TikTok's Commitment to User Privacy and Security

By Roland Cloutier, TikTok Chief Information Security Officer

Building technology security defenses is an ongoing effort that requires anticipation, planning, and reaction. Since I started my role as TikTok's Chief Information Security Officer three months ago, it has become evident that the TikTok team is fully committed to safeguarding user privacy and ensuring transparency in our security efforts.

Recently, we have been conducting a comprehensive review of our security processes and infrastructure. This review was prompted by a report earlier this year that highlighted how many popular apps, including TikTok, were requesting access to users' clipboards. While there are legitimate reasons for apps to access clipboard information, such as improving user experience, we understand that this raised concerns among our users.

In the case of TikTok, the clipboard access notification was triggered by the integration of the Google Ads SDK. Although TikTok did not receive this data, we acknowledge that this issue caused confusion and led some users to believe that TikTok was using their data for unclear purposes. It is worth noting that many other apps exhibited similar behavior due to the widespread use of third-party ad programs. To address this, we updated our app on April 16 to prevent the ad program from accessing users' clipboards.

More recently, with the release of Beta iOS 14, TikTok users encountered a similar notification when attempting to type comments on videos. This notification was also observed in other popular apps. While we cannot definitively explain why users saw notifications for other apps, we can clarify the situation with TikTok. We had been working on combating spam and instances where users repeatedly posted the same comments on multiple videos. Our technology allowed us to identify users who copied and pasted comments, indicating potential self-promotion or trolling behavior. To improve the user experience and combat spam, we introduced an anti-spam feature in the iOS version of the app released on May 22.

From a technical standpoint, this anti-spam feature performed a validation check on the clipboard to ensure that the inputted text matched the content within the app. No data was collected from the clipboard; it was solely a validation process similar to hashing validation. In simpler terms, the anti-spam program did not send user data outside of the device. However, we understand that the notification created the unintended perception that we were utilizing the clipboard for other purposes. To address this, we promptly removed the feature in an update to the App Store on June 27 (version 16.6.1). We encourage all users to update their TikTok app to the latest version.

It is important to note that the anti-spam feature was never implemented in the Android version of the app. We are currently working on addressing spam issues in both versions using alternative technologies that do not involve clipboard access.

The anti-spam feature that was active from May 22 to June 27 is similar to features found in numerous other apps that triggered notifications in iOS 14. However, we acknowledge that it would have been better to avoid introducing a feature that could raise questions about TikTok's clipboard access, especially shortly after addressing a similar issue. We understand that users have legitimate concerns about data usage by companies, and we strive to be a leader in the industry by prioritizing user safety, privacy, and transparency.

To further enhance our security measures, I am leading a sprint initiative that includes thorough and ongoing app security assessments, remediations, verifications, and pre-deployment tests. This initiative is our top priority, and we have the full support of our executive management team. We will dedicate a team of engineers to this project.

Additionally, we are reviewing our feature release processes to minimize the likelihood of similar issues arising in the future. As part of this review, we are examining all clipboard-related scenarios to identify any potential access actions that were not directly initiated by the user. For example, pasting information into TikTok is a user-initiated action that adds value to the user experience. We will collaborate with our third-party partners to complete this review and ensure that no other such scenarios exist. We will provide an update on our findings soon.

Our commitment is to develop an app that respects user privacy and to be transparent with our community. We will continue to share updates on how we are improving TikTok, and later this year, we will open our Transparency Center to provide experts with an inside look at our efforts to ensure user safety and privacy. Security is an ongoing endeavor, and we will continue to proactively build an experience that respects and protects our community.