UK TikTok ban gives us all cause to consider social media security

The UK ban on installing and using social media app TikTok on government devices brings our country’s policy in line with that of other jurisdictions including the United States (US) and member states of the European Union (EU).

Announced yesterday in the House of Commons by Oliver Dowden, chancellor of the Duchy of Lancaster, the ban covers devices in ministerial and non-ministerial departments, and is a precautionary move that has not been taken in response to any specific incident or threat.

It’s the latest step in a long-running feud between the West and China over data privacy issues, that besides TikTok has drawn in the likes of Hikvision, a manufacturer of IP surveillance cameras, and most famously, networking and comms giant Huawei, which found itself banned from the UK’s core communications infrastructure in 2020.

All of these cases arise from concerns shared by Britain, the US and other Western states. Broadly speaking, these concerns centre on the possibility that the Chinese government may be able to extract sensitive data from these companies for espionage purposes.

China has a long history of industrial espionage, and its state-backed cyber operations are widely acknowledged as a particularly dangerous threat, so these concerns are not wholly unjustified, and it’s not a stretch to imagine how Beijing could exploit the personal data of UK government officials should it fall into their hands. In light of this, Chris Vaughan, vice-president of technical account management at Tanium, said it’s no surprise to see Westminster following in the footsteps of Brussels and Washington DC.

“Chinese intelligence tactics are usually focused on longer-term objectives and are fuelled by the sustained collection of data,” he said. “The immense collection of user data, to now include commerce and purchasing information, combined with biometrics and activity tracking, feeds detailed intelligence into Chinese state departments.

“This data can also be leveraged to deliver targeted, timely and often personalised psychological operations against individuals or groups of citizens. These tactics could potentially be used during election cycles and politically charged events in the coming years.”

Vaughan regards the UK’s TikTok ban as speaking to a wider issue around how much Chinese influence is deemed acceptable in national infrastructure and everyday life (similar issues dogged Huawei previously).

“We have seen concerns increase in the West in recent months, with the use of Chinese surveillance technology being restricted,” he said. “There have also been numerous reports of Chinese efforts to sway politicians by way of lobbying and donations, and the public via social media and the spread of disinformation.”

“Historically, Russia has been the most prominent user of information operations as we saw from its activities related to the 2016 US election and the Brexit referendum. China has been more focused on stealing intellectual property which it can then use to its own advantage. However, there are indications that the CCP [Chinese Communist Party] will start to focus more on information and influence operations to achieve its strategic goals which adds to the concerns about the use of technology such as TikTok.

“Any instances of these activities need to be met head-on by Western political leaders who should take a strong stance against it at the government level, rather than leaving the responsibility to individual organisations.”

Double standards

In her response to Dowden’s statement yesterday, Labour deputy leader Angela Rayner was scathing in accusing the government of being behind the curve and making sudden U-turns, and for some in the cyber security community, there is something distinctly fishy about its decision.

Matthew Hodgson, co-founder and CEO of secure comms services provider Element, said that in one important way, the ban is downright hypocritical.

“The UK government banning officials having TikTok on their phones while pushing through legislation that will give the UK government access to all UK communications screams of double standards,” said Hodgson.

“Outwardly it looks like they’re taking the security of data seriously by stopping China having a backdoor into UK data, albeit only for government officials currently. However, the UK government is pushing through the Online Safety Bill, which creates a very similar backdoor into every communications platform used by UK citizens.

“So, it’s not OK for China to access government communications but it is OK to provide a route for them to access citizen communications via Online Safety Bill weaknesses? We need to protect the privacy of UK citizens today from bad actors and nation states of all shapes and sizes,” he said.

TikTok speaks out

Naturally, Westminster’s thoughts are not shared by TikTok, which continues to stress that it’s never been asked to hand over data by the Chinese government, and insists it would never do so if asked.

In a statement following Dowden’s announcement on 16 March, a TikTok spokesperson said: “We are disappointed with this decision. We believe these bans have been based on fundamental misconceptions and driven by wider geopolitics, in which TikTok, and our millions of users in the UK, play no part.

“We remain committed to working with the government to address any concerns, but should be judged on facts and treated equally to our competitors. We have begun implementing a comprehensive plan to further protect our European user data, which includes storing UK user data in our European datacentres and tightening data access controls, including third-party independent oversight of our approach.”

The organisation believes it is inaccurate to describe it as Chinese-owned as its European presence is incorporated and regulated in the UK and Ireland, and its parent, Bytedance, is incorporated outside of China, so would not be subject to laws that require it to hand over data to Beijing if asked.

