Follow Mark on LinkedIn Follow @marknca on Twitter Follow marknca on GitHub Follow marknca on YouTube

imgs/hero.jpg

Should I Worry About TikTok?

10 minute read |An icon depicting a retail tag with a heart for 'favourite'CybersecurityRiskSocial Media

I discussed this issue with Catherine Cullen on CBC Ottawa Morning on 27-Jul-2020. Have a listen…

I also cover this issue in the inaugural episode of The Impact, my new show aimed to help you understand security and privacy and how it impacts you and your community. Check out episode #1, “Is TikTok A Threat?

When you open up TikTok, you’ll most likely see a brand new dance move catching fire. Some light comedy. Maybe even some unique and touching content (like #MeetMyParents).

TikTok is the latest social media craze. It has captured the attention of millions of users around the world. Lately, it’s been catching headlines for more than it’s wild growth…what is TikTok and is it a threat?

What is TikTok?

TikTok is a video-based social network. It centers around 15 second video clips. Typically dancing and lip syncing, but in recent months the content has diversified.

The network has brought on longer videos (up to 60 seconds) and is experimenting with live video. But at it’s heart, it’s all about the short, viral video.

How viral? TikTok already boasts 800 million active monthly users. For context, Twitter has about 330 million and Facebook has about 2.6 billion. This popularity helped make its parent company $17B in 2019.

This is an app and network designed to scale…fast. The initial experience is very intuitive and gets user exposed to content immediately.

Backing these short video clips is a large library of licensed music. The company is adding to that library as quickly as they can. This music provdies the backing track for videos and helps raise the quality of the content.

It’s also had an impact on the music world. Old Town Road reached #1 on the Billboard Hot 100 in large part to its viral success on TikTok in 2019. Not sure if that’s a vote in favour of the network or against it…

Echoing Vine, the design makes easier for content from creators to go viral…regardless of their following. The primary feed in TikTok, For You, is built by the service and full of video it thinks you’ll enjoy. That’s in stark contrast to the customized feed of the other social networks. Those feeds are built from organizations you follow mixed with targeted advertising.

On TikTok, you must take an additional step to get to that customized feed. Swiping left on the “For You” feed shows one that is solely constructed from content of people you follow.

This approach is very powerful. It exposes content to a much broader audience by default which helps spur growth.

Public or Private?

TikTok focuses on public content.

Part design, part lack of maturity, TikTok provides only coarse controls for visibility. Facebook and LinkedIn have a more nuanced system that was built over time and in response to user demand.

Videos and your profile are—by default—public.

You set videos as private or for “friends” (where there is a mutual following relationship). Videos set to private are not searchable. They don’t appear on your profile and don’t get added to the feed. and can only be seen by people following you or that you send the direct link to.

You can also set your entire profile to private. This set the default visibility of new videos to “Followers.” When your account is set to private, you have to approach any new followers. This provides a solid privacy baseline for your TikTok activities, if you so desire.

Bad Reputation

On description alone, TikTok seems harmless…at least as harmless as any social network can be.

Yes, the privacy controls could be a little more intuitive. But the network does not seem nearly as invasive others. That lack of invasive feeling is in part due to the setup but also due to the content. When you’re sharing jokes, dances, and other fun entertainment, it feels less risky.

So why is TikTok getting a ton of negative press lately?

Censorship

The first issue is censorship.

TikTok is owned by ByteDance. ByteDance is a large internet company based in Beijing, China. The company owns several services including TikTok and it’s Chinese companion, Douyin.

Content about the Hong Kong protests in 2019 was the first to drive claims of censorship on TikTok. Searching for content about the protests returns almost no results, despite being available.

The Guardian published an inside look at how the network managed content in 2019. All social networks have content policies. The key questions are what do they cover and how effectively are they enforced ?

TikTok’s policy prohibits content that runs counter to the Chinese government’s worldview. At least, that’s the reality of it. The policy itself is vague enough to provide some deniability. Additionally, TikTok has been very effective in enforcing these guidelines.

As recently enforced as March, 2020, TikTok continues to evolve its moderation policies. Extending to modesty, military or police activity, giving the middle finger, and more. Commonplace on Chinese networks, the policies feel heavy handed and overreaching. Especially when compared to Facebook, Twitter, and others.

These articles expose policies that are more harsh than the public Community Guidelines.

This type of facade undercuts trust in the network itself. It also highlights the differences in ownership…even though TikTok has offices worldwide. The company has also made a media push that includes investing heavily in the United States.

National Security Threat?

Discussions in the United States have recently called TikTok a “ national security threat. ” Repeated mentions of a broader ban have popped up as well.

Several other organization picked up on the idea of a ban. Amazon echoed that sentiment and then quickly retracted it. The US Democratic and Republican National Committees have issued stern warnings about TikTok. The US Military, Wells Fargo, and the country of India have also issued bans of the network.

