Skip to content

Newspaper Column

PCPD in Media

Social media users must realise 'free' apps have a price-- Privacy Commissioner's article in South China Morning Post (April 2021)

The use of social media, including instant messaging apps, is certainly part of everyday life for people in Hong Kong. Nonetheless, such use also carries inherent, non-negligible privacy risks in relation to their personal data.

According to a survey commissioned by my office last year, 77 per cent of respondents had an account with a social media platform and 48 per cent used that platform on a daily basis. In addition, 93 per cent of respondents used smartphones, of which 98 per cent had installed instant messaging apps.

It is interesting to note that, among those who had installed instant messaging apps, 77 per cent were aware that those apps had access to the contact information on their phones. Nevertheless, 35 per cent of the respondents considered such access an invasion of their privacy and 34 per cent considered it a serious invasion.

Although most social media platforms provide their services for free, it is important for users to recognise that, almost invariably, they are giving up or sharing their personal data to the relevant platforms or apps in return for the use of their services. This data includes information about their online behaviour, browsing habits and so on.

Personal data has been monetised upon registration or through user activities, and this data is collected, used and often shared by service providers with others for various purposes, including targeted advertising. Platforms’ ability to track someone online might be considered creepy. However, businesses know exactly where to place their adverts through the data they collect from users via their digital footprints.

Social media users who frequently share information such as photos, stories, locations and opinions could unwittingly disclose more personal data than they anticipate. Tagging friends to posts or photos might end up sharing other people’s personal data without their knowledge or consent.

When pieced together, this kind of innocuous data can be used to profile the users, and even for cyberbullying, doxxing or perpetuating frauds.

Personal data disclosed on social media platforms can also be collected by “data scraping” – mass collection of data from the internet by computer programs – and used to perpetrate other crimes. Alarms go off when there is improper disclosure of personal data, such as the recent breaches on Facebook and LinkedIn.

Police figures show about 13,000 cybersecurity incidents in 2020, a more than fivefold increase from around 2,000 cases in 2011. Financial losses suffered by victims totalled about HK$3 billion (US$386 million). The situation is most concerning.

Social media users must not assume that others are necessarily real people who match their online profiles. They should be vigilant about online scams that come in the form of unsolicited benefits, job opportunities that are too good to be true or hyperlinks that request people to log in or provide personal data. During the pandemic, users should also stay alert for fraudulent messages regarding Covid-19 and vaccines.

Problems with child users are also exacerbated by the pandemic as children spend more time online to learn, play and communicate. A survey conducted in September and October 2020 showed that nearly 90 per cent of the parents interviewed let their children go online unsupervised. More than 80 per cent of the parents were worried that their children might be tricked into sending lewd images.

The growing use of social media by children and the increasingly apparent accompanying problems call for greater attention and resources to be devoted to ensuring the safety of children online, in particular as regards the protection of their personal data.

As recently as last week, an international coalition of public health and child safety advocates urged Facebook to abandon plans to launch a new version of Instagram for children under the age of 13.

Against this background, it is not surprising for some tech giants to enhance the transparency of their data collection policies. Some are considering pulling the plug on tracking cookies and others are pushing back on how much data apps can collect by giving users the option to turn off online tracking, explicitly agree to what data each app can collect and switch it on and off at will.

While their businesses flourish, hopefully tech giants will not shy away from their social responsibilities and join the privacy protection bandwagon to respect and protect their users’ privacy.

In light of the privacy risks outlined above, the Office of the Privacy Commissioner for Personal Data has issued a “Guidance on Protecting Personal Data Privacy in the Use of Social Media and Instant Messaging Apps”. I urge social media users to exercise greater vigilance when they are navigating online.

Lastly, by way of comparison with social media platforms from a privacy protection perspective, I will make a few observations about the “Leave Home Safe” app, introduced for contact tracing. While I appreciate the concerns about privacy risks related to the app, it is noteworthy that the app has no location tracking function and downloading does not involve registration of users’ personal data.

The access permissions required for the app to function are less than a quarter of those required by many commonly used social media platforms. From the perspective of protecting personal data, storing one’s own data in one’s mobile phone by using “Leave Home Safe” is better than providing the data to the operators of different premises every day.