Tick tock goes the clock. It seems that every day we find more examples of the ways some of the most popular social media apps are collecting data on users. Now TikTok itself seems to be wound up pretty tight about allegations they’re keylogging users using code found inside the in-app browser.
Krause shows his homework, relaying exactly what code he found that relates to keylogging. Any handlers registered for “keypress” or “keydown” events track key presses. “Unload” events fire when you navigate from one page to another, which means the app knows when you’ve moved on.
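To check which of these listeners a page ends up with, the sketch below records every registration of the three event types named above. It is an added example, not Krause's tool or TikTok's code; `WATCHED` and `auditListeners` are names made up for it.

```javascript
// Event types named in the article; extend the set to audit others.
const WATCHED = new Set(["keypress", "keydown", "unload"]);

// Wraps addEventListener so each watched registration is logged with its
// target, capture flag and the call site that registered it.
// Limits: listeners added before this runs, or assigned through on*
// properties (e.g. onkeydown), are not seen.
function auditListeners(TargetClass = EventTarget) {
  const proto = TargetClass.prototype;
  const originalAdd = proto.addEventListener;
  const findings = [];

  proto.addEventListener = function (type, listener, options) {
    // A bare addEventListener(...) call in strict code has no `this`.
    const self = this ?? globalThis;
    if (WATCHED.has(type) && listener) {
      const capture =
        typeof options === "boolean" ? options : Boolean(options && options.capture);
      // Stack frame 2 is the caller of addEventListener.
      const frame = (new Error().stack || "").split("\n")[2] || "unknown";
      findings.push({
        type,
        target: self.constructor ? self.constructor.name : "unknown",
        capture,
        origin: frame.trim(),
      });
    }
    return originalAdd.call(self, type, listener, options);
  };

  return {
    findings,
    // Count of registrations per watched event type.
    summary() {
      const counts = {};
      for (const f of findings) counts[f.type] = (counts[f.type] || 0) + 1;
      return counts;
    },
    // Put the original method back once the audit is done.
    restore() {
      proto.addEventListener = originalAdd;
    },
  };
}

// Usage: const audit = auditListeners(); ...load the page...
// then inspect audit.summary() and audit.findings.
```

Run it before any other script on the page; the `origin` field then shows which script registered each listener.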
“One of the common factors is they don’t want you to go off the platform,” Lightman said. “Users often don’t find their way back, and [TikTok] can’t collect data when it wants to monetize the platform… this is how they monetize information—by collecting more of users’ needs, wants, and personality profiles.”
They have even said that daring to direct users to browsers outside their app would just be a bad experience for users, which is of course a very condescending argument that forgets anybody who owns their own device can choose to download whatever browser they think works best for them.
Lightman was also skeptical of TikTok’s reasoning here, though. Companies like the ByteDance-owned TikTok are “very adept at developing machine learning models. These things [like the company’s SDK] get tested, analyzed, and scrutinized very heavily,” which means the idea that TikTok would just leave this code in there without using it “is a hard one to swallow.”
In a tweeted statement last week, Meta spokesperson Andy Stone wrote that the researcher’s claims “misrepresent” how Meta’s in-app browsers work.
Apple did not immediately respond to Gizmodo’s request for comment on whether it would change any of its iOS features to restrict apps from including keylogging scripts or otherwise stop apps from hiding the fact that they were running such code.
TikTok has already taken massive amounts of heat from proponents of internet privacy and from lawmakers on both sides of the aisle (though, as you can expect, it’s for different reasons) after reports alleged TikTok staff were aware that U.S. data was being collected by Chinese government officials. A recent report from Gizmodo based on internal documents showed TikTok has been working overtime to downplay their new identity as the company that offers up user data to the giant data-collecting maw that is Beijing. Lawmakers on Capitol Hill could be on the verge of passing a massive data privacy law, but some are skeptical it will pass before deadlines close in.
“In the future we’re going to see privacy legislation and more auditing legislation to verify this,” Lightman said. “Within a verified platform, if they’re doing it for economic reasons, they have to stipulate that, if they’re doing it for user experience, that’s fine too. It’s being opaque with the rationality that gets people to say ‘wait a minute…’ You have to be open with what your plans are.”