Fraud Management & Cybercrime , Social Media
Look Beyond TikTok: Massive Data Collection Is the Real Risk
All Social Media Apps Collect Information on a Scale That Facilitates SurveillanceThere's much national security ado about the insanely popular, Chinese-owned, video-sharing social media app TikTok.
See Also: How to Take the Complexity Out of Cybersecurity
The concern isn't new, but it has been intensifying, and the U.S. is threatening to ban the app in America unless Chinese owner ByteDance divests. Last December, President Joe Biden banned TikTok from government devices. The EU, Canada, Britain and New Zealand have since followed suit. This week, France banned all "recreational apps" from government-issued devices.
Seeking to defend his company on the world stage, as well as from the Biden administration's threatened ban, TikTok CEO Shou Zi Chew testified before Congress last week. He promised lawmakers greater transparency, safety controls for parents, independent reviews of TikTok's code and what it does, and a "firewall" of all U.S. data as part of the company's "Project Texas," so named because that is where U.S. partner Oracle is based.
Despite what Chew promised lawmakers, and no matter how he responded to their questions - sometimes directly, sometimes avoiding their queries - many lawmakers' core concern about TikTok quickly became clear: its Chinese ownership and the country's national security law, via which it can compel any Chinese company to assist the government.
Questions of Trust
Questions about TikTok are merely the latest manifestation of concerns about how Beijing operates, said Emily Taylor, CEO of cyber intelligence firm Oxford Information Labs.
"The security and privacy risks are plausible, but largely without evidence," Taylor wrote in a Guardian op-ed about the "panic" around TikTok. "What this is really about is trust, trade and geopolitics."
Many Western government officials, policymakers and lawmakers don't trust Beijing today, and they don't trust what the Chinese government might do in the future. As the new White House cybersecurity strategy states, China "presents the broadest, most active and most persistent threat to both government and private sector networks."
Where TikTok is concerned, FBI Director Christopher Wray told a Senate panel earlier this month: "This is a tool that is ultimately within the control of the Chinese government and to me, it screams out with national security concerns."
Rob Joyce, who heads the National Security Agency's cybersecurity unit, warned Monday that TikTok is among the tools China is relying on not for some short-term "tactical" impact, such as hacking into or tracking end users' devices, but rather to give itself "a tremendous strategic capability," The Register reported.
Joyce, speaking at the Silverado Policy Accelerator's conference, likened TikTok not to a smoking gun, but rather a "Trojan horse" that doubles as a "loaded gun." In other words, it's too potentially dangerous to allow.
Concerns: Censorship, Monitoring
One concern is that the Chinese government could use TikTok's algorithms to censor Western opinions and even specific individuals' points of view. This could be used for information operations, for example, to avoid discussions of the country's human rights abuses - and possibly genocide - against its Uyghur population, or to shape perceptions of Western political candidates.
The volume of data being collected by Chinese intelligence services and how this might be used to create dossiers on Americans is another concern. In past attacks, Chinese government hackers have stolen personal information on 21.5 million individuals from the U.S. Office of Personnel Management. Exfiltrated data included private details from people holding or seeking classified security clearances, thus putting them at risk from blackmail threats.
But a January report from Georgia Tech's Internet Governance Project finds that obtaining information collected by any social media app - TikTok or otherwise - to monitor specific users wouldn't require a government order.
"Open source intelligence tools (OSINT) can be used to gather extensive data about social media users regardless of whether the service provider cooperates," IGP's report says. "If this is a 'threat,' it is one that applies to all social media, regardless of the provider's national origin."
Marketing Versus Surveillance
Focusing solely on TikTok misses bigger-picture risks at play, said Alan Woodward, a computer science professor at the University of Surrey who has advised Parliament on questions of cybersecurity and national security.
"All of these social media platforms collect data if you let them, so they should all be taken off any device used for official purposes," Woodward told me. "It's irrelevant why the data is being collected. If it's for marketing, sale to data brokers or surveillance, the end result is the same: Sensitive data can end up in the wild," although one exception, perhaps, would be for access to real-time location information, via GPS coordinates, which OSINT likely wouldn't touch.
The ban by France on "recreational apps" being installed on official devices is a reminder that "government devices used to be 'hardened' so you would never have allowed recreational applications on them," Woodward said. "Maybe we should follow the French lead, rather than the U.S."