Irredeemable: A TikTok Ban Is the Only Solution

The possibility of a TikTok ban emerged again in the wake of testimony before the United States Congress from TikTok Chief Executive Shou Zhi Chew. The Biden administration has signaled it wants TikTok sold to a United States company, but this overlooks real vulnerabilities for every TikTok user in the United States. Only a ban can counteract the cyber security risk of this irredeemable software.

What Is the Concern with TikTok?

TikTok was developed and is owned by ByteDance, a Chinese company. While the company itself claims no affiliation with the Chinese Communist Party (CCP), members of the United States House of Representatives cited a Chinese law that compels Chinese businesses to turn over any data requested by the CCP. Lawmakers also asked if TikTok had been used to monitor the locations of people of interest to the Chinese government, which Chew denied.

These questions from bipartisan members of the House Energy and Commerce Committee underscore one of the greatest risks of TikTok: that it can be used to collect data on U.S. citizens or Chinese nationals residing in the United States for targeted cyber attacks or cyber fraud. Protect Now has recommended for some time that high-value targets, people who operate or have access to large amounts of personal customer data, should not use the app due to these risks. The United States government, along with the governments of Canada, India, the United Kingdom and the European Union have banned TikTok on all government-owned devices on security grounds.

During Chew’s testimony, members of Congress also brought up the potential for TikTok to be used as a propaganda tool, as well as its negative impact on the mental health of some users. These are legitimate concerns, but national security concerns should be a higher priority, and Congress missed two very significant areas that are well known to cyber security professionals.

TikTok’s Hidden Dangers

Every video on TikTok is available to the company’s owners, and most are available freely online. President Biden appeared in a TikTok shot in the Oval Office as recently as last week, demonstrating the stark gap between the reality government leaders perceive and the real risk of the software.

Millions of users posting videos provide a stream of real-time information about the exterior and interior layouts and contents of locations throughout the United States. Working from these videos, foreign agents could easily construct 3-D models of them and potentially identify security measures. Cyber criminals are known to scan videos of offices for passwords written on whiteboards or sticky notes on desks. Videos may also inadvertently reveal the schedules and locations of security personnel, access points for cyber intrusions and potential targets for phishing attacks. As Protect Now has outlined previously, TikTok should be banned from all office settings except a designated location in the lobby free of anything that a criminal would find interesting.

These concerns are not unique to TikTok; users of YouTube, Instagram, Vimeo and Facebook should also be mindful of what and where they share to prevent compromise. What is unique to TikTok is the access that a rival government could have to this information, including private videos that are not widely shared.

The second hidden danger of TikTok is its code, which has been developed by Chinese programmers. Mandiant recently reported a new wave of cyber attacks on firewalls that they attribute to Chinese hackers, noting that the sophistication and novelty of the attacks made their full extent difficult to detect. The United States government strongly suspects Chinese involvement in cyber attacks against U.S. businesses and organizations. While TikTok has not been used for any large-scale cyber attacks to date, there is no way for cyber security professionals to guarantee that it could not be used for targeted or widespread attacks in the future. The code base of the software itself is suspect. Moving that code base, or the data of U.S. TikTok users, to a server in the United States will not eliminate those vulnerabilities. The code is irredeemable; only a ground-up rebuild of TikTok could eliminate the risk.

Is a TikTok ban coming?

The Biden Administration and the United States Congress have proposed two possible solutions, while TikTok is promoting one of its own:

  1. Relocation of all user data and code for the United States version to a facility in the United States (known as “Project Texas” within TikTok)
  2. A sale of the U.S. arm of TikTok to a U.S.-based company
  3. A TikTok ban

In comments ahead of Chew’s testimony, Chinese officials rejected the prospect of a sale and warned that a forced sale or ban might make foreign investors afraid of U.S. regulators. TikTok’s preferred solution is to retain ownership and move data and code to the United States, but this would not fully address the cyber security or propaganda concerns raised by Congress. A sale of the platform to a U.S. owner would also fail to resolve these concerns unless every bit of the original code was replaced by new code developed by United States programmers. ByteDance has signaled that it intends to protect the algorithm that recommends videos on TikTok, making a ground-up rebuild unlikely.

A ban would be bad news for TikTok users and U.S. investors, as well as a rare and somewhat doomed attempt to control what U.S. residents can access online. Circumventing the ban could be as simple as setting up a VPN, and it would fall to Congress to determine whether this would be a criminal offense. A ban would significantly limit exposure and use of TikTok in the United States, providing the only real way to mitigate its potential cyber security risks.

I'm all for regulating TikTok, but the issue is the REST of the RESTRICT Act/Bill. It's turned into a dumpster fire that's akin to the Patriot Act 2.0. So I personally have written and called my Senators asking them to NOT support this act/bill. So while yes, TikTok is dangerous, we've been given a bill that will NOT be subjected to the Freedom of Information Act, exempts itself from adhering to Chapter 10 of part 1 of Title 5 US Code, strips away our rights to VPNs, and has language that's too vague so it can be overreaching. So it sounds like we're gearing up to die, once again, on the hill of "good intentions". Louis Rossmann did a decent video explaining his concerns with the act/bill. https://youtu.be/xudlYSLFls8
