In 2025, in light of the US TikTok ban, ISL conducted an investigation into TikTok and the inherent privacy and safety risks in the app. In light of the recent announcement rehoming certain TikTok assets into the mostly (but not entirely) US-backed TikTok USDS Joint Venture LLC, we offer this updated analysis of the overall privacy risks for US citizens who use TikTok.
Understanding the programmatic privacy risks related to TikTok is more complex than just analyzing the TikTok iOS and Android apps. “TikTok” is more than a couple social media apps; it’s a portfolio of products owned and developed by a complicated network of US, Singapore, Chinese, and other entities. TikTok and its related entities have 66 mobile apps available on app stores worldwide and more than 16 on US app stores, including TV app stores (Google, Amazon, Samsung, and LG).
Additionally, our latest research shows that nearly 48,000 mobile apps share data with TikTok via TikTok’s published Software Development Kits (SDKs)[1]. Little has been discussed about the other TikTok apps, the 48,000 app developers’ duties or SDKs in general, vis a vis the Protecting Americans from Foreign Adversary Controlled Application Act.
The case of TikTok also exposes the confusion of complicated multinational corporate structures and issues of parent company access to digital assets. In this case, TikTok maintained several US companies such as ByteDance Inc., TikTok Byte Dance LLC, and TikTok Inc., all registered in California. But ByteDance Ltd. headquartered in China and registered in the Cayman Islands, is understood to be the ultimate parent of all the organizations[2]. According to CrunchBase, ByteDance Ltd. has 58 companies[3].
Now that TikTok’s corporate ownership is “safely” in the hands of a majority US-based owners, we revisit the reality of TikTok privacy risks under ownership of the new TikTok USDS Joint Venture LLC. We find very little has changed, and privacy risk has increased. Most strikingly, Bytedance Ltd. retains 19.9% ownership in the new venture. The new ownership also includes a UAE equity firm (15%) among mostly US-based others, two of which were (and remain?) stakeholders in Bytedance, Ltd. Oracle remains the cloud backend which it already was. Perhaps the most substantive change is that the US government has achieved its own kind of “golden share” of unfettered TikTok user data. In short, it might be the worst of all possible worlds.
Safety Risks of Social Media Platforms
Social media platforms pose several safety risks to users such as privacy risks, misinformation and disinformation risks, and risk of technology addiction. Privacy risk is multifaceted, with concerns about user data privacy (data sharing) as well as the platform’s AI-based translation of personal profiles into [ever smaller] micro-segments used for targeting, recommendations, and other predictive and decision-making functions. The latter behavior isn’t always recognized as a privacy risk, but it is perhaps the larger safety risk: pigeonholing people into undisclosed and unchangeable sensitive categories as designated and used (and shared?) secretly by the system. This risk is compounded by the fact that platform providers fail to disclose the extent to which the system can be manipulated either internally or by third parties to achieve political ends.
What is independently measurable when it comes to privacy risks? Data privacy with particular attention to data flow is readily measurable by independent auditors. Without access to the source code and architecture documents, it is extremely difficult to measure the inner logic of a machine learning system based on observable app and system behaviors.
What follows in this paper is a deep dive into measurable data privacy risks in TikTok apps as observed by the ISL team and an assessment of the overall safety risks
The original privacy concern unique to TikTok was that the Chinese government might have a 1% “golden share” in its parent company, ByteDance Ltd. thus enabling access to US Tiktok user data. But in 2023, TikTok claimed the Chinese government does not have access to it, and that it cannot compel ByteDance Inc. (a US company) to share data. It also denied that any user data was stored in China:
“Myth: Under its 2017 National Intelligence law, the Chinese government can compel ByteDance to share American TikTok user data.
Fact: TikTok Inc., which offers the TikTok app in the United States, is incorporated in California and Delaware, and is subject to U.S. laws and regulations governing privacy and data security. Under Project Texas, all protected U.S. data will be stored exclusively in the U.S. and under the control of the U.S.-led security team. This eliminates the concern that some have shared that TikTok US user data could be subject to Chinese law.
Myth: TikTok stores U.S. user data in China, where multiple Chinese nationals, including possible members of the CCP, have access to it.
