Some governments have banned the Chinese social media app TikTok on work devices, which has left many wondering whether their data and privacy are really at risk, or whether the Chinese company has simply been caught in a diplomatic spat.
When you install an app on your phone, do you read all the terms and conditions? Does anybody?! For some social media apps, however, the details in the small print could have serious implications.
The UK, US, European Commission and Canada have recently banned the Chinese social media app TikTok from government devices; India has banned the app outright, and the US is currently debating whether to ban the app altogether as well. The fears are rooted in how data is collected and shared, with many claiming the app poses a national security risk because the Chinese government potentially has access to the data.
There are also fears of data being passed on to other malicious actors. For corporate treasurers, this could mean, for example, that all the data from their work phone – such as location, search history, contact lists, keystroke information, biometric data, and more – could be used to inform a bank scam and launch a phishing attack that targets their company’s funds.
Amid this, it is difficult to assess whether TikTok – which has over one billion active users worldwide – is riskier than other social media apps, or whether the app’s owner ByteDance has been caught in a diplomatic spat, with some of the usual charges of espionage being levelled against a Chinese company.
The US is considering whether to go the route of India and ban the app altogether or force the company to spin off for the US market, a proposal first suggested during the Trump administration. TikTok has been described as a ‘Trojan horse’ used as a means for the Chinese government to access sensitive data, and other accusations go further. For example, US politician Buddy Carter said during a recent Congressional hearing, “I don’t speak for everyone, but there are those on this committee, including myself, who believe the Chinese Communist Party is engaged in psychological warfare through TikTok to deliberately influence US children.”
The company’s CEO Shou Zi Chew, in his testimony to the US Congress, denied this and said accusations of spying were a mischaracterisation. ByteDance has also denied it has shared data with the Chinese government.
As Benjamin Dowling, Lecturer of Cybersecurity at the University of Sheffield, points out, spyware is something quite different from the usual use of social media apps – spyware extracts data from users without their consent, which is a different issue from the privacy policies users are consenting to. Dowling argues TikTok’s privacy policy isn’t much different from the likes of Instagram or Facebook. And Citizen Lab Research stated in a report that TikTok’s behaviour is not overtly malicious.
In terms of location data, for example, Dowling explains in a piece for The Conversation that TikTok collects data up to 3km sq, which is less precise than the exact location Instagram pinpoints. This can be used for malicious purposes, however, such as stalking. Dowling also says that user data can be used to build profiles of users, which could be used – in combination with artificial intelligence and machine learning – for phishing attacks (where social engineering is used to target a victim and to fool them into handing over large sums of money).
The privacy issues came to prominence in April 2022 when ByteDance changed its policy, which enabled staff in China to access the data of users in Europe. This caused alarm bells to ring, especially in light of news reports that ByteDance employees were using data – such as location – to spy on US journalists to root out their sources.
Amid these concerns, what is the best approach for multinationals and their corporate treasurers to take? Is it worth banning the app altogether, even on personal devices? Dowling concludes the onus should be on users to manage their own privacy and decide for themselves whether the risks are worthwhile.