By the end of 2021, TikTok reached one billion monthly users, becoming one of the most popular social media platforms globally. In the United States, the platform was one of the few that significantly increased its share of users who said they regularly use the platform to get their news.

Whether you’re a journalist new to the platform or part of a long-time TikToking newsroom, understanding how to mitigate the potential dangers of the platform is key. In this guide, we'll focus on some of the most important security considerations — like account hijacking, data breaches and privacy — and give recommendations for navigating the platform securely.

Understanding concerns about the platform

The success of TikTok isn't random. As in many other social media, the algorithm that personalizes your experience on the platform is powered by data collection, analysis of interests and interactions and profiling of user behavior. Likewise, In late 2022, TikTok admitted they targeted journalists using the app to investigate their sources. All of this raises concerns among U.S. lawmakers, as the company has in the past been vague and evasive in explaining what specific information is collected about users and for what purposes.

TikTok is owned by the Chinese company ByteDance, but the platform has stated that none of its data centers are subject to Chinese law and that the platform doesn't remove content based on sensitivities related to China. However, leaked internal information revealed in 2022 that U.S. user data has been repeatedly accessed from China. Indeed, in a letter to the U.S. Senate the company has confirmed personal data on TikTok users who sign up to make money through the app is stored in China. While TikTok began negotiating a security deal with the U.S. government in 2022, some former national security officials and other experts believe users’ personal data would still be exposed to hacking and espionage.

In addition to concerns around the data collection and storage, a 2020 Apple update revealed that the TikTok app was constantly accessing the user's clipboard content on iOS. And in 2022, research discovered its in-app browser includes code that can be used to monitor user keystrokes on websites. We recommend using a trusted browser installed on your device like Chrome, Firefox or Brave instead.

As on other platforms, when creating content for TikTok be mindful of sharing information that you don't want public or that could put you or others at risk. This can be information about your daily routine, personal data about yourself or your loved ones or source information.

Fortunately, there are settings and security and privacy recommendations that can help create a safer experience on TikTok.

Securing your TikTok account

Use a unique and strong password

We know from publicly-available data breaches that many people use short, predictable passwords, and this introduces unnecessary risk to account safety. Regardless of whether it's a personal or institutional account, it must be protected by a unique and strong password. We recommend using passphrases (a sequence of random words or other types of text), as they are harder to guess and easier to remember. But you can also use a password manager to generate and securely store your passphrases while having access to them from multiple devices.

If you already have a TikTok account and want to change your password, you can do so at any time from within the app.

• Android users: Open TikTok > Settings and privacy > Account > Password
• iOS users: TikTok > Settings and privacy > Account > Password > Enter code > Enter new password

TikTok will send you a 6-digit code to enter in the app to validate your identity. After that, log your new password.

Adding two-step verification to your account

While TikTok doesn't support two-factor authentication methods like physical security keys or authentication apps, we still recommend to activate two-step verification on your TikTok account, which will add an extra layer of security. Once configured, you will be prompted for a 6-digit one-time code at login, right after validating your password.

• Android users: TikTok > Settings and privacy > Security > 2-step verification
• iOS users: TikTok > Settings and privacy > Security > 2-step verification > Choose phone, email, or additional password (must select 2) > Select “Turn on”

You will have to select at least two of the available methods (SMS, email, password) and click Turn on. Enter your password and click next to confirm.

Be aware of vulnerability to law enforcement data requests

Even if your TikTok account is secured with a strong, unique password and two-step verification, your data is still available to the company.

Note that direct messages aren't end-to-end encrypted and the company specifies in its law enforcement guidelines that it can disclose user data to government agencies, including direct message content. If you need to talk about sensitive topics that could put you or others at risk, don't use TikTok. We recommend moving the conversation to apps that use end-to-end encryption, like Signal or WhatsApp.

Privacy settings to consider

Account security is essential but it’s also important to weigh the available privacy options with how you want to use the app. A newsroom account may focus on maximizing the reach of its TikTok content, while a freelance journalist’s account may want to have more control over the interactions.

Do these permissions make sense for this app?

Many of the apps we use on our devices require multiple permissions to access information, such as location, storage and contacts. Sometimes the requested permission makes sense, like when a maps app needs access to your location. In other cases, the requested permission hints at potentially suspicious behavior, like when a calculator app requests access to your camera.

When you launch the app for the first time, it will ask you for permission to send notifications and access your contacts. If you don't feel comfortable letting TikTok access your contact list to recommend TikTok accounts of people you have in your directory, you can deny this permission or remove it.

• Android users (it might be slightly different, depending on your version): Settings > Privacy > Permission manager
• iOS users: Settings app > Scroll to “TikTok” in app list

Should I set my account to private or public?

For institutional accounts, using a Business Account gives access to more features like advanced statistics, post scheduler and auto-messaging, but Business Accounts need to be public.

• Android users: TikTok > Settings and privacy > Account > Switch to Business Account
• iOS users: TikTok > Settings and privacy > Account > Switch to business account

All public accounts will be viewable by other TikTok users, but you can make your account private at any time.

• Android users: TikTok > Settings and privacy > Privacy > Private account
• iOS users: TikTok > Settings and privacy > Privacy > Toggle private account on

Controlling interactions with your account and posts

Other privacy options are configurable in the app.

• Android users: TikTok > Settings and privacy > Privacy
• iOS users: TikTok > Settings and privacy > Privacy

From here, there are several privacy settings you can change.

• Activity status allows you to see when users you follow and follow you back are active or were last active on TikTok. Note that this will only work if you have both activated the activity status. Consider if you want others to be able to see when you are using the app, otherwise disable this option.
• The “suggest your account to others” feature allows other people to find you on TikTok. By default, TikTok suggests your account to people with whom you have mutual connections and those who opened or sent you links. If you don't want your account to be suggested by one or more of the above options, disable it. Just note that even if you disable all of the previous options, TikTok will still suggest your account to people you follow.
• Set who can comment on your videos and stories, and filter all comments, those containing specific keywords, or spam and offensive comments to be hidden unless you approve them.
• Control who can add mentions and tags of you to their videos, descriptions, stickers, comments, and stories.
• Decide who can send you direct messages. You can also set whether people can see when you've read their messages, and filter messages from accounts that TikTok think are suspicious.
• Set who can see your following list and liked videos, as well as whether you want to allow people you follow to be able to see that you've seen their posts or profiles and see which of your followers have seen yours.
• You also need to decide what other people can do with your posts. By default, TikTok allows anyone to download your videos, and other users to share your posts to their stories or use them in their posts with Duets and Stitch. Please note that disabling these options may reduce the reach and engagement of your posts.

Other things to keep in mind

If needed, you can always temporarily or permanently deactivate your TikTok account so that no one can see it or its content. If you decide to permanently delete your account you’ll have a 30-day waiting period in which you can reverse the request and fully restore your account.

• Android users: TikTok > Settings and privacy > Account > Deactivate or delete account
• iOS users: TikTok > Settings and privacy > Account > Deactivate or delete account

Need help? Let's chat

If you are looking for more recommendations and tools to improve your digital security, find more guides and blog posts on our website.

If you are a journalist or part of a news organization, contact our digital security team to learn about the bespoke training options we offer.