TikTok, the widely used Chinese video sharing social networking app, does not seem to protect children that use the app. Such findings have been revealed by the Dutch Foundation for Market Information Research (SOMI), which will continue its research into the business model and practices of the TikTok app. Moreover, the app most likely also gathers unauthorised personal information from its users, especially from minors. If these findings were found to be correct, then this would mean that TikTok would be violating the European General Data Protection Regulation (GDPR) regulations. If they decided to follow up on this, SOMI could potentially stand up against the app’s apparent disregard of the European regulations and also introduce increased supervision measures while children use the app to reassure parents that are concerned.
Cor Wijtvliet, the Co-Founder of SOMI stated, “Europe has created the GDPR to give consumers control over their personal data and to protect minors in the digital world. TikTok consistently violates similar standards in countries outside the EU on several counts. That is a major cause for concern; not only because it happens without the user’s consent or even their knowledge, but especially because the company is known to have committed such offences in the past. Children are insufficiently protected against unwanted contacts with unknown adults online. That’s why we decided to make a stand.”
Mass claim
SOMI has since its investigation encouraged parents to contact the organisation if their children have been using the TikTok app. On its website, Tiktokclaim.org, SOMI has made a participation form and when consumers fill in the form, they effectively give SOMI permission to look into the breaches of the app obtaining users’ personal data without their consent or knowledge. This way there will be sufficient data and evidence that will be compiled where a collective claim can then be put in against the Chinese company by the Netherlands jurisdiction, which may also be put into effect all around the world where the app is in use. In addition to giving explicit permission, the participation form created by SOMI also allows consumers to consider the option where they can immediately pass on their claims for collection in order to take legal action against TikTok.
“The first step is thorough research. Only then can we build a potentially successful claim. To this end, we are now collecting user data and research reports. However, the purpose of our public action is not so much to obtain monetary compensation; that is just the cherry on the cake. Our primary objective is to make sure that children are well protected online and that individual consumers are not powerless against the producers of popular apps. Together, we are stronger and the claim more powerful,” says Cor Wijtvliet.
In violation as per the European GDPR regulation
In 2019, TikTok did receive a stark warning that children who use the app are not sufficiently protected against being contacted online by a stranger and that the supervision over children may be severely inadequate. By applying the European GDPR Regulation, the violations and objections of the TikTok app are stated as follows:
The unlawful processing of personal data of minors
Obtaining minors’ personal data firstly requires explicit permission from a guardian. Users of the TikTok app are allowed to create an account from the age of 13, which is under the legal age in many countries in Europe. Furthermore, users can easily bypass this particular security measure by entering a false age.
The unlawful processing of sensitive personal data
The TikTok app also collects sensitive personal data of its users, such as information pertaining to the device which the app is being used on, location information and general user activity. Such data is also collected even when the user has exited the app. Further investigation has additionally revealed that the app installs browser trackers that then collects data on the users’ online habits and preferences.
Transparent information, communication and further rules for exercising the rights of the data subject
It is still not entirely certain which data from users it then passes onto third parties, such as Facebook for example, who those third parties are and what they then do with that data. Although TikTok does track the users’ online activity and behavior, they do not provide an option to them to delete that data.
Data protection through design and through default settings
The design and default setting of TikTok do not ensure the data protection purposes as referred to in the GDPR regulations. TikTok has not taken the appropriate and effective measures to guarantee that solely certain personal data that is needed to complete certain actions are being processed at that time. In fact, the design and default settings of the app are made to gather as much data as is can from its users.
Security surrounding data processing
As stated in the GDPR regulations, ‘the controller and processor shall take appropriate technical and organisation measures to ensure risk-appropriate security.’ However, as revealed by the investigation conducted by SOMI, TikTok’s security seems to blatantly disregard this particular regulation. Moreover, the recent findings have uncovered several weaknesses within the app, which include:
- Web view and remote web view that are enabled by default and can also therefore be used to gain access by third parties;
- The app appears to be taking text as commands and then processes these texts straight to Java;
- Java reflection is also in use by the app, which helps to cut the VM loading time. This specific vulnerability in this feature can be taken advantage of by users with bad intentions, which can lead to a CVE score of 8.8 (which means ‘high’ risk);
- Further weaknesses in the app include unexplained glitches and the display of information by the app
The transfer of data outside of the EU
The research led by SOMI has suggested that 37.7 percent of IP addresses by TikTok are from China and be particularly linked to the Chinese company named Alibaba. Taking into account the GDPR regulations, China is deemed a unsafe third country. Due to this, Tiktok would need special permission in order to process the personal data of EU citizens outside of the European Economic Area.
TikTok’s bad reputation
The operation of TikTok is now being questioned all around the world. Investigations into the app’s violations have been beginning in Europe and the US. An independent European body named the European Data Protection Board (EDPB) has made a statement that it will form a task force to begin an investigation into TikTok’s data processing practices. Research that has also been conducted by an American company Penetrum has discovered that the TikTok app does have data collection and tracking functions and that the app also communicates digital profiles and personal/sensitive user information to China.
About SOMI
The Foundation for Market Information Research (SOMI – Stichting Onderzoek Marktinformatie) is a Netherlands-based non-profit organisation set up to identify issues of social importance and influence decisions relating to these issues. SOMI focuses on the functioning of markets in the areas of privacy, the elderly, housing and care.
In 2016 and 2017, SOMI conducted legal and econometric research into the cartel formation of large banks on the Dutch mortgage market. The action was unique in that the participants were also invited to act as knowledge workers (crowd resourcing). The study lead to the creation of an online calculator outlining financial consequences of cartel formation for individual homeowners.
In addition to alleged violations by TikTok, SOMI is currently also investigating possible violations of the European GDPR by the Zoom Communications video conferencing app.
Source: The Dutch Foundation for Market Information Research (SOMI)