TikTok is “unacceptable security risk” and should be removed from app stores, says FCC

Credit to Author: Jovi Umawing| Date: Tue, 05 Jul 2022 14:51:08 +0000

Brendan Carr, the commissioner of the FCC (Federal Communications Commission), called on the CEOs of Apple and Google to remove TikTok from their app stores. In a letter dated June 24, 2022, Carr told Tim Cook and Sundar Pichai that “TikTok poses an unacceptable national security risk due to its extensive data harvesting being combined with Beijing’s apparently unchecked access to that sensitive data.”

Carr also said:

But it is also clear that TikTok’s pattern of conduct and misrepresentations regarding the unfettered access that persons in Beijing have sensitive US user data … puts it out of compliance with the policies that both of your companies require every app to adhere to as a condition of remaining available on your app stores.

Therefore, I am requesting that you apply the plain text of your app store policies to TikTok and remove it from your app stores for failure to abide by those terms.

In the Twitter thread, Carr pointed out the national security risks TikTok poses.

Excessive data collection

TikTok is said to collect “everything”, from search and browsing histories; keystroke patterns; biometric identifiers—including faceprints, something that might be used in “unrelated facial recognition technology”, and voiceprints—location data; draft messages; metadata; and data stored on the clipboard, including text, images, and videos.

Carr cited several incidents as evidence that TikTok has been dodgy about its data collection practices.

Relation to the CCP (Communist Party of China)

ByteDance, a company based in Beijing, developed TikTok. In China, it is known as Douyin. Carr mentioned in his letter to Apple and Google that ByteDance “is beholden to the Communist Party of China and required by Chinese law to comply with the PRC‘s surveillance demands.”

The Senate and House committee members, cybersecurity researchers, privacy, and civil rights groups have flagged this as a concern. In 2019, two senators labeled TikTok as a “potential counterintelligence threat we cannot ignore”. The American Civil Liberties Union (ACLU) is also concerned about the social platform’s “vague” policies, especially in collecting and using biometric data.

Unclear use of collected data

It’s a non-issue for apps that are clear about collecting data, but these must also say how they use the data they collect. TikTok, it appears, is not one of those apps that do not abide by this clause.

“Numerous provisions of the Apple App Store and Google Play Store policies are relevant to TikTok’s pattern of surreptitious data practices—a pattern that runs contrary to its repeated representations,” the letter reads.

“For instance, Section 5.1.2(i) of the Apple App Store Review Guidelines states that an app developer ‘must provide access to information about how and where the data [of an individual will be used’ and ‘[d]ata collected from apps may only be shared with third parties to improve the app or serve advertising.”

Is TikTok a “sophisticated surveillance tool”?

TikTok didn’t sit on its hands when news spread of the FCC calling for its removal from major app stores.

Speaking with CNN’s “Reliable Sources”, Michael Beckerman, VP, Head of Public Policy, Americas at TikTok, refuted a large chunk of the FCC’s claims against the social media company, predicated on the notion that Carr is isn’t an expert on such issues and that FCC doesn’t have jurisdiction over national security.

“He’s pointing out a number of areas that are simply false in terms of information that we’re collecting, and we’re happy to set the record straight,” Beckerman said.

When asked about the inaccuracies in Carr’s claims, Beckerman responded: “He’s mentioning we’re collecting browser history, like we’re tracking you across the internet. That’s simply false. It is something that a number of social media apps do without checking your browser history across other apps. That is not what TikTok does.”

“He’s talking about faceprints—that is not something we collect,” he said, explaining that the technology in their app is not for identifying individuals but for the purpose of filters, such as knowing when to put glasses or a hat on a face/head.

Concerning keystroke patterns, Beckerman said, “It’s not logging what you’re typing. It’s an anti-fraud measure that checks the rhythm of the way people are typing to ensure it’s not a bot or some other malicious activity.”

When challenged if the CCP has seen any non-public user data, he said, “We have never shared information with the Chinese government nor would we […] We have US-based security teams that manage access, manage the app, and, as actual national security agencies like the CIA during the Trump administration pointed out, the data that’s available on TikTok—because it’s an entertainment app—is not of a national security importance.”

Politicians and privacy advocates have criticized TikTok for potentially exposing US user data to China for years. To allay fears, TikTok teamed up with Oracle and began routing data of its American users to US-based servers.

This, however, doesn’t answer some questions raised when Buzzfeed News broke the story about TikTok employees in China “repeatedly” accessing US user data for at least several months. Such incidents reportedly occurred from September 2021 to January 2022, months before the Oracle data rerouting.

There is also an allegation that a member of TikTok’s trust and safety department said in a meeting that “Everything is seen in China”. A director in another meeting allegedly claimed that a colleague in China is a “Master Admin” who “has access to everything.”

“We want to be trusted,” Beckerman said during the CNN interview. “There’s obviously a lack of trust across the Internet right now, and for us, we’re aiming for the highest, trying to be one of the most trusted apps, and we’re answering questions and being as transparent as we can be.”

The post TikTok is “unacceptable security risk” and should be removed from app stores, says FCC appeared first on Malwarebytes Labs.

https://blog.malwarebytes.com/feed/