Recurring |
one_organization, multiple_organization |
(a) The software failure incident related to tracking users' screen taps and keystrokes within the TikTok app has happened again within the same organization. Software engineer Felix Krause reported findings that TikTok can track users' screen taps and text inputs during in-app browsing [Article 131045]. This incident is similar to a previous report by Felix Krause, where it was revealed that TikTok's in-app browser can track every keystroke made by its users [Article 131234].
(b) The software failure incident related to tracking users' screen taps and keystrokes within the TikTok app has also happened at other organizations or with their products and services. Felix Krause tested the ability of other popular iOS apps, including Instagram, Facebook, Facebook Messenger, Amazon, Snapchat, and Robinhood, to harvest data from users' taps when they open a third-party website. While TikTok had the most extensive surveillance capabilities, Instagram, Facebook, and Facebook Messenger had a similar amount [Article 131045]. |
Phase (Design/Operation) |
design, operation |
(a) The software failure incident related to the design phase can be seen in the articles. The incident involves TikTok's in-app browser having the capability to track every keystroke and screen tap made by its users when they visit external websites through the app. This functionality was embedded within the app, allowing TikTok to potentially track sensitive information like credit card numbers and passwords. The research highlighted concerns about the design of TikTok's in-app browser, as it could extract information from users' external browsing sessions, raising privacy and security issues [131234, 131045].
(b) The software failure incident related to the operation phase can be observed in the articles as well. TikTok's in-app browser, which had the capability to track users' keystrokes and screen taps, was operational within the app. Despite TikTok's statement that the feature was used for debugging, troubleshooting, and performance monitoring, concerns were raised about the operational aspects of the in-app browser tracking users' sensitive data during their browsing sessions. This raised questions about how the operation of the in-app browser could potentially compromise user privacy and data security [131234, 131045]. |
Boundary (Internal/External) |
within_system |
(a) within_system:
1. The software failure incident reported in the articles is related to TikTok's in-app browser functionality that can track users' keystrokes and screen taps when they visit other sites through the TikTok iOS app [131234, 131045].
2. The issue originates from within the TikTok app itself, where code is injected to observe every keyboard input and screen tap during in-app browsing, potentially capturing sensitive information like credit card details and passwords [131234, 131045].
3. TikTok's in-app browser goes beyond typical tracking capabilities seen in other apps like Facebook and Instagram, as it can track each character entered by users, raising concerns about privacy and data security [131234].
4. The software failure incident involves the misuse of the in-app browser functionality by TikTok, which was initially claimed to be used for debugging, troubleshooting, and performance monitoring but raised concerns about potential data tracking and privacy violations [131234, 131045].
(b) outside_system:
1. The software failure incident does not involve contributing factors originating from outside the system but rather focuses on the internal functionality of TikTok's in-app browser and its tracking capabilities [131234, 131045].
2. The issue is related to how TikTok's in-app browser interacts with external websites and tracks users' activities, indicating that the failure lies within the software itself and its design choices [131234, 131045].
3. While there are concerns about the implications of TikTok's data practices and its ties to China, the immediate software failure incident is centered on the in-app browser's tracking features, which are part of TikTok's internal system [131234, 131045]. |
Nature (Human/Non-human) |
non-human_actions |
(a) The software failure incident occurring due to non-human actions:
- The software failure incident reported in the articles is related to the TikTok app's in-app browser functionality that can track users' keystrokes and screen taps during in-app browsing on third-party websites [131234, 131045].
- This capability was embedded within the in-app browser of TikTok, allowing it to monitor every keyboard input and screen tap made by users, potentially including sensitive information like credit card details and passwords [131234, 131045].
- The tracking of keystrokes and screen taps was done through code injected by TikTok when users accessed external websites within the app, indicating a failure due to contributing factors introduced without human participation [131234, 131045].
(b) The software failure incident occurring due to human actions:
- The articles do not explicitly mention any human actions contributing to the software failure incident. The incident primarily revolves around the functionality of TikTok's in-app browser tracking users' activities during in-app browsing, which was enabled through code injected by the app itself [131234, 131045].
- The TikTok spokesperson mentioned that the code for tracking keystrokes and screen taps was solely used for debugging, troubleshooting, and performance monitoring, indicating that the intent behind the code was not malicious [131045].
- The research conducted by Felix Krause highlighted the technical aspects of the tracking capabilities but did not attribute the incident to any specific human actions [131234, 131045]. |
Dimension (Hardware/Software) |
software |
(a) The articles do not mention any software failure incident related to hardware issues [unknown].
