By the end of 2021, TikTok reached one billion monthly users, becoming one of the most popular social media platforms globally. In the United States, the platform was one of the few that significantly increased its share of users who said they regularly use the platform to get their news.
Whether you’re a journalist new to the platform or part of a long-time TikToking newsroom, understanding how to mitigate the potential dangers of the platform is key. In this guide, we'll focus on some of the most important security considerations — like account hijacking, data breaches and privacy — and give recommendations for navigating the platform securely.
The success of TikTok isn't random. As on many other social media platforms, the algorithm that personalizes your experience on the platform is powered by data collection, analysis of interests and interactions, and profiling of user behavior. Likewise, in late 2022, TikTok admitted they targeted journalists using the app to investigate their sources. All of this raises concerns among U.S. lawmakers, as the company has in the past been vague and evasive in explaining what specific information is collected about users and for what purposes.
TikTok is owned by the Chinese company ByteDance, but the platform has stated that none of its data centers are subject to Chinese law and that the platform doesn't remove content based on sensitivities related to China. However, leaked internal information revealed in 2022 that U.S. user data has been repeatedly accessed from China. Indeed, in a letter to the U.S. Senate, the company has confirmed that personal data on TikTok users who sign up to make money through the app is stored in China. While TikTok began negotiating a security deal with the U.S. government in 2022, some former national security officials and other experts believe users’ personal data would still be exposed to hacking and espionage.
In addition to concerns around data collection and storage, a 2020 Apple update revealed that the TikTok app was constantly accessing the user's clipboard content on iOS. And in 2022, research discovered that its in-app browser includes code that can be used to monitor user keystrokes on websites. Instead of opening links in the in-app browser, we recommend using a trusted browser installed on your device, like Chrome, Firefox or Brave.
As on other platforms, when creating content for TikTok be mindful of sharing information that you don't want public or that could put you or others at risk. This can be information about your daily routine, personal data about yourself or your loved ones or source information.
Fortunately, there are settings and security and privacy recommendations that can help create a safer experience on TikTok.
We know from publicly available data breaches that many people use short, predictable passwords, and this introduces unnecessary risk to account safety. Regardless of whether it's a personal or institutional account, it must be protected by a unique and strong password. We recommend using passphrases (a sequence of random words or other types of text), as they are harder to guess and easier to remember. You can also use a password manager to generate and securely store your passphrases while having access to them from multiple devices.
If you already have a TikTok account and want to change your password, you can do so at any time from within the app.
TikTok will send you a 6-digit code to enter in the app to validate your identity. After that, enter your new password.
While TikTok doesn't support two-factor authentication methods like physical security keys or authentication apps, we still recommend activating two-step verification on your TikTok account, which will add an extra layer of security. Once configured, you will be prompted for a 6-digit one-time code at login, right after validating your password.
You will have to select at least two of the available methods (SMS, email, password) and click Turn on. Enter your password and click Next to confirm.
Even if your TikTok account is secured with a strong, unique password and two-step verification, your data is still available to the company.
Note that direct messages aren't end-to-end encrypted and the company specifies in its law enforcement guidelines that it can disclose user data to government agencies, including direct message content. If you need to talk about sensitive topics that could put you or others at risk, don't use TikTok. We recommend moving the conversation to apps that use end-to-end encryption, like Signal or WhatsApp.
Account security is essential, but it’s also important to weigh the available privacy options against how you want to use the app. A newsroom account may focus on maximizing the reach of its TikTok content, while a freelance journalist may want to have more control over the interactions on their account.
Many of the apps we use on our devices require multiple permissions to access information, such as location, storage and contacts. Sometimes the requested permission makes sense, like when a maps app needs access to your location. In other cases, the requested permission hints at potentially suspicious behavior, like when a calculator app requests access to your camera.
When you launch the app for the first time, it will ask you for permission to send notifications and access your contacts. If you don't feel comfortable letting TikTok access your contact list to recommend TikTok accounts of people you have in your directory, you can deny this permission or remove it.
For institutional accounts, using a Business Account gives access to more features like advanced statistics, post scheduler and auto-messaging, but Business Accounts need to be public.
All public accounts will be viewable by other TikTok users, but you can make your account private at any time.
Other privacy options are configurable in the app.
From here, there are several privacy settings you can change.
If needed, you can always temporarily or permanently deactivate your TikTok account so that no one can see it or its content. If you decide to permanently delete your account, you’ll have a 30-day waiting period in which you can reverse the request and fully restore your account.
If you are looking for more recommendations and tools to improve your digital security, find more guides and blog posts on our website.
If you are a journalist or part of a news organization, contact our digital security team to learn about the bespoke training options we offer.