Proton

TikTok’s in-app browser can track every button or link you tap and every keystroke you type, according to an iOS Privacy review article(new window) from tech privacy researcher Felix Krause. This goes beyond the standard data collection we’ve sadly come to expect from social media apps in this age of surveillance capitalism. The idea that one of the largest social media platforms in the world has the capacity to monitor and record every single thing you type is shocking. 

You should avoid in-app browsers

Pervasive tracking is unfortunately standard in many in-app browsers. In an earlier review of Facebook and Instagram in-app iOS browsers(new window), Mr. Krause discovered that they insert JavaScript code into the websites you visit, allowing them to create commands that alert it to all of your activity. Using this injected code, these browsers can track “every button and link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses, and credit card numbers”, according to Mr. Krause. However, these apps at least let you open links using your default browser.

TikTok’s in-app browser goes even further. It inserts JavasScript code to track all your interactions with a website, just like Facebook and Instagram, but it can also track your individual keystrokes. And unlike Instagram and Facebook, TikTok doesn’t give you the option to open links using your default browser. If you follow a link in TikTok, you must use its in-app browser (or copy the link and paste it into your default browser).

What does TikTok say about its keylogging?

TikTok confirmed that the features Mr. Krause found exist but said they do not actively monitor or record user activity or keystrokes.

“Like other platforms, we use an in-app browser to provide an optimal user experience, but the JavaScript code in question is used only for debugging, troubleshooting and performance monitoring of that experience — like checking how quickly a page loads or whether it crashes”, said TikTok’s spokesperson Maureen Shanahan in a statement to Forbes(new window).

Essentially, TikTok is admitting that it can track all your activity and keystrokes anytime it wants — it simply has chosen not to, and it’s asking us to trust that it won’t.

TikTok’s privacy problems

TikTok’s record doesn’t indicate that it has earned this level of trust. The discovery of keylogging is the latest in a series of privacy-related scandals that have plagued TikTok, the first Chinese social media platform to be used globally. 

All of these scandals spring from TikTok’s two core issues with privacy: 

  • It collects vast amounts of data.
  • it can be forced to share that data with the Chinese government on a whim. 

TikTok’s data overreach

The idea of a service’s in-app browser containing malware-like keyloggers might be shocking, but not if you read through TikTok’s US privacy policy(new window). Under “Information We Collect Automatically”, not only does it explicitly state that it can collect “keystroke patterns or rhythms”, it also includes: 

  • Your age range, gender, and interests — data TikTok infers “based on the information we have about you”
  • Your device’s IP address
  • Your search history on the platform
  • Your mobile carrier
  • Your device ID
  • Your connected audio devices
  • Your device’s operating system
  • Your time zone settings
  • The names and types of the files stored on your device

The US privacy policy also states that it “may also associate you with information collected from devices other than those you use to log-in to [TikTok]”. In other words, TikTok reserves the right to monitor information on devices it can tie to you even if you don’t use TikTok on that device. This is only a portion of the data the platform collects, but it is emblematic of the company’s drastic data surveillance overreach.

TikTok has already faced legal battles over its reckless approach to data collection. In 2021, the company agreed to a $92 million settlement(new window) to resolve a class-action lawsuit that alleged it collected data from 89 million US citizens, including minors, without their consent. This information was then shared with third parties, some of which were based in China. 

The Chinese government’s access to data

As we discussed in our previous article on TikTok(new window), TikTok is owned by ByteDance, a multi-billion dollar company based in China. Under China’s 2017 National Intelligence Law(new window), the Chinese government can compel any Chinese company to share any information it has on its users. 

In response to concern from Washington, TikTok began storing its US users’ information in data centers located in the US in 2021, hypothetically putting it outside the reach of the Chinese Communist Party. Dubbed “Project Texas(new window)”, it was ByteDance’s attempt to reassure US regulators that it takes data privacy seriously. 

In June 2022, however, BuzzFeed(new window) reported that leaked audio from over 80 internal TikTok meetings revealed that US user data was repeatedly accessed by ByteDance’s China-based employees. Excerpts from these conversations include “Everything is seen in China”, and “I feel like with these tools, there’s some backdoor to access user data in almost all of them, which is exhausting”.

How you can protect your privacy

If you’re worried about TikTok or Meta surveilling your online activity using their in-app browsers, your best step is to avoid them entirely. This isn’t as hard as it may sound, because Instagram and Facebook allow you to open apps using your default browser — which you should, every time, regardless of what page you are viewing. 

Even better, you can copy and paste the link from those platforms into your browser directly. If you use a privacy-focused browser(new window) (for example, Firefox or Brave) and Proton VPN(new window), you can prevent your online activity from being recorded.

TikTok makes things more difficult. TikTok doesn’t give you the option to open links in your default browser. To open a website from TikTok in your default browser, you need to:

  • Tap the link and open it in TikTok’s in-app browser.
  • Find another link on the website and long press it in TikTok’s in-app browser. This will bring up the option for you to copy that link or open it in your default browser.

TikTok will still see that you’ve visited the website, but they won’t be able to watch your browsing.

However, the best way to prevent TikTok from abusing your data is to prevent it from collecting it in the first place. While TikTok claims it’s using keylogging solely for debugging and performance monitoring, you have no way of knowing what data it’s collecting on you now — or could collect anytime in the future. We have a guide on how to delete your TikTok if you’re so inclined.

Learn how to delete TikTok and clear your data(new window)

Related articles

The cover image for a Proton blog, showing a phone screen with a lock logo and three password fields surrounding the phone
en
Here's what to look for when choosing an enterprise password manager to streamline collaboration and protect your organization's sensitive data.
en
  • Privacy guides
Learn how to unsend an email, how it’s useful for personal or business emails, and how Proton Mail can help.
Proton Mail and Proton Calendar winter product roadmap
en
  • Product updates
  • Proton Calendar
  • Proton Mail
Preview upcoming updates to Proton Mail and Proton Calendar, including performance boosts, new features, and enhanced privacy tools.
Gantt chart displaying Proton Drive plans and development of new features
en
Discover the tools, features, and improvements coming to Proton Drive’s secure cloud storage and document editor this winter and spring.
laptop showing Bitcoin price climbing
en
  • Privacy guides
Learn what a Bitcoin wallet does and the strengths and weaknesses of custodial, self-custodial, hardware, and paper wallets.
pixel tracking: here's how to tell which emails track your activity
en
Discover what pixel tracking is and how it works, how to spot emails that track you, and how to block these hidden trackers.