In an age of isolation, video sharing platform TikTok has emerged as a bonding force for many. But recent headlines allege the service, owned by Beijing-based company ByteDance, is feeding users’ data to the Chinese Communist Party.

Earlier this week, the Herald Sun reported that an unnamed Australian MP was pushing for the app to be banned in the country. Following suit, Liberal senator Jim Molan said TikTok was being “used and abused” by the Chinese government, while Labor senator Jenny McAllister called on TikTok’s representatives to face the Select Committee on Foreign Interference Through Social Media.

TikTok has denied the accusations and rebuffed suggestions it should be banned in Australia. But why is the federal government examining this app so closely? And could it really be a tool used by the Chinese government to spy on citizens?

With a reported two billion downloads worldwide, TikTok’s Australian market is also significant. It has an estimated 1.6 million Aussie users, mostly aged 16-24 but with a growing number of older users too.

Simply, users generate short videos that are shared in the app, with many celebrities also signing up. But although TikTok seems to offer carefree entertainment, is there a darker side?

Play
Australian television presenter Andrew Probyn had an unexpected TikTok moment.

What information is collected?

When installed, TikTok asks users to grant several permissions, including the use of the camera, microphone and contact list. However, it may also collect location data, along with information from other apps on the device.

Last year, a proposed class action lawsuit filed against TikTok in California claimed the company gathered users’ data, including phone numbers, emails, location, IP addresses, and social network contacts.

The lawsuit also stated TikTok concealed the transfer of data – including biometric data – and continued to harvest it even after the app was closed. This would mean when a user shoots a video and clicks the “next” button, the video could be automatically transferred to servers without the user’s knowledge.

Where is the data stored?

While TikTok’s headquarters are in Beijing, Australian general manager Lee Hunter recently claimed Australian users’ data was stored in Singapore.

A major challenge in sorting the truth from fiction lies in how we define “data”. While TikTok users’ details and videos may be stored in Singapore, there’s still potential for data to be extracted from this video content and the device and sent to China’s servers, although this hasn’t been proven to have happened.

Hypothetically, it would then be possible for Chinese authorities to use biometric data to identify people using facial recognition. It would also be possible to map rooms and locations by using “feature extraction”, a machine learning method, on videos.

This could then aid the creation of new, advanced deepfake videos potentially targeting specific people.

While this may seem far-fetched, there have already been preemptive TikTok bans within major organisations to ensure sensitive information isn’t leaked.

For instance, the app has been banned from devices used by the Australian Defence Department, the US Department of Defence, and even entire countries – with the Indian government announcing a nationwide ban last month.

Privacy issues

ByteDance claims its data is stored in servers in the US and Singapore: “Our data centers are located entirely outside of China, and none of our data is subject to Chinese law.”

TikTok’s privacy policy is ambiguous. As of January, it states: “You should understand that no data storage system or transmission of data over the Internet or any other public network can be guaranteed to be 100% secure.”

From a user privacy perspective, TikTok has access to a device’s location and a user’s personal information. Although TikTok’s servers may be located outside China, it’s very difficult, if not impossible, to confirm where this data could end up, or what it could be used for.

While the location of servers can be important, possession of data is more relevant. Once data is obtained, it can be used. If data is stored on a server in Australia, for instance, Australian jurisdiction applies. But once it is sent to another country, that country’s laws take precedent.

And if a TikTok user decides to delete their content from their device, or if there is a government-imposed ban, data can’t be retrospectively erased. Once information is transferred, it’s impossible to retract without the cooperation of the organisation or agency concerned – in this case, TikTok.

More government bans?

The fact is, enforcing an Australia-wide ban on TikTok isn’t a simple prospect. While the federal government could request the app’s removal from the Apple App Store and Google Play Store, it could only do this for Australian regions and marketplaces.

Users in Australia would still be able to download TikTok from another region’s store, or via a third-party source. Also, banning the app won’t automatically remove it from devices on which it is already installed.

Blocking access to TikTok’s servers would be done in conjunction with internet service providers, such as Telstra and Optus, as they can block access to apps and websites. But users could still use proxies or Virtual Private Networks or VPNs to circumvent these controls.

And even if TikTok was banned, citizen data already handed over would remain stored, and could be accessed for the foreseeable future.

Paul Haskell-Dowland, Associate Dean (Computing and Security), Edith Cowan University. James Jin Kang, Lecturer, Computing and Security, Edith Cowan University.

This article first appeared on The Conversation.