By Victoria Kelly-Clark and Daniel Teng
A report commissioned by Chinese social media giant TikTok supposed to dampen its security issues, has been criticised by cybersecurity firm Internet 2.0.
Robert Potter, head of the firm, said the third-party report, compiled by Prof. Nigel Phair, missed vital details.
“Certain data access points, such as clipboard access, advertisement ID, and biometric data, have been omitted in Prof. Phair’s work. This does not provide a complete and accurate picture of the app’s data access practices,” he wrote on Twitter.
Certain data access points, such as clipboard access, advertisement ID, and biometric data, have been omitted in Prof. Phair’s work This does not provide a complete and accurate picture of the app’s data access practices. 2
— Robert Potter (@rpotter_9) April 27, 2023
Potter also compared the analysis with that completed by Internet 2.0 malware Malcore. He said Malcore found that TikTok accessed all data points in the app.
“It produces an automated, agnostic report which has repeatedly found TikTok to be one of the larger collectors of user data. This is in contrast to the process Prof Phair used,” Potter said in an additional Twitter post.
However, the Phair report did find that despite its consistent denials, TikTok was actually using GPS tracking to monitor users—a point Internet 2.0 has consistently pressed.
“Here is TikTok’s code, we assess based on these lines you can collect location data, including longitude, latitude, altitude, speed and; bearing,” Internet 2.0 said in a media post on March 27.
Meanwhile, FCC Commissioner Brendan Carr has warned that TikTok could not be trusted to keep data from the Chinese Communist Party (CCP) and that the company’s claims on its privacy were nothing short of “gaslighting.”
“With TikTok, we’ve had this years-long approach that strikes me as sort of nothing short of gaslighting in terms of their misrepresentations. That’s why I say there’s something very unique there. That requires serious action,” Carr said.
He even doubted recent plans by TikTok to restructure its company so that U.S. data was stored with Texas-based company Oracle.
“Project Texas has been floated. One of the most significant things was at a recent congressional hearing; you have the Democrat ranking member of the House Committee said that he was doubtful that even if we put Project Texas in place, it would have sufficient protections against the CCP having control over TikTok, and he’s right,” Carr added.
TikTok is Not the Only Firm Sharing Data With Governments
The report, released on April 27, alleged that TikTok was less dangerous than its social media competitors in terms of data collection and that its methods of data sharing were no different to that of the four major banks in Australia.
“An analysis—using 40 specific collection attributes—of the privacy policies of Facebook, Google, Twitter and TikTok revealed that each of the four platforms was within a close range of one another when it came to the number of data points collected.
“These ranged from Google, which was found to collect the largest number of data points (39 of 40), followed by Facebook/Meta (33 of 40), TikTok (31 of 40) and Twitter (29 of 40),” the report stated.
Further, Phair argued that concerns around user data security and the risk of unauthorised access by intelligence services was an unfair accusation aimed at TikTok.
“These concerns often fail to take account of the fact that many Australian organisations share data with overseas jurisdictions, including the United States and China. This includes each of Australia’s largest four banks, the two largest telecommunication providers, and a number of high-profile tech companies.”
Phair also noted that in terms of overseas data access, ANZ Bank, Westpac, the National Bank and the Commonwealth Bank share users’ personal data with authorities in China, Hong Kong, Japan, the United Kingdom (UK), the Netherlands, New Zealand, the United States of America (U.S.), Fiji, India, Singapore, and the Philippines
Additionally, Telstra and Optus will share user information with over 27 governments, including Canada, Chile, China, Hong Kong, countries within the European Union, India, Japan, Malaysia, Moldova, New Zealand, Philippines, Poland, Romania, Russia, Singapore, South Africa, South Korea, Sri Lanka, Taiwan, the United Arab Emirates, Ukraine, UK, U.S., Israel, Iceland, New Zealand and Vietnam.
Buy now, pay later giant, AfterPay, also shares data with authorities in the United States, United Kingdom, Canada, China, New Zealand, and parts of Europe.
“It would be safe to assume that the vast majority of Australians have had their personally identifiable information shared with overseas-based entities in a range of foreign jurisdictions, including China, irrespective of their social media usage.”