Grade: F

TikTok

'Everything is seen in China.' Keylogger-style script in the in-app browser. Reads your clipboard. Drives teens to suicide content in 20 minutes. Ban upheld by the Supreme Court.
Fail
ByteDance · 🇨🇳 China
Evidence: Policy · App Permissions · Network Traffic · Firmware · Regulatory
Technical details
App: com.zhiliaoapp.musically (Android package ID)
Manufacturer: ByteDance

⚠️ The bottom line

TikTok said US user data stays in America. Leaked recordings showed Beijing-based engineers could access it; one employee said 'everything is seen in China.' TikTok told EU regulators it did not store data in China, was fined €530 million when the Irish DPC found otherwise, then admitted it had happened again. A researcher showed that TikTok's in-app browser injects code that can observe every key you press on every website opened inside the app, including on password and credit-card fields. TikTok said it doesn't collect keystrokes, but its own privacy policy says it collects 'keystroke patterns or rhythms.'

Legal jurisdiction
🇨🇳 China (headquarters)
National Intelligence Law
Company must secretly hand data to Chinese intelligence on request
Data Security Law
State can classify any data as 'important' and demand access for national security
🇸🇬 Singapore (data storage)
PDPA
Data protection law with broad national security exemption; government agencies are entirely excluded
🇺🇸 United States (data storage)
CLOUD Act
US government can demand your data from this company even if stored overseas
FISA §702 / PRISM
NSA collects stored emails, photos, messages without individual warrants
Geofence warrants
Police can demand location data for everyone near a crime scene
Scores
Spying: 4/4 EXTREME (Is someone spying on me?)
Data Sharing: 4/4 EXTREME (Who gets my data?)
Security: 3/4 HIGH (Is it actually secure?)
Honesty: 4/4 EXTREME (Can I trust what they say?)
Flag: Kids at risk
Verdict: REPLACE. Extreme risk. Look for alternatives or lock down hard.
11 contradictions: 8 critical, 3 high, 0 medium. 13 sources.
Findings by concern
Spying: 4/4 EXTREME (5 findings)
⚠️ critical · firmware analysis vs policy claims
A researcher showed that TikTok's in-app browser injects code that can observe every key you press on every website opened inside the app, including on password and credit-card fields. TikTok said it doesn't collect keystrokes, but its own privacy policy says it collects 'keystroke patterns or rhythms.'

What they claim: 'We do not collect keystroke or text inputs through this code.'

What we found: Felix Krause (2022): the in-app browser injects JavaScript that subscribes to all keyboard input on every page it loads, which he called 'the equivalent of installing a keylogger'; he also noted he could not tell what TikTok does with the data the subscription delivers. All links opened inside TikTok go through this browser. TikTok's own privacy policy: collects 'keystroke patterns or rhythms.' Snopes confirmed the key-event tracking code is present.
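The injection Krause described, as an added illustration (not TikTok's code and not Krause's InAppBrowser.com tool): a constructed document-wide keydown listener of the kind an in-app browser can inject, showing that it sees every character typed into any field on the page plus the inter-key timing that a policy might call 'keystroke patterns or rhythms', alongside a page-side audit hook that records which scripts subscribed to keyboard events on the document. It runs under Node (v15 or later) using the built-in EventTarget as a stand-in for `document`; the key sequence, the timestamps and the `KeyEvent` class are constructed sample input, and the function names are this example's own.

```javascript
// Added example, not code from TikTok or from Felix Krause's InAppBrowser.com.
// (1) A page-side audit hook that records every addEventListener call, so a
//     site can see who subscribed to keyboard events on the whole document.
// (2) A constructed stand-in for an injected keylogging script: captures each
//     key and the gap since the previous key ("keystroke patterns or rhythms").
// Node's EventTarget stands in for `document`; in a browser, pass `document`.

const KEY_EVENTS = new Set(['keydown', 'keyup', 'keypress', 'input', 'beforeinput']);

// Constructed key event. Browsers supply KeyboardEvent.key and event.timeStamp;
// Node's Event has neither, so this stand-in carries them explicitly.
class KeyEvent extends Event {
  constructor(key, ts) {
    super('keydown');
    this.key = key;
    this.ts = ts; // milliseconds since page load (constructed)
  }
}

// --- (1) audit hook -------------------------------------------------------
// Every addEventListener call made after install is recorded with its target
// and a stack trace, which identifies the script that registered it.
const listenerLog = [];

function installListenerAudit() {
  listenerLog.length = 0;
  const original = EventTarget.prototype.addEventListener;
  EventTarget.prototype.addEventListener = function (type, listener, options) {
    listenerLog.push({ type, target: this, stack: new Error().stack || '' });
    return original.call(this, type, listener, options);
  };
  // Uninstall function restores the original method.
  return () => { EventTarget.prototype.addEventListener = original; };
}

// Keyboard listeners attached to the document itself see keys typed into
// every field on the page, password inputs included, because key events
// bubble up from the focused element to the document.
function documentWideKeyListeners(documentLike) {
  return listenerLog.filter((e) => KEY_EVENTS.has(e.type) && e.target === documentLike);
}

// --- (2) constructed injected script -------------------------------------
function injectKeylogger(documentLike, sink) {
  let last = null;
  documentLike.addEventListener('keydown', (ev) => {
    sink.push({ key: ev.key, gapMs: last === null ? 0 : ev.ts - last });
    last = ev.ts;
  });
}

// The captured key sequence is the typed text; the gaps are a timing profile.
function typedText(captured) {
  return captured.map((c) => c.key).join('');
}

// Demo: a user types a password; the injected listener sees every character,
// and the audit hook shows one document-wide keydown subscription.
function runDemo() {
  const documentLike = new EventTarget();
  const uninstall = installListenerAudit();

  const captured = [];
  injectKeylogger(documentLike, captured);

  // Constructed keystrokes [key, timestamp ms]. In a real page these would be
  // dispatched on the password <input> and bubble up to document.
  const typed = [['h', 0], ['u', 120], ['n', 260], ['t', 330], ['e', 470], ['r', 610], ['2', 900]];
  for (const [key, ts] of typed) documentLike.dispatchEvent(new KeyEvent(key, ts));

  const suspicious = documentWideKeyListeners(documentLike);
  uninstall();
  return {
    text: typedText(captured),
    gaps: captured.map((c) => c.gapMs),
    documentKeyListeners: suspicious.length,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runDemo());
  // { text: 'hunter2', gaps: [0,120,140,70,140,140,290], documentKeyListeners: 1 }
}
```

In a real page, call installListenerAudit() before any other script runs, pass `document` to documentWideKeyListeners, and read the recorded stack to see which script registered each listener; a script injected by the hosting WebView appears there like any other. The hook only sees listeners added after it is installed, so a script injected before the page's own code runs would need to be found by other means (for example by diffing the DOM and window properties against a clean browser).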

⚠️ critical · firmware analysis vs policy claims
TikTok silently read your clipboard, whatever you had last copied (passwords, bank details, private messages, including from other apps), every few keystrokes while you typed in the app. They promised to stop. Three months later, iOS 14's paste notifications showed they hadn't. They wouldn't say where the data went.

What they claim: 'Clipboard access was an anti-spam feature.'

What we found: Mysk researchers found silent clipboard reading (March 2020). iOS 14's paste notifications (June 2020) showed TikTok reading the clipboard every 1-3 keystrokes while the user typed in the app, so anything copied in any other app was exposed; with Universal Clipboard, content copied on a nearby Mac or iPad could be read too. ByteDance promised to stop in March 2020 and was caught still doing it in June 2020. Declined to say where the data went.

⚠️ critical · firmware analysis vs policy claims
TikTok gave itself the right to scan your face and voice with a loophole covering most Americans. Already paid $92 million for collecting children's face data. A professor warned: you can't change your face like a password.

What they claim: 'We will seek required permissions' for biometric data.

What we found: Privacy policy: 'faceprints and voiceprints' with 'where required by law' loophole. Most US states have no biometric law. $92M BIPA settlement for children's facial data. Carnegie Mellon: 'you cannot change your face.' Only in US policy, not EU.

⚠️ critical · firmware analysis vs policy claims
Researchers pretending to be 13-year-olds got suicide recommendations within 20 minutes. TikTok's own research says 35 minutes creates addiction and causes 'loss of analytical skills, memory, and empathy.' Fourteen states are suing.

What they claim: 'Our algorithm shows you content you're interested in.'

What we found: Amnesty (2023): 13-year-old accounts got suicide content within 3-20 minutes. Over half of videos were mental health struggles. Multiple videos in one hour romanticised suicide. Internal research: 'compulsive usage correlates with loss of analytical skills, memory, empathy.' 260 videos (~35 min) to form habit. 14 AGs sued.

⚡ high · firmware analysis vs regulatory findings
ByteDance spied on the journalists exposing it -- tracking their locations through the app. Coordinated across two countries. The Department of Justice opened a spying investigation.

What they claim: 'The journalist incident was isolated misconduct.'

What we found: ByteDance tracked IP addresses of FT and BuzzFeed journalists to find sources. Coordinated across US and China. 4 fired including chief auditor. DOJ opened spying investigation.

Data Sharing: 4/4 EXTREME (4 findings)
⚠️ critical · policy claim vs regulatory finding
€530 million. The largest GDPR fine ever against a social media company. Ireland's DPC found TikTok was transferring EU user data to China. TikTok had claimed — publicly, repeatedly, under the banner of "Project Clover" — that EU data stayed in Europe. During the investigation, TikTok admitted it had stored EU data on Chinese servers. The entire data sovereignty campaign was a lie. TikTok appealed. The Irish Supreme Court let them keep transferring data to China while the appeal plays out. Half a billion euro fine and they're still doing it.

What they claim: TikTok has repeatedly claimed EU user data is stored in European data centres under "Project Clover."

What we found: Ireland's Data Protection Commission fined TikTok €530 million in May 2025 for transferring EU user data to China — the largest GDPR fine against a social media company. During the investigation, TikTok admitted it had stored EU user data on Chinese servers despite claiming otherwise under Project Clover. TikTok appealed. In April 2026, the Irish Supreme Court ruled TikTok could continue transferring data to China during the appeal. The company that built an entire PR campaign around EU data sovereignty admitted it was storing EU data in China the whole time.

⚠️ critical · privacy policy vs regulatory
€530 million fine. TikTok spent €12 billion on "Project Clover" to keep European data in Europe. The Irish DPC found data was still going to China anyway. €12 billion on a project that didn't work. The data still went where it always went.

What they claim: TikTok claims EU user data is protected under GDPR with Project Clover data localisation

What we found: The Irish DPC fined TikTok €530 million in May 2025 for unlawful EU-to-China data transfers. Despite TikTok's €12 billion "Project Clover" to localise European data, the DPC found data was still being transferred to China. TikTok obtained a stay from the Irish High Court allowing transfers to continue during appeal. The largest GDPR fine of 2025.

⚡ high · regulatory findings vs firmware analysis
TikTok spent $1.5 billion on a data safety plan. The DOJ said it wasn't enough. The Supreme Court unanimously upheld the divest-or-ban law. The new deal still has ByteDance's algorithm running under license from Beijing.

What they claim: 'Project Texas ensures US data security.'

What we found: DOJ rejected as inadequate. Oracle: 3 years to review code. DOJ: 'resources far beyond what government and Oracle possess.' Supreme Court unanimously upheld ban. TikTok dark 12 hours. ByteDance retains algorithm IP via licensing in new JV.

⚡ high · policy vs third-party research
TikTok used to promise it didn't track your precise GPS location. Then it got sold to a US company in January 2026 for $14 billion — supposedly to protect Americans. The very first thing the new owners did was add precise GPS tracking, AI data collection, and off-platform ads to the privacy policy. A Harvard Law lecturer said the sale "made the problem even worse."

What they claim: TikTok's previous privacy policy explicitly stated the app "does not collect precise GPS information."

What we found: After the January 2026 divestiture to TikTok USDS ($14B deal), the new privacy policy introduced precise GPS location tracking, AI interaction data collection, and an expanded off-platform advertising network. Harvard Law lecturer Timothy Edgar said the new structure "in some ways made the problem even worse."

Security: 3/4 HIGH (1 finding)
⚠️ critical · policy claims vs firmware analysis
TikTok said US user data stays in America. Leaked recordings showed Beijing-based engineers could access it. An employee said 'everything is seen in China.' TikTok told EU regulators it did not store data in China, was fined €530 million when the DPC found otherwise, then admitted it had happened again.

What they claim: 'US user data is stored in the US and Singapore.'

What we found: BuzzFeed leaked audio from 80+ meetings: 14 statements confirming China access. 'Everything is seen in China.' Beijing 'Master Admin' with 'access to everything.' DPC fined EUR 530M for storing EU data in China while denying it. TikTok admitted it happened again in 2025.

Honesty: 4/4 EXTREME (1 finding)
⚠️ critical · firmware analysis vs regulatory findings
TikTok's own documents say kids can't control screen time. Their fix reduced usage by 90 seconds. They measured success by press coverage, not child safety. Reviewers spent 5-7 seconds per account. 1.4 million British children under 13 were on the platform. The FTC called it 'flagrant.'

What they claim: 'We are proud of our efforts to protect children.'

What we found: DOJ/FTC (Aug 2024): 'flagrant' COPPA violation. Millions of under-13 accounts. 5-7 second reviews. UK ICO: 1.4M under-13s, GBP 12.7M fine. DPC: EUR 345M children's data. Internal: 'minors lack executive function.' Safety tools reduced usage by 1.5 minutes, measured by PR not protection.

Latest Risks & Threats
New developments that compound existing privacy concerns. 3 active threats.
THREAT Precise GPS tracking under new US ownership ⚠️ Surveillance Expansion Launched 2026-01-22
New TikTok USDS privacy policy adds precise geolocation, AI interaction data collection, and expanded off-platform advertising network. Previous ByteDance-era policy explicitly did not collect precise GPS.
THREAT TikTok Banned, Then Sold — ByteDance Keeps 19.9% ⚠️ Privacy Launched 2026-01-22
The Supreme Court unanimously upheld the TikTok ban on January 17, 2025. The app went dark for Americans two days later. After four deadline extensions, TikTok USDS Joint Venture LLC — owned by Oracle (15%), Silver Lake, MGX, and existing ByteDance investors — took control in January 2026. ByteDance retained 19.9%. The $1.5 billion "Project Texas" morphed into a $14 billion forced divestiture. Oracle now hosts US data, but lawsuits already challenge whether ByteDance's residual IP ties make "independence" real. Algorithm migration will take 12-18 months.
THREAT TikTok Shop Combines Viewing Habits with Purchase Data 💰 Finance Launched 2023-09-12
TikTok launched a full e-commerce platform inside the app. Your viewing history — every video you watched, how long you watched it, what made you stop scrolling — is now combined with what you buy, your payment details, and your shipping address. The algorithm that knows your insecurities, your desires, and your impulse triggers now also has your credit card. ByteDance, required by Chinese law to share data with intelligence services on request, now has the financial data of millions of Western consumers.
Recent Events

Events detected by our automated monitoring of CVE databases, regulatory agencies, and breach trackers.

High · Vulnerability · 2026-04-29
CVE-2026-40518: ByteDance DeerFlow before commit 2176b2b contains a path traversal and arbitrary file write vulnerab
Sandbox escape in ByteDance DeerFlow, an open-source research-agent framework separate from the TikTok app, allows arbitrary code execution. Listed as evidence of ongoing security issues in ByteDance software.