TikTok is the word that is on everybody's lips. The video-sharing social network has taken the world by storm and has amassed 800 million users worldwide. Out of these 800 million users, 41% are aged between 16 and 24. A key fact to consider is that the remaining 59% are not exclusively over 24; they can also fall in the 15-and-under bracket. The app's popularity amongst young people is evident when looking at Charli D'Amelio, TikTok's star creator. D'Amelio has 80 million followers, has acquired 6 billion likes, and is only 16 years of age. It is reasonable to believe that such a young demographic frequents this app when the star creator is still a minor in her country of birth.
Through all the popularity that TikTok has received, there has been an ongoing concern about the surveillance tactics of the app. An Orwellian level of data acquisition is something that TikTok has fervently denied since its inception, but is something that has raised concern for a lot of users. What if there were ways that creators could unwittingly give away personal information without the need for app permissions?
My Name, My Age, My Favourite Colour…
TikTok users create videos using audio clips called “sounds”. Users are also free to record audio for other users to use as a “sound” in their video. These sounds can also take the form of “challenges” for users to take part in.
The challenge in focus here revolves around a song composed by "CHIS" named "Some things abt me" (sic). The song features a male singer (with added harmonies), an acoustic guitar, and light percussion. The song seems to be directed at the singer's love interest, who is subjected to an outpouring of personal facts about the singer (Slide 2). TikTok users use this song to reveal information about themselves (usually by pointing at an on-screen text box or via an accompanying picture/prop). This "challenge" seems innocuous at first, but when the questions are all answered, it is clear how much personal information is revealed (Slide 3).
You can see by the (fictitious) data that I have supplied that this is a dangerous amount of information to be broadcasting to the public. This information could lead to three malicious outcomes:
- Data farming - Through the monitoring of the information given in the video.
- Stalking and Doxxing - Name, age, physical description, nickname, location. These can pinpoint a user to a specific town/area/house (especially if the street is visible in a previous video). A malicious user can use this information to stalk and/or harm the creator.
- Password acquisition - The personal information supplied in the song can give an insight into the user's password or security questions.
To elaborate further, The Journal of Accountancy lists the following as "common" questions for password recovery:
- What is your mother's maiden name? - Could be found on social media platforms once the creator is identified.
- What is the name of your first pet? - "Do I have a pet and have I named it yet?"
- What was your first car? - Could be found on social media platforms once the creator is identified.
- What elementary school did you attend? - Could be found by googling schools in the area named in the song ("What's my nationality?").
- What is the name of the town where you were born? - "What's my nationality?"
A further cause for concern lies in the more "challenging" questions suggested on the website:
- When you were young, what did you want to be when you grew up? - "What I want to grow up to be"
- Who was your childhood hero? - High-profile stars in the field of interest named in the song who are relevant to the creator's age.
- Where was your best family vacation as a kid? - Could be found on social media platforms once the creator is identified.
The mere suggestion of these malicious ways of identifying creators should be met with trepidation and outrage. However, it should not be ignored. The suggestions (in bold) are an indicator of how personal information can be twisted from what can seem like a "sugar-coated" source. The soft tone of the song has masked the fact that users are being "challenged" to supply this information, and the fear of community exclusion could be enough to force users to join in with a challenge of this type.
Put a Finger Down
The "put a finger down" challenge revolves around the creator holding up 10 fingers to the camera as the audio asks specific questions. If the creator meets the criteria of a question then they put down a finger. The aim is to end the challenge with as few fingers remaining as possible. This challenge is malleable in that a user can record themselves asking any set of questions in any genre/life focus. One challenge, in particular, is the "relationship edition". The questions are as follows ("put a finger down..." will always precede the question):
- If you have ever been in love
- Ever been in a relationship that has lasted more than four months
- If you have been in more than 4 relationships
- Asked someone out
- Had a promise ring or given somebody one
- Made a gift for a girlfriend or boyfriend
- Been on a vacation with a girlfriend or boyfriend
- In a relationship right now
- Touch bracelet or love box
- Introduced your parents to a girlfriend or boyfriend
These questions are prompting the creator to divulge a significant amount of information about their romantic history. The user (as before) is also free to elaborate on answers with visual aids. Our fictional “Joel” has supplied the world with a plethora of information about his relationship status. "Joel" may have also given away visual information about his partner(s). The list is growing. (Slide 4).
Viewing this challenge may cause a user to simply move on with their day. Write the answers on paper and put them into context, and it takes on a more sinister form.
The acquisition of data in this example is a two-pronged attack.
The ambiguous nature of these questions is the trip-wire that the creator cannot see until it is too late. If you were to ask a random person/user a direct question such as "What is your date of birth?", this may be met with hesitation or a refusal to answer. If this question were to be broken down into smaller, less direct questions, such as "What's your age?" and "What's your star sign?", the person may be less guarded in their response. With the answers, you have now narrowed their date of birth down to within 30 days. Throw in a "quirky" question such as "Which child are you?" (in reference to the "Monday's Child" poem) and you now have their date of birth boiled down to one of 4 days.
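To quantify the narrowing described above, the following added example (not part of the original article) counts the birth dates that remain consistent with each answer given by the fictional "Joel". The viewing date, the star-sign boundaries and the function names are assumptions made for the illustration.

```python
from datetime import date, timedelta

# Conventional Western zodiac windows, (month, day) inclusive. Boundaries
# differ by a day between sources, so treat them as approximate.
SIGNS = {
    "aries": ((3, 21), (4, 19)), "taurus": ((4, 20), (5, 20)),
    "gemini": ((5, 21), (6, 20)), "cancer": ((6, 21), (7, 22)),
    "leo": ((7, 23), (8, 22)), "virgo": ((8, 23), (9, 22)),
    "libra": ((9, 23), (10, 22)), "scorpio": ((10, 23), (11, 21)),
    "sagittarius": ((11, 22), (12, 21)), "capricorn": ((12, 22), (1, 19)),
    "aquarius": ((1, 20), (2, 18)), "pisces": ((2, 19), (3, 20)),
}

def in_sign(d, sign):
    start, end = SIGNS[sign]
    md = (d.month, d.day)
    if start <= end:
        return start <= md <= end
    return md >= start or md <= end  # Capricorn wraps over New Year

def age_on(birth, today):
    had_birthday = (today.month, today.day) >= (birth.month, birth.day)
    return today.year - birth.year - (0 if had_birthday else 1)

def remaining_birthdates(age, today, sign=None, weekday=None):
    """Birth dates still consistent with the disclosed answers.
    weekday uses date.weekday(): Monday is 0, Sunday is 6."""
    d = date(today.year - age - 1, 1, 1)
    end = date(today.year - age, 12, 31)
    out = []
    while d <= end:
        if (age_on(d, today) == age
                and (sign is None or in_sign(d, sign))
                and (weekday is None or d.weekday() == weekday)):
            out.append(d)
        d += timedelta(days=1)
    return out

if __name__ == "__main__":
    # Constructed profile for the fictional "Joel": 16, Leo, "Monday's child".
    today = date(2020, 9, 22)  # assumed date the video is viewed
    print("age only:", len(remaining_birthdates(16, today)))
    print("+ star sign:", len(remaining_birthdates(16, today, "leo")))
    print("+ weekday:", remaining_birthdates(16, today, "leo", 0))
```

For this constructed profile the candidate set shrinks from 366 dates to 31 and then to four, in line with the estimate above.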
Additionally, the idea of being “challenged” to do something is intoxicating. It takes creators back to the playground where they may have been “dared” to jump off the climbing frame. The mere mention of the word “challenge” also implies that there is a winner. By participating and completing the challenge, you can win.
Congratulations, you have won the challenge, but at what cost?
- Digital 2020: A Global Review. Available at: https://datareportal.com/reports/digital-2020-global-digital-overview. Accessed 20/09/20
- Is TikTok Setting the Trend for Music on Social Media? Available at: https://blog.globalwebindex.com/trends/tiktok-music-social-media. Accessed 20/09/20
- TikTok User: charlidamelio. Available at: https://www.tiktok.com/@charlidamelio?lang=en. Accessed 20/09/20
- CHIS: Some Things Abt Me (YouTube). Available at: https://www.youtube.com/watch?v=IBDpzQQGGbM. Accessed 20/09/20
- Online Security: The Password Recovery Questions You Should be Answering. Available at: https://www.journalofaccountancy.com/issues/2018/mar/password-recovery-questions.html. Accessed 21/09/20
- Popular Rhymes and Nursery Tales: A Sequel to the Nursery Rhymes of England. Available at: https://archive.org/details/popularrhymesan00philgoog/page/n10/mode/2up. Accessed 22/09/20