
Why Are Creators Paying for TikTok’s Mistake? - panarky
https://www.eff.org/deeplinks/2019/03/why-are-creators-paying-tiktoks-mistake
======
tropdrop
It's mind boggling that they just "forgot" about COPPA.

Out of curiosity I browse the Snapchat scrolling feed from time to time, and
since a few months ago I have been inundated with TikTok ads. 90% of them seem
to be targeting teenagers, featuring pre- to early teens, dancing in front of
the camera and flicking rubber bands at folded pieces of paper with Sharpied
messages on them.

Something like - "to all the boys who think I'm cute..." (note 1, rubber band
flick) "wait till you see..." (note 2, flick to reveal third note, which is
covered up by the TikTok logo that prompts you to download to find out the
rest).

It seems more likely to me that they just followed the classic "move fast and
break things," gambling that no one noticed.

~~~
hombre_fatal
The last time I encountered a COPPA opt-in was on the register.php page of a
vBulletin forum where you had to enter your birthdate.

It doesn't boggle my mind. I'm sure very few services online would stand up to
scrutiny. It's just that such few platforms are ever in that position.

~~~
darkpuma
Are you sure your not just mentally filtering it out? I see _" [checkbox] I
agree that I am 13 years old or the legal guardian blah blah blah"_ pretty
frequently on signup pages.

~~~
hombre_fatal
That's possible, but not that I can tell. Neither Twitter.com, Reddit.com, nor
Pornhub.com ask, for example.

Though, TikTok is a video platform with immense popularity among children. Put
those two together and you're bound to be first on this sort of COPPA chopping
block, so I suppose I do see how OP's mind could be boggled after all. Maybe
it's "just" a fine of $5.7 million.

~~~
johnbatch
Reddit terms that you agree to when creating an account say:

“Children under the age of 13 are not allowed to create an account or
otherwise use the Services.”

[https://www.redditinc.com/policies/user-
agreement](https://www.redditinc.com/policies/user-agreement)

~~~
johnbatch
TikTok allows users under 13 with some requirement that the person signing up
should have their parent review these terms.

“If you are under age 18, you may only use the Services with the consent of
your parent or legal guardian. Please be sure your parent or legal guardian
has reviewed and discussed these Terms with you.”

[https://www.tiktok.com/en/terms-of-use](https://www.tiktok.com/en/terms-of-
use)

~~~
londons_explore
That IMO was TikToks downfall... They should have simply said "No children
under 13" and made a date of birth selector making it impossible to select a
date younger than 13.

Children would then have to ignore the terms and lie to the date of birth
screen (fraud) to gain access, yet I'm sure that wouldn't stop most of them.

TikToks as a company can publish age stats from the data 'proving' they have
nobody under 13, and all of the above should satisfy FTC

~~~
ramchip
> Children would then have to ignore the terms and lie to the date of birth
> screen (fraud) to gain access

Out of curiosity - is that really fraud? It doesn’t sound like it hurts the
company.

~~~
londons_explore
Falsifying information to trick a company into doing something illegal
(collecting data on a minor) for personal gain (ability to use service) sounds
like fraud to me.

~~~
oarsinsync
If you're considered too young to have the right judgement to vote, drink, die
for your country or be married off (excepting the US states that still allow
marriage from age 12[0]), you should also be too young to be held liable for
fraud.

[0][https://en.wikipedia.org/wiki/Age_of_marriage_in_the_United_...](https://en.wikipedia.org/wiki/Age_of_marriage_in_the_United_States)

~~~
pbhjpbhj
Isn't that the point, you pass off the legal liability to the user who can't
be held liable and so bypass the need to restrict your service to over-13s.

------
libraryatnight
Tangent: I don't trust TikTok. I notice "they" use bots on other media
platforms to post gifs/images with their logo (Imgur was getting this a lot)
to drive people to their platform.

Couple that with that we now know how Russia (and ostensibly others) are using
social media platforms for manipulation, and it just seems rather suspicious.

I'm probably just being tinfoil hat paranoid, but I feel like memes are
basically vehicles for propaganda and we should be cautious with where we
spend our time.

~~~
judge2020
> "they" use bots on other media platforms to post gifs/images with their logo

Are you sure these are bots? They might just be regular users that download
these videos through the app. No matter what, when you download a video on
TikTok, it downloads you a watermarked version.

~~~
libraryatnight
I can't speak for every post, but there are plenty that are bots. At first I
thought the same, because I noticed people leaving notes on these posts like
"Don't upvote, bot" (not that it ever mattered) but I wasn't sure - so
whenever I saw tiktok I started checking account histories and nearly every
time it was an account with no activity other than maybe one or two failed
tiktok posts, then one successful front page post. There'd also be posts that
took already successful FP content, and reposted it with the tiktok branding.

