Why TikTok is the Latest Security Threat
TikTok is a widely-popular social media platform owned by the Chinese technology company ByteDance. Though its stated intention is to share short dance and lip-sync videos, it has become a substantial player in the targeted advertising business in recent years.
Review our updated analysis of TikTok.
TikTok and Data Collection
TikTok gained an edge through its ability to collect sensitive data about users, even when those users neither saved nor shared their content. This presents a security threat for users due to the 2017 Chinese National Intelligence Law, which states that “any organization or citizen shall support, assist and cooperate with the state intelligence work in accordance with the law.”
Collection of PII and User Data
To use the platform, users grant the app access to the microphone and camera. Multiple lawsuits allege that TikTok also collects biometric data from users, including facial geometry, iris scans, voice recognition, and fingerprints. TikTok uses facial recognition software to superimpose images on users’ faces for use in videos. Unlike other data that is collected, biometrics represent the physical user and are generally permanent. Biometrics are therefore of high intelligence value. There is no direct evidence that TikTok is giving this data to the Chinese government, yet the existence of the National Intelligence Law compels TikTok to provide the data if requested.
While TikTok claims all user data is stored in the U.S. and Singapore, TikTok’s parent company servers are all located in China and the app itself contains references to China-based infrastructure. While it is unlikely Chinese officials would have access to the data stored in the U.S., all data stored within China may be shared with the Chinese government for intelligence purposes. Because of this, users should assume that their data is being aggregated and shared with the Chinese government.
Security and privacy concerns stem directly from the vague language of the law and the promise that the state will protect those who aid it. Suspected use of propaganda to further China’s political interests, coupled with the creation of an unprecedented information harvester, has made TikTok a hot topic for the U.S. Government and cybersecurity community alike. Unlike Europe, the U.S. does not have many federal laws that prohibit the collection, sale, and use of such personal data, leaving TikTok able to continuously scrape user data with little restraint or oversight.
Violations of COPPA
TikTok collects data from all age groups and, in doing so, regularly violates the Children’s Online Privacy Protection Rule of 1998 (COPPA). Under COPAA, “developers of child-focused apps cannot lawfully obtain the PII of children under 13 years of age without first obtaining verifiable consent from parents.” A 2019 court case against ByteDance alleges that two children under the age of 13 were not asked to provide any parental consent to use TikTok. ByteDance settled the case and agreed to adding in parental controls. However, as of May of this year, multiple consumer groups have alerted the Federal Trade Commission that TikTok continues to violate children’s privacy.
Moderation guidelines for TikTok were leaked in late 2019 highlighting the app’s censorship of any content critical of Chinese state interests. According to the leaked documents, the company instructs their moderators to remove any undesirable content pertaining to topics sensitive to the Chinese Communist Party (CCP) including Tiananmen Square, Tibetan Independence, or any current protests. Late last year, a U.S. teenager posted a TiKTok video disguised as a “makeup tutorial” that was actually meant to bring attention to Chinese treatment of Uighur Muslims in Xinjiang. The user’s account was suspended and the video was removed, and though it was only temporary, this behavior aligns with China’s national interests without regard for freedom of expression.
What Can Be Done?
The U.S. military and private companies, such as Amazon, are among those currently banning TikTok on business devices. Regardless of an organization’s position on TikTok specifically, it is imperative that guidelines be set forth in an Acceptable Use Policy (AUP) for business devices. For those who would like to take it a step further, social media apps can be easily blocked by category or by specific infrastructure, such as Internet Protocol (IP) addresses and domain names.
The MS-ISAC Cyber Threat Intelligence (CTI) team recommends state, local, tribal, and territorial (SLTTs) government entities and all community members educate themselves on the privacy and data collection policies of the apps they use. Companies that collect too much data or whose policies contain vague language about what is collected should be avoided. In the case of TikTok, CTI recommends parents, teachers, and local leaders talk to young adults, teenagers, and children who may be using the app about the dangers it poses to their personal security. Through education and awareness, all are able to limit the use of personal data in nefarious ways.