loader image

Should the U.S. ban TikTok? Can it? A cybersecurity expert explains the risks the app poses and the challenges to blocking it

by | Apr 4, 2023 | Cybersecurity

Should the U.S. ban TikTok? Can it? A cybersecurity expert explains the risks the app poses and the challenges to blocking it

by | Apr 4, 2023 | Cybersecurity

Shutterstock

Should the U.S. ban TikTok? Can it? A cybersecurity expert explains the risks the app poses and the challenges to blocking it

by | Apr 4, 2023 | Cybersecurity

TikTok CEO Shou Zi Chew testified before the House Energy and Commerce Committee on March 23, 2023, amid a chorus of calls from members of Congress for the federal government to ban the Chinese-owned video social media app and reports that the Biden administration is pushing for the company’s sale.

The federal government, along with many state and foreign governments and some companies, has banned TikTok on work-provided phones. This type of ban can be effective for protecting data related to government work.

But a full ban of the app is another matter, which raises a number of questions: What data privacy risk does TikTok pose? What could the Chinese government do with data collected by the app? Is its content recommendation algorithm dangerous? And is it even possible to ban an app?


Vacuuming up data

As a cybersecurity researcher, I’ve noted that every few years a new mobile app that becomes popular raises issues of security, privacy and data access.

Apps collect data for several reasons. Sometimes the data is used to improve the app for users. However, most apps collect data that the companies use in part to fund their operations. This revenue typically comes from targeting users with ads based on the data they collect. The questions this use of data raises are: Does the app need all this data? What does it do with the data? And how does it protect the data from others?

So what makes TikTok different from the likes of Pokemon-GO, Facebook or even your phone itself? TikTok’s privacy policy, which few people read, is a good place to start. Overall, the company is not particularly transparent about its practices. The document is too long to list here all the data it collects, which should be a warning.

There are a few items of interest in TikTok’s privacy policy besides the information you give them when you create an account – name, age, username, password, language, email, phone number, social media account information and profile image – that are concerning. This information includes location data, data from your clipboard, contact information, website tracking, plus all data you post and messages you send through the app. The company claims that current versions of the app do not collect GPS information from U.S. users. There has been speculation that TikTok is collecting other information, but that is hard to prove.

If most apps collect data, why is the U.S. government worried about TikTok? First, they worry about the Chinese government accessing data from its 150 million users in the U.S. There is also a concern about the algorithms used by TikTok to show content.

Get legit expertise

* indicates required

Data in the Chinese government’s hands

If the data does end up in the hands of the Chinese government, the question is how could it use the data to its benefit. The government could share it with other companies in China to help them profit, which is no different than U.S. companies sharing marketing data. The Chinese government is known for playing the long game, and data is power, so if it is collecting data, it could take years to learn how it benefits China.

One potential threat is the Chinese government using the data to spy on people, particularly people who have access to valuable information. The Justice Department is investigating TikTok’s parent company, ByteDance, for using the app to monitor U.S. journalists. The Chinese government has an extensive history of hacking U.S. government agencies and corporations, and much of that hacking has been facilitated by social engineering – the practice of using data about people to trick them into revealing more information.

The second issue that the U.S. government has raised is algorithm bias or algorithm manipulation. TikTok and most social media apps have algorithms designed to learn a user’s interests and then try to adjust the content so the user will continue to use the app. TikTok has not shared its algorithm, so it’s not clear how the app chooses a user’s content.

The algorithm could be biased in a way that influences a population to believe certain things. There are numerous allegations that TiKTok’s algorithm is biased and can reinforce negative thoughts among younger users, and be used to affect public opinion. It could be that the algorithm’s manipulative behavior is unintentional, but there is concern that the Chinese government has been using or could use the algorithm to influence people.


Can the government ban an app?

If the federal government comes to the conclusion that TikTok should be banned, is it even possible to ban it for all of its 150 million existing users? Any such ban would likely start with blocking the distribution of the app through Apple’s and Google’s app stores. This might keep many users off the platform, but there are other ways to download and install apps for people who are determined to use them.

