What is my personal risk using Tik Tok?
April 11, 2023 9:00 AM Subscribe
It's become clear that Tik Tok knows what I'm doing online, even when I use an incognito tab. Should I really care?
So, I think it's fairly well known that Tik Tok tracks your web activity. I'm realizing that it uses this information to feed you content. Ok, whatever. But I'm a little in shock this morning because last night I opened an incognito tab to look at some porn (incognito tab because sometimes my eldest child opens my phone and I don't want any oopsies tabs open, or those searches to come up in search history). And Tik Tok knows what I was watching.
In case you're skeptical - this isn't a coincidence. I watch maybe one or two porn videos once a week. But this morning, about 5 videos in on my FYP, it's playing the beginning of an elevator sex clip - along with a sort of "Guess what weird thing happened in this elevator" teaser. I usually get very popular videos on my FYP - nothing like this, which has 14 likes. It's the beginning of the video I watched last night.
This is nuts to me. But on the other hand - do I really care? Even if my worst enemies knew I liked elevator porn - that's not very embarrassing. So if I don't care, am I possibly underestimating the risk of continuing to use this app? It's been so worthwhile for me in learning about being a woman with autism, about boundaries and parenting and cooking and crochet...
FWIW, my child is not allowed to watch Tik Tok - on my phone or theirs.
So, I think it's fairly well known that Tik Tok tracks your web activity. I'm realizing that it uses this information to feed you content. Ok, whatever. But I'm a little in shock this morning because last night I opened an incognito tab to look at some porn (incognito tab because sometimes my eldest child opens my phone and I don't want any oopsies tabs open, or those searches to come up in search history). And Tik Tok knows what I was watching.
In case you're skeptical - this isn't a coincidence. I watch maybe one or two porn videos once a week. But this morning, about 5 videos in on my FYP, it's playing the beginning of an elevator sex clip - along with a sort of "Guess what weird thing happened in this elevator" teaser. I usually get very popular videos on my FYP - nothing like this, which has 14 likes. It's the beginning of the video I watched last night.
This is nuts to me. But on the other hand - do I really care? Even if my worst enemies knew I liked elevator porn - that's not very embarrassing. So if I don't care, am I possibly underestimating the risk of continuing to use this app? It's been so worthwhile for me in learning about being a woman with autism, about boundaries and parenting and cooking and crochet...
FWIW, my child is not allowed to watch Tik Tok - on my phone or theirs.
My daughter just searched for some innocuous information on my phone (swans on the Charles River). The top result was a relevant Reddit discussion, which she tapped on. The link opened in the Reddit app on my phone, logged into my account. I have not joined any porn groups on Reddit, but if I had, it is possible she would have seen references to that. So it's not just about, "I don't let my child open TikTok on my phone." Other links or apps could potentially open TikTok.
posted by Winnie the Proust at 9:07 AM on April 11, 2023 [2 favorites]
posted by Winnie the Proust at 9:07 AM on April 11, 2023 [2 favorites]
If you're surprised by this then your mental model of Incognito might be wrong. To a first approximation, Incognito mode only stops your computer storing a record of what you do. It doesn't stop other computers seeing what you do (and connecting your browser with your TikTok account).
posted by caek at 9:14 AM on April 11, 2023 [6 favorites]
posted by caek at 9:14 AM on April 11, 2023 [6 favorites]
Did you do anything associated with TikTok on the incognito tab? If you logged into anything vaguely associated with TikTok the information could easily leak over. It might even be a programming bug, I've noticed that sometimes my Chrome Incognito activity on Twitter leaks over into my proper Twitter account. If any phone apps are involved it could auto log in without you realizing.
To your original question, it's difficult to know because TikTok's policies are different than actual reality. It came out during the congressional investigation that TikTok specifically spied on some reporters who used the service in ways that broke their own rules. They said they'd never do it again if course. I would assume that TikTok is aware of everything you do while the app is open, so I only use it for things where I don't care if they know about it.
posted by JZig at 9:14 AM on April 11, 2023
To your original question, it's difficult to know because TikTok's policies are different than actual reality. It came out during the congressional investigation that TikTok specifically spied on some reporters who used the service in ways that broke their own rules. They said they'd never do it again if course. I would assume that TikTok is aware of everything you do while the app is open, so I only use it for things where I don't care if they know about it.
