The battle against TikTok has commenced. Ever since President Biden sanctioned the prohibition of downloading or using TikTok on state-owned devices for U.S. federal government employees in December 2022, more than two dozen states have opted to restrict access to the application, citing concerns about ByteDance’s data collection practices.
In both the public and private sectors, there is a mounting apprehension that TikTok’s data collection might expose information to the Chinese Communist Party (CCP).
These concerns are substantiated by security research conducted by Internet 2-0, which has characterized TikTok’s data collection as “excessively intrusive,” gathering data from all other apps installed on a user’s mobile device.
Now, organizations find themselves grappling with the decision of whether to emulate the U.S. government’s lead in banning TikTok outright. It is imperative to assess the practicality of such bans, especially in the age of Bring Your Own Devices (BYOD), where the boundary between personal and work-related devices often blurs.
Analyzing the Basis for the TikTok Ban
One of the primary drivers behind the TikTok ban is the growing concern surrounding TikTok’s data-sharing practices. This apprehension stems from the organization’s acknowledgment, last year, of its sharing of user data belonging to European citizens with personnel located in China, Brazil, Canada, Israel, the United States, and Singapore.
While TikTok asserts that these data-sharing methods align with the General Data Protection Regulation (GDPR) and are intended to enhance the user experience, there remains the potential for state access. This stems from ByteDance’s obligation, under Chinese law, to provide data access to the Chinese Communist Party (CCP).
Tensions over TikTok’s data collection practices escalated further when leaked audio recordings surfaced from more than 80 internal meetings. Within these recordings, 14 statements admitted that engineers in China had access to the personal data of users based in the United States. This controversy has ultimately led to the United States government deciding to completely ban the TikTok app.
Bryan Ware, CEO of LookingGlass and former assistant director of cybersecurity at CISA, commented on the situation, stating, “The potential TikTok bans are part of a broader U.S. priority to reduce security risks from China. Other technologies from companies like Huawei, DJI, Hikvision, and more are undergoing similar scrutiny and restrictions.”
However, it is crucial to recognize that the security risks associated with TikTok’s data collection processes extend beyond just the U.S. government’s concerns. These risks are pertinent for organizations as well. Ware emphasized this point, saying, “These companies and products pose genuine security risks and can have significant business implications. Enterprises should not delay taking action to limit or manage their exposure to TikTok and other Chinese products known to have security implications until final determinations are made.”
What is the extent of the risks involved?
Regarding practical risks, the most alarming concern revolves around the possibility that private information gathered via the app might fall into the hands of the Chinese Communist Party (CCP) as part of a nation-state surveillance effort.
Matthew Marsden, Vice President at Tanium, voiced even deeper concerns about TikTok, stating, “While some may argue that TikTok poses a danger simply due to its impact on the younger generation through social media, what is even more disconcerting is the very real possibility that this popular platform has ties to the Chinese Communist Party (CCP) and is being utilized for influence operations, including the collection of sensitive personal and biometric data.”
Marsden pointed out that TikTok’s privacy policy explicitly mentions the collection of biometric identifiers and information, such as faceprints and voiceprints, as defined under U.S. laws. The policy also openly acknowledges the potential sharing of all collected information with a parent company, subsidiary, or other affiliate within their corporate group.
“This is deeply concerning because the CCP can easily compel China-based companies to share information in order to advance party objectives,” Marsden emphasized.
In essence, individuals who use TikTok on both work and personal devices may unknowingly expose their biometric information and other personally identifiable information (PII) to nation-state actors. Given the increasing prevalence of biometric authentication, the accumulation of biometric data could potentially be exploited in the future to circumvent security measures.”
The Feasibility of Prohibiting TikTok
While the U.S. government has initiated efforts to crack down on TikTok, a complete ban on its usage poses considerable challenges for organizations. Managing and enforcing such a ban at the application level proves to be a complex task. According to Barrett Lyon, co-founder and chief architect of Netography, implementing a TikTok ban, or any similar app ban, is not a straightforward policy. It necessitates a comprehensive approach that may be a substantial undertaking for organizations ill-equipped to handle users on an application level.
Lyon underscores that most organizations lack the technical infrastructure and resources required to outright ban an app, especially considering that apps can change hostnames, network configurations, IP addresses, or even overlap with existing Content Delivery Networks (CDNs) serving critical applications. Additionally, the prevalence of Bring Your Own Device (BYOD) policies means that many personal devices used by employees are beyond the control of the security team.
Consequently, the only viable option would be to prohibit the use of personal devices, an impractical measure for most organizations operating in hybrid work environments.
So, what steps can organizations take regarding TikTok?
The most effective approach for enterprises to mitigate potential data security risks associated with TikTok is to rely on user awareness. In practical terms, this entails educating employees about the security risks posed by the app, allowing them to make informed decisions regarding the safeguarding of their personal information.
Stephen Gates, a security evangelist at Checkmarx, suggests that, in the context of personal devices used in workplace settings, there is little that can be done beyond offering guidelines to employees. One potential action is implementing a ban on TikTok usage when personal devices are connected to an organization’s network. However, enforcement is nearly impossible due to encrypted traffic, Virtual Private Networks (VPNs), and similar technologies, as noted by Gates.
Furthermore, organizations should reassess the necessity of Bring Your Own Device (BYOD) programs for employee productivity. This involves weighing the benefits of BYOD flexibility against the risks of data exposure to nation-state actors. Those organizations that choose to persist with BYOD environments must accept a diminished level of control over the risk associated with apps harvesting personal data.
As Adam Marrè, former FBI cyber special agent and current CISO at Arctic Wolf, explains, allowing employees to “bring your own device” (BYOD) entails limited legal control because these devices are owned by employees, not the organization itself.