How TikTok collects your data, even if you don’t use TikTok

TikTok’s parent company ByteDance collects data on people who don’t even use the app, and those same trackers are showing up on government websites that banned TikTok from their networks, a new report found.

In a review of more than 3,500 company, organization and government websites, Canada-based Feroot Security found ByteDance tracking pixels on 30 state government websites in the U.S. Some of those trackers were found in states that don’t allow TikTok on government networks or devices.

The report was "eye-opening," Feroot Security CEO Ivan Tsarynny said, and shed new light on the "wild, wild West" of pixel tracking – or computer code that collects information on how a user interacts with a website.

Pixel trackers are used by lots of companies and "have legitimate business reasons," Tsarynny explained, but questions over how ByteDance collects and shares information – and who the company shares it with – have been plaguing the social media giant for months.

In this photo illustration, the TikTok app is displayed on an Apple iPhone on August 7, 2020 in Washington, DC. (Photo Illustration by Drew Angerer/Getty Images)

The platform, which has 150 million American users, has faced increased scrutiny over user privacy and its potential ties to China’s authoritarian government. It's been dogged by persistent claims that it threatens national security or could be used to promote pro-Beijing propaganda and misinformation.

The U.S. has reportedly threatened a federal ban on the app unless its Chinese owners divest their stake.

What is pixel tracking?

Pixel trackers are invisible graphics embedded into websites to collect a variety of information, often without the knowledge or consent of the website user or even the website’s owner.
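For a site owner who wants to see what their own pages ask a visitor's browser to load, the sketch below (an added example, not from the article or from Feroot's report) parses a page's HTML and lists every script, image and iframe served from another site, flagging images that look like classic tracking pixels. The page URL, the sample HTML and all host names are constructed placeholders, and the two-label "same site" comparison is a simplifying assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose URL attribute makes the browser contact a host on page load.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src"}

def site_of(host):
    """Crude site key: last two DNS labels (assumption; a real audit
    should use the Public Suffix List instead)."""
    return ".".join(host.lower().split(".")[-2:])

class ThirdPartyAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.first_party = site_of(urlparse(page_url).hostname)
        self.findings = []  # (tag, host, looks_like_pixel)

    def handle_starttag(self, tag, attrs):
        attr, a = RESOURCE_ATTRS.get(tag), dict(attrs)
        if not attr or not a.get(attr):
            return
        # Resolve relative and scheme-relative URLs against the page URL.
        host = urlparse(urljoin(self.page_url, a[attr])).hostname
        if not host or site_of(host) == self.first_party:
            return
        # Classic pixel: an <img> sized 0x0 or 1x1, or hidden via inline style.
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        style = (a.get("style") or "").replace(" ", "").lower()
        is_pixel = tag == "img" and (tiny or "display:none" in style)
        self.findings.append((tag, host, is_pixel))

def audit(page_url, html):
    parser = ThirdPartyAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample page; every host below is a placeholder.
SAMPLE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.analytics-vendor.example/pixel.js"></script>
</head><body>
<img src="https://assets.jobs.state.example/logo.png" width="200" height="60">
<img src="//t.adnetwork.example/p.gif?ev=view" width="1" height="1">
<iframe src="https://video.partner.example/embed/1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, host, pixel in audit("https://jobs.state.example/apply", SAMPLE):
        print(f"{tag:7} {host:32} {'PIXEL' if pixel else 'third-party'}")
```

Static parsing only sees what is in the delivered HTML; resources that a third-party script injects after it runs have to be observed in a browser's network log.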

"You know how a few weeks ago a giant spy balloon was shot out of the sky? Pixel trackers are just like that giant spy balloon, but they’re small versions of it," Tsarynny said.

Much of the information is used to measure things like advertising success or help online advertisers reach their target markets, but Tsarynny cautioned they can track more.

"It can be used to track groups of people and individuals, like where the person or group visits, sometimes email addresses, date of birth and all kinds of other information. And that can be used for all kinds of purposes," he said. "Three quarters of everything loaded are from third parties from all over the world."

Other major internet companies have faced scrutiny over user privacy in the past, and 92% of the websites Feroot looked at had some kind of Google tracking pixel embedded. But Tsarynny said the difference between Google and TikTok is how the data is being used.

"When the data is misused, what you’ve seen historically is it’s misused for advertising, data creation, business analytics purposes where it was not intended to," Tsarynny said. "What we’ve seen with ByteDance, they were using the data to spy on journalists. That’s a completely different impact … That’s what is alarming."

The headquarters of ByteDance, the parent company of video sharing app TikTok, is seen in Beijing on September 16, 2020. (Photo by GREG BAKER/AFP via Getty Images)

TikTok did not respond to a request for comment.

Feroot also found tracking pixels from other foreign-owned companies. Tencent Holdings Ltd., which owns WeChat; Weibo Corp.; and Alibaba Group Holding Ltd. had trackers on some state-government websites, and Russian-owned pixels from cybersecurity company Kaspersky were also discovered. The Trump administration banned Kaspersky products from federal U.S. networks because of espionage concerns, according to the Wall Street Journal.

But would a ByteDance sale of TikTok ease those concerns? It’s not likely, Tsarynny said.

"I don’t think it will make much of a difference if it’s banned, especially with our findings," he said. "You never have to use TikTok for it to have your data, and it has a presence on state government websites that have banned TikTok.

"It’s not really as much about ownership of the company or ownership of the data, it’s about control and vetting people who have control over the data, perhaps to the same extent as people who have access to the Pentagon or other sensitive institutions," he continued. "This data can have significant impacts on nation states."

How is TikTok responding?

TikTok CEO Shou Zi Chew testified before a congressional committee Thursday in a tense hearing as lawmakers make a bipartisan effort to rein in the power of the social media giant.

TikTok CEO Shou Zi Chew testifies before the House Energy and Commerce Committee on March 23, 2023 in Washington, DC. (Photo by Chip Somodevilla/Getty Images)

Chew, a 40-year-old Singapore native, told the House Committee on Energy and Commerce that TikTok prioritizes the safety of its young users and denied allegations that the app is a national security risk. He reiterated the company’s plan to protect U.S. user data by storing all such information on servers maintained and owned by the software giant Oracle.

Under a $1.5 billion project dubbed Project Texas that's underway, data from U.S. users is being routed through servers controlled by Oracle, the Silicon Valley company TikTok partnered with in an effort to avoid a nationwide ban.

Older U.S. user data stored on non-Oracle servers will be deleted this year. Under this arrangement, there's no way for Beijing to access the data, Chew said in prepared remarks released ahead of the hearing.

TikTok has also sought to portray ByteDance as a global company, not a Chinese one. Executives have been pointing out that ByteDance's ownership consists of 60% big global investors, 20% employees and 20% Chinese entrepreneurs who founded the company. TikTok itself is headquartered in Singapore.

How is the U.S. responding? 

In addition to Thursday’s congressional hearing, the Committee on Foreign Investment in the U.S. — known as CFIUS and part of the Treasury Department — is also carrying out a review.

House Energy and Commerce Committee member Rep. Buddy Carter (R-GA) questions TikTok CEO Shou Zi Chew during a committee hearing on March 23, 2023 in Washington, DC. (Photo by Chip Somodevilla/Getty Images)

White House officials have said there are "legitimate national security concerns with respect to data integrity."

Some U.S. senators urged CFIUS last year to quickly wrap up its investigation and "impose strict structural restrictions" between TikTok's American operations and ByteDance, including potentially separating the companies.

At the same time, lawmakers have introduced measures that would expand the Biden administration's authority to enact a national ban on TikTok. The White House has already backed a Senate proposal that has bipartisan support.

China’s Foreign Ministry has accused the United States itself of spreading disinformation about TikTok’s potential security risks.

How can you protect yourself? 

When you click on any website – like a state government site for jobseekers, for example – countless tools immediately start collecting information from you in real-time.

Google homepage is displayed on a screen for illustration photo. Krakow, Poland on January 23, 2023. (Photo by Beata Zawrzel/NurPhoto via Getty Images)

If you start to fill out a form on a website, whatever you type will be collected by a third party, even if you don’t click the submit button.

That’s why Tsarynny recommends disabling the "autofill" feature in web browsers to give pixel trackers fewer opportunities to get your data.

"The pixels have already read your information, even if you never became a customer," he said.

The Associated Press contributed to this report.