The short video-sharing social network TikTok has been the fastest-growing platform of its kind in recent years. It is now used by over one billion users in 154 countries, with two million in the Czech Republic alone.
However, as the popularity of this platform continues to grow, questions are being raised about its security. TikTok is developed and operated by ByteDance, a Chinese company based in Beijing. It thus falls under the jurisdiction of the People’s Republic of China, which is a cause for concern. “TikTok sends data to China, while Facebook and Twitter send data to the US. It very much depends on which country is our ally and which is our adversary at the moment. Trust in the legal environment of certain countries has a direct impact on the trustworthiness of the companies that are based in those countries and subject to their laws. In countries with a less trustworthy legal environment, it cannot be ruled out that the government will force the companies to put the interests of the state before the interests of their customers,” explains Tomáš Plesník, Head of the Cybersecurity and Data Management Division of the MU Cybersecurity Team.
TikTok is thus able to collect browsing history and biometric identifier data, map the device, track private communications and access the device’s contacts on behalf of the Chinese government. “The amount of data and the way it is collected can be used to target specific individuals for cyber-attacks, thereby increasing the risk of a successful breach (e.g. through spear phishing). At the same time, this data can be used to blackmail persons of interest and thus undermine the security or strategic interests of the Czech Republic,” adds Tomáš Plesník.
Some institutions have already taken concrete steps in response to the aforementioned risks and the growing popularity of the app. In early March, the European Parliament banned its staff from using TikTok. The ban applies not only to their work devices but also to their personal devices registered for EU services.
Subsequently, the National Cyber and Information Security Agency (NÚKIB) warned against using the app. It recommended prohibiting the installation and use of the TikTok app on devices used by employees for work. At Masaryk University, this warning concerns the Information System (IS MU) and the personnel and economic system (INET). The Cybersecurity Team of Masaryk University has issued its own warning.
MU Cybersecurity Team recommendations
In its warning, the MU Cybersecurity Team recommends that students and employees of the University do not install or use the TikTok mobile application on devices from which they access the IS MU and INET, in order to protect their personal data.
Masaryk University has had its Czech-language profile on TikTok since last summer. Considering all the security risks, it has now decided to say goodbye to its TikTok followers and delete the account by the end of April. It will no longer support or use the social network as a communication and marketing channel. With this move, the university wants to set an example and bring attention to TikTok’s inappropriate handling of personal data.
Warning for IT users at MU
When using TikTok, the application’s operator may:
• force the use of a native browser, which allows monitoring of almost all user activity (e.g. collecting information about the device, including connection to Wi-Fi networks, device and SIM card serial number, phone number, a list of all user accounts used on the device, and complete clipboard access);
• map the device, where the application collects information about other running and installed applications;
• regularly check the device’s location;
• forward private communications to the servers of the Chinese company ByteDance;
• access contacts on the device.
As for the future of TikTok, Tomáš Plesník adds: “Western countries are likely to go down the route of a complete ban for all users, or at least attempt to do so. The US state of Montana has already passed such legislation and President Biden’s administration has also signalled that it would like to implement a full ban on the app at the federal level. We are seeing a similar development in the EU, with individual countries banning the app for their civil servants, following the US example with only a small delay. Judging from these developments, we expect that the EU will also try to regulate the app across the board.”