Australian data is potentially compromised with TikTok’s admission that China can access US data
July 4, 2022
The phrase “six degrees of separation” should be truncated to “one degree of separation” when describing data flows. Personal information of Australians is held by many US companies and organisations courtesy of online shopping, various subscription services and other connections.
The ABC, in “Australian user data security in doubt after TikTok admits US data accessible by China”, highlights that data relating to Australians can be as vulnerable as that of US individuals where third parties can access the US user data. US users of TikTok have, or can have, their data accessed by TikTok employees. TikTok admits that its employees in China have access to US user data. If both sets of data are stored on the same servers, the likelihood of harm can be as great.
There is a very real concern that norms about accessing information differ between Western democracies and China. The line between business and the state in China has rarely been clear and bright, or respected. There is little in the way of proportionality in the collection and use of data, or respect for privacy. That means using Chinese apps, websites and even data-collecting technology is fraught. That explains why, as the BBC reports in “MPs call for UK ban on two Chinese CCTV firms”, there is impetus not to use Chinese surveillance equipment. It is not that there is a known vulnerability that would enable Chinese state actors to use (and manipulate) CCTV cameras for their own purposes, but it is impossible to discount that as a problem.
The ABC article provides:
Social media site TikTok is in hot water with the US government over user data security, and Australian data may be less than secure as well.
Some US senators have put questions to the Chinese-owned company regarding data security as the app undergoes a move to a “new advanced data security controls” with a server system based in the US, having previously used servers across regions, including in China.
TikTok acknowledged that China-based employees “can have access to TikTok US user data subject to a series of robust cybersecurity controls and authorisation approval protocols overseen by our US-based security team.”
Marsha Blackburn, a senator from Tennessee, said TikTok “should have come clean from the start but instead tried to shroud their work in secrecy.” She said TikTok needs to “come back and testify before Congress.”
Australian users’ data is stored in servers in the US and Singapore, which raises questions about whether that data is subject to the same security concerns.
Liberal Senator James Paterson has publicly put it to TikTok to address those concerns.
“Australian TikTok users deserve to know whether their private information is equally exposed,” Mr Paterson wrote on Twitter.
He asked whether Australian data can be, or has previously been accessed by China-based employees, and on what ground the social media company could refuse a request for data from the Chinese government.
Senator Paterson referenced a letter from TikTok to the Australian Parliament from 2020, in which TikTok’s director of public policy assured the previous government it would not bend to such a request from Beijing.
TikTok, owned by Chinese technology conglomerate ByteDance, is one of the world’s most popular social media apps, with more than 1 billion active users globally. It counts the United States as its largest market.
More than 7 million Australians spend time on TikTok, and according to a February report, scroll through the site for an average of almost 24 hours per month.
Shared algorithms
It is not the first time TikTok has admitted that employees in China have access to US user data.
In a 2020 blogpost, Roland Cloutier, TikTok’s chief information security officer, said, “Our goal is to minimise data access across regions so that, for example, employees in the APAC region, including China, would have very minimal access to user data from the EU and US.”
A BuzzFeed story in June showed ByteDance engineers in China had access to US data between September 2021 and January 2022.
The letter to Congress also said “ByteDance developed the algorithms for both Douyin and TikTok, and therefore some of the same underlying basic technology building blocks are utilised by both products.”
TikTok is known as Douyin in China. But TikTok’s business logic, algorithm, integration and deployment of systems is specific to the TikTok application and separate from Douyin, the letter said.
Reuters previously reported that while the code for the app, which determines the look and feel of TikTok, has been separated from Douyin, the server code was still partially shared across other ByteDance products. The server code provides basic functionality of the apps such as data storage, algorithms for moderating and recommending content and the management of user profiles.
The Chinese government took a stake and a board seat in a key ByteDance entity in 2021.
TikTok explained in its letter to the US senators that its acquisition of 1 per cent of Beijing Douyin Information Service Ltd was necessary to obtain a news license in China.