posted by JZig at 9:14 AM on April 11, 2023
Response by poster: Yeah, just to be clear - and because I think it's good for others to know what's going on here - this is what I did:
1. Open incognito tab
2. Googled 'porn for women'
3. Picked my fav site from results
4. Clicked on a video category
5. Clicked on video that caught my eye
So, there's no way for this to have happened unless it is reading video URLs or whatever video metadata.
posted by kitcat at 9:19 AM on April 11, 2023 [1 favorite]
1. Open incognito tab
2. Googled 'porn for women'
3. Picked my fav site from results
4. Clicked on a video category
5. Clicked on video that caught my eye
So, there's no way for this to have happened unless it is reading video URLs or whatever video metadata.
posted by kitcat at 9:19 AM on April 11, 2023 [1 favorite]
Unless you're using a VPN or other method of masking identity, whoever served you the video (which could be a third party service the site uses to host things) knows approximately who you are based on IP and browser metadata. They could be selling that information to any number of other services, and TikTok could be buying that information and correlating it with your logged in info. I don't know if they are actually doing that on purpose, but it's definitely possible.
There's no way to know for sure but my guess is that your video watching was recorded on the server (not in your browser) as "people in your neighborhood watched videos like this" and then TikTok uses info like this to tweak search results. It might have shown that same video to someone else nearby at a similar time because TikTok uses a lot of weird things to try to make viral trends happen.
posted by JZig at 9:33 AM on April 11, 2023 [5 favorites]
There's no way to know for sure but my guess is that your video watching was recorded on the server (not in your browser) as "people in your neighborhood watched videos like this" and then TikTok uses info like this to tweak search results. It might have shown that same video to someone else nearby at a similar time because TikTok uses a lot of weird things to try to make viral trends happen.
posted by JZig at 9:33 AM on April 11, 2023 [5 favorites]
Best answer: So, there's no way for this to have happened unless it is reading video URLs or whatever video metadata.
Your mental model of how ad tracking works seems incomplete. Very roughly it works like this: Website A records the details of its visitors. "Details" here means "a fingerprint that allows that user to be reidentified, and some information about what they were looking for on website A". Importantly, the fingerprint works pretty well whether or not the user happens to be using incognito mode. Website A effectively uploads that information to a shared database which allows any other website to look up visitors by fingerprint and find out what they've shown an interest in recently. Website B now has access to that information, and uses it to show the same user (which it can identify by the fingerprint) personalized content when they visit website B. This is complicated by the measures some browsers take to prevent this, and privacy regulations. But this is the basic idea.
In your case, website A is the porn website and website B is TikTok. It felt spooky because the personalized content TikTok showed you was unusually "relevant", but the techniques were completely standard, and are fundamentally how advertising works on the web, e.g. this could have happened on Facebook or Twitter.
posted by caek at 9:39 AM on April 11, 2023 [12 favorites]
Your mental model of how ad tracking works seems incomplete. Very roughly it works like this: Website A records the details of its visitors. "Details" here means "a fingerprint that allows that user to be reidentified, and some information about what they were looking for on website A". Importantly, the fingerprint works pretty well whether or not the user happens to be using incognito mode. Website A effectively uploads that information to a shared database which allows any other website to look up visitors by fingerprint and find out what they've shown an interest in recently. Website B now has access to that information, and uses it to show the same user (which it can identify by the fingerprint) personalized content when they visit website B. This is complicated by the measures some browsers take to prevent this, and privacy regulations. But this is the basic idea.
In your case, website A is the porn website and website B is TikTok. It felt spooky because the personalized content TikTok showed you was unusually "relevant", but the techniques were completely standard, and are fundamentally how advertising works on the web, e.g. this could have happened on Facebook or Twitter.
posted by caek at 9:39 AM on April 11, 2023 [12 favorites]
Best answer: In terms of personal risk - probably not? While it would be embarrassing to have our search results / browser history made public, that's probably true for the majority of the population, and there's no reason why someone who knows your secrets would spend a bunch of effort trying to blackmail you or something sinister. Embarrassment just isn't worth that much.
Unless you are a person of interest, of course. This could mean anything from being an investigative journalist or someone high up politically.
