hands of someone using TikTok on a phone

TikTok pays $92 million to end data theft lawsuit

TikTok, the now widely popular social media platform that allows users to create, share, and discover, short video clips has been enjoying explosive growth since it appeared in 2017. Since then, it hasn’t stopped growing—more so during the current pandemic

While we can no longer categorize TikTok as a kids’ app, most concerns about the app have been around the privacy of children. You can read more details about its track record in this field in our article Are TikTok’s new settings enough to keep kids safe?

Last year the app escaped a total ban in the US after rumors that it was sharing the data of US citizens with the Chinese government.

Now TikTok has agreed to pay $92 million to settle dozens of lawsuits alleging that it harvested personal data from users, including information using facial recognition technology, without consent, and shared the data with third parties.

What was TikTok accused of?

In fact, there were dozens of lawsuits alleging that the popular video-sharing app used personal data from users improperly. The suits were merged into one multi-district action in the Northern District of Illinois that cited violations of privacy laws in Illinois and California.

One lawsuit accused the social media platform of deploying a complex artificial intelligence (AI) system to scan for facial features in users’ videos, combined with algorithms to identify a user’s age, gender and ethnicity.

Another point brought forward, claims that TikTok doesn’t adequately disclose how user data is shared with entities outside the US. Since the owner of the app is the Chinese company ByteDance this behavior has already prompted some organizations—including Wells Fargo and some branches of the US military—to ask their employees to not use the app on devices that also contain data about them.

According to lawyers representing TikTok users, the app “clandestinely vacuumed up” vast quantities of private and personally identifiable data that could be used to identify and surveil users without permission. Even information from draft videos that were never shared publicly were mined by TikTok for data, the lawyers for the users alleged. Tiktok also shared information about users, without their consent, with Facebook, Google and other companies, the suit claims.

Code obfuscation

One of the arguments brought forward to prove their case was that investigators hired by the plaintiffs’ lawyers found that TikTok went to great lengths to obfuscate its data collection and sharing practices. It is worth noting here that obfuscation is not only done to hide illegal practices. Sometimes obfuscation is simply done to keep out the competition.

Did TikTok admit anything?

No. A spokesperson said:

Rather than go through lengthy litigation, we’d like to focus our efforts on building a safe and joyful experience for the TikTok community.

So, they would rather spend their time elsewhere, rather than in court. Understandable, but $92 million is a hefty sum. And maybe, just maybe, they would like to keep their lawyers available for possible future actions against the company. Former President Donald Trump threatened to ban TikTok unless ByteDance sold the app to a US-based owner. The Biden administration has pulled back from that take on TikTok, instead launching a broader review of Americans’ use of Chinese technology.

TikTok has always denied the allegations of sharing data, arguing other competing social networks have similar data collection practices, and insisting the company does not ship American user data to foreign servers.

So, this is settled now?

Well, not completely. This part of the battle has taken the best part of a year. And a federal judge still needs to sign off on the $92 million agreement. If it is approved, the settlement money will be divided up among US-based TikTok users (it’s roughly one dollar per American TikTok user).

The proposed TikTok settlement follows a similar deal struck last year in which Facebook paid $650 million to resolve legal claims over collecting and storing the biometric data of millions of users.

Besides the monetary settlement, TikTok will no longer record users’ biometric information, including facial characteristics, nor track their locations using GPS data. TikTok also committed to stop sending US users’ data overseas, and the app said it would no longer collect data on draft videos before the content is published.

Biometric data

TikTok’s use of facial biometric data is interesting, but unexceptional. All across the world, governments and corporations are developing facial recognition technology. Facebook uses it, Apple Photos uses it, police forces all over the world use it.

There are many concerns, however. Lack of oversight, ethics, failures and false positives, and bias against marginalized groups are all pressing concerns. As a result, a backlash has started and bans or moratoriums on facial recognition are now being implemented or considered in many jurisdictions.

With increased scrutiny on the use of facial recognition, and on the use of Chinese technology, the use of biometrics and other personal data by social media with ties to foreign entities, especially China, is likely to attract a lot of attention from now on. Just ask Clubhouse.


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.