TIK-TOK ongoing security concerns
TikTok (TT), best known for short videos that are recommended to users through a recommendation algorithm, is used by more than 15m adults in the UK who spend an average of 30mins a day on the app. In Nov 22, the FBI Director informed lawmakers that he was “extremely concerned” that Beijing could ‘weaponize data’ collected via the social media app. During a Homeland Security hearing on current threats to the US, the FBI head said, Beijing could harness TT to influence users or even ‘control their devices.’ Officials in the US have long warned of a potential security threat because the wildly popular platform is owned by a Chinese company, ByteDance (BD). But TT has always maintained that it is ‘firewalled between BD and its US userbase’. China is notorious for stealing US tech, especially military weaponry. The US DoD banned the use of TT on Govt-owned smartphones/devices. US lawmakers have also been banned from using TT on work-issued mobile phones because of spying fears – the app is considered ‘high risk’. Pres Biden has also banned federal employees from using TT on official phones as have more than a 12 states.
Mike Gallagher (1stJan 23 – interview with NBC), the incoming chairman of a new House of Representatives select committee on China, called TT “digital fentanyl” because “it’s highly addictive and destructive and we’re seeing troubling data about the corrosive impact of constant social media use”. In a statement, BD said Gallagher’s comments contained “zero truth”.
Of note under China’s 2017 National Intelligence Law, citizens/businesses are required to assist in intelligence gathering,’ and must share any data with Beijing. So, are concerns about TT real or overstated – most experts assess there are legitimate concerns, but they may be overstated. From a cyber-security perspective when software is used on a device (phones, tablets, laptops, desktop) one or more pieces of software are usually embedded on the device. These application programming interfaces help the software to run smoothly, but also (sometimes) collect info. Worryingly, these small pieces of software may even remain active after the application is closed. That means (in theory) TT, once opened on a phone/device, can collect/distribute info to a state-sponsored agency.
BD admitted to spying on a Financial Times journalist and others as part of an internal investigation into leaks about the company. The Chief Exec of BD, said “several employees misused their authority to obtain access to user data.” The incident stemmed from an internal BD probe launched early 22 to identify employees who were leaking to the press. As part of that investigation, members of BD’s internal audit team accessed personal data from several journalists’ accounts, including their IP addresses, to try to determine whether they interacted with TT employees. In Oct 22, BD launched a separate investigation – conducted by an external law firm, following a Forbes story claiming that BD employees planned to use TT to track the physical location of some US users. Another investigation that spoke to TT employees found Chinese employees were able to see ‘non-public data’ (birthdays/phone numbers), according to staff recordings obtained by news website, BuzzFeed. One employee claimed that “everything is seen in China” (Master-Admin), adding to concerns that the app’s data could be used by Beijing. BD has insisted that it has never handed over data to the Chinese Govt and that data for users in the UK, EU and US is stored on servers in the US (Oracle in Texas) and Singapore. However, the investigation found there is little to stop data from being accessed by China. A data storage facility is planned for Ireland to store UK/EU user data (2023?). But it is unclear if data will receive the same protections as the Oracle servers, BD said it would “minimise data transfers” outside EU. UK MPs have called for a server to be based in the UK to store UK data. TT had been expected to announce that its non-US HQ would be based in London but reportedly backed out in 2020 amid growing tensions between the UK and China.
The UK parliament closed its TT account early 2022, but some MPs have called for a ban on politicians using the app and a harder line generally over concerns about China’s potential to manipulate TT. In Dec the security minister, Tom Tugendhat raised concerns that TT and other platforms could influence first-time voters at the next election as around a third of young people aged between 18-24 are now reading the news on social media sites such as TT. Although previous to this in Oct 22 when asked whether he thought TT was of concern, the director of GCHQ, Jeremy Fleming said TT is unproblematic and it does not pose a concern because the user data it harvests, like other popular apps such as Facebook, is not processed in China (reflecting an intelligence agency view). That said, Fleming went on to say that Chinese technology did pose a major risk to the UK’s security and prosperity. He warned China was seeking to create “client economies and governments” by exporting technology to countries around the world, and said these countries risked “mortgaging the future” by buying in Chinese technology with “hidden costs”, examples included – the BeiDou satellite system, a rival to the established GPS network, new standards for the internet proposed by China which would embed greater Govt control and plans for Chinese digital currencies.
Larger orgs and Govts have banned the use on corporate devices and from a Cyber security perspective shows that having a two phone system in place works as it allows you to place restrictions on what apps are installed on the device by managing this via a Mobile Device Management (MDM) solution; however, in our experience, there are several businesses out there which have a bring your own device (BYOD) policy or allow personal devices to connect to the corporate network which will allow potential access to sensitive data. There are many ways threat actors try and gain access to your data and we see the best defence is awareness and making sure everyone knows what the threats are. It’s important to weigh up the risks against the consequences when it comes to controlling access to your data. You don’t want to completely lock it down; however, a detailed chat with C-Suite members, IT and security should be done on regular basis to assist with lowering the risk of a security breach.
We should all be aware of the dangers of apps accessing our data. Whilst apps will not function correctly if you don’t accept their terms and conditions and allow them access to certain parts of your data, we should be mindful of the impact it can have on you. Do you need to install the app on your device? What sensitive data do you have that can potentially be accessed? As a user, we should weigh up the risks and consequences; however, before doing so, we should really understand what the risks to you as a user really are.