TikTok could still access information held on Australian government devices if public servants and politicians continue to use the app on their personal mobile devices, according to a legal academic from the University of New South Wales.
Dr Katharine Kemp, who focuses on consumer law and has researched a wide variety of privacy policies for digital apps, said the loophole could limit the effectiveness of the ban on TikTok from government devices.
“If the employee uses their personal email address to log into apps on both their work phone and their personal phone, TikTok and the other company could match data from the two separate phones,” she said.
This kind of data sharing is not exclusive to TikTok, and social media companies defend it as typical across the industry. Kemp said that by collecting multiple data points related to a device, companies can uniquely identify that device and track it, a practice called “fingerprinting”.
TikTok declined to comment, but the company’s privacy policy indicates information can be shared from other social media platforms in cases where an account on one of those platforms is used to log in to TikTok, as is common practice with Facebook, Twitter, Instagram and Google accounts.
Last week the federal attorney general, Mark Dreyfus, announced that federal public servants and politicians with government-issued phones must delete the Chinese-owned app from their devices as soon as possible, and would not be permitted to install it except in limited circumstances.
In announcing the ban, the government stated TikTok “poses significant security and privacy risks to non-corporate commonwealth entities arising from extensive collection of user data and exposure to extrajudicial directions from a foreign government that conflict with Australian law”.
Last week the government faced criticism from the Greens for focusing on TikTok alone rather than the privacy concerns of all social media apps. Kemp said in order for the TikTok ban to be effective, the government would also need to ban data-matching between the apps.
“Data security and privacy choices can’t be addressed by removing an app from a particular device,” she said. “TikTok and other digital platforms don’t just collect personal data from a single digital ‘location’.
“They have collection points all over the place that feed information back to the platform, even when you use different devices for different apps.”
A spokesperson for Dreyfus directed Guardian Australia to the department. The department spokesperson did not directly address the issues raised, but said the existing government device ban would “minimise the security and privacy risks posed by the TikTok application”.
The opposition spokesperson on cybersecurity, Senator James Paterson, said the government ban was the first step.
“Removing it was important but is not a panacea,” he said. “A comprehensive response which encompasses risks like these and also those posed by other applications is clearly necessary. I hope the Albanese government is doing that work right now.”
The move to ban TikTok from government devices followed similar bans in other parts of the world including the UK, Canada, New Zealand and the US. The latter is contemplating a nationwide ban on the app.
TikTok this week quietly launched an app for select Android-based TVs in Australia.