Why the US government’s TikTok ban is impractical for the private sector


The war on TikTok has begun. Since President Biden approved the ban on U.S. federal government employees downloading or using TikTok on state-owned devices in December 2022, over two dozen states have decided to ban the app, due to concerns over ByteDance’s data collection practices.

In both the public and the private sector, there is a growing concern that data collected by the application may be exposed to the Chinese Communist Party (CCP). 

These concerns are well-founded, with security research from Internet 2-0 finding that the data collected by TikTok is “overly intrusive” and “excessive,” gathering information from all the other apps on a user’s phone. 

Now, as organizations consider whether to follow the U.S. government’s lead and ban TikTok altogether, it is important to evaluate whether banning social media apps is actually practical, particularly in the era of bring your own device (BYOD), where the line between personal and work devices is often non-existent. 


Examining the rationale behind the TikTok ban 

One of the main reasons for the anxiety over TikTok’s data sharing practices is that the organization admitted last year that it shares the user data of European citizens with staff in China, Brazil, Canada, Israel, the U.S., and Singapore. 

While the organization insists these methods are for maintaining the user experience and are “recognized under the GDPR,” there is still the potential for state access, with ByteDance required to make its data available to the CCP under Chinese law. 

Anxiety over TikTok’s data collection practices also rose when leaked audio emerged from over 80 internal meetings, with 14 statements acknowledging that engineers in China had access to the personal data of users based in the U.S. This controversy has reached the point where the U.S. government has opted to ban the app altogether. 

“The potential TikTok bans are part of a broader U.S. priority to reduce security risks from China. Other technologies from Huawei, DJI, Hikvision, etc. are falling under similar scrutiny and restrictions,” said Bryan Ware, CEO of LookingGlass and former assistant director of cybersecurity at CISA. 

However, the security risks of TikTok’s data collection processes aren’t just relevant to the U.S. government, but are also something that organizations need to consider too. 

“These companies and products represent real security risks and business impacts, so enterprises should not wait until final determinations are in place to begin limiting or managing their exposures or uses to TikTok and other Chinese products that have known security implications,” Ware said. 

How bad are the risks? 

In terms of practical risks, the most concerning is that private information collected through the app could end up in the hands of the CCP as part of a nation-state surveillance operation. 

“While some might argue that TikTok is dangerous simply due to the impact of social media on the younger generation, even more concerning is the very real possibility that the popular platform is supported by the Chinese Communist Party (CCP) and used to conduct influence operations, collecting sensitive personal and biometric data,” said Matthew Marsden, vice president at Tanium. 

Marsden highlights that TikTok’s privacy policy states the provider “may collect biometric identifiers and biometric information as defined under U.S. laws, such as faceprint and voice prints,” and publicly admits that it may also “share all of the information we collect with a parent, subsidiary, or other affiliate of our corporate group.” 

“This is incredibly concerning as the CCP can easily compel China-based companies to share information to support party objectives,” Marsden said. 

In effect, employees who use TikTok on work and personal devices could be exposing biometric information and other PII to nation-state actors. With biometric authentication becoming more common, harvested biometric data could be used to circumvent or defeat such authentication systems in the future. 

The practicality of banning TikTok 

Although the U.S. government has already begun its crackdown on TikTok, banning usage of the app completely is difficult to achieve for organizations for a number of reasons. For instance, organizations need to be able to manage usage at the application level to implement a ban. 

“A ban on TikTok, or any application, wouldn’t be a simple policy to implement. It requires a comprehensive approach to be put in place and enforced, which could be a significant undertaking for an organization that’s not set up to manage users from a user application perspective,” said Barrett Lyon, cofounder and chief architect of Netography. 

Lyon highlights that most organizations don’t have the technical means or resources to outright ban an app, particularly when apps can change hostnames, network infrastructure or IP addresses, or sit on the same CDNs that serve other important applications. 
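To make the CDN-overlap problem Lyon describes concrete, here is an added example (written for this edit, not code from Netography or the article). It parses constructed DNS resolver log lines, builds the IP blocklist a naive domain-based ban would produce, and reports which unrelated business domains would be cut off because they resolve to the same shared addresses; the domains and IPs are made up.

```python
from collections import defaultdict

# Constructed sample resolver log (not real resolutions), one record per line:
# "<client IP> <queried domain> <resolved IP>"
SAMPLE_DNS_LOG = """\
10.0.0.5 www.tiktok.com 203.0.113.10
10.0.0.5 v16.tiktokcdn.com 198.51.100.20
10.0.0.7 api.payroll.example 198.51.100.20
10.0.0.8 static.crm.example 203.0.113.40
10.0.0.9 www.tiktok.com 203.0.113.11
10.0.0.9 docs.crm.example 203.0.113.11
"""

# Domain suffixes the hypothetical policy bans (assumed list for the example).
BANNED_SUFFIXES = ("tiktok.com", "tiktokcdn.com")


def parse_dns_log(text):
    """Return a list of (client, domain, ip) tuples, skipping blank lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            records.append(tuple(parts))
    return records


def is_banned(domain):
    """True if the domain is, or is a subdomain of, a banned suffix."""
    return any(domain == s or domain.endswith("." + s) for s in BANNED_SUFFIXES)


def ip_blocklist(records):
    """The IP set a naive 'resolve the banned domains and block them' rule yields."""
    return {ip for _, domain, ip in records if is_banned(domain)}


def collateral_damage(records):
    """Map each blocklisted IP to the non-banned domains that also resolve to it.

    Any entry here is a legitimate service that the IP-level block would break,
    which is exactly the CDN-overlap failure mode described in the text.
    """
    blocked = ip_blocklist(records)
    shared = defaultdict(set)
    for _, domain, ip in records:
        if ip in blocked and not is_banned(domain):
            shared[ip].add(domain)
    return dict(shared)


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    print("blocklist:", sorted(ip_blocklist(recs)))
    print("collateral:", collateral_damage(recs))
```

Note that the blocklist also goes stale the moment the app moves to a hostname outside the suffix list, so the same check has to be rerun continuously rather than once.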

At the same time, the widespread nature of BYOD policies means that many of the personal devices that employees use to perform their functions every day aren’t controlled by the security team. 

This means the only option would be to ban the use of personal devices, which is impractical for most organizations operating in hybrid working environments.

So what can organizations do about TikTok? 

The best option that enterprises have when mitigating the potential data security risks of TikTok is to rely on user awareness. In practice, that means educating employees on the security risks created by the app so they can decide whether they want to put their personal information at risk or not. 

“In the case of personal devices being used in places of employment, there is little that could be done, other than offering guidelines to employees,” said Stephen Gates, security evangelist at Checkmarx. 

“For example, a ban on the usage of TikTok when the personal device was connected to an organization’s network could be implemented. But that is nearly impossible to enforce due to encrypted traffic, VPNs and the like,” Gates said. 

It’s also important for organizations to reevaluate whether a BYOD program is necessary for employees to perform their functions. This comes down to assessing whether the flexibility offered by BYOD outweighs the potential damage of data being leaked to nation-state actors. 

Organizations that decide to continue operating in BYOD environments ultimately have to accept a loss of control over the risk of apps harvesting personal data. 

“If you allow employees to ‘bring your own device’ (BYOD), then your control of that device is very limited legally because it is not owned by the organization, it is owned by the employee,” explained Adam Marrè, former FBI cyber special agent and current CISO at Arctic Wolf. 

Originally appeared on: TheSpuzz