Privacy Violation: the hottest TikTok trend --- by Letizia Stefani '22
TikTok has a basic interest in collecting personal data, including biometric data such as face recognition and voiceprints. “Biometric data, together with genetic and health data, are at the top of the personal data scale of sensitivity: they represent the highest level of invasiveness with regard to personal identity, confidentiality, and private life,” says Rosario Imperiali, a lawyer specialized in Italian and international data protection legislation. The dissemination of this data is generally prohibited. “There is the highest level of invasiveness with regard to confidentiality and [from a] privacy right standpoint,” says Imperiali.
TikTok, the Chinese video-sharing social media platform, is owned and developed by ByteDance, a Chinese multinational internet technology company. It has gained much popularity around the globe; as the most downloaded social media app, its community has grown rapidly, surpassing 1 billion users in August 2020. It may have gained a ton of users, but it has also accumulated a plethora of security infractions.
In July 2020, TikTok was accused by Anonymous, a collective of hackers and activists waging cyberwar against oppression and corruption, of being malware and spyware designed by the Chinese government to monitor millions of people. Since then, many countries, including the United States, Italy, Ireland, France, the United Kingdom, and the Netherlands, have sought to have this app banned or force it to at least monitor its privacy policies and their enforcement. Last year, TikTok was banned in India over national security issues because it was considered a threat to the sovereignty and security of the country. According to former US President Trump, there is credible evidence that ByteDance could take actions that threaten to compromise the national security of the United States due to the massive data collection of US citizens. “There was a potential erosion of the US democratic system controlled by China,” says Imperiali. He states that the case of the United States against the Chinese social media platform can be interpreted as a political and economic issue.
Social networking sites (SNSs) such as TikTok have revolutionized traditional information-sharing methods. They are used as a platform for daily communication to share information and create user-generated content of many forms. The technology of social networks is a double-edged sword that leads users to share a significant amount of personal information that they would have preferred to remain private. Owing to rapid technological advancement and the remarkable growth and popularity of online social networks, concerns have arisen regarding users’ ethical behavior and conventions as well as the moral duty of social network site administrators.
The consumption of the Internet and social media networks is deeply embedded in all aspects of society. The advent of the Internet has defined a set of network standards for interconnecting networks and computers, giving people communications power and information-gathering capacities. The Internet has a worldwide broadcasting capability for sharing information and knowledge. As the Internet and digitally dependent activities develop and adapt, so do cybersecurity practices. Hackers can gain access to individual devices that link to the Internet or other networks. According to Cytelligence, a leading international cybersecurity company, hackers attacked smart home and Internet of Things (IoT) devices (such as smart TVs, voice assistants, connected baby monitors, and cellphones). Hackers who obtain access to a connected home's Wi-Fi credentials may also gain access to the user's personal information, such as medical records, bank statements, and website login information. Data storage on personal devices like laptops and cellphones makes it easier for cybercriminals to gain access to a network via a personal device.
Users and their privacy are vulnerable and subject to secondary use by SNS service providers, third-party applications, other users in their social networks, and malicious actors, through threats such as identity theft, phishing attacks, and deepfakes. The deepfake phenomenon emerged in late 2017, initiated by a user of Reddit, a social news website, who created a space where the community shared pornographic videos that used open-source face-swapping technology. Deepfakes are a specific form of synthetic media (also known as AI-generated media) in which a person in an image or video is swapped with another person’s likeness. This application of deep learning technology can be used to manipulate and threaten individuals and corporations. Fake audio or image and video content could be used for a variety of purposes, including defamation, impersonation scams, and even identity theft.
According to a recent study published in the journal Crime Science and funded by the Dawes Centre for Future Crime at University College London (UCL), deepfakes are the most serious criminal threat posed by artificial intelligence based on the harm they could cause. The phenomenon of deepfakes is among the top 20 concerns for criminal facilitation in the next 15 years as a means of creating realistic-looking still images of (fake) individuals by using biometric data such as the kind TikTok collects.
The audience of social media platforms such as TikTok faces a dangerous, massive datafication of its personal and sensitive data, one that we deliberately induced (the so-called forced consent). Let's remember that the term datafication was introduced only in 2013 by Mayer-Schönberger, Professor of Internet Governance and Regulation at the Oxford Internet Institute, and Kenneth Cukier, American journalist and author of books on technology and society. The term describes those technologies and processes used "to datafy a phenomenon [...] in quantified form so that it can be tabulated and analyzed." Few people even know about this term, which brings us to wonder how people can understand the problem if they do not have the words to define it.
“There is no privacy online anymore,” says Marie-Louise Cognard, a finance and HR manager at Wikimedia CH and active member of DataLimits, a global non-profit data protection organization. Social media services appear to be free of charge, but they instead exploit the collection of users’ data for commercial and marketing purposes. Rather than a ‘free online service,’ companies take “all your data and your privacy,” Cognard remarks. Users' data privacy represents a significant challenge for online users worldwide. Responsibility for privacy protection depends primarily on users' levels of personal information disclosure, their concerns, and their knowledge of protection methods. Protecting data privacy also means ensuring data security, a matter that is essential and urgent, despite being complex. This protection is necessary because of the ubiquity of the technology-driven and information-intensive environment as well as the discrepancies between legislative requirements and the lack of transparency in SNSs’ terms and conditions.
Highly vulnerable users and consumers in an online context are children whose self-determination is very fragile.
