Last Friday, I was interviewed by Swedish television (the local Uppland channel) about the reasons for this and the possible dangers of the application from a security perspective. The interview can be found here, but it is only in Swedish. Therefore I will describe the problem in this post as well.

The municipality of Uppsala, together with a large number of other public actors (also in many other countries), has recently prohibited the use of TikTok in the workplace. Some people might think that there are very few reasons why you would need access to TikTok on your mobile at all during work. That aside, why would you prohibit the use of TikTok when you can still use YouTube, Instagram and Facebook? What is different about TikTok?

There are actually some reasons for this, both for the prohibition and for the differences between the applications. TikTok is an application that allows users to record short videos (max 3 min) and publish them on the TikTok platform. This has become very popular, above all among young people. There is also an ongoing critical discussion about the social aspects of the TikTok application, but it is not part of this post.

When the application is installed, it asks the user for permission to access photo and video storage, the camera and the microphone, which is of course quite reasonable, since the purpose of the app is exactly to record videos and store them on the user’s phone. However, it also asks for access to the contact lists and to the current location when in use. And here is one of the problems: the user gives this data to an application we know very little about. But, one may object, this data is not dangerous; we give it to almost any social media application (actually, that might be something we should not do either, without some consideration).

The data the users provide is, however, not as innocent as it might seem at first sight. If the application can collect the data mentioned above, it can be combined into a much bigger collection of “innocent” data, which is not so innocent anymore. It contains your contacts, the places where you have been, and also when you were there. If the data of different people is correlated across the whole data set, patterns may emerge that show interesting things to people who are specifically interested. It could, for example, show regular visits to certain locations, or even that you meet some people regularly. Still, who would be interested in this information? Not everything might be interesting, but suppose that you are engaged in a civil defense organization. Then the meeting places, the people you meet at those meetings, and who these people meet in other contexts might be very important information for a possible enemy. So, there are quite a few people in a city who could be of interest in this kind of analysis.

But, as mentioned above, this information is provided to many different applications, so why has TikTok been singled out like this? Well, there is one additional argument for this, namely that it is very important that we know where the information is going in the larger perspective. This is where the history of TikTok becomes relevant. TikTok is owned by the Chinese company ByteDance, one of the biggest startup companies in the world, and this is where the main problem starts. The statement in the Privacy Policy gives an indication (my boldface added):

We may disclose any of the Information We Collect to respond to subpoenas, court orders, legal process, law enforcement requests, legal claims, or government inquiries, and to protect and defend the rights, interests, safety, and security of the Platform, our affiliates, users, or the public. We may also share any of the Information We Collect to enforce any terms applicable to the Platform, to exercise or defend any legal claims, and comply with any applicable law. 

TikTok Privacy Policy

The text in boldface provides a key to the problems. The data can be released in certain situations, which are not under our control. In 2017 China implemented a law that compels companies to turn over personal data relevant to China’s security. The question is then what this data might be. Depending on the situation, information pertaining to other countries’ military and/or civil defenses might be very relevant to another country. The company can, through its parent company, be forced to hand over any information under the conditions mentioned.

What are the odds? It is difficult to say, of course. However, since TikTok is not crucial to the work in public organizations, there is no reason even to take the chance. Especially in the current situation, where there is such unrest over most of the world, there is definitely a reason to be careful in general about handing out data.

But there are also some drawbacks with the general ban on the application. As mentioned above, the application is mostly used by young people. This also means that proper use of the application can become an entry point to different youth groups, which could be invaluable to certain groups in the municipality, such as social workers, schools, and not least libraries. The libraries have used the application for some time to spread information to young people under the hashtag #BookTok, which allegedly has been very popular. This will now become difficult to handle with the current ban. Of course there may be ways around this ban, but in my opinion it all goes to show that a ban on an application like this has to be carefully considered, and that there should be an awareness that there could be cases where exceptions have to be made. And, not least, there is a need for more information to potential users of social media about the possible risks that follow from its use.

To quote a famous detective in a famous TV series:

Let’s be careful out there….