The EU Commission, the US government and the Canadian government have all now issued restrictions on the use of the ultra-popular video-hosting service TikTok.
The policies follow years of questions regarding the data practices of TikTok, in particular concerns surrounding the Chinese government’s access to data relating to the firm’s 1 billion+ registered users worldwide.
There are suspicions that the Chinese government has used, or will attempt to use, the data for espionage purposes, because the social media platform is owned by the Chinese company ByteDance. This poses a potential national security risk when it comes to individuals working in government and critical infrastructure organizations.
Hanah Darley, head of threat research at Darktrace, told Infosecurity: “TikTok and other social media providers possess enormous personally identifiable information (PII) on their users and algorithm-specific data surrounding preferences and purchases. Given that TikTok's ownership is in China, there is an additional concern regarding data exploitation and how it could be weaponized.”
Numerous other Chinese companies, including Huawei, have already faced restrictions in countries like the US and UK.
It was concerns surrounding the Chinese government’s access to TikTok user data that led to the EU Commission banning the use of the TikTok application on its corporate devices as well as personal devices enrolled in the Commission’s mobile device service, in February 2023.
Around 32,000 permanent and contract employees must now remove the app as soon as possible and by no later than March 15, 2023.
In a blog post, the Commission explained: “The measure is in line with the Commission’s strict internal cybersecurity policies for the use of mobile devices for work-related communications.
“It complements long-standing Commission advice to staff to apply best practices when using social media platforms and keep high-level cyber awareness in their daily work.”
TikTok was quick to condemn the decision and a spokesperson stated: “We are disappointed with this decision, which we believe to be misguided and based on fundamental misconceptions.”
The VP of public policy of Europe for TikTok, Theo Bertram, expressed his dissatisfaction with the policy and the process by which it was made via his Twitter account. “We haven't been given any explanation. No one has set out the process. Before the suspension kicks in on March 15, we would like to be able to understand if there are any specific concerns and to be given the opportunity to address them,” he outlined.
Mounting Fears
Suspicions around Chinese government access to TikTok data came to the fore in August 2020, when then US President Donald Trump signed executive order (EO) 13873 blocking people from downloading the app, which was followed by an order for TikTok to sell its US business.
EO 13873 accused the popular social app of bending to Beijing’s will in censoring content and of presenting a major data security and privacy risk to American users, businesses and institutions.
Although part of Trump’s motivation for signing these orders could have been geopolitical posturing, it also reflected genuine concerns from security experts. Given the nature of state power and interference in private businesses in China, it is impossible to guarantee that the Chinese Communist Party (CCP) is not able to access TikTok’s vast trove of user data.
“One of the concerns about TikTok is that we’re still not certain about its governance structure and who is pulling the strings,” Jonathan Armstrong, partner at law firm Cordery, noted.
Experts have warned that such data could be used to track perceived government, military or key corporate targets in rival countries.
The potential consequences of the Chinese government accessing TikTok’s user data could be far-reaching, according to Chris Vaughan, VP technical account management EMEA at Tanium.
“Chinese intelligence tactics are focused on longer-term objectives and are fuelled by the sustained collection of data. The immense collection of user data, to now include commerce and purchasing information, combined with biometrics and activity tracking, feeds detailed intelligence to be used in operations,” Vaughan explains.
“This data can be leveraged to deliver targeted, timely, and often personalized psychological operations against individuals or groups of citizens. This has been observed during election cycles and politically charged events in recent years,” he added.
While the two executive orders were revoked by President Joe Biden in June 2021, the security and privacy fears were far from assuaged, and the new administration ordered a Commerce Department review of the security concerns posed by the Chinese-owned TikTok and WeChat apps.
Recent Developments
Evidence has continued to mount relating to the potentially nefarious data collection processes of TikTok.
A white paper published by Internet 2.0 in July 2022 claimed that TikTok has been engaging in excessive data collection and connecting to China-based infrastructure. This includes device mapping, regular monitoring of device location and persistent calendar access.
The paper concluded that most of the observed access and device data collection is not necessary for TikTok to operate effectively, with the application able to run successfully “without any of this data being gathered.”
