Business Daily Media

what the evidence says about security and privacy concerns

  • Written by Benjamin Dowling, Lecturer of Cybersecurity, University of Sheffield
Woman viewing social media on her phone.

The UK prime minister, Rishi Sunak, recently hinted[1] that he may ban the social media application TikTok from devices used by government employees.

His comments follow similar bans by the European Commission[2] and US federal government[3]. In the EU and US cases, security concerns were used as the justification for a ban. Unlike Facebook or Instagram (both owned by US-based Meta), TikTok is owned by ByteDance[4], which is based in China.

Such concerns are not new. In October 2022, the former US secretary of state Mike Pompeo described his fear[5] that China could compel TikTok to act as a “Trojan horse”, accessing and exploiting sensitive data on users’ devices.

TikTok, like many social media applications, collects significant amounts of user data[6] including dates of birth, email addresses and telephone numbers.

Discussions around privacy in social media applications usually concern excessive collection of data that users consent to handing over. TikTok’s privacy policy[7] says the app collects user location data, up to a granularity of three square km. This is quite coarse – Instagram, for example, allows for more precise location tracking[8].

Instagram says this is for personalising advertisements. But the risk is that, if exposed, location data could be used by malicious parties to track users, enabling behaviour such as intimate partner stalking[9]. This kind of location data was involved[10] in an alleged effort by TikTok employees (who were subsequently reported to have been sacked) to determine the location of US-based journalists – in a bid to catch leaks from inside the company.

In an email published by Forbes magazine[11], ByteDance chief executive Rubo Liang wrote that he was “deeply disappointed” by the episode.

Woman viewing social media on her phone.
Some concerns centre around the ability to construct profiles of individual users. Shutterstock[12]

Access to user data enables businesses to build profiles for specific users. The increasing availability to the public of software tools using machine learning – a type of AI that improves at a task with experience – has caused some cybersecurity analysts alarm.

These experts are concerned about the potential use of this technology[13] for “targeted phishing attacks”. In these attacks, victims receive communication, such as an email, that impersonates a trusted source, prompting the victim to engage with a scam.

Social media applications have significant knowledge of their users. So it’s entirely plausible that building a profile from user data could enable targeted phishing attacks on sensitive government accounts. However, there is no evidence TikTok has been used for this purpose.

Industry standards

ByteDance has responded[14] to recent bans by saying it has not provided user data to the Chinese government. It also claims that its data collection practices align with those of other social media companies. A cursory comparison with the privacy policy of Instagram supports this view: the identifying information collected by Meta from Facebook[15] and Instagram[16] generally matches the information TikTok collects in terms of device information, social media graphs and location information.

Some criticisms of applications such as TikTok have centred on a claim that they function as spyware[17]. The goal of spyware, in comparison to data collection, is to extract confidential or sensitive information that users did not consent to providing. For instance, spyware may target information that the user has copied into the clipboard of their device.

Common advice is to use complex and unique passwords for every online account. So people who are concerned about privacy will often use password managers such as LastPass[18] or 1password[19].

However, these users are likely to copy and paste the complex password from their password manager into an account’s log-in mechanisms. Extracting clipboard information allows those with malicious intent to recover passwords and access sensitive accounts.

Evaluating the risk

TikTok is a “closed-source application”, which means the source code – the underlying instructions – used to build the application is not available. However, there have been efforts to reverse-engineer TikTok’s source code. These efforts have been used to determine whether the app behaves as spyware, or otherwise collects user data in ways that are excessive.

A report by Citizen Lab Research[20] described the reverse-engineering of an Android-distributed version of TikTok. It concluded: “TikTok… (does) not appear to exhibit overtly malicious behavior” such as that displayed by spyware. Furthermore, the report says that while TikTok collects a large variety of device information and usage pattern information, “(these) characteristics are not exceptional when compared to industry norms.”

It is reasonable to conclude that Tiktok itself does not necessarily present a much greater risk in this regard than other US-based social media applications, a conclusion shared by the Electronic Frontier Foundation[21].

