TikTok Tracks More than 10% of U.S. Websites Users via Its Analytics Tool

More than 10 percent of all United States consumer websites have added a TikTok component to reinforce their marketing efforts, according to research from Reflectiz. While TikTok was a relatively anonymous app in 2020, it grew exponentially in 2021.

TikTok experienced initial growth among the younger global population and has since attracted users of all ages. In light of that, many of the largest U.S. consumer-focused and global enterprises, retailers, and publishers have added TikTok to their mix of marketing channels. It has even surpassed Google in Cloudflare’s Web Traffic Ranking.

TikTok, like other tools, is actively tracking user behavior, analyzing their activities, location, past website visits, and cookies.

Unlike Google or Facebook, a major issue with TikTok is that the control is somewhat “gray.” It is owned by ByteDance, a very influential company in China. It is common knowledge in the cybersecurity world that Chinese threat actors are very active in cyberespionage for both political and financial gain. To put this plainly: U.S. enterprises that have implemented TikTok components in their website may have granted a Chinese entity open access to their users’ private data, while never knowing what the entity is actually doing with the information.

The threat that most people might miss is that even if the user doesn’t use TikTok, the simple fact that the person is browsing a website that includes a TikTok-owned component means that it gathers their personal information. Not only that, but even businesses with strict privacy and security policies are unknowingly exposing their own users’ PII (e.g., UserAgent, IP address, etc.) once they visit websites that have implemented TikTok components. According to BuiltWith, TikTok has shown exponential growth in popularity during the recent year, making it a very attractive target for Chinese threat actors.

“The problem with TikTok is that it is very hard to trace what they are doing with your customers’ data,” said Ysrael Gurt, CTO & co-founder of Reflectiz. “It’s common to have tags and trackers on a website, but we can’t really know what they do with the data they collected. However, we do know that TikTok already has the technical and personal data about most of the internet users right now, so the question that remains is: Who has access to this data, and how will they use it?”

“It’s important to remember that even free tools are paid with the users’ data – your website users’ data,” he adds. “In this instance, websites all across the U.S. are paying with their user’s data to a Chinese enterprise, never knowing where this information will end up.”

This article was originally published at Global Security Mag on January 13, 2022.