The Australian-US cybersecurity company that last year revealed the extent of TikTok’s data collection says the social media company has increased what location information it collects to include altitude, which could tell it what floor of a building a user is on.
Last year Internet 2.0 released a study on the data TikTok attempts to collect on user devices, which includes contact lists and calendars, and its scanning of hard drives and geolocating devices on an hourly basis.
At the time TikTok described the report as “baseless” and said it was no different to the data other social media apps seek.
After the report a number of western countries, including Australia, banned the app from government-issued devices amid fears about whether the Chinese government could access data under national security law.
The director of Internet 2.0, David Robinson, on Thursday told a Senate committee hearing on foreign influence on social media that TikTok had never directly addressed the issues his firm had raised in the report.
“[TikTok] have never come back to us and argued the points about the data and their source code,” he said. “So it’s their word against the source code.
“They’ve called us names. They said we don’t understand what the code is. But they’ve never come back and qualified or quantify their position.”
He said the company had undertaken another analysis of the updated source code and discovered that in addition to latitude and longitude data from a user’s device, the app was now seeking altitude information.
“So if you’re in a high-rise building, they can tell what floor you’re on now,” Robinson said. “And that wasn’t previously in their code last year.”
A spokesperson for TikTok rejected the claim, saying GPS data was not collected in Australia, and only collected overseas where users enabled it.
“We do not collect GPS location data from users in Australia, nor do we seek permission for this,” they said. “To clarify, in other regions where a user has enabled and grants access to location services, TikTok collects this information based on device GPS data.”
The spokesperson said Internet 2.0 admits their analysis is “not conclusive and doesn’t include a detailed source code review, which they admit is the best way to assess data collection practices”.
after newsletter promotion
“What’s been presented are misleading, inconsistent results based on a flawed and biased analysis that lacked any real depth.”
Robinson said with other apps where Internet 2.0 had analysed the source code – such as with Telegram and Proton – the companies explained their code or provided more evidence as to what the code does. He said TikTok had never approached it that way.
“No one’s perfect,” he said. “But to be honest about it, and go, ‘Yes, we’ve had an issue. We didn’t know about it, we’re checking it, we’re fixing it’ – that’s normal behaviour, that’s trustworthy behaviour, in our opinion.
“But to call us names and basically never, never, never show your code and explain it makes me not trust them.”
The hearing continues on Friday.