Despite numerous scandals and calls for it to be banned, TikTok, the Chinese-owned app, continues to enjoy immense popularity in Australia.

ByteDance, the Beijing-based company that owns and controls TikTok, is currently under investigation by the US Justice Department for spying on citizens, including journalists. In September last year, European Union regulators fined TikTok €345 million ($560m) for violating data protection laws. That was after the UK data watchdog leveled a £12.7m ($24m) fine at the company for illegally processing the data of 1.4 million children under 13 who were using its platform.

But if you thought any of these rolling controversies would put a dent in the app’s meteoric growth, think again. Some 8.5 million Australians are active on the platform every month. That’s almost 40% of the adult population.

The most recent controversy, as reported by The Sydney Morning Herald, revolves around the app employing a tracking tool, ‘TikTok Pixel’, that logs individuals’ web history and personal information, even when they did not provide consent. That too has prompted an investigation, this time by the Office of the Australian Information Commissioner.

TikTok Pixel is a piece of code that can be added to a website to track its visitors’ activity. This is not new. TikTok is just the latest tech company to provide this service in a market historically ruled by Meta and Google. Many websites engage at least one of these companies to leverage the data collected on their visitors for analysis and online advertising purposes.

Once a website owner signs up to one of these services, they define what of their visitors’ events they are interested in tracking—like adding a product to a shopping cart or adding payment information—and then embed the ad platform’s tracking code on their webpages. The ad platform then uses the information gathered to help the websites measure how well their ads work and better target ads at potential customers. If you’ve ever been hounded from site to site by advertising banners for that new vacuum cleaner model you briefly looked into the other day, you’ve experienced these trackers in action.

Sometimes this tracking can be convenient, say if you get served an ad for that vacuum cleaner at a heavily discounted price. But sometimes it can be creepy, especially if those pixels are placed on webpages about sensitive issues like mental health or domestic violence, for example. That’s why there is often a pop-up box that users can tick to give their consent for their information to be hoovered up. What the Herald discovered was that TikTok simply wasn’t bothering to wait for any consent to be given.

The controversy has generated a series of headlines and a number of companies from Beyond Blue to Bunnings have now stopped using TikTok Pixel. But it would be naive to expect TikTok’s ad business in Australia to collapse or for there to be any significant exodus of users from the platform.

Let’s face it when it comes to protecting our privacy online, most of us have thrown in the towel. Conditioned after decades of surveillance capitalism, the prevailing mindset of those who use the app seems to be: ‘We give our data to everyone else, so what difference does it make if we hand it over to TikTok too?’

It’s an understandable point of view. Most of us mindlessly agree to obscure terms of service daily. According to a 2008 Carnegie Mellon study, it would take the average American 25 days to read through all the privacy policies on every website they visit in a year. In another study, 98% of people were oblivious enough to click ‘I agree’ to privacy policies that disclosed sharing data with spy agencies and their employers, as well as payment for the service by way of signing away their firstborn child. Thousands of others unwittingly signed away their ‘immortal soul’ to a gaming company one April Fool’s Day.

According to the Herald, TikTok wasn’t waiting for consent to be given before gathering data on web users. But given that most of us don’t read any of the related terms of service or privacy policies, or if we did, understand the dense legalese they deploy to outline how our data is exploited, no meaningful consent is ever likely to be given anyway. In this instance, TikTok has, apparently, just not bothered with the façade of it all.

To be clear, if TikTok has done as the Herald describes, it is quite possibly illegal. But it’s also the type of ethical arbitrage that we’ve come to expect from big tech ‘disruptors’. From ByteDance’s point of view, if consumers are already so inured to the invasive practices of surveillance capitalism, what’s the harm in pushing a few more ethically dubious growth hacking tricks on them, as long as it maximizes user acquisition? In the cut-throat competition for online attention, it’s almost always worth it to ask for forgiveness rather than permission.

Of course, there is a clear difference between Meta and Google’s data-gathering operations and TikTok’s. The data TikTok gathers is accessible by their engineers in the People’s Republic of China, and can therefore easily be accessed by the PRC’s intelligence services. We might not mind being targeted by a vacuum cleaner brand, but we should be concerned when a one-party state can access a steady stream of our personal information.

Unfortunately, there are no easy answers. Even if, overnight, TikTok were forced to sell to a non-Chinese entity, we wouldn’t be truly solving the problem. The private data of Australian citizens would continue to be exfiltrated to China. We’ve seen this show before. In 2019, the Committee on Foreign Investment in the United States (CFIUS) forced a Chinese company, Beijing Kunlun Tech, to sell the gay-dating app Grindr, apparently on national security grounds. But as ASPI fellow Tom Uren has noted, that didn’t stop a small publication in the US from cross-referencing Grindr user data it had acquired with the ‘pattern of life’ details of a Catholic priest to out him as gay a couple of years later. If a tiny Catholic publication can do that, you’d better believe China’s Ministry of State Security can too.

The fact is the way we deal with privacy is fundamentally broken. The business models that support the way we’ve become accustomed to use the internet have set a standard that makes it nearly impossible for consumers or governments to prevent data exfiltration to China and anywhere else, for that matter. When the regulators are too timid and the laws are not fit for purpose, it’s no wonder that consumers have become so apathetic.

Dealing with the national security risks posed by TikTok should be seen as an opportunity to create credible standards for all social media companies, no matter what their country of origin is. New laws should be designed to better safeguard individuals by restricting the collection, utilization, and exportation of data, even when user ‘consent’ is granted. When it comes to national security, it shouldn’t fall on individuals to read the fine print.

About the Author 

Fergus Ryan is a senior analyst at ASPI, and Jocelinn Kang is a program manager and technical specialist at ASPI.

This article was first published by The Australian Strategic Policy Institute.