TikTok tracked a cat’s account to spy on its owner. Is your privacy at risk?

Of all the people who value their own privacy and the privacy of their business contacts, journalists are perhaprs at the top of the list. If they fail to protect the anonymity of people who have confided in them, often at great personal or professional peril, their reputation and their confidants will suffer. It’s expected of a journalist, and a tech journalist at that, covering Chinese social giant TikTok to put extra effort into flying under the radar.

Christina Criddle, the tech reporter for the Financial Times, went that extra mile and created a TikTok account not in her name but in the name of her cat, Buffy. That, however, was not enough to protect her from being spied on by TikTok employees.

The purr-fect spying target

Last year TikTok admitted that four of its employees, two in China and two in the US, gained access to the IP addresses and other data of Criddle and Forbes’ Emily Baker-White, as well as that of their TikTok contacts. Both women reported on TikTok and were in contact with insiders who provided them with damaging information about the company, such as exposing its ‘toxic’ work culture.

For a long time there were only scant details about that privacy breach. But recently Criddle has shed some light on how supposedly ‘rogue’ TikTok employees were able to keep tabs on her: it was by tracking… her cat.

Criddle revealed that she created a TikTok account for her cat, Buffy, using her personal mobile phone. To sign up with TikTok, you have to be at least 13 years old and a human, not a cat, so Criddle had to give the platform her email address, not Buffy’s, or a phone number to do so. The journalist did not put her own name or occupation on Buffy’s account, which reportedly had only about 20 videos and a modest 170 followers. That means TikTok employees had to do some digging to link this account to her.

But given how much information TikTok — much like any other social network — collects on its account holders, including device information and off-platform online activity, this did not prove to be much of a stumbling block.

The cat’s out of the bag…

The TikTok employees who did the spying were later revealed to be part of the internal audit and risk team at TikTok’s parent company, ByteDance. They acted on their own volition (that is, if you take TikTok at its word) and in violation of the company’s policies when they decided to track journalists in the hopes of uncovering the source(s) of the leaks. To do this, they used internal tools to access their personal data, in particular location, to see if the journalists had ever been near ByteDance employees.

The effort was reportedly a flop (that is, if we still take TikTok at its word): no sources were unmasked, and the offending employees were fired in disgrace. TikTok played up the incident as a one-off, never to be repeated.

…but it is still scratching at the truth

Recounting her interactions with TikTok post ‘cat-gate’, Criddle said that the company failed to respond to her many inquiries about the specific times and dates when she was tracked, as well as the exact nature of the data that was obtained and how it was used. She said that TikTok “has never fully answered” her questions.

According to TikTok’s privacy policy, the company may collect information about your “approximate location based on your SIM card and/or IP address.” The policy also states that “current versions of the app do not collect precise or approximate GPS information from US users.” An “older” version of the app that can still collect such information, TikTok notes, was last released in August 2020. This raises the question of how TikTok’s “spies” hoped to pinpoint Criddle’s location in the summer of 2022, assuming that knowing an approximate location is hardly enough to determine whether she was in the immediate vicinity of a ByteDance employee in London.

ByteDance told the New York Times that the four rogue employees accessed “historical data,” that had not yet been deleted from outside the Oracle cloud where all the US data is currently being migrated and where it will be stored. The migration of the data is part of the initiative, codenamed Project Texas, to address some of the US national security concerns and prevent the app from being banned in the US. Until Project Texas is completed, TikTok employees in Beijing could theoretically access US user data.

Following the revelations about spying on journalists, the US Justice Department and the FBI have launched an investigation into a breach of user privacy by ByteDance. Some, however, say that TikTok has been unfairly singled out by the US authorities because of its Chinese origin. What is certain is that TikTok is not the first social media platform to have employees who abuse their access to user data. As for the TikTok ‘spies,’ they are only following in the footsteps of their many other predecessors in US-based social media companies.

Big Cats Tech and their bad litter

TikTok is by far not the only cat in the alley that has been spying on users and having rogue employees. Here are some other examples.

In 2019, two former Twitter employees, Ahmad Abouammo and Ali Alzabarah, were accused of abusing their access to user data to spy on Saudi dissidents on Twitter and pass their personal information to Riadh for money. Abouammo was sentenced to 3.5 years in last December, while Alzabarah managed to escape the country. That same year, 2019, Motherboard revealed that “multiple” Snapchat employees had abused a set of internal tools, including one called SnapLion, to spy on users. The employees reportedly nicknamed SnapLion, originally designed to help process police requests, “the keys to the kingdom.” Those keys allowed them to view sensitive user information such as location data and saved Snaps.

Google, the ‘Big G,’ fired around 80 employees between 2018 and 2020 for misusing internal tools. This included accessing user or employee data. The list would not be complete without Meta, a serial privacy violator that boasts a less than an enviable record when it comes to privacy and security, or lack thereof. As recently as this past November, Meta fired or disciplined two dozen workers for abusing an internal tool, called ‘Oops,’ to take over user accounts, sometimes in exchange for bribes. However, this perhaps pales in comparison with the time (then still) Facebook fired 52 people for misusing employee access to spy on people. Among those given a boot was a Facebook engineer who tracked down a woman after she stopped answering his calls.

There is a problem, but is there a solution?

Few would argue that virtually every company has “bad apples” in its midst. And the larger the company, the greater the number of bad apples. What makes the likelihood of data breaches at TikTok and other social media companies so high is the bulk collection of user data that they do to survive: The livelihood of every social media platform, including TikTok, depends on advertising, which in turn requires data collection. The more they know about their users, such as where they live, what they like, and who they follow, the better they can target them with ads that match their interests. And when an ad is relevant to the user, they are more likely to click on it, which is what advertisers want.

Tech companies that handle this sensitive data have a responsibility to protect it and prevent its misuse, but the unbridled access that many employees seem to have to this data makes this task almost insurmountable.

So what can we do to protect ourselves? One possible solution is to have a separate phone for your socials, as Criddle did by having a ‘dummy’ phone for TikTok after finding out that it was spying on her through her cat’s account. Having a separate phone can restrict the access of social media apps to your main device’s features, your contacts and location. However, it won’t stop tracking completely: social media platforms will still be able to collect and share your data with other parties, such as advertisers.

It’s also important to be aware of privacy policies and permissions you give your apps, adjust your settings to limit data collection, use anti-tracking and ad-blocking tools on all devices, and be suspicious of any unusual activity, such as attempts to log in your apps from an unfamiliar location. While there’s no foolproof way to protect yourself from falling prey to spying, the less sensitive information you share on social media platforms, the safer you generally are.