A more drastic method would be to force Apple and Google to change their phones to prevent TikTok from running. While I’m not a lawyer, I think this effort would fail due to legal challenges, which include First Amendment concerns. The bottom line is that an absolute ban will be tough to enforce.

There are also questions about how effective a ban would be even if it were possible. By some estimates, the Chinese government has already collected personal information on at least 80% of the U.S. population via various means. So a ban might limit the damage going forward to some degree, but the Chinese government has already collected a significant amount of data. The Chinese government also has access – along with anyone else with money – to the large market for personal data, which fuels calls for stronger data privacy rules.


Are you at risk?

So as an average user, should you worry? Again, it is unclear what data ByteDance is collecting and if it can harm an individual. I believe the most significant risks are to people in power, whether it is political power or within a company. Their data and information could be used to gain access to other data or potentially compromise the organizations they are associated with.

The aspect of TikTok I find most concerning is the algorithm that decides what videos users see and how it can affect vulnerable groups, particularly young people. Independent of a ban, families should have conversions about TikTok and other social media platforms and how they can be detrimental to mental health. These conversations should focus on how to determine if the app is leading you down an unhealthy path.

This article has been updated to indicate that TikTok CEO Shou Zi Chew testified before Congress on March 23, 2023.


Republished from The Conversation under a Creative Commons license to point warfighters and national security professionals to reputable and relevant war studies literature. Read the original article.


Doug Jacobson, Iowa State University

Doug Jacobson is a Professor in the Department of Electrical and Computer Engineering at Iowa State University and currently holds the rank of University Professor. Dr. Jacobson joined the faculty in 1985. Dr. Jacobson’s current funded research is targeted at developing robust countermeasures for network-based security exploits and large scale attack simulation environments. He is director of the Internet-Scale Event and Attack Generation Environment (ISEAGE) test bed project. Dr. Jacobson has given over 150 presentations in the area of computer security and has testified in front of the U.S. Senate committee of the Judiciary on security issues associated with peer-to-peer networking. He has published numerous papers on computer security education and the use of hands-on laboratories to teach computer security, as well as written a textbook on network security. He also created a computer security outreach program targeted at the general public, post-secondary students and faculty. He co-authored a book on security literacy for the non-technical audience and also lectures on this topic. His team has developed a cyber security literacy curriculum for grades k-12.

Related Articles

Expert: TikTok could be a risk to national security

Expert: TikTok could be a risk to national security

More than 86 million Americans use the social media app TikTok to create, share, and view short videos, featuring everything from cute animals and influencer advice to comedy and dance performances.
Concerned experts point out that TikTok’s parent company, the Beijing-based ByteDance, has been accused of working with the Chinese government to censor content and could also collect sensitive data on users.

Pentagon leaks suggest China developing ways to attack satellites – here’s how they might work

Pentagon leaks suggest China developing ways to attack satellites – here’s how they might work

The recent leak of Pentagon documents included the suggestion that China is developing sophisticated cyber attacks for the purpose of disrupting military communication satellites. While this is unconfirmed, it is certainly possible, as many sovereign nations and private companies have considered how to protect from signal interference.

Ransomware Attack Hits Marinette Marine Shipyard, Results in Short-Term Delay of Frigate, Freedom LCS Construction

Ransomware Attack Hits Marinette Marine Shipyard, Results in Short-Term Delay of Frigate, Freedom LCS Construction

The Wisconsin shipyard that builds the U.S. Navy’s Freedom-class Littoral Combat Ship and the Constellation-class guided-missile frigate suffered a ransomware attack last week that delayed production across the shipyard, USNI News has learned.

Fincantieri Marinette Marine experienced the attack in the early morning hours of April 12, when large chunks of data on the shipyard’s network servers were rendered unusable by an unknown professional group, two sources familiar with a Navy summary of the attack told USNI News on Thursday.