Our TikTok Analysis
Please note this research was funded by TikTok for AUD70,000.
We have defended this research on Sky News Australia.
Entertainment in the Digital Age — An investigation into data leakage and privacy concerns of digital platforms.
By Professor Nigel Phair
Supported by Edward Farrell (Mercury Information Security Services)
Abstract
This report investigates the policy and technical aspects of data collection within the online ecosystem. It includes a comparative analysis of four leading online platforms’ privacy policies — those of Facebook (Meta), Google, Twitter and TikTok — and an analysis of these organisations’ cross-border data sharing practices. Whilst recent commentary has focused on the data collection and sharing practices of the TikTok platform in particular, this comparative analysis contextualises these practices, and shows that TikTok’s data practices are broadly in line with those of its peers. Specifically, from a privacy perspective, this report shows that each of the four applications seeks many data attributes, with Twitter and TikTok seeking the least.
Accompanying this report is a technical analysis, undertaken by Mercury Information Security Services, of a similar sample of popular social media and entertainment applications — Facebook, Instagram, Snapchat, TikTok and YouTube — which provides a richer analysis of app characteristics. From a technical perspective, Mercury’s analysis showed that each platform requested a significant number of permissions, with TikTok and YouTube requesting the least
Introduction
Online entertainment platforms have become a staple of our professional and social lives. For the purposes of this report, the terms “entertainment platforms”, “digital platforms” and “social media” are used interchangeably. What was once a fringe activity a few short decades ago has since become ubiquitous, enriching the lives of many, whilst also providing commercial entities with additional marketing opportunities.
The mainstreaming of smart mobile devices has enabled these opportunities for greater social and commercial engagement, along with other benefits like secure online banking. More than half of the world’s population uses social media (4.7bn — 59%), with 227 million new users within the last 12 months. The average daily time spent by Australians on social media is 2h 4m. The average time per month users spend on TikTok is 29h 36m, Facebook, 17h 48m, Instagram, 8h 36m, and WhatsApp, 5h 36m. TikTok reportedly reaches 37% of Australian adults, or around 7.38 million people, and is the world’s fifth most used social media platform, with more than a billion global monthly active users. In Australia, Facebook has 18.12 million active users, Instagram, 13.62 million active users, and Twitter, 6.96 million active users.
Online Entertainment Platform Data Collection
Personalisation is important to these platforms’ success at providing their users with an enjoyable and productive online experience. As users, we want to be served with content and advertising which is relevant. To provide this tailored experience, digital platforms collect a range of user and device data. For advertising-driven platforms like the four assessed, the utility of these data flows is symbiotic: advertisers want to pitch their goods and services to specific user demographics, and users typically prefer to have products marketed to them which are relevant.
The type of ads and sponsored or commercial content a user sees is based on the information the digital platform knows. An analysis — using 40 specific collection attributes — of the privacy policies of Facebook, Google, Twitter and TikTok revealed that each of the four platforms was within a close range of one another when it came to the number of data points collected. These ranged from Google, which was found to collect the largest number of data points (39 of 40), followed by Facebook/Meta (33 of 40), TikTok (31 of 40) and Twitter (29 of 40). A breakdown of these specific collection attributes is set out in Figure 1 below.
When assessing these findings, it should be noted that this analysis only considered the published privacy policies of each platform — not the device permissions sought. It should also be noted that the notices contained within these platforms’ respective privacy policies do not necessarily distinguish between device attributes which may be accessed by an app but require explicit user permission to do so (e.g. through an in-app prompt), and those attributes which are collected without the app seeking this additional, explicit permission from the user. Finally, when comparing the number of data points collected by each platform, it is important to note that platforms like Google offer a broader range of services than the other platforms assessed — such as email, maps and documents — which may explain the higher number of data points sought.
App Permissions
To properly function, apps require the user to grant permissions to certain device capabilities. For example, a photo app might need to use a phone’s camera, or a restaurant guide might use approximate location data to recommend nearby venues. The overall user experience of a platform can be thought of as a combination of the app design and the capability of the associated device.