Fact: As of June 2022, 100% of U.S. traffic is routed to Oracle and USDS infrastructure in the United States, and today all access to that environment is managed exclusively by TikTok U.S. Data Security, a team led by Americans, in America. We have begun the process of deleting historic protected user data in non-Oracle servers; once that process is complete, it will effectively end all access to protected U.S. user data outside of TikTok USDS except under limited circumstances.”[4]
In our privacy risk assessments of companies, ISL assumes that parent companies do indeed have access to the data of their child companies—just like they have access to other assets of child companies. Thus, parent company ByteDance Ltd. may have access to ByteDance, Inc. [the parent company of TikTok Inc.] and thus TikTok user data. But this remains an open—and larger—question regarding whether parent companies are entitled to access (read? monetize?) the data of the platforms that they own in whole or in part.
The US government, however, also has a record of attempting to gain access to personal data repositories through requests to corporations[5], through data brokers[6], and of course, through direct collection as performed by the NSA’s Prism program, surfaced by Edward Snowden in 2013[7]. The second Trump administration has exhibited an even more overt thirst for amassing and aggregating personal information[8] and weaponization[9] of it, including Attorney General Pam Bondi’s most recent demand for Minnesota’s voter rolls and welfare data as a condition for removing ICE from the state.[10]
Perhaps an even greater risk of TikTok and other social media platforms is the ungoverned proliferation of misinformation and disinformation that is deployed at scale, which can influence elections and threaten democracy, witness the social media platform X’s role in the 2024 US election.[11] An analysis of the impacts of misinformation and disinformation is beyond the scope of this paper but is mentioned due to its importance.
Privacy Risks in Social Media Platforms
Measurable Privacy Risks: How social media platforms collect and share personal information
When ISL assesses the overall privacy risk of an app, we use the traditional impact * likelihood calculation. Impact is based on the sensitivity of the information that an app collects. Likelihood is based on the amount personal information sharing and monetization performed by the app. It’s important to have a baseline understanding of the ways that social media platforms collect and share personal data.
Data Collection
Social media platforms collect data in several ways—note that these methods are used by a wide variety of apps and platforms; these are not unique to social media platforms:
From first party apps:
Volunteered by the user while using the app,
Observed user behaviors recorded by the app.
Through the integration of Software Development Kits (SDKs) provided by the social media platform into third party apps.
Through the social media platform’s tracking pixels incorporated on many third-party websites.
Data Collection by First Party Apps
Social media platforms collect extensive personal information by design and therefore build vast longitudinal records of so-called “personally identifiable information” (PII) about people and their social relationships, including family. TikTok (like most social media platforms) collects a great deal of sensitive information including location, unique identifiers for the device and the person, access to camera and photo library, access to microphone, browser history, and more.
The most sensitive information shared in social media platforms is personal location data, which can be obtained by the platform via multiple methods including directly from the device, volunteered by users either by their tagging locations or communicated textually. Precise geolocation is also provided in the metadata of photographs and videos unless it is disabled or removed.[12]
Some of the most sensitive information shared through social media platforms is photographs, and video and audio recordings. The information gleaned from photographs and videos conveys far more personal information than people may realize. Beyond the metadata automatically captured with photos and videos, information in the visual scene can include sufficient detail to indicate location and identify other people. TV shows playing in the background can convey preferences, as can books and magazines. Background photographs convey additional personal relationships and information. AI image recognition tools can automatically catalog all this information, allowing social media platforms to store it in ever deepening knowledge graphs.
But this isn’t the greatest risk: audio and video recording and photographs capture biometric data such as voice recordings. These files are increasingly risky also due to AI-forged voice and video recordings, and photographs.
Given that TikTok is a video sharing platform, one should assume that all video content and its metadata are being analyzed, catalogued, and datafied. Note that this isn’t unique to TikTok; all social media platforms are likely to be doing this.
We were interested to see how TikTok compared to Facebook when it comes to data collection. We used the iOS versions of the two apps to compare the permissions accessed by each app. As can be seen in Appendix B, assuming the Apple Privacy Labels are accurate, Facebook collects significantly more personally connected data, including health information.
