A review of TikTok

July 28, 2021

- Openly HQ

It’s the popular social media app that has generated plenty of headlines over the past twelve months. This week TikTok featured on an episode of Four Corners with follow-up pieces from the ABC, Australian Financial Review, Sydney Morning Herald and The Guardian.

This time, the spotlight has been placed firmly upon TikTok’s age restrictions, its algorithm and, more broadly, its users’ privacy.

Here at Openly, we have been keeping an eye on TikTok for some time. Recently, we completed a detailed analysis of TikTok’s privacy policy & app onboarding experience. Here is what we found.

Onboarding

TikTok’s onboarding is slick. From the moment the app finishes downloading, users are only required to navigate through two screens to get full access to content within the home and discover feeds.

By simply tapping ‘agree and continue’ (more on this later), users are taken to a brief demo that shows how to use the home feed. With a quick tap of ‘start watching’ you enter the world of TikTok.

The Algorithm

We’ll leave the deep dive into the workings of TikTok’s algorithm to the experts. What we will say is that within ten swipes we received our first questionable piece of content, featuring a man asking Siri questions about various sexual acts. Once we had watched that piece of content, it kept flowing.

A video of two teens in bikinis, a video of a woman being slapped on the backside, a video of a man 'upskirting' a female, and a video of a man flashing a female while she was on the phone. Sure, we may have gone looking for this kind of content to prove a point, but we seemed to have a niche far quicker than we had anticipated.

Keep in mind that through all of this, we had still not been asked to confirm our date of birth. We hadn’t even been prompted to sign up.

Privacy Policy

Put simply: TikTok’s privacy policy is huge.

To add some level of perspective, TikTok’s privacy policy is roughly four times the length of Facebook’s privacy policy and half the length of Charlie and the Chocolate Factory by Roald Dahl.

Assuming a user does choose to read the privacy policy before tapping the ‘agree and continue’ button, they are met with this:

In total: 523 paragraphs containing 874 sentences and 16,101 words. 374 sentences contain more than 30 syllables.

If a user were to read TikTok’s privacy policy at 225 words per minute, it would take 71 minutes and 39 seconds to go from start to finish.

According to Readable, TikTok’s privacy policy is scored at an 8+ on the International English Language Testing System (IELTS). A grade of 6 generally means text will be understood by adults with conversational English. This is clearly a major problem.

We decided to add TikTok’s privacy policy into our Artificial Intelligence engine to visualise the extent of its data collection. This technology works by segmenting and scoring every clause to show key information about a policy.

Here is the output:

The consent collected is questionable, as users are shown a dialogue box cleverly overlaid atop a much more interesting screen.

The purpose of the consent dialogue is unclear. Merely asking a user to confirm that they have read the 16,101-word privacy policy does not absolve TikTok of its obligation to clearly outline its collection and disclosure practices. We fairly conclude that the privacy policy is not fit for its intended audience.

Given the level of data that is being siphoned out of the TikTok app, it would be technically possible to validate that a user has not clicked on, or read, the privacy policy. Although these numbers would never be shared publicly, it would be an interesting statistic to review.

Given that this is a video-led platform, it would make sense for TikTok to build a privacy policy in video form that follows the punchy and informative design seen throughout the rest of the app.

A child-friendly video could alleviate some of the privacy risks by clearly explaining the risks versus the reward while highlighting some of the useful privacy settings available in-app.

These additions would be a welcome step toward true fairness and transparency.

Language Settings

Another major problem with the accessibility of TikTok’s privacy policy is the language settings.

According to the Australian Early Development Census (AEDC), 1 in 5 Australian children speak a language other than English at home. Despite this, TikTok displays its privacy policy in English by default.

While this default setting isn’t a problem in itself, TikTok’s privacy policy directs users to change their language, if required, in the language settings. On a desktop computer, this change is relatively intuitive. By scrolling down to the bottom of the page, a user can select from a broad list of languages.

Frustratingly, this option is not available within the privacy policy displayed in-app. It is impossible to change the language settings.

Even if we assume that the majority of English-speaking users have the academic ability to read and understand TikTok’s complex privacy policy, based on the above data from AEDC, we must also assume 1 in 5 don’t understand any of it. This is a major accessibility problem that needs urgent rectification.

Age Restrictions

TikTok does make some effort to enforce its age restrictions. In our testing, we tried to register a user with a year of birth set as 2006. We were met with a banner telling us we weren’t eligible to create an account. After clearing the cache and trying to sign in with Facebook, Apple and Twitter, we continued to receive this banner notification.

The most puzzling thing we found in our review was that after entering the ineligible date of birth, we could still access the home feed and the discover page which allows for access to all of the content on offer. We couldn’t post content or access our message inbox, but despite knowing that we did not satisfy the age restrictions, TikTok still made videos available to us.

It appears that the ineligible date of birth is stored locally (only within the app) and is not linked to the user’s Apple ID or device footprint. This means that by simply deleting and reinstalling the app we were able to circumvent this banner and enter a ‘fake’ date of birth. This satisfied the age restrictions and allowed for an account to be created.

At a minimum, the ability to still consume content must be removed once a user has been identified as ineligible to create an account. Additionally, TikTok should implement stronger measures that prevent delete and download circumvention of its age restrictions.

Summary

Even if we put aside its Chinese links and high levels of data collection, which have been refuted by senior Australian executives, TikTok is still a concerning example of failing at both privacy and safety by design.

The simple accessibility of content, when paired with the barely consumable privacy policy, makes for an extremely risky environment for children.

Based on our analysis, we do not believe it is reasonable to expect that a high percentage of TikTok’s users would access this privacy policy, let alone understand it. Its lack of language accessibility is a major issue that requires immediate redress.

The age controls are also extremely weak, and several measures should be implemented very rapidly to reduce some of the risk to users. Content tagging that prevents users from seeing some of the videos we found without logging in would be a good starting point.

Of course, some blame must rest upon the app stores too. Apple knows the age of its users. Date of birth is a key piece of information that is collected from its users at signup, and the fact that apps with age restrictions are even made available to children within these app stores is concerning.

Changes are long overdue. It is time for TikTok to put its users first.