The Australian cybersecurity firm added that the social media giant refused to go on the record about the details of their China-based infrastructure when approached.
The legality of TikTok’s practices came into question in September 2022 when the UK’s privacy regulator, the Information Commissioner’s Office (ICO), announced its intention to fine the company £27m ($33m) over breaches of data protection law. Its provisional findings indicated that TikTok may have processed the data of children under the age of 13 without “appropriate” parental consent and processed special category data without legal grounds to do so, among other violations.
Shortly afterwards, in November 2022, TikTok confirmed that some of its employees outside Europe, including in China, can access the data of individuals using the app in the continent.
While the company argued that this was necessary for staff to do their job and was “subject to robust controls and approval protocols,” it only fuelled fears about the Chinese state’s potential access to user information.
In response to these developments, Cordery’s Armstrong observed that TikTok has been on a “charm offensive” to try to assuage Western security concerns. This includes providing answers to questions from nine US Republican Senators who raised concerns about TikTok’s data privacy in July 2022.
This letter emphasized that TikTok has never been asked by the Chinese Communist Party (CCP) to share US user data.
The company has also held meetings with UK and EU officials at its European HQ in Dublin, and in January 2023, TikTok’s CEO Shou Zi Chew met with EU officials to discuss privacy, misinformation and cybersecurity fears.
Yet, this dialogue has failed to stem the tide of opinion at the Western government level. Before the EU Commission’s decision to ban staff from using the TikTok app on their devices, several US federal government agencies banned TikTok on federal government-issued devices on national security grounds in 2022, and in January 2023, the Dutch government reportedly advised public officials to avoid using the app.
These decisions have been of no surprise to Armstrong. “Some of TikTok’s data processing practices still don’t look right – for example, when I checked their cookies it seems some cookie data is still being retained indefinitely. This will be extremely hard – and probably impossible – to justify to a regulator,” he explained.
“Many of us have been reluctant to install TikTok on our work devices for a number of years – in some respects this is a move the Commission should have taken some time ago,” Armstrong added.
Future Penalties for TikTok
The EU Commission’s decision appears to already be having a knock-on effect. Just days later, Canada announced it will also be banning TikTok from all government-issued devices, and the White House gave all US government agencies 30 days to ensure that employees did not have the Chinese-owned app on federal devices.
In addition to these restrictions, Armstrong expects the company to face further regulatory action. For example, he said Ireland’s Data Protection Commission (DPC) is leading an investigation into TikTok that is currently going through the European Data Protection Board (EDPB) process.
“I imagine this is because other EU data protection authorities are trying to get the fine raised. I’d expect to see a large fine announced in the next few weeks,” he outlined.
Armstrong believes that any fines issued by data protection authorities “could be easily overtaken by civil penalties.”
The social media behemoth is already facing a number of civil group action claims in Europe in respect of privacy breaches, including in the Netherlands and UK. The claim in the Netherlands is for a huge €1.5bn ($1.6bn).
TikTok could also face court orders to be more transparent, or even to change its business practices in regions like the EU.
“For example, is TikTok really HQ’d in the Cayman Islands as it has said in the past? If so, to what extent does HQ control data processing or is some of that done in China? Restricting TikTok’s business model could be more harmful than any fines too,” noted Armstrong.
More generally, the concerns around TikTok’s practices and ambiguous relationship with the Chinese state may make governments adapt their approach to social media companies going forward.
Darktrace’s Darley commented: “Governments must continue to demand accountability for data holders and users in the private sector, especially social media providers. As these technologies continue to develop and usage skyrockets, it is imperative that legislation keeps pace and regulates this mass data market to the greatest extent.”
TikTok’s business model and data practices are coming under increasing scrutiny from regulators and governments, and moves to restrict its usage among state employees are coming into effect. There is room for more restrictive moves, and this trend will push government action to its limits.
TikTok has already responded to these moves, but it remains to be seen whether it can persuade Western nations that it is truly independent from the Chinese government. This will be vital in determining the company’s future in these regions.