
Should I Worry About TikTok?

I discussed this issue with Catherine Cullen on CBC Ottawa Morning on 27-Jul-2020. Have a listen…

I also cover this issue in the inaugural episode of Impact Assessment, my new show aimed at helping you understand security and privacy and how they impact you and your community. Check out episode #1, “Is TikTok A Threat?”

When you open up TikTok, you’ll most likely see a brand new dance move catching fire. Some light comedy. Maybe even some unique and touching content (like #MeetMyParents).

TikTok is the latest social media craze. It has captured the attention of millions of users around the world. Lately, it’s been catching headlines for more than its wild growth…what is TikTok and is it a threat?

What is TikTok?

TikTok is a video-based social network. It centers around 15 second video clips. Typically dancing and lip syncing, but in recent months the content has diversified.

The network has brought on longer videos (up to 60 seconds) and is experimenting with live video. But at its heart, it’s all about the short, viral video.

How viral? TikTok already boasts 800 million active monthly users. For context, Twitter has about 330 million and Facebook has about 2.6 billion. This popularity helped make its parent company $17B in 2019.

This is an app and network designed to scale…fast. The initial experience is very intuitive and gets users exposed to content immediately.

Backing these short video clips is a large library of licensed music. The company is adding to that library as quickly as it can. This music provides the backing track for videos and helps raise the quality of the content.

It’s also had an impact on the music world. Old Town Road reached #1 on the Billboard Hot 100 in large part due to its viral success on TikTok in 2019. Not sure if that’s a vote in favour of the network or against it…

Echoing Vine, the design makes it easier for content from creators to go viral…regardless of their following. The primary feed in TikTok, For You, is built by the service and full of video it thinks you’ll enjoy. That’s in stark contrast to the customized feed of the other social networks. Those feeds are built from the people and organizations you follow, mixed with targeted advertising.

On TikTok, you must take an additional step to get to that customized feed. Swiping left on the “For You” feed shows one that is solely constructed from content of people you follow.

This approach is very powerful. It exposes content to a much broader audience by default which helps spur growth.

Public or Private?

TikTok focuses on public content.

Part design, part lack of maturity, TikTok provides only coarse controls for visibility. Facebook and LinkedIn have a more nuanced system that was built over time and in response to user demand.

Videos and your profile are—by default—public.

You can set videos as private or for “friends” (where there is a mutual following relationship). Videos set to private are not searchable. They don’t appear on your profile, don’t get added to the feed, and can only be seen by people following you or people you send the direct link to.

You can also set your entire profile to private. This sets the default visibility of new videos to “Followers.” When your account is set to private, you have to approve any new followers. This provides a solid privacy baseline for your TikTok activities, if you so desire.

Bad Reputation

On description alone, TikTok seems harmless…at least as harmless as any social network can be.

Yes, the privacy controls could be a little more intuitive. But the network does not seem nearly as invasive as others. That lack of an invasive feeling is in part due to the setup but also due to the content. When you’re sharing jokes, dances, and other fun entertainment, it feels less risky.

So why is TikTok getting a ton of negative press lately?

Censorship

The first issue is censorship.

TikTok is owned by ByteDance. ByteDance is a large internet company based in Beijing, China. The company owns several services including TikTok and its Chinese companion, Douyin.

Content about the Hong Kong protests in 2019 was the first to drive claims of censorship on TikTok. Searching for content about the protests returns almost no results, despite such content being available on the platform.

The Guardian published an inside look at how the network managed content in 2019. All social networks have content policies. The key questions are what they cover and how effectively they are enforced.

TikTok’s policy prohibits content that runs counter to the Chinese government’s worldview. At least, that’s the reality of it. The policy itself is vague enough to provide some deniability. Additionally, TikTok has been very effective in enforcing these guidelines.

Policies enforced as recently as March 2020 show that TikTok continues to evolve its moderation rules, extending to modesty, military or police activity, giving the middle finger, and more. Commonplace on Chinese networks, the policies feel heavy handed and overreaching, especially when compared to Facebook, Twitter, and others.

These articles expose policies that are more harsh than the public Community Guidelines.

