TikTok – is it a security risk?

The European Commission and some other EU institutions have forbidden the use of the TikTok mobile app not just on smartphones provided by the institution to its staff but also on all phones which can have access to corporate data. Further EU institutions may follow suit. This happens after the US government took a similar step. All social media platforms present risks to privacy, collect a large amount of personal data and even if they don’t abuse these data, hackers can exploit them. The popularity of TikTok among young people, including young adults, makes measures against it controversial and difficult. So why is TikTok pinpointed? Is it more risky than other similar platforms?
mobil telefon tiktok

Specific risks on social media platforms and TikTok

TikTok is the platform of the "Z" generation, it enables uploading short videos but is gradually extending its functionalities. Given its popularity and the gradual appearance of the "TikTok generation" in the workforce, gaining more and more seniority and responsibility, one cannot ignore the recent warnings that it presents serious security risks, not just in respect of protection of personal data, but also in respect of confidential information it may have access to.

It must be differentiated between security of a social media platform and illicit data collection and use by the social media platform or app itself. Security vulnerabilities could enable malicious actors to access information or content uploaded to the platform. Social media platforms may use information improperly (e.g. creating profiles from information not intended to enable monitoring of users) themselves or could share information uploaded with actors who should not have access (like in the case of Cambridge Analytica). It is, however, also possible that a social media application gains access to files and e-mails on the phone even when they are not uploaded to the platform and use or share them.

Some of the security risks can be mitigated by responsible user behaviour (i.e. not falling for phishing attacks, using two-factor authentication and secure passwords kept confidential, signing out when not using the platform, not sharing confidential information – i.e. taking care of the background shown on the uploaded videos – others by applying enhanced security (private browsing windows, encryption of sensitive files etc.). Another example is that social media platforms enable setting the visibility of posts to "friends only" or "public" (sometimes some intermediate solutions) and also sending messages and content directly to one or more assigned users, i.e. this content should only be visible to the recipients, not even to other "friends".

There are some risks, however, like disclosure of user content to those for whom it is not intended or access of the mobile application to unrelated content on the device, that could be inherent in the system. These cannot be excluded by any security measures by the user, except, of course, by not posting anything on the portal and not keeping anything on the device where the application is installed. This, however, is not realistic.

A grey zone is the access of the application to other content and peripheral equipment of the phone. To be able to upload videos, either access to the files or access to the camera and microphone is necessary. Applications also need access to the keyboard. The granularity of the permissions giving access is not sufficient to exclude the possibility of abusing these rights of access. TikTok also asks access to the location of the user. This may not be indispensable for the use of the app but presents serious risks. This is the case for displaying the face of the user if a video is made with the camera showing the user – the picture can be used for face recognition and can be used in conjunction with other pictures which exist about the user on line.

Multiple lawsuits allege that TikTok also collects biometric data from users, including facial geometry, iris scans, voice recognition, and fingerprints. TikTok uses facial recognition software to superimpose images on users’ faces for use in videos. Unlike other data that is collected, biometrics represent the physical user and are generally permanent. Biometrics are therefore of high intelligence value. There is no direct evidence that TikTok is giving this data to the Chinese government, yet the existence of the National Intelligence Law compels TikTok to provide the data if requested.

The ownership structure of TikTok gives rise to the worries that Chinese national security authorities or state-sponsored malicious actors may have access to information posted on TikTok, intended to remain private or shared only with "friends" on TikTok, i.e. users with whom the user uploading the content is connected (we may also call them "contacts" but in smartphone jargon contacts are those individuals and organisations whose contact details are included in the phonebook of the device).

The general risks on social media platforms can be more severe when the security of the platforms is weak. TikTok gives assurance about its security but not every expert shares their optimism.

That’s why the US government and the European Commission have forbidden the use of TikTok on corporate devices (the Commission also on private devices enrolled in the Commission mobile device service (known as BYOD – Bring Your Own Device) and other prohibitions are on their way.

Actions taken following the doubts over security of TikTok

The US military banned its members from using TikTok on government devices or at all in late 2019 and early 2020, as did the Transportation Security Administration and some other federal agencies. Just last month, the chief administrative officer for the US House of Representatives warned lawmakers against installing TikTok due to the data it can collect.

Security concerns have grown over how user data is being used, and are further magnified by the fact that TikTok was developed and has its base in China. The Trump administration tried to ban TikTok in 2020, but was overturned by the higher courts.

On Dec. 2, 2022, FBI Director Christopher Wray warned that TikTok’s privacy and data collection policies could allow for the capture of sensitive, personally identifiable information and that data could be accessed by the Chinese government for use other than permissions given by the user. The FBI called TikTok a risk to national security in testimony before the House Homeland Security Committee in November 2022.

The British Parliament discontinued its TikTok account in August 2022. Ireland is still investigating whether the privacy policy of TikTok is compatible with the GDPR. A number of other countries, even non-EU and non-NATO countries followed suit.

Lately, Denmark also proposes to civil servants not to use it. Just this week (28 Feb), the European Parliament banned the use of social media app TikTok on staff devices and recommended that MEPs delete it from their phones.