It is the provision of this user experience, the combination of device capability and app features, which necessitates the collection of data attributes by platforms. While data collection can be framed in negative terms (i.e. in terms of privacy risks), this activity is also the means through which digital platforms enhance their service offering for consumers.
The technical analysis undertaken by Mercury Information Security Services showed that each of the applications assessed requested a significant number of permissions, with TikTok, Instagram and YouTube requesting the least. A summary of these findings is set out in Figure 2 below.
Use of Data
Partly due to their growing popularity, and partly due to prominent data breaches across the broader digital economy, recent public discussion has focused on the risk of consumer data leakage from online entertainment platforms. TikTok has regularly been singled out in this regard. However, there are examples from other digital platforms which have occurred at great scale. For example, in 2018 Facebook allowed app developers to collect data not only about app users but also their Facebook friends, and data from friends of users if their privacy settings allowed access to that information, including name, birth date, location and gender. This data collection gave rise to the Cambridge Analytica scandal, as a result of which the data of as many as 87 million Facebook users was collected without their consent.
More recently, in October 2022, Meta announced that their security researchers had discovered more than 400 malicious Android and iOS apps in the past year that were designed to steal Facebook login information and compromise users’ accounts. These apps were listed on the Google Play Store and Apple’s App Store and were disguised as photo editors, games, VPN services, business apps and other utilities to trick people into downloading them.
Less malicious, but no less important, is the income digital platforms receive through selling user data in the form of aggregated and anonymised usage patterns. For example, Twitter sells advanced access to its API, which companies can use to view all historical tweets and filter, sample and batch them. This makes up around 11% of Twitter’s revenue.
Sharing user information with Government
In Australia and around the world, there are legislative frameworks in place allowing governments to request platform user information for law enforcement and national security purposes. Although the legal requirements differ from jurisdiction to jurisdiction, broadly speaking these processes require the agency requesting access to obtain a subpoena or warrant, but may stipulate narrow circumstances (for example, when the data subject is in imminent physical danger) in which these requirements may be waived.
In pursuit of their investigative activities, law enforcement and intelligence agencies seek access to all available avenues of inquiry. Considering how much rich data is collected by social media companies, it is little surprise that these agencies consider the data collected by digital platforms to be a valuable information-gathering tool. The platforms analysed for this report all have policies, standards and protocols which mandate how they support law enforcement and national security efforts, and public reporting mechanisms through which this activity is periodically disclosed. A summary of the government requests for user information reported by the four platforms over 2021 is set out in Figure 3 below:
Assessing these statistics, and disambiguating the US and Australian figures, reveals a number of interesting trends. Whilst Google is the clear leader globally, these publicly disclosed figures suggest that Facebook is where US and Australian government agencies go to for user data. Requests of Twitter and TikTok over this period were statistically insignificant. While these reported figures cannot tell us the extent to which governments exploit platforms’ user information for intelligence-gathering purposes (which are, by their nature, carried out covertly), the quantity of publicly reportable user access requests may provide an indication of the richness of the data collected by the platforms in the first place, which in turn may provide an approximate indication of the relative potential value of these platforms’ data to law enforcement and intelligence-gathering efforts.
Access by Overseas Jurisdictions
Economies of scale and the advent of cloud storage technologies have meant that most multinational companies have long since stopped storing their data “on-premises”. However, the data still resides somewhere (and often in many locations), so consideration needs to be given to the jurisdiction(s) in which a platform’s data is housed. Significant discrepancies in data protection and privacy regimes between jurisdictions mean that the country in which data is stored can have significant commercial consequences for a business. For example, some organisations may be concerned about the regulatory burdens of storing data in Europe due to the cost of GDPR compliance.
The GDPR lays down rules relating to the protection of natural persons regarding the processing of personal data and rules relating to the free movement of personal data. It also protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
When deciding where to store data, organisations may also have regard to the host nation’s intelligence collection, oversight and data surveillance regimes. In the United States, the Foreign Intelligence Surveillance Act provides judicial and congressional oversight of foreign intelligence surveillance activities while maintaining the secrecy necessary to effectively monitor national security threats. It was this law which enabled the US PRISM program, through which the National Security Google, Facebook, Apple and other US companies, without having to obtain individual court orders.