The recent bans prompted ByteDance to strengthen privacy protections for users. Specifically, ByteDance announced Project Clover[22], which outlines strategies for improving European data security.

Project Clover proposes a so-called European Enclave, which aims to guarantee that ByteDance employees cannot access or transfer European user data externally without complying with data protection laws such as GDPR. It would also be overseen by a third-party European security company – discussions between ByteDance and this third-party are currently ongoing.

User protections

ByteDance has also proposed two mechanisms for anonymising user data, the goal of which is to ensure that any malicious parties that wanted to access TikTok user data could not exploit it for phishing or other types of attack. The first approach is to “pseudonymise”[23] personal data collected from users to align with Article 4(5) of GDPR[24]. This would require personal data to be processed in such a way that it cannot be linked to specific users without the use of additional, external information.

ByteDance will also aggregate information from users in large data-sets, achieving anonymity by separating the details from a particular user’s profile. Thus, the recent TikTok ban from the European Commission highlights a growing perception from governing bodies that TikTok and other applications could potentially harm user security and privacy through targeted and excessive data collection.

While this has caused ByteDance to propose strengthened privacy protections, users must wait for these to materialise, and for experts to verify them. In the meantime, the onus remains on users to manage their own privacy and decide for themselves whether the risks presented by social media applications like TikTok are worth the value they provide.

References

  1. ^ recently hinted (www.theguardian.com)
  2. ^ European Commission (www.bbc.co.uk)
  3. ^ US federal government (www.theguardian.com)
  4. ^ owned by ByteDance (www.bytedance.com)
  5. ^ described his fear (twitter.com)
  6. ^ collects significant amounts of user data (www.tiktok.com)
  7. ^ TikTok’s privacy policy (www.tiktok.com)
  8. ^ allows for more precise location tracking (help.instagram.com)
  9. ^ behaviour such as intimate partner stalking (www.usenix.org)
  10. ^ location data was involved (www.reuters.com)
  11. ^ published by Forbes magazine (www.forbes.com)
  12. ^ Shutterstock (www.shutterstock.com)
  13. ^ the potential use of this technology (www.darkreading.com)
  14. ^ ByteDance has responded (www.bbc.co.uk)
  15. ^ collected by Meta from Facebook (www.facebook.com)
  16. ^ Instagram (help.instagram.com)
  17. ^ function as spyware (techcrunch.com)
  18. ^ LastPass (www.lastpass.com)
  19. ^ 1password (1password.com)
  20. ^ A report by Citizen Lab Research (tspace.library.utoronto.ca)
  21. ^ a conclusion shared by the Electronic Frontier Foundation (www.eff.org)
  22. ^ ByteDance announced Project Clover (newsroom.tiktok.com)
  23. ^ The first approach is to “pseudonymise” (newsroom.tiktok.com)
  24. ^ Article 4(5) of GDPR (gdpr-info.eu)

Read more https://theconversation.com/tiktok-bans-what-the-evidence-says-about-security-and-privacy-concerns-200608

Will Queensland’s Granny Flat Laws Solve the Housing Problem?

Queensland’s new Granny Flat rental laws aim to ease the housing crisis – but will they? Relaxing laws around renting out your granny flat has lan...

Property

Why Australia’s construction bust will give commercial property values a boost

With builders folding on the daily, second-hand assets are starting to look like a safe haven for property investors, notes Peter Rose, Director, ...

Property

5 Reasons Why Serviced Apartments Are Great Investment

When it comes to property investment success, it is not just limited to the traditional buy-to-let structure. Investors always look for alternative ...

Property

6 Ways to Improve Customer Experience

When it comes to a great customer experience, how you treat your customers, the quality of your products or services, and the overall customer jou...

Business Training

Australian Venue Co to acquire 9 Western Australia venues

Leading hospitality group to enter acquisition & asset swap agreements with Ark Group & Colonial Leisure Group  Australian Venue Co is pl...

Property

How Melbourne Property Lawyers Can Make Transactions Flow More Smoothly?

There are a few things that Melbourne property lawyers can do to make transactions flow more smoothly. One is to be familiar with the contract law...

Property