Data collection cheat sheet: how Parler, Twitter, Facebook, MeWe’s data policies compare

CyberNews researchers analyzed data from multiple social platforms, including Parler, Twitter, Facebook and MeWe, to compare their data policies.

Original Post at https://cybernews.com/privacy/how-parler-twitter-facebook-mewe-data-policies-compare/

Alternative social media platforms, also known as “alt” or alt-tech, were catapulted into the spotlight near the end of 2020 due to US President Donald Trump’s claims of election interference. 

Twitter-alternative Parler in particular is in the spotlight after being banned from Google’s Play store and Apple’s App Store. Its hosting provider, Amazon Web Services, has also removed the platform from its services, meaning that at this moment, Parler’s platform is inaccessible.

To make matters even worse for the platform, a security researcher was able to collect more than 70 terabytes, which equals 70,000 gigabytes, of Parler users’ messages, videos, audio, and all other activity. Due to this breach, it will be important to see whether the promises made in Parler’s privacy policy hold up against the data it actually collected and maintained on its servers.

While these alt platforms largely position themselves as “free speech” alternatives, we at CyberNews were also interested in how these alt social platforms compare in terms of data collection. 

Therefore, for this research, we aimed to see how the mainstream platforms compare to their logical alt pairings:

  • Twitter and Parler 
  • Facebook and MeWe 
  • YouTube and Rumble 
  • Reddit and Voat (offline) 
  • Tiktok and Triller  

As of this writing, Voat has been taken offline, apparently after an investor backed out in March, and Parler is inaccessible while it searches for hosting alternatives. However, our investigation will include their analysis as well.

The biggest takeaway? Mainstream social platforms collect more data at the moment than alt-social platforms, but that is likely because mainstream social platforms have already reached their stable monetization phase and are selling ads. Only one alt-social platform, MeWe, makes promises to never sell ads. 

Highlights

Here are the biggest takeaways from analyzing these 10 social platforms:

  • Parler is the only platform that asks for a government-issued ID to verify its users’ general accounts (although unverified accounts can interact on the platform in a limited way). While most platforms state they will disclose personal information in response to legal requests, Parler will also disclose information “for the avoidance of doubt” if the user posts “objectionable content”
  • Parler, Reddit, Voat, Triller and TikTok (US) do not provide clear data retention policies, including how long they retain data after it has been deleted by the user
  • Triller is the only social platform that outsources all messaging functionality to a third party service provider, Quickblox. Users would need to read both Triller’s and Quickblox’ privacy policies to get a good idea of how their data is being collected and processed.
  • Triller ignores Do Not Track requests, a practice it claims is similar for “many websites and online services”
  • Mainstream social platforms have data collection policies that are 6605 words in length on average, which would take roughly 50 minutes to read. 
  • Alt-social platforms’ policies are 4420 words in length on average, taking roughly 34 minutes to read.
  • Facebook explicitly states that it collects data on users, including device and activity information, even if they don’t have an account
  • The alt-social platforms don’t have an easy way for users to download all the data the platforms have on them. However, neither does TikTok, which tells users to send written “requests” to access their data
  • Facebook and Twitter data collection policies do not have explicit sections or statements dedicated to security
  • Along with the standard ways that these platforms collect and use the user’s data, both YouTube (Google) and TikTok also use publicly available information online to build a user’s profile on their platform 
  • TikTok makes 47 requests, the most of all platforms, when the Android app is launched, while Parler makes only 2

How this data was collected and processed

In order to undertake this research, we analyzed all the data collection policies for a given platform. For most, we could get a comprehensive view of their data collection practices from the primary data collection document – their privacy policy. 

However, others also required analyzing their respective Terms of Use/Service documents, and some, such as YouTube (Google) and Facebook, required even more documents.

Besides analyzing the text, we also looked at word length for the given documents and the average reading time and difficulty of text. We also checked how many requests each platform’s app makes when it is launched.

A common framework

We took a common framework for analyzing privacy policies, which consists of the following sections (adapted for this research):

  • First party collection or use
  • Third party sharing or collection
  • User choice and control
  • User access, edit and delete
  • Data retention
  • Security

We then looked at each platform’s primary data collection document, its privacy policy. In cases when the privacy policy did not provide a good overview of its data collection practices, we looked at supporting documents like its Terms of Use, and other platforms required even more document analysis.

When possible, we looked at the US versions of these data collection documents.

Keeping it simple

In order to keep the analysis clear, we assessed each practice based on a three-point scale: 

  1. Bad 
  2. OK 
  3. Good 

Therefore, while cookie collection would get an “OK” in terms of first party collection, not having a clear data retention policy would get a “Bad.” Having a section dedicated to security would get a “Good” (unless the section is useless by containing no information at all).

table 1

There are two important considerations to make:

  1. These privacy policies are assessed based on an average user having a “good idea” of the specific platform’s data collection policies, which in an optimal case means the average reader would need to read the policy only once
  2. Some privacy policies, like Voat’s, are extremely sparse. However, just because Voat does not state that it collects, for example, user generated content, does not mean that it does not collect that data. In cases like these, we have to use common sense and not merely what’s stated in the data collection policies.

For ease of understanding the differences between mainstream and alt social platforms, we’ll analyze them in their most logical pairs:

  • Facebook and MeWe 
  • Twitter and Parler 
  • YouTube and Rumble 
  • Reddit and Voat (offline) 
  • Tiktok and Triller 

Common sense analysis

When looking at the varying sections, it’s important that we apply practical or common sense to the analyses. 

For “First party collection and use,” the less data collected, the better it is. However, it’s logical for any social media platform to collect the following data:

  • Account creation information
  • Engagement activity
  • User generated content (UGC) and metadata
  • Messaging (although optimally this would be end-to-end encrypted)
  • Feature-related data (related to camera, microphone, etc.)
  • Device information

The major difference then would be how much of the different types of data they collect, as well as any other interesting data collection practices. 

For “Third party sharing,” the less data shared, the better it is. However, it is expected that platforms will have service providers, such as hosting, and marketing and statistics, such as Google Analytics. They will share data if legally required, and send payment information to a third party if payments occur on their sites. 

For “User choice and control,” users should be able to control their account’s privacy settings, who gets to see their content, and have opt outs for ads or other tracking.

For “User access, edit and delete,” users should be able to easily edit, update, retrieve or delete their accounts. They should also be able to easily delete their UGC. Optimally, they will be able to easily download all their account data.

For “Data retention,” it is expected that data will not be deleted immediately. However, platforms should state how long data is stored after a delete request. 

For “Security,” we are not assessing the security of the particular platform. We are only looking at whether a platform discusses security-related issues, such as security measures used or breach notifications.

Apple’s App Store privacy labels

Apple recently introduced privacy labels to its App Store, which help show what kind of data is being collected by apps. The labels fall into three categories:

  • Data Linked to You
  • Data Used to Track You
  • Data Not Linked to You

We checked the data points being collected by the five mainstream and five alt social platforms by doing a simple count of the total number of data points. We were able to collect data on Parler before it was removed from the App Store:

App data collection according to the App Store

One thing that’s clear from this data: Facebook’s data collection eclipses most other mainstream social media platforms, and especially alt social platforms.

One important thing to note however is that this data is self-reported, and it explicitly states that Apple has not reviewed these:

Example for MeWe

This could lead to some interesting insights, such as Rumble apparently collecting no data on its iOS users. Furthermore, some apps like YouTube have not yet reported their data handling:


Tedium at a glance: average lengths and times

We totaled the word counts of all documents that a user would have to read in order to get a “good idea” of a platform’s data collection policies. For some platforms, like Facebook, this includes three separate documents, while for most platforms this included only the privacy policy. 

Some platforms, like TikTok, included multiple versions of the privacy policies within one document, so we only counted length and time for the US version of the privacy policy.

Average reading time was calculated using Grammarly’s Words to Time tool.

chart 1

As you can see, Facebook, YouTube and Triller had the highest lengths and reading times. What is interesting, however, is that for Facebook and YouTube, this is made up of multiple documents. However, Triller’s word count and average reading time come from just one document. 

With the exception of Triller, all alt social platforms had lower word counts and reading times.

Text difficulty: English vs Legalese

We measured the difficulty of the text using Flesch-Kincaid readability tests, which score difficulty from 0 (extremely difficult, understood by university graduates) to 100 (extremely easy, understood by an average 11-year-old), so that a text with a higher score is easier to read. For social platforms with more than one text, we took the average. 

We noticed that all of the social platforms, regardless of length, scored within the 30-50 range, meaning they are difficult to read and normally require a college degree to fully understand:

chart 2

Rumble had the most challenging text, coming in at 36.6, and YouTube (Google) had the easiest text, coming in at 50.3. 
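The length, reading-time and reading-ease figures described above can be reproduced with a short script. This is an added example, not CyberNews’ own tooling: the syllable counter is a heuristic, the 130 words-per-minute rate is an assumption inferred from the word counts and reading times in this article’s tables, and the plain-language sample is constructed for comparison.

```python
import re

# Parler's security statement, as quoted later in this article.
PARLER_SECURITY = (
    "We make reasonable efforts to protect your information by using "
    "physical and electronic safeguards designed to improve the security "
    "of the information we maintain. However, as our Services are hosted "
    "electronically, we can make no absolute guarantees as to the security "
    "or privacy of your information."
)

# Constructed plain-language sample, not taken from any real policy.
PLAIN_SAMPLE = (
    "We keep your data for one year. Then we delete it. "
    "You can ask for a copy."
)


def count_syllables(word):
    """Heuristic: count vowel groups, dropping a silent trailing 'e'."""
    w = re.sub(r"[^a-z]", "", word.lower())
    if not w:
        return 0
    n = len(re.findall(r"[aeiouy]+", w))
    if w.endswith("e") and not w.endswith(("le", "ee")) and n > 1:
        n -= 1
    return max(n, 1)


def text_stats(text):
    """Return (sentence count, word count, syllable count) for a text."""
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    words = re.findall(r"[A-Za-z][A-Za-z'-]*", text)
    syllables = sum(count_syllables(w) for w in words)
    return len(sentences), len(words), syllables


def flesch_reading_ease(text):
    """Flesch Reading Ease: higher scores mean easier text.

    The raw formula can fall outside 0-100 for very simple or very
    dense text; it is not clamped here.
    """
    sentences, words, syllables = text_stats(text)
    if sentences == 0 or words == 0:
        raise ValueError("text has no sentences or words")
    return 206.835 - 1.015 * (words / sentences) - 84.6 * (syllables / words)


def reading_minutes(word_count, wpm=130):
    """Reading time in minutes; 130 wpm is an assumed rate (see lead-in)."""
    return round(word_count / wpm, 1)


def summarize(name, text):
    """Collect the three per-document metrics the article reports."""
    _, words, _ = text_stats(text)
    return {
        "name": name,
        "words": words,
        "reading_minutes": reading_minutes(words),
        "reading_ease": round(flesch_reading_ease(text), 1),
    }


if __name__ == "__main__":
    for name, text in [("Parler security statement", PARLER_SECURITY),
                       ("Plain-language sample", PLAIN_SAMPLE)]:
        print(summarize(name, text))
    # Cross-check against a table row: Parler's 2157-word policy.
    print("2157 words ->", reading_minutes(2157), "minutes")
```

For documents that are averaged per platform, as the article does, score each document separately and take the mean of the scores.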

Network requests for each platform’s app

Lastly, we checked the network requests that these platforms’ mobile apps made immediately when the app was first launched (with no further interaction). Generally, the more network requests an app makes, the more data is being sent from your device to the platform.

Note that Voat had no mobile app to analyze:

chart 3

TikTok had the most network requests on app launch (47), while Parler had the least with 2. In general, alt social platforms had fewer requests than their mainstream counterparts. 

Comparing the social platforms

We will compare each pair of social platforms (the mainstream version and the alt version) and highlight interesting or noteworthy aspects of their various data collection policies.

We rank each platform based on how well they perform in the specified categories, and at the end give a summary of the comparison and a final ranking.

Twitter and Parler

Parler is possibly the most popular alt social platform for conservatives and conspiracy theorists, with a look and style much like Twitter. Parler was said to have 10 million users (4 million active) as of November 2020.

A false image circulated showing US President Donald Trump officially moving to Parler after he was temporarily suspended from Facebook and Twitter following posts that incited the US Capitol riots. After the riots, Parler was removed from multiple online services, including Google’s and Apple’s app stores, Amazon’s hosting, Twilio’s authentication, and others. At the moment, the alt social platform is inaccessible.

| | Twitter | Parler |
| --- | --- | --- |
| Document | [1] | [1] |
| Words | 5549 | 2157 |
| Reading time (min) | 83.8 | 16.6 |
| Reading ease | 46.3 | 46.2 |
| Network requests | 9 | 2 |

First party collection and use

  • Twitter: OK
  • Parler: bad

Twitter, for the most part, collects the standard personal information, content and device information. Twitter collects not only the search terms you submitted, but the ones you didn’t submit (typed, but didn’t hit ‘search’).

Interestingly, Twitter, unlike Facebook, allows and even supports users creating multiple accounts:

“You can also create and manage multiple Twitter accounts, for example to express different parts of your identity.”

Parler’s policy is a bit different. While other social platforms have some sort of verification, Parler’s verification, although optional, seems to be needed for basic platform features. For example, this FAQ suggests that users without a verified account will be unable to send private messages.

In order to get verified, users will need to provide scans of their government-issued photo IDs, plus a selfie. Parler promises that it deletes the front and back scans of these IDs when they are no longer needed, retaining a “hash corresponding to the information the identification document contains.” The platform also retains the selfie but claims to store it “securely, in encrypted form” without mentioning which encryption is used.

Additionally, Parler allows users to monetize their content through its “Influencer Network.” For that reason, they will “collect information on form W-9 as required by the IRS.”

Third party sharing and collection

  • Twitter: OK
  • Parler: OK

Twitter shares data with third parties:

  • Vendors (such as hosting) and analytics
  • Payment providers
  • Ad engagement (anonymized data)
  • Aggregated statistics for the platform (such as trending topics)
  • In response to legal requests

Parler’s documentation is less specific, but in general they share data with vendors and analytics, in response to legal requests, etc. It makes a point to “never rent, sell, or share information about you with nonaffiliated third parties for their direct marketing purposes unless we have your affirmative express consent.”

User options

  • Twitter: good
  • Parler: bad

Twitter users have many options through their privacy settings. They are able to opt-out of location sharing, targeted advertising, interest-based ads, etc. 

Twitter allows its users to easily access or delete their content or accounts. Twitter users are also able to download all the data that Twitter has collected on them.

Parler’s documents don’t offer much in the way of user options. In terms of user choice and control, Parler users are only able to control limited aspects via their privacy settings. Users can also delete their accounts, but the platform doesn’t allow for them to download all the data collected on them.

Data retention and security

  • Twitter: OK
  • Parler: OK

Twitter keeps log data for up to 18 months. It offers users a standard 30-day period to reactivate their accounts. However, it doesn’t offer more specific information, as Facebook does, about how long it will take to delete content from its servers. 

Parler, on its part, also doesn’t offer any specific information about its data retention practices. It only notes the aforementioned government ID deletion information, but again without any time frame. 

While Twitter has no mention of its security practices, Parler has dedicated a two-sentence paragraph related to platform security. However, these sentences provide no real meaning or information:

“We make reasonable efforts to protect your information by using physical and electronic safeguards designed to improve the security of the information we maintain. However, as our Services are hosted electronically, we can make no absolute guarantees as to the security or privacy of your information.”

Summary

  • Twitter: average
  • Parler: bad

Twitter is a better offering for users than Parler in terms of data collection and processing. Parler requires government-issued IDs for basic platform features and has limited user options.

Facebook and MeWe

MeWe is a privacy-focused, free speech platform that is often seen as a viable alternative to Facebook. It gained popularity after Facebook removed various QAnon and Stop the Steal groups at the end of 2020.

MeWe’s Android app has been installed more than 5 million times.

It is important to note that Facebook has a much larger surface, and many more apps and features in its ecosystem, than MeWe does. 

| | Facebook | MeWe |
| --- | --- | --- |
| Documents | [1],[2],[3] | [1],[2] |
| Words | 10894 | 6157 |
| Reading time (min) | 83.8 | 47.3 |
| Reading ease | 46.3 | 46.4 |
| Network requests | 34 | 11 |

First party collection and use

  • Facebook: bad
  • MeWe: good

Facebook collects more data on its users than MeWe does. The first interesting point for Facebook is that it states it collects information about you even if you don’t have a Facebook account:

“Facebook uses cookies and receives information when you visit those sites and apps, including device information and information about your activity, without any further action from you. This occurs whether or not you have a Facebook account or are logged in.”

When a user agrees to import contacts, Facebook will collect not only the address book, but also a user’s call log and SMS log history:

“We also collect contact information if you choose to upload, sync or import it from a device (such as an address book or call log or SMS log history)…”

Another interesting point is that Facebook collects “device operations,” which includes “whether a window is foregrounded or backgrounded, or mouse movements.” It also collects device signals, including “Bluetooth signals, and information about nearby Wi-Fi access points, beacons, and cell towers.” Lastly, it collects network information about “other devices that are nearby or on your network.”

Furthermore, we found it worth noting that Facebook requires that users have only one account and provide “accurate information” about themselves, including using the name they use in their everyday lives.

Comparatively, MeWe’s first party collection is minimal: it collects the account creation information, UGC, engagement and usage, and log data that includes device information, IP address, OS, etc.

Third party sharing and collection

  • Facebook: OK
  • MeWe: good

Facebook shares a user’s data across its integrated products. It also provides aggregated data and insights to its partners and other businesses, for research and academic purposes, and provides anonymous engagement data for advertisers. Their Terms of Service make it clear that they don’t sell a user’s personal data or access to that personal data to advertisers: 

“We don’t sell your personal data to advertisers, and we don’t share information that directly identifies you (such as your name, email address or other contact information) with advertisers unless you give us specific permission.” 

MeWe also makes it clear what kind of data they share with third parties:

“We don’t track you to sell your data to third parties, and we don’t track you to manipulate your newsfeed and we don’t track you when you are not on MeWe.”

They also emphasize that they don’t use third-party cookies “to target” or “market” to their customers. They provide data to operating partners, as well as any payment-related data.

User options

  • Facebook: good
  • MeWe: OK

While MeWe has the more attractive offering, Facebook has a larger list of options for users to choose, control, access, modify and delete data. Most options are included in the user’s privacy settings. Its cookie policy also provides options for users to control what kind of ads they see.

While MeWe has these same features, Facebook allows for users to download all their account data, or delete all of their content by deleting their account. MeWe does not provide this option in its documentation, only stating that users have the “right to delete your account and take your content with you at any time” – without explicitly providing any mechanism to move that data. 

Data retention and security

  • Facebook: bad
  • MeWe: OK

Facebook promises to delete user data within 90 days. 

MeWe does not specifically state a maximum time frame until it deletes a user’s data, only stating that it will delete the data from its production servers “as soon as is technically possible.” MeWe does state that it incorporates a 30-day delay for deletion requests, and that it will delete a user’s data from its backups within 7 months. 

It also states that it will delete Log Data, such as the username, IP address, or email address “after a maximum of 12 months.”

Facebook does not have a clear or dedicated section for security in its privacy policy, providing only a small sentence in its ToS that it will “exercise professional diligence” to keep the service “a safe, secure and error-free environment.”

MeWe dedicates three sentences to its security, including encrypting personal information (but not saying what kind of encryption), and using HTTPS for “most, if not all” requests.

Summary

  • Facebook: OK
  • MeWe: good

MeWe is better in terms of data collection and processing since it has no ads and collects and processes less data. Facebook also shares more data with third parties, and doesn’t offer any information about the platform’s security. Facebook does, however, have better user options than MeWe. 

YouTube and Rumble

Rumble is a video-sharing platform and YouTube alternative that is largely filled with conservative content, regularly related to debunked conspiracy theories. 

Rumble’s Android app has been installed at least half a million times, and its website received 83 million visits in December, up from 1.5 million in August (according to SimilarWeb). 

| | YouTube | Rumble |
| --- | --- | --- |
| Documents | [1],[2],[3] | [1] |
| Words | 9313 | 2987 |
| Reading time (min) | 71.6 | 23 |
| Reading ease | 50.3 | 36.6 |
| Network requests | 21 | 5 |

First party collection and use

  • YouTube: bad
  • Rumble: OK

Because YouTube is a Google product, all of the important data collection documents for YouTube are actually for Google at large. Perhaps for this reason, their scope is much wider, and each document contains less specific information, since it seems written to apply to so many Google products. However, unless YouTube is specified, we assume these data collection policies apply to all Google products.

YouTube’s personal information collection is similar to other platforms – account creation and any payment information – but it is distinguished in that publicly available information is also collected:

“In some circumstances, Google also collects information about you from publicly accessible sources.”

Naturally, this applies to Google’s search engine, but how much information is shared across Google’s products?

The UGC collected by YouTube is pretty standard, with the specification that YouTube users’ engagement activity offsite is also collected. Similarly, device information collected is pretty broad, covering Android-related analytics, log data, and location data – which includes GPS, IP address, device sensor data, plus wifi access points and Bluetooth-enabled devices near the user’s device.

Rumble in comparison collects much less. It collects standard account creation information, plus any information collected when a user creates an account using a third-party social platform. 

Rumble doesn’t list collecting/processing UGC, and doesn’t directly state that the platform processes imported contacts. However, its “Changing or Deleting Your Information” section allows the user to delete “any imported contacts.”

Third party sharing and collection

  • YouTube: bad
  • Rumble: OK

YouTube’s (Google’s) third-party data sharing is largely confined to any account administrators that the user may have, Google’s business partners, anonymized ad reporting, and in response to legal requests. 

It allows third parties to collect users’ browser or device information for advertising and measurement, using their own third-party cookies, beacons, etc.

Rumble’s sharing practices are pretty standard, but practically less than YouTube’s. It shares aggregate or non-identifying data with third parties for analysis, profiling, and other purposes. It also shares data with vendors, linked social media sites, and of course in response to legal requests. 

User options

  • YouTube: good
  • Rumble: bad

YouTube (Google) allows users to control their privacy via their account/privacy settings. This includes ad settings and YouTube history settings. YouTube (Google) also allows users easy ways to manage, review and update their info, and delete their content or entire accounts. This includes the ability to download all collected account data.

Rumble offers limited choices, at least in its privacy policy. Users can opt out of emails, change cookie settings, and remove linked social accounts. There is no option to download all accumulated account data, and Rumble allows users to “review, update, correct or delete the Personal Information” in their accounts. 

Data retention and security

  • YouTube: good
  • Rumble: bad

YouTube (Google) gives good information on varying data retention periods. They specify that content data and activity information can be deleted whenever a user prefers, while advertising data is deleted or anonymized automatically at set periods of time. 

In order to get a clearer picture, we had to go to Google’s designated data retention page. Here, Google claims to delete information immediately from public view when the user requests it, and then begins the process to remove it from their systems, which generally takes two months, plus the standard 30-day waiting period – but it does not provide a maximum allowed time.

Ad log data is anonymized by removing part of the IP address after 9 months and removing cookie information after 18 months. However, it appears that this data is never deleted.

YouTube (Google) has a dedicated security section, the most in-depth of all the platforms here.

Rumble has a less attractive data retention policy. It does not provide detailed information on what the retention periods are for various types of data. It also implies that not all the information may be deleted. Its entire data retention policy is contained in a few sentences:


The privacy policy directs users to go to their Terms of Services page (which is actually their “Terms & Conditions”) and section “Sharing Your Content” apparently for more information on data retention. However, no such section exists on its Terms & Conditions page, and there is no further information on data retention.

Rumble does, at least, have a designated section for security, although the promises are sparse, as they commit to “use commercially reasonable safeguards” to protect user data. However, it also includes a breach notification section in which it will communicate to their users via email or “conspicuous posting” on Rumble as soon as possible. None of the other platforms have this information. 

Summary

  • YouTube: OK
  • Rumble: bad

YouTube narrowly beats out Rumble in terms of its data collection and processing policies. YouTube (Google) collects and processes too much data, but it offers better user choices, offers data portability, and has clearer data retention policies. While Rumble collects less data, it doesn’t offer as many options for the user.

Reddit and Voat (R.I.P.)

Voat was a Reddit clone that allowed for “free speech” without moderation, except in extreme cases, and offered users the chance to share in ad revenue. Voat shut down its services on December 25, 2020, apparently after an investor backed out in March. It had about 3 million monthly visitors.

| | Reddit | Voat |
| --- | --- | --- |
| Documents | [1] | [1],[2] |
| Words | 4305 | 2173 |
| Reading time (min) | 33.1 | 16.7 |
| Reading ease | 39.5 | 39.8 |
| Network requests | 14 | N/A |

First party collection and use

  • Reddit: OK
  • Voat: bad

Reddit collects the standard personal information (account creation information, payment data and other information provided by the user), UGC and engagement activity, and device information (log and usage data, cookies, and IP address, Bluetooth or GPS location data).

Voat’s first party collection policy is non-standard, since it provides almost no real information. It claims to collect account creation information, log and usage data and cookies. But it doesn’t discuss the UGC or engagement data that a social platform normally collects.

Third party sharing and collection

  • Reddit: OK
  • Voat: bad

Reddit shares user data in a standard way. However, it also claims to share data with any “parents, affiliates, subsidiaries, and other companies under common control and ownership.” Beyond that, it interestingly notes that it will also share personal information in emergency situations “to prevent imminent and serious bodily harm to a person.”

While common sense would dictate that Voat has similar data sharing practices to other platforms here, it only admits to using Google Recaptcha:

“Voat uses Google Recaptcha in order to minimize spam. For more information about how Google handles recorded data, please consult the Google Privacy Policy.”

User choice

  • Reddit: good
  • Voat: bad

Reddit provides users with a detailed list of options, including editing and deleting information, removing linked services, changing cookie settings, opting out of ads and Do Not Track, mobile notifications and even location settings.

Reddit also provides information on how to delete content or the entire account, plus it allows users to submit a request to get all their account and activity data. However, it may take up to 30 days to process the request.

Unsurprisingly, Voat offers no information about any user choices to update settings or access, edit and delete their information.

Data retention and security

  • Reddit: bad
  • Voat: bad

Reddit’s data retention policy is very short and provides no practical information:

“We store the information we collect for as long as it is necessary for the purpose(s) for which we originally collected it. We may retain certain information for legitimate business purposes or as required by law.”

It does have a separate section for security, however, with information on HTTPS usage and access controls for its employees.

Voat, again unsurprisingly, has practically no information on its data retention practices. In its Terms & Conditions, it discusses its security with the following:

“Please don’t hack us 🙂 We support the responsible reporting of security vulnerabilities. To report a Voat security issue, please send an email to [email protected].” 

Summary

  • Reddit: OK
  • Voat: bad

Reddit is the clear winner here as Voat’s data collection documents are too short, vague and practically useless to give users a good idea of what data is collected and what happens to that data.

TikTok and Triller

Triller is a short-form video sharing platform similar to TikTok that was popularized when Trump first raised concerns about TikTok. Triller’s Android app has been installed more than 10 million times.

TikTok’s data collection policies can be found in its comprehensive privacy policy, which lists three different versions for US, European and non-European/non-US users. It’s worth noting that the European version is 67% longer than the US version. 

                   TikTok   Triller
Document           [1]      [1]
Words              2964     8629.0
Reading time       22.8     66.4
Reading ease       37.1     44.3
Network requests   54       32

First party collection and use

  • TikTok: bad
  • Triller: bad

TikTok’s data collection is for the most part standard – account creation and payment information for the personal information category. They also list that they collect “information to verify an account,” which is common for Parler, Facebook, and other platforms at certain points (for example, Facebook will ask for verification if there is a problem or some suspicions around your account, whereas Parler will ask for verification information immediately when you join the platform).

Interestingly, however, they also claim to collect information about users “from other publicly available sources.” This is understandable for YouTube (Google), since it’s a search engine, but less clear in TikTok’s case.

Content-wise, they collect uploaded contact information, UGC, engagement, etc. They also collect device information and location data (from the SIM card and/or IP address, or GPS with the user’s permission).

Triller seems to collect a similar amount of data. However, the one aspect worth noting is that Triller doesn’t handle its own messaging. Instead, it outsources all messaging functionality to a third party known as Quickblox (even though Triller spells it “Quickblocks”). Triller still collects message-related data, including:

“Personal Information, in the context of composing, sending, or receiving messages to other Users (that means the content as well as information about when the message has been sent, received and/or read and the participants of the communication) through our Service’s messaging functionality.”

However, Triller’s privacy policy doesn’t state whether Quickblox collects and processes this data as well. When we approached Quickblox about this, a representative told CyberNews that “we no longer have a business relationship with Triller and we will be in contact with them to remove our mis-spelt name from their website.”

Third party sharing and collection

  • TikTok: OK
  • Triller: OK

TikTok has been accused of sharing user data with the Chinese government. However, inside its privacy policies there is nothing particularly salacious. 

They share data with third-party vendors and analytics providers, payment processors, and researchers, and they share anonymized ad data. They also share data in response to legal requests and, “with consent,” with linked social accounts.

Lastly, they claim to share user information with “a parent, subsidiary, or other affiliate of our corporate group.” While its parent company is Chinese, TikTok has repeatedly claimed to not share user data with the Chinese government, or even store data in China.

Triller has nearly the same data sharing policy, with the addition of allowing third-party tracking cookies and other technology from ad partners who “may collect Personal Information when you visit the Platform or other online websites and services.” 

User options

  • TikTok: bad
  • Triller: bad

Users have a variety of choices on TikTok to control the amount of data being collected. This includes disabling cookies, opting out of ads, limiting location data, and accessing or editing account information; TikTok also respects Do Not Track requests.

However, TikTok doesn’t provide a way for users to download all their account data. Furthermore, there is no easy way to delete content besides doing so manually on a video-by-video basis or deleting the entire account. Even when deleting an account, it’s not clear if the account data is deleted from TikTok’s systems. Instead, they require users to send a request via email or physical post to view or delete all collected data:

“You may submit a request to access or delete the information we have collected about you by sending your request to us at the email or physical address provided in the Contact section at the bottom of this policy. We will respond to your request consistent with applicable law and subject to proper verification.”

At least, this is the US version of their privacy policy. The EU version is longer, but it doesn’t present much better options:

“You can ask us, free of charge, to confirm we process your personal data and for a copy of your personal data.”

It is almost laughable, in view of the other social platforms in this research, that they mention the ability to ask them to confirm or download all account data as “free of charge,” or in general that they expect users to send physical mail to do so.

Triller doesn’t fare much better. It allows users to change location settings, cookies, and access or edit their account information. However, it does not respect Do Not Track, instead claiming that “many websites and online services” follow the same practice.

When it comes to data portability, or allowing the account holder to view and get a copy of the accumulated account information, Triller’s position is pretty similar to that of TikTok’s EU version.

In Triller’s version, data portability and data deletion requests are to be sent to an email address only, but the information that can be requested only covers “the past 12 months.”

Data retention and security

  • TikTok: bad
  • Triller: bad

TikTok and Triller also have similar approaches to data retention and security. 

That is to say: they do not have any clear data retention policies, but they do have a separate section on security. TikTok’s security section is small, with only three sentences and no practical information. 

While Triller’s security section is much larger at 8 sentences, the information is only vaguely helpful, with promises of “generally accepted industry standards” for account security.

Summary

  • TikTok: bad
  • Triller: bad

Overall, both TikTok and Triller perform poorly: they request too much data, provide too few user options, lack clear data retention policies, and make data portability difficult.

For recommendations, see the original post at:

https://cybernews.com/privacy/how-parler-twitter-facebook-mewe-data-policies-compare/

About the author: Bernard Meyer

Bernard Meyer is the Senior Researcher at CyberNews.

Bernard focuses his investigations on popular online tools that can impact users’ privacy and/or security. 

The post Data collection cheat sheet: how Parler, Twitter, Facebook, MeWe’s data policies compare appeared first on Security Affairs.