This type of facade undercuts trust in the network itself. It also highlights the differences in ownership…even though TikTok has offices worldwide. The company has also made a media push that includes investing heavily in the United States.

National Security Threat?

Discussions in the United States have recently called TikTok a “national security threat.” Repeated mentions of a broader ban have popped up as well.

Several other organizations picked up on the idea of a ban. Amazon echoed that sentiment and then quickly retracted it. The US Democratic and Republican National Committees have issued stern warnings about TikTok. The US Military, Wells Fargo, and the country of India have also issued bans of the network.

In each of these cases—though India is more nuanced & complex—the main threat cited is access to data.

TikTok has stated that it operates independently from ByteDance. That all data rests outside of China and is not subject to Chinese government data requests.

Data on US users resides in the United States with back-ups made to Singapore.

Privacy Policy

The company’s Privacy Policy sheds some light on what types of data it collects. It’s all pretty standard for a social network:

  • Anything you provide as profile information
  • Behavioural data
  • Device information
  • Location data
  • Direct messages

Their policy also states all the ways they will use the information. Again, very standard for a social network: any way they choose.

This is the standard setup for every social network. “We collect all the data and can do with it what we please.”

Users then have to assume that everything they do is public…even if it is marked as private.

The clause that is particularly concerning falls under data sharing. There is the usual list of business partners, service providers, advertisers, and then…

“Within Our Corporate Group: We may share your information with a parent, subsidiary, or other affiliate of our corporate group.”

This statement includes ByteDance, which does operate in China and is thus under Chinese law. There is also no recourse under the policy for you to find out if your data was shared.

It’s also important to call out something positive in the privacy policy. TikTok has an explicit callout in the policy for how they handle the data of users under 13. Most organizations take the “easy” way out here. They don’t allow anyone under 13 to use the platform. This is typically to address the legal requirements of COPPA in the US.

TikTok explicitly states how they handle data for children under 13. They detail how that experience is different than a normal account.

More services should follow this example.

Risk Model

Back to the core issue. Does this policy and set of privacy practices mean that TikTok is a threat to US national security? Or a threat to anyone for that matter?

To make a decision about risk, you need two pieces of information:

  1. The potential impact of an event
  2. The likelihood of that event occurring

Making this more complicated, “national security” is a very nuanced concept. It concerns any direct threat to a nation state. The problem is that interpretation is wide open.

Let’s apply some basic risk calculus to this issue.

The data collected could provide a rough location and a device identifier for a user. IP geolocation can be wildly inaccurate, but it is still a possible way to physically locate a user.

Users willingly hand over profile information. That data is already with hundreds of other sites in different jurisdictions.

That leaves the content you’re uploading and your behavioural patterns. To a nation state attacker, any information about a target is valuable. But an opponent knowing that you like Charli D’Amelio’s latest dance isn’t going to give them a leg up.

There is an operational security risk if you are an active poster. Items in the background could reveal sensitive information. Repeated posts from favourite locations could identify habits or patterns. Any of these items could be harmless, but they might also be the last piece of a puzzle an opponent is putting together.

These situations only apply to nation state actors. The impact to regular users is minuscule, if it exists at all.

The impact for each of these data issues depends on the user targeted. In cases where this risk is relevant, the people involved are highly aware and trained in order to eliminate it.

The likelihood of those negative impacts happening is very low. Therefore the overall risk is very low.

Politics

The military and political campaigns have their own unique threat models. The military is a constant target. They are well adapted to this reality and well trained for it. Recently we’ve seen repeated attacks on US political campaigns and offices.

This changes their threat model and they need to take different risk mitigations. Does that justify a ban on TikTok? Perhaps. Organization-specific bans may be a good move, but that same logic holds true for all social networks…or even fitness trackers.

Banning TikTok for national security reasons doesn’t hold up to scrutiny. There’s a much simpler reason for the push: politics.

The US and China have a challenging relationship that plays out on many fronts. TikTok is the latest callout for these issues. It’s become a household name and, because of that, it holds political collateral.

It’s an easy drum for politicians to beat to win points with their constituents. It shows that they are calling for action…even if that action doesn’t make sense.

