When TikTok first exploded onto the scene, it was celebrated as a new kind of social media—short, addictive videos powered by an algorithm that seemed to know you better than you knew yourself. But behind the entertainment lies a different story: TikTok is also one of the most aggressive data collectors among major apps, and its parent company’s location in Beijing has raised persistent concerns about who ultimately controls that information.
How TikTok Gathers Data
Like any social platform, TikTok requires some basics: your name, birthday, email address or phone number. But the collection does not stop there. The app identifies your device, tracks your IP address, notes your mobile carrier, and fingerprints your hardware. Researchers have also documented its ability to monitor keystroke inputs and Wi-Fi details in ways that go beyond what’s necessary for a video feed.
What truly sets TikTok apart is how carefully it records behavior. Every video you watch, how long you linger, whether you pause or replay, the speed of your scrolling—these small signals are harvested to build a model of your interests. The famous “For You” page doesn’t appear by magic. It is driven by one of the most sophisticated surveillance-based recommendation systems ever deployed at scale. This system is not unique in kind—Facebook, YouTube, and others do the same—but TikTok’s intensity and success with teenagers and young adults make it more powerful than most.
The Question of Biometrics
Less obvious, and more troubling, is the company’s policy on biometrics. In the United States, TikTok admits that it “may” collect faceprints and voiceprints for features such as filters or effects. While the company stresses that this data is used locally, the wording leaves the door open for much broader use. Privacy advocates argue that once biometric data is captured, it is almost impossible to guarantee it will never be repurposed.
ByteDance, TikTok’s Chinese parent, has repeatedly promised that American user data is stored in the United States. Under a program known as “Project Texas,” U.S. operations are supposed to run separately, with Oracle and American regulators providing oversight. Yet evidence has shown that data flows are not so easily contained. Although TikTok claims “all new U.S. user data” since July 2022 is stored in Oracle’s U.S. cloud, ByteDance employees in China have remotely accessed U.S. user data as late as 2022–2023.
Internal reporting revealed that ByteDance employees in China accessed U.S. user data through an internal platform called Lark. In 2023, the Department of Justice alleged that sensitive data, including information about Americans’ views on religion, abortion, and gun rights, had been collected and viewed by Chinese-based staff. Even if TikTok’s corporate spokespeople insist those episodes were mistakes, they show the difficulty of enforcing strict borders between databases.
Regulators Respond
These concerns are not just hypothetical. In Europe, TikTok was fined roughly $600 million for improperly transferring user data to China in violation of the EU’s privacy law. In Washington, Congress passed the Protecting Americans from Foreign Adversary Controlled Applications Act in 2024, giving the president the authority to ban or force the sale of apps like TikTok if they are deemed a national security risk.
TikTok has challenged these measures in court, and the legal fight continues. But the fact that a consumer video app has reached this level of geopolitical importance underscores how much more is at stake than silly dances or comedy skits.
TikTok’s Defense
To its credit, TikTok does not hide what it collects. The company’s U.S. privacy policy is clear—if lengthy—about categories of data, including device identifiers, browsing behavior, and even biometric information like faceprints and voiceprints. Executives stress that no evidence has ever shown TikTok directly funneling U.S. data to Beijing for government intelligence. They also argue that the company’s practices mirror what Silicon Valley firms like Meta or Google have long normalized.
But context matters. TikTok’s parent company, ByteDance, is based in China, where several national laws give the state sweeping authority over data and corporate behavior. As detailed in September 2024 testimony before the U.S. Senate Homeland Security Committee, the following laws collectively compel Chinese firms and citizens to cooperate with state intelligence and restrict the flow of data abroad:
- The National Intelligence Law of 2017 requires all organizations and citizens to “support, assist and cooperate with state intelligence work.”
- The Counter-Espionage Law, first passed in 2014 and revised in 2023, prohibits organizations from refusing requests for assistance in investigations, while broadening the definition of what counts as espionage.
- The Data Security Law of 2021 expands the Chinese Communist Party’s control over companies and their data, including how and whether data can flow outside China.
These legal frameworks mean that even if TikTok executives in Los Angeles or Singapore wanted to resist sharing data, ByteDance could still be compelled by the Chinese government. U.S. officials cite this point, warning that the risk is structural, not about catching TikTok in the act.
Where Legally Required . . .
Meanwhile, in the United States, the legal safeguards are patchy. TikTok’s own policy admits it may collect biometric identifiers “such as faceprints and voiceprints” and that it will only seek consent “where required by law”. Only a handful of states—Illinois, Texas, and Washington—have biometric privacy statutes that force companies to ask permission first. Illinois’s Biometric Information Privacy Act (BIPA) is considered the most stringent, requiring informed written consent before collection. But in most states, including Vermont, there is no such requirement. Vermont recently passed a Consumer Data Privacy Act, set to take effect in 2026, but it does not impose explicit restrictions on biometric data.
In practice, this means that a Vermont user can open TikTok, record a video, and have their facial and voice data processed without any special prompt for consent. Combined with ByteDance’s obligations under Chinese law, it highlights why American lawmakers continue to question whether U.S. user data can truly be walled off from foreign access.
What This Means for Users
So, what is the truth? TikTok is not spyware in the science-fiction sense—it doesn’t secretly activate your microphone or camera without permission. But it is a highly optimized data-collection engine that extracts vast amounts of behavioral, device, and even biometric information. And while most of that is used for advertising and recommendation, the track record shows that walls between U.S. and Chinese access have not always held.
For the average user, the decision comes down to trade-offs. If you install TikTok on your main phone, you are giving the company extraordinary insight into your habits. Using the web interface or a separate device can reduce the risk. But short of abstaining entirely, there is no way to guarantee that the data you generate on TikTok will never be viewed abroad.
The bottom line: enjoy TikTok if you like, but do so with eyes open. Understand that the platform is not free in the usual sense—it is paid for with information about you. And in TikTok’s case, that information may be traveling further than you realize.
Dave Soulia | FYIVT