Fact Check: TikTok Tracks 'Keystroke Patterns' While Using In-App Browser. Here's What That Means
Claim:
Social media app TikTok can monitor keystrokes or taps made by a user.
Rating:
What's True:
The research on which this claim is based shows that TikTok tracks inputs made while a person uses the app's built-in web browser on Apple's iOS, which TikTok does not allow users to disable. The company's privacy policy says "keystroke patterns or rhythms" are "automatically collected information," which users cannot opt out of providing. However ...
What's False:
... TikTok said collecting "keystroke patterns or rhythms" is "fundamentally" different from collecting the actual content of what a user types. The company claims this data refers to the timing of when keys are pressed and not the specific keys that are pressed.
What's Undetermined:
It is unknown what TikTok does with the information collected, but the company claims it is for "performance related purposes, such as to verify the authenticity of an account, for risk control, debugging, troubleshooting, and monitoring for proper performance."
The Chinese-founded social media platform TikTok has been the target of the U.S. government over national-security concerns, with U.S. President Joe Biden signing a bill in April 2024 that bans the app unless its owner, ByteDance, sells it.
Privacy concerns on the internet are nothing new, but claims have circulated online since 2022 that TikTok is able to track all of its users' keystrokes and inputs. As one Reddit user put it, "I thought this was common knowledge. Unless people thought it was a conspiracy. In which case wow."
(user CyberMasterV on Reddit)
According to TikTok's privacy policy, which users must agree to before using the app, TikTok does collect some keystroke data, though the technical details are not as specific as the claim implies. While it's unknown what exactly the company does with this information, under the heading "Automatically Collected Information," the policy reads, in part:
We collect certain information about the device you use to access the Platform, such as your IP address, user agent, mobile carrier, time zone settings, identifiers for advertising purposes, model of your device, the device system, network type, device IDs, your screen resolution and operating system, app and file names and types, keystroke patterns or rhythms, battery state, audio settings and connected audio devices.
A spokesperson for TikTok told Snopes that "keystroke patterns or rhythms" is "fundamentally" different from tracking the specifics of what a user types. The spokesperson said this data does not include which keys are actually pressed, just the timing of when they're pressed. The person also confirmed to Snopes there is no way for a user to opt out of providing this data.
The statement read: "TikTok collects certain keystroke patterns or rhythms for security and performance related purposes, such as to verify the authenticity of an account, for risk control, debugging, troubleshooting, and monitoring for proper performance."
A representative directed us to a post on the TikTok website explaining the privacy policy in further detail, including a section on "keystrokes," which repeats the statement above and adds:
Prior to September 2022, when people used TikTok's in-app browser to browse a third party website, TikTok did not track which keys were pressed, only the fact that a key was pressed (a "key event") on a third-party website. Similarly, TikTok did not track which buttons were clicked on a third-party website, only the fact that a click had occurred (a "click event"), except in limited error scenarios. Moreover, starting in September 2022 for users using a current version of the App, no key events or click events were logged except when the IAB was used to view a TikTok-owned website.
The claim first surfaced when self-described "security and privacy researcher" Felix Krause published a report on his blog in August 2022 alleging that TikTok was able to track its users' keystroke inputs in the platform's in-app web browser. The claim was then reported on by outlets such as The New York Times, The Guardian and Forbes.
Krause wrote, "When you open any link on the TikTok iOS app, it's opened inside their in-app browser. While you are interacting with the website, TikTok subscribes to all keyboard inputs (including passwords, credit card information, etc.) and every tap on the screen, like which buttons and links you click." Snopes could not independently verify Krause's findings.
"When opening a website from within the TikTok iOS app, they inject code that can observe every keyboard input (which may include credit card details, passwords or other sensitive information). TikTok also has code to observe all taps, like clicking on any buttons or links." (Felix Krause, @KrauseFx, on Twitter, August 18, 2022)
The report followed up on a previous post Krause made about other social media platforms like Facebook and Instagram, which also track users' inputs when using an in-app browser. However, of these platforms, TikTok is the only one that does not allow users the option to use an external browser for increased security.
Krause created a website, inappbrowser.com, that can detect the code being used when opened within a social media app's web browser. Though the code is highly technical, Krause also provides a more rudimentary explanation through a Frequently Asked Questions section on his website.
For example:
Can in-app browsers read everything I do online? Yes, if you are browsing through their in-app browser they technically can.
Are companies doing this on purpose? Building your own in-app browser takes a non-trivial time to program and maintain, significantly more than just using the privacy and user-friendly alternative that's already been built into the iPhone for the past 7 years. Most likely there is some motivation there for the company to track your activities on those websites.
I opened InAppBrowser.com inside an app, and it doesn't show any commands. Am I safe? No! First of all, the website only checks for one of many hundreds of attack vectors: JavaScript injection from the app itself. And even for those, as of December 2020, app developers can completely hide the JavaScript commands they execute, therefore there is no way for us to verify what is actually happening under the hood.
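One way a web page can observe which input listeners other scripts register on it, shown as an added example that is not code from inappbrowser.com, Krause or TikTok. It labels each listener by whether its source reads key or field content, the distinction TikTok's statement draws between a "key event" and which key was pressed; the event list, the regex heuristic and all names here are assumptions.

```javascript
// Added illustration; not code from inappbrowser.com or TikTok.
// Event types that reveal typing or tapping activity (this list is an assumption).
const INPUT_EVENTS = new Set(["keydown", "keyup", "keypress", "input", "click"]);

// Heuristic only: property reads that expose *what* was typed or clicked,
// as opposed to the mere fact and time of an event.
const CONTENT_READS = /\.(key|code|keyCode|which|charCode|data|value|innerText|textContent)\b/;

function classifyListener(listener) {
  const src = typeof listener === "function"
    ? Function.prototype.toString.call(listener)
    : "";
  // Bound or native functions hide their source, so no verdict is possible.
  if (!src || src.includes("[native code]")) return "unknown";
  return CONTENT_READS.test(src) ? "may-read-content" : "event-only";
}

// Wrap target.addEventListener (e.g. `document` in a browser) and record every
// later registration for an input-related event.
function watchListenerRegistrations(target) {
  const seen = [];
  const original = target.addEventListener;
  target.addEventListener = function (type, listener, options) {
    if (INPUT_EVENTS.has(type)) {
      seen.push({ type, verdict: classifyListener(listener) });
    }
    return original.call(this, type, listener, options);
  };
  return {
    report: () => seen.map((entry) => ({ ...entry })),
    restore: () => { target.addEventListener = original; },
  };
}

// Constructed demo: a plain EventTarget stands in for `document`.
function demo() {
  const target = new EventTarget();
  const watch = watchListenerRegistrations(target);
  target.addEventListener("keydown", (e) => ({ t: e.timeStamp })); // timing only
  target.addEventListener("keydown", (e) => ({ k: e.key }));       // key identity
  target.addEventListener("click", function () {}.bind(null));     // opaque source
  target.addEventListener("scroll", () => {});                     // not tracked
  watch.restore();
  target.addEventListener("input", (e) => e.target.value);         // after restore
  return watch.report();
}
```

As the FAQ quoted above says, apps can hide the JavaScript they execute, so an empty report from a check like this does not show that nothing is listening.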
According to the article in Forbes published Aug. 18, 2022, a TikTok representative gave a statement similar to the one given to Snopes:
Like other platforms, we use an in-app browser to provide an optimal user experience, but the Javascript code in question is used only for debugging, troubleshooting and performance monitoring of that experience — like checking how quickly a page loads or whether it crashes.
However, an article published in The New York Times the next day contradicted this statement — and seemingly TikTok's privacy policy — with a TikTok spokesperson claiming Krause's research was "incorrect and misleading" and saying, "Contrary to the report's claims, we do not collect keystroke or text inputs through this code."
TikTok confirmed to Snopes the privacy policy has been updated several times "for a variety of reasons" since the claim first emerged in 2022, but declined to comment on the discrepancy between the comments made to Forbes and The New York Times.
The company's privacy policy also adds that no "transmission of data over the Internet or any other public network can be guaranteed to be 100 percent secure."
TikTok's website has a page dedicated to explaining its efforts in data security, a program it refers to as "Project Texas," meant to address U.S. national security concerns.
Snopes has covered many claims related to internet privacy over the years, including claims that 23andMe sold genetic data to the Chinese government, that Ovia's reproductive health app requires users to input their geographic location and that copying and pasting a particular message won't stop Meta from scraping user data.
Sources:
Allyn, Bobby. "President Biden Signs Law to Ban TikTok Nationwide Unless It Is Sold." NPR, 24 Apr. 2024. NPR, https://www.npr.org/2024/04/24/1246663779/biden-ban-tiktok-us.
"As TikTok Bill Steams Forward, Online Influencers Put on Their Lobbying Hats to Visit Washington." AP News, 12 Mar. 2024, https://apnews.com/article/tiktok-ban-bill-bytedance-divest-house-3f7dd623cbdce8b04af5cc483be9daa2.
"iOS Privacy: Announcing InAppBrowser.Com - See What JavaScript Commands Get Injected through an in-App Browser." Felix Krause, 18 Aug. 2022, https://krausefx.com//blog/announcing-inappbrowsercom-see-what-javascript-commands-get-executed-in-an-in-app-browser.
"iOS Privacy: Instagram and Facebook Can Track Anything You Do on Any Website in Their in-App Browser." Felix Krause, 10 Aug. 2022, https://krausefx.com//blog/ios-privacy-instagram-and-facebook-can-track-anything-you-do-on-any-website-in-their-in-app-browser.
Nieva, Richard. "TikTok's In-App Browser Includes Code That Can Monitor Your Keystrokes, Researcher Says." Forbes, https://www.forbes.com/sites/richardnieva/2022/08/18/tiktok-in-app-browser-research/. Accessed 3 Jan. 2025.
Paul Mozur, Ryan Mac and Chang Che. "TikTok Browser Can Track Users' Keystrokes, According to New Research." The New York Times, 19 Aug. 2022.
Privacy Policy | TikTok. https://www.tiktok.com/legal/page/us/privacy-policy/en. Accessed 3 Jan. 2025.
Terms of Service | TikTok. https://www.tiktok.com/legal/page/us/terms-of-service/en. Accessed 3 Jan. 2025.
"TikTok Truths: A New Series on Our Privacy and Data Security Practices." Newsroom | TikTok, 16 Aug. 2019, https://newsroom.tiktok.com/en-us/tiktok-truths-a-new-series-on-our-privacy-and-data-security-practices.
Touma, Rafqa. "TikTok Can Track Users' Every Tap as They Visit Other Sites through iOS App, New Research Shows." The Guardian, 24 Aug. 2022. The Guardian, https://www.theguardian.com/technology/2022/aug/24/tiktok-can-track-users-every-tap-as-they-visit-other-sites-through-ios-app-new-research-shows.
"White House Backs Bipartisan Bill That Could Be Used to Ban TikTok." NBC News, 7 Mar. 2023, https://www.nbcnews.com/tech/tech-news/restrict-act-bill-tiktok-rcna73682.