December 26, 2023
Monday 26 December 2023
The Sydney Morning Herald
Some of Australia’s largest and best-known brands are being urged to remove a tracking tool from Chinese-owned social media giant TikTok, amid revelations it is harvesting Australians’ data including email addresses, mobile phone numbers and browsing histories without their knowledge or consent, in a potential breach of the nation’s privacy laws.
TikTok’s tracking tool, known as a pixel, is an invisible piece of code that tracks a user’s web history and personal information, even if the user doesn’t have a TikTok account. The pixel can then track a user across the internet and piece together their identity including their email, phone number and buying habits – even if they don’t have TikTok on their phone.
Marketers often use tracking pixels for legitimate purposes, including re-targeting campaigns and to deliver more relevant ads that follow users across websites. Tech giants such as Meta (owner of Facebook) and Google have their own tracking pixels. But tests show the pixel from TikTok, owned by Beijing-based parent company ByteDance, doesn’t wait for user consent and is more aggressive in how it scrapes the data – data that may be made available for sharing with other Chinese corporations and the Chinese government.
The revelations have prompted calls for Australia’s information commissioner to urgently launch an investigation and for websites to remove TikTok’s tracking pixel.
Tests run by this masthead found TikTok’s pixel scrapes a user’s email address and mobile phone information across some of Australia’s most-visited websites, including Kmart, Sportsbet and Beyond Blue, often taking the information even before a user has clicked “I agree” or “I consent” on an online form.
The tests found the pixel sends that information back to TikTok’s servers, along with the user’s location, the device they’re using and their actions on the page, including in some cases what they have added to their shopping cart. The email addresses and phone numbers are “hashed”, meaning they aren’t being stored in their original form, but are easily decrypted.
A user might, for example, go online to buy a weight-loss drug, make a bet on a cricket match, then search for mental health conditions. TikTok is told about all of it.
National mental health organisation Beyond Blue removed the TikTok pixel from its website after being alerted to the tracking issue.
“Beyond Blue takes privacy and security extremely seriously, and we apologise for any concern this has caused,” said a spokeswoman for the organisation.
“Like many health organisations, Beyond Blue uses tools such as pixels to help us deliver safe and relevant content to people online.”
A Sportsbet spokesman said: “We use advanced matching, and that’s consistent with targeting advertising methods that a lot of companies use. Our understanding is they don’t decrypt or use hashed data that has been shared with them.”
Kmart did not respond to requests for comment.
The tests by this masthead found that for Google and Meta’s tracking pixels, email addresses and phone numbers were sent to Google and Meta only after a user had consented to the websites’ privacy policies.
According to TikTok’s website, the tracking pixel can “help you find new customers, optimise your campaigns and measure ad performance”.
“With the pixel, you can track website visitor actions, like view page or purchase, and create audience segments to re-engage previous site visitors or model lookalikes to find new customers,” TikTok says on its website.
The extent of data collected by TikTok’s pixel without user consent has caused concern among Australian marketers. Marketing and advisory agency Civic Data has issued a warning to its clients recommending they remove the pixel from their websites on privacy grounds.
In the client bulletin on December 20, which was obtained by this masthead, Civic Data director Chris Brinkworth said his company had “repeatedly observed non-consensual collection of personal data on Australian wagering, telco, finance, supermarket, e-commerce, charity and media organisations’ websites.
“This raises serious privacy concerns regarding the lack of transparency, misuse of personal information and disregard for consent requirements under current regulations such as the Privacy Act 1988. Civic Data’s recommendation is that all Australian businesses consider removing the TikTok pixel and other TikTok integrations from their platforms if they cannot guarantee that the data usage matches the consent given by consumers.”
Civic Data’s clients include accounting software company Xero, Ticketek, Carsales, RACV and BlueScope.
Senator James Paterson has called for an urgent probe by Australia’s information commissioner.
Paterson, the Coalition’s cybersecurity spokesman, this year chaired a committee into foreign interference through social media that grilled TikTok executives.
“This is a very serious and potentially unlawful mass breach of the privacy of TikTok users, former users and non-users,” he told this masthead.
“It would be concerning from any company but is particularly alarming given TikTok is beholden to the Chinese Communist Party and has admitted its China-based employees frequently access Australian user data. There’s nothing to stop this industrial-scale unauthorised data collection being simply handed over to Chinese intelligence and security agencies, as TikTok and its employees are obliged to do under Article 7 of China’s National Intelligence Law.
“The information commissioner must commence an urgent investigation into TikTok Australia and use their full range of enforcement powers to protect Australians from this extraordinary surveillance.”
A spokesman for the Office of the Australian Information Commissioner said the agency was monitoring issues relating to TikTok’s handling of personal information, particularly in light of the findings made by the British Information Commissioner’s Office in an investigation into the company.
“The OAIC will give consideration to the information raised which alleges data scraping in regard to TikTok’s practices,” the spokesman said.
A TikTok spokeswoman denied the pixel breaches Australia’s privacy laws.
“We strongly reject the suggestions outlined by Civic Data and are disappointed that a company would deliberately try to mislead or scare companies without regard to current law or the information available,” she said.
“Pixel usage, which is voluntary for our advertising clients to adopt, is an industry-wide tool used to improve the effectiveness of advertising services. Our use of this tool is compliant with all current Australian privacy laws and regulations, and we dismiss any suggestion otherwise.”
In 2016, China designated big data a “fundamental strategic resource”, and four years later its government designated data as the fifth “factor of production”, joining land, labour, capital and technology. Its national intelligence laws allow the ruling Communist Party to pull data upon request from companies based in the nation.
China’s National Intelligence Law of 2017 requires all organisations and citizens to “support, assist and co-operate with the state intelligence work”, and the Australian government this year banned TikTok on government devices over security concerns related to China’s intelligence laws. Governments from Britain, Canada, France and New Zealand have also banned the app from official devices.
Jocelinn Kang, technical specialist at the Australian Strategic Policy Institute, said data from a tracking pixel could be aggregated across websites, apps and social media platforms.
She said pixel tracking could identify users through their “browser fingerprint” – a combination of their IP address, browser and system details.
“However, when more identifying data such as email and phone number is associated with a user, their web activity can be better linked,” Kang said.
Strategic Policy Institute researcher Samantha Hoffman said the data collected by TikTok’s pixel was similar to that of US-based tech giants Google and Meta, but the difference was “the intent”.
Advertising data had “incredible propaganda value”, she said.
“If you think about that, plus the access that TikTok is required to give the Chinese government, that’s the problem.”
“They talk about how even data collected overseas can be used by the company and its partners, and would be kept private unless security organisations make demands of it,” Hoffman said.
The tool kit does not exist to deal with these kinds of problems around data security, she said.
“We need a long-term solution.”