TikTok is “unacceptable security risk” and should be removed from app stores, says FCC

An article written by Jovi Umawing, a senior writer for Malwarebytes. A disturbing read for those using TikTok.

Posted: July 5, 2022 by Jovi Umawing

Brendan Carr, the commissioner of the FCC (Federal Communications Commission), called on the CEOs of Apple and Google to remove TikTok from their app stores. In a letter dated June 24, 2022, Carr told Tim Cook and Sundar Pichai that “TikTok poses an unacceptable national security risk due to its extensive data harvesting being combined with Beijing’s apparently unchecked access to that sensitive data.”

Carr also said:

But it is also clear that TikTok’s pattern of conduct and misrepresentations regarding the unfettered access that persons in Beijing have to sensitive US user data … puts it out of compliance with the policies that both of your companies require every app to adhere to as a condition of remaining available on your app stores.

Therefore, I am requesting that you apply the plain text of your app store policies to TikTok and remove it from your app stores for failure to abide by those terms.

In the Twitter thread, Carr pointed out the national security risks TikTok poses.

Excessive data collection

TikTok is said to collect “everything”, from search and browsing histories; keystroke patterns; biometric identifiers—including faceprints, something that might be used in “unrelated facial recognition technology”, and voiceprints—location data; draft messages; metadata; and data stored on the clipboard, including text, images, and videos.

Carr cited several incidents as evidence that TikTok has been dodgy about its data collection practices.

Relation to the CCP (Communist Party of China)

ByteDance, a company based in Beijing, developed TikTok. In China, it is known as Douyin. Carr mentioned in his letter to Apple and Google that ByteDance “is beholden to the Communist Party of China and required by Chinese law to comply with the PRC’s surveillance demands.”

Senate and House committee members, cybersecurity researchers, and privacy and civil rights groups have flagged this as a concern. In 2019, two senators labeled TikTok a “potential counterintelligence threat we cannot ignore”. The American Civil Liberties Union (ACLU) is also concerned about the social platform’s “vague” policies, especially in collecting and using biometric data.

Unclear use of collected data

It’s a non-issue for apps that are clear about collecting data, but these must also say how they use the data they collect. TikTok, it appears, is not one of those apps that abide by this clause.

“Numerous provisions of the Apple App Store and Google Play Store policies are relevant to TikTok’s pattern of surreptitious data practices—a pattern that runs contrary to its repeated representations,” the letter reads.

“For instance, Section 5.1.2(i) of the Apple App Store Review Guidelines states that an app developer ‘must provide access to information about how and where the data [of an individual] will be used’ and ‘[d]ata collected from apps may only be shared with third parties to improve the app or serve advertising’.”

Is TikTok a “sophisticated surveillance tool”?

TikTok didn’t sit on its hands when news spread of the FCC calling for its removal from major app stores.

Speaking with CNN’s “Reliable Sources”, Michael Beckerman, VP, Head of Public Policy, Americas at TikTok, refuted a large chunk of the FCC’s claims against the social media company, predicated on the notion that Carr isn’t an expert on such issues and that the FCC doesn’t have jurisdiction over national security.

“He’s pointing out a number of areas that are simply false in terms of information that we’re collecting, and we’re happy to set the record straight,” Beckerman said.

When asked about the inaccuracies in Carr’s claims, Beckerman responded: “He’s mentioning we’re collecting browser history, like we’re tracking you across the internet. That’s simply false. It is something that a number of social media apps do without checking your browser history across other apps. That is not what TikTok does.”

“He’s talking about faceprints—that is not something we collect,” he said, explaining that the technology in their app is not for identifying individuals but for the purpose of filters, such as knowing when to put glasses or a hat on a face/head.

Concerning keystroke patterns, Beckerman said, “It’s not logging what you’re typing. It’s an anti-fraud measure that checks the rhythm of the way people are typing to ensure it’s not a bot or some other malicious activity.”

When challenged if the CCP has seen any non-public user data, he said, “We have never shared information with the Chinese government nor would we […] We have US-based security teams that manage access, manage the app, and, as actual national security agencies like the CIA during the Trump administration pointed out, the data that’s available on TikTok—because it’s an entertainment app—is not of a national security importance.”

Politicians and privacy advocates have criticized TikTok for potentially exposing US user data to China for years. To allay fears, TikTok teamed up with Oracle and began routing data of its American users to US-based servers.

This, however, doesn’t answer some questions raised when Buzzfeed News broke the story about TikTok employees in China “repeatedly” accessing US user data for at least several months. Such incidents reportedly occurred from September 2021 to January 2022, months before the Oracle data rerouting.

There is also an allegation that a member of TikTok’s trust and safety department said in a meeting that “Everything is seen in China”. A director in another meeting allegedly claimed that a colleague in China is a “Master Admin” who “has access to everything.”

