Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Governance, Risk and Compliance, Compliance Management, Privacy, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Is TikTok out of time? Experts mull implications of ban

Edicts by Wells Fargo, India and the U.S. military forbidding use of popular Chinese video-sharing app TikTok, may portend a national ban and raise questions if such a prohibition would be practical and enforceable, and what the greater implications would be.

Owned by Beijing-based internet technology company ByteDance, TikTok has been downloaded more than 2 billion times. Just this month, Secretary of State Mike Pompeo reportedly told Fox News the U.S. was considering a ban on TikTok and other apps of Chinese origins, warning that users should only install such programs "if you want your private information in the hands of the Chinese Communist Party." Meanwhile, White House trade advisor Peter Navarro reportedly called TikTok’s new CEO Kevin Mayer a "puppet" for China and added that WeChat, a messaging app owned by Chinese company Tencent, could also face a ban.

For its part, TikTok reportedly maintains that it does not share user information with China, and says it stores American user data on servers in the U.S. and Singapore. Yet talks of punitive actions by the U.S. have intensified, especially with the U.S. locked in a trade war with China -- a country regularly accused of employing cyberattacks to steal intellectual property in an attempt to gain economic superiority and become a world leader in 5G.

And so the debate remains whether sufficient proof exists that TikTok is substantially more dangerous to security and privacy than countless other apps that collect data and ask for user permissions.

"I am not aware of the app collecting more or qualitatively different data than other social media platforms. I do think TikTok has become the latest lightning rod in the escalating techno-trade clash between China and the U.S.," said Omer Tene, VP and chief knowledge officer at the International Association of Privacy Professionals (IAPP), affiliate scholar at the Stanford Center for Internet and Society and a senior fellow at the Future of Privacy Forum.

Tene said the talk of banning TikTok is "grounded in its ownership by a Chinese company. This echoes the larger – and more fateful – debate surrounding Huawei’s push for leadership in the global 5G market and the counter push by the U.S. government to prevent Chinese access to telecom infrastructure in the U.S. and EU."

But others have called out TikTok for certain dubious behaviors and suggest approaching with caution. Indeed, a recent report by the Australian Strategic Policy Institute warned alleged ByteDance works with Chinese government authorities to distribute propaganda and support human-rights abuses against Uyghur Muslims in Xinjiang, who have been subject to a widespread electronic surveillance and internment program.

"Considering China’s history of surveillance on its own people, it’s possible they could deploy similar tactics to monitor their adversaries," said Hank Schless, senior manager, security solutions at mobile security and privacy company Lookout.

And then there was this widely reported Reddit discussion from three months ago in which a user claimed to reverse-engineer the app only to assert that TikTok "is a data collection service that is thinly veiled as a social network."

"While there is no hard evidence that the data being collected by TikTok is being used for particularly malicious intent, the actions of the parent company are enough to make this a legitimate security concern," said Schless. "To sign up for the app, users give their email, phone number, and another social media account, which could be used in combination with permissions such as accessing the location of the device and reading the user’s contacts to identify and track the actions of people of interest that use the application."

Considering China's history of aggressive cyber surveillance and espionage, and past accusations that Chinese telecom companies Huawei and ZTE represent national security threats, the Army and Navy have already banned the use of TikTok, as has the Transportation Security Administration.

But if a full nationwide ban could be justified, it presents all sorts of challenges and ethical issues.

Tene, for instance said that a true nationwide ban would a move more befitting of oppressive nations than America. "China, of course, has a history of blocking and banning a wide variety of Western websites and apps, but that shouldn’t be a model for democracies, such as India, the EU and U.S.," said Tene. "Our values, policies and practices have always been and should remain different. A U.S. ban on an app already used by tens of millions of Americans would be a radical, highly irregular response. If pursued, it should be based on compelling evidence that has not yet come to light."

"For this to become a broader ban of Chinese-developed apps, I think we would have to see proof that these apps really are sending data to malicious servers," agreed Schless.

A nationwide ban of TikTok and other Chinese apps would could also have unintended consequences. India -- in the midst of its own border clash with China -- is beginning to discover this after announcing last June that it was banning TikTok and 58 other Chinese apps.

"A nationwide ban of any app would be very difficult to implement. As we saw in India a couple weeks ago when they banned TikTok nationwide, there was no way to remove it from phones that already had the app," said Schless. "However, by removing it from the iOS and Google Play stores, they could greatly reduce the number of new users."

Schless also said that to be effective, a national ban from all devices "would have to go out alongside a lot of education and guidance about why it’s dangerous to have this app."

Also, malware actors will likely seize on the opportunity to distribute pirated versions of TikTok containing trojanized malware. For instance, Schless noted that Maharashtra Cyber, a Nodal office under India's state government of Maharashtra, tweeted a warning about fake TikTok Pro apps that malicious actors were distributing through SMS, social media and messaging platforms. 

Corporate bans, however, are another matter altogether, as experts seem to agree that business management has a right to set its own policies. Last Friday it was reported that banking giant WellsFargo banned TikTok on corporate devices, and Amazon similarly had ordered its employees to delete the program from their mobile devices, only to quickly reverse itself and claim the directive was sent in error.

"Companies can prevent employees from downloading apps to work devices for a variety of reasons, including not only security vulnerabilities but also a waste of work time. This is a call each company’s HR department should make, first by introducing corporate policies forbidding or discouraging use of the app," said Tene.

Schless agreed. "Any organization that handles sensitive data, especially under the context of compliance, should not allow employees to have TikTok on their mobile devices. The app monitors location changes, records audio, and reads contacts -- all potential data access points that a malicious actor could use to steal highly sensitive data," he said.

"As a general best security practice, personal apps with this amount of data access should not be allowed on devices that handle sensitive data. This gets more difficult as organizations embrace more flexible deployment models such as Bring-Your-Own-Device (BYOD) in this time of remote work," Schless continued. "Now more than ever, organizations need visibility into what data mobile apps can access and implement mobile security on any device that accesses corporate data. "

SC Media reached out to TikTok for comment.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.