TikTok – a risk to manage?

Update 07 July 2020: Since we initially published this blog, the US White House has announced executive orders in an attempt to restrict US dealings with TikTok and WeChat.

The orders, signed by US President Donald Trump, cited concerns that the data-sharing would allow the Chinese Communist Party access to Americans’ personal data, which could be used to track locations and build dossiers on Federal employees and contractors for use in blackmail and corporate espionage. The orders also cited concerns that the app allowed censorship in China of certain events, such as the Hong Kong protests and the treatment of Uighur Muslims, as well as the use of the apps in disinformation campaigns. The far-reaching orders, which take effect in 45 days’ time, essentially restrict any transactions between any US entity and the parent companies of both apps or connected entities.

Considering the scale of usage of both apps in the US and globally, these executive orders will undoubtedly have substantial impacts on users, communities and, in some instances, businesses which rely on the apps to market goods and services or promote their brands. We expect to see significant backlash in response to the announcement from these groups. The orders may also stimulate the development of technical workarounds by users who want to keep using the apps, and the development of similar apps to fill the niche that will be left. Larger US technology companies will likely see the announcements as an opportunity for future acquisitions, or for launching and promoting their own alternatives.

Another potential reaction to these orders is that of Chinese retaliatory action against US private companies which trade in China or rely heavily on Chinese production in their supply chains. As such, we might expect to see similar Chinese action to restrict trade with US entities, particularly those involved in technology.

Businesses with operations in the US should be mindful of their obligations under these executive orders and review staff use of the apps on corporate devices.

The popular Chinese-owned video-sharing app TikTok has recently received considerable attention from Governments and businesses, based on concerns about security and privacy. Are these reactions proportionate for all businesses and what are the factors that might influence corporate approaches to managing the risks associated with apps on mobile devices?

The privacy of mobile apps

We now use our mobile devices in an enormous number of ways. We find places, read, shop, book travel, socialise, meet potential partners, order food, and play games. The data generated by this activity has become a prime commodity, allowing companies to service their users and market more effectively. However, data can also be used for other purposes, most often lawfully but sometimes skirting the rules of what is acceptable and what infringes on users’ rights.

The rise of TikTok

The Chinese-owned video-sharing app TikTok was the most downloaded non-gaming app in the first half of 2020, helped by the COVID-19 global pandemic which saw more young users drawn in to escape the monotony of lockdown. But the app has seen significant controversy, driven by privacy and security concerns in both the US and Europe. The app is alleged to share a large amount of user data with the Chinese company which owns it, as well as having some functionality whose purpose is unclear. Given the legal requirements for Chinese-owned companies to share data and provide assistance to the Chinese Government, this has provoked some concern among other Governments and companies.

While this concern is potentially being over-emphasised by some for political capital in an increasingly tense relationship between the UK, the US and Beijing, concerns around apps and data sharing more generally are well founded. Despite an increased focus on data protection in the West via elements such as legal requirements around terms of usage and privacy policies, users and businesses are not well informed about how their data is being collected and used by many mobile applications.

Geopolitics of apps

International Governments have seized on the power of speaking publicly against Chinese apps to further political or diplomatic objectives. In June 2020, following military action between the two nations, the Indian government announced a “ban” on 59 Chinese Apps, including some of the most downloaded. The list included TikTok and one of the most popular apps in the world, WeChat. India claimed the apps were “engaged in activities … prejudicial to [the] sovereignty and integrity of India.” While also attempting to protect national interests, wide-reaching bans on apps originating from one country will also serve as a kind of economic sanction while sending a clear political message.

US President Trump has announced his intention to ban TikTok, although it is unclear what authority he would rely on or what legal challenges he would face in doing so. A senior UK politician also publicly suggested TikTok should be banned on the grounds that it was an “untrusted vendor”, likening it to the Huawei controversy. Similar concerns to those raised about TikTok led the Chinese parent of the dating app Grindr to agree to sell the company to a US-based buyer.

Businesses follow suit

Some may see these announcements as pure political point-scoring, but some businesses have followed suit. The US bank Wells Fargo announced a ban on the app on some corporate-held devices, citing concerns about privacy and security but also acceptable use; it is highly unlikely that many bank staff have a legitimate need for the video-sharing app to do their jobs.

Amazon was also scrutinised in press reporting over ambiguity in its messaging surrounding corporate use of the app. The firm reportedly sent an email to staff requesting removal of the app for security reasons. Public messaging from the company subsequently stated it had not changed its policy on the app.

As a result of the significant media attention on this issue, it is highly likely that many businesses in the UK and the US will be asked questions by their leadership regarding how risks from TikTok and other apps are managed. As well as security concerns, a significant worry, well-founded or not, is that businesses such as TikTok are subject to Chinese laws requiring that they provide personal data on users and devices to the Government and co-operate with all requests for technical assistance with intelligence or security matters. Despite flat denials that user data is shared with the Chinese Government, concerns remain.

The threat from TikTok

While most of TikTok’s functionality is likely necessary to provide its core services, some researchers have claimed that certain features within the TikTok app have no discernible benefit to the user. Equally, other researchers have refuted this assertion.

Regardless of the functionality, the fear is that, in the wrong hands or used improperly, a mass of data on individual users could be used to target them or to gather information on their locations and the devices they use. It is argued that this could potentially be used to support Chinese intelligence activity and operations. The concern in cases such as TikTok is one of espionage – governments looking to acquire data on individuals and businesses to progress political, military or economic aims.

Technical reviews of the TikTok app are split about the data-sharing that it carries out. In January 2020, a security researcher published technical research on the TikTok app, making inferences about the purpose of the app and alleging it was a “data collection service …thinly-veiled as a social network”.

This reverse-engineering of the app led to allegations of considerable sharing of data between the app user and TikTok, including device details, IP addresses, routers and Wi-Fi access points in use, and what other apps are installed on the user’s device. Further to this, the researcher also alleged privacy issues such as exposing user email addresses by transmitting data unencrypted, and questioned the purpose of some functionality, such as a component of the Android app which is capable of downloading and executing files on users’ devices. The concern is that such a component could allow someone to run unwanted or malicious code on a device to steal data or take over the device.

In this instance, the researcher was careful to point out his previous work researching other social networking apps, stating that many he had reviewed did not share “anywhere near the same amount of data that TikTok does”.

However, alternative technical analysis has concluded just the opposite: that the TikTok app does not act suspiciously, nor does it share significantly different data from that of other popular apps.

It may be true of established and well-scrutinised apps that privacy and security are high on the priority list. Some have had their fingers burnt by privacy scandals and tightened their security and privacy controls as a result. However, not all apps are created equal, and privacy by design is not always at the forefront of many app developers’ minds. This is particularly true of projects led by individuals or small teams creating apps on a shoestring. Many other apps have security and privacy issues but, given low popularity and no links to foreign governments, they have escaped attention.

With both TikTok and other consumer mobile apps, businesses should be mindful of managing apps’ access to their corporate devices, and carefully assess what business purposes they serve.

Managing the risks from consumer apps

While security and data privacy are a concern for all businesses, there is no one-size-fits-all answer to the question of how much risk allowing particular apps into corporate environments entails. Organisations invariably face different risks and have different risk tolerance levels reflecting their business strategies.

In this case, a defence contractor might view a Chinese-associated app as a significant risk, while a small retail business might not share those concerns. Bearing this in mind, businesses need to undertake individual appraisals of the risks that consumer or business apps may pose. This includes the use of consumer applications such as WhatsApp, for which remote access vulnerabilities are known; games which have been linked to intelligence activity; apps known to leak location data; and apps whose data collection is generally seen as significant, but not necessarily problematic, such as Facebook.

When considering these risks, businesses need to think about the data that their staff could either hold or generate on their devices and determine whether access to that data poses a risk to the business, or to the staff member. Beyond access to business data, does the collection of information on device usage, installed applications and e-mail addresses linked to device IDs present an issue?

This consideration needs to be extended beyond the core business; suppliers whose clientele might include government agencies or defence firms, for example, may wish to proactively adopt the more cautious stances of their clients to facilitate smoother conversations in the inevitable supply chain reviews they will experience.

Depending on the risks faced, businesses may choose to remove all consumer applications from corporate devices, to allow only specific apps onto a device (creating a protective bubble), or not to separate these concerns at all.

Technology mitigations

The most common tool for the mitigation of risks to mobile devices is the use of strong Mobile Device Management (MDM) solutions.

Such tools can be used either to maintain complete control over devices being used to access corporate data, or to set up secure sandboxes on mobile devices, allowing only trusted apps access to the corporate data on business devices. An application like TikTok should be kept outside this sandbox, as there are few legitimate business use cases for it.

This latter option does come with drawbacks: a sandbox protects corporate data, but it does not protect user-generated data that might expose a staff member to coercion, for example, if users are still able to install applications at will outside the sandbox.

The pros and cons of each approach, such as cost and likely staff reactions (for example, the use of secondary devices), must be considered.
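As an added example (not code from the original post or from MDR Cyber), the sandbox-versus-personal-side distinction described above expressed as a simple check over a constructed MDM app inventory: apps inside the managed container must be on an allowlist, while watched consumer apps outside it are only escalated for higher-risk devices. The bundle identifiers, field names and risk tiers are assumptions.

```python
# Added example: evaluate a constructed MDM app inventory against a
# sandbox policy of the kind the section describes. All identifiers
# below are constructed placeholders, not real app bundle ids.
from dataclasses import dataclass, field

# Apps permitted inside the managed (corporate-data) container.
CONTAINER_ALLOWLIST = {"com.example.mail", "com.example.docs", "com.example.vpn"}

# Consumer apps the business has decided to watch, with the reason.
WATCHLIST = {
    "com.example.videoshare": "unclear business purpose",
    "com.example.chat": "known remote access vulnerabilities",
}

@dataclass
class App:
    bundle_id: str
    managed: bool  # True if installed inside the MDM-managed container

@dataclass
class Device:
    device_id: str
    risk_tier: str  # "high" (e.g. defence supplier) or "standard"
    apps: list = field(default_factory=list)

def evaluate_device(device):
    """Return a list of (severity, message) findings for one device."""
    findings = []
    for app in device.apps:
        if app.managed and app.bundle_id not in CONTAINER_ALLOWLIST:
            # Anything inside the sandbox that is not explicitly trusted
            # has a path to corporate data: always a high finding.
            findings.append(("high", f"{app.bundle_id} inside container but not allowlisted"))
        elif not app.managed and app.bundle_id in WATCHLIST:
            # Outside the sandbox the app cannot reach corporate data, but
            # personal data on the device is still exposed; escalate only
            # for devices in the high risk tier.
            sev = "high" if device.risk_tier == "high" else "info"
            findings.append((sev, f"{app.bundle_id} on personal side: {WATCHLIST[app.bundle_id]}"))
    return findings

def devices_needing_action(devices):
    """Device ids with at least one high-severity finding, sorted."""
    return sorted(d.device_id for d in devices
                  if any(sev == "high" for sev, _ in evaluate_device(d)))

# Constructed sample inventory.
SAMPLE = [
    Device("dev-001", "high", [App("com.example.mail", True), App("com.example.videoshare", False)]),
    Device("dev-002", "standard", [App("com.example.docs", True), App("com.example.videoshare", False)]),
    Device("dev-003", "standard", [App("com.example.videoshare", True)]),
]
```

Running `evaluate_device` over `SAMPLE` flags dev-001 (watched app on a high-tier device) and dev-003 (an untrusted app inside the container) for action, while dev-002 only gets an informational note.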

Policies and training

Whether technical solutions are implemented or not, businesses wishing to address these risks must ensure that appropriate policies and training are in place for their staff.

While conversations about app security and privacy are becoming more common, staff will inevitably benefit from straightforward guidance on the risks they face not only from a business perspective, but also from a family perspective when their partners, parents, or children make use of apps which might not be trustworthy.

Response Planning

Similarly, the issues posed by rogue apps should be factored into incident response plans. This doesn’t mean individual playbooks just for mobile phone incidents, but businesses should ensure that, as with any other potential cyber incident scenario in their risk register, the plans in place can address these events.

While restricting access to certain apps may have obvious security benefits to an organisation, it is important to balance the needs of your individual business against these concerns.

MDR Cyber provide cyber security consultancy and threat intelligence services to help businesses assess, treat and monitor risks to their businesses. For more information, contact cyber@mishcon.com.