Data Collection Through Software Development Kits
Every social media platform leverages the power of mobile app software developer kits (SDKs) to allow people to easily read and write from/to their network from other [non-TikTok] apps. SDKs are modules of code that can be integrated directly into any mobile app. Social media platforms usually have at least three freely available SDKs for app developers to use serving three distinct functions:
Login SDK: Allows people to log into an app using their social media credentials (typically called “federated ID”). From a privacy perspective, this functionality allows the social media platform to collect information about the variety of other apps a person uses. People may not realize how much sensitive information is gleaned from simply knowing the names of the apps—examples such as period tracker apps, dating apps, and other health care apps.
Share SDK: Allows people to share to their social media network from a myriad of other apps—not just the social media app.
Display Social Media Content SDK: Allows apps to display content from social media platforms directly in their apps. In the case of TikTok, this takes the form of an SDK that allows app developers to embed TikTok videos in their apps.
Since many social media platforms have their own ad networks, two other common SDKs are used to display ads from the social media company’s ad network and track advertising “events” to measure ad efficacy, etc.
It is important to highlight the privacy risk that SDKs have access to any data and permissions that the app has access to; examining the permissions of the apps including these SDKs is for future study.
TikTok: TikTok has all of these kinds of SDKs. According to AppFigures (a mobile analytics service), nearly 48,000 apps include TikTok SDKs. More than 47,500 of these apps are for use in the US (among other many other countries). Little has been mentioned of these 47,500 apps for use in the US. Presumably they were also governed by the US TikTok ban, but there were no reports of these apps disabling TikTok functions.
When we contemplate the privacy risks posed by TikTok, we must also consider that nearly 48,000 other apps are feeding personal information into TikTok servers. TikTok is vast personal data harvesting machine.[13]
Most apps that use the TikTok SDK are Android apps (47.3K) with only 521 iOS apps using it.
The apps that include the TikTok SDK have, in total, billions of downloads.
The apps are written by developers from all over the world.
The apps include education, sports, finance, weather, health and fitness, dating, communication and business apps.
1,755 (3.67%) of the apps are educational apps.
Nearly 10,000 of the apps that include the TikTok SDK are for children under the age of 18.
[14]
6,560 apps are rated either for “Everyone”, “4+” or “9+”.14
Data Collection Through Tracking Pixels and Cookies
TikTok has 7 tracking pixels[15] designed to be added to third-party websites. Per TikTok developer documentation, their pixels mainly collect data to understand ad performance, but the pixels collect more than just ad data.[16] The following data collected by TikTok tracking pixels are personally identifiable information:
IP address,
User agent,
Cookies – TikTok has first- and third-party cookies; the latter are on by default,
Metadata & button clicks, which, per the documentation, “can also be used to personalize ad campaigns for people on TikTok”, meaning the data is correlated and saved with TikTok user records.
Compared to Facebook which has 6 tracking pixels, TikTok pixels are found much less frequently in third-party sites (Table 1).
Table 1: TikTok and Facebook Trackers
Data Sharing
There are at least four channels for sharing data with and by social media platforms.
From the social media mobile app directly. Compared to other types of apps audited by ISL, social media apps like TikTok are generally less “leaky”, meaning that they mostly share collected personal information from the app with domains controlled by their corporate owners (also known as “first parties”). This is mainly because platforms like Facebook and TikTok have their own ad networks, so they don’t communicate with other adtech and martech platforms directly from the mobile app.
TikTok: ISL recently took a closer look at the communication in and out of the main TikTok mobile apps (iOS and Android versions). We tested using two profiles: one of an adult, and one of a child. Key questions were:
How much data “leakage” was happening, i.e. how much data was being shared with unexpected third parties?
What TikTok or ByteDance servers were involved, and what can we determine about the ownership and location of the servers?
In both test profiles, there was very little data “leakage” to spurious third parties. We observed only two third-party advertising related domains: (1) a cross-site Facebook tracker, and (2) a domain associated with the AppsFlyer SDK. Both of these make sense, as the app integrates Facebook SDKs for login and sharing, and also the AppsFlyer SDK (among others).
The communication was nearly 100% between the app and TikTok owned servers or obvious data processors for TikTok like Akamai. In terms of data sharing from the app, TikTok is very much like Facebook.
