TikTok – Not a Shock?
by Frank Downs

The new app on the block, TikTok, has been on our radar for a while, in a way that was questionable in terms of the value it provided, but with even bigger concerns about the security and privacy side of it. I wanted to dig a little deeper and get some cold hard facts on what is really going on. So I’ve turned to Frank Downs, ISACA’s Senior Director of Cybersecurity Advisory and Assessment Solutions.


Can you please provide a lay of the land: what was the actual chain of events that went down with the almost passé platform TikTok?

In the last year, certain organizations and U.S. representatives have expressed concern about the type and amount of data that the application collects. Additionally, these interest groups have also been concerned about the location in which the data collected is stored and how that information is used.


Can you talk to me about how the platform was luring in young teens initially? Apparently their algorithm was positioned in a way that it would appear to the teen that they were “TikTok famous,” to keep them coming back for more. Is this true?

TikTok has released a press statement which dissects its algorithm to explain what people see when logging into the app and how that content is determined. Specifically, this is based on user interactions, such as liking a video, following accounts, and posting comments. Taking general interests into account, TikTok leverages its algorithm to include elements outside of just “likes.” This, theoretically, can present users with low follower counts to other users who may like the same types of things. As such, new users have the potential of becoming “famous” more quickly than with other social media platforms.


What were your initial security or privacy concerns when this app was created originally?

There are universal concerns for any type of application that is developed and made available on Google Play or the App Store. Specific concerns for mobile applications include system permissions, data encryption, data storage, and data distribution. Many of these concerns revolve around the privacy of user data. TikTok, like other applications, is not exempt from these concerns.


What are your security concerns right now?

Right now, some individuals and organizations are concerned that the data obtained through the use of TikTok is stored and used in manners that would not be in the best interest of the users themselves or their organizations.


I always like to consider all options: do you believe it is warranted that this app is banned in some countries?

Countries have been banning mobile applications and capabilities for over a decade. The act of banning and prohibiting certain capabilities or applications is not a new practice. A thorough, transparent review of the application, its data policies and practices may lead some countries to conclude that the app should be banned. It’s hard to endorse or not endorse the actions of the countries instituting a ban on the app, as each country has a unique and specific policy towards privacy and security.


Do you believe there is an ulterior motive behind the creation of TikTok? Can you affirm it was coming from a place of malice? Why/why not?

Nothing that I have seen publicly released has provided proof of an ulterior motive behind the creation of TikTok. Additionally, it’s very hard to prove intent. Although some organizations may point out that TikTok pulls data from the users and their devices, nearly all apps do that. There are many different reasons to pull the same type of information from a device.


What’s your opinion on the future of these application types? Where are we headed?

I believe that as online privacy becomes a bigger priority for organizations and individuals, there will be greater scrutiny of all types of applications, including social media.  Especially as companies onboard more Certified Data Privacy Solutions Engineers who will perform deep dives on the privacy considerations of corporate applications, mobile app companies will feel greater pressure to justify the data that they extract through the use of their applications.


What would be your advice to people who are perhaps unaware of some of the ramifications that are involved with downloading an app without due diligence, even if it can be found “on the store”?

The world is playing the biggest game of “catch-up” since the dawn of the internet. Specifically, these privacy concerns are not new, with user data being pulled by mobile apps since they first emerged in the 2000s. Everyone should understand that downloading any application invites a level of risk, regardless of the company developing it. Thorough reviews of the privacy policy of each application should be performed if an individual truly wants to know what data the app will collect and how it will be used. Those same users should be prepared to go without the capabilities the application provides if they don’t agree with the data policy – these companies are not making exceptions based on individual requests. They need to ask themselves if they are willing to go without these everyday applications they have become reliant on.

Author’s Links

Frank Downs

Frank Downs is senior director of cybersecurity advisory and assessment services at ISACA, where he shares the good news about ISACA’s Cybersecurity Nexus (CSX) platform. Downs, an 11-year cybersecurity specialist, graduated with a bachelor’s degree in English from the University of Maryland, after which he promptly joined the US Department of Defense as a subject matter expert, working with computer networks on a daily basis. Realizing that English and cybersecurity were two very different disciplines, Downs proceeded to obtain a master’s degree in cybersecurity from UMBC, after a pit stop at Johns Hopkins to obtain a master’s degree in Government. Eventually, he decided to ease the learning process for individuals transitioning from non-technical backgrounds into cybersecurity by becoming a full-time Intelligence and Operations Consultant for multiple federal law enforcement and intelligence agencies.