TikTok: Worrying About the Wrong Risk
Recent media coverage and Congressional hearings, including testimony last week from TikTok CEO Shou Zi Chew, have whipped concerns about the app into a frenzy.
Most of the focus has been on “data harvesting” whereby TikTok can allegedly gather vast amounts of data on US citizens. If that data reaches servers in China, then under Chinese law the Chinese Communist government can obtain it, even though TikTok’s owner ByteDance is a private company.
Public data, such as videos posted on TikTok, is of course visible in China (and everywhere else) so the data risk really applies only to private data or metadata. TikTok collects private user data the same way most other apps do, primarily limited to information the user voluntarily provides, plus some additional metadata such as location, phone number, phone model, etc.
Data harvesting sounds scary, and for a few users it’s a real threat. Chinese dissidents living abroad should not install TikTok on their smartphones. Ditto for members of the US intelligence community or defense industrial base. That being said, spyware like NSO Pegasus is a much bigger threat to sensitive targeted users than TikTok.
TikTok’s proposal to address the data concern is something they call Project Texas. Data on US users would be stored on US servers, under the supervision of a US tech company (Oracle), which would monitor to ensure US data stays within its US cloud. Oracle would also review TikTok source code for potential vulnerabilities or back doors.
Often overlooked in the TikTok hysteria is the secret sauce of every social media platform – the algorithm. The algorithm decides what content appears on a user’s phone. Whoever controls the algorithm can manipulate what users see. Control eyeballs, influence brains.
TikTok’s algorithm poses a more serious threat than its data. China could use it to manipulate US elections (as Russia did in 2016), sow domestic dissent, or promote pro-China messages to America’s youth, while suppressing anti-China or pro-democracy messages that it finds threatening.
Does Project Texas reduce the algorithm threat? Not at all. Even with zero access to private US data, China could leverage TikTok’s algorithm to promote some videos while suppressing others. Oracle reviewing source code for vulnerabilities won’t help either: a biased ranking function is not a traditional security vulnerability like a buffer overflow or SQL injection, and code that suppresses a topic can be entirely bug-free.
Unlike Russia, China wouldn’t have to create fake content to promote its message. There’s plenty of organic, homegrown US video content that fits the bill. China can use the TikTok algorithm to subtly elevate the kinds of videos it likes, and downplay the kinds it doesn’t.
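To make the point concrete, here is a small added example (not code from the post, TikTok or Oracle) of why a source-code review for vulnerabilities misses this class of problem, and what kind of check does catch it. The ranker below has no bug in the conventional sense; a single per-topic weight is enough to remove one topic from the feed. The only way to see it is to audit what the algorithm outputs against what it had available. The candidate pool, topic labels, engagement scores and the `rank_feed` / `audit_feed` function names are all constructed for this illustration; a real system would obtain topic labels from a classifier.

```python
from collections import Counter

# Constructed candidate pool: four topics, three clips each, with made-up
# engagement scores. In a real audit this would be the set of clips the
# ranker actually chose from for a cohort of users.
CANDIDATES = [
    {"id": 1, "topic": "sports", "engagement": 0.90},
    {"id": 2, "topic": "sports", "engagement": 0.60},
    {"id": 3, "topic": "sports", "engagement": 0.30},
    {"id": 4, "topic": "music", "engagement": 0.85},
    {"id": 5, "topic": "music", "engagement": 0.55},
    {"id": 6, "topic": "music", "engagement": 0.25},
    {"id": 7, "topic": "civics", "engagement": 0.88},
    {"id": 8, "topic": "civics", "engagement": 0.58},
    {"id": 9, "topic": "civics", "engagement": 0.28},
    {"id": 10, "topic": "comedy", "engagement": 0.80},
    {"id": 11, "topic": "comedy", "engagement": 0.50},
    {"id": 12, "topic": "comedy", "engagement": 0.20},
]


def rank_feed(candidates, k, topic_weights=None):
    """Return the top-k clips by engagement, scaled by an optional per-topic weight.

    Hypothetical ranker. With no weights it is a plain engagement sort; a
    weight below 1.0 quietly demotes a topic. Nothing here would trip a
    vulnerability scanner or a line-by-line code review.
    """
    weights = topic_weights or {}
    scored = sorted(
        candidates,
        key=lambda c: c["engagement"] * weights.get(c["topic"], 1.0),
        reverse=True,
    )
    return scored[:k]


def topic_exposure_ratios(feed, candidates):
    """For each topic, the share of the feed it got divided by its share of the pool.

    1.0 means the topic is shown in proportion to its availability; 0.0 means
    it was available but never shown.
    """
    pool = Counter(c["topic"] for c in candidates)
    shown = Counter(c["topic"] for c in feed)
    ratios = {}
    for topic, n in pool.items():
        pool_share = n / len(candidates)
        feed_share = shown.get(topic, 0) / len(feed)
        ratios[topic] = feed_share / pool_share
    return ratios


def audit_feed(feed, candidates, low=0.5, high=2.0):
    """Flag topics whose exposure ratio falls outside [low, high].

    The thresholds are illustrative; a production audit would set them from
    historical variance and run over many users and time windows.
    """
    ratios = topic_exposure_ratios(feed, candidates)
    return {
        "ratios": ratios,
        "suppressed": sorted(t for t, r in ratios.items() if r < low),
        "amplified": sorted(t for t, r in ratios.items() if r > high),
    }


if __name__ == "__main__":
    neutral = rank_feed(CANDIDATES, k=6)
    print("neutral feed:", [c["id"] for c in neutral])
    print("neutral audit:", audit_feed(neutral, CANDIDATES))

    # Same code path, one extra weight: civics clips never reach the top six.
    biased = rank_feed(CANDIDATES, k=6, topic_weights={"civics": 0.4})
    print("biased feed:", [c["id"] for c in biased])
    print("biased audit:", audit_feed(biased, CANDIDATES))
```

The audit depends on having the candidate pool, not just the source code, which is why an output-level review (what was available to show versus what was shown, per topic, per cohort) is a different exercise from the vulnerability review Project Texas describes.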
While the menace of “data harvesting” can sound frightening, the algorithm is the real threat. Project Texas would help with the data, but does nothing about the algorithm.
Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.