The clock is tick tocking. Some of the most popular social media apps are collecting data on users in many different ways. TikTok seems to be very concerned about the allegations that it is keylogging users through its in-app browser.
Multiple apps modify pages using JavaScript, but one very popular app in particular seems to be the most troubling. The code found in the bowels of TikTok has the ability to monitor all keyboard and tapping inputs.
TikTok doesn't allow users to open links in their own browser. The researcher said that since TikTok doesn't do much to quantify user activity, it's not a big deal. Using a tool he developed, he was able to spot additional JavaScript code that could record every text input and click. The keylogging code can be used to record passwords or even credit card information when you click on a link. As long as you are using the in-app browser, it will be able to track what you click on.
He shows his homework and explains what he found. Key presses can be tracked by any function. When you navigate from one page to another the app knows when you have left.
According to TikTok, the code is front loaded in the app, but they don't use it unless they need to. The report's conclusions about TikTok are incorrect and misleading, according to a TikTok spokesman. The researcher admits they have no way of knowing what kind of data our in-app browser collects. The report claims that we collect keystrokes and text inputs through this code, but we do not.
Ari Lightman, a professor of digital media and marketing at Carnegie Mellon University, told Gizmodo in a phone interview that he doesn't believe the claims that TikTok is selling. Social media companies make a good amount of their profits from advertising, and user data is a big part of that, but there are certainly security and user-experience components to why this code exists.
Lightman said that they don't want you to leave the platform. TikTok can't collect data when it wants to monetize the platform because users don't find their way back.
The company says that the JavaScript code is part of a software development kit and that they don't use it remotely. According to the company, the keylogging code was built by a third party and hasn't been used in the company's existing capabilities.
They said that it would be a bad experience for users to be forced to use browsers outside of their app, which is a very condescending argument that ignores the fact that anyone who owns a device can choose to use whichever browser they want.
Lightman was not sure about TikTok's reasoning. TikTok, owned by ByteDance, is very proficient at developing machine learning models. The idea that TikTok would just leave this code in there without using it is difficult to swallow.
The fact that it exists puts extra onus on companies that have shown they can't be trusted with user data. When using in-app web browsers, the researcher wrote about how to use JavaScript code to track all user activity. The code can be used to monitor all interactions, even when you click on an ad. The researcher found that the app subscribes to every button press and link that is rendered in the app. When you select a text field on a third party website, it knows.
Stone wrote that the researcher's claims "misrepresent" how Meta's in-app browsers work.
As if this wasn't concerning enough, Krause wrote that these apps have the ability to hide their JavaScript using already established iOS tools. If any of these companies wanted to hide their activities from the public, they could.
"Tech companies that still use custom in-app browsers will very quickly update to use the new WKContentWorld isolated JavaScript system, so their code becomes invisible to us."
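The listener subscriptions described above can be observed from the page side. The following is an added example, not the researcher's tool or code from any app named here: it wraps `addEventListener` and records registrations for input events. The event list, function names and the demo target are assumptions, and the demo runs in Node or a browser console.

```javascript
// Added example: record which scripts subscribe to input events on a page.
// The event list and all names below are assumptions chosen for illustration.
const SENSITIVE = new Set(["keydown", "keypress", "keyup", "input",
  "click", "touchstart", "focusin", "selectionchange"]);

function installListenerAudit(proto = EventTarget.prototype) {
  const original = proto.addEventListener;
  const findings = [];
  proto.addEventListener = function (type, listener, options) {
    if (SENSITIVE.has(type)) {
      // The caller frames show which script registered the listener.
      const stack = (new Error().stack || "").split("\n")
        .slice(2, 4).map((s) => s.trim());
      findings.push({
        type,
        target: this && this.constructor ? this.constructor.name : typeof this,
        capture: options === true || Boolean(options && options.capture),
        stack,
      });
    }
    return original.call(this, type, listener, options);
  };
  return {
    findings,
    summary() {
      const counts = {};
      for (const f of findings) counts[f.type] = (counts[f.type] || 0) + 1;
      return counts;
    },
    uninstall() { proto.addEventListener = original; },
  };
}

// Constructed demo: stands in for a script that a host app adds to a page.
function demo() {
  const audit = installListenerAudit();
  const page = new EventTarget();            // stand-in for `document`
  let delivered = 0;
  page.addEventListener("keydown", () => { delivered++; }, { capture: true });
  page.addEventListener("click", () => { delivered++; });
  page.addEventListener("load", () => {});   // not an input event: ignored
  page.dispatchEvent(new Event("keydown"));  // wrapped listeners still fire
  audit.uninstall();
  page.addEventListener("keyup", () => {});  // after uninstall: not recorded
  return { summary: audit.summary(), findings: audit.findings, delivered };
}

console.log(JSON.stringify(demo().summary));
```

A hook like this only sees scripts that share the page's JavaScript world; listeners registered from an isolated content world such as WKContentWorld do not pass through it, which is the visibility gap the quote above describes.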
Gizmodo asked Apple if it would change any of its features to restrict apps from including keylogging scripts or otherwise stop them from hiding the fact they were running them.
TikTok has taken a lot of heat from proponents of internet privacy and from lawmakers on both sides of the aisle after it was reported that staff were aware that U.S. data was being collected by Chinese The company that gives up user data to the giant data-collecting maw that is Beijing has been working overtime to downplay their new identity, according to a recent report. Some are skeptical that a massive data privacy law will be passed before the end of the year.
Privacy legislation and more auditing legislation will be in the future. If they are doing it for economic reasons, they need to make sure that they are doing it for user experience as well. You have to be open with what you are going to do.