Social media giant TikTok under fire for tracking users

“When The Age and Sydney Morning Herald alerted us to this issue, we immediately commenced a review of our privacy policy and removed the TikTok pixel from our website. Our investigations are continuing as a priority.

“Like many health organisations, Beyond Blue uses tools such as pixels to help us deliver safe and relevant content to people online.”

A Sportsbet spokesman said: “We use advanced matching, and that’s consistent with targeting advertising methods that a lot of companies use. Our understanding is they don’t decrypt or use hashed data that has been shared with them.”

Kmart did not respond to requests for comment.

The tests conducted by this masthead found that for Google and Meta’s tracking pixels, email addresses and phone numbers were sent to Google and Meta only after a user had said they consented to the websites’ privacy policies.

According to TikTok’s website, the tracking pixel can “help you find new customers, optimise your campaigns and measure ad performance”.

“With the pixel, you can track website visitor actions, like view page or purchase, and create audience segments to re-engage previous site visitors or model lookalikes to find new customers,” TikTok says on its website.

The extent of data collected by TikTok’s pixel without user consent has sparked concern among Australian marketers. Marketing and advisory agency Civic Data has issued a warning to its clients recommending they remove the TikTok pixel from their websites on privacy grounds.

In the client bulletin sent on December 20 and obtained by this masthead, Civic Data director Chris Brinkworth said his company had “repeatedly observed non-consensual collection of personal data on Australian wagering, telco, finance, supermarket, e-commerce, charity and media organisations’ websites”.

“When TikTok receives this data, it can be matched against other datasets to enrich existing user profiles, enabling the tracking and storage of individual user behaviours and interests across websites and devices without the user’s knowledge, control or consent,” the letter reads.

“This raises serious privacy concerns regarding the lack of transparency, misuse of personal information and disregard for consent requirements under current regulations such as the Privacy Act 1988.

“Civic Data’s recommendation is that all Australian businesses consider removing the TikTok pixel and other TikTok integrations from their platforms if they cannot guarantee that the data usage matches the consent given by consumers.”

Civic Data’s clients include Xero, Ticketek, Carsales, RACV and BlueScope.

Senator James Paterson has called for an urgent probe by Australia’s information commissioner. Paterson, the Coalition’s cybersecurity spokesman, this year chaired a committee into foreign interference through social media which grilled TikTok executives.

“This is a very serious and potentially unlawful mass breach of the privacy of TikTok users, former users and non-users,” Paterson told this masthead.

“It would be concerning from any company but is particularly alarming given TikTok is beholden to the Chinese Communist Party [CCP] and has admitted its China-based employees frequently access Australian user data. There’s nothing to stop this industrial-scale unauthorised data collection being simply handed over to Chinese intelligence and security agencies, as TikTok and its employees are obliged to do under article 7 of China’s National Intelligence Law.

“The information commissioner must commence an urgent investigation into TikTok Australia and use their full range of enforcement powers to protect Australians from this extraordinary surveillance.”

A spokesman for the Office of the Australian Information Commissioner said it was actively monitoring issues relating to TikTok’s handling of personal information, particularly in light of the findings made by the UK Information Commissioner’s Office in its investigation into the company.

“The OAIC will give consideration to the information raised which alleges data scraping in regard to TikTok’s practices,” the spokesman said.

“Strong privacy protections are critical to addressing the privacy risks faced by Australians online. The OAIC considers reforms to the Privacy Act are a vital step to ensure Australia’s privacy framework is fit for the digital age.”

A TikTok spokeswoman rejected claims that the pixel breaches Australia’s privacy laws.

“We strongly reject the suggestions outlined by Civic Data and are disappointed that a company would deliberately try to mislead or scare companies without regard to current law or the information available,” a spokeswoman said.

“Pixel usage, which is voluntary for our advertising clients to adopt, is an industry-wide tool used to improve the effectiveness of advertising services. Our use of this tool is compliant with all current Australian privacy laws and regulations and we dismiss any suggestion otherwise.

“We also rely on our advertising clients to only share data with us through the Pixel, if they have in turn provided their customers with the necessary information and obtained the necessary permissions. As we have said publicly on many occasions, Australian user data is encrypted and stored in world-class data centres in the US and Singapore.”

China in 2016 designated big data as a “fundamental strategic resource”, and four years later its government designated data as the fifth “factor of production”, joining land, labour, capital and technology. Its national intelligence laws allow the ruling CCP to pull data upon request from companies based in the nation.

China’s National Intelligence Law of 2017 meanwhile requires all organisations and citizens to “support, assist and co-operate with the state intelligence work”, and the Australian government this year banned TikTok on government devices over security concerns related to China’s intelligence laws. Governments from the UK, Canada, France and New Zealand have also banned the app from official devices.

Jocelinn Kang, technical specialist at the Australian Strategic Policy Institute (ASPI), said that data from a tracking pixel could be aggregated across multiple websites, apps and social media platforms.

She said pixel tracking could identify users through their “browser fingerprint”, which is a combination of their IP address, browser, and system details.

“This information is often sufficient to uniquely identify a user based on probability. However, when more identifying data such as email and phone number is associated with a user, their web activity can be better linked, even across the Internet where the ad platform has visibility,” Kang said.

“As a result, TikTok’s pixel provides the option for advertisers to provide additional details about the user (their customer). These details may include hashed email, hashed phone number (previously allowed in clear text, but now changed), and a hashed unique identifier that the advertiser uses for that particular customer.”

ASPI researcher Samantha Hoffman told this masthead in an interview that the data collected by TikTok’s pixel is similar to that of US-based tech giants Google and Meta.

“The difference is in the intent,” she said. “Other companies are doing something similar. But advertising data has incredible propaganda value, and if you think about that, plus the access that TikTok is required to give the Chinese government, that’s the problem.”

Previously, TikTok said that any data collected by its servers could not be accessed by anyone in China, but in November 2022 it changed its privacy policy to make it explicitly clear that user data can be accessed by some employees from across the world, including China.

“When you look at the company’s privacy and security policies about overseas data collection, they talk about how even data collected overseas can be used by the company and its partners, and would be kept private unless security organisations make demands of it,” Hoffman said.

“That tells you right there that it doesn’t really matter where the data is located.

“I think a lot of the problem is that the toolkit doesn’t really exist to deal with these kinds of problems when it comes to data security … We need a long-term solution.”
