The number of government organizations around the world banning their employees from using TikTok on corporately-issued internet-connected devices continues to grow. And a BlackBerry official believes firms in the private sector are about to follow.
On Tuesday, the Bank of Canada and the government of Quebec joined the federal government in banning employees from using the Chinese-headquartered video-sharing app over privacy concerns. And the Speaker of Denmark’s parliament sent an email to politicians and staff urging them to delete the app from their work phones because of an espionage risk.
Ottawa said its decision was based on a review of TikTok by the federal chief information officer, who determined that it “presents an unacceptable level of risk to privacy and security.”
Also this week, the White House gave U.S. government agencies 30 days to ensure they don’t have TikTok on federal devices and systems.
Also on Tuesday, Ismael Valenzuela, BlackBerry’s vice-president of threat research and intelligence, said the private sector may soon follow.
“I know for a fact many CISOs are considering banning TikTok from their corporate devices,” he said in an email. “Many commercial organizations, especially those with bring your own device (BYOD) policies, may not follow this type of policy, but I anticipate others in highly-regulated environments, such as the financial sector, will conduct their own product security testing and legal review of the privacy policy terms to restrict its use, at least on corporate devices or by high-value users.
“It’s no secret nation-state groups often target large corporations for intelligence gathering or even for financial gain, so it’s not difficult to see why corporations may make a similar decision on this policy. Organizations that regularly update their threat model based on contextual intelligence, and that have mature asset management practices and unified management endpoint solutions, are definitely in a better position to manage this risk enterprise-wide.”
Not everyone agrees that the Canadian government’s move is justified at this point. “I don’t understand what the new information is here, which is why I see it as kind of a frustrating, almost theatric response,” Vass Bednar, executive director of the master of public policy in digital society program at McMaster University, told the CBC.
Meanwhile, Check Point Software emailed news media, reminding reporters that “this isn’t the first time the Chinese-owned social media app has been under fire for its data privacy protections.” In 2020, its researchers discovered a vulnerability in the TikTok mobile application’s friend finder feature – a vulnerability that, if exploited, would have enabled an attacker to access users’ profile details and the phone numbers associated with their accounts. This would enable the attacker to build a database of users and their related phone numbers, the report noted.
Check Point notified TikTok and “a solution was responsibly deployed,” the report says.
Last month, the Brookings Institute tried to put perspective on the controversy over TikTok. It cited news stories quoting critics who say the app collects too much personal data, and others who have long noted that China forces all companies there to co-operate with its intelligence agencies when required. But Brookings also quotes those who say banning TikTok won’t greatly improve privacy protection of consumers, because much of the information collected by the app is similar to that compiled by many companies that host consumer-facing products. “The app undoubtably has information on which videos users have watched, comments they have made about those items, and their geolocation while watching the videos, as well as both users’ and their friends’ contact information, but that is true for nearly all digital platforms and e-commerce sites around the world.”
“If concerns about TikTok are around the compromising of personal information with government authorities, either in China or elsewhere, there are many firms both within the U.S. and abroad that have been accused of the same,” the article says. “For example, a former Twitter employee has been convicted of acting as a foreign agent for Saudi Arabia and providing confidential information from that platform about dissidents to foreign officials. Geolocation data are routinely bought around the world by data brokers and repackaged for sale to advertisers, governments, and businesses around the world.”
In the end, the Brookings authors argue, if governments are serious about addressing Chinese security risks, they should limit the ability of commercial data brokers to sell information to adversarial foreign entities (or their intermediaries), in general. “Even if TikTok did not exist, China could purchase confidential information on U.S. consumers from other companies and use that material for nefarious purposes, creating similar national security challenges. The U.S. needs stronger overall platform governance and data privacy regulation to mitigate problems not just from TikTok but from social media platforms overall.”
