Sensible Thoughts on TikTok Security
TikTok is a total privacy mess, but certainly not a national security emergency. Calling it such is bad policy - and here's why.

If you are a typical teen, then you waste about an hour or so each day on TikTok. As a parent, I can confirm that this time is, in fact, truly wasted, because all of the content on TikTok is utterly ridiculous. And look – I watched Gilligan’s Island and The Brady Bunch as a youngster, so I have no right to complain. But it is nevertheless perfectly accurate to point out that TikTok content is basically created by, and for, a bunch of juveniles.

And so, it’s interesting to see the uproar recently, particularly from the resident of the Oval Office, that if we don’t do something quickly about TikTok, our national security will be at serious risk. While channel surfing recently, I paused on the Fox News channel (yeah, I know) and watched a few minutes of a segment designed to terrify me that the Chinese are using TikTok to collect valuable and critical secrets about our society.

Now – before we address this point, let’s examine the snoopware causing the fuss. First, recognize that TikTok does canvas fingerprinting: your device draws some graphic, and a unique hash derived from how that image gets rendered is stuffed into a cookie. The rendering depends on the sub-pixel rendering by your operating system, as well as the compression level and image export options in your browser. The result is a fingerprint – and yes, it’s a bit creepy.

Similarly, TikTok is the poster child for every bad privacy decision a designer could conjure: It logs and shares usage time, watched videos, and search terms to Appsflyer and (possibly) Facebook. It resolves short URLs to simplify review of who’s sharing what videos. It also does audio fingerprinting where sounds are made internally and the bitstream becomes the unique designator. And the app uses Google Analytics without anonymizing IP data.

All this ignores the non-privacy related issue (perhaps bordering on evilness) of the parent company censoring any posted TikTok videos that might be considered subversive or culturally problematic to the Chinese government. This is bad stuff, none of which will ever be welcomed by American users. So, if a teenager or parent chooses to stay away from the app on these moral grounds, then that seems a perfectly mature decision.

That said – I think it would be wise to take a moment to address the severity of actual risk here. We’ve already established that kids post a bunch of silly crap to TikTok, so their search term history and video usage logs would do nothing more than make it clear that all of my daughters and nieces enjoy watching Charli dance (look it up). Since businesses don’t use TikTok, I just don’t see much more risk here than one finds with Instagram or Snapchat.

If you read this TAG Cyber column, then you know that we do not approve of spyware in software, and we are 100% opposed to hidden Trojans in applications that normal users would not have accepted. This is bad practice, and should be addressed by customers simply by not downloading or using that software. But turning the TikTok situation into some invented national security situation dilutes our ability to spot real emergencies.

And on the matter of Trump’s obsession with this app, two things come to mind: First, it is obvious that by picking on the Chinese for any reason, he wins political points with his base, which is a shrinking minority of Americans. But second, I can’t help but wonder if Kellyanne Conway’s daughter trolling the President (and her mom) on TikTok didn’t absolutely infuriate him. (Don’t laugh – anything is possible these days.)

Here's my advice to you: Since there is nothing any of us can do other than watch to see if Microsoft wastes $20B on a company that I predict will be worth zero in a few years, the best we can all do is just crank down the xenophobia. The United States and China will be intertwined for the next century, whether either of us likes it or not. So, it would just seem like a good idea to me that we all start finding ways to cooperate when it comes to tech.

Stay safe and healthy.

Sorry, I don't see any difference between Tik Tok and Facebook, but it is politics! If the US has benefits (??) from Tik Tok, it will support it and defend it. Let me give you an example: the Facebook SDK is in almost every mobile app, so people can be tracked anytime, even if they are offline; they don't need to get your MAC ??

Marcelo Mansur

I build teams out of Pwn2Own, Pwnie Award and DEF CON CTF winners

4 years

It’s as if it doesn’t occur to you that it might be backdoored.

Eric Hess

Digital Assets, Exempt Offerings, Capital Markets, Broker Dealer/Investment Adviser, FinTech, AML.

4 years

Insightful. The broader point is about picking your fights wisely... or at least consistently. Comments are well thought out, but it is hard to take the position that the decision was anything but entirely politically motivated. Maybe if it were a part of a broader national privacy policy versus an obvious political exercise it would have more credibility... and be more moderate in application.

Hi Ed, teenagers don’t stay teens forever. What a great way to develop profiles on people for a surveillance state and carry that on through their entire life, especially in their active professional career.
