Last time around, we talked about security and privacy concerns surrounding Zoom, the videoconferencing app du jour. Another product that has recently gained tremendous popularity is TikTok, an app for creating and sharing short videos, typically with musical backgrounds. As with Zoom, concerns have been raised regarding the security of TikTok, so much so that President Donald Trump has gotten involved. What’s with all the fuss?
Just about everyone has seen a TikTok video in the past few months, a testament to its popularity. Most of the videos are meant to be humorous. Videos are created and can be shared in the app. Videos also can be posted to other social media such as Facebook, Instagram and other websites. Seems innocent enough, right?
Why then has the app been banned by so many, including the U.S. Navy, U.S. Army, Wells Fargo, political campaigns, even the entire country of India? First and foremost, the biggest concern is that TikTok is owned by Beijing-based ByteDance, which also owns several other social media platforms. With the current state of international relations, it’s very easy to distrust anything based in China.
Is there any technical basis to support these concerns? In a word, yes. On iPhones, TikTok was identified as one of several apps taking advantage of a flaw in iOS and reading the last item copied to the clipboard. Relying upon the tried-and-true excuse of ‘it’s not a bug, it’s a feature,’ TikTok nevertheless quickly released a fix. However, even after this fix was released, the offending behavior continued.
So what, you say, who cares what’s on my clipboard? Well, in the Apple-verse, the clipboard is typically shared among all your devices, such as your Mac and iPad. It is not uncommon at all to copy sensitive documents or emails or financial information to the clipboard, and many password managers rely upon the clipboard to function. Which means … your passwords are all copied into the clipboard. Most times, even after you’ve pasted, the info remains in the clipboard.
Now, there is no evidence, not even anecdotally, that TikTok actually has used this hack for nefarious purposes. But it’s the type of intrusion that is all too common on our phones, not just by TikTok but by others.
If you bother to read the extremely fine print, TikTok tells you that it will collect all sorts of data. It tracks websites you visit, even how you type. On iPhones, this is limited to what you do within the app. On some Android-based phones, it will track this info even when you are using other apps. By default, the app tries to gain access to photos, videos and contact info, which can be denied by the user. It tracks your location via GPS, which can be shut down, but that could cause issues with other apps.
Note that these are not uncommon practices. The question is, what does TikTok do with this data? In America, despite the protestations of the tinfoil hat conspiracy theorists, it’s largely understood that this data is used for capitalistic purposes — that is, to figure out how to make more money. It is certainly conceivable that such data, in the hands of a global competitor (if not outright adversary), can be used for unethical purposes.
This uncertainty is the basis for the Trump ban. His executive order calls for TikTok to be sold to a U.S.-based company or banned in the U.S. Executing a ban would require the cooperation of not only ByteDance, but also Apple, Google, Microsoft and many others, which is questionable. (A separate order calls for similar action with respect to another Chinese-owned app, WeChat.)
Speaking of Microsoft, it was in talks with ByteDance to buy TikTok prior to Trump’s executive order. A Microsoft purchase would render the executive order moot.
John Agsalud is an information technology expert with more than 25 years of IT experience in Hawaii and around the world. He can be reached at jagsalud@live.com.