TikTok Tracks You Across the Web, Even If You Don't Use the App

An anonymous reader quotes a report from Consumer Reports: A Consumer Reports investigation finds that TikTok, one of the country's most popular apps, is partnering with a growing number of other companies to hoover up data about people as they travel across the internet. That includes people who don't have TikTok accounts. These companies embed tiny TikTok trackers called "pixels" in their websites. Then TikTok uses the information gathered by all those pixels to help the companies target ads at potential customers, and to measure how well their ads work. To look into TikTok's use of online tracking, CR asked the security firm Disconnect to scan about 20,000 websites for the company's pixels. In our list, we included the 1,000 most popular websites overall, as well as some of the biggest sites with domains ending in ".org," ".edu," and ".gov." We wanted to look at those sites because they often deal with sensitive subjects. We found hundreds of organizations sharing data with TikTok.

If you go to the United Methodist Church's main website, TikTok hears about it. Interested in joining Weight Watchers? TikTok finds that out, too. The Arizona Department of Economic Security tells TikTok when you view pages concerned with domestic violence or food assistance. Even Planned Parenthood uses the trackers, automatically notifying TikTok about every person who goes to its website, though it doesn't share information from the pages where you can book an appointment. (None of those groups responded to requests for comment.) The number of TikTok trackers we saw was just a fraction of those we observed from Google and Meta. However, TikTok's advertising business is exploding, and experts say the data collection will probably grow along with it.

After Disconnect researchers conducted a broad search for TikTok trackers, we asked them to take a close look at what kind of information was being shared by 15 specific websites. We focused on sites where we thought people would have a particular expectation of privacy, such as advocacy organizations and hospitals, along with retailers and other kinds of companies. Disconnect found that data being transmitted to TikTok can include your IP address, a unique ID number, what page you're on, and what you're clicking, typing, or searching for, depending on how the website has been set up. What does TikTok do with all that information? "Like other platforms, the data we receive from advertisers is used to improve the effectiveness of our advertising services," says Melanie Bosselait, a TikTok spokesperson. The data "is not used to group individuals into particular interest categories for other advertisers to target." If TikTok receives data about someone who doesn't have a TikTok account, the company only uses that data for aggregated reports that they send to advertisers about their websites, she says. There's no independent way for consumers or privacy researchers to verify such statements. But TikTok's terms of service say its advertising customers aren't allowed to send the company certain kinds of sensitive information, such as data about children, health conditions, or finances. "We continuously work with our partners to avoid inadvertent transmission of such data," TikTok's Bosselait says. What can you do to protect your personal information? Consumer Reports recommends using privacy-protecting browser extensions like Disconnect, changing your browser's privacy settings to block trackers, and trying a more private browser like Firefox and Brave.

The Solution

[blitz487]

There's no way really to stop others from tracking you across the internet. However, there is another way. Build RandomBrowserBot, that randomly clicks on URLs. Trackers want data? Bury them with useless, wrong, and crap data.

Re: The Solution

[Anonymouse Cowtard]

Tor does that. Dunno if theres an extension that does the same. Wouldn't surprise me.

Re:

[ShanghaiBill]

Build RandomBrowserBot, that randomly clicks on URLs.

It is not difficult to distinguish random data from human-generated data.

Try to generate random mouse movements that will defeat the "I am not a Robot" CAPTCHA.

Re:

[medv4380]

It's not about making a Robot look human. It's more about making humans look like robots. I can make my mouse movements and clicks appear instant like a robot. Just run the browser in a VM, and make the VM update the mouse only when I click, so it appears to teleport. Once I appear to be a robot, you'll just purge my data with all the other robots.

Re:

[Spamalope]

The plugin has to randomize reported mouse locations, then teleport to the clicked area for user input; P2P swap tracking cookies etc with other users; visit one random link on a random page for every real user click; swap browser fingerprint with other users on compatible systems (with setup to spoof that). You can pick the fly poop out of the sugar. Try getting it out of the pepper...

and yes, if this took off it'd be an arms race - then it's a fight instead of the abject total defeat for privacy we've g

Re:The Solution

[ClueHammer]

That is just not true. Using a tool like PI-Hole blocks the domains names associated with tracking. This removes 95% of them.