There were two TikTok and ByteDance domains in the network traffic, that do appear to be owned by the US based companies. Note that, despite multiple mentions that TikTok uses Oracle, we observed only one domain observed that was owned by Oracle.
Details on the communication to/from the app can be seen in the ISL Safety Labels for the apps:
Android TikTok app:
https://appmicroscope.org/app/1729/
iOS TikTok app:
https://appmicroscope.org/app/1728/
But Wait, There’s More
People may think that there are only a few TikTok apps available. This is not the case[17]. According to AppFigures, there are 66 apps provided by TikTok or its related entities, worldwide, up from 47 in 2025 [18]. Of those, 32 TikTok apps are available in the US. In the US there are TikTok apps available for Android TV, Amazon, LG TVs and Samsung TVs as well. There are also:
a wallpaper app called “TickTock – TikTok Live Wallpaper” with an estimated 100M downloads worldwide5
a “lifestyle/social” app called Lemon8 – Lifestyle Community with an estimated 10M downloads worldwide5
and a shopping app called “TikTok Shop Seller Center” with an estimated 10M downloads worldwide.
The TV apps present a serious privacy concern as they may collect viewing history; it would be prudent to assume they do. The TikTok for Android TV app has an estimated 10M downloads.
Also of particular concern are two VPN apps, which would have access to all network traffic to and from the phone. Neither appear to be available in the US, and if they were ISL would recommend staying away from them.
See Appendix A for a list of the TikTok apps available in various app stores worldwide.
Via Software Developer Kits (SDKs): As mentioned earlier, SDKs have access to all the data the encompassing app has access to. Since these apps may read data from the social media platform to present to the users of their app, they also have access to the user’s social media content. The apps are bound, however, by the developer agreement terms established by the SDK provider which prohibit such use, as TikTok’s does
[19].
From the social media company [servers] to Customer Data Platforms and Identity Resolution Platforms: Social media platforms often share bulk personal data with marketing and advertising platforms called Customer Data Platforms (CDPs) and Identity Resolution Platforms (IDRPs). This is accomplished using the CDP’s or IDRP’s published application programming interfaces (APIs), which communicate server-to-server, not from the mobile app. Customer Data Platforms and Identity Resolution Platforms are platforms designed to ingest and share personal information at scale. ISL has identified over 300 such companies
[20] worldwide and continues to research them to determine risks to consumers of this commercial surveillance infrastructure. For instance, nearly 40% of identity resolution platforms are registered data brokers and it’s likely more of them should be registered as data brokers. One of the key objectives of this commercial surveillance infrastructure is to personalize the experience of all “visitors”—i.e. not just existing customers but anyone who visits a website
[21].
TikTok: TikTok does indeed have at least one such integration with an identity resolution platform: LiveRamp, one of the largest identity resolution platforms. TikTok likely has other integrations that would be performed by back-end servers.
Through advertising: Since TikTok has its own ad network, it is also capable of receiving personal information directly from the real-time bidstream (RTB).
How Large of a Privacy Risk is TikTok, Used as Intended?
From a commercial surveillance perspective, TikTok may be less risky than Facebook, for example, which has access to and uses much more personal and sensitive information for 3rd party advertising and its own purposes (see Appendix B).
From a government surveillance perspective, there is a non-zero risk that user data was combined across all ByteDance Ltd. properties. There was also a non-zero risk that TikTok user data was accessible by the Chinese Communist Party (CCP). ISL is unable to further quantify the risk based on publicly available information. These risks now apply to the US government.
TikTok in Education & Social Engineering Data Breaches
TikTok is widely used in classrooms in the US and around the world as a teaching and engagement tool. As noted earlier, the TikTok SDK is also integrated into more than 1700 education apps. Teachers find the platform to be a good way to communicate with students, and to inspire creativity[22]. At the time of this writing there were 5.9M TikTok posts tagged #teachersoftiktok, illustrating the level of teacher use of TikTok[23]. TikTok also funded a “Creative Learning Fund” with $50M in 2020.[24]
Social Engineering-Facilitated Data Breaches
Note that the use of TikTok has been connected to at least one school district data breach[25]. Any accessible data on social media platforms can be used in social engineering-based security attacks.
