In less than three months and notwithstanding intervention, TikTok will be effectively banned in the U.S. unless an American company steps in to save it, after the Trump administration declared by executive order this week that the Chinese-built video sharing app is a threat to national security.
How much of a threat TikTok poses exactly remains to be seen. U.S. officials are convinced that the app could be compelled by Beijing to vacuum up reams of Westerners’ data for intelligence. Or is the app, beloved by millions of young American voters, simply a pawn in the Trump administration’s long political standoff with China?
Really, the answer is a bit of both — even if on paper TikTok is no worse than the homegrown threat to privacy posed by the Big Tech behemoths: Facebook, Instagram, Twitter and Google. But the foreign threat from Beijing alone was enough that the Trump administration needed to crack down on the app — and the videos frequently critical of the administration’s actions.
For its part, TikTok says it will fight back against the Trump administration’s action.
This week’s Decrypted looks at TikTok amid its looming ban. We’ll look at why the ban is unlikely, even if privacy and security issues persist.
THE BIG PICTURE
Internet watchdog says a TikTok ban is a ‘seed of genuine security concern wrapped in a thick layer of censorship’
The verdict from the Electronic Frontier Foundation is clear: The U.S. can’t ban TikTok without violating the First Amendment. Banning the app would be a huge abridgment of freedom of speech, whether it’s forbidding the app stores from serving it or blocking it at the network level.
But there are still legitimate security and privacy concerns. The big issue for U.S. authorities is that the app’s parent company, ByteDance, has staff in China and is subject to Beijing’s rules.
Could Beijing force ByteDance to turn over data on millions of TikTok users? Potentially, yes. But the data that TikTok obtains and generates on its users is not far from what the U.S. can get under its own jurisdiction. Exactly what China would do with that data is unclear, but China, if you recall, is blamed for the massive data breach at the U.S. Office of Personnel Management in 2014, the 2015 Anthem hack and more recently of using powerful spyware to surveil Uyghurs, an oppressed Chinese minority group.
TikTok maintains it hasn’t given any user data to China, “nor would we do so if asked,” per a spokesperson. But that hasn’t done much to quell fears.
The EFF says whoever buys TikTok — Microsoft appears to be the frontrunner — may have the ostensible blessing from the White House. But the buyer will still have to navigate the many security and privacy issues that won’t have gone away.
TikTok tracked user data using a tactic banned by Google
Until November last year, TikTok skirted Google’s app store rules by collecting unique network identifiers from users — without their knowledge — potentially allowing the company to track users online.
MAC addresses are 12-digit codes that are hardcoded in internet-connected devices and can be difficult to change, making it possible to track a device from place to place. Some 1% of Android apps are said to be able to collect MAC addresses — even if Google banned the practice — but brick-and-mortar stores and billboards frequently collect MAC addresses to track individuals as they walk in or pass by.
“It’s unfortunately quite common,” wrote Robert Baptiste, a French security researcher, who weeks earlier wrote a detailed app analysis under the hood of TikTok. “Why the fuck Google is not fixing this issue is another question.”
Exactly what TikTok did with MAC addresses is unclear. It stopped the practice, but critics fear that China could demand the data to use for “blackmail or espionage.”
Collecting MAC addresses without permission is both a violation of Europe’s GDPR privacy rules but also U.S. online child protection rules, likely (or inevitably, under the current political climate) opening the company up to regulatory scrutiny.
But in Baptiste’s view, “it’s bad but far from being a threat to national security.”
All of this reporter’s TikTok followers are fake
Another major concern is that TikTok — like other social media platforms — could be abused as part of foreign disinformation campaigns. This month alone, TikTok banned manipulated “deepfake” videos, improved its fact-checking, and added an in-app reporting option for election misinformation.
But one reporter found that TikTok has done little to curb fake engagement. Motherboard bought $50 worth of artificially inflated followers, likes and views for a benign, uninteresting video, giving it over 25,000 views and 1,000 likes, bumping its popularity across the site.
A week later, the reporter’s account and video were still up — “seemingly undetected by TikTok,” he wrote. It’s precisely this kind of “inauthentic behavior” that Facebook and Twitter have worked but struggled to remove.
MOVERS AND SHAKERS
In other news this week, the FBI — with help from the National Security Agency — publicly linked a new hacking tool, named “Drovorub,” to Russian intelligence, also known as Fancy Bear, which hacked the Democratic National Committee in 2016.
The newly discovered tool targets Linux systems, typically used in server rooms and data centers. When deployed it can hook into a system, persist and exfiltrate data to the attacker’s own servers.
In an advisory, the FBI-NSA said the Russians “continue to threaten the United States and U.S. allies as part of its rogue behavior, including their interference in the 2016 U.S. presidential election.”
Not only does it serve as a reminder to U.S. organizations to patch their systems, it’s a reminder to the Russians that the U.S. can track their work.
$ECURITY $TARTUPS
Just one this week:
Adaptive Shield, a Tel Aviv-based security startup, has raised $4 million and emerged out of stealth. The company helps businesses protect cloud software-as-a-service applications by scanning for settings and configuration changes that could cause security problems.
Send tips securely over Signal and WhatsApp to +1 646-755-8849.