From a legal perspective, under the threshold of 13 years old, they are considered not capable of self-determination. For this reason, their consent online is substituted by parental consent which represents the legal basis for processing children’s personal data. According to COPPA law (the USA Children’s Online Privacy Protection Act), any organizations or people operating online services, including social media services, are not allowed to collect personal information of anyone under the age threshold without parental permission. To avoid the requirement for parental consent, most apps and online services ask users an age verification question upon registration. Even with age verification technologies in place, it might be difficult to ensure that these minors do not create profiles under multiple age categories in order to obtain access to websites intended for a general audience. Although COPPA establishes tight guidelines to safeguard children from having their personal information collected, the federal law loses its effectiveness if kids create profiles claiming to be 13 or older.
“You cannot protect privacy rights by violating privacy rights,” says Imperiali regarding the importance of companies and institutions taking care when they apply tools or any other mechanisms for verifying age. Children under the age of 13 are legally incapable of expressing their consent, so the role of parents as guardians acting in their place is essential; it is a delicate process because parents give consent on behalf of the child, exposing the child to major cybersecurity risks and attacks.
These rules around age relate to privacy as well as safety.
“Minors have not the appropriate knowledge on how to use the Internet and how to protect themselves online and sharing sensitive data like videos or even just their faces online with million users,” says Mariliza (Maria-Elissavet) Baka, data protection officer and privacy manager at PrivIntelligent Solutions Sagl in the management and protection of personal data industry worldwide. Since users do not have any control over who can access these images, videos, and voices, they, especially minors, face imminent danger. “They do not know who might download this content because there is no notification of downloading content and they can do whatever they want with it,” says Baka.
TikTok has misleading practices relating to children’s personal data protection. There is poor evidence of the protection of children. For this reason, Italy blocked the Chinese platform earlier this year. The Italian data protection Supervisory Authority [Garante per la Protezione dei Dati Personali] issued an immediate restriction on TikTok's data processing from users whose age could not be determined with confidence.
The Garante had already reported several infringements to TikTok in December 2020, including a lack of care for the protection of minors, the easy circumvention of the company's registration ban for children under the age of 13, non-transparent and unclear information provided to users, and default settings that fall short of privacy requirements. TikTok was forced to take further steps to improve its ability to detect and block underage minors, including the development of AI techniques to assist in detecting when children are using the service. TikTok has removed more than 550k underage minors’ accounts. However, it is not clear how many of the removed accounts definitively belonged to under 13-year-olds.
“The only thing you can do for [these kids] is giving them this big bucket [of knowledge, information, and education] - no matter where they go [it] is going to be with them; after that, it is up to them to open it and see what it is in it and use it or keep it sealed and forget about it. It is an effort, it is a matter of trust,” says Cognard. Children need support and education to develop the skills to manage their social media platforms responsibly. It is vital to talk with them about their social media use, potential harms, and threats of inadequate and inappropriate use of the Internet as well as their rights to privacy.
But this piece of the puzzle is still missing in the educational plan of institutions.
Data privacy protection is based on the principle of territoriality. TikTok's servers, where the data is maintained, are located in China, which means that Chinese laws will be applicable. Perhaps only a global law can resolve this international issue of data privacy, characterized by various discrepancies and a lack of transparency of terms and conditions. The latter is the main cause of the violation of consent as a legal basis to process personal data.
Laws are governed by the principle of territoriality, and privacy and data protection laws are no different. Yet, due to the widespread use of the internet, personal data processing has become global and transnational. Presently, there is a patchwork of local legislation. This risks jeopardizing the objective of protecting the rights of the data subject irrespective of territorial boundaries, which is a general aim that legislators pursue.
Unfortunately, there is no evidence of an international legal treaty that can address such a global issue.
The European regulation (General Data Protection Regulation - GDPR) places special attention and protection on biometric data, while allowing Member States the flexibility to enforce or guarantee further protections by introducing new rules. Its entry into force has triggered a worldwide standardization process. GDPR enhances individuals' control and rights over their personal data, considering data protection as a fundamental human right. We are increasingly witnessing the approval of national laws that approach or even try to re-propose the GDPR model. This is beginning to implement the process of regulatory homogenization required by the world of the internet without borders.
Major corporations adopt a ‘take it or leave it’ strategy (the so-called forced consent), requiring customers to fully accept both their privacy policies and terms in order to continue using their services. Article 8 of the EU Charter of Fundamental Rights stipulates that "everyone has the right of access to data collected concerning him or her," which includes the concept of transparency. As a result, individuals have the right to be informed about any processing actions involving their personal data. "Such [personal] data must be treated fairly for specified purposes and on the basis of the permission of the person concerned or some other legal ground laid down by law," according to the EU Charter. This means that any processing of personal data should be based on the consent of individuals or on another legal basis. The GDPR defines consent as "any freely given, precise, informed, and unequivocal expression of the data subject's desires by which he or she expresses approval to the processing of personal data relating to him or her by a statement or by a clear affirmative action."
Individuals who have granted their approval for a certain personal data processing activity have the right to withdraw their consent at any time. Revoking consent must be as simple as giving it. Consent is supposed to be freely granted; however, when a user accepts an initial offer to use an online service, it becomes extremely difficult to later withdraw that consent due to the technological difficulty of changing settings, particularly when it comes to marketing rights.
Data privacy is universally recognized as a fundamental freedom and human right; thus it must be understood, respected, protected, and applied as an inalienable right that belongs, without any distinction, to every individual by reason of his or her human condition. Data privacy is essential to human dignity, survival, and development; it should not be jeopardized by economic, political, or marketing interests.
“The Internet was one of the most fantastic tools ever brought to humanity for free,” says Cognard. “It still should remain free and safe, and not be used as a means to make money and to use people like lemons.”
This article is part of an assortment of student-written journalistic pieces from Fall ‘21 semester’s “Issues of Journalism” course with Professor Elettra Fiumi.