The prohibition of the use of TikTok for EU institution staff on their devices which have access to service-related data was criticised, although it shouldn’t come as a surprise as at recent meetings, with TikTok management, top EU officials raised their concerns.

Concrete security considerations concerning TikTok

While it is more or less clear that information uploaded to TikTok is not as secure as it should be, whether the app has access to information it is not intended to, actual access is not proven. There are opinions for and against.

TikTok may use its accesses to collect data about the behaviour of the user (including keystrokes, for example) even when the user does not use the app at the moment. No actual proof was found.

Although there has been no evidence that the Chinese government spies on TikTok users, advice is not to use it if the user works for the US government or is required to protect trade secrets,

said Paul Bischoff, Editor of Comparitech.

“TikTok carries many of the same risks as other social networks like Instagram and Snapchat. TikTok collects personal information about its users for advertising purposes,” he added.

“We don’t see TikTok targeted more than any other social media platform. Hackers will try to harvest user data and distribute phishing links but this is the case with pretty much all social media,” Tom Gaffney, security consultant at F-Secure told Trusted Reviews.

In June 2022, Buzzfeed report leaked audio from internal meetings that showed China-based employees of ByteDance had "repeatedly" accessed non-public data from American users, including journalists. It was further revealed in December 2022 that employees at ByteDance (TikTok’s parent company) accessed TikTok data in an attempt to track the whereabouts of several western journalists in order to discover their sources within the company. This was also reported by Forbes.

Security of the TikTok app

Content on TikTok, legally used by the app, may, on the other hand, be accessible to hackers if the security protection of the app and the servers actually storing the information is not strong enough. When not using the information directly, it can help in devising phishing attacks using social engineering (using personal information to make phishing or scams more credible, like referring to a friend or spoofing addresses of friends (pretending that the e-mail comes from that address) when sending the e-mails recommending links (which then turn out to be malicious) or asking for money.

Microsoft discovered a high-severity vulnerability in the TikTok Android application, which could have allowed attackers to compromise users’ accounts with a single click. The vulnerability, which would have required several issues to be chained together to exploit, has been fixed and we did not locate any evidence of in-the-wild exploitation.

Other security researchers called attention to an insecurity on a server TikTok uses to store data. TikTok denied the allegations, stating that the code where the vulnerability was discovered, had nothing to do with their back-end software.

It has to be noted that all platforms enable a certain level of “scraping”, collecting information automatically (like Facebook in the famous “Cambridge Analytica” case. There was and incident in August 2020 that exposed the user profiles of over 200 million TikTok, Instagram, and YouTube users based on scraping – which breaks TikTok’s conditions of use.

Access of TikTok to information on the device

New analysis by Australian cybersecurity firm Internet 2.0 has found TikTok requests almost complete access to the contents of a phone while the app is in use. They found it by analysing the app’s source code to assess how exactly it was functioning on a phone. The phone was requesting significantly more information than what they said publicly they were doing, including to scan the entire hard drive, access the contact lists, as well as see all other apps that have been installed on the device, i.e. significantly more” than what a social media site needs access to. No information was found as to how much of these permissions were actually used.

According to Kaspersky, the well-known security firm, in 2020, Apple identified an issue with iOS 14, where certain apps could secretly access the clipboard on a user’s device. One of those apps was TikTok – which said that the issue was down to an anti-spam filter, which flagged users copying the same comment to multiple different accounts on the same device. TikTok acknowledged the issue and removed the feature.

Kaspersky (who got into disrepute due to its contacts with Russia) does not find the risk of TikTok extremely high, it explains the finding of its researchers that TikTok permissions give the platform full access to the audio, video, and address book on the device, that TikTok is an audio-visual app by design. However, GPS tracking is also enabled by default, which is surprising, especially as TikTok videos don’t obviously display location information. In their privacy policy, the platform states that this can be switched off.

On Android, however, the app has the ability to access other apps running at the same time, which can give the app with that permission the ability to access data in another app like a banking app. However, Kaspersky states that its researchers see no evidence that TikTok abuses this ability. There are other allegations that TikTok can override Android and IOs security features. Apple Insider plays down the risk saying that the features criticised are necessary and present also in other social platforms.

The political dimension of risks

Finally, TikTok could censor content or disseminate or give preference to the dissemination of information biased according to Chinese political interests or even spy on its users for the Chinese government.

While a Malwaretech report finds privacy risks small, they do not deny that there is a national security risk.

Although privacy risks exist with all social media platforms, but as the other big platforms are based or headquartered in the US, the links of TikTok to the Chinese government have mainly raised the fears. It was established that the TikTok app routinely connects to a lot of servers all over the world, including Chinese ones while other platforms limit where they store data. While TikTok claims all user data is stored in the U.S. and Singapore, TikTok’s parent company servers are all located in China and the app itself contains references to China-based infrastructure – says the community based non-profit Center for Internet Security.