What’s Next?

It’s unlikely that TikTok is a threat to any nation’s security. Calls for a ban do highlight a broader issue.

The internet regularly breaks through geographical lines. The culture of the service will always be reflected in the social network.

American companies are driving some of the biggest social networks on the planet. As a result, there is a strong “free speech” component. This aligns with American cultural norms and has created an expectation of platforms for freedom of expression.

But it has also led to significant issues with the health of those online communities.

Are there issues with TikTok and its content moderation policies? Absolutely.

Does that mean you shouldn’t use the network? Maybe.

That decision will depend on your views on censorship. How closely do you associate a company with its parent? With its host country’s actions? It’s a complicated issue.

Globally, social networks have been given a lot of leeway by their users. Facebook has had scandal after scandal after scandal. And yes, they have continued to grow, now boasting 1/3 of the population as monthly active users.

Their impact on the world was completely unimaginable 10 years ago.

In some ways, it was nice to have a social network that is primarily about dancing, lip syncing, and comedy. Unfortunately, it has a dark side as well.

Is TikTok a national security threat? Probably not. Should you use TikTok? That depends.

What do you think? Let me know on Twitter where I’m @marknca.

Transcript of My Discussion With Catherine

[00:00:00] Catherine: [singing]. That is of course Lil Nas X with Old Town Road, we apologize if that is stuck in your head for the next week and a half. But we are playing it for a reason, it became the longest number one hit of all time in part because it went viral last year on TikTok if you don’t know, the app allows you to share short videos often. It’s people dancing, lip-syncing, joking around. It is one of the most downloaded apps on Earth, especially by teens and 20 somethings.

It’s owned by a Beijing based company called ByteDance, and that has made it the target of a lot of scrutiny lately. Last week, US Congress advanced legislation to block federal employees from using it on government issued devices, and the Trump administration is considering ways to push the app out of the United States. Here’s Secretary of State Mike Pompeo, earlier this month.

[00:01:44] Mike Pompeo: The mission said is to protect American national security and in this case the information of American citizens and whether it’s TikTok, or any of the other Chinese communications platforms, apps infrastructure, th- this administration is taking seriously the requirement to protect the American people from having their information end up in the hands of the Chinese Communist Party.

And we’re working through a process where all the relevant agencies and the private sector are getting to say their uh, piece, we- we hope to have a set of decisions shor- shortly.

[00:02:14] Catherine: Secretary of State Mike Pompeo, so how concerned should you be if you or your kids have TikTok? Our tech columnist Mark Nunnikhoven is here to walk us through what you need to know. Good morning, Mark.

[00:02:26] Mark: Good morning, Catherine.

[00:02:26] Catherine: So let’s start with what is TikTok? For the folks who are not making videos themselves dancing at home, can you give us the- the sum up?

[00:02:34] Mark: For sure and the intro was- was really good. And then it highlighted, this is primarily a video based social network.

[00:02:40] Catherine: [affirmative].

[00:02:41] Mark: So it’s built around video clips that are about 15 seconds long of people just having fun. If you opened up the app today you’re gonna see a lot of trending around pets. Pets of TikTok has almost 9 billion views. One of my fav-

[00:02:55] Catherine: Pets of TikTok?

[00:02:55] Mark: … Pets of TikTok.

[00:02:56] Catherine: Oh, there we go.

[00:02:56] Mark: So people doing little 15 second clips of their cats or their dogs.

[00:02:59] Catherine: [laughs].

[00:02:59] Mark: There’s one that I really like, which is today today years old, where people are posting “Hey, today, I was today years old when I learned that the potato peeler works both forward and backward.” Things like that.

[00:03:10] Catherine: Yes. An important revelation, I will say. So it’s not all fluff. [laughs].

[00:03:14] Mark: Exactly. That’s critical information that we need to know. Yeah. But that highlights the content on the network generally tends to be on the lighter side. It’s not in depth, political discussion.

[00:03:23] Catherine: [affirmative].

[00:03:23] Mark: It’s mainly entertainment, though there are some deeper topics there.

