South China Morning Post
Advertisement
Advertisement
TikTok has an estimated 1.6 million Australian users, mostly aged 16-24 but with a growing number of older users too. Photo: EPA
Opinion
Paul Haskell-Dowland and James Jin Kang
Paul Haskell-Dowland and James Jin Kang

In Australia, concerns mount that China could use TikTok to spy on users

  • Hypothetically, the app could enable Chinese authorities to use biometric data to identify people using facial recognition
  • It could also be possible to map rooms and locations by using ‘feature extraction’ on videos
Paul Haskell-Dowland
James Jin Kang
Paul Haskell-DowlandandJames Jin Kang
Why you can trust SCMP
In an age of isolation, video-sharing platform TikTok has emerged as a bonding force for many. But recent headlines allege the service, owned by Beijing-based company ByteDance, is feeding users’ data to the Chinese Communist Party.

An Australian newspaper, the Herald Sun, this week reported that an unnamed federal MP was pushing for the app to be banned.

Following suit, Liberal Senator Jim Molan said TikTok was being “used and abused” by the Chinese government, while Labor Senator Jenny McAllister called on TikTok’s representatives to face the Select Committee on Foreign Interference Through Social Media.
TikTok has denied the accusations and rebuffed suggestions it should be banned in Australia. But why is the federal government examining this app so closely? And could it really be a tool used by the Chinese government to spy on Australians?

A growing following

TikTok has amassed a reported 2 billion downloads worldwide and its Australian market is also significant. It has an estimated 1.6 million Australian users, mostly aged 16-24 but with a growing number of older users too.

Users generate short videos that are shared in the app, with many celebrities also signing up. But although TikTok seems to offer carefree entertainment, is there a darker side?

When installed, TikTok asks users to grant several permissions, including the use of the camera, microphone and contact list. However, it may also collect location data, along with information from other apps on the device.

Last year, a proposed class action lawsuit filed against TikTok in California claimed the company gathered users’ data, including phone numbers, emails, location, IP addresses, and social network contacts.

The lawsuit also stated TikTok concealed the transfer of data, including biometric data, and continued to harvest it even after the app was closed. This would mean when a user shoots a video and clicks the “next” button, the video could be automatically transferred to servers – without the user’s knowledge.

Where is the data stored?

While TikTok’s headquarters are in Beijing, Australian general manager Lee Hunter recently claimed Australian users’ data was stored in Singapore.

A major challenge in sorting the truth from fiction lies in how we define “data”. While TikTok users’ details and videos may be stored in Singapore, there’s still potential for data to be extracted from this video content and the device and sent to China’s servers, although this hasn’t been proven to have happened.

High stakes as Australia tests foreign interference laws, with China in its sights

Hypothetically, it would then be possible for Chinese authorities to use biometric data to identify people using facial recognition. It would also be possible to map rooms and locations by using “feature extraction”, a machine learning method, on videos. This could then aid the creation of new, advanced deepfake videos potentially targeting specific people.

While this may seem far-fetched, there have already been pre-emptive TikTok bans within major organisations to ensure sensitive information isn’t leaked.

For instance, the app has been banned from devices used by the Australian Defence Department, the US Department of Defence, and even entire countries – with the Indian government announcing a nationwide ban last month.

Privacy issues

ByteDance claims its data is stored in servers in the US and Singapore: “Our data centers are located entirely outside of China, and none of our data is subject to Chinese law.”

TikTok’s privacy policy is ambiguous. As of January, it states: “You should understand that no data storage system or transmission of data over the Internet or any other public network can be guaranteed to be 100 per cent secure.”

From a user privacy perspective, TikTok has access to a device’s location and a user’s personal information. Although TikTok’s servers may be located outside China, it’s very difficult – if not impossible – to confirm where this data could end up, or what it could be used for.

As China’s beef with Australia hits its economy, will Canberra be cowed?

While the location of servers can be important, possession of data is more relevant. Once data is obtained, it can be used. If data is stored on a server in Australia, for instance, Australian jurisdiction applies. But once it is sent to another country, that country’s laws take precedent.

And if a TikTok user decides to delete their content from their device, or if there is a government-imposed ban, data can’t be retrospectively erased. Once information is transferred, it’s impossible to retract without the cooperation of the organisation or agency concerned – in this case, TikTok.

Can the government actually ban TikTok?

The fact is, enforcing an Australia-wide ban on TikTok isn’t a simple prospect. While the federal government could request the app’s removal from the Apple App Store and Google Play Store, it could only do this for Australian regions and marketplaces.

Users in Australia would still be able to download TikTok from another region’s store, or via a third-party source. Also, banning the app won’t automatically remove it from devices on which it is already installed.

Australia targeted in ‘malicious’ cyberattack by state actor, PM Morrison says

Blocking access to TikTok’s servers would be done in conjunction with internet service providers such as Telstra and Optus, as they can block access to apps and websites. But users could still use proxies or Virtual Private Networks (VPNs) to circumvent these controls.

And even if TikTok was banned, citizen data already handed over would remain stored, and could be accessed for the foreseeable future.

Paul Haskell-Dowland is associate dean of computing and security at Edith Cowan University. James Jin Kang is a lecturer in computing and security at Edith Cowan University. This article first appeared on The Conversation.

Post