While TikTok is seeing a significant increase in usage amid the COVID-19 lockdowns, questions still remain around how it tracks user data, how its algorithm surfaces content, and what types of information it is, and is not, obligated to share with the Chinese Government.
Indeed, just this week, the UK Ministry of Defence issued an internal directive that TikTok is not to be used by staff, citing the app’s likely exposure to the Chinese government. Both the US and Australian militaries have initiated similar bans on the app – and while TikTok has been working to distance itself, and the data it collects, from the ruling Chinese regime, clearly, that association still remains for some.
And when military officials make such a ruling, it raises questions as to what they’ve discovered, and whether other users should also be concerned.
This is one of the many perceptual challenges now faced by incoming TikTok Chief Information Security Officer Roland Cloutier, who was appointed just last month. Cloutier has this week outlined his key areas of focus, as he looks to improve the app’s systems and processes.
Cloutier has outlined three key elements:
- Working with the world’s leading cybersecurity firms to “accelerate our work advancing and validating our adherence to globally recognized security control standards like NIST CSF, ISO 27001 and SOC2”
- Facilitating more transparency around the app’s operations, which includes the development of the company’s new Transparency Center in LA.
- Limiting the number of employees who have access to user data, and the scenarios where data access is enabled.
On the last note, Cloutier specifically highlights the need to establish more distance between TikTok’s operations in the US and those of its Chinese parent company, ByteDance:
“Although we already have controls in place to protect user data, we will continue to focus on adding new technologies and programs focused on global data residency, data movement, and data storage access protections worldwide. Our goal is to minimize data access across regions so that, for example, employees in the APAC region, including China, would have very minimal access to user data from the EU and US.”
Of course, “very minimal” is a relative term – a criminal only needs “very minimal” access to my bank account to rob me of everything I have. In this respect, any access at all will likely maintain a level of concern, and until TikTok can absolutely assure authorities that it will not share user data, in any way, with the Chinese Government, it’s hard to see that changing, and for concerns around the app to dissipate.
And TikTok likely can’t say that. Under China’s cybersecurity laws, all Chinese-owned companies must comply with Chinese government requests for user data on demand, without question. That, of course, doesn’t necessarily mean that the Chinese government is going to make such a request, and TikTok has repeatedly noted that it doesn’t store American user data in China, limiting any potential exposure. But as long as TikTok is owned by ByteDance, which is based in China, it seems likely that there will always be the possibility that it may well have to share user data, in some form, with Chinese authorities.
This is why military personnel are banning TikTok use, and why various analysts and government groups have advised caution with it. The fact is, the same concerns would be present with any Chinese-owned app, because the rules they are required to adhere to essentially compel them to share data, if requested.
That, then, remains the key question. Will the Chinese Government actually request that TikTok share its data? Has it already? We don’t know, and we also don’t know what such insights could be used for.
As noted, this is one of the many challenges that Cloutier now faces, and it looks set to remain a point of contention for some time yet.