With no hard evidence of wrong-doing, are TikTok bans warranted? The real security concerns will likely come after the proposed ban goes into effect; researchers have suggested.
Chinese apps TikTok & WeChat, over the weekend, have been given a late reprieve from a plan to cut off access.
As a ban on US downloads seemed certain for Sun., TikTok owner Byte Dance reached an agreement to sell significant ownership stakes to Oracle & Walmart. While the deal is reviewed, the US Department of Congress has put the download ban on hold for at least a week.
Tencent
Also, a US judge blocked the US Commerce Department’s plan to outright ban Chinese messaging app WeChat, owned by Tencent.
Regarding TikTok, Oracle has agreed to take a 12.5% in the Chinese firm, while Walmart will take a 7.5% share, commented Bloomberg. Together, the companies will pay a combined $12 billion for the 20% ownership share at Byte Dance’s current asking price, which values the company at $60b overall, sources told the outlet.
The plan is that the 20% sale will cover TikTok’s US operations, but Byte Dance will still retain an 80% stake in the new entity, which will be called TikTok Global, & could still maintain control over the app’s code & technology development.
Donald Trump
However, US President Donald Trump told reporters on Sat., “I approved the deal in concept.” That is because, crucially, the deal also gives Byte Dance 12 months to hold a US IPO, which will expand the company’s American ownership.
On Fox News, Mon., he elaborated: “Byte Dance will have nothing to do with it, & if they do, we just won’t make the deal. It’s going to be controlled, totally controlled by Oracle, & I guess they’re going public & they’re buying out the rest of it, they’re buying out a lot, & if we find that they don’t have total control then we’re not going to approve the deal.”
China
The sale is still pending approval from China.
Regarding WeChat, Laurel Beeler, a judge for the District Court for the Northern District of California, issued a preliminary injunction over the weekend against a decision by the Commerce Department. The Department had planned to ban the communications chat app outright, meaning that “it will be illegal to host or transfer internet traffic associated with it,” according to a news release.
Plaintiffs
Following reviewing evidence from a group of plaintiffs who argued that the ban impacts their 1st US Constitution Amendment rights, Beeler issued a decision.
“The plaintiffs’ evidence reflects that WeChat is effectively the only means of communication for many in the community, not only because China bans other apps, but also because Chinese speakers with limited English proficiency have no options other than WeChat,” Beeler wrote. The app is used by about 20m people in the US, according to Tencent.
Background
TikTok, the video-sharing app that boasts 100m users in the US, was poised to become much less accessible on Fri., as executive orders previously signed by President Trump were planned to go into effect by the weekend. Security & privacy experts had mixed reactions, noting the conflict between data-privacy concerns & censorship & highlighting that no concrete security threat has emerged.
Starting Sun., downloads of TikTok would have been cut off from any app store operating in the US. Users that already have the app installed would still be able to use it, without refreshes or updates, until Nov. 12, when a complete ban was set to go into effect.
National-Security Concerns
Trump signed an executive order issuing the ban on Aug. 6, citing “national-security concerns” over the China-based apps. US Commerce Secretary, Wilbur Ross, echoed this reasoning, & said in the release that the apps allow “China’s malicious collection of American citizens’ personal data.”
The Nov. 12 shutdown of TikTok may now be averted by a deal with Oracle & Walmart (the corporations want to take over TikTok’s US operations), offering hope that the app that has dominated Millennial self-expression for the last few months won’t go be forbidden in the US after all.
Data-Collection Concerns
TikTok parent Byte Dance has a reportedly cosy relationship with China’s govt., including an alleged strategic partnerships in place with Communist Party of China, & its ventures in Beijing & Shanghai. Since user data is housed on servers in China by the company, concerns have surfaced about the possible use of the app to snoop information on US citizens.
Those concerns have led to the app being banned by the US military, including by the Army in January. Shortly thereafter, the app fixed several severe security vulnerabilities, putting the app’s security even more into the spotlight.
Over-Permissioned
Are any of the concerns valid?
Some security & privacy experts felt the move was good for consumers, & noted that the apps, like many social-media apps, are over-permissioned.
TikTok for instance (per its privacy policy) does collect phone & social-network contacts, GPS position, personal information such as age, & any user-generated content posted, such as photos & videos. It can store payment information, as well.
Social-Media Applications
“The challenge is balancing public wants, national-security perceptions & valid cybersecurity concerns,” Saryu Nayyar, CEO at Gurucul, observed. “Social-media applications are important platforms for public discourse & influence, but we have seen numerous incidents where these platforms can be abused to any number of ends.
Analysis based on Artificial Intelligence & Big Data can make even mundane information useful in the right hands.”
This reality means that govt. stepping in could be a good thing, Eve Maler, CTO at ForgeRock, further explained.
Intensifying Restrictions
“The ban on new app versions of TikTok & WeChat is a significant indication of intensifying restrictions that signal the abuse of personal data is not okay,” she suggested. “It’s going to be effective, & we can expect more steps to come. These moves significantly increase the cost of wholesale personal data collection & use without permission.