Re: The Solution

[Anonymouse Cowtard]

Yep, also Diversion with dnsmasq

Re:

[Opportunist]

You'll never catch all of them, some will always slip through the cracks.

No, poisoning the data well is the better approach. Drown them in bogus data, if they can't tell good data from fake, they have to throw out the whole batch.

Go hybrid

[Midnight Thunder]

Maybe a combination of both? You try to reduce the ability to track you, while mixing up with bad data. Neither is perfect, but together they lead to something even more capable.

Re:The Solution

[slazzy]

At my house I currently crawl about 250 million URLs a month just for fun. May as well do something with all that unlimited data.

Re:The Solution

[Spamalope]

Yes! We need fun browser plugins with a diversity of methods. Adblock, but it accepts the cookies it can 100% identify as trackers (aka, safe for this trick), then peer-to-peer share with other participants to randomly swap the cookies between folks who agree. A plugin that alters real user input so as far as the website sees, the mouse teleports etc so real input looks like bots. Then then also add automated clicks and it's harder to tell wtf is real.

Re:

[geekmux]

There's no way really to stop others from tracking you across the internet. However, there is another way. Build RandomBrowserBot, that randomly clicks on URLs. Trackers want data? Bury them with useless, wrong, and crap data.

Now THAT is what I call an excellent use of bots.

Lot better than watching someone attempt to find a use for a YT live chat feed, which is like pointing a webcam at a rhino's ass these days.

Re:

[DrXym]

Well there are ways. e.g. Firefox has a Facebook container so that sites embedding shit coming from any Facebook domain are not contributing information back to your Facebook account. Seems like this idea should be extended to other social media services which are abusing things like hidden pixels, scripts, like buttons or whatever.

Re:

[qubezz]

You absolutely can. Block any request to a non-domain site. RequestPolicy used to do this. Firefox changed its plug-in framework that allowed users to control their experience, specifically to make it harder to block profiteers and miners like Google, a criminal backend conspiracy. One must use SeaMonkey fork.

I haven't seen any tiktok trackers.

[Anonymous Coward]

But I have seen twitter, facebook and google on pretty much every website. What domain are they using to track?

Re: I haven't seen any tiktok trackers.

[sonoronos]

Yup. As you have surmised, the tiktok stories are mostly FUD.

I guess you can already see who is starting the anti tik tok battle :)

trackers, trackers everywhere

[Anonymouse Cowtard]

We're running ASUS-Merlin. Last night I was browsing data use by service and website in the logging console. A member of our household had hits to pornhub, xhamster and another one. Only 50 - 150kB each, so obviously not watching anything or even browsing via 80/8081. I was wondering what was going on. It's trackers applied by affiliated sites. You might not look at pr0n, but if you're on some other semi popular but fringe or controversial site, chances are it's owned by or associated with a pr0n advertiser or publisher. One vice to rule them. Another to fool them.

Correction

[93 Escort Wagon]

TikTok tracks Chrome users across the web, even if they don't use the app.

Safari and Firefox block that sort of behavior by default.

Re:Correction

[caseih]

At least for now Privacy Badger works in chrome and blocks all this.

Re:

[atherophage]

UMatrix blocks; breaks; makes surfing difficult. It reveals all the background behind-the-scenes machinations sites use to follow and track -> allows the option to block those not essential. After awhile one learns what scripts are required and which are not to view a site. It is both useful and educational: a real eye-opener. It's web browsing with a standard transmission.

what major website don't

[renegade600]

Just about every single major websites track users who do not have accounts. So not surprising.

Put in effort to protect yourself and you can

[metrix007]

1) Use Waterfox

2) Copy many of the options from the Tor Browser config for privacy. They have a page that explains their config really well.

