
TikTok Trends or Troubles?

A SecurityInsecurity client recently asked us about the risks of using TikTok, and since this is a question that we field quite often, we thought it best to provide an unbiased analysis of TikTok, their platform, and their operations so that users can develop their own opinions on the matter. To preface this response, it is important to note that every single application available on the market today comes with a certain level of risk and it is ultimately the responsibility of the users to determine whether the usage of an application is worth the risk in the long run. With that said, let’s dive into some research surrounding TikTok.

As always, we would like to start with the facts; more specifically, with the published facts in TikTok’s privacy policy. For the most part the language is boilerplate and nothing egregious jumps off the page. However, one line in the “How we use your information” section caught our attention because it is so open-ended and unbounded: “to facilitate research conducted by independent researchers that meets certain criteria”. This wording is not unique to TikTok, but it raises obvious questions: which researchers, and what criteria?

Upon further review, TikTok never fully explains (or justifies) this line anywhere in its published policies, so we are left to speculate. There is a saying we use often in cybersecurity: “If you’re not paying for the product, then you are the product.” It is reasonable to assume that TikTok sells or shares personal data in bulk, but to whom is far from clear.

Another notable concern is that TikTok appears to be very active in analyzing and interpreting user data. Its privacy policy states: “We may collect information about the videos, images and audio that are a part of your User Content, such as identifying the objects and scenery that appear, the existence and location within an image of face and body features and attributes, the nature of the audio, and the text of the words spoken in your User Content.” Taken at face value, this clause tells users that TikTok analyzes their content in depth and may infer additional information from it. Given how much data is collected, it is fair for users to ask “why?”, but once again this is not exclusively a TikTok concern. Many of the most popular social media applications follow a similar model, in which any expectation of data privacy goes out the window as soon as the user installs the application.

It is no secret that TikTok has been at the center of a great deal of geopolitical controversy over the years, so let’s dissect that for a moment. TikTok is owned by ByteDance Ltd, a company headquartered in China, but its ownership and management are not exclusively Chinese: ByteDance has international investors and operates facilities in several jurisdictions, including the United States. In addition, and contrary to popular belief, there is not enough quantifiable evidence in the public sphere to suggest that the Chinese government is using TikTok to actively spy on American citizens. Note: we said ‘government’. It is undeniable that TikTok as a company harvests data, but whether it sells or shares that information with the Chinese government has not been proven with any high degree of certainty. That said, there are various ongoing investigations into TikTok’s data collection practices and privacy concerns, so more information may come to light as they develop. There have been plenty of claims that the Chinese government uses TikTok to generate anti-American propaganda, or that TikTok is actually owned by the Chinese government, but once again there is no publicly available, verifiable evidence to support these accusations.

So, are there still risks? Absolutely. Any application that requires you to share personal information carries risk, but some concerns are more specific to apps like TikTok. For instance, the application needs to capture audio and video, something many other apps never do. If that data were compromised, it could affect TikTok’s user base in a very negative way, and advances in Artificial Intelligence (AI) make this a genuine concern. It is well known that attackers can use AI to clone a voice (the speed, diction and tonality of an individual’s speech) and to model facial features for the purpose of generating deepfake video. The more content users upload, the easier it becomes for attackers to turn that data to their advantage. Audio and video aside, TikTok openly states that it collects a great deal of other data from its users, including but not limited to: phone numbers, passwords, date of birth, email addresses, photographs, usernames, hashtags, livestreams, messages, clipboard content (text, images, videos), purchase history, proof of age, social network contacts, promotional data, marketing information, surveys… Should we keep going? On the surface, this seems like an awful lot of data for a short-form video application.

This brings us to the million-dollar question: is TikTok as bad as some people believe? Ultimately, that depends on the users and their unique risk appetite. Security is a spectrum and unfortunately there is no one-size-fits-all solution. Regardless of whether users decide to embrace TikTok or not, there are some strategies that can be used to help protect their sensitive data.

At SecurityInsecurity, we always recommend that users read the terms and conditions of the applications they use regularly, especially apps as data-hungry as TikTok. Wherever possible we recommend defense in depth to avoid unnecessary headaches. Below are some simple steps that can increase security while using potentially risky applications.

1. Be aware! This is the most important tip and it cannot be overstressed. Be aware of where you are filming, what you are saying in your videos, where you are using the application, and which permissions it has (contacts, location, messages, camera, microphone, etc.). Awareness is critical to security, and intuition is often your most valuable tool.

2. Turn off unnecessary services and features such as “contact sync” or location services. These extraneous services are often needed only for “fluff” features, and disabling them will not affect the app’s core operation. If they are not needed for core functionality, disable them. This may require some fine-tuning of each app’s settings, but it is a general best practice.

3. Explore data anonymization: create accounts without any personally identifiable information (PII). Use a pseudonym, a burner email address, a phone number not tied to you, and so on. Some applications require real data (and have verification methods to confirm it), so this is not viable in every scenario, but it is a good habit to get into.

4. Use external security tools such as virtual private networks (VPNs), anti-malware/anti-spyware tools, monitoring applications, and so on. While software is not a catch-all solution, it can add a layer of security that reduces your attack surface in most situations. Keep in mind what each tool actually does: a VPN hides your network location from the app and from onlookers on the network, but it does nothing to protect the data you hand to the app itself.

5. Stay informed. As information about particular applications emerges, follow along and continually re-evaluate your risk/reward balance. If an application is under intense public scrutiny for being cavalier with user data, that is a good time to rethink whether it is worth it.
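As an added example (not from the original post), the following Python script turns tips 1 and 2 into a check you can actually run on Android: it reads the output of `adb shell dumpsys package <package>` and reports which sensitive permissions the app currently holds beyond what it needs to record a clip, together with the `adb shell pm revoke` command that removes each one. The package name `com.example.shortvideo`, the dumpsys excerpt embedded in the script, and the choice of camera and microphone as the only "core" permissions are all assumptions made for illustration; replace the sample with a dump from your own device.

```python
import re
import sys
from typing import Dict, List

# Constructed excerpt of `adb shell dumpsys package <pkg>` output (Android 10+ layout),
# trimmed to the sections this script reads. The package name and grants are made up
# for illustration; this is not a capture from any real app.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.shortvideo] (a1b2c3d):
    userId=10123
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.ACCESS_NETWORK_STATE: granted=true
    User 0: ceDataInode=12345 installed=true hidden=false suspended=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
        android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET]
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET]
"""

# Permissions worth a second look on a short-form video app, with a plain-language note.
SENSITIVE = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_CONTACTS": "address book (contact sync)",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.READ_EXTERNAL_STORAGE": "photos and files on shared storage",
}

# Assumption: recording a clip genuinely needs camera and microphone; every other
# sensitive permission is optional and gets flagged when granted.
CORE_NEEDED = frozenset({"android.permission.CAMERA", "android.permission.RECORD_AUDIO"})

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+):\s*granted=(true|false)")


def package_name(dumpsys: str) -> str:
    """Return the package name from the first 'Package [...]' header, or '' if absent."""
    for line in dumpsys.splitlines():
        m = PKG_RE.match(line)
        if m:
            return m.group(1)
    return ""


def parse_permissions(dumpsys: str) -> Dict[str, bool]:
    """Map each android.permission.* entry (install or runtime) to its granted flag.

    Vendor-specific permissions (e.g. com.google.*) are ignored on purpose; widen
    PERM_RE if you want them included.
    """
    grants: Dict[str, bool] = {}
    for line in dumpsys.splitlines():
        m = PERM_RE.match(line)
        if m:
            grants[m.group(1)] = m.group(2) == "true"
    return grants


def flag_sensitive(grants: Dict[str, bool]) -> List[str]:
    """Sensitive permissions that are granted but not needed for core use, sorted by name."""
    return sorted(
        p for p, granted in grants.items()
        if granted and p in SENSITIVE and p not in CORE_NEEDED
    )


def report(dumpsys: str) -> List[str]:
    """One line per flagged permission plus the adb command that revokes it."""
    pkg = package_name(dumpsys) or "<package>"
    lines: List[str] = []
    for perm in flag_sensitive(parse_permissions(dumpsys)):
        lines.append(f"{perm} ({SENSITIVE[perm]}) is granted but not needed; revoke with:")
        lines.append(f"  adb shell pm revoke {pkg} {perm}")
    return lines


if __name__ == "__main__":
    # Usage: adb shell dumpsys package <pkg> > dump.txt && python3 audit_perms.py dump.txt
    # With no argument the constructed sample above is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMPSYS
    out = report(text)
    print("\n".join(out) if out else "No unnecessary sensitive permissions granted.")
```

`pm revoke` only works on runtime (user-toggleable) permissions, which is exactly the set you can also change by hand under Settings > Apps > Permissions; the script just makes the review repeatable. iOS has no equivalent command-line dump, so there the check is a manual pass through Settings > Privacy & Security, one category at a time.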


For fun, we asked SecurityInsecurity President, William Spettmann if he would ever consider opening a TikTok account and he simply chuckled and replied “never.”
