In a year of filled with concerns such as a global pandemic, murder hornets, and so much more, the crisis du jour for Americans is now…TikTok? Though it has existed for roughly two years, the short-form video app skyrocketed to pop culture prominence during stay at home orders, playing a role in everything from viral memes to political activism. But with large companies like Amazon and Wells Fargo making headlines for asking employees to delete the app, the U.S. military banning it from government-issued phones, and India outright banning it completely—all citing national security concerns—many of TikTok’s hundreds of millions of users and their employers have been left asking, “Is it safe?”
The short answer: no. The slightly longer answer: it’s complicated.
The common claim that TikTok is “Chinese spyware” that steals data from users’ devices and sends it directly to China is not true, at least not in the clear-cut way it is presented. Yet this risk can easily occur from a backdoor method or breach methods well leveraged in China with GhostNet. The Information War Monitor (IWM) found this to be true after a 10-month investigation of the state-funded GhostNet company in China. As it stands currently, the threat to security, particularly national security, is more hypothetical than tangible. However, there are several major security issues consumers and their employers should be concerned about.
- TikTok is owned by
Chinese company ByteDance but is essentially two companies in one. In China, it
operates as the highly restricted and censored DouYin, and everywhere else it
is largely unrestricted TikTok we know. This separation is how the company is
able to claim the data is safe from the oversight
of the Chinese government. While TikTok argues that they do not operate in
China, they only store TikTok data on servers outside of China,
and they would not turn over data to China even if asked, skeptics disagree.
They argue that, as TikTok’s parent company is Chinese, they could be forced to
hand over TikTok’s data to the Chinese government under their recent and
far-reaching national security laws. Recent issues
with China imposing its national security law over Hong Kong, effectively
booting out TikTok, could shed further light on this for other countries. It
has been proven by US federal agencies that the Chinese
government pervasively surveils within its borders and can get access to company-held data on a whim; thus,
TikTok’s potential collection of information on U.S. citizens is true a
security risk. The Chinese government has already acted on this with other
companies, regardless of where the data resides. TickTok openly discloses the
information they capture and use. (Click here to
- At its core, TikTok
is a social media platform, and social
media and data privacy will always be at least somewhat at odds. While the data
it collects is likely no more intrusive than that collected by other social
media giants, the risk of that data in the wrong hands is high, especially in a
world where users often rely on social media as a source of
news. There have already been several allegations that the company has sought
to suppress content critical of the Chinese government or considered
controversial in China.
- TikTok’s popularity
makes it a prime target for hackers, and it’s unclear
whether TikTok’s infrastructure is strong and sophisticated enough to withstand
attacks. In January, Check Point researchers found several vulnerabilities in
TikTok that could have let attackers gain control of TikTok accounts, change
the privacy settings on TikTok videos, upload videos without permission, and
obtain user data such as email addresses. (Click
here for more details on their research.) While security issues are something all software
companies grapple with and TikTok did fix the issues Check Point uncovered, the
software and company are still so new that it’s hard to say whether they can be
trusted going forward.
In short, how TikTok handles content produced and disseminated on its platform and its user data may absolutely pose a national security risk, just in a more abstract way than directly spying on government or military actions. That being said, just because you can keep TikTok—for now—doesn’t necessarily mean that you should. Always exercise caution when sharing personal information online. Despite the allure, TikTok just isn’t worth the risk. This is especially true for company-issued equipment, where the data you are risking isn’t just your own.