In recent years, concerns have been raised around the security of platforms’ user data and the perceived risk of unauthorised access by the host nation’s intelligence services. This has been an argument frequently pointed at TikTok, notwithstanding their statements that TikTok user data is housed in Singapore and the US. These concerns often fail to take account of the fact that many Australian organisations share data with overseas jurisdictions, including the United States and China. This includes each of Australia’s largest four banks, the two largest telecommunication providers, and a number of high-profile tech companies. To illustrate this reality, set out in Figure 4 below are direct statements from some of these organisations’ privacy policies which detail their relevant overseas data sharing practices Agency obtained access to user data from
Figure 4: Privacy policy extracts
Sometimes we need to share your information with overseas organisations. The most common reason is because some of our ANZ companies are located overseas and are contracted to support our technology, operational and customer service teams. These entities are located in the following countries:
- China
- Fiji
- India
- New Zealand
- The Philippines
Sometimes, we may send your information overseas, including to:
- CommBank Group members that are located in China, India, Hong Kong, Singapore, Japan, the United Kingdom, the Netherlands, New Zealand and the United States of America
- service providers or third parties who store data or operate outside Australia
- complete international transactions, such as currency exchanges
- organisations we partner with to provide products and services
- comply with laws and help government or law enforcement agencies. If we do this, we make sure there are appropriate privacy, data handling and security arrangements in place to protect your information.
We run our business in Australia and overseas. We may need to share some of your information (including credit information) with organisations outside Australia. Overseas organisations may be required to disclose information we share with them under a foreign law. In those instances, we will not be responsible for that disclosure.
Where you are interacting with the Westpac Group in countries other than Australia, the privacy statement applicable to that country as shown below applies to you, along with any other applicable privacy notices provided to you.
In some cases, the organisations that we may share your information with may be based outside the location where the information is collected. For example, we may share your information with other parties in Australia, Canada, Chile, China, Hong Kong, countries within the European Union, India, Japan, Malaysia, Moldova, New Zealand, Philippines, Poland, Romania, Russia, Singapore, South Africa, South Korea, Sri Lanka, Taiwan, the UAE, Ukraine, United Kingdom, the United States of America and Vietnam.
Where we do this, we require these parties to take appropriate measures to protect that information and to restrict how they can use that information.
In some cases, we may share your information with organisations (including some Singtel Group companies, service providers and third parties) located overseas for the purposes listed above — Singapore, India, Philippines, USA, Canada, the European Union (including the UK), the Bailiwick of Jersey, Mexico, Malaysia, Japan, Israel, Iceland and New Zealand.
Please note that these third parties may be in other countries where the laws on processing Personal Information may be less stringent than in your jurisdiction. When we disclose your Personal Information overseas, we will take all reasonable measures to ensure that your information is held, managed and accessed in accordance with appropriate standards for the handling of Personal Information.
To facilitate our global operations we may share personal information with Afterpay and our affiliates and related companies, including those based in Australia, United States, United Kingdom, Canada, China, and New Zealand, and where we operate in Europe. We are bound by an Intercompany Personal Data Transfer Agreement that contains Standard Contractual Clauses.
As can be seen from the publicly available policies above, these organisations all state that they may share Australians’ personal data with overseas-based entities, including in China. Given the significant market share of these organisations, which include some of Australia’s largest banks and telecommunications providers, it would be safe to assume that the vast majority of Australians have had their personally identifiable information shared with overseas-based entities in a range of foreign jurisdictions, including China, irrespective of their social media usage.
Conclusion
Online entertainment platforms, and indeed the broader global online ecosystem, are still very much evolving. The analysis conducted for this report, including the detailed technical investigation comprising static and dynamic application analysis, suggests that the four digital platforms considered are similar in their collection of data. In light of these similarities, and the ubiquitous nature of overseas data flows, the case for singling out digital platforms based solely on their country of origin appears misconceived. To the contrary, these findings suggest that a platform-agnostic approach is a necessary precondition to any mature discussion about contemporary privacy risks in the online environment.
