(30th June 2020) By Roland Cloutier, TikTok Chief Information Security Officer
Building technology security defences is a constant effort to anticipate, plan, and react. What has been clear since I started this job almost three months ago is that the team at TikTok is fully committed to protecting the privacy of our users and providing transparency on our overall security efforts. As I wrote a few weeks ago, my team of security experts and I are undertaking a broad review of our security processes and infrastructure. With this in mind, I would like to update the community on some recent developments.
First let me start with some background. Earlier this year a report noted that many prominent apps, including TikTok and other major entertainment as well as news apps, were requesting access to users' clipboards. There are many legitimate reasons why something like this would occur. For example, if you copy a website address in one app and then open a browser, most browsers will ask if you want to paste the text and go to the URL directly. This is an example of how browsers attempt to make your user experience better, but it requires the app to know that a URL is sitting on the clipboard. There are dozens of other reasons why apps might want to see if information is sitting on a user's clipboard.
In the case of TikTok, this notification had been triggered by integration of the Google Ads SDK. While this type of data was not sent to TikTok, we appreciate that this issue was confusing to many users and could have led them to believe that TikTok itself was using the data for unclear purposes. Further, the ubiquitous nature of third party ad programmes helps explain why so many other apps indicated similar behavior. In response, on April 16 we updated our app so the ad programme would not be able to access users' clipboards.
Last week, following the launch of Beta iOS 14, TikTok users saw a similar iOS notification when they tried to type comments on a video. Users also saw notifications on a number of other popular apps. While I can't know for sure why users saw notifications for other apps, I can explain why this happened with TikTok, how this occurred shortly after a similar issue, and what we are doing to stop it again, given the perception that this type of action might compromise user security.
We are constantly building new features to improve the experience on TikTok. In this case, we had been working to address the problem of spam and incidents where users sometimes post the same comments on hundreds of videos. Our technology allowed us to identify users who were copying comments and placing them over and over in the comment section for different videos. We took this as a signal that the user had an agenda, such as promoting themselves to gain followers, or trolling other users.
We launched an anti-spam feature so that we could quickly detect spam and improve the experience for our community. This feature was added in the iOS version of the app released on May 22.
From a technical point of view, this anti-bot defence technology performed a string-matching validation against the clipboard. Its only function was to check whether text entered into the application matched the contents of the clipboard. There was no collection of any data from the clipboard, simply a validation against data entered into the app, similar to a hash comparison.
In layman's terms, the anti-spam programme never sent user data off the user's device. Nonetheless, we understand that the notification had the unintended consequence of making it appear as though we might be doing more with the feature. Last week we sent an update to the App Store removing this feature, and it has been resolved in version 16.6.1 of the TikTok app, which appeared in the Apple App Store on June 27. As always, we encourage all of our users to update their apps to the latest version.
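As an added illustration (not TikTok's code) of the check described above: the submitted comment and the clipboard contents are compared by digest, so the clipboard text itself is never stored or sent anywhere, and repeated pasted comments across different videos are counted as the spam signal described earlier. The function names, the threshold and the sample comments are assumptions constructed for this example.

```python
import hashlib
from collections import defaultdict

# Assumed threshold for this example, not a value TikTok has published.
REPEAT_THRESHOLD = 3


def fingerprint(text: str) -> str:
    """Reduce text to a SHA-256 digest so only the digest, never the
    clipboard contents, is kept in memory for comparison."""
    return hashlib.sha256(text.strip().encode("utf-8")).hexdigest()


def came_from_clipboard(comment: str, clipboard: str) -> bool:
    """Validate whether the submitted comment matches the clipboard.

    Only the two digests are compared; the clipboard text is not retained.
    Reading the clipboard at all is what triggers the iOS 14 paste notice,
    which is the behaviour the post explains."""
    if not comment.strip():
        return False  # an empty comment is never treated as a paste
    return fingerprint(comment) == fingerprint(clipboard)


class PasteSpamDetector:
    """Per-device count of distinct videos that received the same pasted
    comment. Only digests and video ids are stored, nothing leaves the
    device."""

    def __init__(self, threshold: int = REPEAT_THRESHOLD):
        self.threshold = threshold
        self._videos_by_digest = defaultdict(set)  # digest -> {video ids}

    def record(self, comment: str, clipboard: str, video_id: str) -> bool:
        """Record one comment submission. Return True when the same pasted
        comment has now been posted on at least `threshold` videos."""
        if not came_from_clipboard(comment, clipboard):
            return False  # comments typed by hand are never counted
        digest = fingerprint(comment)
        self._videos_by_digest[digest].add(video_id)
        return len(self._videos_by_digest[digest]) >= self.threshold


if __name__ == "__main__":
    # Constructed sample: the same pasted comment on three videos trips the signal.
    detector = PasteSpamDetector()
    for vid in ("video-1", "video-2", "video-3"):
        print(vid, detector.record("follow me!", "follow me!", vid))
```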
The anti-spam feature was never added to the Android version of the app, and we are now addressing the issue of spam in both versions through other technology that does not involve the clipboard.
The anti-spam feature that was operational from May 22 to June 27 is similar to features in dozens, if not hundreds, of other apps that triggered notifications from iOS 14. At the same time, we appreciate that it would have been better to avoid adding a feature that would raise questions about TikTok's access to the clipboard in any scenario, particularly so shortly after we had worked to eliminate this type of access for a different feature.
We also understand that while many apps are triggering this type of notification, often for innocuous reasons, users have legitimate questions about what companies are doing with data. We fully accept that and strive to be a leader in the industry, not only working every day to protect the safety and privacy of our users, but also being transparent and forthright about our practices.
With this in mind, I am leading a sprint initiative to conduct thorough, ongoing app security assessments, remediations, verifications, and pre-deployment testing and validation to prevent issues like this. This is the highest priority for the team, and we have the full support of our executive management team to conduct our analysis and take action. We will have a team of engineers fully dedicated to this project.
Further, we are conducting a review of our feature release processes to help limit the possibility that such issues might arise in the future when we roll out new features.
As part of this, we've undertaken a full review of all clipboard issues to consider other possible scenarios where this could occur. In particular, we looked at scenarios where there could be any type of clipboard access action that was not directly initiated by the user. For example, pasting information into TikTok would be a user-initiated action, and it brings value to the user. Over the next several days, we will work with our third-party partners to complete that review and confirm that no other such scenarios exist. We will report back on our findings shortly.
We're committed to building an app that respects the privacy of our users and to being more transparent with our community. We'll continue to update you about ways we are improving TikTok, and later this year, we'll open our Transparency Center to give experts a behind-the-scenes look at how we keep people safe and protect their privacy. Security is a job that is never finished, but I can tell you we'll continue to aggressively build an experience that respects and protects our community.