Cloud Hosting

Cybersecurity experts have warned Australian TikTok users that the Chinese government could use the app to harvest personal information, from in-app messages with friends to precise device locations.

The warnings follow a report by Australian-US cybersecurity firm Internet 2.0, which found the most popular social media app of the year collects excessive amounts of information from its users.

Heres what you need to know about TikToks data harvesting, and how to keep your information safe.

TikToks data collection methods include the ability to collect user contact lists, access calendars, scan hard drives including external ones and geolocate devices on an hourly basis.

When the app is in use, it has significantly more permissions than it really needs, said Robert Potter, co-CEO of Internet 2.0 and one of the editors of the report.

It grants those permissions by default. When a user doesnt give it permission [TikTok] persistently asks.

If you tell Facebook you dont want to share something, it wont ask you again. TikTok is much more aggressive.

The report labelled the apps data collection practices overly intrusive and questioned their purpose.

The application can and will run successfully without any of this data being gathered. This leads us to believe that the only reason this information has been gathered is for data harvesting, it concluded.

Most of the concern in the report focuses on permissions sought on Android devices, because Apples iOS significantly limits what information an app can gather. It has a justification system so that if a developer wants access to something it must justify why this is required before it is granted.

We believe the justification system iOS implements systematically limits a culture of grab what you can in data harvesting, the report states.

TikTok is owned by the Chinese multinational internet company ByteDance, which is headquartered in Beijing. Founder Zhang Yiming sits at No. 28 on Bloombergs billionaires index.

ByteDance has denied a connection to the Chinese government in the past, and called the claim misinformation after various leaks suggested it censors material that does not align with Chinese foreign policy aims or mentions the countrys human rights record.

They are consistent in saying their app doesnt connect to China, isnt accessible to Chinese authorities and wouldnt cooperate with Chinese authorities, Potter said.

But he said Internet 2.0s research found Chinese authorities can actually access device data. By sending tracked bots to the app, Internet 2.0 consistently saw data geolocating back to China.

Potter has said it wasnt clear what data was being sent, just that the app was connecting to Chinese servers.

This month TikTok Australia admitted its staff in China were able to access Australian data.

Our security teams minimise the number of people who have access to data and limit it only to people who need that access in order to do their jobs, Brent Thomas, the companys Australian director of public policy, wrote in a letter. The letter was in response to questions from Senator James Paterson, the oppositions cyber security and foreign interference spokesperson. Thomas said Australian data had never been given to the Chinese government.

Under Chinas national security laws Chinese companies are, upon request from the government, required to share access to data they collect.

Youre in a different digital ecosystem when youre on a mainstream Chinese app, Potter said. And who you are may determine the level of risk you are taking.

At an individual level, the average user might not be at immediate risk, Potter said. But if youre involved in something more sensitive or discussing topics that are sensitive youve become very interesting to them very quickly.

A dissident in the Chinese diaspora community, or a critic of the Chinese government, might be extremely concerned about their personal cyber security on TikTok, Paterson said.

TikTok told a 2020 Senate committee on foreign interference on social media that any request for Australian user data would need to go through a mutual legal assistance treaty process.

Other governments also use their national security laws to gain access to user data from TikTok. TikTok publishes a half-yearly transparency report for data requests from governments.

China is not on the list of countries, but the list reveals Australian governments in the second half of 2021 made 51 requests for data related to 57 user accounts, with TikTok handing over data 41% of the time. The US made 1,306 requests for 1,003 accounts, with data handed over 86% of the time.

TikTok is now the most downloaded mobile entertainment app in Australia, with 7.38 million users over the age of 18.

If you decide to keep using TikTok, Potter suggests being specific and granular about the level of permissions shared with the app.

Set permissions manually via in-app settings and in the devices settings. Tom Kenyon, a director of Internet 2.0, also urged users to monitor those permissions regularly. In any update, they can change access to permissions. Its not set and forget.

Potter said users should continue to ignore requests for sharing information. He also urged young people to avoid using TikTok for general messaging.

If you want to share videos and look at cats, sure, go your hardest. If youre going to have a conversation with your friends about your sexual orientation, or human rights, Id be very wary.

Kenyon said young people just starting their careers should think beyond the short term.

He also urged senior public servants, public officials and members of parliament to delete TikTok and other social media. While the data already collected will not disappear from TikToks database, deleting the application will stop data collection into the future. If they are wanting to continue activity across platforms, Kenyon suggested a separate, dedicated phone.

Kenyon said that as it is an avenue for data to flow to China I absolutely think [TikTok] should be banned.

But Potter said he is very rarely in favour of bans.

I am in favour of better regulation.

Potter said Australia must be clear that we expect social media companies operating in Australia to respect our norms of privacy and freedom of speech.

They need to be clear about how they operate. And if caught lying consistently, we need to have some way of holding those companies to account.

The federal minister for home affairs and cyber security, Clare ONeil, said in a statement that the Australian government has this report and has been well aware of these issues for some years.

Australians need to be mindful that they are sharing a lot of detailed information about themselves with apps that arent properly protecting that information.

I hope it concerns Australians because it certainly concerns me.

Australian influencers have vowed to stay on the app despite concerns about Chinese data harvesting.

The Internet 2.0 report will be presented on Monday to a US Senate hearing on TikTok. With 142.2 million users in North America, the US is obviously the dominant market for this app.

I would expect TikTok will come under very hard questions about how the app operates, Potter said.

TikTok has rejected the Internet 2.0 report as baseless.

A TikTok spokesperson said: The TikTok app is not unique in the amount of information it collects ... We collect information that users choose to provide to us and information that helps the app function, operate securely, and improve the user experience.

The IP address is in Singapore, the network traffic does not leave the region, and it is categorically untrue to imply there is communication with China. The researchers conclusions reveal fundamental misunderstandings of how mobile apps work, and by their own admission, they do not have the correct testing environment to confirm their baseless claims.

With Josh Taylor

Link:
TikTok has been accused of aggressive data harvesting. Is your information at risk? - The Guardian