Social media companies in general aren’t clear on how long they keep information users thought they’d deleted, but TikTok is less transparent than others. Law enforcement is ready to take advantage.
The FBI said it used cell-tower data earlier this year to link seven bank robberies in five states to a phone number used by a suspect named Fernando Enriquez and possible associates. According to a search warrant discovered by Forbes, the agency crosschecked the phone number and the name against other police databases and used that information to retrieve email addresses and Google, Instagram and TikTok accounts belonging to Enriquez. That unearthed a photo on TikTok of Enriquez standing in front of a Chevrolet SUV that resembled the getaway vehicle, the FBI said. Photographs also showed tattoos that appeared to match those from bank surveillance footage, according to investigators. Later, the FBI sought to get more information directly from TikTok, including any deleted information on his account.
While the warrant shows just how surveillance beginning with a so-called “cell tower dump” can lead cops to target all manner of other social media accounts, it also shows confusion over how long TikTok retains information and what can be accessed by police once a user has chosen to delete it.
When it comes to other social media giants, the rules are clearer. According to its policy, Google keeps a user’s data for two months after deletion, though that can extend to six months if the data has been stored on an encrypted backup. Facebook policy is a little more complicated. It says it retains data depending on its “nature” and the relevant legal requirements. “For example,” the policy says, “when you search for something on Facebook, you can access and delete that query from within your search history at any time, but the log of that search is deleted after six months. If you submit a copy of your government-issued ID for account verification purposes, we delete that copy 30 days after review, unless otherwise stated.” It doesn’t go into all the different kinds of information people give to Facebook. It does, however, say that once a Facebook account is deleted, all the information will be wiped forever within 90 days.
How long TikTok keeps deleted information and how U.S. law enforcement can get such data from the China-based company is less transparent. From the Enriquez case, it appears the FBI believes it can get all manner of information from ByteDance’s huge social network – from messages to videos to location data – even if deleted by TikTok users.
The FBI’s request for information on Enriquez, who was suspected of robberies in Arizona, Texas, New Mexico, California and Mississippi, went to an address in Culver City, California, where TikTok set up a West Coast office in 2020. As the FBI agent who wrote the search warrant notes in the court filing, “even if … content is removed, locked or deleted, often social media companies retain the data on their information systems.” TikTok, the agent wrote, “appears to store data that has been made private, locked or deleted by users.”
Enriquez was indicted in April in both Arizona and Texas. He hasn’t filed a plea in Arizona, though he pleaded not guilty in Texas.
“People confuse deleted and erased,” said Professor Alan Woodward, an encryption and security expert at the University of Surrey in the U.K. “True secure erasure has always required overwriting the storage and memory with unrelated data to remove the original. Many messenger apps make claims but the devil is in the detail, and forensic techniques can recover to an extraordinary level of detail.”
When Forbes asked TikTok how it handled user data and when it’s deleted, the company pointed to public documentation, which showed user information is stored across servers in the U.S. and Singapore. As for what it does with deleted data, that’s a little less clear.
This is relevant because, according to TikTok’s most recent transparency report, law enforcement is increasingly interested in getting information from the company. Government requests for TikTok user data jumped from just under 2,000 in the first half of 2021 to nearly 3,500 in the following six months. Just three years ago, it received 1,000 requests for all of 2019.
The only previous time the veil was lifted on the dynamic between U.S. law enforcement and TikTok was in the so-called BlueLeaks files. Published by DDoSecrets in 2020 after a cyberattack on the Washington Metropolitan Police Department, the files showed only that TikTok could provide granular information on a user, such as their phone number, smartphone model, a list of IP addresses used to access TikTok and any linked social media accounts. They weren’t clear about the availability of deleted information.