June 13, 2024

States Sending Data to TikTok from Government Websites Despite Concerns

By Yash Parikh and Mihir Kshirsagar

While some states like Montana are trying to ban data collection by TikTok, other states like Missouri are actively – and perhaps, unknowingly – sending their citizen’s data to TikTok. Yash Parikh, a Princeton computer science student, conducted research that reveals that at least one Missouri government website – covidvaccine.mo.gov – actually leaks data to TikTok. His research addresses the broader phenomenon of government websites embedding trackers that send data to TikTok, Google, Facebook, and other data collectors.

Parikh detected this leak using Blacklight, an inspection tool created by the data journalist Surya Mattu when he was at The Markup, and who now leads the Digital Witness Lab at CITP. Blacklight, in turn, is built on OpenWPM, an open-source tool for web privacy measurement developed at CITP. 

The Blacklight site inspection shows that covidvaccine.mo.gov, Missouri’s official COVID website that helps people locate vaccine and testing locations and find important health information, has embedded third party tracking cookies run by TikTok. The inspection reveals that TikTok has three cookies on the site, all related to personalizing users’ advertisements on the TikTok app. These cookies do not expire for over a year, meaning that TikTok can identify returning visitors. This data also concerns potentially sensitive health-related information. The full inspection results for the website can be found here.

Unfortunately, Missouri is not the only state where government websites host third party trackers. This likely happens because the state uses web developers who deploy off-the-shelf designs and commercial services that have third-party tracking built into the infrastructure. It takes some care and attention when building such sites to remove these trackers.

We recommend that states should develop proactive processes to inspect their websites and scrub all third party marketing trackers to ensure they do not compromise their citizens’ privacy.