Not very scientific, but it was enough at the time for me to sort of take
note.

------
koala_man
>defaulted to putting in the current date while also not making crystal clear
to users why it needed that information and what could result

It's been years since I've worked with COPPA, but isn't it illegal both to 1.
default to e.g. 1970-01-01 so that accepting implies you're of age, and 2. for
your prompt to be "You must be 13+ to use this service. If you are under 13
your videos will be deleted. What is your birthday?" because you're basically
encouraging kids to lie?

~~~
mediumdeviation
Just leave it blank and force the user to explicitly enter something? I don't
see how defaulting to the current date is ever useful for date of birth from a
user interface design perspective.

~~~
londons_explore
Defaulting to the current date is just lazy coding - lots of date UI controls
do that by default.

~~~
raverbashing
Yes

Also whenever you ask for a birthdate _don 't use a datepicker_ (or use one
that allows selection of the year)

It's not fun dragging or scrolling the picker month by month until you get to
your birthdate

~~~
mcguire
Those of us with birthdates back in the '60s salute you.

------
josefresco
Having gone through this just recently I feel compelled to comment. I feel
this isn't being discussed more, because parents are ashamed they allowed
their children to use the service (I am not).

=====

My kids started on Musical.ly before other social media. Private accounts, IRL
friends only.

My daughter, a TikTok user was prompted one day to enter her birthdate.

Not thinking too much about it (and without asking me), she did so. She
entered her birth DAY but used the current year: 2018 (see the article).
Should be an easy fix right?

Despite this obvious error (do 5 month olds really use the app?) she was now
locked out.

 _tears_

We requested a copy of all her videos.

TikTok sent a text file to our email with a list of MP4 URLS.

I downloaded a browser extension to help auto-download this rather extensive
list.

My daughter now has a new account, with a _just old enough_ age to not get
locked out again. _sigh_

=====

TikTok literally built a billion dollar business on kids and are now giving
them the boot.

------
manfredo
Age requirements for any web app always struck me as a joke. I'm sure
_everyone_ is telling the truth when they click "I am over 13/18 years old".

~~~
zhte415
Somehow I'm reminded of the Leisure Suit Larry age check [0]... which for a
young teenager all those years ago was quite hard. You need to be a certain
age to get quite a lot of the answers.

[0] Sample questions here: [http://allowe.com/games/larry/tips-
manuals/lsl1-age-quiz.htm...](http://allowe.com/games/larry/tips-
manuals/lsl1-age-quiz.html)

~~~
manfredo
For a young teenager back then those were hard. For a mid-late 20 year old
today they're still hard.

I wonder what sort of questions one would ask to implement such a age
verification scheme these days. Ask, "what does AOL stand for?" or, "which one
of the following audio clips is 'the dial-up tone'?". Or how about "what is a
'hanging-chad'?". Heck that last one doesn't even work anymore, there are 18
years today born after the 2000 election... I'm getting old.

Although I guess Google and widespread internet adoption has rendered this
kind of age verification useless.

~~~
codetrotter
I know the answer to the first two of those, but I have never heard about a
“hanging-chad”. Is that something people from outside of the US (as I myself
am) would be likely to know?

Even AOL, which I happen to know about is something I think few people in my
country would be likely to know.

These questions strike me then as not purely relating to age but also to
culture.

And even the dial-up tone question could be difficult for some people to
answer. We had dialup at my child home but not everyone did.

And like you said, most questions can be Googled anyway.

~~~
manfredo
Hanging chad is a reference to disputed ballots in to 2000 presidential
election, Hence my reference to the year 2000 [1]. Definitely yes, these are
questions about culture rather than age and is more specific to Americans. The
same applies to the original Leisure Suite Larry age questions [2]. My post
was intended to be more humorous than practical.

1\.
[https://en.wikipedia.org/wiki/Chad_(paper)](https://en.wikipedia.org/wiki/Chad_\(paper\))

2\. [http://allowe.com/games/larry/tips-manuals/lsl1-age-
quiz.htm...](http://allowe.com/games/larry/tips-manuals/lsl1-age-quiz.html)

------
Smoosh
I keep getting SMS text messages from TikTok several times a week even though
I have never used the service. They are in the format:

[#][TikTok] 1234 is your verification code aBcDefGhij1

At first I assumed these were someone accidentally or deliberately giving
TikTok my phone number when registering. But if they never got the code, How
could they activate the account? So why would they (or others) keep using my
number? I read online that it may be a confirmation needed to delete an
account. But that implies that TikTok accepted my phone number without
verification. And again, if the person didn't get the code, what good did
using my phone number do them?

