TikTok's Ticking Clock


Jack Wild


For the brief time that TikTok was shut down in the US, many people tried bypassing the block with a VPN, routing their access to the social media service through another country, only to discover that this method didn't work.

TikTok still seemed to know that they were Americans.

TikTok has, after all, been accused of tremendous levels of tracking and data collection, and this ban enforcement seemed to prove it.

Except… it doesn't.

There are easily dozens of ways that TikTok can verify the location of a user without intrusive levels of tracking. To name just a few:


  1. The mobile app can use the phone's location services
  2. The phone's SIM card and phone number indicate the country of origin, even when the user is outside that country
  3. The user specifies their location at registration
  4. Cookies and other app-specific tags

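The list above is the whole point of why a VPN did not work: the connecting IP address is only one of several signals, and the others do not change when traffic is routed through another country. The following is an added example (not TikTok's code, and the field names, weights and blocked-country policy are assumptions for illustration) of a server-side region decision that weighs signals the user cannot alter by changing their exit IP before it considers the IP at all:

```python
"""Resolve a user's region from several location signals so that a VPN exit
IP alone does not change the answer. Added example; signal names, weights and
the blocked-country set are assumptions, not any real service's policy."""
from dataclasses import dataclass
from typing import Optional

# Constructed subset of Mobile Country Codes (first three digits of a SIM's
# IMSI). These particular assignments are real; the table is far from complete.
MCC_TO_COUNTRY = {
    "310": "US", "311": "US", "234": "GB", "262": "DE", "460": "CN",
}


@dataclass
class LocationSignals:
    ip_country: Optional[str] = None            # GeoIP of the connecting address (VPN exit)
    sim_mcc: Optional[str] = None               # MCC reported for the phone's SIM
    registration_country: Optional[str] = None  # country entered at signup
    region_cookie: Optional[str] = None         # app-set tag from an earlier session
    gps_country: Optional[str] = None           # from location services, if granted


def resolve_region(s: LocationSignals) -> tuple[Optional[str], list[str]]:
    """Return (country, evidence). Each available signal casts a weighted vote;
    signals that travel with the device or account outweigh the IP address."""
    votes: dict[str, int] = {}
    evidence: list[str] = []

    def vote(country: Optional[str], weight: int, source: str) -> None:
        if country:
            votes[country] = votes.get(country, 0) + weight
            evidence.append(f"{source}={country}(+{weight})")

    vote(s.gps_country, 4, "gps")
    vote(MCC_TO_COUNTRY.get(s.sim_mcc or ""), 3, "sim")
    vote(s.region_cookie, 2, "cookie")
    vote(s.registration_country, 1, "registration")
    vote(s.ip_country, 1, "ip")  # the only signal a VPN changes, and the weakest

    if not votes:
        return None, evidence
    return max(votes, key=lambda c: votes[c]), evidence


def is_blocked(s: LocationSignals, blocked: frozenset = frozenset({"US"})) -> bool:
    """Apply a (hypothetical) per-country service block to the resolved region."""
    region, _ = resolve_region(s)
    return region in blocked


if __name__ == "__main__":
    # Constructed case: US phone, US session cookie, but the traffic now exits in Canada.
    vpn_user = LocationSignals(ip_country="CA", sim_mcc="310", region_cookie="US")
    print(resolve_region(vpn_user))   # ('US', ['sim=US(+3)', 'cookie=US(+2)', 'ip=CA(+1)'])
    print(is_blocked(vpn_user))       # True
```

The weights are arbitrary; what matters for the argument is the ordering. The IP address is the cheapest signal to spoof, so it is the last one consulted, and none of the inputs above require anything beyond what the app already legitimately holds.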

This is not to say, of course, that TikTok isn't collecting huge troves of personal data. They are.

In fact, the security and privacy industry has been screaming for years about the levels of TikTok data collection, which is above and beyond even standard social media data collection.

According to TikTok's own privacy policy, TikTok collects:


  • Standard account details
  • All user-generated content
  • Phone and social network contacts
  • Device information such as IP address, user agent, mobile carrier, identifiers for advertising purposes, device model, device system, network type, app and file names, keystroke patterns and rhythms, battery state, and connected audio devices
  • Location data, including nearby points of interest
  • Identifying contents of images and audio uploaded
  • Metadata of any uploaded content


If there are legitimate concerns, then, about TikTok's privacy policy, why does it matter how a service ban is enforced?

Reputation.

TikTok developed a (well-earned) reputation for collecting personal data. As soon as users had a reason to complain, then, they complained about that data collection, even when it wasn't warranted.

The same lesson is true for how we build our own security program.

If we focus on taking shortcuts, postponing security projects, and encouraging bad practices among team members, we will earn a reputation as a place that doesn't take security seriously. As a result, any issues that arise will be blamed on security, and few will take us seriously when we claim to have the issues resolved.

On the other hand, if we build a reputation for strong security practices, then users will likely consider a breach or security issue as an anomaly.

It all comes down to the reputation we build and communicate.

So, whether or not you believe that TikTok should be banned, we can still learn from their situation and consider the reputation that we are building for ourselves.


Security News

  • A flaw in the widely used Cloudflare content delivery network (CDN) can expose someone's location by sending them an image on platforms like Signal and Discord, deanonymizing them in seconds without their knowledge.
  • DoJ Busts Up Another Multinational DPRK IT Worker Scam
  • Apple has released software updates to address several security flaws across its portfolio, including a zero-day vulnerability that it said has been exploited in the wild.
  • A group of academics has disclosed details of over 100 security vulnerabilities impacting LTE and 5G implementations that could be exploited by an attacker to disrupt access to service and even gain a foothold into the cellular core network.
  • An exhaustive evaluation of three firewall models from Palo Alto Networks has uncovered a host of known security flaws impacting the devices' firmware as well as misconfigured security features.
  • The Texas Attorney General's Office has filed its first lawsuit under the Texas Data Privacy and Security Act (TDPSA), taking the Allstate Corporation to task for sharing driver location and other driving data without telling customers.
  • New evidence suggests that more than half of the US population was touched by the ransomware attack(s) against UnitedHealth subsidiary Change Healthcare.
  • Attackers impersonating the US Postal Service (USPS) are striking again, this time in a widescale mobile phishing campaign that taps people's trust in PDF files.
  • Cybersecurity has been identified as the top risk for the energy industry, new research suggests, with 65% of professionals in the sector citing it as the greatest threat to their operations.


Until next time!

The Craft Compliance Team
