TIME MAY BE RUNNING OUT for TikTok. There are bans in effect for government devices at federal agencies and at least 27 states, and at press time Montana became the first state to ban the app entirely. Should private entities follow suit? And how should MSPs advise customers about use of the social media app?
For Joy Beland, the answer is simple: Not only should MSPs recommend that clients ban it, but they also should ban it for themselves. “We simply cannot ask our clients to participate in proactive cybersecurity behavior without setting the example,” says Beland, vice president of partner strategy and cybersecurity education at Summit 7, a cybersecurity and compliance provider for the aerospace and defense industry and corporate enterprises, and member of CompTIA’s Cybersecurity Advisory Council.
Joy Beland
Beland is far from alone in viewing TikTok as a cybersecurity threat—and even a national security risk. The app is owned by Beijing-based ByteDance, causing concern that the Chinese government can access user data, including that of 150 million American users. In a rare show of bipartisan agreement, Congress is considering a nationwide ban of the app.
For some private companies, banning TikTok shouldn’t even be in question, says Lawrence Cruciana, CEO of Corporate Information Technologies, an MSP in Charlotte, N.C. Specifically, he cites companies in the financial and defense sectors subject to strict regulations that prevent them from sharing information publicly about their work.
So, in addition to potentially posing a cybersecurity risk, TikTok creates a liability concern for individuals working in those regulated sectors, he says. An employee’s social media post that runs afoul of regulations opens the employee and the company up to liability.
Neither Beland nor Cruciana use TikTok, but both say they know of MSPs that use it for marketing. “It saddens me that they are not seeing the forest fire through the trees,” says Beland.
Social Media Risks
Of course, cyber and privacy risks are present with all social media platforms, including Facebook, Instagram, and LinkedIn, all of which have suffered security breaches.
“If channel firms recommend banning TikTok, then I think that recommendation should be part of a larger ban on social media applications,” says Bradley Gross, president of the Law Office of Bradley Gross, and member of CompTIA’s Cybersecurity Advisory Council.
“TikTok has the ability to track its users, record its users’ behaviors, and aggregate behavioral data from various different sources; however, the same can be said about other popular applications, including Facebook,” says Gross, who advises clients on information technology law.
But Cruciana is particularly concerned about TikTok’s keylogging capabilities and its policy on biometrics, which states: “We may collect biometric identifiers and biometric information as defined under U.S. laws, such as faceprints and voiceprints, from your User Content.”
Biometrics, Cruciana points out, eventually are expected to replace passwords for user authentication. “Those are the very things that TikTok says they can collect, store, and process,” he says. Unlike passwords, “those are the elements that we as humans can’t change.”
Beland views TikTok as another manifestation of a “vacuous transfer of wealth, intellectual property, and expectation of privacy with China. TikTok is a silent and invisible perpetrator that we are inviting into our personal health, our homes, our families, and our businesses.”
Client Recommendations
While Beland and Cruciana recommend banning TikTok, some clients may still decide to use it. In that case, says Gross, MSPs should make some things clear to them: “One, there is no expectation of privacy in any communications transmitted on or through TikTok. Two, their personal and behavioral activities are being monitored and recorded.
“Three, there is no way to avoid such monitoring and recording from taking place. Four, the data being collected by TikTok, including geolocation data can, and likely is, being provided to private and public entities, such as governments, data aggregators, marketing companies, and law enforcement agencies. Five, the only way to avoid being tracked or recorded is to not install or use the application.”
TikTok users should post only videos and information they are comfortable sharing with private and public entities, Gross says.
PEDRO PEREIRA is a New Hampshire-based freelance writer who has covered the IT channel for two decades.
Image: iStock / 5./15 WEST