All-in-One
WeChat in particular, as an ‘all-in-one’ app that conveniently combines many functions, makes it tempting for people to convert real-life daily functions into digital form. It’s better & safer to enable individuals to give permissions to share their data at a finer grain.”
Chloé Messdaghi, VP of Strategy at Point3 Security, agreed that by virtue of being social-media channels, TikTok & WeChat bear watching, but noted that app bans (rather than entrusting individuals to craft their own data destinies) have their own issues.
Transparency
“We’ve inherently accepted that social media is allowed to collect our data for their purposes, without disclosing how that data is being used,” she outlined. “Today, the major social-media companies know so much more about you & I than we know, & in terms of consumer rights & transparency they act a bit like they are their own personal govts.”
She further added: “As of now there is no publicly available evidence that China had access to or used this data. It is just being assumed, & that is unfortunate from a 1st Amendment standpoint. In 2020, TikTok is one of the dominant platforms that has helped help like-minded people to share information & plans & come together. Similar to Twitter during Arab Spring, TikTok has served as a catalyst in this summer of social upheaval & progress-minded action. Banning TikTok thwarts that.”
Regarding WeChat, at least one security expert said there was cause to worry about its ties to cyber-crime. “WeChat has previously been used for command & control channels, insider threat & other ways to transfer sensitive information,” James Carder, CSO of LogRhythm, explained.
“It’s also been used as a nation-state espionage tool. Unfortunately, & likely unknown to a potential buyer, WeChat is often used as a communication vehicle back to China from smart devices.”
No Hard Evidence of TikTok Data Abuse?
Many believe that TikTok sends personal & usage information back to the Chinese govt., but there has been no concrete evidence to that effect that has surfaced in existing technical reviews of the app. Comparitech evaluated TikTok privacy & security concerns in detail & found no evidence that TikTok is collecting user data & sending it to China.
“TikTok hasn’t been shown to collect any more data than other social-media apps,” Paul Bischoff, Privacy Advocate with Comparitech, suggested. “It sets a dangerous precedent of censorship in the US. We are banning a Chinese app but adopting a Chinese censorship policy. The latter is much more concerning.”
Overreaction
Chris Hauk, Consumer Privacy Champion at Pixel Privacy, agreed.
“Considering no true threat has been proven, it’s a bit of an overreaction,” he suggested. “The censorship aspects of the ban bug me. Sure, ban it from use in government & certain industries if needed. Banning apps for public use is a totally Chinese govt. kind of thing. Do we want to travel down that path?”
He added, “Further investigation is needed before any bans are enacted. Banning an app due to unproven suspicions is censorship, plain & simple.”
Deep Technology Vetting
To get the bans lifted, there will likely need to be several rounds of deep technology vetting & inspection. Including, but not limited to code base review & traffic analysis, according to Brandon Hoffman, CISO at Netenrich, who added that he hopes transparent technical information comes to light.
“I want to say that the government is doing this for a valid reason,” he suggested.
“On the other hand, the banning of specific application feels like an infringement on our rights, & to a degree, our privacy – the very same thing they are claiming to protect. In today’s age, consumers are extremely tech-savvy & well-informed. If the government wants their position validated, not that it needs to be, it makes sense for them to disclose a little more technical detail or findings.”
Post-Ban Security
While problems within the apps may be hard to track, Hank Schless, Senior Manager of Security Solutions at Lookout, did raise security problems that will likely arise because of the ban itself. Specifically, because TikTok & WeChat will be end-of-life, no patches or updates will be forthcoming, & that is potentially a heyday for criminals looking to tap the app’s huge user base.
“This is risky because if someone discovers a vulnerability in either app, there won’t be a way to release a fix & users will remain exposed to the risk,” Schless explained.
Also, because of the ban, those wanting to use the platform may turn to pirated versions – another enormous threat.
Malicious Versions
“Threat actors will likely start distributing malicious versions of the app through various channels such as other social media platforms,” he noted. “They can identify targets that fall within the primary demographic of TikTok and WeChat users & send them socially engineered messages with links to a malicious app.”
This has already happened: When India banned the app, cyber-criminals distributed something called “TikTok Pro” via social media, SMS & messaging platforms within a week of the ban.
“The threat actor behind fake TikTok Pro app in India was able to build and distribute the app in a very short time frame once the ban went out,” according to Schless.
Cyber-Criminals
“This exemplifies how cyber-criminals could take advantage of a similar situation in the US & profit from the public’s desire for the app or to steal personal data. Everyone should be wary of future attempts to distribute fake versions of these 2 apps targeting our mobile devices.”
It remains unclear how the situation will resolve, but TikTok commented it would continue to argue its case.
“Our community of 100m US users love TikTok because it’s a home for entertainment, self-expression & connection,” the company commented in a statement last Fri., “& we’re committed to protecting their privacy & safety as we continue working to bring joy to families & meaningful careers to those who create on our platform.”
https://www.cybernewsgroup.co.uk/virtual-conference-november-2020/
