(United States) TikTok's use of the HTTP protocol for personal data is "inherently unsafe and a privacy risk". SC Magazine reports as follows:
TikTok’s continued use of HTTP to move sensitive data across the internet is allowing the videos and other content being sent by the app’s users to be tracked and altered, according to two web developers.
Talal Haj Bakry and Tommy Mysk noted in a blog that the CDN used by TikTok still uses unencrypted HTTP for data transfers instead of HTTPS creating a gap in their security that can be exploited.
“While this [using HTTP] improves the performance of data transfer, it puts user privacy at risk. HTTP traffic can be easily tracked, and even altered by malicious actors,” they said.
TikTok’s high risk factor has already pushed the U.S. military to ban its members from using the Chinese-owned app due to its privacy and security issues. The company has rejected those claims, but the app’s activity has spurred some legal action. In early 2019, the Federal Trade Commission said Musical.ly, TikTok’s earlier iteration, illegally gathered and used children’s personal data, and levied a $5.7million fine on the app for violating the Children’s Online Privacy Protection Act (COPPA).
Part of the problem is TikTok takes advantage of the fact that Apple and Google still allow developers to not use HTTPS, a loophole that allows for backward compatibility. But the Bakry and Mysk said doing so should be a rare exception and not for such a heavily used app. The versions of TikTok for iOS, 15.5.6, and Android, 15.7.4, still send content to their CDN using HTTP.
“Consequently, TikTok inherits all of the known and well-documented HTTP vulnerabilities. Any router between the TikTok app and TikTok’s CDNs can easily list all the videos that a user has downloaded and watched, exposing their watch history. Public Wifi operators, Internet Service Providers, and intelligence agencies can collect this data without much effort,” they wrote.
(Privacy press clipping sourced via SC Magazine)
Jurisdiction: United States
As pointed out by SC Magazine, TikTok’s operators have previously received a privacy fine in the US – US$ 5.7 million in 2019 from the Federal Trade Commission. This fine concerned the failure to obtain parental consent for users under the age of 13.
Privacy laws typically require companies to take appropriate technical and organizational measures to protect personal data. This is the point of Article 32 of the GDPR and Section 24 of the PDPA 2012 (Singapore).
The question is whether the use of the HTTP protocol by TikTok would fall short of this standard. Most would say it would – given that communications on the protocol can be easily tracked and recorded. Apps that still transfer personal data on HTTP, particularly sensitive personal data, may be exposed to regulatory action in the future. Regulators will ask whether the continued use of HTTP is a reasonable or appropriate precaution for the protection of data relating to individuals.