Skip to main content

TikTok Risks Increase For US Citizens And Orgs

A graphic of a smartphone with a fish hook dangling a password and a shield above, symbolizing cybersecurity and data protection.

November 16, 2022 | Charmaine Skoubo

The app’s popularity has given rise to major cybersecurity vulnerabilities on the user-level.

Imagine you’re back in your house in April of 2020, glued to your phone for the latest COVID-19 news. Staying home was tough at times, but people found a cure for the lockdown in the form of TikTok, the social media platform that gained immense popularity in 2020 during the widespread pandemic lockdowns.

As TikTok recently passed 1 billion users, there’s no denying the app’s popularity around the world However, no rise in popularity is without scrutiny, and in recent years the cybersecurity of U.S. organizations, institutions, and even citizens using the app have come into question.

Earlier this year, BuzzFeed News reported on leaked audio from more than 80 internal TikTok meetings that revealed China-based employees of ByteDance, TikTok’s parent company, have accessed nonpublic data about US TikTok users. In response to the BuzzFeed News report, nine U.S. Senators wrote to the CEO of TikTok, Shou Zi Chew, outlining their concerns.

Alarmingly, at the end of August 2022, Microsoft posted on their blog that a recently discovered “high-severity vulnerability” in the TikTok application could have allowed attackers to compromise users’ accounts with a single click. The vulnerability has since been fixed, but attackers could have accessed and modified users’ profiles and gained access to personal information.

In 2020, all branches of the US military banned members from using TikTok both on government and personal devices, and more recently, TSA followed suit. The concerns that led to these bans stem from TikTok’s ownership. ByteDance, the company that owns the social media platform, is a China-based company whose relationship with the Chinese government has U.S. lawmakers concerned of potential cybersecurity issues.

In June 2021, President Biden signed an executive order that instructed the U.S. Government to evaluate the risk of apps connected to foreign adversaries, with TikTok and WeChat in mind. This order specifically directs the Commerce Department, following review of the apps, to detail which it considers to be an unacceptable risk. This risk would be classified into this category if the app was determined to be controlled or managed by people supporting foreign adversary military or intelligence service, or when the apps collect sensitive personal data.

More recently, in mid-September, Biden issued another executive order instructing the U.S. Treasury to more closely vet transactions that could impact U.S. leadership in biotechnology and quantum computing.

ByteDance, the China based company that owns TikTok, then began talks of a U.S. based company buying the platform. However, TikTok was estimated to be worth over $50 billion, and they wanted to still have some stake in the company, making negotiations challenging. Initially, they went with the software company Oracle – but this deal fell far short of a full sale. A contract to provide cloud services is still undergoing negotiations under TikTok’s “Project Texas,” which is the internal name for the company’s efforts to redirect the flow of protected data so that it does not go from the US to China.

However, just before BuzzFeed News published their article, TikTok released a blog post indicating that, while they still have yet to complete a “full pivot to Oracle cloud servers located in the US,” “100% of US traffic is being routed to Oracle Cloud Infrastructure.” But, the very next sentence in their post states that “[w]e still use our US and Singapore data centers for backup,” which indicates that the US user data is still accessible beyond the reach of the US Government.

The fears that lawmakers currently hold regarding the omnipresence of TikTok in the lives of citizens stems from the potential that the Chinese government could force ByteDance to collect and turn over data. Beyond that, there is a passive risk that stems from the concern the Chinese government could direct ByteDance to adjust TikTok’s “For You” algorithm that is the force behind keeping users so engaged and glued to the content produced on the app. The algorithm change could be used to alter the type of content that users in the US see, and thus influence their behaviors and ideas.

Organizations will have to decide on a case-by-case basis how much to restrict employees use with TikTok. Private companies such as Wells Fargo have instructed staff to delete the app from corporate devices, but there has been no widespread policy in place. In any case, it may be important to update IT or web policies within your organization, and also begin to have conversations with staff about these emerging risks.

As with any social media, TikTok also presents the risk of data breaches. In September of 2020, 235 million records containing personal information such as usernames, contact information, and account statistics from profiles across Instagram, YouTube, and TikTok were released in a massive data breach. The culprit was a third-party social media data broker called Deep Social. Both Facebook and Instagram banned Deep Social for repeatedly violating terms of service, but that ban came too late to stop the breach.

If hackers do access your organization’s profile or the profile of a trusted employee, they can do irreparable damage. This damage can range from ruining your brand’s reputation to using the account to spread malware and collect massive amounts of data.

We are invested in cybersecurity!

News

Industry and membership news tailored to Colorado special districts.