Use of TikTok at UBC

• Access your account through your web browser, versus downloading the app
• Update your privacy settings to control what information is collected and shared.
• Limit the personal information you share including birthdate, address, and phone number.
• Do not click on suspicious messages or links, even if they appear to be posted by someone you know.
• If you get a "Friend Request" from someone you think you are already friends with then think, don't click.
  • Check your account for that friend
  • If you are still connected to that friend then you can assume that the new request is a scam
  • Report the scam and notify your friend that someone is impersonating them
• Flag any posts or messages that appear to be scams.
• Use unique and complex passwords for your accounts.
  • Using a password generator can help you create strong passwords and will securely store them for you so you don't have to remember them on your own.
• Do not log in to your account while using public Wi-Fi
• Enable multi-factor authentication
  • TikTok
  • Instagram
  • Twitter
  • Facebook
  • Google (including YouTube)
  • LinkedIn

The TikTok mobile app is reported to collect data not only while using the mobile app, but on all activities across the device while the mobile app is installed, even if not in use. Of particular concern from a security perspective is the reference in TikTok's Terms of Service that the app may capture all keystroke patterns used on the device which would allow usernames and passwords to be exposed.

It is also believed that TikTok collects information about the use of the mobile device beyond the use of the TikTok application based on its Privacy Policy.

This data collection is similar to other social media platforms that collect a significant amount of data, however, some aspects identified in TikTok's Privacy Policy, such as keystroke logging, are unique to TikTok and pose a significant security risk. Additionally, there is concern that TikTok is sharing all of the data that it collects with its parent company ByteDance with the risk that it in turn could provide this data to China's government under its national security law. This could pose risks to UBC's broader systems and the personal data of its community, in addition to intellectual property rights, academic freedom, and reputation. In 2022 TikTok confirmed that employees in China have access to data, even if stored outside Canada.

By installing software such as social media apps on your mobile devices, you give these companies permission to access your phone's data including photos, videos, contact lists, and location information. Sometimes you can explicitly deny these permissions, but in order to use these apps to their fullest, you may not be given that option.

• Here are some risks that could impact you:
  • Identity theft. Many people consider their personal social media presence to be private. However, attackers can use personal information shared on these apps to impersonate you and access confidential data, such as bank account information. This is a powerful tool for those looking to commit financial fraud.
  • Privacy concerns. Depending on your privacy settings, personal information and communications posted on social media can be accessed by unintended readers or recipients.
  • Data leakage. The apps you install may contain spyware, resulting in the leakage of your important information, including credit card numbers, personal photos, or stored passwords.
  • Information sharing.Apps may collect your personal information in the background, such as where you shop, what you search for, and your travel patterns, and then share it with marketing firms or other agencies without your knowledge.

Since most of these apps, especially those on personal devices, are not vetted by UBC's privacy and information security teams, they may contain vulnerabilities that could be exploited and result in security incidents.

Due to the data collection and sharing policies of these apps, the University's confidential information is at risk of exposure to unauthorized users, which may result in reputational and privacy impacts to you and the UBC community.

These applications may be an entry point for social-engineering attacks such as phishing and ransomware, which may put the University, its community members, and their data at risk.

UBC's privacy and information security teams believe that TikTok does pose a risk to UBC's systems and its stakeholders based on the implied activity in the Privacy Policy. UBC's Privacy Impact Assessment (PIA) process recently evaluated the use of certain TikTok direct marketing features and determined they were not compliant with British Columbia's Freedom of Information and Protection of Privacy Act (FIPPA) due to the sharing of personal information with TikTok without the required contractual protections on TikTok's use of the data. This Automatic Matching service is effectively already banned at UBC. However, UBC has not conducted a PIA on UBC's use of the TikTok platform for other direct marketing services; nor has it performed a security review of the app.