“We want to be trusted,” Beckerman said during the CNN interview. “There’s obviously a lack of trust across the Internet right now, and for us, we’re aiming for the highest, trying to be one of the most trusted apps, and we’re answering questions and being as transparent as we can be.”

5 Likes

‘as we can be’ seems an intended reassurance but also could be taken as a hedge if there ever was one.

7 Likes

Personally, I try to run as few apps as possible.

There aren’t any apps that I exactly trust (other than the ones that come from Apple itself, because Apple doesn’t need to rely on a dodgy app to compromise me when they can just do it via the base operating system).

This would apply to

a) most if not all social media apps

b) a great many apps across the entire spectrum of apps.

I would hope that this would be on a country-by-country basis, i.e. if the FCC decides that TikTok is an unacceptable national security risk to the US, that should not automatically apply to any other country.

There isn’t really an answer to this for any government. The US government is being silent about the fact that it has unchecked access to so so so much data itself. Ditto the Australian government.

The only answer is … don’t collect the data in the first place. However, that would require the world to move right away from the “surveillance capitalism” business model, which business model parasitic governments then leverage off.

They could be more transparent if they open-sourced the app. That at least makes it completely transparent as to what information is collected by the client app and what information is then sent to the server.

Unfortunately you still don’t know what is done with the information on the server and who has access to it.

2 Likes

A lawsuit by a sacked exec that reinforces that premise.

https://abcnews.go.com/Business/wireStory/executive-fired-tiktoks-chinese-owner-beijing-access-app-99295965

4 Likes

What I find interesting is the different rhetoric about TikTok in Europe compared to other places in the world. The outrage in Europe over TikTok isn’t there, it’s all very muted… why?

Facebook has been fined in the EU for sending personal data outside the EU.
1.2 billion euro fine for Facebook as a result of EDPB binding decision
If TikTok was a problem you would expect the same legal action in the EU. There doesn’t appear to be any.

Social media and other platforms have to comply with EU law
Europe designates 19 platforms as gatekeepers under Digital Services Act
Those 19 are: Alibaba AliExpress, Amazon Store, Apple AppStore, Bing, Booking.com, Facebook, Google Play, Google Maps, Google Search, Google Shopping, Instagram, LinkedIn, Pinterest, Snapchat, TikTok, Twitter, Wikipedia, YouTube, Zalando

TikTok seems to have been under a lot of scrutiny with opinions on its security risks, when it is commonly known that WeChat is monitored and data is captured by the Chinese authorities. The Australian government has focused on TikTok but continues to use, for official government purposes, WeChat so they can connect with Australian residents who use WeChat to communicate with family, friends and work colleagues in China. It is confusing to say the least why focus has been on TikTok but not on WeChat, which is used often for political purposes - such as being able to advertise party policies during an election campaign.

Using WeChat has significantly higher risks when compared to TikTok. Maybe political benefits override the risks.

Note: we use WeChat when communicating with Chinese friends in Australia and China and understand the risks. We are also very careful about the permissions given to WeChat on the device it is installed on and the type of information communicated through the platform. We are also careful that its use doesn’t potentially make those we communicate with become the attention of Chinese authorities.

2 Likes

(The whole subject area illustrates the fundamental problems with knowing exactly where data is stored.)

On the face of it, TikTok should be being fined too - for doing the same thing i.e. sending data about EU citizens to the US. But there are two additional factors.

  1. TikTok also has a major data centre in Singapore. Whether Singapore is any better or any worse than the US, I don’t know - but it is clearly outside the EU. The action against Facebook is specifically in relation to sending data to the US, not just outside the EU, as I understand it.

  2. TikTok is building two major data centres within the EU. This investment, coupled with a “commitment” to use them once in operation, may be sufficient to hold off the EU attack dogs (even though that makes it likely that TikTok is not actually compliant today).

I put “commitment” in quotes because the actual concern by the US is not where the data is stored but who has access to it. If you believe that the Chinese government can’t access the TikTok data when it is stored in the EU but can access the data when it is stored outside the EU then I’ve got a bridge to sell you.

Facebook can no more resist a secret directive from the US government than TikTok can from the Chinese government.

I’m sure there is a strong element of “geopolitics” in all this. I could summarise it as: The EU is more concerned about the US than China. The US is more concerned about China than anyone else.

If you ask me, it is the EU that has its head in the “sand”. :wink:

Not a fan of TikTok personally, I will just stick with YouTube.

TikTok is also setting up operations in the US; it is known as Project Texas. Project Texas resides in Oracle Cloud Infrastructure (OCI), where US authorities will have access to it through the US Cloud Act. The US Cloud Act gives US authorities access to any data and servers residing on any US cloud provider anywhere in the world. Australia has an agreement with the US on the US Cloud Act.

TikTok is setting up a similar operation in Ireland; it is known as Project Clover.

Now that’s “unacceptable security risk”. :slight_smile:

1 Like