Tracking side discussion: Tiktok isn't secretly reading data from other apps on your phone/computer. Every time you go to any web site or use any app, you (your computer) sends information to tracking networks (probably multiple). The information sent includes your IP address, browser fingerprint (things like the size of your window, fonts installed, browser version, etc.), the page you are on, your guessed demographic, etc. This data is then made available to others for a price. Incognito mode makes no difference, because cookies and local browser history aren't being used at all, the data is stored and referenced on the tracking companies' computers. Sometimes the tracking companies get it wrong and you get weird ads - but you don't notice these as much as when they get it perfectly right.
The way to "fight" this is to stop sending companies this data, which you can achieve somewhat via ad-blocking.
posted by meowzilla at 9:41 AM on April 11, 2023 [2 favorites]
Unless you are a person of interest, of course. This could mean anything from being an investigative journalist or someone high up politically.
Tracking side discussion: Tiktok isn't secretly reading data from other apps on your phone/computer. Every time you go to any web site or use any app, you (your computer) sends information to tracking networks (probably multiple). The information sent includes your IP address, browser fingerprint (things like the size of your window, fonts installed, browser version, etc.), the page you are on, your guessed demographic, etc. This data is then made available to others for a price. Incognito mode makes no difference, because cookies and local browser history aren't being used at all, the data is stored and referenced on the tracking companies' computers. Sometimes the tracking companies get it wrong and you get weird ads - but you don't notice these as much as when they get it perfectly right.
The way to "fight" this is to stop sending companies this data, which you can achieve somewhat via ad-blocking.
posted by meowzilla at 9:41 AM on April 11, 2023 [2 favorites]
Browser fingerprinting is pretty effective at narrowing down to a specific user even without tracking cookies. If you want to avoid having your public persona connected to your naughty self, using a separate browser entirely is a decent mitigation, since cross browser finger printing is harder. Switch over to firefox private mode to indulge in less savoury online adventures, and never use firefox for your normal online life.
posted by dis_integration at 10:30 AM on April 11, 2023 [4 favorites]
posted by dis_integration at 10:30 AM on April 11, 2023 [4 favorites]
The way to "fight" this is to stop sending companies this data, which you can achieve somewhat via ad-blocking.
If you log into website via a web browser, then how you interact with that website can be seen by that website. There really isn't a way around that that doesn't involve disabling Javascript, which generally breaks the modern web. Browsers can do their best to mitigate what third parties can see (Ad blockers, Firefox lets you block third-party cookies, a few other things in that vein I'd be happy to detail) but fundamentally, TikTok can see, in a pretty granular way, that - and how - you using TikTok.
posted by mhoye at 10:35 AM on April 11, 2023
If you log into website via a web browser, then how you interact with that website can be seen by that website. There really isn't a way around that that doesn't involve disabling Javascript, which generally breaks the modern web. Browsers can do their best to mitigate what third parties can see (Ad blockers, Firefox lets you block third-party cookies, a few other things in that vein I'd be happy to detail) but fundamentally, TikTok can see, in a pretty granular way, that - and how - you using TikTok.
posted by mhoye at 10:35 AM on April 11, 2023
Best answer: You've already gotten some good resources on fingerprinting, but a very concrete useful resource that may be helpful to understand this is EFF's cover your tracks (formerly "panoptoclick"), which will try to estimate your identifiability; you could open it in incognito mode for whatever browser you are using.
There are various tracker prevention scripts/tools you can run (see here for some suggestions), though this kind of technique is always an arms race. Firefox specifically does provide some limited tracker protection in incognito mode (chrome does not). Personally I (indirectly) mitigate a lot of tracking by running noscript, though this is high-effort and only handles some cases. I do think it's worth mitigating somehow, because there are definitely some extremely pervasive trackers out there this days to enable "retargeting" (which happened to you) and are often deeply integrated with social media, e.g. the meta pixel is a fairly notorious one (prev. called the facebook pixel).
posted by advil at 10:54 AM on April 11, 2023 [8 favorites]
There are various tracker prevention scripts/tools you can run (see here for some suggestions), though this kind of technique is always an arms race. Firefox specifically does provide some limited tracker protection in incognito mode (chrome does not). Personally I (indirectly) mitigate a lot of tracking by running noscript, though this is high-effort and only handles some cases. I do think it's worth mitigating somehow, because there are definitely some extremely pervasive trackers out there this days to enable "retargeting" (which happened to you) and are often deeply integrated with social media, e.g. the meta pixel is a fairly notorious one (prev. called the facebook pixel).
posted by advil at 10:54 AM on April 11, 2023 [8 favorites]
involve disabling Javascript, which generally breaks the modern web.
