What does TikTok know about you? What should you know about it?
Canada joins U.S., EU in banning app from government-issued devices
One of the hottest TikTok trends right now seemingly is Western governments banning the immensely popular app from their employees' phones and launching probes into its data collection practices.
This week, Canada joined the U.S. and the European Union in prohibiting the social media app on government-issued devices. Other Canadian jurisdictions and institutions are considering similar bans.
The move came just days after the federal privacy watchdog said it, along with three provinces, will investigate whether TikTok and its China-based parent company ByteDance are complying with Canadian privacy laws.
Agencies and Crown corporations that don't fall under the federal government's Policy on Service and Digital were informed of the decision on Monday and "strongly advised" to consider following suit, the Treasury Board of Canada Secretariat said in an emailed statement on Friday.
"CBC is a Crown corporation and not subject to the Policy on Service and Digital, and as such is not covered by this decision," the statement said.
However, several Crown corporations have voluntarily decided to leave TikTok — including the Bank of Canada, Trans Mountain Corporation, the National Capital Commission and the Standards Council of Canada.
But most TikTok users in this country aren't government employees and will continue to allow the app to access their personal data with every video they watch, like or comment on — even when they're not interacting with the app.
While most every social media application gathers and stores user data, the amount TikTok gathers, and how transparent it is about what it collects, is what concerns some cybersecurity experts — especially because of the perception that the Chinese government could access it.
What TikTok gathers from you
Once the app is downloaded and opened on your smartphone or tablet, it's getting to know a lot about you.
Its voluminous terms of service lay out what you're agreeing to: access to personal data like contacts, calendars, information about which device you're using, which operating system and your location.
Like other platforms, including Facebook and YouTube, TikTok also monitors the content you engage with and for how long.
But TikTok also monitors how you use your device and how it functions, including "keystroke patterns or rhythms, battery state, audio settings and connected audio devices," according to those terms.
It's also able to identify "the objects and scenery that appear [in your videos], the existence and location within an image of face and body features … and the text of the words spoken."
"Ninety-nine per cent of people are not going to read the dozens of pages of terms of service," said Heidi Tworek, the Canada Research Chair and Director of the Centre for the Study of Democratic Institutions at the University of British Columbia.
Precise GPS data
Social media businesses rely on such analytics to sell advertising, develop new versions of programs, and tailor content to users' habits.
But Robert Potter, the co-founder and co-CEO of the Canberra-based cybersecurity firm Internet 2.0, says TikTok isn't completely transparent with its more than 1.5 billion users.
His company examined social media apps including Meta-owned Facebook, Instagram and WhatsApp and found TikTok was "an outlier in the sheer amount of data it collects," he said.
For example, Potter says TikTok can collect "precise" GPS location data from users — much more precise than the company once admitted.
"It gives us a lot of pause to thinking exactly ... what other elements of scrutiny would we like to subject them to?" he said.
Not 'overtly malicious'
Pellaeon Lin, a researcher for the University of Toronto's Citizen Lab, authored a 2021 report analyzing the security and privacy of TikTok and Douyin, the version of the app available in China (they even use the same icon).
That report said neither app "appear to exhibit overtly malicious behaviour" akin to malware, and only collected certain information with the user's permission.
Except that Douyin also acquired a device's Media Access Control (MAC) address, a unique, 12-digit identifier. Even if you completely reset a phone and wipe all of the personal information, the MAC address does not change and that information could still be used to identify a user, Lin said in an interview from Taipei.
Both Google and Apple prohibit third-party apps from collecting MAC addresses. (Douyin is not available in either company's app store.)
TikTok did not collect them, according to Lin's report. But it used to — according to a 2020 report in the Wall Street Journal that found TikTok "skirted a privacy safeguard" in Google's Android operating system to gather MAC addresses from millions of devices for more than a year. TikTok told the Wall Street Journal, at the time, that newer versions of the app do not collect MAC addresses from such devices.
'Deeply concerning'
Douyin only needs to abide by Chinese law while TikTok — which stores its data in the U.S. and Singapore — must comply with the laws of individual countries.
Lin said his research did not find that the app connects to any servers in China directly, but couldn't rule out data being sent from one country to another and then onward to China.
TikTok and ByteDance insist no user information is stored in mainland China and that it does not provide user data to the Chinese government.
But Internet 2.0's Potter questions that.
"[China requires] TikTok and other companies that are headquartered there to cooperate with Chinese national security priorities and intelligence," he said, echoing a point that came up often during Ottawa's recent spat with Beijing over the telecom giant Huawei.
"They're required to not disclose their participation. So, that is deeply concerning."
He also cited a BuzzFeed report that said ByteDance employees in mainland China could access American user information — which Potter said "shows that there is a gap between what TikTok is telling the public and what it's actually doing on network."
Broader ban?
Ottawa worries that collection by TikTok of sensitive data from federal employees' devices could pave the way for cyberattacks.
The government has not indicated it wants to widen the ban but there are discussions in the U.S. about banning TikTok outright and preventing ByteDance from doing business there.
Kristen Csenkey, a PhD candidate at the University of Waterloo's Balsillie School of International Affairs, sees problems with this because of the app's roles as both a social platform and a source of income for millions of people.
"We need to consider what the implications are," she said. "It's not just a technology or an app that's just used for one purpose."
Google and Apple could, of course, effectively kill TikTok by booting it from their Play Store and App Store, respectively. But it's not clear what it would take for either company to take such a drastic step.
Protecting your privacy
On an individual level, the information TikTok collects from users isn't of huge value, according to Potter.
"It's really the aggregate, huge amounts of data," he said.
But for people who want to use it and are concerned about data collection, there are ways to protect one's privacy.
Matthew Johnson, the director of education for Ottawa-based MediaSmarts, says web browser plugins and smartphone applications such as Privacy Badger, DuckDuckGo and Disconnect can limit data collection.
He recommends taking a closer look at those terms of service that so many people blindly agree to, though he admits it's "not reasonable" to expect users to comb through every detail.
"They are written in such a way to satisfy lawyers rather than consumers," he said.
He also suggests using the website tosdr.org — which stands for "Terms of Service; Didn't Read" — which grades the terms of service of websites and applications and succinctly describes any concerns.
That site gives TikTok its lowest grade.
With files from Raffy Boudjikanian and Richard Raycraft