Cristina Criddle, a technology correspondent for the Financial Times, received a call from TikTok two days before Christmas, informing her that four employees (two in China and two in the US) had successfully accessed user data from her personal account without her knowledge or consent. Cristina found this experience "chilling," "horrible," and personally violating.
While She received the information she was at her family home with her teenage sister and cousins, all avid TikTok users who were concerned by the news. Despite TikTok and its parent company, ByteDance, consistently denying such occurrences, Cristina decided to speak with BBC News.
During the summer, TikTok's internal audit department tracked Cristina's IP address and matched it with the IP data of some staff members to identify who was meeting with the press in secret. TikTok acknowledged that this action was unauthorized and an abuse of authority.
Cristina is unsure about the duration and frequency of the tracking, but she knows her location was monitored around the clock, even in her personal life. For instance, when she was with friends or on vacation. Cristina feels that it is not acceptable to monitor her activities, whether work-related or not.
"I was at my family home with my teenage sister, teenage cousins - and they all use TikTok all of the time. They were like, 'Whoa, should we be worried?” said Cristina.
Cristina believes that the breach may have violated the European Union's stringent General Data Protection Regulation, which requires users to actively consent to how their data is used. Companies can face significant fines for failing to comply with the regulation.
Despite the breach, Cristina still needs to use TikTok for her work, so she has kept her account open. However, she now keeps the app on a dummy device at work. Additionally, she has reduced her and her dog Buffy's social media use on other platforms due to the incident.
According to cyber-security expert Prof Alan Woodward from Surrey University, the level of tracking performed on Cristina's account was not accidental or incidental. It required additional effort to identify her account, which is concerning. There are worries that ByteDance, which is based in Beijing but has offices in Europe and the US, could share user data with the Chinese state if required.
Despite these concerns, TikTok remains extremely popular, with over 3.5 billion downloads globally. However, the app faces challenges in the US and is not readily available on official devices in some other countries.