Digital Assets and Corporate Ownership
There are three key questions with respect to corporate ownership of a restructured TikTok: (1) where are the servers located and which country’s data privacy laws apply, (2) will ByteDance Ltd. retain access to the TikTok data/ training set, and (3) how much access do all owners have to the personal data repository?
Corporate Ownership
Corporate ownership—in part or whole—means having access to the assets of the company including access to the digital assets, such as databases of personal information amassed by the company’s products and services.
In 2023 there was considerable confusion over both the corporate ownership of TikTok and the Chinese government’s access to TikTok user data. Sources including TikTok[26] and Poynter[27] explained that ByteDance Ltd., a Cayman Islands registered company based in China, was majority owned (60%) by a worldwide consortium of equity partners, including large at least two named US private equity firms (Susquehanna International Group and General Atlantic); 20% was owned by the founder, Zhan Yiming, a private individual living in China, and 20% was employee owned by TikTok employees around the world. What was less clear, however, was whether the Chinese government owned a 1% “golden share”. TikTok’s explainer9 indicates that the Chinese government did not own a 1% in ByteDance, but in ByteDance subsidiary, Douyin Information Service Co., Ltd. Presumably, Douyin Information Service Co., Ltd was not included in the sale of TikTok to newly formed TikTok USDS Joint Venture LLC and remains with ByteDance Ltd. While the US Digital Services (USDS) is part of the entity name, the US is reported to not have a stake in the venture. It is disturbing that a government agency is named in the new venture. We have every reason to assume that data sharing with the US government was a condition of the sale.
Figure 1 below shows the estimated ownership by country location in 2023 and 2026[28]. Of note, Chinese-based ownership appears unchanged in size, but importantly, in 2023, 20% was owned by Zhang Yiming and now ByteDance Ltd. owns about 20% of the company. The authors are not legal experts but this sustaining partial ByteDance Ltd. ownership leaves open the original concerns about the CCP’s access to US citizens’ data.
The chart makes some assumptions about the distribution of ownership based on publicly available information. We don’t know how much of the 40% of worldwide owners (in 2023) were equity firms based in the US. It is possible that the 2023 US ownership was higher than 40%, possibly even higher than 50%.
Figure 1: Estimated TikTok ownership 2023 and 2026
Digital Assets
Based on our analysis it appears that TikTok is a relatively separate infrastructure, including at least three separate TikTok corporate entities noted earlier, but we can’t be sure that there isn’t a centralized or even decentralized but networked user database.
Cloud Storage
Ostensibly, the original TikTok-related executive order was largely fueled by concern over where user data was stored and who had access to it. Reports vary, but TikTok has been using Akamai, a US company, as a content delivery network for TikTok since about 2020 and possibly as early as 2016. Our research confirms network traffic to Akamai servers.
Oracle began providing secure cloud storage technology to TikTok Global in 2020[29] including a 12.5% stake in TikTok Global. We do not know however if data was shared extraterritorially.
The most important privacy issue here, however, is that Oracle is a registered data broker in states that require such registration, meaning that it monetizes the sale of personal information, including location information. Companies that monetize personal information have an incentive to harvest as much personal information as possible and there is an open class action suit against Oracle’s data collection and selling practices.[30]
Can a data broker be the “trusted” entity to ensure the integrity of vast amounts of sensitive personal information? Perhaps this has never been about the safety and privacy of the data.
Whose data do TikTok owners have access to?
The TikTok sale press release implies that the sale only covers the US market, the “more than 200 million Americans and 7.5 million businesses” that use TikTok[31]. Presumably, the non-US markets’ data and technology assets stay with ByteDance Ltd. Recent TikTok user numbers show Chinese TikTok (called Douyin) users comprise nearly half of the 1.5B monthly TikTok users. https://www.statista.com/statistics/1299807/number-of-monthly-unique-tiktok-users/
Table 2: TikTok Users (Source: Statista[32])
Conclusions
Troves of personal information are risky for consumers in any corporation’s hands. No current regulation prevents this from happening. Additionally, no regulation adequately prevents the commercial trading of personal information. Until these are addressed, consumers and nation states face unreasonable risks of sensitive information such as location data being systematically shared with data brokers and thus, being available for sale to anyone who wants it, including adversary countries. Social media platforms of all kinds should hold a duty of loyalty to the data subject for the personal information they retain, but they currently do not. Therefore, social media platforms present unique risks due to the volume of highly sensitive personally identifiable information they hold.
