TikTok: What's going on and should you be worried?
Since 2020, several governments and organizations have banned, or considered banning, the immensely popular social media app TikTok from their staff’s devices.
With all these alarming bells ringing, we thought it might be handy to break down what we know and see if we can plot a sensible strategy from there. So, if your hair is on fire, extinguish it and consider this with a cool head.
If you prefer listening over reading, Malwarebytes covered this topic in a recent LinkedIn Live.
TikTok is an immensely popular social media platform that allows users to create, share, and discover short video clips. It has seen explosive growth since it first appeared in 2017, and it now claims to have well over 1 billion users, an estimated 150 million of them in the US.
In 2020, India was the first country to ban TikTok, along with some 200 other Chinese apps that were all blocked from operating within the country. The decision came two weeks after a Chinese military operation on India’s northern border led to the deaths of at least 20 Indian soldiers.
In the same year, retail giant Amazon sent a memo to employees telling them to delete the popular social media app from their phones. Even earlier, in December of 2019, the US Army banned the use of the app on government-issued phones.
Other US agencies and other governments have followed suit since then, or are planning to do so. During a US Senate hearing, General Paul Nakasone, Director of the National Security Agency (NSA), stated that "America's TikTok-addicted youth is playing with a loaded gun."
We can break down the potential problems with TikTok into 3 main categories:
- The data
- The algorithm
- The app itself
Let’s start by saying that all of the above categories are present in many other social media apps. The differentiating factor for TikTok is that it is owned by a Chinese company called ByteDance. It’s these ties with China and the ruling Chinese Communist Party (CCP) that have created so much concern among nations and their government agencies.
The data
In general, it is safe to say that every free social media app makes money by using and selling the data of large groups of people for advertising purposes. The more precisely that data can be narrowed down to small groups, the bigger the privacy concern. Can TikTok be used to spy on certain groups of people? Definitely. TikTok has admitted that employees used its own app to spy on reporters as part of an attempt to track down the journalists’ sources. The company fired 4 employees for doing so.
We have seen similar cases with other social media apps. For example, a Twitter employee was sentenced to more than three years in prison for spying for Saudi Arabia. With this amount of readily available information, there will always be those who use it for their own purposes, good or bad.
The algorithm
Control of the algorithm provides an opportunity to influence people. By "the algorithm" we mean the code in the app that tries to maximize the time you spend on the app by showing you videos it has determined you might be interested in. Knowing which reels show up on your feed tells us something about you; if nothing else, it tells us what you prefer watching, be it kittens, fails, or dance routines. What worries Christopher Wray, the Director of the FBI, is the possibility that the CCP might take control of the TikTok algorithm to conduct hard-to-detect influence operations against Americans. By deciding what you see, the Chinese government might influence your opinion on certain matters.
Again, neither the algorithm nor its use for influence is exclusive to TikTok. State actors are increasingly leveraging social media platforms to spread computational propaganda and disinformation during critical moments of public life. Last year, we discussed some stats provided by YouTube about its battle against misinformation.
The app
Most people will install TikTok on their personal devices, especially now that many organizations have banned, or are considering banning, the app on company-provided devices. So far, nobody has found anything malicious in the app. But, like any app, it has access, although limited, to information on your device and about other devices on the same network. This information could be used for nefarious purposes, but there is no proof that it has been. Another worry is that this behavior could change with a single update, and that the next update could be secretly malicious. But this is true for any app, whether the developer introduces the malicious code or whether it arrives as part of a supply-chain attack.
Should I be worried?
The risks of allowing TikTok on corporate or hybrid devices very much depend on your threat model. While it is understandable that governments, the military, and defense contractors are among the first to ban TikTok from their devices, many other organizations face threats that are a far greater concern. On the other hand, if the app, or any other app, is not needed for work purposes, why would you allow it on a corporate device? Using Mobile Device Management (MDM) can go a long way toward keeping risks and distractions away from corporate devices.
Banning the app from personal devices that are used in a work environment is a whole different matter. Your employee satisfaction might even be a bigger concern than TikTok potentially spying on you.
During a recent congressional hearing, TikTok’s CEO Shou Chew said they were doing everything they could to accommodate the US:
Our commitment is to move their data into the United States, to be stored on American soil by an American company, overseen by American personnel. So the risk would be similar to any government going to an American company, asking for data.
I think we can agree with that last sentence. Until proof is provided that TikTok is worse than other social media apps, there is no compelling reason to treat it differently. But all social media apps should be regarded with reservations when it comes to privacy.
Pieter Arntz is Threat Researcher and writer at Malwarebytes.