Is your data going TikTok?
Carr warns the app collects huge quantities of data and cited a recent report that claimed the company has accessed sensitive data collected from Americans. He argues that TikTok’s, “pattern of conduct and misrepresentations regarding the unfettered access that persons in Beijing have to sensitive U.S. data…puts it out of compliance,” with App Store security and privacy policies.
He warns that TikTok functions as a sophisticated surveillance tool that harvests extensive amounts of personal and sensitive data. He claims it collects:
- Search and browsing histories.
- Keystroke pattens.
- Biometric identifiers, including faceprints and voiceprints.
- Location data.
- Draft messages.
- The text, images, and videos stored on a device’s clipboard.
- And more…
In his letter, the commissioner provides some evidence to support his argument that TikTok fails to adhere to Apple and Google’s security practices — for example, researchers in 2020 claimed the app might be able to access sensitive data, including passwords, crypto wallet addresses and messages.
Security, politics and hype
Carr points out that US government and national security agencies are either urging or mandating the removal of the TikTok app from devices; India has banned the app on national security grounds; and some businesses have already banned its use on company devices.
At the same time, there continue to be mainstream reports to support the service. For example, one of the UK’s leading newspapers, the Evening Standard, today leads with a report explaining who the most followed people on TikTok are. The numbers are staggering: Khaby Lame has 142.8 million followers on the service. The most viewed video on TikTok ever, Zach King’s Harry Potter Illusion video generated 2.2 billion views.
That’s a lot of people — and, conceivably, a lot of data potentially made available outside the circle of trust many may expect. That’s important, given 80 million people spend around 24 hours a month using the service.
Objectively, TikTok does seem to have tried to distance itself from the privacy abuses Carr points to, but the most recent claim that US user data can be accessed by the company may have pushed its reputation over the precipice. Though it did move US user data to Oracle servers in the US just before the latest damaging report appeared.
What happens next?
I imagine TikTok will attempt to dispute the report that prompted the commissioner’s request. In the event it fails to achieve that, it seems inevitable that Apple and Google will remove the app from their stores, at least in the US.
But what this really represents is an allegory for the level of risk businesses face, and will continue to face, as entities of various kinds persist in exploiting digital connectivity for their own ends. If Carr’s claims are true, then TikTok joins names such as NSO Group and RCS Labs on the roll call of companies dedicated to undermining user privacy.
It is possible the US government’s Committee on Foreign Investment in the United States (CFIUS) may soon announce a National Security bill designed to put the brakes on any potential abuse by state actors in line with the commissioner’s claims.
All the same, if we disregard the nationalities, then the claim also exposes the challenge of doing business in an increasingly surveilled age. If every nation is involved in exfiltrating data in this way, no one can really be seen as secure. That some of this activity is outsourced to shadowy private entities amplifies this risk.
Of course, in the short term, business users will want to figure out how to convince employees to cease use of TikTok on work devices while MDM and security vendors will be exploring ways to partition the app from any sensitive data held on a dual use work/personal machine.
The less they know, the less they know
Finally, of course, this news should be seen as a testament to support Apple’s fundamental approach to privacy and security on devices, and an argument to go further on that path. After all, even the most intrusive app can’t gather data that does not exist. The best approach is to ensure the endpoint intelligence remains on the device and can’t be shared in any useful format. Though at this stage of the digital transformation, the parable of TikTok suggests there is still some way to go, so you’d best ensure your company security practice is TipTop for TikTok.
Copyright © 2022 IDG Communications, Inc.