TikTok - Defensive Computing

TIKTOK

I have no personal experience, with TikTok.

March 2, 2023: TikTok spies on people much like Facebook does. We Found 28,000 Apps Sending TikTok Data. Banning the App Won't Help. by Thomas Germain for Gizmodo
--"Joe Biden gave federal agencies 30 days to remove TikTok from government devices earlier this week. Until now, most politicians intent on punishing TikTok have focused solely on banning the app itself, but ... federal agencies must also 'prohibit internet traffic from reaching the company.' That’s a lot more complicated than it sounds."
-- The article is wrong about this, for a competent techie this is not difficult at all. DNS makes it fairly easy, more on this below.
--"Gizmodo has learned that tens of thousands of apps ... use code that sends data to TikTok. Some 28,251 apps use TikTok’s software development kits, (SDKs), tools which integrates apps with TikTok’s systems - and send TikTok user data" Many websites also send data to TikTok.

December 22, 2022. TikTok Spied On Forbes Journalists by Emily Baker-White for Forbes. The author covers TikTok. She was leaked information about the company from someone who works there. TikTok did not like what she wrote, so they set out to find her source. They spied on her location, and then, after another leak, they lied about doing this. One way they tracked the reporter's location was by her public IP address, so use a VPN when using TikTok. And, as the section below says, use their website rather than their app to limit the amount of spying they can do. Make sure that either the browser or the Operating System has no access to your location. That means, using a VPN from an Ethernet-connected device. If the device supports WiFi or GPS, turn them both off.

USE THE WEBSITE, NOT THE MOBILE APP
1. TikTok Browser Can Track Users' Keystrokes, According to New Research by Paul Mozur, Ryan Mac and Chang Che for the New York Times (August 2022). Quoting: "The web browser used within the TikTok app can track every keystroke made by its users, according to new research ..."
2. More on this from Felix Krause: iOS Privacy: Announcing InAppBrowser.com - see what JavaScript commands get injected through an in-app browser (August 2022).
3. FBI director says he's 'extremely concerned' about China's ability to weaponize TikTok by Suzanne Smalley for Cyberscoop (November 2022). Quoting: "Chinese companies are forced to 'basically do whatever the Chinese government wants to do in terms of sharing information or serving as a tool of the Chinese government ... APIs in TikTok could be harnessed by China to control software on millions of devices, meaning the Chinese government could conceivably technically compromise Americans' personal devices ... China could 'control data collection of millions of users or control the recommendation algorithm, which can be used for influence operations.' "
4. If you do use the website, do it in private browsing mode. Better still, use a Chromebook in Guest Mode.
The safest first step is to use the tiktok.com website without having an account.
CREATE AN ACCOUNT WITH MAXIMUM PRIVACY
1. Instead of your regular/main email account, use one that is auto-forwarded and not used anywhere else. For more on this see, the page on multiple email addresses.
2. Do not give TikTok your phone number, it is not needed to create an account.
3. Do not put your real name in your profile
4. Give you account a nickname that is not used anywhere else
SETTINGS FOR MAXIMUM PRIVACY
1. Make your account Private so that you can approve who follows you: Settings and Privacy -> Privacy -> turn on Private Account
2. Make it hard for people to find you: Settings and Privacy -> Privacy -> Suggest Your Account to Others -> Turn off the four toggles
3. Hide the people that you follow: Settings and Privacy -> Privacy -> Safety section -> Following List -> Only Me
4. Hide the videos you like: Settings and Privacy -> Privacy -> Safety section -> Liked Videos -> Only Me
5. Ad Personalization: Settings and Privacy -> Privacy -> Ads Personalization -> Use of Off-TikTok Activity for Ad Targeting -> turn off
6. Do not share your contacts/friends: Settings and Privacy -> Privacy -> Sync Contacts and Facebook Friends. In addition, both Android and iOS should let you block the app from being able to access your contacts.
Turns Out TikTok Does Have an Alarming Level of Access to Your Phone by Asha Barbaschow (July 2022). TikTok requests almost complete access to the contents of a phone while the app is in use. That data includes calendar, contact lists and photos.
Senators Ask FTC to Investigate TikTok for Deceptive Conduct Regarding Chinese Access to U.S. User Data by Raquel Leslie and Brian Liu for Lawfareblog.com (July 2022)
TikTok privacy settings to change now by Heather Kelly for the Washington Post (January 2022). The social media app is all about your personal data, likes and habits. Here’s how to limit what it gathers about you. Focused on the mobile app, not the website.
TikTok Is Watching You - Even If You Don't Have an Account by Riccardo Coluccini for Vice (January 2021). The reporter submitted a request under the GDPR, and was shocked to see what data the app had been recording. No defense offered. You can ask TikTok for the data it has on you. In the mobile app: Settings -> Privacy -> Download your Data.
A TikTok Quick Guide for Parents from Connect Safely (2 page PDF). Last Updated May 2021
Privacy and Security on TikTok from TikTok. Undated.
BLOCKING TIKTOK
1. If you can control DNS, then block not only tiktok.com and www.tiktok.com, but also block ads.tiktok.com and analytics.tiktok.com.
2. If you can control DNS generically, then block these domains, as per Steve Gibson in his Security Now podcast from March 7, 2023
  *.tiktok.com
  *.tiktok.org
  *.tiktokv.com
  *.tiktokcdn.com
  *.musical.ly
  *.p16-tiktokcdn-com.akamaized.net
  *.TikTokcdn-com.akamaized.net