
Project Clover Data Collection Assessment Executive Summary

13 February 2025

Introduction

NCC Group was contracted by TikTok Technology to conduct independent data collection assessments in order to identify user information collected by TikTok applications, and the locations to which the data was sent.


Scope

The assessment was carried out using TikTok applications, to investigate the following:

  • What user data was collected through the Android, iOS and web versions of TikTok applications
  • Whether any of this data was not listed in TikTok's Privacy Policy for users in the European Economic Area, Switzerland and the United Kingdom (the TikTok European Privacy Policy)
  • The endpoints to which this data was sent


Methodology

NCC Group performed the assessment with European TikTok user accounts created by NCC Group's technical team based in Spain. In addition, analysis of user location data was conducted in the United Kingdom and Spain using accounts created by our teams.

NCC Group built a bespoke analysis system for the data collection assessment so that captured data could be stored and analysed at a granular level. The system comprises an HTTP intercepting proxy, self-built data processing software, a database and self-built scripts. Using it, we determined what user data, if any, is collected in each network connection, classified that data and determined its destination location.

NCC Group is able to directly access most of the data using its testing accounts, but in some cases it relies on TikTok to decrypt data to support the assessment. NCC Group is working on a solution for this type of user data that would remove the need to rely on TikTok's support in future iterations of the data collection assessment.

Once the network traffic connections and data are in an analysable format, they are analysed with additional tools to determine what is being collected. Where data leaves the device, NCC Group also identifies the endpoint and the countries to which that data is sent. Where location data is present, it is compared to the actual location of the individuals conducting the assessment to determine how precise it is.
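The pipeline described above (intercept, normalise, classify, attribute a destination, and compare any reported location against the tester's real position) can be illustrated with a small script. The following is an added example and not NCC Group's bespoke system or any TikTok code: the captured request records, the field-to-category mapping, the IP-to-country table, the tester coordinates and the 1 km cut-off between "precise" and "approximate" are all constructed assumptions for the example, and the second record deliberately carries an exact coordinate so that both branches of the precision check are exercised (it does not reflect the assessment's findings).

```python
"""Toy data-collection analysis pipeline (added example, not NCC Group tooling).

Assumes intercepted requests have already been exported from an HTTP
intercepting proxy as JSON records: host, destination IP and the
(decrypted) request body.
"""
import json
import math

# Constructed sample records. Hosts use the reserved .test TLD and IPs come
# from the TEST-NET documentation ranges; none of this is real TikTok traffic.
CAPTURED_REQUESTS = [
    {"host": "app-log.example.test", "ip": "203.0.113.10",
     "body": json.dumps({"device": {"os_version": "14", "timezone": "Europe/Madrid",
                                    "install_id": "abc123"},
                         "location": {"latitude": 40.4, "longitude": -3.7}})},
    {"host": "api.example.test", "ip": "198.51.100.7",
     "body": json.dumps({"device": {"timezone": "Europe/Madrid"},
                         "location": {"latitude": 40.4168, "longitude": -3.7038}})},
    {"host": "cdn.example.test", "ip": "192.0.2.44", "body": ""},
]

# Hypothetical IP-to-country lookup; a real pipeline would query a GeoIP
# database or WHOIS data for each destination address.
IP_COUNTRY = {"203.0.113.10": "IE", "198.51.100.7": "US", "192.0.2.44": "DE"}

# Illustrative mapping from flattened field names to privacy-policy
# categories (assumption). Anything unmapped is flagged for manual review.
FIELD_CATEGORIES = {
    "device.os_version": "Technical Information",
    "device.timezone": "Technical Information",
    "location.latitude": "Approximate Location",
    "location.longitude": "Approximate Location",
}
DECLARED_CATEGORIES = {"Technical Information", "Approximate Location"}

# Actual position of the tester (constructed: central Madrid).
TESTER_LOCATION = (40.4168, -3.7038)
# Reported coordinates within this distance of the tester are treated as
# precise; the cut-off is an assumption chosen for the example.
PRECISE_RADIUS_KM = 1.0


def flatten(obj, prefix=""):
    """Yield (dotted.key, value) pairs for every leaf of a nested JSON object."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from flatten(v, f"{prefix}{k}.")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from flatten(v, f"{prefix}{i}.")
    else:
        yield prefix.rstrip("."), obj


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def analyse_request(req, tester_location=TESTER_LOCATION):
    """Classify one intercepted request: fields, categories, destination, location precision."""
    fields = dict(flatten(json.loads(req["body"]))) if req["body"] else {}
    categories = {FIELD_CATEGORIES.get(k, "UNCLASSIFIED") for k in fields}
    result = {
        "host": req["host"],
        "country": IP_COUNTRY.get(req["ip"], "UNKNOWN"),
        "fields": sorted(fields),
        "categories": categories,
        "undeclared": sorted(categories - DECLARED_CATEGORIES),
        "location_precision": None,
        "location_error_km": None,
    }
    lat, lon = fields.get("location.latitude"), fields.get("location.longitude")
    if lat is not None and lon is not None:
        err = haversine_km(lat, lon, *tester_location)
        result["location_error_km"] = err
        result["location_precision"] = "precise" if err < PRECISE_RADIUS_KM else "approximate"
    return result


def summarise(requests):
    """Aggregate per-request results into the questions the assessment asks."""
    results = [analyse_request(r) for r in requests]
    return {
        "countries": sorted({r["country"] for r in results}),
        "categories": sorted(set().union(*(r["categories"] for r in results))),
        "undeclared": sorted(set().union(*(r["undeclared"] for r in results))),
        "location_precision": [r["location_precision"] for r in results if r["location_precision"]],
    }


if __name__ == "__main__":
    print(json.dumps(summarise(CAPTURED_REQUESTS), indent=2))
```

The first record's coordinates are rounded to one decimal place and land about 1.9 km from the tester, so the classifier reports them as approximate; the second record reproduces the tester's exact position and is reported as precise; the third carries no body and contributes only a destination country. The unmapped `device.install_id` field surfaces as UNCLASSIFIED, which is the kind of item that would then be checked by hand against the privacy policy's broader categories.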


Findings

  • All data gathered by the application was described in TikTok's European Privacy Policy (1), either by explicit reference to the particular data entity or through broader data categories (for example, time zone settings are captured under the category of Technical Information)
  • The TikTok application on Android is configured to gather only approximate location, and precise location cannot be enabled.
  • On iOS, the default location setting is also approximate location, but the user can override this at the device level in iOS settings to allow precise location. However, runtime analysis showed that even with precise location enabled by the user in iOS settings, the application did not gather precise location.
  • On both iOS and Android, analysis of the data sent to the backend showed that it only included Approximate Location; the application did not gather precise location.
  • The TikTok application only accesses the clipboard when the user manually opens the copy/paste menu while using the TikTok application or manually copies text from the TikTok application.
  • During our assessment, data was found to be sent to endpoints in Belgium, France, Germany, Ireland, Poland, Portugal, Spain, the Netherlands, the United Kingdom and the United States.


(1) https://www.tiktok.com/legal/page/eea/privacy-policy/en