ETHI Appearance on Social Media and Foreign Entities: Additional questions and answers

October 25, 2023

Age Assurance

Background: During the meeting on October 18, 2023, MP Damien Kurek (CPC) asked David Lieber, TikTok’s Head of privacy public policy for the Americas, about age assurance strategies. Lieber noted that this was something with which the social media industry was seized, and indicated that in the context of privacy implications, “there’s a broader conversation about the types of age assurance strategies that we can deploy as an industry to increase the likelihood and confidence that we know what age users are when they disclose that to us when they create an account.”
Age assurance is an evolving area and can raise challenges. It is a topic that data protection authorities and children’s protection advocates across the globe are discussing and examining to determine how to best protect children while also protecting individuals’ privacy.
Current digital age assurance systems use diverse technologies, analytical methods, and safeguards. Techniques vary and include methods such as self-declaration, AI and biometric-based systems, or hard identifiers such as a driver’s licence, for example. No two systems are identical: the design, implementation and potential for vulnerabilities may differ from one system to another. Moreover, the risks are constantly evolving. In our opinion, the key is to ensure that there are several lines of defence.
Organizations should undertake analysis and testing to ensure that a specific technical solution is sufficiently effective and appropriate in the circumstances. In any digital age assurance system, the principle of data minimization should be applied to reduce data matching and surveillance of individuals. The method chosen should also be proportionate to the risks. For example, in some circumstances it may be appropriate to use self-declaration to ask the child to confirm they are in a certain age bracket to help customize a learning game. For more adult content, such as tobacco products, more rigorous age verification may be needed or required by law.
Important safeguards that should form part of any age-assurance system include:
- Data minimization: collecting, using, and disclosing the minimum amount of information may reduce data linkage.
- Access controls: restrict who has access to user data.
- Encryption: strong encryption methods should be in place for data in use, in transit, and at rest. That said, encryption is not a foolproof method to eliminate the risk of user re-identification.
- Tokenization: tokens can substitute sensitive information with a random string of characters, which have no value.
- Age assurance information should not be repurposed for other uses.
- Ensure that the system is fit-for-purpose, including that it is appropriately trained or developed, is accurate, and avoids bias.
- Explain how individuals can challenge an inaccurate assessment of their age.
Some jurisdictions are undertaking important work on this topic:
- The UK Information Commissioner’s Office (ICO) has conducted research on age assurance as part of their work on the UK Children’s Code. This has included draft research and guidance for organizations on assessing whether an online service is likely to be accessed by children. In general, the ICO advises that if a provider concludes that children are likely to access the service and the service is not appropriate for children, the provider should apply age assurance measures to restrict access or to ensure that the service complies with the Children’s Code in a “risk-based and proportionate manner”.
- France’s data protection authority has also done work to assess the main types of age verification systems. They’ve provided some guidance on how organizations can fulfill legal obligations in that jurisdiction, but also found that current systems tend to be circumventable and intrusive. As a result, they have called for the implementation of more privacy-friendly models and have worked with a researcher to demonstrate the feasibility of a privacy-friendly version.

Canada Declaration on Electoral Integrity

Background: In his opening statement before the Committee on October 18, Steve de Eyre (Director, Public Policy and Government Affairs, Canada) noted that TikTok has built “constructive working relationships” with the federal government and pointed to work they had undertaken with Elections Canada during the last federal election. He also indicated that they had signed on to “the government’s declaration on election integrity online.”
The document to which he referred is “Canada Declaration on Electoral Integrity.” We note in a statement issued by the Minister of Democratic Institutions (Hon. Karina Gould) in 2021, there is an acknowledgement of the role social media and other online platforms play in promoting a healthy and resilient democracy.^{Footnote 1} To that end, the Declaration was developed which articulates principles of integrity, transparency and authenticity which support healthy and safe democratic debate and expression online, subject to Canadian laws and consistent with other legal obligations.
The OPC was not consulted during its development or issuance.
Item # 3 (under the “Integrity” sub-section) does relate to privacy, in committing platforms to “promote safeguards … and use its best efforts to safeguard privacy protection.”
It commits “platforms” (i.e., tech companies) to certain behaviours (e.g., “work to remove malicious abuses of platforms, such as fake accounts, coordinated inauthentic behaviour and malicious automated accounts.”)
The document also commits the Government of Canada to more general actions (e.g., “Work towards improving its communications methods on platforms to enhance the circulation of authoritative and verifiable government information in the Internet ecosystem.”)
As a communications product of PCO (listed as main point of contact), the other listed “Supporters” included Facebook, LinkedIn, Microsoft, TikTok, Twitter and YouTube.

