FCC Commissioner Brendan Carr wrote to Apple and Google asking the two companies to remove the insanely popular TikTok app from their stores, citing a national security threat.
Does your data go to TikTok?
Warning that the app collects vast amounts of data, Carr cites a recent report that claims the company accessed sensitive data collected from Americans. He argues that TikTok's "pattern of conduct and misrepresentations regarding the unrestricted access people in Beijing have to sensitive US data.
It warns that TikTok works as a sophisticated surveillance tool that collects large amounts of personal and sensitive data. It states that it collects:
- Search and browsing history.
- Writing patterns.
- Biometric identifiers, including facial and voice prints.
- Location data.
- Message drafts.
- Metadata
- Text, images, and videos stored on a device's clipboard.
- And more...
In his letter, the commissioner provides evidence to support his argument that TikTok does not follow the security practices of Apple and Google; for example, researchers in 2020 claimed that the app could access sensitive data, including passwords, crypto wallet addresses, and messages. .
Security, politics and publicity
Carr points out that the US government and national security agencies request or enforce the removal of the TikTok app from devices; India banned the app on national security grounds; and some companies have already banned its use on corporate devices.
At the same time, there are still main reports to support the service. For example, one of Britain's leading newspapers, the Evening Standard, leads today with a report explaining who the most followed people are on TikTok. The numbers are staggering: Khaby Lame has 142,8 million subscribers on the service. The most viewed video on TikTok, Zach King's Harry Potter Illusion video has generated 2200 billion views.
That's a lot of people and, in theory, a lot of data potentially available outside the circle of trust that many might expect. That's significant, considering that 80 million people spend around 24 hours a month using the service.
Objectively, TikTok appears to have tried to distance itself from the privacy breaches Carr alluded to, but the latest claim that the company can access US user data may have pushed its reputation over the edge. Although it did move US user data to Oracle servers in the US just before the latest malicious report came out.
What happens next?
I imagine that TikTok will try to challenge the report that prompted the commissioner's request. If that fails, it seems inevitable that Apple and Google will remove the app from their stores, at least in the US.
But what it really represents is an allegory for the level of risk businesses face and will continue to face, as entities of various kinds persist in exploiting digital connectivity for their own ends. If Carr's claims are true, then TikTok joins names like NSO Group and RCS Labs on the list of companies dedicated to invading user privacy.
The US government's Committee on Foreign Investments in the United States (CFIUS) may soon announce a national security bill designed to curb any potential abuse by state actors according to the commissioner's claims.
However, if we disregard nationalities, the claim also exposes the challenge of doing business in an age of increasing scrutiny. If all nations are involved in data exfiltration in this way, no one can be considered truly secure. The fact that some of this activity is outsourced to private shadow entities amplifies this risk.
Of course, in the short term, business users will want to figure out how to convince employees to stop using TikTok on work devices, while security and MDM vendors explore ways to separate the app from the sensitive data it contains on the go. a dual purpose job. /staff machine.
The less they know, the less they know
Ultimately, of course, this news should be seen as a testament to support for Apple's fundamental approach to on-device privacy and security, and a case for taking it further. After all, even the most intrusive app can't collect data that doesn't exist. The best approach is to ensure that the endpoint intelligence remains on the device and cannot be shared in a useful format. Although at this point in digital transformation, the TikTok parable suggests there is still some way to go, so you better make sure your company's security practices are TikTok TipTop.
Follow me on Twitter or join me at AppleHolic's bar & grill and Apple discussion groups on MeWe.
Copyright © 2022 IDG Communications, Inc.