Texas this week became the fifth US state to ban the TikTok app on government-owned devices over concerns about the social media app harvesting sensitive data from user devices and potentially making it available to the Chinese government.
The question now is whether private companies will implement similar restrictions on use of the popular social media app on devices that employees use to access enterprise data and applications.
Texas Gov. Greg Abbott on Wednesday said he had ordered all state agencies to ban TikTok on any state-issued devices effective immediately. Abbott said he has also given each state agency until Feb. 15, 2023 to implement their own policies regarding the use of TikTok on personal devices belonging to employees — subject to approval by the Texas Department of Public Safety.
“TikTok harvests vast amounts of data from its users’ devices — including when, where, and how they conduct internet activity — and offers this trove of potentially sensitive information to the Chinese government,” Abbott said, echoing concerns that many others have expressed recently.
Abbott pointed to China’s 2017 National Intelligence Law, which obligates Chinese companies and individuals to assist in state intelligence-gathering activities, and a recent warning from FBI Director Christopher Wray about TikTok’s use in influence operations, as reasons for his decision.
Abbott’s order came just one day after Maryland Gov. Larry Hogan issued an emergency directive prohibiting the use of TikTok and other Chinese and Russian-influenced products on state-issued devices, citing the “unacceptable” cybersecurity risk they presented to the state.
His order applies to TikTok, Huawei Technologies, ZTE Corp., Tencent Holdings products including WeChat, Alibaba products including AliPay, and Kaspersky. Hogan’s directive requires all Maryland state agencies to remove these products from state networks within 14 days and to implement network-based restrictions preventing access to these services.
Like Abbott, Hogan also cited Wray’s warning about TikTok presenting a national security threat in his statement, as well as a recent NBC News report about Chinese hackers stealing millions of dollars in COVID-related benefits.
The three other states that have issued similar directives over similar concerns are South Dakota, South Carolina, and Nebraska. In addition, the US Departments of Defense, State, and Homeland Security have all banned TikTok on federally issued devices. This July, members of the Senate Select Committee on Intelligence sent a letter to the chair of the Federal Trade Commission urging the agency to investigate what it claimed were deceptive practices by TikTok with regard to its data privacy practices.
Concerns Mount Despite TikTok’s Assurances
The growing number of bans on the use of TikTok on state and federal devices and networks is sure to encourage other state governments, federal agencies, and private companies to weigh the security and privacy implications of using the social media app.
In a Senate hearing earlier this year, TikTok COO Vanessa Pappas maintained that TikTok does not operate inside China and the app is not available there. She has described the company as incorporated in the US and compliant with US laws. Though TikTok does have employees based in China, the company has strict access control over what data those employees can access and where TikTok stores the data, Pappas testified. Earlier this year, the company also announced it has launched an initiative called Project Texas designed to bolster confidence in the safeguards the company has put in place and will put in place to protect US user data and national security interests. TikTok now stores 100% of US user data in the US in Oracle’s cloud environment and is working with Oracle to implement advanced data security controls, TikTok CEO Shou Zi Chew said at the time.
In an emailed comment to Dark Reading, TikTok spokesperson Jamal Brown expressed disappointment over the recent developments. “We believe the concerns driving these decisions are largely fueled by misinformation about our company,” Brown says. “We are happy to continue having constructive meetings with state policymakers to discuss our privacy and security practices. We are disappointed that many state agencies, offices, and universities will no longer be able to use TikTok to build communities and connect with constituents.”
Despite such assurances, the fact that a China-based entity called ByteDance Ltd owns TikTok and that the Chinese government owns at least a partial stake in one of its subsidiaries continues to be a major source of concern for many. Recent reports about threat actors using the platform to distribute malware have not helped matters.
“The specific situation with TikTok being based in China and being subject to Chinese law, which can give the Chinese Communist Party (CCP) access to user data, is giving many people pause,” says Mike Parkin, senior technical engineer at Vulcan Cyber.
Social media applications like TikTok can be problematic for organizations as well. “They are immensely popular, especially with the generations that have grown up with social media,” he says. It’s entirely reasonable that organizations would restrict what apps get installed on their organization-provided devices and recommend their employees don’t install it on any personal systems they use to access enterprise systems, Parkin says.
On devices provided by organizations, a ban on TikTok would be absolutely enforceable, he says. But the same wouldn’t be true of personally owned and unmanaged devices, he notes. “The organization can lay out the requirements, but enforcing them becomes much more challenging both ethically and legally,” Parkin says.
Patrick Tiquet, vice president of security and architecture at Keeper Security, says the rapid proliferation of BYOD policies and distributed remote work environments has contributed to an exponential increase in risk to endpoints and applications for both public and private sector entities. “This puts organizations in a precarious situation, as they must weigh the convenience and cost-savings of BYOD policies with the significant cybersecurity risk,” Tiquet says. “Banning specific apps may seem like a simple and straightforward approach to ensuring security, but with a BYOD policy, it is difficult to enforce.”