Yeah it does, but you can usually get sketchy sites to work ok by only allowing some tiny portion of the zillions of scripts run. NoScript is the add-on I use for this purpose. Some trial and error is necessary to figure out what is necessary and what is not, but eg scripts from places like doubleclick.net are pretty obvious as marketing/tracking oriented and disabling them usually still allows the site to work. I'd wager both TikTok and the porn site could have a decent number of scripts stopped with Noscript while still working fine, and it may cut down on this kind of thing.
posted by SaltySalticid at 11:32 AM on April 11, 2023 [1 favorite]
Yeah it does, but you can usually get sketchy sites to work ok by only allowing some tiny portion of the zillions of scripts run. NoScript is the add-on I use for this purpose. Some trial and error is necessary to figure out what is necessary and what is not, but eg scripts from places like doubleclick.net are pretty obvious as marketing/tracking oriented and disabling them usually still allows the site to work. I'd wager both TikTok and the porn site could have a decent number of scripts stopped with Noscript while still working fine, and it may cut down on this kind of thing.
posted by SaltySalticid at 11:32 AM on April 11, 2023 [1 favorite]
Since you used the term "Incognito" and "Googled", I think it's safe to assume you were using Chrome and Google Search, both made by a company that makes its money tracking people and reselling that data. It's been a long time since its "Don't Be Evil" days.
If you wanted to decrease the likelihood of being spied on, I'd use Firefox, with all the privacy controls turned up and the uBlock Origin and Privacy Badger plug ins enabled. Also use a different search engine for your private searches, not just to avoid Google, but to keep that data a little more distant from the profile Google is building about you.
posted by advicepig at 11:38 AM on April 11, 2023 [3 favorites]
If you wanted to decrease the likelihood of being spied on, I'd use Firefox, with all the privacy controls turned up and the uBlock Origin and Privacy Badger plug ins enabled. Also use a different search engine for your private searches, not just to avoid Google, but to keep that data a little more distant from the profile Google is building about you.
posted by advicepig at 11:38 AM on April 11, 2023 [3 favorites]
I find the privacy help given by DuckDuckGo is useful, especially on my phone: https://duckduckgo.com/spread
uBlock Origin and Privacy Badger are also really necessary nowadays; seeing ads has become a rarity with those installed (avoid the generic 'uBlock' that's not 'Origin', it's a sell-out)
posted by anadem at 2:06 PM on April 11, 2023 [3 favorites]
uBlock Origin and Privacy Badger are also really necessary nowadays; seeing ads has become a rarity with those installed (avoid the generic 'uBlock' that's not 'Origin', it's a sell-out)
posted by anadem at 2:06 PM on April 11, 2023 [3 favorites]
It's worth noting that some of the suggestions you're getting, particularly those referring to browser extensions/plug-ins, are suitable only for computers and you have stated you are using a mobile phone.
It's significantly easier to control your privacy on a computer and although using a different browser on your phone for activities you don't wanted tracked might help, it's not a simple decision. You can install Firefox with an ad-blocker on Android, for example, but it isn't as secure as Chrome so although it can reduce the risk of fingerprinting it can increase other risks.
Ideally, view websites you'd rather keep private on a computer rather than a phone but I appreciate that might not work for your living arrangements. I have recently started using the Mullvad browser combined with a VPN for times I want to enhance my privacy and reduce the risk of browser fingerprinting.
posted by Busy Old Fool at 6:28 AM on April 13, 2023
It's significantly easier to control your privacy on a computer and although using a different browser on your phone for activities you don't wanted tracked might help, it's not a simple decision. You can install Firefox with an ad-blocker on Android, for example, but it isn't as secure as Chrome so although it can reduce the risk of fingerprinting it can increase other risks.
Ideally, view websites you'd rather keep private on a computer rather than a phone but I appreciate that might not work for your living arrangements. I have recently started using the Mullvad browser combined with a VPN for times I want to enhance my privacy and reduce the risk of browser fingerprinting.
posted by Busy Old Fool at 6:28 AM on April 13, 2023
« Older Car rental between NYC and Poconos? | Where can I download high resolution videos of... Newer »
This thread is closed to new comments.
I’m not saying one way or another on TikTok (I don’t know that it’s collecting any more than any other app) but I do think the browser distinctions are good to know
posted by raccoon409 at 9:05 AM on April 11, 2023 [2 favorites]