TikTok’s biannual transparency reports

Background: When questioned by MP René Villemure (BQ) as to whether TikTok would give the Chinese Communist Party access to data in the report, Steve de Eyre (Director, Public Policy and Government Affairs, Canada) noted that all such disclosures would be outlined in their biannual disclosure reports, which are intended to operate as a transparency mechanism.
TikTok began producing these reports in late 2019. Their last available transparency report was May 2023, covering the period between July 1, 2022, and Dec. 31, 2022.^{Footnote 2}
In that period, for Canada, there were a total of 242 government requests, with breakdown as follows: 37 pursuant to a legal demand (i.e., warrant or production order), 144 emergency requests, and 61 preservation demands.
Notably, these reported figures are demands from Canadian authorities to the company for data in their possession; the citizenship of individuals subject to these demands is not specified.
Furthermore, the reporting does not appear to specify when foreign authorities are requesting information about Canadians specifically (e.g., no information at all is presented on demands from authorities in China).^{Footnote 3}

French Senate Report investigation

Background: During the meeting on October 18, 2023, MP Matthew Green (NDP) referred to the French Senate Commission of inquiry into the use of TikTok and the use of the data and strategy to influence. Mr. Green stated that one of the conclusions in the report included a finding that the Communist Party and the Chinese intelligence agencies could potentially have access to data collected on TikTok on its users around the world.^{Footnote 4}
On February 8, 2023, the French Senate approved a commission of inquiry into TikTok to look into its use and strategy of influence, as well as the platform’s obligations in terms of protecting personal data. They began their work on March 1, 2023, with 19 members of the Senate.
- The report is the outcome of the four-month-long ad hoc investigations committee, which included the hearing of the French Digital Minister and French TikTok executives.
On July 6, 2023, the Senate published a nearly 200-page report titled "La tactique TikTok: opacité, addiction et ombres chinoises" (Report only available in French)
The report is highly critical of TikTok’s strategic influence in France and makes the case that the platform may amount to a national security threat. The report speaks of evident risks that China purposely uses TikTok as a vehicle for cognitive warfare and fails to meet its obligations under the EU’s GDPR, collecting a vast amount of data, the use of which remains opaque. The report includes opinions from the CNIL,^{Footnote 5} especially on options for age verification.
The report led to 21 recommendations, the principle of which would be a full suspension of the app by January 2024 if TikTok fails to send senators further information on the financial make-up of the firm, and its data handling practices. Although the report covered many topics beyond protection of personal information, privacy-related recommendations included enhancing transparency of the platform, implementing strategies for tackling dis- and misinformation, for the European Commission to develop of a response scheme for uncooperative online platforms, maintaining the possibility for national supervisory authorities to monitor compliance with the future “ePrivacy” regulations, and requiring TikTok to implement an effective age verification system.
When contacted by French media outlet EURACTIV, TikTok stated it disagreed with the report findings.
Summary (French only)

What is Douyin?