On April 30, 2021, ByteDance's Chinese subsidiary Douyin sold a 1 percent stake to Wang Tou Zhong Wen Technology, which is owned by three state entities. One of them is linked to the China Internet Investment Fund (CIIF), which is backed by the Cyberspace Administration of China (CAC), the nation's central internet regulator. TikTok quoted the need to get access to several China-based content applications. Douyin is responsible for the operations in mainland China.

An article in the Forbes magazine takes a more moderate view, although it recognises the concerns, also notes that there is no evidence and TikTok tries to keep its US data separate from the Chinese.

These are legitimate concerns, overblown but legitimate," said Dr. Clifford Lampe, professor of information and associate dean for Academic Affairs at the School of Information at the University of Michigan.

Another study, published by the Internet Governance Project, concludes that TikTok is not a tool of the Chinese state and the efforts to control it target its domestic (i.e. Chinese) operations. Data on TikTok are of espionage value only if it come from users connected to national security. TikTok does not export censorship: it does not blocks material directly (which sounds realistic) and its recommendation algorithms are driven by commercial interests (which is more difficult to prove). Also, the multitude of data in the public domain mean that information in TikTok does not add much to insights provided by Open Source Intelligence Tools. The project believes in free communications consistent with individual rights and consists of a group of professors, postdoctoral researchers and students hosted at the School of Public Policy at the Georgia Institute of Technology.

According to a study prepared for the EDPB: concluded that Chinese authorities only have access – for fight against crime – to public data when they are stored outside the country of the user. This protection is not available if Tiktok Europe shares data with its Chinese affiliate(s), subcontractors or HQ.

Manipulation of content by TikTok

TikTok is not directly the reason for some anomalies on it but there are more and more stories showing TikTok abuses. The audience of the platform is particularly reactive and sensitive, videos are a strong communication tool, thus the impact is high but it cannot be excluded that the algorithms deciding what to show to users also play a role. It is also questionable whether TikTok is very diligent in taking down dangerous content (and this worry spills over to handling of disinformation).

For example, TikTok challenges like “blackout” are linked to several deaths of youngsters. The challenge encouraged users to strangle themselves with household items and post footage on TikTok.

Several lawsuits argued that the design of TikTok also influences promoting blackout challenge videos in users’ feeds. TikTok was actually acquitted as it only shared content created by users.

Another similar allegation is denied by TikTok and videos can’t be found any more, only those calling the attention to their risks. It cannot be excluded, of course, that the platform removed the videos after the scandal broke out.

A Hungarian journalist had a lot of disgusting videos presented to him as he looked at some, they literally started to pour in to his feed and it took weeks to re-condition the algorithm. Now he collected the most disgusting ones for the article and is already worried how and over what time he will again be able to get rid of them.

The background is that if a user looks at or reacts to certain type of content on a social media platform, similar posts are shown to this user more and more as they seem to interest the user. To get rid of them, one has to give the algorithm something else. If concentrating on one type of content, the algorithms discovers the change quicker. The downside is that then the content provided will again be concentrated while if there is no clear new interest, it takes longer until the algorithm forgets the old preference.

There are other accusations of misleading content or collective hysterias and harmful activities spreading quickly on TikTok, one example is the proliferation of private sleuths hindering the work of Police or disseminating conspiracy theories. This could also lead to racist allegations of crime, for example.

This is not limited to TikTok but these things seem to be published more and more about TikTok – whether this is due to indirect manipulation by public opinion, the US national security authorities or the policy and algorithms of TikTok – more oriented on adolescents – are the main reason, remains unclear.

What can we conclude?

TikTok shares the risks of other social media platforms, its distance from the Western world makes it less transparent and its connections to China doubtlessly mean some more risks.

Responsible use can mitigate many of the risks to ordinary users, but caution is recommended not only for government and international organisation staff but also those working with trade secrets or sensitive technical information.

Risks cannot be excluded when TikTok has access to devices holding confidential information – it is a specificity of smartphones that companies and authorities allow not just some private use but also to install private applications on these devices. More intelligent solutions separate the work and personal partitions, nevertheless some applications may be able to override these limitations.

Cover photo: Getty Images

 

More in Business

November 21, 2024 10:10

Raiffeisen's new bank account package already includes the increased transaction tax

But does so differently from other banks

Gázmező Oroszország
November 21, 2024 08:55

Hungary Mol inks cooperation deal with Kazakhstan's national oil company

Further agreements with Kazakhstan signed

Bacsa Gyorgy Portfolio1
November 20, 2024 11:30

Mol ready to divest from Russian oil if it gets EU funding

Oil company management worried by promises of newly appointed EU energy commissioner Dan Jørgensen

Paksi Atomeromu bejarat1
November 15, 2024 16:07

Serbia offers to buy stake in Hungary's NPP

President Vucic makes proposal at joint gov't meeting in Budapest

étterem borravaló pincér felszolgálás szervidíj jatt jattolás adó adómentes
November 15, 2024 15:16

Hungary to change regulation on service charge, tipping

Service charge to be capped, tips to be made tax-exempt

wizzair_5
November 15, 2024 09:24

Wizz Air gets tough on baggage size and weight

Passengers will not be happy about this

LATEST NEWS

Detailed search