

Is TikTok a Threat?

Published 2020-Aug-2 | Privacy, Social Media, Security, Society


The President has promised to ban TikTok in the United States for national security reasons. Is that the case? Are there real security & privacy concerns or is this purely a political move?




[00:00:00] Can a social network that focuses on dancing, lip-syncing and humor be a threat to the national security of one of the biggest countries on the planet? That's a question we're going to look at today. What's the impact of TikTok? TikTok has been in the news for all of the wrong reasons for the last month.

[00:00:22] It has gotten to the point where as I record this, the president of the United States has promised to ban it within the country. That is an extraordinary move that may or may not be possible. On this show, we look at privacy and security impacts. I think somebody branding a social network as a national security threat is the perfect subject matter to kick off this new series.

[00:00:48] So let's get into it. What is TikTok? TikTok is a social network, primarily skewing very young in its demographic. It has 800 million monthly active users around the world, with about 60 to 80 million of those being in the United States. But one in five Americans is on this platform. It is mainly centered around video content.

[00:01:13] So short videos, 15 seconds. So they allow you to string four of those together for a 60-second video, right? And they are experimenting with live streaming, but it's mainly these short 15-second video clips that are the heart of this network. They started mainly in dancing because you could take pre-licensed music and put it into your videos

[00:01:34] very easily, a nice user experience in the primarily mobile interaction with this network. And then it's expanded out into lip-syncing, into comedy. And then, as a natural progression in social networks, that content has diversified and spread out to where brands are involved to increase their engagement with their customers, to where people are talking about social issues.

[00:01:55] And this is where we start to get into TikTok's problems and why they got to the point where they are at the front-row, national attention level within the United States. When the Hong Kong protests were at their peak for media attention in 2019, it was like they didn't even exist on TikTok. That naturally raised

[00:02:15] Huh? A lot of questions. The protests were, primarily, or were very much socially, social media aware that there was content on all the major networks. Why nothing on TikTok? A great investigation by The Guardian revealed that beyond the public statement of community guidelines for TikTok, they have a very aggressive, and very, almost a moderation policy that they are actively enforcing.

[00:02:40] In fact, you could argue that they are enforcing their content guidelines far better than any other social network, but in this case, it's a problem because those content moderation guidelines line up very closely with the view of the Chinese government. So anything that puts that government in a bad light, anything that highlights their atrocious human rights [00:03:00] records, anything that is highlighting

[00:03:02] things like the Hong Kong protests are not allowed on this network, and they will be aggressively removed from the network: either black-holed, so that's where somebody publishes the content, it looks like it's live, but it's not actually getting shared to anybody, or outright removed off the platform, or those users banned from the platform.

[00:03:18] So there's a very aggressive content moderation policy in place with the people to back it up. That's a problem. The Intercept is, and following up, a follow-up reporting in March of 2020, and actually elaborated on this even more to show how broad this censorship policy is. But censorship is not a security or a privacy issue.

[00:03:43] Censorship is a personal, a rights issue. It is a personal stance issue. Yeah. And that is a key question that you're going to have to ask yourself around whether or not you want to support TikTok, whether or not you want to use this network, but it's not the core for this show. This show's around security and privacy.

[00:04:00] So where do we get this idea of a national security threat? It comes down to the fact that TikTok is owned by a company called ByteDance. ByteDance is a Chinese company with headquarters in Beijing, and TikTok is one of its many subsidiaries. TikTok has operations around the world. They have just hired a new U.S. CEO.

[00:04:20] They've promised to hire 10,000 more workers in the United States, and they just signed a bunch of new deals with U.S. recording labels in order to license the music onto the platform. So they do have a heavy U.S. presence. But that parent company linkage has brought them into national attention to the point where the members of the House and the Senate are regularly commenting on this.

[00:04:40] And the president has previously mentioned his promise to ban them within the United States. So despite TikTok saying repeatedly that U.S. user data is stored in the U.S. and backed up to Singapore, is there actually an issue here? That comes down to what kind of data they have access to. This is what we're going to be doing in this show: looking at what the actual issues are when it comes to security and privacy.

[00:05:05] So for this one, you need to look at what you're providing the network. What data have you voluntarily handed over? Because when you dig into the privacy policy and you dig into the terms of service, it clearly states that they have the ability, if they so choose, to share all of the data that they collect, all the data that you provide, with their parent company, along with a bunch of other usual caveats like business partners, for the benefit of their service, things like that.