All very dubious.

~~~
kapitalx
I remember years ago, at a startup, we had a person complaining that they were
getting SMSs from us several times a day. It turned out that we had a test
that wasn't properly mocked, it also used a 'fake' number which was actually a
real person (should always use 555 numbers in tests). So every time the tests
were run, this user would get an SMS similar to what you are getting.

~~~
klntsky
> should always use 555 numbers in tests

...And don't give your test suite access to the real world.

------
bredren
This reminds me of a great quote from Tropic Thunder: "Behold, God's mistake!"

Anyhow, interesting to see the eff getting in on what it perceives as a dark
UI pattern. I ran through this age check screen and had no problem.

I do not see a profound issue with creators that rushed through it having to
submit gov ID. If the account is that valuable, teenagers can get ID. Frankly,
they should probably have one anyway.

------
helloindia
Related: “New hunting ground for paedophiles: Chinese apps”
[https://m.timesofindia.com/india/new-hunting-ground-for-
paed...](https://m.timesofindia.com/india/new-hunting-ground-for-paedophiles-
chinese-
apps/articleshow/66758462.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst)

------
roonyh
>The FTC required TikTok to “destroy” the “personal information” of any
account belonging to someone currently 13 or under...

If they are required to "destroy" the data, how can they restore it after
proving age using a government ID?

~~~
GunlogAlm
I thought that too, but perhaps only personal data is deleted irrecoverably,
allowing them to retrieve other/periphery account data; maybe an account's
"fans" aren't considered personal data, for instance? I'm not familiar with
TikTok, admittedly.

Otherwise, perhaps there was some delay on account deletion?

~~~
londons_explore
A 30 day delay on deletion is commonplace

------
rayraegah
The problem isn't they forget, it's more along the lines of their culture. In
China, they do the {thing} first then apologise.

On a related note, TikTok is just a rebranded version of DouYin [0] which was
originally built by a small group of young programmers called Beijing Shaking
Youth [1]. It wasn't until their recent funding [2] they sent up an office in
the USA by which time the damage had already been done. Not only do they
violate laws their app is riddled with dark patterns by US standards (all of
which btw is normal in China).

If you go on LinkedIn and look up Jobs in Los Angeles you'll notice TikTok has
1200+ open positions. You'll also notice they're hiring people specifically to
develop policies for each region.

[0] [https://Douyin.com](https://Douyin.com)

[1]
[https://www.reddit.com/r/OutOfTheLoop/comments/9iy84y/whats_...](https://www.reddit.com/r/OutOfTheLoop/comments/9iy84y/whats_up_with_the_app_tik_tok/e6o2iwx)

[2] [https://techcrunch.com/2018/08/08/bytedance-is-
raising-2-5b-...](https://techcrunch.com/2018/08/08/bytedance-is-
raising-2-5b-3b/)

~~~
voldacar
>their app is riddled with dark patterns by US standards (all of which btw is
normal in China)

I've never used tiktok, could you give a few examples?

------
fouc
The mistake here is not the prior lack of COPPA compliance.

The mistake here is their rushed implementation of the compliance.

Why do I feel like many companies, in the exact same situation, would have
also messed up?

Aggressively deleting accounts of even older users due to messing up birthdate
collection, with no recourse is such a bone headed move. Falling back to
defensively asking for government ID can't really be counted as recourse.

------
Benjammer
This is the same exact thing that happened to Dinesh and PiperChat on Silicon
Valley...

------
kccqzy
Seems to me that they totally forgot about COPPA when designing the app, and
then hastily added the age verification in response to the FTC fine. Didn't
test the change properly, rolled it out, and disaster ensued.

------
kazinator
> _We hope online service providers of all stripes learn from TikTok’s
> mistakes._

Right; heaven forbid the _users_ should learn a lesson about stuffing content
into someone's walled garden.

------
leowoo91
When I get into Youtube from a private browser, it shows videos in my country.
What if I'm under 13? Clearly it's using my IP and it doesnt ask whether I'm
13 or older?

~~~
DanBC
COPPA isn't about banning people under 13 from the app. It's about gathering
personal information from those users, and about letting them delete their
content.

This means if you're under 13 you can watch videos on YouTube, but you can't
create an account or use notifications or subscriptions.