The firm recently announced Project Clover, a dedicated secure European “enclave” to harbour its UK and European Economic Area (EEA) user data. The fulfilment of this project will also see UK user data – currently stored in datacentres in Singapore and the US – moved within European jurisdiction.

It has also named a third-party cyber security company to audit its controls and protections, monitor data flows, and verify its compliance with relevant laws, which it believes goes beyond what any other tech platform is currently doing.

Venari Security chief technology officer Simon Mullis agrees that the TikTok ban is politically motivated, to some extent. “The concerns are really rooted in the ability to assure the chain of trust of data protection from beginning to end, and at all steps in between,” he said. “With TikTok, this has proven to be extremely difficult for a variety of technical and political reasons.

“In fairness, the ban is as much political as it is a consequence of the technical design of the application,” said Mullis. “Is the TikTok design and architecture so wildly different from other social media applications in widespread use as to cause massive security fears? The answer is ‘probably not’.”

Long time coming

But Jamie Moles, senior technical manager at ExtraHop, said that given what we do know about how TikTok works, and most importantly, what we know about the data it requests and must have access to in order to run on a device, it’s mystifying why the UK government has dallied for so long.

“I’m a security expert who downloaded and used TikTok when it came out like so many others, including those working in the UK government,” he said. “But here’s the difference: I removed it as soon as it became clear that the app could harvest anything from my phone including contacts – GPS data, authentication info from other apps, and so on.

“Having this app on your phone is tantamount to giving the Chinese government the keys to our economy.”

Arctic Wolf chief information security officer (CISO) Adam Marrè said: “TikTok is collecting massive amounts of information from consumers like user location, voiceprints, calendar information and other sensitive data. The issue is we don’t know what this data is being used for, or if a foreign government has access to it. 

“With the rise of data brokers who make a living out of selling user information, this platform can serve as a vessel for malicious actors to leverage. They can then sell this information, which can be used to target people via phishing emails, influence via propaganda, or even control or access devices. Let this be a reminder that nothing is truly ‘free’ and that we should all exercise caution.” 

Faaki Saadi, UK and Ireland sales director at SOTI, said: “Any app that harvests the data you put into it should be treated with caution. Especially for people trusted with sensitive company information.

“TikTok being banned from UK government devices should act as a wake-up call to other organisations – do you have full visibility over the apps your employees have on their corporate devices? If not, perhaps now is the time to take stock. And it doesn’t need to be a heavy lift – there are solutions available that can do this for you, and wipe any unwanted apps in an instant.”

Social media security

Marrè and Faadi both speak to a wider issue with social media in general. Other social media platforms such as Facebook and Instagram owner Meta have shown themselves repeatedly to be highly blasé with regard to their user data and security policies. Twitter, under the control of the erratic Elon Musk, is heading in a similar direction.

And Robert Huber, chief security officer at Tenable, said that focusing only on TikTok means we risk missing the forest for the trees. “There are hundreds of software applications used in government agencies every day that introduce risk, and unpatched known vulnerabilities are the most likely source of data breaches,” he said.

“The key is for security leaders to understand their organisation’s unique risk profile, discover where vulnerabilities exist and prioritise remediation efforts to root out those that could be the most harmful first.”

Should we all ban TikTok?

Ismael Valenzuela, vice-president of threat research and intelligence at BlackBerry, said he is already seeing CISOs considering banning the use of TikTok on company devices. This is particularly relevant to those working for organisations that operate in highly regulated environments, such as the financial services sector, where companies are rightly expected to conduct their own product security testing and legal review of privacy policy positions to, at the very least, limiting use on corporate devices or by high-value users.

“There is no doubt that organisations with regularly updated threat models based on contextual intelligence, mature asset management practices and integrated management endpoint solutions are better positioned to manage this risk enterprise-wide,” said Valenzuela.

“It underscores the importance of managing risk throughout the organisation and the need to assess, and thereby control, the impact of the introduction of new products and technologies upon overall organisational security. This includes the use of seemingly innocuous chat and social media apps.

“I suspect that only a limited number of CISOs are aware of TikTok’s privacy policy statement,” he continued. “While attacks on the supply chain are a real concern today, privacy risk should also be a top priority for CISOs of high-risk organisations. This is because personal data on company executives and other important individuals can be of great value in the hands of financially motivated attackers or the state.”

Ultimately, the question of whether or not security leaders should ban or restrict the use of TikTok on company-owned devices is one that only they can answer. But given the growing number of government bans being proposed or enacted, at the very least, a thorough risk assessment is in order, coupled with a wider audit of corporate social media activity.

Leave a Reply

Your email address will not be published. Required fields are marked *