TikTok may pose cybersecurity concerns, experts say. But so do hundreds of other apps.

Wisconsin GOP lawmakers asked Gov. Tony Evers to ban TikTok from state devices due to the app's connection to the Chinese government

Phone with the TikTok app
Solen Feyissa/Unsplash (CC)

Security risks of the social media video-sharing site TikTok recently highlighted by congressional Republicans are real, but they’re not unique to the Chinese-owned app, cybersecurity experts said.

That’s because any time a user grants a smartphone app the ability to access their location, contacts, camera or microphone, they’re opening up a potential avenue that can be exploited by hacking or phishing schemes. In extreme cases, that could mean a hacker could access a device’s camera or microphone functions without the user’s knowledge or use GPS data to track the user’s location.

What makes TikTok different is that its parent company, ByteDance, is Chinese, and therefore susceptible to influence or outright control by China’s authoritarian government. Last month, FBI director Christopher Wray said the app’s mass adoption was a national security concern, and security negotiations are ongoing between the company and the Biden administration.

“Everything (TikTok) has might be in the hands of the Chinese government,” said Khaled Sabha, a cybersecurity lecturer at the University of Wisconsin-Milwaukee. “The Chinese government might ask TikTok … or maybe force them to share users’ information.”

That concern prompted Wisconsin’s Republican congressional delegation last week to send a letter to Democratic Gov. Tony Evers calling for the governor to ban the app from state-owned devices. Several states have already done so, including Maryland, whose governor announced the move last week.

Cybersecurity experts told Wisconsin Public Radio the state of Wisconsin and any individual user should consider potential risks from using social media. But they stopped short of endorsing a ban on TikTok, saying its security risks are mostly the same risks that come from simply carrying a smartphone.

In their letter, GOP legislators called the app a “surveillance tool” that “tracks cellphone users’ data, including user location data and users’ keystrokes, even when not even using the app.”

“That’s the fear,” said Keatron Evans, principal security researcher with the InfoSec Institute, which is part of Cengage Group, an education technology company. “But I think that’s the fear for any social media app that you put on your device.”

That’s because hackers or scammers can exploit security loopholes or trick users into sharing their data through phishing schemes. The large amounts of user data collected and stored by social media companies may also be vulnerable to abuse, either by the companies themselves or by hackers who target their databases.

“There is nothing particularly different about TikTok,” said Michael Patton, director of the Cybersecurity Center of Excellence at the University of Wisconsin-Oshkosh. “We should have the same concerns about what is Facebook collecting, what is Twitter collecting — insert social media product here.”

The lawmakers say the app’s connection to the Chinese government makes the difference. In addition to signing onto the letter to Evers, U.S. Rep. Mike Gallagher, R-Green Bay, has also sponsored federal legislation that would ban the app outright within the United States.

The app’s audience, and its cultural influence, is enormous and growing. The company reportedly claims to have more than 1 billion users globally, and may have as many as 80 million U.S. users. Its users’ short videos have launched dance trends, famous pets and in some cases fostered supportive communities. It’s also known for the sometimes-uncanny ability of its algorithm to predict which videos will appeal to individual users.

In response to the lawmakers’ letter, Evers’ spokesperson Britt Cudaback told The Associated Press that the administration takes cybersecurity threats seriously and will “continue to defer to the judgment and advice of law enforcement, cybersecurity, and counterintelligence experts regarding this and other evolving cybersecurity issues.”

Patton said protecting against such threats may not require an outright ban of TikTok for state use.

“Is the (Department of Tourism) using it to promote tourism? Maybe that’s OK,” Patton said. “And maybe they should have devices specifically dedicated to doing that.”

Evans also said a good security policy might be for public officials, celebrities and other potential targets of hacking to use a separate device for TikTok, to better quarantine potential intrusions.