Cybersecurity experts have warned Australian TikTok users that the Chinese government could use the app to harvest personal information, from in-app messages with friends to precise device locations.
The warnings follow a report by Australian-US cybersecurity firm Internet 2.0, which found the most popular social media app of the year collects “excessive” amounts of information from its users.
Here’s what you need to know about TikTok’s data harvesting, and how to keep your information safe.
What’s different about the way TikTok collects data?
TikTok’s data collection methods include the ability to collect user contact lists, access calendars, scan hard drives including external ones and geolocate devices on an hourly basis.
“When the app is in use, it has significantly more permissions than it really needs,” said Robert Potter, co-CEO of Internet 2.0 and one of the editors of the report.
“It grants those permissions by default. When a user doesn’t give it permission… [TikTok] persistently asks.
“If you tell Facebook you don’t want to share something, it won’t ask you again. TikTok is much more aggressive.”
The report labelled the app’s data collection practices “overly intrusive” and questioned their purpose.
“The application can and will run successfully without any of this data being gathered. This leads us to believe that the only reason this information has been gathered is for data harvesting,” it concluded.
Most of the concern in the report focuses on permissions sought on Android devices, because Apple’s iOS significantly limits what information an app can gather. It has a justification system so that if a developer wants access to something it must justify why this is required before it is granted.
“We believe the justification system iOS implements systematically limits a culture of ‘grab what you can’ in data harvesting,” the report states.
Does TikTok have connections with the Chinese government?
TikTok is owned by the Chinese multinational internet company ByteDance, which is headquartered in Beijing. Founder Zhang Yiming sits at No. 28 on Bloomberg’s billionaires index.
ByteDance has denied a connection to the Chinese government in the past, and called the claim “misinformation” after various leaks suggested it censors material that does not align with Chinese foreign policy aims or mentions the country’s human rights record.
“They are consistent in saying their app doesn’t connect to China, isn’t accessible to Chinese authorities and wouldn’t cooperate with Chinese authorities,” Potter said.
But he said Internet 2.0’s research found “Chinese authorities can actually access device data”. By sending tracked bots to the app, Internet 2.0 “consistently saw … data geolocating back to China”.
Potter has said it wasn’t clear what data was being sent, just that the app was connecting to Chinese servers.
This month TikTok Australia admitted its staff in China were able to access Australian data.
“Our security teams minimise the number of people who have access to data and limit it only to people who need that access in order to do their jobs,” Brent Thomas, the company’s Australian director of public policy, wrote in a letter. The letter was in response to questions from Senator James Paterson, the opposition’s cyber security and foreign interference spokesperson. Thomas said Australian data had never been given to the Chinese government.
Are you at risk?
Under China’s national security laws Chinese companies are, upon request from the government, required to share access to data they collect.
“You’re in a different digital ecosystem when you’re on a mainstream Chinese app,” Potter said. And “who you are” may determine the “level of risk” you are taking.
At an individual level, the average user might not be at immediate risk, Potter said. “But if you’re involved in something more sensitive or discussing topics that are sensitive … you’ve become very interesting to them very quickly.”
A dissident in the Chinese diaspora community, or a critic of the Chinese government, might be “extremely concerned about their personal cyber security” on TikTok, Paterson said.
TikTok told a 2020 Senate committee on foreign interference on social media that any request for Australian user data would need to go through a mutual legal assistance interfacing process.
Other governments also use their national security laws to gain access to user data from TikTok. TikTok publishes a half-yearly transparency report for data requests from governments.
China is not on the list of countries, but the list reveals Australian governments in the second half of 2021 made 51 requests for data related to 57 user accounts, with TikTok handing over data 41% of the time. The US made 1,306 requests for 1,003 accounts, with data handed over 86% of the time.
How can I keep my data safe?
TikTok is now the most downloaded mobile entertainment app in Australia, with 7.38 million users over the age of 18.
If you decide to keep using TikTok, Potter suggests being “specific and granular about the level of permissions shared with the app”.
Set permissions manually via in-app settings and in the device’s settings. Tom Kenyon, a director of Internet 2.0, also urged users to monitor those permissions regularly. “In any update, they can change access to permissions. It’s not set and forget.”
Potter said users should continue to “ignore requests for sharing information”. He also urged young people to avoid using TikTok for “general messaging”.
“If you want to share videos and look at cats, sure, go your hardest. If you’re going to have a conversation with your friends about your sexual orientation, or human rights, I’d be very wary.”
Kenyon said young people just starting their careers should think beyond the short term.
He also urged senior public servants, public officials and members of parliament to “delete TikTok and other social media”. While the data already collected will not disappear from TikTok’s database, deleting the application will stop data collection into the future. If they are wanting to continue activity across platforms, Kenyon suggested “a separate, dedicated phone”.
Should TikTok be banned?
Kenyon said that as it is an “avenue for data to flow to China … I absolutely think [TikTok] should be banned.”
But Potter said he is “very rarely in favor of bans”.
“I am in favor of better regulation.”
Potter said Australia must be clear “that we expect social media companies operating in Australia to respect our norms of privacy and freedom of speech”.
“They need to be clear about how they operate. And if caught lying consistently, we need to have some way of holding those companies to account.
The federal minister for home affairs and cyber security, Clare O’Neil, said in a statement that the Australian government “has this report and has been well aware of these issues for some years”.
“Australians need to be mindful… that they are sharing a lot of detailed information about themselves with apps that aren’t properly protecting that information.
“I hope it concerns Australians because it certainly concerns me.”
Australian influencers have vowed to stay on the app despite concerns about Chinese data harvesting.
The Internet 2.0 report will be presented on Monday to a US Senate hearing on TikTok. With 142.2 million users in North America, the US is “obviously the dominant market for this app.”
“I would expect TikTok will come under very hard questions about how the app operates,” Potter said.
What does TikTok say about the report?
TikTok has rejected the Internet 2.0 report as “baseless”.
A TikTok spokesperson said: “The TikTok app is not unique in the amount of information it collects … We collect information that users choose to provide to us and information that helps the app function, operate securely, and improve the user experience.
“The IP address is in Singapore, the network traffic does not leave the region, and it is categorically untrue to imply there is communication with China. The researcher’s conclusions reveal fundamental misunderstandings of how mobile apps work, and by their own admission, they do not have the correct testing environment to confirm their baseless claims.”
With Josh Taylor