TikTok Trackers Embedded in U.S. State-government websites, review finds

A review of the websites of more than 3,500 companies, organizations and government entities by the Toronto-based company Feroot Security found that so-called tracking pixels from the TikTok parent company were present in 30 U.S. state-government websites across 27 states, including some where the app has been banned from state networks and devices. Feroot collected the data in January and February of this year.

The presence of that code means that U.S. state governments around the country are inadvertently participating in a data-collection effort for a foreign-owned company, one that senior Biden administration officials and lawmakers of both parties have said could be harmful to U.S. national security and the privacy of Americans.

Site administrators usually place such pixels on the government websites to help measure the effectiveness of advertising they have purchased on TikTok. It helps government agencies determine how many people saw an ad on the social-media app and took some action—such as visiting a website or signing up for a service. The pixels’ proliferation offers another vector for data collection beyond TikTok’s popular mobile app, which is increasingly under fire in Washington as a possible way for the Chinese government to collect data on Americans.

TikToks pixels “can be watching and recording you when you’re renewing your driver’s license, paying your taxes or filling out doctors’ forms,” said Ivan Tsarynny, chief executive of Feroot, adding that they should be removed from websites of government agencies and companies that collect personal information.

“Like other platforms, the data we receive from advertisers is used to improve the effectiveness of our advertising services,” a TikTok spokeswoman said in a statement. “Our terms instruct advertisers not to share certain data with us, and we continuously work with our partners to avoid inadvertent transmission of such data.”

TikTok has previously emphasized that its user data is stored in the U.S., not China. The company has pledged to spend $1.5 billion on a program to safeguard U.S. user data and content from Chinese government access or influence.

Tracking pixels, also called web beacons, are ubiquitous on commercial websites. The free bits of software code are intended to support digital marketing and advertising by logging a visitor’s interactions with the site, such as what is clicked on and the duration of a visit.

Such pixels are typically created by social-media platforms such as Meta Platforms Inc., which owns Facebook and Instagram, or advertising-technology giant Google, a unit of Alphabet Inc. But in recent years, as TikTok’s popularity has grown, ByteDance has been building an advertising business aimed at competing with U.S. social-media services, and its pixel has started appearing in numerous websites aimed at U.S. consumers.

While the web-tracking pixels ostensibly aim to better pinpoint advertising, they also pose threats for privacy, security experts have said. They can sometimes be configured to collect data that users enter on websites, such as usernames, addresses and other sensitive information. With enough pixels on enough websites, the companies running them can begin to piece together the browsing behavior of individual users as they move from domain to domain, building detailed profiles on their interests and online habits.

The Wall Street Journal was able to replicate a sampling of Feroot’s findings, identifying a TikTok tracking pixel in the code of a Maryland Department of Health Covid website and a Utah government website aimed at helping job seekers. Both states issued executive orders in recent months banning the app from state-owned devices and networks, but the tracking pixel remained embedded in the two official websites as recently as last week.

Utah and Maryland removed the pixel after being contacted by the Journal.

“We work with an advertising agency to run educational campaigns that inform Utahns about how to access programs that could help them get a better job—things like getting additional training or earning a GED,” a spokeswoman for the Utah Department of Workforce Services said. The pixel was used in such a campaign, she said.

A spokesman for the Maryland Department of Health said the pixel on its site was part of an ad campaign launched in August and the state was investigating why it remained on the website after that campaign ended. It was removed as of March 17, the spokesman said. In December, departing Gov. Larry Hogan issued an emergency cybersecurity directive ordering the removal of ByteDance’s software from state networks and devices.

The presence of the TikTok tracking code on government websites underlines the challenge for those who deem the China-owned app a potential data-security threat. Lawmakers in both parties are considering a nationwide ban, but simply uprooting the app from U.S. smartphones wouldn’t stop all data-tracking activities. Consumer Reports last year identified the presence of TikTok’s pixel on an Arizona government website, among other sites.

Beyond TikTok, Feroot also found tracking pixels from Chinese-owned companies such as Tencent Holdings Ltd., which owns WeChat, Weibo Corp., and Alibaba Group Holding Ltd. on some state-government websites, as well as Russian-owned pixels from companies such as from cybersecurity company Kaspersky, which had its products banned from civilian and military federal U.S. networks during the Trump administration due to espionage fears.

