
Why the US government’s TikTok ban is impractical for the private sector



The war on TikTok has begun. Ever since President Biden approved, in December 2022, a ban on U.S. federal government employees downloading or using TikTok on state-owned devices, two dozen states have decided to ban the app due to concerns about ByteDance’s data collection practices.

There is growing concern in both the public and private sectors that the data collected by the application could be exposed to the Chinese Communist Party (CCP).

These concerns are well founded, with research from Internet 2-0 finding that the data collected by TikTok is “overly intrusive” and “excessive”, with the app collecting information from all other apps on a user’s phone.

As organizations consider whether to follow the US government’s lead in banning TikTok altogether, it’s important to evaluate whether banning social media apps is really practical, especially in the bring-your-own-device (BYOD) era, where the line between personal and work equipment is often nonexistent.


Exploring the rationale behind the TikTok ban

One of the main reasons for the concern about TikTok’s data sharing practices is that the organization admitted last year that it shares European citizens’ user data with staff in China, Brazil, Canada, Israel, the US and Singapore.

While the organization insists these methods are intended to preserve the user experience and are “recognized under the GDPR,” there is still the potential for state access, with ByteDance obligated to make its data available to the CCP under Chinese law.

Concerns about TikTok’s data collection practices also increased when leaked audio emerged from more than 80 internal meetings, with 14 statements acknowledging that engineers in China had access to the personal data of users in the US. This controversy has reached the point where the US government has chosen to ban the app altogether.

“The potential TikTok bans are part of a broader US priority to mitigate China’s security risks. Other technologies from Huawei, DJI, Hikvision, etc. are subject to similar controls and restrictions,” said Bryan Ware, CEO of Looking Glass and former deputy director of cybersecurity at CISA.

However, the security risks of TikTok’s data collection processes are not only relevant to the US government, but also something organizations should be aware of.

“These companies and products represent real security risks and business implications, so companies should not wait until final determinations are made to limit or manage their exposure to or use of TikTok and other Chinese products whose security implications are known,” Ware said.

How big are the risks?

In terms of practical risks, the most concerning is that private information collected through the app could end up in the hands of the CCP as part of a nation-state surveillance operation.

“While some may argue that TikTok is dangerous simply because of social media’s impact on the younger generation, the very real possibility that the popular platform is backed by the Chinese Communist Party (CCP) and used to conduct influence operations is even more worrying, collecting sensitive personal and biometric data,” said Matthew Marsden, vice president at Tanium.

Marsden emphasizes that TikTok’s privacy policy states that the provider “may collect biometric identifiers and biometric information as defined in U.S. law, such as facial and voice prints,” and publicly admits that it may also “share any information we collect with any parent, subsidiary or other affiliate of our corporate group.”

“This is incredibly concerning because the CCP can easily force China-based companies to share information to support party goals,” said Marsden.

In fact, employees using TikTok at work and on personal devices could be exposing biometric information and other PII to nation-state actors. With biometric authentication in use, the collected biometric information could be used to circumvent and exploit such solutions in the future.

The practicality of banning TikTok

While the U.S. government has already begun a crackdown on TikTok, it’s difficult for organizations to completely ban the use of the app for a number of reasons. For example, organizations must be able to manage usage at the application level to implement a ban.

“A ban on TikTok, or any application for that matter, would not be an easy policy to implement. It requires a comprehensive approach to be adopted and enforced, which can be a significant undertaking for an organization not set up to manage users from a user application perspective,” said Barrett Lyon, co-founder and lead architect of Netography.

Lyon emphasizes that most organizations don’t have the technical means or resources to ban an app outright, especially when apps can change hostnames, network infrastructure or IP addresses, or overlap with existing CDNs serving other important applications.

At the same time, the widespread nature of BYOD policies means that many of the personal devices employees use every day to perform their jobs are not managed by the security team.

This means that the only option would be to ban the use of personal devices, which is impractical for most organizations operating in hybrid work environments.

So what can organizations do about TikTok?

The best option enterprises have in mitigating TikTok’s potential data security risks is to rely on user awareness. In practice, this means that employees are informed about the security risks created by the app, so that they can decide whether or not to put their personal data at risk.

“In the case of personal devices used in workplaces, there is little that can be done except offering guidance to employees,” said Stephen Gates, security evangelist at Checkmarx.

“For example, there could be a ban on using TikTok when the personal device is connected to an organization’s network. But that’s almost impossible to enforce because of encrypted traffic, VPNs and the like,” Gates said.

It is also important for organizations to reevaluate whether a BYOD program is necessary for employees to perform their duties. This comes down to assessing whether the flexibility offered by BYOD outweighs the potential harm of data leakage to nation-state actors.

Organizations that decide to continue operating in BYOD environments must eventually accept losing control over the risk of apps collecting personal data.

“If you allow employees to bring your own device (BYOD), then your control over that device is legally very limited because it is not owned by the organization, but by the employee,” explains Adam Marrè, former FBI cyber special agent and current CISO at Arctic Wolf.

Shreya Christina (http://ukbusinessupdates.com)