TikTok, the viral app resident on millions of devices, was recently banned from executive branch devices in the United States, as set out in the recent Omnibus Bill signed by President Joe Biden.

The Omnibus Bill, as detailed in CSO Online’s overview, highlighted that the “legislation required the Office of Management and Budget in consultation with the administrator of general services, the director of CISA, the director of national intelligence, and the secretary of defense, to develop within two months standards and guidelines for executive agencies requiring the app’s removal.” Duly noted was the action taken by the House of Representatives, which immediately voted to ban the app from the phones of House members and staff amid protestations from TikTok, owned by China-based ByteDance.

The federal government is not alone.

State government TikTok bans

State governments have also stepped up and have acted or plan to take action to ban TikTok from official devices, including:

  • Tennessee: Governor Bill Lee banned TikTok in December 2022.
  • Texas: Governor Greg Abbott banned TikTok on December 7, 2022.
  • Indiana: Banned by the Indiana Office of Technology on December 7, 2022.
  • Utah: Banned by Governor Spencer Cox on December 12, 2022.

It’s important to note that this is not just a US versus ByteDance/China dance. The UK has warned government entities of the risk associated with TikTok, which has resulted in the closure of TikTok accounts within Parliament. Sweden’s Sveriges Television has asked employees to delete the app from their work phones due to “safety concerns.” India, which has a track record of banning Chinese applications from devices for national security reasons, continues to do so. In 2020, India banned TikTok and a number of additional apps of Chinese origin, citing national security concerns, an action it had previously taken in 2018, when 40 apps were banned by India.

Universities banning TikTok

In addition, a number of universities, hubs of research and development where the future is often seen up close, have banned TikTok from their devices and network access.

  • University of Oklahoma
  • Langston University
  • Oklahoma State University
  • University of Central Oklahoma
  • Northwestern Oklahoma State University
  • Boise State University
  • Idaho State University
  • Auburn University

Universities within Oklahoma were directed by the governor’s office to banish TikTok from their networks, as the governor noted: “Maintaining the cybersecurity of state government is necessary to continue to serve and protect Oklahoma citizens and we will not participate in helping the Chinese Communist Party gain access to government information.”

TikTok spokesperson Brooke Oberwetter was quoted by CNET as taking exception to the bans by universities as based on “unfounded falsehoods” about the app that won’t advance cybersecurity. Oberwetter also called the schools’ policies “rushed” and said they’d have unintended consequences when it comes to recruiting students, sharing information, and building various student communities.

CFIUS continues to review

The Committee on Foreign Investment in the US (CFIUS) review should continue, and if TikTok’s “Project Texas” has legs and will successfully demonstrate the separation of US user data from the rest of the globe, perhaps a rethink will be in order. It would seem a very high bar, however, given that less than six months ago we noted here on CSO Online that Internet 2.0, an Australian cybersecurity firm, had produced the pointedly titled It’s Their Word Against Their Source Code – TikTok Report. Their research showed that the app does indeed connect to China and requests “almost complete access to the contents of the phone while the app is in use. That data includes calendar, contact lists, and photos.”

TikTok can and has collected user data

Furthermore, there was also the recent revelation that TikTok had indeed used its platform to monitor Forbes journalists. TikTok’s claim that an internal investigation discovered that “individuals misused their authority to obtain access to TikTok user data,” is doing nothing to help TikTok’s position that they won’t and can’t monitor individual users, as clearly it is technologically possible.

National security threat

In early December 2022, FBI Director Christopher Wray called out TikTok as a national security threat and highlighted how the app could be used by China to shape the content seen by users. In other words, as a funnel for Chinese propaganda into the United States. He also observed, in much the same way as noted above, how China could use the app to harvest information, which he characterized as “more traditional espionage.”

Is TikTok touching your users and network?

With nations banning TikTok from their infrastructure and devices, universities attempting to protect the PII and intellectual property within their ecosystems, and the national security concerns highlighted, every CISO must be asking the question: What could TikTok harvest from our users’ devices that would put our entity at risk?

If the answer to that question is “I don’t know,” then perhaps a bit of research is in order to quantify the risk, if any. If the answer is “our intellectual property, information on network configuration, personal information on our employees, email archives one employee at a time, and calendar and contact data of every employee who uses TikTok,” then perhaps a discussion should be had on why TikTok is allowed on corporate devices that touch corporate infrastructure.

Copyright © 2023 IDG Communications, Inc.