In each of these cases—though India is more nuanced & complex—the main threat cited is access to data.

TikTok has stated that it operates independently from ByteDance. That all data rests outside of China and is not subject to Chinese government data requests.

Data on US users resides in the United States with back-ups made to Singapore.

Privacy Policy

The company’s Privacy Policy sheds some light on what types of data it collects. It’s all pretty standard for a social network;

Their policy also states all the ways how they will use the information. Again, very standard for a social network: anyway we choose.

This is the standard setup for every social network. “We collect all the data and can do with it what we please.”

Users have to then assume that everything they do is public…even marked as private.

The clause that is particularly concerning falls under data sharing. There is the usual list of business partners, service providers, advertisers, and then…

Within Our Corporate Group We may share your information with a parent, subsidiary, or other affiliate of our corporate group.

This statement includes ByteDance which does operate in China. And is thus under Chinese law. There is also no recourse under the policy for you to find out if your data was shared.

It’s also important to call out something positive in the privacy policy. TikTok has an explicit callout in the policy for how they handle the data of users under 13. Most organizations take the “easy” way out here. They don’t allow anyone under 13 to use the platform. This is typically to address the legal requirements of COPPA in the US.

TikTok explicitly states how they handle data for children under 13. They detail how that experience is different than a normal account.

More services should follow this example.

Risk Model

Back to the core issue. Does this policy and set of privacy practices mean that TikTok is a threat to US national security? Or a threat to anyone for that matter?

To make a decision about risk, you need two pieces of information;

  1. The potential impact of an event
  2. The likelihood of that event occurring

Making this more complicated, “national security” is a very nuanced concept. It concerns any direct threat to a nation state. The problem is that interpretation is wide open.

Let’s apply some basic risk calculus to this issue.

The data collected could provide a rough location and device identifier for a user. IP geolocation can be wildly inaccurate, but it is still a possible way o physically locate a user.

Users willingly hand over profile information. That data is already with hundreds of other sites in different jurisdictions.

That leaves the content you’re uploading and your behavioural patterns. As a nation state attacker, any information about a target is valuable. But an opponent knowing that you like Charli D’Amelio’s latest dance isn’t going to given them a leg up.

There is an operational security risk if you are an active poster. Items in the background could provide sensitive information. Repeated posts from favourite locations could identify habits or patterns. Any of these items could be harmless, they also might be the last piece of a puzzle an opponent is putting together.

These situations only apply to nation state actors. The impact to regular users is minuscule, if it exists at all.

The impact for each of these data issues is dependent on the user targeted. In cases where this is risk is relevant, the people involved are highly aware and trained in order to eliminate this risk.

The likelihood of those negative impacts happening is very low. Therefore the overall risk is very low.

Politics

The military and political campaigns have their own unique threat models. The military is a constant target. They are well adapted to this reality and well trained for it. Recently we’ve seen repeated attacks on US political campaigns and offices.

This changes their threat model and they need to take different risk mitigations. Does that justify a ban on TikTok? Perhaps. Organization-specific bans may be a good move, but that same logic holds true for all social networks…or even fitness trackers.

Banning TikTok for national security reasons doesn’t hold up to scrutiny. There’s a much simpler reason for the push; politics.

The US and China have a challenging relationship that plays out on many fronts. TikTok the latest callout for these issues. It’s become a household name and because of that, it holds political collateral.

It’s an easy drum for politicians to beat to win points with their constituents. It shows that they are calling for action…even if that action doesn’t make sense.

What’s Next?

It’s unlikely that TikTok is a threat to any nation’s security. Calls for a ban do highlight a broader issue.

The internet regularly breaks through geographical lines. The culture of the service will always be reflected in the social network.

American companies are driving some of the biggest social networks on the planet. As a result, there is a strong “free speech” component. This aligns with American cultural norms. This has created an expectation of a platforms for freedom of expression.

But has also lead to significant issues with the health of those online communities.

Are there issues with TikTok and its content moderation policies? Absolutely.

Does that mean you shouldn’t use the network? Maybe.

That decision will depend on your views are censorship. How closely do you associate a company with its parent? With their host countries actions? It’s a complicated issue.

Globally, social networks have been given a lot of leeway by their users. Facebook has had scandal after scandal after scandal. And yes, they have continued to grow, now boasting 1/3 of the population as monthly active users.

Their impact on the world was completely unimaginable 10 years ago.

In some ways, it was nice to have a social network that is primarily about dancing, lip syncing, and comedy. Unfortunately, it has a dark side as well.

Is TikTok a national security threat? Probably not. Should you use TikTok? That depends.

What do you think? Let me know on Twitter where I’m @marknca.