TikTok tracked UK journalist via her cat's account

Robert Timothy/BBC Cristina CriddleRobert Timothy/BBC

Two days before Christmas, TikTok called London-based journalist Cristina Criddle to tell her two of its employees in China, and two in the US, had viewed user data from her personal account without her knowledge or consent.

"It was just really chilling and horrible and, personally, quite violating," she says.

"I was at my family home with my teenage sister, teenage cousins - and they all use TikTok all of the time. They were like, 'Whoa, should we be worried?'".

What happened to Cristina - a Financial Times technology correspondent and a friend and former colleague of mine - is what TikTok and its parent company, ByteDance, have consistently denied happens at all, which is why she has decided to tell BBC News about it.

'Real threat'

TikTok has confirmed members of its internal audit department looked at the location of Cristina's IP address - the unique number of a device - and compared it with the IP data of an unknown number of their own staff, to try to establish who was secretly meeting with the press. They "misused their authority" to do this and were acting unauthorised.

Cristina does not know for how long she was tracked, or how often, but she does know it happened last summer.

"If my location was being monitored 24/7, that's not just limited to my actions at work - which wouldn't be OK even if it was - but this was in my personal life as well," she says. It was when I was out with my friends, when I was going on holiday, all of that stuff's in there.

"The real threat and the real chilling thing is that I was just trying to do my job."

Cristina's TikTok account was on her personal mobile handset - and in the name of her cat, Buffy. Her own name and occupation were not mentioned in the bio.

She had about 170 followers and over three years or so had uploaded some 20 videos of Buffy, viewed, on average, a couple of hundred times.

Buffy TikTok videos
Cristina's cat on TikTok

Like most social-media networks, TikTok collects quite a lot of information about its account holders, including:

  • location data
  • "likes"
  • the device being used
  • online activity outside of the platform itself

Western users' data is never accessed or stored inside China, it says. And the staff responsible for the data breach of Cristina and a handful of other Western journalists, last year, were fired for misconduct.

TikTok owner Bytedance said it "deeply regrets" what was "significant violation" of its code of conduct and was "committed to ensuring this never happens again".

'Being tracked'

Last summer, Cristina had been talking to TikTok staff unhappy with company practices. The data breach had failed to identify her sources, TikTok said.

She says it may also have breached the EU's strict General Data Protection Regulation, which states users have to actively consent to how their data is used. There are large penalties for companies failing to comply.

For now, Cristina has kept her account open because she still needs to be able to access TikTok for work - but the app now lives on a dummy handset kept at her workplace. And she has curtailed both her own and Buffy's social-media use across other platforms as a result of what happened.

"I have really had to think about my safety - mostly my digital safety," she says.

"I'm super-careful now. I have to make sure that there is no chance that my devices are being tracked. I have to make sure that my sources are aware of the possible challenges to their safety as well."

'Extra digging'

Cyber-security expert Prof Alan Woodward, from Surrey University, said this level of tracking "cannot be described as accidental or even incidental".

"Someone had to do some extra digging to work out that the cat account was in fact Cristina," he said.

TikTok is fighting for survival in the US and there is restricted access to it on official devices in several other countries. ByteDance is headquartered in Beijing - although, it also has offices in Europe and the US - and there are concerns it could share Western users' data with the Chinese state if requested.

Nevertheless, it remains wildly popular, with more than 3.5 billion downloads worldwide.