Cyber Security, Tech, Analysis.

TikTok is a National Security Risk, Not A Privacy One

Yesterday lawmakers introduced a bill to ban TikTok. But is an outright ban the right course of action, and what is the threat posed by TikTok?

The Privacy Dilemma

Much of the focus on TikTok has been primarily around user privacy, what data TikTok gathers, and what they do with it. I decided to investigate the extent of TikTok’s data collection, and came to the same conclusion as others. TikTok doesn’t operate outside the norms of standard social media apps, nor do they gather any data others don’t.

I was actually very surprised to find that TikTok not only doesn’t gather location data, but doesn’t even request the permission required to do so (meaning it couldn’t track users’ GPS location at a later date, even if it wanted to). I had simply assumed it would gather this data, because granular location data is a goldmine for advertisers. If I can see you visited an electronics store 3 times this week, it would probably be beneficial to show you adverts related to electronics. However, TikTok doesn’t do this. The best they can do is infer your approximate location via IP address, which is wildly inaccurate and usually at best shows the city a user is connecting from (assuming they do not mask their IP with a VPN).

The Clipboard Controversy

An article that really caught my attention was this one, revealing TikTok’s “Spying Capabilities”. But upon further analysis, I found it to be mostly clickbait. TikTok was revealed to be engaging in clipboard monitoring, which is also used by other social media apps such as Reddit and LinkedIn. Simply put, when you copy & paste anything on a mobile device, the data you copy is temporarily stored in a memory location referred to as the clipboard. When you copy data, it overwrites the previously stored data, so only a single piece of information can be held on the clipboard at one time. Researchers discovered that whenever a user is using the TikTok app, it will periodically fetch the clipboard data and submit it to TikTok’s servers.

TikTok’s explanation for the feature was anti-spam, which actually does make sense. Normally, users type out messages when posting on an app. If a user is frequently copying and pasting their messages from elsewhere, there is a good chance they may be engaging in malicious behavior (spam, plagiarism, or impersonation). By correlating what users post with what’s on their clipboard at the time of posting, it’s possible to see if a user wrote their message or copied and pasted it. The system can use this technique to flag users who may be behaving in an inauthentic manner, and their accounts can then be reviewed by trust & safety.
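To make the anti-spam rationale concrete, here is an added example (not TikTok’s code) of that correlation as a trust & safety heuristic: each post event carries the clipboard snapshot taken at posting time (or none, when the app was not in the foreground), and accounts whose posts repeatedly match their clipboard are flagged for human review. The event data, user names and thresholds are constructed for the demo.

```python
from collections import defaultdict

def normalize(text):
    """Collapse whitespace and case so trivial edits do not defeat the match."""
    return " ".join(text.split()).casefold()

def is_pasted(post, clipboard):
    """A post counts as pasted only if a snapshot exists and matches the post.

    clipboard is None when no snapshot was taken (app not active on screen),
    which is the limitation the article describes: no snapshot, no evidence.
    """
    if clipboard is None:
        return False
    return normalize(post) == normalize(clipboard)

def paste_ratios(events):
    """Return {user: (pasted_posts, total_posts)} over a list of post events."""
    counts = defaultdict(lambda: [0, 0])
    for ev in events:
        counts[ev["user"]][0] += int(is_pasted(ev["post"], ev["clipboard"]))
        counts[ev["user"]][1] += 1
    return {user: tuple(c) for user, c in counts.items()}

def flag_users(events, min_posts=3, threshold=0.6):
    """Flag users with enough posts and a high paste ratio for manual review.

    Flagging is a signal for trust & safety, not an automatic enforcement action.
    """
    flagged = set()
    for user, (pasted, total) in paste_ratios(events).items():
        if total >= min_posts and pasted / total >= threshold:
            flagged.add(user)
    return flagged

# Constructed sample events (hypothetical users, not real telemetry). Note that
# alice's first snapshot is an unrelated string: on its own it carries no
# context and never matches a post, so it contributes nothing to the score.
SAMPLE_EVENTS = [
    {"user": "alice", "post": "loved this recipe!", "clipboard": "hunter2"},
    {"user": "alice", "post": "same here", "clipboard": None},
    {"user": "alice", "post": "great", "clipboard": "great deal at the store"},
    {"user": "bot42", "post": "Buy followers at example.invalid",
     "clipboard": "Buy followers at example.invalid"},
    {"user": "bot42", "post": "buy FOLLOWERS at  example.invalid",
     "clipboard": "Buy followers at example.invalid"},
    {"user": "bot42", "post": "Buy followers at example.invalid", "clipboard": None},
]

if __name__ == "__main__":
    print(paste_ratios(SAMPLE_EVENTS), flag_users(SAMPLE_EVENTS))
```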

The problem with clipboard monitoring is that the clipboard can be used for all kinds of purposes: transferring photos, pasting passwords, copying text messages. As a result, clipboard monitoring may inadvertently vacuum up arbitrary data. This is where the “spying” accusation comes in. What wasn’t explained is the limitations of such a feature. TikTok can’t simply see anything copied to the clipboard. The app must be running, and active on the screen (not just open in the background). Since clipboard data is overwritten every time something is copied, TikTok will only see the data if the user switches to the TikTok app while the data is still on the clipboard. Most password managers automatically clear the clipboard, so the risk of user credentials being uploaded is fairly low.

But more important is the clipboard’s lack of context. Let’s say the user copies their password to the clipboard, switches to the TikTok app for whatever reason, then TikTok uploads it. Great, now they have a random string of characters. What are these characters? What do they mean? Is this a password? If it’s a password, what is it a password for? What is the username that goes with this password? None of this is known. I think it’s highly unlikely this feature was designed for espionage as some have suggested. It’d simply result in a jumble of meaningless data, with TikTok knowing neither what app it came from, where it was going, nor what it’s for. If they wanted to spy on users, there are much, much better ways.

The broader picture

The data TikTok gathers is the same data that other social media platforms gather. So the only real argument here is not what data is gathered, but who gathers it. If social media data were even remotely hard to obtain, I’d say this is a fine argument, but it’s not. Almost all social media platforms make their money selling user data to advertisers. They claim to anonymize this data, but the truth is, there is no such thing as anonymous data. The only difference between John Doe who went to the 4th Street Starbucks twice last week, and AnonymousUser2342342354 who went to 4th Street Starbucks twice last week, is whether or not I have the data to see who went to that Starbucks and when. With social media data, there are so many data points that it is trivial to de-anonymize the user.

But things don’t stop at “anonymized” advertiser data. In 2017 Congress passed a law enabling US ISPs to track their users and sell that data (including their browsing history). This, again, is data China can easily buy. Chinese state-sponsored hackers were behind the 2014 hack of OPM (the agency which handles US government security clearance applications). They were behind the 2017 breach of Equifax (the largest holder of US consumer credit data). In 2021 they also breached tens of thousands of Microsoft Exchange email servers and downloaded the emails. I realize these are all separate issues, and we can address multiple issues at the same time, but the problem is, we’re not.

TikTok has dominated the news cycle for years over the potential that they could abuse user data, despite being able to obtain vastly superior data elsewhere. It’s become a fixation, at extreme detriment to the broader discussion. In the meantime, Congress has rolled back privacy laws, done nothing to limit the sale of user data, and current cybersecurity legislation leaves a lot to be desired. Overall, I think the “privacy threat” posed by TikTok is inconsequential, especially against the backdrop of the near constant data breaches, as well as companies trafficking in personal information. But that’s not what this is actually about, not really.

TikTok as a national security threat

There is a legitimate and very real threat posed by TikTok to national security. I suspect most of the privacy concerns are strawman arguments aimed at building support for a ban on national security grounds. This makes sense. After all, why hit TikTok on one front when you can do two? The problem, though, is that the privacy debate has eclipsed the real one, and now everyone is arguing in circles about data collection.

TikTok is unique in the social media space. Their algorithm is lightyears ahead when it comes to content recommendation. Many platforms are attempting to use machine learning to figure out users’ interests and recommend them content they will like, but TikTok appears to have already mastered this. Whilst platforms such as YouTube, Instagram, Facebook, and Twitter are still heavily reliant on people “following” accounts they like, TikTok’s algorithm has excelled to the point where users simply let it pick what to show them. This is what has put TikTok on course to be the most used social media platform. Users needn’t sift through a vast ocean of garbage to find videos they enjoy; the platform will do all the heavy lifting for them.

But of course, algorithms can be manipulated, both from the side of the social media platform and from its users. These algorithms run on machine learning models which use computer code to determine the topic of a video and the interests of a user, then match the two together. But what if the platform were to tweak the algorithm to prioritize certain videos? Or someone were to sign up fake accounts and feed the algorithm biased data? In both cases, the algorithm could be manipulated to control what users see. Such exploits could be used to sway public opinion about anything from which stores to shop at, to which presidents to elect. The results could be catastrophic.

So, should we ban TikTok?

A ban may be more complex than it seems

TikTok is not just a potential nuclear weapon in the information war, it’s a successful social media company which represents China’s economic and technical accomplishments. The CCP may be reluctant to weaponize the platform for widespread foreign influence, as this would result in a widespread ban, not just in the US. Given the important role of tech in the race for global dominance, it may not make sense for China to sacrifice TikTok, at least not yet. Use of TikTok for propaganda doesn’t just undermine the platform, but the west’s already limited willingness to embrace Chinese technology. Meanwhile, China, as with every other hostile nation, is free to engage in rampant and overt manipulation on western social media platforms.

We have to ask the question: right now, are users in more danger on TikTok than they would be elsewhere? We don’t know where TikTok’s users might go, or who will end up controlling the content they see. As of right now, there is no clear replacement for TikTok, and its elimination would leave a large power vacuum in the social media space. Thus far the opaqueness of TikTok’s algorithm appears to have actually insulated users from many kinds of malicious influence. Bad actors can’t rely on pure engagement to disseminate their content. Since the algorithm recommends based on interests, content must be tailored to the individual groups.

On the other hand, Twitter and Facebook have been a never ending barrage of far-right propaganda, conspiracy theories, and foreign influence ops. Meta has made a “good faith” effort to counter misinformation and disinformation, but is under no legal obligation to do so. Twitter, on the other hand, recently cut its staff by 85%, abolished its trust and safety team, and the CEO appears to have aligned himself with the very people the platform should be trying to stop.

There is no telling what China could do with TikTok’s influence. But if they do act, a ban would be swift (in fact, Apple & Google may revoke the app themselves if they feel it steps out of line). As of right now, western platforms have done far more to undermine our own democracy than anyone else could even dream of. Before considering a ban, it might be wise to evaluate where TikTok users will go, and whether it’s better than where they are now. The last thing we need to do is take over a billion TikTok users and throw them into a hotbed of domestic terrorism, conspiracy theories, election denial, and foreign propaganda, over fear that TikTok may later do the same. A ban should be considered after all other regulatory options have been exhausted, which includes regulation of our own platforms, not just TikTok.

Marcus Hutchins
Threat intelligence analyst, programmer, ex-hacker. https://www.wired.com/story/confessions-marcus-hutchins-hacker-who-saved-the-internet/