August 1, 2022
Australia’s privacy watchdog is looking into TikTok’s data collection and permissions requests after fresh analysis of its source code raised alarm about the viral video app’s information gathering practices.
Two weeks ago, The Australian Financial Review reported analysis by Canberra-based cybersecurity and intelligence firm Internet 2.0 that revealed TikTok checks its users’ device location at least once an hour; continuously requests access to contacts even if the user originally denies the request; maps a device’s running apps and all installed apps; and more as part of broad permissions asked of users.
The Office of the Australian Information Commissioner (OAIC) said: “We are considering privacy concerns raised in the Internet 2.0 report in line with our regulatory action policy.”
The OAIC said platforms and apps must be transparent in how they treat their users’ data and protect their privacy, particularly for vulnerable users such as children, and should only collect information that is reasonably necessary to deliver the service.
“In regards to consent, individuals need to be provided with genuine choices around how their personal information will be handled, and those choices need to be inherently fair. Members of the public should also review their privacy settings regularly,” the OAIC said.
TikTok said: “We reached out to the OAIC with whom we are now in correspondence. Given the many inaccuracies and mistakes in Internet 2.0’s report, we look forward to providing a clearer and more accurate picture to the commissioner.”
Internet 2.0 countered, stating: “We reviewed the claims of TikTok about our research and found that they sit at odds with both their own privacy policies and source code.”
“As a result, we think that TikTok should be more open with researchers and journalists. Our research, on the other hand, is open to external review and our work is held in the highest regard by our peers in the field.”
Internet 2.0’s analysis also found TikTok queries Android device GPS location at least once an hour, and found that it requests access to user contacts. If the user denies the request, Internet 2.0 said the user was continuously asked on a loop until access was granted.
“It is normal for an application to initially request access to contacts but TikTok’s persistent, endless harassment for user contacts access is abnormal. It reflects a culture that does not prioritise privacy or a user’s preferences for privacy,” the report said.
Internet 2.0’s analysis also found TikTok collected a range of device information. However, the social media company denied some of these findings.
“Internet 2.0 misstates the amount of data we collect. For example, we do not collect user device IMEI, SIM serial number, active subscription information, or integrated circuit card identification number. We do not have automatic clipboard access, though it may be initiated by a user,” TikTok said.
“Unlike other apps, we do not collect precise GPS location, but use approximate location information like IP addresses to make broad inferences that help us comply with local laws in the markets where we operate. It also helps us support fraud prevention and detection, and prevent inauthentic spam or bot-like behaviour on our platform.”
Liberal Senator James Paterson said he welcomed the independent OAIC stepping forward to investigate TikTok.
“It is recognition that the privacy and cybersecurity issues recently revealed are serious. But we also need the Albanese government to step up and take action - these problems will not fix themselves,” he said.
Social media apps, in general, collect huge amounts of data, much of it deemed unnecessary by many privacy experts, largely to profit from driving further engagement and selling targeted ads. For example, Facebook Messenger was singled out by OpenDemocracy for its excessive data collection, which included name, email, location, user ID, iMessage, photos and videos, health and fitness, and more.
However, earlier this month, the Financial Review revealed that TikTok, in a letter to Senator Paterson, admitted Australian user data could be accessed by staff in mainland China.
Although executives at the social media company stressed that strict protocols overseen by its US security team tightly restricted access based on need, politicians and security experts remain concerned about the safety of that information.
This is because of reports and research on the links between ByteDance, TikTok’s parent company, and the Chinese Communist Party, the spreading of propaganda and censorship, as well as China’s National Intelligence Law of 2017, which requires organisations and citizens to “support, assist and co-operate with the state intelligence work”.