TikTok's settings allow unauthorized users to obtain the personal contact details of other users who have not made their details public.
Social media and chat apps have long been a cause of concern for parents and adults, as well as a source of viral online warnings about the dangers to children of cyber-predators.
Sexual predators and pedophiles do use such apps to target and contact children and young teens (as we have examined previously), but the claims made in viral Facebook warnings are often overstated or even erroneous — children can usually protect themselves from the unwanted attention of strangers by using the privacy settings that come with most popular apps, as well as by taking a general approach of caution and skepticism about would-be contacts or “friends.”
In early 2019, a viral Facebook message warned about the purported dangers of TikTok, the most popular example of a recent wave of short-video social media apps, including Snapchat, Dubsmash and (prior to 2016) Vine:
“If your child has MUSICALLY/TIK TOK, make them delete it now! Friday night, [my daughter] got a text from a Pennsylvania number. They knew her name, age, where she lived and her email. We took her phone to Verizon and they said it was the most dangerous app. Even with her account being set to private, they can still access all of her information.”
This warning was further promulgated on Facebook when it was re-posted on 12 February.
It is possible for someone to obtain a phone number, email address, or other personal information about a TikTok user, but only if the TikTok user in question shares such information. As such, the February 2019 viral Facebook message was fundamentally mistaken in the focus of its warning, suggesting as it did that the app’s settings — rather than the actions of its users — allowed potentially predatory adults to access contact details that a child did not allow to be shared.
TikTok is a wildly popular mobile app that allows users to record and share videos of up to 15 seconds in length. In August 2018, it replaced the rebranded Musical.ly app in the United States after that app was acquired by the Chinese company ByteDance. TikTok is especially popular among teens, who typically use it to post videos of themselves singing along to their favorite songs, short comedy sketches, or a variety of viral “challenges.”
Some commentators have praised TikTok as being genuinely good fun and inclusive of eclectic interests and subcultures, and the New York Times hailed it for its relatively low levels of bullying and harassment, saying TikTok “might well be the only truly pleasant social network in existence.”
However, others have pointed out that the fame-seeking, music-video ethos of the app has given rise to an uncomfortable trend of young teens’ engaging in sexually suggestive dancing and behavior, and still others have highlighted the fact that TikTok’s relatively young user base means sexual predators and pedophiles have been known to pose as teens and engage in grooming on the app.
Privacy and safety
When signing up for a TikTok account, a user is asked to provide their phone number or email address, as well as their date of birth. (The app does not allow users who state their age as being under 13 years old to register.) TikTok does not request the user’s city, state, or country of residence. The app texts or emails the user a four-digit verification code in order to complete the account setup.
TikTok users can follow and add each other as friends and send each other private messages, but one user cannot successfully send another user a message until both users have “followed” each other and thereby become “friends.” Users cannot attach videos or photographs to private messages. (We tested these restrictions using two dummy accounts.)
After the registration process is complete, a TikTok user’s account is set to “public” by default. This means that any videos that user might post will, in principle, be visible to any other users, except for those whom the posting user has blocked.
However, a TikTok user can switch their account to private (which means only approved users can view their videos), and they can adjust their privacy settings in other ways — for example, determining whether everyone can leave comments under their videos, whether only friends can comment, or whether no one can.
Most important, a TikTok user’s “bio” — which typically contains a brief description of the user, their age, and their interests — is visible to everyone even if the user’s account is set to “private,” but the user alone decides what information to include in their bio.
The phone number or email address that a user employed to register an account does not automatically show up in their TikTok profile or in their bio. That personal information is only used by TikTok for verification purposes in setting up the account in the first place.
The February 2019 warning
For all the reasons we have outlined, the suggestion made in the viral February 2019 Facebook warning is simply not plausible. TikTok’s privacy and security restrictions do not allow for one user’s personal information — such as age, email address, phone number, or location — to become available to another user on TikTok, unless the first user shared that information (whether knowingly or inadvertently).
We tested this by setting up two dummy TikTok accounts, giving both the most permissive privacy settings available, and causing each to add the other as a friend. Despite that combination, neither account was able to view the phone number, email address, location, or date of birth/age relating to the other account.
We then went even further, linking one TikTok account to an existing Instagram account and YouTube account. The second TikTok account was still not able to view the email address, phone number, or date of birth associated with the first TikTok account’s now-linked Instagram account, nor the location associated with the first TikTok account’s now-linked YouTube account.
A spokesperson for TikTok confirmed these findings. We asked whether it was possible, under any privacy setting, for one TikTok user to obtain the email address, phone number, age, or location of another TikTok user simply because the second TikTok user provided that information to the app when setting up an account. The spokesperson wrote in response that “No privacy setting would enable or facilitate this.”
We asked whether linking one TikTok account to an Instagram or YouTube account could conceivably mean that the personal information pertaining to the Instagram or YouTube account would then become available to someone viewing the user’s TikTok account. In reply, the company’s spokesperson wrote: “No, this scenario would not be possible. When you move from TikTok to another app, like Instagram or YouTube, you follow the settings of that app, including the user’s account privacy settings.”
Of course, someone could obtain the phone number, age, email address, or location of a TikTok user if that TikTok user posted the information in their bio, in a comment, in a video, or in a private message. A user might even inadvertently share their personal information by, for example, having an envelope or piece of paper containing their phone number or address visible in the background of a video. However, in such a scenario the sharing of the personal information would be due to the actions of the TikTok user, not the app’s settings.
We contacted the woman who originally posted the warning to Facebook on 11 February. She confirmed that her daughter had been texted by an unrecognized number and that this action formed the basis of her Facebook post. When we inquired how she was able to determine that this text contact had been the result of details shared via TikTok, the woman answered it was “because that is the only ‘social media’ app she has.” The woman added that she was “100% positive that [her daughter] did not give out her number.”
We cannot determine what happened in the case of the woman’s daughter, but it is possible that the person who texted her acquired her phone number, first name, and location from a third party or mutual acquaintance. But as far as we could determine, it is not possible that the person who texted the girl obtained her personal contact details simply by viewing her TikTok profile unless the girl had herself made those details publicly available.