(b) The software failure incident reported in the articles is related to software issues. The incident involves TikTok's iOS app being able to track users' screen taps and keystrokes when they visit other sites through the app's in-app browser. This tracking capability was discovered by privacy researcher Felix Krause, who found that TikTok's code could observe text input, including sensitive information like credit card details and passwords, during in-app browsing [Article 131234, Article 131045]. |
Objective (Malicious/Non-malicious) |
non-malicious |
(a) The software failure incident reported in the news articles is related to a potential malicious objective. The incident involves TikTok's in-app browser tracking users' keystrokes and screen taps when they visit other sites through the app, potentially capturing sensitive information like credit card details and passwords [131234, 131045]. The research findings by Felix Krause indicate that TikTok's code can observe every keyboard input and screen tap, which could be considered as a form of surveillance or data harvesting [131234, 131045]. The incident raises concerns about privacy and security implications, especially given TikTok's ownership by the Chinese internet firm ByteDance and the scrutiny it faces regarding data practices and ties to China [131234, 131045].
(b) The incident is also described as non-malicious by TikTok, which stated that the tracking capability in the in-app browser was used for debugging, troubleshooting, and performance monitoring purposes [131234, 131045]. TikTok denied collecting keystroke or text inputs through the code and emphasized that the feature was not intended for malicious activities [131234, 131045]. The company's response suggests that the tracking functionality was implemented for legitimate purposes related to app development and monitoring rather than with the intent to harm users or compromise their data security. |
Intent (Poor/Accidental Decisions) |
poor_decisions |
(a) The intent of the software failure incident related to poor_decisions:
- The software failure incident related to TikTok's in-app browser tracking users' keystrokes and screen taps during in-app browsing can be attributed to poor decisions made by TikTok in embedding such tracking capabilities within their app. This functionality raised concerns about potential privacy violations and data tracking practices that could endanger user security and privacy [131234, 131045].
(b) The intent of the software failure incident related to accidental_decisions:
- The software failure incident related to TikTok's in-app browser tracking users' keystrokes and screen taps during in-app browsing does not seem to be accidental. It appears to be a deliberate decision by TikTok to embed code that enables monitoring of user activities on third-party websites accessed through the app. The incident reflects a conscious choice rather than an accidental decision [131234, 131045]. |
Capability (Incompetence/Accidental) |
development_incompetence, accidental |
(a) The software failure incident related to development incompetence is evident in the articles. The incident involves TikTok's in-app browser tracking users' keystrokes and screen taps, potentially compromising sensitive information like credit card details and passwords [131234, 131045]. This functionality was embedded within the app by the development team, indicating a lack of professional competence in terms of privacy and security considerations. Despite TikTok's claims that the feature was used for debugging, troubleshooting, and performance monitoring, the potential risk to user data privacy highlights a failure in ensuring robust security measures during the app development process.
(b) The software failure incident related to accidental factors is also apparent in the articles. The tracking of users' keystrokes and screen taps within TikTok's in-app browser may have been unintentional or introduced accidentally during the development process [131234, 131045]. While TikTok denies collecting keystroke or text inputs through the code and attributes it to debugging purposes, the potential implications for user privacy suggest an accidental oversight or lack of awareness regarding the extent of data tracking within the app. This accidental introduction of surveillance capabilities raises concerns about inadvertent data collection and potential misuse of sensitive information. |
Duration |
permanent |
(a) The software failure incident described in the articles appears to be permanent. The incident involves TikTok's in-app browser tracking users' keystrokes and screen taps when they visit other sites through the app. This functionality was embedded within the app and was not a temporary glitch but a deliberate feature designed to monitor user activities for purposes such as debugging, troubleshooting, and performance monitoring [131234, 131045].
The articles highlight that TikTok's code allows it to observe every keyboard input, including sensitive information like credit card details and passwords, during in-app browsing. This tracking capability was not a one-time occurrence but a built-in functionality that could potentially compromise user privacy and security. The incident was not a temporary issue that occurred under specific circumstances but a permanent aspect of TikTok's in-app browser behavior. |
Behaviour |
value, other |
(a) crash:
- The articles do not mention any instance of a crash where the system loses state and does not perform any of its intended functions [Article 131234, Article 131045].
(b) omission:
- The software failure incident described in the articles does not involve the system omitting to perform its intended functions at any instance [Article 131234, Article 131045].
(c) timing:
- The incident does not relate to a failure due to the system performing its intended functions correctly but too late or too early [Article 131234, Article 131045].
(d) value:
- The software failure incident is related to the system performing its intended functions incorrectly, such as tracking keystrokes and screen taps without clear purposes or consent [Article 131234, Article 131045].
(e) byzantine:
- The incident does not involve the system behaving erroneously with inconsistent responses and interactions [Article 131234, Article 131045].
(f) other:
- The other behavior observed in the software failure incident is the potential overreaching behavior of the TikTok app in tracking users' sensitive information like credit card details and passwords during in-app browsing, raising concerns about privacy and data security [Article 131234, Article 131045]. |