Background: During the meeting on October 18, 2023, concerns were raised regarding the potential for Tik Tok to share the data it collects with the Chinese Communist Party. MP Michael Barrett asked about the connection between Tik Tok and Douyin. He noted that the Chinese government has employed its regime’s restrictions on Douyin and asked if the same efforts are being employed with Tik Tok. One of the witnesses present, Steve de Eyre, Tik Tok’s Director of Public Policy and Government Affairs, Canada responded that both apps are owned by ByteDance and Douyin is Tik Tok’s equivalent in Mainland China. He also noted that he does not work for Douyin but that Tik Tok’s Head of Trust and Safety responsible for content modernization is located in Dublin, Ireland, and he would share Tik Tok’s Community Guidelines Enforcement Report with the committee.

Douyin is a video sharing app created and owned by Chinese parent company ByteDance, which also owns Tik Tok.
Douyin is often considered Tik Tok’s counterpart in Mainland China. Douyin was launched in China in 2016 before TikTok, and it is only available to users located in China averaging 600 million users a day.
Douyin and Tik Tok are separate apps. However, they are owned by the same parent company, use the same base code, and Douyin’s algorithm served as the foundation for TikTok’s creation and global success.
Douyin is not available outside of China. TikTok is not available in China and never has been.
In 2017, ByteDance bought a privately owned video startup based in the US and created TikTok as the “version” of Douyin for markets outside of China. In 2018, ByteDance purchased another app called musical.ly, a lip-syncing app, and merged it to be part of TikTok. As of 2021, TikTok had over 1 billion users around the world.
Douyin and TikTok appear to be very similar, given that:
- Douyin and TikTok are both video sharing apps that can host short videos ranging from 15 seconds to 10 minutes on Douyin and 15 seconds to 3 minutes on TikTok (10 minutes if uploaded to the app).
- Any user can create and share videos with the ability to have their videos go viral in China (Douyin) or around the world (TikTok) and become a social media influencer.
- Both apps use an algorithm that personalizes users’ feeds.
However, Douyin and TikTok operate according to different rules and features, and have different privacy implications:

Censorship:

Douyin is required to follow China’s strict censorship rules. Any content or keyword searches deemed politically sensitive, and any kind of dissent is blocked. For example, when CNN conducted a search on Douyin using the terms “Tiananmen 1989” no results were generated. The same search done on TikTok generated many results including users discussing it on video.
Both apps have the ability apply censorship features. Douyin does employ political censorship and restricts some search keywords. Tik Tok does not restrict search keywords, but according to Citizen Lab it is unclear if Tik Tok applies any kind of political censorship.

Minors:

Douyin must also abide by China’s restrictions for minors. Any user under the age of 14 is limited to 40 minutes of use daily, cannot access the app at all between 10 pm and 6 am, and can only access content the app deems safe for children.
Tik Tok takes a much more relaxed approach when it comes to content and use accessible to minors.
In March 2023 Tik Tok introduced a default setting for users under the age of 18 that limits their use to 1 hour. Teenagers do have the option to remove this limit in their settings.

Other Features:

Douyin has an automatic beauty filter that smooths out one’s facial features and changes its shape which is applied to content created by users to adhere to China’s beauty standards.
Tik Tok’s beauty filters are optional and can be applied by the user at their own discretion.
Douyin hosts a major online shopping market. Products are livestreamed with prices and discounts displayed on the video screen. Users can make purchases instantly with a simple swipe.
While users and influencers can market or review products on Tik Tok, it does not have the same kind of shopping market feature.

Privacy Implications:

According to a privacy and security analysis^{Footnote 6} conducted by Citizen Lab, Douyin and Tik Tok have the following privacy implications:
- Both apps collect first and third-party data. Douyin collects slightly more first party data than Tik Tok does. They also use different third-party data service providers. Douyin uses Chinese service providers and Tik Tok uses various global service providers.
- Douyin collects MAC addresses, Tik Tok does not.
- Douyin contains a dynamic code loading feature.
- Citizen Lab did not find evidence that either app collects user files, contact lists, audio, recordings and photos, videos, or geolocation coordinates without permission from the user.
- Both apps can turn on customized code features but there is no evidence that either app is turning on hidden features that could violate user privacy.

