It also infers social graphs. I'm sure it has the option to collect contacts, but even without it, even the links you share are unique and embed your profile information (there is no easy way to share a canonical link to a video that doesn't link back to your own profile). It also no doubt does a lot of tracking based on IP addresses to find out which users are in close proximity or even share the same internet connection.
You can do a lot with residential IP addresses and home wifi/router connections, since very often a typical DHCP residential internet customer does not change IPs very much. Or at all. DHCP renewal request often comes back for the same IP.
Or only changes IPs to another address in a very small /24 to /26 sized block that's assigned to a router in one very specific geographic area.
Or you have a case like a bunch of customers all behind one cgnat exit point to the internet that also does not change in geographic scope/scale of how many cgnatted customers are behind it. As commonly seen on LTE networks.
Even if you have not granted GPS location permission to an app there is a very high likelihood that other people in the same small netblock have, which greatly improves a third party's correlation of netblock-to-lat/long.
I wouldn't be surprised if they use the video data provided by their users to build said social graph (face recognition), even including people who never used the app and just appear somewhere in the background.
At least the way I use tiktok, it would be terrible at this. 90% of my tiktok 'friends' are people I have never met IRL nor ever expect to interact with outside of the app. The UX encourages you to follow back strangers, so they are intentionally poisoning their own data.
