TikTok’s Data Collection And What It Means For Cybersecurity
Since taking the social media landscape by storm a few years ago, TikTok, along with other social media platforms, has been the source of many heated debates in the InfoSec community over its data collection practices. Amid that controversy, the short-form video app has exploded in popularity across all age brackets around the world.
Allegedly, TikTok has also taken over its users' cellphones, surreptitiously harvesting data.
Accusations that social media apps are mining consumer data aren’t anything new in today’s digital world. For instance, companies like Apple have ramped up privacy policies to give their users more control and block or limit data sharing.
However, TikTok has garnered increased scrutiny over the extent of the information that the app collects, how it collects it and when it collects it, as well as the fact that it is a Chinese-owned company.
Governments Are Cracking Down On TikTok
Concerns over TikTok were initially raised by lawmakers in the US in 2022 and those concerns have gained steam going into 2023. As a result, governments across the world have started cracking down on TikTok, ordering their officials to remove the app from their devices.
In February, US federal agencies were given a month for all officials to remove the app while several states have already completely banned the use of the platform internally. Since then, more countries have taken similar measures including India, Taiwan, Jordan and most of the European Union.
Per a recent report, without the proper cybersecurity infrastructure in place, these bans might be too little, too late. And therein lies the issue.
The Extent Of TikTok’s Data Collection Practices
Feroot recently reported that TikTok is capable of accessing users' data even if they have never used the app, and that it continues to collect and transfer data even after the user has deleted the app.
TikTok's pixels (trackers) are found across a wide array of websites, from e-commerce stores to financial institutions and government agencies.
These pixels are snippets of code that the embedding websites load into the visitor's browser; once loaded, they connect to data-mining platforms that collect sensitive data, including banking information and even personal health details.
The most troubling part of the report is that the sensitive data that is being collected by the pixels includes usernames, passwords and authentication codes.
All this data is collected without users' consent, even before they have had the chance to accept cookies, which, on top of being illegal and unethical, is a serious cyber risk.
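To make the mechanism concrete from the defender's side, here is an added example (not from the original article and not Keeper's code): a small Node.js audit that lists every third-party script, image and iframe a page loads, flags the dangerous combination of a credential form plus an unapproved third-party script, and derives a Content-Security-Policy that restricts loads to approved origins. The sample page, the first-party site `shop.example` and the tracker hostnames are constructed placeholders, not real sites.

```javascript
// Added example (not from the original article): audit an HTML page for
// third-party resource loads such as tracking pixels, and derive a
// Content-Security-Policy that only allows the origins you have approved.
// Runs under Node.js with no dependencies; the sample page is constructed.

const FIRST_PARTY = 'https://shop.example';

// Constructed sample: a checkout/login page that embeds two third-party
// loaders alongside its own assets. Hostnames are placeholders, not real trackers.
const SAMPLE_HTML = `
<html><head>
  <script src="https://shop.example/static/app.js"></script>
  <script src="https://analytics.tracker-placeholder.test/pixel.js"></script>
</head><body>
  <img src="/img/logo.png">
  <img src="https://cdn.pixel-placeholder.test/p.gif?uid=123" width="1" height="1">
  <iframe src="https://payments.partner-placeholder.test/widget"></iframe>
  <form id="login"><input name="username"><input name="password" type="password"></form>
</body></html>`;

// Pull every src attribute off script, img and iframe tags. A regex is enough
// for this audit; a real crawler would use a proper HTML parser.
function extractLoads(html) {
  const re = /<(script|img|iframe)\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const loads = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    loads.push({ tag: m[1].toLowerCase(), url: m[2] });
  }
  return loads;
}

// Classify each load as first- or third-party by comparing origins;
// relative URLs resolve against the first-party origin.
function findThirdParty(html, firstParty = FIRST_PARTY) {
  const base = new URL(firstParty);
  return extractLoads(html)
    .map(l => ({ ...l, origin: new URL(l.url, base).origin }))
    .filter(l => l.origin !== base.origin);
}

// Build a CSP that allows only first-party and explicitly approved origins.
// Anything else (including an unexpected pixel) is blocked by the browser and
// reported, which is the practical mitigation for pages that handle credentials.
function buildCsp(approvedOrigins, reportUri = '/csp-report') {
  const allow = ["'self'", ...approvedOrigins].join(' ');
  return [
    `default-src 'self'`,
    `script-src ${allow}`,
    `img-src ${allow}`,
    `frame-src ${allow}`,
    `connect-src ${allow}`,
    `report-uri ${reportUri}`,
  ].join('; ');
}

// A page that hosts a password field is where an unapproved script matters most.
function hasPasswordField(html) {
  return /<input\b[^>]*\btype\s*=\s*["']password["']/i.test(html);
}

function auditPage(html, approvedOrigins = [], firstParty = FIRST_PARTY) {
  const third = findThirdParty(html, firstParty);
  const unapproved = third.filter(l => !approvedOrigins.includes(l.origin));
  return {
    thirdParty: third,
    unapproved,
    highRisk: hasPasswordField(html) && unapproved.some(l => l.tag === 'script'),
    csp: buildCsp(approvedOrigins),
  };
}

// Demo run: only the payments widget is on the approved list.
const demo = auditPage(SAMPLE_HTML, ['https://payments.partner-placeholder.test']);
for (const l of demo.unapproved) console.log(`unapproved ${l.tag} from ${l.origin}`);
console.log('high risk:', demo.highRisk);
console.log('Content-Security-Policy:', demo.csp);
```

The audit is a static check on the markup; scripts that inject further loaders at runtime only show up in the browser's CSP violation reports, which is why the generated header carries a `report-uri`.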
How Could Threat Actors Use TikTok Data?
The underlying concern with data collection on social media sites and apps is the potential for threat actors to use the data for malicious purposes.
For example, cybercriminals could use this information to conduct phishing attacks, social engineering scams, or identity theft.
The Chinese government has been accused of using TikTok as spyware to collect sensitive data, raising national security concerns. Regardless of any potential involvement, the data could essentially be transferred to, sold to or stolen by anyone.
Another concern is the use of TikTok on personal devices that employees may also be using to access apps and systems for work that are not protected by Single Sign-On (SSO) or other enterprise security measures.
This could potentially put sensitive business data at risk and leave the door open to costly data breaches.
What Is The Best Way To Mitigate Risks From TikTok and Other Apps?
TikTok is likely not going anywhere. The company's CEO has proposed Project Texas, which would ensure that US user data is stored by a US company (Oracle) under stringent data security policies, in an effort to comply with data regulation laws.
Many organizations will continue to use TikTok along with other social media platforms to reach their audience more effectively, and app users will continue to consume the endless stream of entertaining content at their fingertips.
So how can the InfoSec community help mitigate cybersecurity risks to protect an organization and its employees?
A top-rated password manager like Keeper can help secure user credentials and sensitive data, protecting against phishing attacks and other cyberthreats.
All it takes is one employee’s weak or stolen password to jeopardize the security of an entire organization.
Keeper's zero-knowledge architecture ensures that even if a cybercriminal gains access to the data stored within Keeper, they would be unable to read or decipher it. This makes it an essential tool for both personal and business security with best-in-class features including:
Secure vault to create and store strong and unique credentials
BreachWatch® - a dark web monitoring tool that scans for compromised credentials
Backed by Elliptic Curve Cryptography with multiple layers of encryption, MFA, biometric authentication and FIPS 140-2 validated AES 256-bit encryption plus PBKDF2, Keeper is the world's most secure password manager.
Data collection practices by TikTok and other apps, along with a lack of data regulation laws, raise valid concerns about the potential misuse of user data.
Organizations can protect themselves by using Keeper's zero-knowledge and zero-trust framework to secure their passwords and sensitive information, and by assuming that all apps and devices are potential targets for cyberattacks, while continuing to use the app safely.