Minister Champagne’s amendment letter

Background: In response to requests from members of the INDU Committee, on October 23, 2023, INDU published a letter from Minister Champagne outlining proposed amendments to C-27 to which he referred in his testimony.
My Office is in the midst of conducting a detailed analysis of the proposed amendments to Bill C-27 submitted to INDU by Minister Champagne, as published by the Committee on Monday of this week.
I can say the following based on our initial assessment:

Privacy as a fundamental right

We are pleased with the proposed amendment to the preamble and purpose clause providing that the right to privacy of individuals is a fundamental right in Canada.

Best interests of the child

We welcome the addition of the language proposed for the preamble and to section 12 specific to minors, as it provides a welcome acknowledgement that children are worthy of special protections.
That said, we continue to recommend that the preamble recognize that the processing of personal data should respect the privacy of minors and the best interests of the child. Adding our proposed language to the preamble would help to ensure that the best interests of children and minors are prioritized, and that the legislation is interpreted in a way that is consistent with the best interests of the child [an important child rights principle derived from Article 3 of the UN Convention on the Rights of the Child].

Appropriate purposes

In addition to the amendment to section 12 specific to the consideration of the special interests of minors, we are pleased that the Minister is proposing an amendment in line with a recommendation made by my Office to provide important flexibility in the consideration of factors as part of an assessment of appropriate purposes. We have recommended that the list of factors should be non-exhaustive as there may be other relevant contextual factors that should be considered and not all of the factors currently listed in Bill C-27 will be relevant in all circumstances.

Compliance agreements

We are pleased to see greater flexibility to allow for entry into a compliance agreement outside of an investigation.
We are also pleased to see the possibility of compliance agreements including payment of a specified amount. We continue to recommend, however, that for greatest clarity and flexibility, compliance agreements be allowed to include any other negotiated measures, such as those that could be ordered by a court.
We are still considering views regarding the proposed suspension of the time limit for completing an inquiry during compliance agreement negotiations.
Finally, we continue to recommend that compliance agreements be given the same effect as a court order, to ensure that compliance agreements do, as intended, result in expeditious remedies for Canadians.

Private right of action

While we appreciate that a complainant’s access to the private right of action is no longer generally extinguished if an inquiry is settled through a compliance agreement, we remain concerned that the OPC is put in the position of gatekeeper to the courts, since only matters that terminate via an inquiry decision or compliance agreement would trigger a private right of action.

Footnotes

Footnote 1

Canada Declaration on Electoral Integrity Online.

Return to footnote 1

Footnote 2

Note that the OPC’s firewall blocks this URL.

Return to footnote 2

Footnote 3

TikTok releases 'transparency report' amid scrutiny over Chinese ownership

Return to footnote 3

Footnote 4

CONSTAT N° 1 : LES ENTREPRISES DU NUMÉRIQUE NÉES EN CHINE NE PEUVENT PAS SE DÉVELOPPER SANS UN SOUTIEN AFFIRMÉ DES AUTORITÉS CHINOISES : The report states that digital economy companies, of which TikTok is the latest flagship, are key players in China’s influence strategies. It furthermore asserts that the Chinese Communist Party exercises tight control over them by various means, from the creation of to the purchase of "golden shares", and has developed a strategy of "cognitive warfare".

Return to footnote 4

Footnote 5

CNIL’s recommendations can be found in the report under section C.4.b) Un système de vérification d’âge à mettre en place par TikTok, en suivant les recommandations de la CNIL (p.133). Regardless of the system chosen, CNIL stresses the importance of independent third-party verifier to provide the best possible protection for personal data, along the lines of what is envisaged for access to pornographic sites.

Return to footnote 5

Footnote 6

TikTok vs Douyin, A Security and Privacy Analysis By Pellaeon Lin, March 22, 2021.

Return to footnote 6

Date modified:: 2024-03-07

Language selection

Search and menus

Search