Calling time on TikTok

On 4 April 2023, Australia became the latest jurisdiction to ban the TikTok app on government-owned devices. Made on advice from intelligence and security agencies, the Commonwealth Government’s move followed those of its Five Eyes allies – the United States, Canada, New Zealand and the United Kingdom – and a similar edict from the European Commission, along with bans in countries including Denmark, France, India, Netherlands, Belgium, Norway and Taiwan. Australian State and Territory Governments have also introduced bans on the app on government-owned devices.

The Australian ban has many business owners wondering if they should also look to prohibiting the video-sharing app on company devices.

TikTok – an overview

TikTok, like its Chinese counterpart Douyin, is a short-form video-sharing app. The social media platform is owned by Chinese technology company ByteDance and hosts user-submitted videos which range in duration from three seconds to 10 minutes.

In its original incarnation, Musical.ly, it was a short-form video app that mainly focussed on lip-syncing content and gained significant popularity at the time (2014). When it was acquired by ByteDance in 2018, the name was changed to TikTok, and the app has since grown exponentially in terms of popularity and user count. According to TikTok statistics, the app has been installed three billion times and it has one billion active users on a monthly basis. It is now one of the biggest social media platforms globally with users including major corporations and governments (including politicians).

The issues

National governments are instigating bans on the use of TikTok over privacy and cybersecurity concerns. According to an article in The New York Times, lawmakers and regulators in the West have increasingly expressed concern that TikTok and its parent company may put sensitive user data, like location information, into the hands of the Chinese government.

A key concern has been the amount of data that TikTok harvests. A cybersecurity report published in July 2022 by researchers at Internet 2.0, an Australian cyber company, found the app carries out “excessive data harvesting”. Analysts said TikTok collects details such as location (at least once an hour), what specific device is being used and which other apps are on the device (running and installed apps). It also continuously requests access to contacts even if the user originally denies it. Industry sources have said that the data TikTok collects is no different to that being collected by other social media platforms such as Instagram, Facebook, Snapchat, YouTube or Twitter. However, the other platforms are not owned by a Chinese company (most are US-founded), which can be forced to provide the data it collects to the Chinese government.

The ability for the Chinese government to demand access to the data has raised concerns that TikTok could be used to spy on users. According to a BBC report, evidence available so far points to this being only a theoretical risk, but fears have been stoked by a vague piece of Chinese law passed in 2017. Article seven of China’s National Intelligence Law states that all Chinese organisations and citizens should “support, assist and co-operate” with Chinese intelligence efforts.

TikTok has tried to assure users that Chinese staff cannot access the data of non-Chinese users. However, in December 2022, ByteDance admitted that several of its Beijing-based employees did access the data of some US users. Among those whose data was accessed were at least two journalists whose locations were tracked to check whether they were meeting TikTok employees suspected of leaking information to the media, the BBC reported. The Australian Financial Review obtained a letter from TikTok to Liberal Senator James Paterson in July 2022 in which the platform admitted that Australian user data is accessible in mainland China.

It appears that the privacy concerns are not unfounded. In 2020, ByteDance was involved in a settlement around consumer privacy litigation that exposed it to hundreds of millions of dollars in damages in the US and included claims the app unlawfully recorded facial-scan images of children and sent confidential information about adult users to China, according to a filing in Chicago federal court cited by Bloomberg.

The prospect of TikTok being used as a ‘brain-washing’ tool has also been raised, according to the BBC.

In November 2022, the director of the FBI told US lawmakers: “The Chinese government could…control the recommendation algorithm, which could be used for influence operations”. The director said the app “screams out with national security concerns”.

All social networks are heavily censored in China, including Douyin, which is also reportedly engineered to encourage educational and wholesome material to go viral. At the start of TikTok’s ascendancy, there were high-profile cases of censorship on the app. Since then, there have been few cases of censorship, other than the sort of controversial moderation decisions all platforms have to deal with, the BBC reported. Researchers at Citizen Lab carried out a comparison of TikTok and Douyin and concluded that TikTok does not employ the same political censorship.

However, concerns that TikTok poses cybersecurity and foreign interference threats have led to bans on the app’s use.

Banning the app

To date, most of the TikTok bans have been implemented by governments and other institutions (such as universities) that have the power to keep an app off their devices or networks. In the United States, the possibility of instituting a nationwide ban on the app has been raised. Such a ban would likely face legal challenges, but commentators note that a US ban could have a major impact on the platform as US allies typically fall in step with such decisions, as evidenced when the US led calls to block Chinese telecom giant Huawei from being deployed in 5G infrastructure.

Should Australian business owners follow suit?

TikTok is one of many social media platforms that users have embraced. For some businesses, it is a key engagement tool.

Despite the popularity of the platform, serious concerns over privacy and cybersecurity have been raised. These have prompted numerous governments to ban the use of the app on government-owned devices.

The concerns governments have over the use of TikTok – including the ability to track users, sometimes without their full consent or knowledge, and the risk of sensitive data falling into the wrong hands – are shared by many businesses. As a result, a similar ban has been enacted among some organisations around the globe including universities and others whose devices may hold, or provide access to, sensitive data.

Given the potential risks, should Australian business owners follow the lead of the Government and prohibit the use of TikTok on company-owned devices?

For many, the answer to this question will depend on what data the devices used by their employees hold or can provide access to (through networks).

The volume and nature of data held by the business and its devices should determine the level of protection required. For example, if the business only holds a person’s name and address, which could also be easily found in the public arena elsewhere, then the business may not have a need to implement detailed security measures. By contrast, if the business holds personally identifiable information or sensitive data such as medical records, then a much higher level of protection is required, which may include removing/banning the app on company-owned devices.

Cyber risks and insurance

The debate around how serious a privacy risk TikTok presents is multilayered and, in many cases, encompasses other social media applications that gather and use people’s data. TikTok’s expansion and the political controversies to which it has given rise underscore the emergence of a new risk in the cyber and privacy landscape, as well as the importance of regulations to protect users’ rights and privacy.

The developing regulatory environment is shining a harsh light on companies that either don’t adequately safeguard their users’ information or misuse it. The wrongful use or wrongful collection of data is an evolving risk that presents challenges on the cyber insurance front as insurers look at providing coverage.

It is important for business owners to understand what the wrongful use and/or collection of data looks like within their own operations, and the consequences of breaching regulations – including both the financial and reputational risks. Talk to your EBM Account Manager about the risk landscape and cyber insurance.