CybersecurityManagementTechnologies & SolutionsSecurity Enterprise ServicesSecurity Leadership and ManagementLogical SecuritySecurity & Business ResilienceCybersecurity News

Security of TikTok: How does a Microsoft acquisition change things?

By Sam Rubin
tiktok
August 6, 2020

Security fears linger around the wildly popular, Chinese-owned social media platform TikTok, and discussions are in the works for the platform to potentially be acquired by Microsoft. Should users be concerned in the interim? Will a change of ownership to a U.S.-based company allay security and privacy fears?

It’s important to note that neither acquisition talks nor moving through deal legal approvals are instantaneous processes, despite any amount of applied political pressure to the contrary. While it is rumored that President Trump has put a time clock on Microsoft’s deal negotiations, even an aggressive schedule still means several months of Chinese company ownership and the uninterrupted use of a roughly 65-80 million U.S.-based users. TikTok has stated that it does not operate in China and that it stores U.S. user data in the United States; however, its Beijing, China-based owner, ByteDance, must adhere to Chinese law (as must all Chinese companies).

With an ever-shifting maze of Chinese national security, intelligence, and cybersecurity laws, any Chinese company could be compelled to meet requests by the CCP (including by providing data). While we certainly can’t speculate as to whether the CCP would require ByteDance to produce TikTok user data, it certainly stands to reason that if the CCP were in fact motivated to do so, the time is ripe prior to any acquisition. A “wait and see” approach is warranted: current users would be wise to limit what they share with the application, and non-users may wish to wait to see what transpires in the coming days and weeks before signing up.

If TikTok is acquired by a U.S.-based entity, that would sever any legal ties to the CCP and should allay concerns about China’s ability to access this U.S. user data. It is important to remember, however, that all applications carry with them inherent risks. When downloading applications, few read the lengthy, legalese-cloaked End User Licensing Agreements (EULAs). These agreements typically contain terms that enable the platform operator to collect data in either clearly specified or vague ways. On the surface, TikTok functions much like other social media platforms in that it gathers user information to allow sign-in and supply targeted advertisements.

It keeps track of cookies and user search and browsing history on the application and has access to the user’s location through the device’s SIM card or IP address. If given permissions, it can access phone contacts and social media contacts. Together, disparate data points gathered over time can paint a fairly detailed picture about the user, including daily routines, political beliefs, social circles, preferences, buying behaviors, and more. In short, users should generally be concerned about data gathering on any application they use, regardless of who owns and operates it.

Another concern we are seeing expressed more recently is around voter manipulation. Concerns about technological influence on voting and foreign election interference are certainly not new; but if motivated or compelled to do so, TikTok might be in position to attempt to influence election results through biased algorithms and content moderation and the promotion of preferred content and/or deletion of undesirable content.

Given its hefty U.S. user base, TikTok has the opportunity to shift opinions if misused. (Chinese-based Tencent also invested $150M in Reddit, an influential social media platform, providing the country with yet more social media muscle.) Despite acquisition talks, the time delay until close of the deal could still present adequate time to influence opinions as we lead into the election.

While being acquired by a U.S.-based entity may give TikTok the “all clear” from a foreign intellectual property theft and voting manipulation viewpoint, it hasn’t happened yet and the risk is real—you might want to hold off on your #millennialdancechallenge to save TikTok. When and if it does, all other application security, privacy, and viewer discretion warnings still apply; let the downloader always be wary.

KEYWORDS: cyber security information security national security privacy concerns TikTok
Screenshot 244

Sam Rubin is a Vice President at The Crypsis Group, where he leads the firm’s Managed Security Services business, assists clients, and develops the firm’s business expansion strategies. Rubin is an industry-recognized cybersecurity professional with wide-ranging expertise in data breach incident response, digital forensics and cybersecurity risk management. Rubin frequently serves as an expert witness and has provided expert opinions in numerous high-stakes matters, including a landmark civil trade secret misappropriation case, a criminal securities fraud matter, and civil litigation stemming from a multi-billion-dollar Ponzi scheme. He is a frequent presenter, author, and lecturer on cyber-related topics, including digital forensics and incident response, insider threats, and information security best practices.

Blog Topics

Security Blog

On the Track of OSAC

Blog Roll

Security Industry Association

Security Magazine's Daily News

SIA FREE Email News

SDM Blog

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!