As the TikTok security saga continues to play out, Phil Muncaster assesses just how much of a threat the social media app poses to organizations and their users.
When President Trump signed a dramatic Executive Order back in August to ban TikTok, it seemed that the White House had found another Huawei to demonize. It accused the popular social app of bending to Beijing’s will in censoring content and of presenting a major data security and privacy risk to American users, businesses and institutions. The only way its concerns would be assuaged, it seemed, was through a deal to sell the app to a US firm.
Fast forward a few months and the President appears to have been backed into a corner. The deal announced by Oracle, but yet to be approved, seems to offer little to address those security concerns. It has many CISOs wondering whether TikTok ever presented a serious security risk to their organization, or if it is simply another pawn in the geopolitical stand-off between the US and China.
"Many CISOs wonder whether TikTok ever presented a serious security risk to their organization"
The Story So Far
Commentators have been skeptical about the administration’s true intentions with TikTok, in part because of the vague terms of its supposed wrongdoing.
“TikTok automatically captures vast swaths of information from its users, including internet and other network activity information such as location data and browsing and search histories. This data collection threatens to allow the Chinese Communist Party access to Americans’ personal and proprietary information – potentially allowing China to track the locations of Federal employees and contractors, build dossiers of personal information for blackmail, and conduct corporate espionage,” the Executive Order claimed.
“TikTok also reportedly censors content that the Chinese Communist Party deems politically sensitive, such as content concerning protests in Hong Kong and China’s treatment of Uyghurs and other Muslim minorities.”
TikTok has already been placed off-limits for US military users on security grounds, and India has banned it as part of a crackdown on Chinese-owned apps, although the country is currently involved in a high-profile geopolitical dispute with Beijing which may have influenced its decision. As for Trump, he failed in his first attempt to ban the app, after a judge ruled it unlawful to prevent its listing in app stores. A further opportunity will come on November 12 when new government rules make it illegal for ISPs to handle TikTok traffic.
Some suspect the hard line was merely a bargaining tactic designed to force a sale of the app to a US firm, something the “dealmaker-in-chief” could hold up as a political win ahead of the November election. Those suspicions were confirmed when Oracle was chosen as TikTok’s new suitor. Boss Larry Ellison and CEO Safra Katz have been vocal supporters of Donald Trump.
Time to Worry?
So do the allegations about TikTok carry any weight, and should CISOs be concerned? Some censorship concerns appear to have been confirmed by several press reports over the past year, although TikTok says the guidelines contained in these reports have now changed. The firm has opened a Transparency and Accountability Center in the US to provide clarity on how content moderators apply community guidelines, among other things. It recently expanded its bug bounty program with HackerOne, and is also keen to remind critics that its new CISO Roland Cloutier has 30 years of US government and security industry experience.
However, a more difficult accusation to rebut has been that of TikTok as a potential data security risk to organizations. A spokesperson for the company sent the following statement to Infosecurity: “Protecting the privacy of our users’ data is a top priority for TikTok. User data is stored in the US and Singapore, and we intend to establish a European data center in Ireland by 2022 that will be the home for UK and European data. As we have said repeatedly, we have never shared TikTok user data with the Chinese government, and would not do so if asked, nor do we moderate content on the basis of political sensitivities.”
Yet the vagaries of China’s powerful Cybersecurity Law mean that if the state demands it, domestic firms must theoretically accede to data requests. “The app itself is ultimately owned and controlled by a nation known to leverage key resources for various government and commercial espionage needs,” argues Neal Dennis, threat intelligence expert at Cyware. “It’s not a stretch to envisage the data being used to track perceived government, military or key corporate targets for the betterment of China’s own goals.”
Roslyn Layton of pressure group ChinaTechThreat argues that a newer government initiative may also require data to be sent back to Beijing. The Corporate Social Credit System (SCS) will seek to give Chinese authorities sweeping new powers to demand data from enterprises doing business in the Middle Kingdom for ‘compliance’ purposes.
“Such data could be screened to recruit potential spies for the PRC and to gather information which can be used for social engineering,” Layton tells Infosecurity.
Ray Walsh, digital privacy expert at ProPrivacy, goes further, claiming that American users’ data could be used to identify military installations in the US or fed into Chinese facial recognition systems. He adds that TikTok collects biometric data on keystroke patterns, which could be used to identify users across the internet. Although the firm is not unique in many of the data points it captures, that doesn’t mean they can’t be stitched together to build a detailed picture of individual users.
“Consumer data has the potential to reveal extremely sensitive things about people, due to the way that seemingly fractured and disparate information can be exploited to make staggeringly precise secondary inferences about data subjects,” Walsh tells Infosecurity.
Cyware’s Dennis adds that TikTok “has the potential to load and collect other data points not disclosed, should China further weaponize it."
"The app is ultimately owned and controlled by a nation known to leverage key resources for various government and commercial espionage needs"
It’s All About China
Although it’s not alone in this, TikTok has been called out multiple times in the past for security issues, such as bypassing privacy safeguards in the Android OS which allowed it to collect unique identifiers on millions of mobile devices. It was also found to be illegally copying clipboard content from iOS devices and has been forced to patch critical bugs in its software. Yet the number one concern remains its ownership.
This is not something the Trump administration has been able to change. As it stands at the time of writing, the Oracle deal would keep ByteDance as TikTok’s majority owner – potentially exposing user data and information flows to state interference. As a “trusted technology provider” Oracle would be able to view the TikTok source code, but it would remain in Beijing.
“While storing user data on US servers will permit the US government to potentially analyze and harvest that data, the data will still technically belong to TikTok and there is no way to guarantee that it won’t still use that data and potentially share it with the third parties and affiliates it works with – including the Chinese government,” warns Walsh.
“It is also worth noting that the Oracle deal will not transfer the ownership of any of TikTok’s technologies to the West, and it theoretically remains possible for TikTok to include backdoors in the apps it publishes to app stores that are not present in the version analyzed by Oracle.”
The final insult, for the White House at least, is that TikTok’s much-prized recommendations algorithm is not for sale, according to the Chinese government. This means the app could still be used as a tool for spreading misinformation or state-backed propaganda, however mild.
In the end, the decision on TikTok is one CISOs must take according to their organization’s risk appetite. Wells Fargo has told staff to delete the app from corporate devices, although few others have followed suit as of yet. They may be waiting to see whether the US and Chinese governments agree to any finalized deal with Oracle. Efforts by Xi Jinping to align private enterprise more closely to Communist Party goals will do nothing to reassure those already skeptical about the firm.
The irony is that, by seeking an outright ban on a social media app, and taking an interventionist approach in trying to force a sale, the US is increasingly coming to resemble China. As always, it is blameless users and businesses that end up stuck in the middle.