TikTok has confirmed it will not introduce end-to-end encryption for direct messages on its platform. The company says the decision is deliberate, designed to keep users, especially younger ones, safe from harm.
The announcement, reported by the BBC this week, makes TikTok one of the last major social platforms to hold this position, and the company is not apologizing for it.
TikTok’s messages are encrypted in transit, meaning they are protected as they travel across the internet, but TikTok holds the key.
That means the company can read your messages, and so can any government or law enforcement agency that arrives with a valid legal request.
End-to-end encryption, however, works differently. The message is scrambled the moment it leaves your device and can only be unscrambled by the person you sent it to.
The platform carrying it cannot read it, and neither can anyone else, regardless of what they are asked or ordered to do.
WhatsApp, Apple iMessage, Signal, Facebook Messenger, Google Messages, and Snapchat all work this way by default. TikTok does not and has now said it will not.
TikTok’s official answer centers on child safety. The platform has a massive young user base, and the company argues that being able to review flagged messages is essential for catching predators and stopping the spread of abuse material.
If messages are fully encrypted, that work becomes nearly impossible.
It is not a hollow argument. Child safety advocates have long warned that platforms rushing to encrypt everything can inadvertently hand bad actors a shield, making it harder to detect and act on abuse before it escalates.
ByteDance, TikTok’s parent company, is based in China, where end-to-end encryption is not the norm and where technology platforms are legally required to cooperate with government data requests.
TikTok’s approach has real benefits: harmful content can be addressed more quickly, and law enforcement can get help without long legal disputes over access.
When a teenager reports that someone is harassing or grooming them, TikTok can actually read what was said, build a case, and act. On a fully encrypted platform, that same report often leads nowhere because the evidence is locked away from everyone, including the people trying to help.
The downside is that TikTok becomes a much more attractive target. If TikTok can read your messages, so can anyone who breaks into its systems.
A breach on a platform that stores readable conversations does far more damage than one on a platform where the messages are scrambled and useless to anyone who intercepts them.
What this means in practice is that any message you send on TikTok can be read by the company and can be handed to a government that comes with a legal request. That is not a hidden risk buried in the terms and conditions; it is simply how the platform works.
Ironically, some governments will be relieved by TikTok’s position. Regulators in the UK and the US have spent years pressuring tech companies to preserve access to encrypted communications for law enforcement purposes, a battle they have largely been losing.
TikTok, by default, gives them what they want.
However, data protection authorities operating under frameworks like the EU’s General Data Protection Regulation (GDPR) require platforms to apply security measures proportionate to the sensitivity of the data they hold.
Private messages are about as sensitive as personal data gets. Choosing to remain below the current industry standard, by design, is a position that could attract scrutiny, especially if a breach ever occurs.
Kenya’s Data Protection Act of 2019 requires that personal data be processed with security measures appropriate to the risk involved. The law does not name specific technologies, but it expects organizations handling sensitive data to meet a reasonable standard of care.
Choosing to offer less protection than the rest of the industry, knowingly, is a hard position to defend if a Kenyan user’s messages are ever exposed or accessed by a foreign government.
TikTok is at least open about what it does and does not do, which satisfies the Act’s requirement that users understand how their data is handled.
Whether openness alone is enough, when better options exist and have not been taken, is a question Kenya’s data regulator may eventually have to answer.