3) Install extensions like NoScript, uBlock, Trace, LocalCDN, Leakuidator, CookieAutoDelete, ReferrerControl, etc

4) Spoof/randomize as much as you can, but do so carefully. Doing so incorrectly will make you *easier* to trace.

An additional pro-tip would be to setup a script to create a ramdrive and copy your waterfox install to it and run it from there, intermittently copying back extension settings, history, whatever else you want to persist. This had an amazing performance impact as Waterfox now never writes to disk, and it doesn't take any additional memory since all the files it needs are already in memory, and the OS is smart enough to realize that.

There is of course MUCH much more you can do, but even with those basic steps you're going to be resistant to 90% of tracking.

Re:

[Spamalope]

While laudable, it's hard not to stand out doing that. (I'm all for ramdisk storage for software that may track) What about a plugin that P2P swaps trackers; randomizes reported mouse cursor location until you click so you look like a bot; then add random browsing automated fake traffic on that? Maybe randomize your apparent config as well.

Re:

[metrix007]

There is no concern about standing out. With what I suggest many sources of tracking are never loaded and with what they can obtain (much of which is spoofed) they can't pin it to an individual.

The ramdrive thing is purely for performance. It would guard against hard drive examination but that's out out scope for this article's point.

Re:

[geekmux]

You've provided many excellent examples as to why vendors spend billions fighting over the default settings.

Configuring privacy, isn't the hard part. Getting lazy users to give a shit enough to change default settings, is. That's why it's worth billions.

For now....

[the_skywise]

You can use something like Brave with ScriptSafe or NoScript

But this goes completely away with Google's Manifest V3 which blocks these blockers and enforces tracking.

Don't be evil my ass.

Re:For now....

[1s44c]

"Don't be evil" has long been abandoned by Google. They are the same profit seeking amoral mess that every other publicly listed company legally has to be.

Re:

[codebase7]

They are the same profit seeking amoral mess

You mean immoral.

A corporate "person" is just a legal fiction who's decisions and actions are made by real people. Real people who have very much thrown away any and all sense of morality and ethics to indulge their greed just a little bit more.

every other publicly listed company legally has to be.

Legally? Nope. There are laws against this kind of immoral and unethical behavior. The laws are simply not enforced because the enforcers are just as immoral and unethical as the lunatics running the companies.

Tracking pixels

[peppepz]

The article is presenting tracking pixels as if they were a devilish new gimmick from the cunning foreigners, when in fact Google have been using them since the 90s.

Re:

[1s44c]

The whole story is just a repeat of what Facebook was doing 10 years ago. Remember the stories about Facebook tracking people who were logged out across the web?

But yeah, Chinese owners, so lets pretend they invented evil instead of copying it from US companies.

TikTok is the new Facebook

[kmoser]

It's the app everybody loves to hate.

nothing new

[nicubunu]

"TikTok Tracks You Across the Web, Even If You Don't Use the App " - so exactly the same as Facebook and Google? No, really? I am shocked!!!

If you can't beat them,

[diffract]

taint their reputation i guess

Like all the rest of them

[nospam007]

That's why we have tracker-blockers.

as usual...

[sxpert]

it's the facebook pixel all over again...
good thing firefox will not remove manifest v2 support, and adblockers work properly there...

How to Stay Private

[guest reader]

https://restoreprivacy.com/bro... [restoreprivacy.com]

Everybody will know everything anybody does

[La Onza]

I suspect that everything a person does online is known by some group or another. Eventually down the road, everybody will know everything everybody does online. Then eventually after that, everything will be “online” and everybody will know everything anybody does.

Is this different than anyone else?

[jvkjvk]

Just wondering if this is any different than any of the other trackers out there by various companies like Google or Facebook that track you across the web.

I guess it is news that TikTok also does it, but probably not very big news.

"There he is! Stay two car lengths behind ..."

[Babel-17]

That's for when you avoid them on the web, because they aren't playing games! lol