Is it reasonable to suggest that a US company is a better corporate custodian of a massive trove of personal information? Certainly, ensuring that US citizens’ data stays out of the hands of any foreign government is worthwhile. Whether or not that’s possible in the current reality of hundreds of networked, global commercial surveillance entities is an open question with a likely depressing answer of, “No.” Additionally, the US doesn’t currently have a federal privacy law, and the US-based technology industry continues to operate in a general spirit of lawlessness (e.g. training machine learning models with scraped data).
Is the new ownership a safer configuration for people as both consumers and citizens? No. With nearly 20% ByteDance Ltd. ownership in the joint venture, the new structure fails to eliminate concern over the Chinese government having access to the data of US citizens. Moreover, now a UAE based private equity firm also has ownership (15%) and access to the assets. It’s unclear precisely how connected to the US government the new venture is, but it seems clear given this administration’s behaviors over the past 12 months that the new joint venture facilitates use of citizen data by the US government. Finally, Oracle, a data broker with a spotty privacy reputation is now the primary authority for data privacy over the personal information of hundreds of millions of US citizens. TikTok has already changed its privacy policy to collect precise (instead of just coarse) location data[33], and to collect “AI interactions”.[34]
Overall, what has changed with the sale of select TikTok assets to the new TikTok USDS Joint Venture LLC? If the previous ownership by ByteDance Ltd. was truly the reason for fearing CCP access to US TikTok users’ data, that threat remains with ByteDance Ltd. retaining 19.9% ownership in the joint venture. It is hard to not regard this years’ long campaign as anything other than a money, personal data, and power enrichment strategy for select US tech oligarchs and the US government. This administration’s unrestrained thirst for personal data—from DOGE, to Palantir, to Flock—is strong evidence that TikTok data will be used in support of the administration’s militarized “remigration” and government propaganda purposes, further destabilizing the US’s withering democracy.
Appendix A – TikTok Apps Available Worldwide
Table 3: TikTok Apps in 2025
Table 4: TikTok Apps in 2026
Appendix B TikTok vs. Facebook iOS App Permission
B.1 DATA USED TO TRACK YOU
B.2 DATA LINKED TO YOU
B.2 DATA NOT LINKED TO YOU
[1] Data obtained from AppFigures https://appfigures.com/
[2] Laura He, “Wait, is TikTok really Chinese?”, CNN, March 28, 2024, https://www.cnn.com/2024/03/18/tech/tiktok-bytedance-china-ownership-intl-hnk/index.html
Note that TikTok asserts that Bytedance Ltd. is not strictly based in China:
“Myth: TikTok’s parent company, ByteDance Ltd., is Chinese owned.
Fact: TikTok’s parent company ByteDance Ltd. was founded by Chinese entrepreneurs, but today, roughly sixty percent of the company is beneficially owned by global institutional investors such as Carlyle Group, General Atlantic, and Susquehanna International Group. An additional twenty percent of the company is owned by ByteDance employees around the world, including nearly seven thousand Americans. The remaining twenty percent is owned by the company’s founder, who is a private individual and is not part of any state or government entity.” “Myth vs Facts”, TikTok U.S. Data Security, https://usds.tiktok.com/usds-myths-vs-facts/ , accessed on 2/2/25.
[3] https://www.crunchbase.com/hub/bytedance-portfolio-companies
[4] “Myths vs Facts”, TikTok U.S. Data Security, https://usds.tiktok.com/usds-myths-vs-facts/, accessed on 1/26/26.