[00:03:27] Catherine: I was gonna say recently, I- I think we’ve been seeing some Black Lives Matter content starting to make its way onto the app and whatnot. But let’s talk about these security concerns particularly coming from us lawmakers, although we are hearing other countries around the world raise concerns as well. What can you tell us?

[00:03:41] Mark: Yeah, absolutely. And we’ve been seeing it increasingly in US headlines with the political parties getting behind this and saying that there is a threat to national security here, which seems very much a disconnect between the type of content that’s sitting on the network. And a threat to national security. It doesn’t seem like cat videos are very critical to national security.

But the concern here is the fact that TikTok is owned by ByteDance. Which is a Chinese based company, and every social network, including TikTok tracks a lot of information about your behavior as well as potentially location information based on where you’re logging in from. And so their… The position from the US is that information then poses a risk to national security.

[00:04:21] Catherine: Now it’s interesting, the company ByteDance, based in Beijing, and it’s particularly interesting, I think, because there’s news today once again about the Meng Wanzhou case here in Canada. Huawei in that discussion, there have been a lot of questions about that company’s tie to China. But what do we know about ByteDance’s potential ties to the Chinese regime?

[00:04:39] Mark: Yeah, so ByteDance is fully based in China, which means they follow all Chinese law. And it is commonly understood that the Chinese government has a far more active hand in requesting data from companies with far less oversight, unlike in other countries where there’s a judicial process as a checking of balance.

So there is concern there. And when it comes to a company like Huawei, they’re making critical telecommunications infrastructure. So it’s a completely different risk model-

[00:05:06] Mark: … to a social network, and I think that’s a really important thing to keep in mind.

[00:05:10] Catherine: When we talk about comparisons, you touched a moment ago on some of the data that TikTok is collecting on its users. To what extent is that different than, let’s say, what a Facebook or another company might be collecting about you?

[00:05:22] Mark: Yeah, and that’s a key question and one that I’ve been diving into lately, and it actually turns out that there’s a lot less data on TikTok than on Facebook. So there’s some basic profile information your name your phone number, because it’s a primarily a mobile based social network.

As well as your email. And that’s about it as far as your information that you’re handing over. Other than your activity. The liked videos, the videos you’re uploading and some direct messaging. So that leaves the metadata in the background.

[00:05:48] So it would be able to see the IP address you’re logging in from. So your unique identifier on the back end network, and that is loosely tied to your location but not as clearly as the movies would have you believe. Contrast that to Facebook, where you’re actively providing your real name.

That’s a policy or requirement you’re connecting all of your friends who also use their real names, you’re adding in your location, your school. There’s far more in depth information on other social networks than there is on TikTok, there’s really a bare minimal information set there.

[00:06:18] Catherine: Okay. What about the question of censorship and people may raise their eyebrows, because you and I have been talking about cat videos for a couple minutes now. But there- there have been allegations that TikTok centered- censored certain videos, including during the Hong Kong protests, what can you tell us about that?

[00:06:31] Mark: Yeah, and this is where it really starts to set apart from other social networks is that there have been allegations and there have been confirmations of those issues around censorship. You mentioned the Hong Kong protests, that’s where it first spun up.

The Guardian had a really in depth look at the content moderation policies on the platform in the fall of 2019. And they were actively… TikTok was actively removing content that was highlighting the Hong Kong protests. And they were banning users as well as basically putting that content in a black hole where you thought it was public, but it was actually not getting pushed out.

[00:07:04] And that has continued with things like Black Lives Matter. And The Intercept which is another outlet just had a leak of all the documents for content moderation on the platform. And it’s very much an aggressive content moderation platform. Anything that is speaking ill of the Chinese government that doesn’t align with their worldview.

So things like Tiananmen Square protests against socialist systems. Things like these are actively removed from the platform extremely aggressively. Where that doesn’t hold true for other networks like Facebook or Twitter.

[00:07:36] Catherine: That is obviously very concerning. When we hear the argument from the United States administration, it does seem to be more security linked, though their concerns but I wonder what do you think that they might be able to do, if they do indeed want to prevent people from using TikTok?

