News

|

National Security

TikTok inquiry over data concerns

December 28, 2023

Thursday 28 December 2023

Sumeyya Ilanbey

The Sydney Morning Herald

Australia’s privacy commissioner has launched an inquiry into TikTok’s handling of personal information to determine whether the social media giant that is harvesting the data of Australians without their consent will need to be formally investigated.

The Office of the Australian Information Commissioner will probe whether TikTok breached the nation's privacy laws when it used a tool, known as a pixel, to collect users’ data, including email addresses, mobile phone numbers and browsing histories without their knowledge or consent even if they don’t have a TikTok account. An inquiry is the step before a formal investigation is initiated.

“We are making inquiries relating to TikTok’s handling of personal information following the findings made by the UK Information Commissioner’s Office in its investigation into the company,” commissioner Angelene Falk told this masthead in a statement.

“The [Office of the Australian Information Commissioner] is also making inquiries following this recent information which alleges data scraping in regard to TikTok’s practices in order to determine whether to investigate.”

The inquiry was triggered after this masthead revealed on Tuesday that some of Australia’s largest and best-known brands were being urged to remove TikTok's tracking tool over privacy concerns. The move comes as the government considers reforms to the Privacy Act, including strengthening the protection of personal information.

The British Information Commissioner’s Office in April fined the owners of the viral video app £12.7 million ($23.7 million) for breaching a number of data protection laws, including failing to use children’s personal data lawfully.

Its investigation found more than 1 million UK children under 13 were on TikTok in 2020, contrary to its terms of service, and that the company “did not do enough” to check who was using their platform or take sufficient action to remove underage children.

TikTok has been under increased scrutiny across the globe due to its parent company ByteDance’s ties to the Chinese Communist Party and China’s National Intelligence Law of 2017 that requires organisations and citizens to “support, assist and co-operate with the state intelligence work”.

The Australian government this year banned TikTok on government devices over security concerns related to China’s intelligence laws. Governments from Britain, Canada, France and New Zealand have also banned the app from official devices.

A TikTok spokeswoman on Tuesday denied the pixel breaches Australia’s privacy laws.

“Pixel usage, which is voluntary for our advertising clients to adopt, is an industry-wide tool used to improve the effectiveness of advertising services. Our use of this tool is compliant with all current Australian privacy laws and regulations, and we dismiss any suggestion otherwise,” the spokeswoman said.

But TikTok’s aggressive harvesting of personal data is only the “tip of the iceberg” that should finally wake Australians up to the dangers of big technology companies tracking users’ online behaviour, according to David Vaile, chair of the Australian Privacy Foundation and executive director at the University of NSW’s Cyberspace Law and Policy Centre.

He said while Chinese-owned social media giant TikTok’s tracking tool was egregious, Australians had become far too blasé about protecting their privacy online.

“There’s no doubt that the Chinese operation is a very explicit form of internet censorship and a very thorough internet tracking and surveillance,” Vaile said.

“But Western countries, particularly the United States [where big tech companies are often based], has never really accepted the global standard of privacy protections. There are a lot of reasons to criticise TikTok and China, but the difference between what they do and what various Western entities do is nowhere near as big … TikTok is just the tip of the iceberg.”

Marketing and advisory agency Civic Data director Chris Brinkworth said organisations trying to keep pace with changing technology was like playing a game of whack-a-mole.

“Unfortunately it moves so fast and the digital world has changed so rapidly over the last five to six years,” Brinkworth said. “The way data can be collected and used – it’s very hard for any one person to stay on top of.”

Marketers often use tracking pixels for retargeting campaigns and to deliver more relevant ads that follow users across websites after a user has consented to the privacy policies of websites.

Vaile said the vast majority of Australians were not providing informed consent, and that online companies were obfuscating and obscuring as much as possible to make it harder for users to detect and completely understand what they were consenting to.

“You get long pages, thousands of words, legalese, and the reality is most people aren’t going to read it, but they click a box saying they have read it, they understand it and they agree,” Vaile said.

“So they haven’t read it, they don’t understand it because they haven’t read it, and they can’t agree because they don’t know what they’re agreeing to. The implication is that all consent is the same … and that is a widely abused mechanism to improve the legal situation of the people behind it on the other side of the contract.”

Attorney-General Mark Dreyfus is in the middle of another round of consultations on the “right to request erasure” proposals and 115 other reforms put forward by his department in the review of the Privacy Act, commissioned by the former Morrison government.

A key theme of the review was bringing Australia’s law into line with global standards of information privacy protection, with the report landing after the data of millions of Australians was stolen in cyberattacks on Optus and Medibank Private last year. In response to the hacks, the government increased fines for serious or repeated breaches of the Privacy Act from $2.2 million to $50 million.

“The right to erasure is one of many proposals that are being considered as part of the reform process,” a spokesman for the attorney-general said.

“The government is also alive to the fact that many privacy policies are far too complex and lengthy – leading many Australians to ‘tick a box’ in order to receive goods and services without necessarily understanding what they are agreeing to. To tackle this, the government is considering the introduction of new rules to ensure that the collection, use and disclosure of personal information is always fair and reasonable.”

Falk said reforms to the Privacy Act were vital to ensure Australia’s privacy laws were fit for the digital age.

“Reforms will also provide a greater range of enforcement powers to the [Office of the Australian Information Commissioner] which will increase our ability to take regulatory action on behalf of the Australian people in a flexible and proportionate way, and to identify systemic privacy issues,” she said.

Civic Data’s Brinkworth and opposition cybersecurity spokesman James Paterson welcomed the commissioner’s decision to launch an inquiry into TikTok.

“This is a serious mass breach of Australians’ privacy, including those who have never even downloaded the app,” Paterson said. “We must ensure Australian privacy law is robustly enforced, particularly for companies beholden to foreign authorities governments, like TikTok.”

Recent News

All Posts