Tik Tok, currently the world’s most downloaded iPhone app, under fire over lack of privacy settings
Protections for users pale in comparison with rivals Facebook and Instagram, cybersecurity professionals say
The world’s current most downloaded iPhone app has come under fire from cybersecurity experts for a lack of privacy settings, just days after a Post investigation found hundreds of Hong Kong children as young as nine exposing their identities on the platform.
Despite its parent company being a tech pioneer valued at more than US$20 billion, protections for users of Tik Tok pale in comparison with rivals Facebook and Instagram, experts said.
Its sister app, Musical.ly, has already sparked concern in the United States and Australia over its failure to protect children from harassment, according to one of three experts interviewed by the Post.
Their warning came a week after an investigation found Hong Kong primary-school children were placing themselves at risk by exposing their identities on the app, which has taken the city by storm in the past year.
“I think it does a lousy job of protecting child users’ privacy and safety compared with other mainstream platforms,” Hong Kong Information Technology Federation councillor Eric Fan Kin-man said after testing the app.
“It doesn’t seem to have any screening of underage users because eight out of 10 selfie videos I just saw are obviously by children.”
Both Tik Tok and Musical.ly – which lets users create short lip-synching music videos – are owned by Chinese firm Bytedance. Founded in 2012, it is one of the country’s fastest-growing tech start-ups and is known for its use of algorithms and artificial intelligence to select news, videos and other content for readers.
Its flagship product is AI-powered news aggregator Toutiao, also known as Today’s Headlines, which claimed to have 120 million daily active users as of July last year.
The firm had not responded to requests for comment as of Sunday evening.
According to Tik Tok’s service agreement, the app is not for users under 16 years old and the firm will terminate accounts where necessary.
However, the Post earlier revealed that the personal information of hundreds of child users was being exposed publicly on the platform. Selfie videos with sexually suggestive themes or actions implying self-harm were discovered on the app, along with adults using the platform to stalk and court teenage girls.
The app only allows users two settings when posting: for videos to be completely private – meaning they are for the creator’s viewing only – or for clips to be entirely open to the public. In the privacy settings offered by Tik Tok, users can only choose if friends, or anyone, can send them private messages, and block specific users. There is no friends-only sharing option. Users are also not able to delete their accounts themselves but must do so by email request.
Lawmaker Fernando Cheung Chiu-hung said he planned to write to the Security Bureau and the Preparatory Committee for the Establishment of a Commission on Children, which is headed by Hong Kong leader Carrie Lam Cheng Yuet-ngor, to urge them to look into Tik Tok.
“It’s dangerous for children to post on Tik Tok and expose their personal information if they can’t control privacy [settings],” Cheung said.
“The authorities should evaluate and think about legislation if necessary. But right now the government is doing nothing on this issue.”
Three cybersecurity experts said it would not be difficult for the platform to add further options to allow users to remove accounts on their own. They also urged Tik Tok to try and screen for children.
Young Wo-sang, convenor of the Internet Security and Privacy Working Group at the Internet Society Hong Kong, said the app could do a better job verifying age when users registered for an account, and should apply facial recognition technology to selfie videos to help do so.
“It may not be 100 per cent accurate, but it can be helpful,” Young said. “For a technology company like Bytedance, it should not be a problem.”
Tik Tok uses the recognition technology to detect facial expressions and add special effects to users’ faces to make them look cute or funny. In February Bytedance acquired augmented reality selfie app Faceu for US$300 million.
But concerns have grown about the risks younger users may be exposing themselves to when they post videos to the app.
In Japan people have been found uploading embarrassing or sexual clips saved from Tik Tok to other platforms to make fun of the creators or attract clicks.
“Kids don’t understand that videos can’t really be deleted online,” Fan said. “Before they delete, others may have saved the videos on their phones, as everybody can see and download from this platform, and Tik Tok’s servers store the data.”
Former Australian police officer Susan McLean, a cybersecurity expert, has been warning the public about the safety risks to children of sister app Musical.ly, which is popular among young people in the US, Europe and Australia.
According to media reports, predators were found to be sending messages to children on Musical.ly asking for nude photos, including to one eight-year-old girl in Melbourne and a seven-year-old in the US.
“It would not be hard for Tik Tok to offer options for users to share videos with their friends only,” McLean said. “But they don’t want to make it easy for users to go away.
“If Tik Tok and Musical.ly really care about children, they should be proactive, not reactive [in coming up with safety measures].”
Billy Wong Wai-yuk, executive secretary of the Hong Kong Committee on Children’s Rights, said she was worried Tik Tok would become a place abused by predators to harm children. She called on the government to learn from the experience of other countries.
For example, the Australian government created the post of e-safety commissioner in 2015, Wong said. It coordinates and leads online safety efforts among the government, industry and NGOs, deals with cyberbullying complaints from young people, identifies and removes illegal online content, and tackles image-based abuse.
“Currently, there’s no specific government department in Hong Kong that deals with children’s safety and privacy protection online,” Wong said. “It needs the government and experts from the internet industry to work together to work out a mechanism to protect children.”
Tik Tok’s developer is Singaporean company Bytemod Pte Limited, incorporated in July last year. The firm, along with its Hong Kong division, is ultimately held by Bytedance Limited, which is registered in the Cayman Islands.
Bytedance founder and CEO Zhang Yiming previously told mainland Chinese media that platforms built by tech companies had become a form of public infrastructure akin to water and electricity, owing to their huge impact on society.
“So these companies should take their social responsibility seriously, including by actively improving transparency and communicating about regulations,” he said.
Hong Kong’s Privacy Commissioner for Personal Data Stephen Wong Kai-yi declined to comment on Tik Tok, but said social media platform operators should ensure child users understand the privacy implications of posting content, including that other users may easily copy and repost the information to other public platforms, over which they have no control.
Karen Lee Hon-fun, a senior associate advising on data privacy law at Mayer Brown JSM, said Hong Kong lacked hardline laws to protect children online. There was no single overarching law placing clear responsibility on social media platforms such as Tik Tok, she said.
“It’s all piecemeal ... You have to try and rely on the Personal Data (Privacy) Ordinance, defamation, intellectual property rights, and so on, in order to try and hold social media platforms accountable for any harm done to kids,” she said.
The Post used Tik Tok’s reporting function last Thursday to flag three child users suspected of being underage, but had not received any feedback by Sunday or seen the accounts terminated.