all pages
- On Rainn (https://www.rainn.org/) TikTok was observed collecting data on almost every page loaded.
- Every page load tested sends at least 30 network connections to TikTok.
- Many sensitive pages on the website would send data to TikTok. For example, a person viewing Rainn’s guidance for what to do after a sexual assault would have that data sent directly to TikTok.
- Loading the donation page to Rainn also sends this data to TikTok.
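The per-site findings above (counting connections to TikTok and seeing earlier searches leak through the referrer) can be checked on any site from a browser HAR export. The following is an added example, not Disconnect's or Consumer Reports' tooling. It assumes any host under tiktok.com is a TikTok endpoint and that search terms travel in common parameters such as `q`; the sample traffic, `example.org`, and the request path and `ref` parameter are constructed.

```javascript
// Audit a HAR export: count requests to TikTok and list on-site searches they disclose.
const TRACKER_DOMAIN = "tiktok.com"; // assumption: any host under this domain
const SEARCH_KEYS = ["q", "query", "search", "keyword"]; // assumed search params

function isTrackerHost(host) {
  return host === TRACKER_DOMAIN || host.endsWith("." + TRACKER_DOMAIN);
}

// URLs a request hands to the third party: Referer header + URL-valued params.
function disclosedUrls(request) {
  const urls = (request.headers || [])
    .filter((h) => h.name.toLowerCase() === "referer")
    .map((h) => h.value);
  for (const value of new URL(request.url).searchParams.values()) {
    if (/^https?:\/\//i.test(value)) urls.push(value);
  }
  return urls;
}

function searchTerms(rawUrl) {
  try {
    const params = new URL(rawUrl).searchParams;
    return SEARCH_KEYS.flatMap((k) => params.getAll(k)).filter(Boolean);
  } catch {
    return []; // unparsable URL: nothing to report
  }
}

function auditHar(har) {
  const findings = [];
  for (const { request } of har.log.entries) {
    let host;
    try { host = new URL(request.url).hostname; } catch { continue; }
    if (!isTrackerHost(host)) continue; // skips look-alikes such as nottiktok.com
    const urls = disclosedUrls(request);
    findings.push({ host, urls, searches: urls.flatMap(searchTerms) });
  }
  const searches = [...new Set(findings.flatMap((f) => f.searches))];
  return { trackerRequests: findings.length, searches, findings };
}
// Constructed sample, not captured traffic; paths and parameter names are made up.
const prior = "https://example.org/search?q=heavy+periods";
const SAMPLE_HAR = { log: { entries: [
  { request: { url: prior, headers: [] } },
  { request: { url: "https://analytics.tiktok.com/x?ref=" + encodeURIComponent(prior),
      headers: [{ name: "Referer", value: "https://example.org/cancer" }] } },
  { request: { url: "https://nottiktok.com/x", headers: [{ name: "Referer", value: prior }] } },
] } };
console.log(auditHar(SAMPLE_HAR));
```

In the sample, the visitor is on the cancer page when the tracker request fires, yet the earlier "heavy periods" search still appears in the report because the request carries the previous page's URL.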
Collected data used for more than ads: mind control is sometimes the aim
TikTok, like other social media apps, is obsessed with growth, user engagement, and revenue generation through advertising. Ad space is sold to pretty much anyone with a credit card. Advertisers could be selling a product, but they could just as easily be trying to influence what people think or how they act. Ads aren't just bought by companies, but also by government-sponsored actors. In addition, government-created accounts or accounts controlled by a government may act to influence their audiences on behalf of the government.
Government influence operations via social media are prevalent because social media ad networks provide the ability to target users very effectively based on all the data large social media companies collect about their users, including online activity, social graph, location, purchases, etc. One recent high-profile example includes the Russian disinformation campaigns in support of Trump's 2016 election via Facebook, Twitter, and other major social platforms. More recently, Meta/Facebook says it removed "China-based propaganda targeting the US midterm elections". In addition to China and Russia, the US, Iran, and other large nation-states have had government-sponsored influence campaigns taken down by Facebook, Twitter, Google, Snap, and more.
TikTok operates under control of Chinese government, but is banned in China
TikTok is owned by Chinese company ByteDance; however, the government doesn't allow TikTok - like Facebook, Twitter, and many other social media companies - to operate in China. Although people in China may not have access to TikTok, under their laws the Chinese government is able to access TikTok's data basically at will. Recent investigative reports make clear that the Chinese government "has access to everything" inside TikTok and is able to act as a "Master Admin".
No matter your politics, most would agree that the Chinese and US governments are adversaries in many respects. Chinese strategic goals most certainly include weakening the US and strengthening its own interests. TikTok is seen as an increasingly powerful tool for China to influence the minds of US-based users, especially children.
Professor Scott Galloway, calling for a ban on TikTok, puts it this way: "The tip of China’s propaganda spear is TikTok, which has a direct connection to the midbrain of a billion people, including nearly every U.S. teenager and half their parents . . . now China commands the most powerful propaganda tool." Galloway argues that the Chinese government can and likely does use TikTok to subtly influence the minds of users on a range of topics that are in the interests of the Chinese state. Some of these topics could be fomenting political or social discord in the US, working to undermine democracy and capitalism, and of course, censoring any videos that reflect poorly on China while promoting videos that portray China in a positive light.
We have a new category dedicated specifically to blocking TikTok tracking
Based on our research, we are excited to announce that we now have a specific category dedicated to blocking TikTok tracking in websites and apps not owned by TikTok. By default when you use our apps and browser extensions, we block the primary TikTok tracking pixel. If you're using one of our great iOS apps, we also give you the power to ratchet up the protection to Aggressive or Strict blocking.
Our mission at Disconnect is to put you back in control of your privacy. Giving you the power to block TikTok tracking is another way we help you enjoy a safer internet!