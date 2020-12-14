As the TikTok security saga continues to play out, Phil Muncaster assesses just how much of a threat the social media app poses to organizations and their users.

When President Trump signed a dramatic Executive Order back in August to ban TikTok, it seemed that the White House had found another Huawei to demonize. It accused the popular social app of bending to Beijing’s will in censoring content and of presenting a major data security and privacy risk to American users, businesses and institutions. The only way its concerns would be assuaged, it seemed, was through a deal to sell the app to a US firm. Fast forward a few months and the President appears to have been backed into a corner. The deal announced by Oracle and Walmart, which still awaits approval, seems to offer little to address those security concerns. It has many CISOs wondering whether TikTok ever presented a serious security risk to their organization, or whether it is simply another pawn in the geopolitical stand-off between the US and China.

The Story So Far

Commentators have been skeptical about the administration’s true intentions with TikTok, in part because of the vague terms in which its supposed wrongdoing was described. “TikTok automatically captures vast swaths of information from its users, including internet and other network activity information such as location data and browsing and search histories. This data collection threatens to allow the Chinese Communist Party access to Americans’ personal and proprietary information – potentially allowing China to track the locations of Federal employees and contractors, build dossiers of personal information for blackmail, and conduct corporate espionage,” the Executive Order claimed. “TikTok also reportedly censors content that the Chinese Communist Party deems politically sensitive, such as content concerning protests in Hong Kong and China’s treatment of Uyghurs and other Muslim minorities.”

TikTok has already been placed off-limits on security grounds for US military users, and India has banned it as part of a wider crackdown on Chinese-owned apps, although India is currently embroiled in a high-profile border dispute with Beijing which may have influenced its decision. As for Trump, his first attempt to ban the app failed when a federal judge granted a preliminary injunction blocking the order that would have removed it from US app stores. A further opportunity will come on November 12, when new Commerce Department rules make it illegal for US companies to provide the hosting, content delivery and internet transit services that keep TikTok running.

Some suspect the hard line was merely a bargaining tactic designed to force a sale of the app to a US firm, something the “dealmaker-in-chief” could hold up as a political win ahead of the November election. Those suspicions were reinforced when Oracle was chosen as TikTok’s new suitor: chairman Larry Ellison and CEO Safra Catz have both been vocal supporters of Donald Trump.

Time to Worry?

So do the allegations about TikTok carry any weight, and should CISOs be concerned? Some of the censorship concerns appear to have been confirmed by several press reports over the past year, although TikTok says the moderation guidelines described in those reports have since changed. The firm has opened a Transparency and Accountability Center in the US to provide clarity on how content moderators apply its community guidelines, among other things. It recently expanded its bug bounty program with HackerOne, and is also keen to remind critics that its new CISO, Roland Cloutier, has 30 years of US government and security industry experience.

A more difficult accusation to rebut, however, is that TikTok is a potential data security risk to organizations. A spokesperson for the company sent the following statement to Infosecurity: “Protecting the privacy of our users’ data is a top priority for TikTok. User data is stored in the US and Singapore, and we intend to establish a European data center in Ireland by 2022 that will be the home for UK and European data. As we have said repeatedly, we have never shared TikTok user data with the Chinese government, and would not do so if asked, nor do we moderate content on the basis of political sensitivities.”

Yet the broad wording of China’s Cybersecurity Law, together with the 2017 National Intelligence Law that obliges organizations and citizens to support state intelligence work, means that if the state demands it, domestic firms must in principle accede to data requests. “The app itself is ultimately owned and controlled by a nation known to leverage key resources for various government and commercial espionage needs,” argues Neal Dennis, threat intelligence expert at Cyware. “It’s not a stretch to envisage the data being used to track perceived government, military or key corporate targets for the betterment of China’s own goals.” Roslyn Layton of pressure group ChinaTechThreat argues that a newer government initiative may also require data to be sent back to Beijing. The Corporate Social Credit System (SCS) will seek to give Chinese authorities sweeping new powers to demand data from enterprises doing business in the Middle Kingdom for ‘compliance’ purposes. “Such data could be screened to recruit potential spies for the PRC and to gather information which can be used for social engineering,” Layton tells Infosecurity.

Ray Walsh, digital privacy expert at ProPrivacy, goes further, claiming that American users’ data could be used to identify military installations in the US or fed into Chinese facial recognition systems. He adds that TikTok collects biometric data on keystroke patterns, which could be used to identify users across the internet. Although the firm is not unique in many of the data points it captures, that doesn’t mean they can’t be stitched together to build a detailed picture of individual users. “Consumer data has the potential to reveal extremely sensitive things about people, due to the way that seemingly fractured and disparate information can be exploited to make staggeringly precise secondary inferences about data subjects,” Walsh tells Infosecurity. Cyware’s Dennis adds that TikTok “has the potential to load and collect other data points not disclosed, should China further weaponize it.”