According to the Feroot report, pixels present in many top websites, whether government or corporate, often transfer data to foreign locations, including China. About 5% of tracking pixels on the websites Feroot examined are coded by foreign companies, the report said. The flow of data to U.S. adversary countries—especially in jurisdictions where authoritarian governments can compel access to bulk data from private companies—poses a threat to the privacy of Americans, officials say.

Feroot found that the average website it studied had more than 13 embedded pixels. Google’s were far and away the most common, with 92% of websites examined having some sort of Google tracking pixel embedded. About 50% of the websites the firm examined had Microsoft Corp. or Facebook pixels. TikTok had a presence in less than 10% of sites examined.

Privacy advocates have long raised concerns about the proliferation of pixels, whatever their provenance. Alan Butler, the executive director of the Electronic Privacy Information Center, said the data can be used to identify individuals, track them physically and digitally, and subject them to common cybersecurity threats, such as phishing attempts and disinformation.

“Any social media platform, data broker, or ad service that is using tracking pixels to monitor people’s browsing across the web is violating the privacy of users visiting those websites,” Mr. Butler said. “This is especially troubling on government websites where individuals are being tracked even as they try to access information and services that are essential.”

U.S. adversaries such as China and Russia routinely use shell companies and proxies to extract marketing and consumer information from the advertising exchanges that deliver the display ads, according to people familiar with the matter. Such advertising exchanges have code running on nearly every cellphone on earth and can collect information about many of those devices. A TikTok ban wouldn’t address many of these data-collection concerns, because so much data is available commercially and the U.S. lacks a comprehensive privacy law.

In many cases, such data can be used to obtain the precise geolocation of devices based on location information they have provided to apps like weather or games. In other cases, it can be used to extract useful information that can be used to target more sophisticated cyberattacks. Countries can also use such systems to deliver targeted malware, according to people familiar with intelligence capabilities and documents viewed by Journal.

Advertising technology has increasingly drawn concern from state and federal lawmakers for its potential both to violate privacy and to weaken national security when used by adversaries such as China and Russia.

As part of a major defense bill passed in January, Congress ordered the intelligence community to conduct an assessment of “tracking by foreign adversaries through advertisement technology data.” The report hasn’t yet been delivered to Congress, according to a congressional official.

A review of the websites of more than 3,500 companies, organizations and government entities by the Toronto-based company Feroot Security found that so-called tracking pixels from the TikTok parent company were present in 30 U.S. state-government websites across 27 states, including some where the app has been banned from state networks and devices. Feroot collected the data in January and February of this year.

The presence of that code means that U.S. state governments around the country are inadvertently participating in a data-collection effort for a foreign-owned company, one that senior Biden administration officials and lawmakers of both parties have said could be harmful to U.S. national security and the privacy of Americans.

Site administrators usually place such pixels on the government websites to help measure the effectiveness of advertising they have purchased on TikTok. It helps government agencies determine how many people saw an ad on the social-media app and took some action—such as visiting a website or signing up for a service. The pixels’ proliferation offers another vector for data collection beyond TikTok’s popular mobile app, which is increasingly under fire in Washington as a possible way for the Chinese government to collect data on Americans.

TikToks pixels “can be watching and recording you when you’re renewing your driver’s license, paying your taxes or filling out doctors’ forms,” said Ivan Tsarynny, chief executive of Feroot, adding that they should be removed from websites of government agencies and companies that collect personal information.

“Like other platforms, the data we receive from advertisers is used to improve the effectiveness of our advertising services,” a TikTok spokeswoman said in a statement. “Our terms instruct advertisers not to share certain data with us, and we continuously work with our partners to avoid inadvertent transmission of such data.”

TikTok has previously emphasized that its user data is stored in the U.S., not China. The company has pledged to spend $1.5 billion on a program to safeguard U.S. user data and content from Chinese government access or influence.

Tracking pixels, also called web beacons, are ubiquitous on commercial websites. The free bits of software code are intended to support digital marketing and advertising by logging a visitor’s interactions with the site, such as what is clicked on and the duration of a visit.

Such pixels are typically created by social-media platforms such as Meta Platforms Inc., which owns Facebook and Instagram, or advertising-technology giant Google, a unit of Alphabet Inc. But in recent years, as TikTok’s popularity has grown, ByteDance has been building an advertising business aimed at competing with U.S. social-media services, and its pixel has started appearing in numerous websites aimed at U.S. consumers.