[5] https://www.forbes.com/sites/emmawoollacott/2024/08/28/us-government-requests-most-user-data-from-big-tech-firms/
[6] Elizabeth Goitein, “The Government Can’t Seize Your Digital Data. Except by Buying It.” Brennan Center for Justice, April 28, 2021, https://www.brennancenter.org/our-work/analysis-opinion/government-cant-seize-your-digital-data-except-buying-it
[7] Glenn Greenwald and Ewen MacAskill, “NSA Prism program taps into user data of Apple, Google and others”, The Guardian, June 8, 2013, https://www.theguardian.com/world/2013/jun/06/us-tech-giants-nsa-data
[8] https://www.brookings.edu/articles/privacy-under-siege-doges-one-big-beautiful-database/
[9] https://www.404media.co/ice-taps-into-nationwide-ai-enabled-camera-network-data-shows/
[10] https://www.democracynow.org/2026/1/26/headlines/attorney_general_bondi_demands_access_to_minnesotas_voter_rolls_and_welfare_data
[11] Kanishka Singh and Sheila Dang, “Musk and X are epicenter of US election misinformation, experts say”, Reuters November 4, 2024, https://www.reuters.com/world/us/wrong-claims-by-musk-us-election-got-2-billion-views-x-2024-report-says-2024-11-04/
[12] This can and should be disabled. Instructions are readily found through an internet search.
[13] For comparison purposes: more than 414,000 apps include Facebooks four SDKs: 311.7K apps include Facebook Login, 275.5K apps include Facebook Share, 139.9K apps include Facebook Ads. Source: Appfigures, accessed 1/26/26.
[14] Per the app store content rating.
[15] https://www.ghostery.com/whotracksme/search
[16] https://ads.tiktok.com/help/article/tiktok-pixel
[17] Jake Peterson, “All the Apps ByteDance Operates in the US: It’s not just TikTok”, LifeHacker, January 29, 2025. https://lifehacker.com/tech/apps-bytedance-operates-in-united-states
[18] Includes TikTok Ltd., TikTok Pte. Ltd, and Tsingtao TikTok Information Technology Company Limited; AppFigures, accessed on February 2, 2025.
[19] “TikTok Developer Terms of Service”, Last modified March 21, 2024, TikTok, https://www.tiktok.com/legal/page/global/tik-tok-developer-terms-of-service/en
[20] https://internetsafetylabs.org/resources/references/identity-resolution-and-customer-data-platform-companies/
[21] Lisa LeVasseur, “Worldwide Web of Human Surveillance: Identity Resolution and Customer Data Platforms”, Internet Safety Labs, https://internetsafetylabs.org/wp-content/uploads/2024/07/Worldwide-Web-of-Human-Surveillance-Identity-Resolution-and-Customer-Data-Platforms.pdf
[22] Deidre Olsen, “TikTok in the Classroom: The Good, The Bad, and the In-Between”, TEACH Magazine, May/June 2023 Issue, https://teachmag.com/archives/22904 ; “How to Use TikTok to Engage Students in Learning”, Children’s Health Council, https://dev.chconline.org/resourcelibrary/how-to-use-tiktok-to-engage-students-in-learning/
[23] https://www.tiktok.com/tag/teachersoftiktok
[24] https://newsroom.tiktok.com/en-us/investing-to-help-our-community-learn-on-tiktok
[25] Internet Safety Labs, “Another School District Hacked”, Internet Safety Labs, November 16, 2023, https://internetsafetylabs.org/blog/research/another-school-district-hacked/
[26] https://newsroom.tiktok.com/the-truth-about-tiktok?lang=en-AU
[27] https://www.poynter.org/fact-checking/2024/who-owns-tiktok-bytedance-china-ban/
[28] https://www.nytimes.com/2026/01/22/business/media/tiktok-investors-oracle-mgx-silver-lake-bytedance.html#:~:text=What’s%20notable?,to%20comment%20on%20its%20investment.
[29] https://www.oracle.com/news/announcement/oracle-chosen-as-tiktok-secure-cloud-provider-091920/
[30] In 2024, Oracle settled a class action suit alleging that the company “improperly captured, compiled and sold individuals’ online and offline data to third parties without obtaining their consent.”[30] The settlement has been appealed and the case is ongoing.
[31] https://usdsjv.tiktok.com/
[32] https://www.statista.com/statistics/1299807/number-of-monthly-unique-tiktok-users/
[33] Note that the app nutrition label in the Apple store still only notes coarse location data collection.
[34] https://www.wired.com/story/tiktok-new-privacy-policy/
The post TikTok’s Real Privacy Risks appeared first on Internet Safety Labs.