[00:05:31] But it does clearly state that they can share the data with ByteDance. Whether or not they do is a completely different matter. When you sign up for the network, you're giving up the standard information, nothing you haven't done a thousand times already. They ask for your email, a unique password, your phone number and a couple other details, nothing too sensitive, but still what we would consider personally identifiable information, or PII.

[00:05:54] This is a class of information that tech companies need to treat with a higher level of care [00:06:00] than just normal data. So there is some basic stuff there, but like I said, nothing you haven't voluntarily shared quite liberally across the internet at this point. So the next question ends up being, what kind of data are you generating while you use

[00:06:14] the network? So what kind of metadata, or data about your data, are you actually leaving behind? In this case, it's going to be comments, likes, shares, you're uploading videos if you're an active participant, some direct messaging, all of that information. Again, very clear that you actually are creating it, but there is some stuff behind the scenes.

[00:06:35] Now this is standard for the way technology works. Every time you interact with anything on the internet, you are broadcasting a return address, because that's how you get the data. You send a request, say, "Hey, give me this latest video from Mark," and the video needs to come back somewhere. So the server needs to know where to send it back to that.

[00:06:54] Part of the information is called your IP address, your internet protocol address. It's like a unique phone number on the internet. Now, there is an ability to link those to a physical location at a high level. Yeah, it can be somewhat inaccurate, but when you're dealing with nation-state actors or a very advanced, and governments who are trying to track you, they can be quite accurate.

[00:07:15] So there's this potential for location information, even though you haven't actually given it permission to send your location, with the app or for something you do for like ride sharing or for delivery. So there's a less explicit, there's an issue implicit, sharing of location here. But beyond that, there's nothing nefarious going on behind the scenes.

[00:07:34] So the claim right now from the U.S. government of saying it's the national security threat, because you're sharing your data with the Chinese government, can be applied to any number of websites that you visit, if they happen to be hosted by a Chinese company or Chinese company involved. But the same thing also applies for Canadian companies, for European companies, for U.S. companies, any company that is running a service on the internet.

[00:07:56] They are getting the same type of data. The question is what they're doing with it or what their interest is. So when you're doing this type of analysis, you can't assume intent. I don't know what you're thinking by watching this video. I hope you like it, but I don't know what a company wants to do with my data.

[00:08:13] So I have to assume worst-case scenario. So given that I leave this data all over the internet, there's not really a bad scenario here for most people. Now, there are a couple exceptions. If you're active duty military, this is probably a bad idea, but the same thing goes for using any social network when you're on a base, or even fitness trackers.

[00:08:32] We've seen that before, where fitness tracker use actually identified key military installations. So there is a different threat model because you're in the military and you're on active duty. That's a completely different threat model than you or me or our kids or students at school or whoever the case may be.

[00:08:48] The second unique risk model is for people who are actively involved in elections or in the current political climate down in the States. So if you're a member of the party, or if you're running for a seat, then [00:09:00] you have a different threat model as well. Ideally, you should be aware of already that's an issue and up on your operational security.

[00:09:05] So making sure that you're practicing strong cyber security, but again, that's not the average user. So with knowing this, we know that TikTok isn't tracking any data beyond standard social networks. In fact, a little less than the other social networks, and very much closer to any type of website on the internet.

[00:09:23] So what is the impact of TikTok on the average user? I would say not much. There's not a huge security or privacy impact on the user. The private information that we're providing is stuff that we give to other social networks all the time. It's stuff that we give to a lot of standard web services.

[00:09:40] There's nothing particularly unique about it. There's nothing particularly dangerous about it. Same with the security aspect of the metadata from our behavior, from our interaction, it's basically the same thing as any other website on the internet. Of course, the two exceptions being military and active political campaigns, they have a different risk model than the rest of us than the average user.

[00:10:02] The biggest issue with TikTok is definitely censorship. Are you okay with a heavily moderated community that is not only striking down negative, hateful content, but also things that don't align with their worldview? That's a real issue and that's a personal decision, but it's not a security one.

[00:10:20] That's not a privacy one. The worst thing that we've gotten from TikTok is that it helped propel Old Town Road to number one on the Billboard charts for a record length of time. That is an earworm that took forever to get out. And it's something that I can write, never forgive. But a threat to my privacy, a threat to my security? Not really.