While the web-tracking pixels ostensibly aim to better pinpoint advertising, they also pose threats for privacy, security experts have said. They can sometimes be configured to collect data that users enter on websites, such as usernames, addresses and other sensitive information. With enough pixels on enough websites, the companies running them can begin to piece together the browsing behavior of individual users as they move from domain to domain, building detailed profiles on their interests and online habits.

The Wall Street Journal was able to replicate a sampling of Feroot’s findings, identifying a TikTok tracking pixel in the code of a Maryland Department of Health Covid website and a Utah government website aimed at helping job seekers. Both states issued executive orders in recent months banning the app from state-owned devices and networks, but the tracking pixel remained embedded in the two official websites as recently as last week.

Utah and Maryland removed the pixel after being contacted by the Journal.

“We work with an advertising agency to run educational campaigns that inform Utahns about how to access programs that could help them get a better job—things like getting additional training or earning a GED,” a spokeswoman for the Utah Department of Workforce Services said. The pixel was used in such a campaign, she said.

A spokesman for the Maryland Department of Health said the pixel on its site was part of an ad campaign launched in August and the state was investigating why it remained on the website after that campaign ended. It was removed as of March 17, the spokesman said. In December, departing Gov. Larry Hogan issued an emergency cybersecurity directive ordering the removal of ByteDance’s software from state networks and devices.

The presence of the TikTok tracking code on government websites underlines the challenge for those who deem the China-owned app a potential data-security threat. Lawmakers in both parties are considering a nationwide ban, but simply uprooting the app from U.S. smartphones wouldn’t stop all data-tracking activities. Consumer Reports last year identified the presence of TikTok’s pixel on an Arizona government website, among other sites.

Beyond TikTok, Feroot also found tracking pixels from Chinese-owned companies such as Tencent Holdings Ltd., which owns WeChat, Weibo Corp., and Alibaba Group Holding Ltd. on some state-government websites, as well as Russian-owned pixels from companies such as from cybersecurity company Kaspersky, which had its products banned from civilian and military federal U.S. networks during the Trump administration due to espionage fears.

According to the Feroot report, pixels present in many top websites, whether government or corporate, often transfer data to foreign locations, including China. About 5% of tracking pixels on the websites Feroot examined are coded by foreign companies, the report said. The flow of data to U.S. adversary countries—especially in jurisdictions where authoritarian governments can compel access to bulk data from private companies—poses a threat to the privacy of Americans, officials say.

Feroot found that the average website it studied had more than 13 embedded pixels. Google’s were far and away the most common, with 92% of websites examined having some sort of Google tracking pixel embedded. About 50% of the websites the firm examined had Microsoft Corp. or Facebook pixels. TikTok had a presence in less than 10% of sites examined.

Privacy advocates have long raised concerns about the proliferation of pixels, whatever their provenance. Alan Butler, the executive director of the Electronic Privacy Information Center, said the data can be used to identify individuals, track them physically and digitally, and subject them to common cybersecurity threats, such as phishing attempts and disinformation.

“Any social media platform, data broker, or ad service that is using tracking pixels to monitor people’s browsing across the web is violating the privacy of users visiting those websites,” Mr. Butler said. “This is especially troubling on government websites where individuals are being tracked even as they try to access information and services that are essential.”

U.S. adversaries such as China and Russia routinely use shell companies and proxies to extract marketing and consumer information from the advertising exchanges that deliver the display ads, according to people familiar with the matter. Such advertising exchanges have code running on nearly every cellphone on earth and can collect information about many of those devices. A TikTok ban wouldn’t address many of these data-collection concerns, because so much data is available commercially and the U.S. lacks a comprehensive privacy law.

In many cases, such data can be used to obtain the precise geolocation of devices based on location information they have provided to apps like weather or games. In other cases, it can be used to extract useful information that can be used to target more sophisticated cyberattacks. Countries can also use such systems to deliver targeted malware, according to people familiar with intelligence capabilities and documents viewed by Journal.

Advertising technology has increasingly drawn concern from state and federal lawmakers for its potential both to violate privacy and to weaken national security when used by adversaries such as China and Russia.

As part of a major defense bill passed in January, Congress ordered the intelligence community to conduct an assessment of “tracking by foreign adversaries through advertisement technology data.” The report hasn’t yet been delivered to Congress, according to a congressional official.