
Canada joins the U.S. and EU in saying that government-owned devices can’t have the app

One of the hottest topics on TikTok at the moment seems to be Western governments banning the very popular app from their employees’ phones and looking into how it gathers information.

This week, Canada joined the U.S. and the European Union in saying that government-owned devices can’t have the social media app on them. Other Canadian governments and institutions are thinking about putting similar bans in place.

Just days before, the federal privacy watchdog and three provinces said they would look into whether TikTok and its Chinese parent company, ByteDance, are following Canadian privacy laws.

But most TikTok users in this country aren’t government workers, and they’ll keep giving the app access to their personal information every time they watch, like, or comment on a video, and even when they’re not using the app.

Most social media apps collect and store user data, but what worries some cybersecurity experts about TikTok is how much data it collects and how open it is about what it collects. This is especially true because some people think the Chinese government could access it.


What TikTok gathers from you

When you download and open the app on your phone or tablet, it learns a lot about you.

Its long terms of service spell out what you’re agreeing to: access to personal information like contacts and calendars, as well as information about your device, operating system, and location.

TikTok, like Facebook and YouTube, keeps track of the content you watch and how long you watch it for.

But according to the terms, TikTok also watches how you use your device and how it works. This includes “keystroke patterns or rhythms, battery state, audio settings, and connected audio devices.”

It can also figure out “the objects and scenery that appear [in your videos], the existence and location of face and body features in an image, and the text of the words spoken.”

“Ninety-nine percent of people won’t read the dozens of pages of terms of service,” said Heidi Tworek, the Canada Research Chair and Director of the Centre for the Study of Democratic Institutions at the University of British Columbia.


Precise GPS data

Businesses that deal with social media use analytics to sell ads, make new versions of programs, and make content fit the habits of users.

But Robert Potter, co-founder and co-CEO of the cybersecurity company Internet 2.0 in Canberra, says that TikTok isn’t totally honest with its more than 1.5 billion users.

His company looked at social media apps like Facebook, Instagram, and WhatsApp, which are all owned by Meta, and found that TikTok was “an outlier” in how much data it collected, he said.

For example, Potter says that TikTok can get “precise” GPS location information from users, which is a lot more precise than the company used to admit.

“It makes us stop and think a lot about what other kinds of scrutiny we would like to put them through,” he said.


Not ‘overtly malicious’

A 2021 report written by Pellaeon Lin, a researcher at the University of Toronto’s Citizen Lab, looked at how safe and private TikTok and Douyin, the Chinese version of the app, are (they even use the same icon).

This report said that neither app “appears to act maliciously in a way that is obvious,” like malware, and that they only collected information with the user’s permission.


But Douyin also got a device’s Media Access Control (MAC) address, which is a unique 12-digit number that identifies it. Lin said in an interview from Taipei that a phone’s MAC address doesn’t change, even if all of the user’s personal information is erased. This means that the MAC address could still be used to find out who the user is.

Apple and Google both say that third-party apps can’t get MAC addresses. (Douyin is not available in the app stores of either company.)

Lin’s report says that TikTok did not get them. But it used to, according to a 2020 report in the Wall Street Journal: TikTok “got around a privacy protection” in Google’s Android operating system to collect MAC addresses from millions of devices for more than a year. At the time, TikTok told the Wall Street Journal that newer versions of the app do not collect the MAC addresses of such devices.

‘Deeply concerning’

Douyin only has to follow Chinese law, but TikTok, which stores its data in the U.S. and Singapore, has to follow the laws of each country.

Lin said that his research showed that the app doesn’t connect directly to any servers in China, but he couldn’t say for sure that data isn’t sent from one country to another and then to China.

TikTok and ByteDance say that they don’t store user information in mainland China and don’t give user information to the Chinese government.

But Potter of Internet 2.0 says that’s not true.

“[China] wants TikTok and other companies based there to work with Chinese national security priorities and intelligence,” he said, repeating a point that came up a lot during Ottawa’s recent fight with Beijing over the telecom giant Huawei.

“They have to keep their participation a secret.” “So, that is a very big worry.”

He also cited a BuzzFeed report that said ByteDance employees in mainland China could access information about American users. Potter said this “shows that there is a gap between what TikTok is telling the public and what it’s actually doing on the network.”


Broader ban

Ottawa is worried that TikTok’s collection of sensitive data from the devices of federal employees could lead to cyberattacks.

The government hasn’t said it wants to make the ban even stricter, but there are talks in the U.S. about outlawing TikTok and making it so ByteDance can’t do business there.

Kristen Csenkey, who is getting her PhD at the Balsillie School of International Affairs at the University of Waterloo, thinks this is a bad idea because the app is used by millions of people as both a social platform and a way to make money.

“We need to think about what this means,” she said. “It’s not just a single technology or app that can only be used for one thing.”

Google and Apple could kill TikTok for good by removing it from their respective Play Store and App Store. But it’s not clear what either company would have to do to make such a big change.

Protecting your privacy

Potter says that the information TikTok gets from its users isn’t very useful on an individual level.

“It’s really the huge amounts of data added together,” he said.

But there are ways for people who want to use it but are worried about data collection to keep their privacy safe.

Matthew Johnson, who works in education for the Ottawa-based company MediaSmarts, says that web browser plugins and smartphone apps like Privacy Badger, DuckDuckGo, and Disconnect can limit the amount of data that is collected.


He says that people should take a closer look at the terms of service that so many of them agree to without reading, but he also says that it’s “not reasonable” to expect users to read every detail.

“They are written so that lawyers will be happy, not the customers,” he said.

He also says to check out the website tosdr.org, which stands for “Terms of Service; Didn’t Read.” It gives websites and apps a grade based on their terms of service and quickly explains any problems.

This site gives TikTok the worst grade possible.