[00:07:51] Mark: Yeah, and that’s where the- the real challenge comes down to. Is there’s a lot of muddied angles here, they’re not calling the censorship thing out.

[00:07:57] Catherine: [affirmative].

[00:07:57] Mark: They’re calling a security angle and as far as what they can do, they can control their own uh, house, so to speak. The US military has already banned using this app. Both the DNC and the RNC have said don’t use it. So there is limit… Their ability to restrict its use within the US government or the political campaigns.

But broader than that a ban is simply unrealistic. They would have to get Google and Apple, who are the primary distributors of the app, onboard. And both those companies have shown, hesitancy is a polite word, an extreme aversion to any of these types of bans simply because it’s a very slippery slope because they are international companies and the app stores have a huge amount of content from countries around the world.

[00:08:36] Catherine: Interesting. Now, what about what we’ve heard from TikTok? What’s the response been?

[00:08:40] Mark: So TikTok’s response has been what you would expect, [laughs], in situations like this they are highlighting the difference between ByteDance their parent company which is based firmly in China and themselves who have operations around the world.

They have repeatedly pointed out that their privacy policy and their content moderation policies are public very much aligned with the rest of the social networking world, even though we know that content moderation policy doesn’t actually line up with the rest of the world, content media, social media world. But they’ve also pointed out that the data for US users is in the US backed up in Singapore, and that none of their data actually sits in China.

[00:09:13] Catherine: [affirmative].

[00:09:13] Mark: Which means that the Chinese government can’t get at it. Now, how much of that is positioning, how much of that is true-

[00:09:19] Mark: … that’s the real challenge. As users, you sort of have to either take the company on its word, or do some light investigation, but you can’t turn up more of that information yourself, because it is basically just taking it on faith.

[00:09:30] Catherine: Yeah, certainly there is some skepticism about their… About a Beijing based company’s ability to resist the Chinese regime. I wonder about push back from TikTok users themselves.

[00:09:40] Mark: And this is where it gets quite interesting, because as we’ve seen with the long history from Facebook users is that while there are temporary flare ups of abuses of privacy and of data in the long term, it doesn’t really matter. And that seems to be the case with a much younger TikTok.

While these issues, especially around censorship were brought up almost a year ago the app continues to have growth numbers that are through the roof. There’s currently 800 million active users every month which puts it well above Twitter, which was-

[00:10:05] Mark: … established far longer. So it doesn’t seem to be affecting its usage and ByteDance, the parent company, recorded a record level of profit in 2019, pulling in $17 billion. So it’s not slowing down anytime soon.

[00:10:17] Catherine: Okay, now I want you to just sum it all up to give us the TikTok version, you can dance at home, we won’t know. [laughs]. But where the- the summary of where this leaves us as people who might have it on our phones, or if our kids have it on their phones. TikTok yay, or nay in terms of the safety and security of the app?

[00:10:32] Mark: I would say for most users it- it would be a yay if it’s something you’re interested in, though if you are strongly averse to participating in a platform that will clamp down on political speech and clamp down on your point of view, then that’s not the place because they’re going to ban you off the platform pretty quick.

But if you’re looking for light entertainment content, there doesn’t seem to be a real security risk for the average user. That being said, if you’re in a political party, if you’re working in the military, or something where there’s a nation state aspect, the risk model is completely different. I think the biggest risk for most users is you know what you played in the intro, getting a song like Old Town Road-

[00:11:09] Catherine: [laughs].

[00:11:09] Mark: … which hit number one because of TikTok, stuck in your head, or having to watch teens and tweens do the same dance repeatedly for hours to nail it. And some of the results are amazing, but that can be really challenging to process, to get those ear worms in and to figure out a way to get them out of your head.

[00:11:25] Catherine: Yeah, I gotta admit, I love that song. But once again, I do apologize to our audience for that whole Old Town Road thing. Thank you so much Mark Nunnikhoven.

[00:11:32] Mark: Thank- Thank you, Catherine.

[00:11:33] Catherine: Mark Nunnikhoven is our tech columnist and the Vice President of cloud research at Trend Micro.