THis does create weird things though. Children like that notification bell,
and so they use their parent's accounts. This means advertisers think the
person viewing the videos is over 18, and that it's okay to show ads for
alcohol or gambling.

That's not ok in the UK, and the regulator tells advertisers to be more
careful when placing ads.

------
justforfunhere
I think COPPA applies to US only. TikTok is doing fine elsewhere in the world.
Anyway, I wonder how big a market US is for TikTok?

------
sigi45
Oh yes someone is asking the real questions here!

Wait

------
caymanjim
Creators are paying for TikTok's mistake because TikTok made even more
mistakes in attempting to comply with COPPA.

Why does the EFF care about this?

~~~
GunlogAlm
Why _wouldn 't_ the EFF concern itself with the careless and disorganised
response of a digital company to online privacy legislation?

~~~
jessaustin
I support EFF from time to time, but ISTM this case could have inspired some
reflection on the not-completely-graceful COPPA regulation itself, in addition
to the low-calorie castigation of the latest Chinese-origin USA moral panic.
How effective is COPPA in meeting its stated goals? Could it be more
effective, with fewer undesirable side effects like those described here?

------
ratling
"Users logging in for the first time after the order were prompted to give
their birthdate, but TikTok’s own interface defaulted to putting in the
current date while also not making crystal clear to users why it needed that
information and what could result."

If you can't work a birthdate field in 2019 you should not be on the internet.

~~~
josefresco
My daughter did this by accident - she'd run rings around you on the Internet.

------
darkpuma
It seems to be TikTok should be castigated for the first two mistakes
(allowing children on their platform, and implementing the birth date dialog
poorly.) However their response to that second error seems sane to me. If
they're going to reactivate accounts closed for being too young, shouldn't
they make an attempt to verify the age of the person reopening the account? I
doubt the FTC would be amused if TikTok started permitting 12 year olds to
reopen their accounts with no form of attempted verification.

Also I'm not quite sure I buy the argument that the birth date dialog was
bugged. Defaulting it to the current date is dumb, but was it _really_ non-
functional for some users? _Really?_ Or did some users just click past it
unthinking, annoyed that they were being asked something without bothering to
stop and look at what they were being asked? The later seems more likely to
me. These users would doubtlessly be annoyed, but what really can be done
about that scenario? Those users should take it as a learning experience and
be thankful TikTok is a thoroughly frivolous platform so they lost nothing of
worth _this time_.

~~~
tfehring
If it's possible to click through a form with all defaults retained, you
should assume that some users will do so. It's probably also safe to assume
that deleting their account and all of their uploaded content is not the
typical user expected behavior from doing so.

I don't think the problem was defaulting to the current date. No default is
probably better in general for this sort of thing, and in hindsight it
definitely would have been better in this case. But for a field for which you
really need the user to provide a value, if you're going to set a default,
that default should be obviously and universally invalid (the current date
qualifies for that when you're asking for DOB), and you should have logic in
place to deal with obviously invalid inputs.

~~~
darkpuma
Sure. But even if they did that form right, they'd still have some adults flip
the year a few years, some falling short of 13. At that point they get banned
because that's what the FTC requires, so what procedure do you use to let them
appeal? Asking for an ID seems reasonable to me.

~~~
tfehring
I agree that the appeals decision is a little bit tricky and that asking for
an ID is probably the best option in those cases. But I'd bet that some very
basic, sensible validation would have reduced the number of those cases by
orders of magnitude.

~~~
darkpuma
You could ask for a CC or something like that, which wouldn't be bulletproof
but probably reasonably good enough. But I think you'd still have the EFF
complaining that not everybody has a credit card, particularly teenagers, just
like they object to the photo ID requirement.

Asking for a photo ID was probably easier for them than asking for a credit
car though, since with the credit card method they now have to worry about PCI
compliance. Getting themselves out of one regulatory shithouse by walking into
another probably wasn't something they were eager to do.

They could ask the appealing user to upload a quick video of themselves
requesting the appeal, and then use common sense to grant the appeal to people
who reasonably appeared to be adults. That might make the FTC upset with them
a second time though, since you'd doubtlessly have kids filming and uploading
appeal videos, which would probably put TikTok back in violation of COPPA...

I don't think asking for a link to other social media like facebook would
help, because even though Facebook is presumably in compliance with COPPA,
somebody having an account on Facebook and being in compliance with COPPA
doesn't necessarily mean they are >13 years old; their parent or legal
guardian could have given them permission to use facebook, but not tiktok. So
you can't assume that control of a facebook account means they're >13 or have
parental approval to use _your_ service.

There might be other ways out of this mess, but I can't think of any at the
moment.

