Some decisions in life are notoriously tricky.
For instance, do you give up your personal data, location and internet soul to watch a cat swat a drone?
Or do you not?
In 2023, this appears to be a surprisingly difficult call to make as more and more of us sign away our privacy for the joys of social media.
If you detect a touch of sarcasm in the above, bear in mind this is written by a cyber security company. And we get kind of horrified at the way people spray their personal data everywhere.
The plat du jour is TikTok. We recommend every business owner or IT department reads on to understand TikTok security risks and ensures employees follow the advice below.
First, a little background…
What Exactly is TikTok?
TikTok is a wildly popular Chinese-owned video-sharing app that allows users to make and share short videos with other TikTokers. It's been around since 2016 and today boasts over 3.5 billion downloads globally.
Video topics range from entertainment and dance to lifehacks and bite-sized learning. The typical TikTok user is under 24, although brands and businesses are quickly joining the bandwagon to appeal to a younger target audience.
Which is why we're writing this for you…
What are the TikTok Security Risks?
Like almost all social media platforms, TikTok gives you fun stuff in exchange for permission to harvest data about you. We'll talk about that harvesting in more detail below.
But many countries are particularly uncomfortable with TikTok because of its Chinese ownership (Beijing-based ByteDance) and the (currently) theoretical risk that the company could potentially share its customer data with the Chinese government. The platform has always insisted that it doesn't share any data with those running the country. But then, say detractors, they would say that, wouldn't they?
Meanwhile, Article Seven of China's National Intelligence Law states that all Chinese organisations and citizens should "support, assist and co-operate" with Chinese intelligence efforts.
Oh, right. Gosh.
Mmm…
How are Governments Reacting?
China's rival India responded to perceived TikTok security risks by banning the platform in 2020. It saw the app and several others based in China as a national security threat.
Donald Trump proposed a ban when he was president, worrying that TikTok could allow the Chinese government to "track the locations of federal employees and contractors, build dossiers of personal information for blackmail, and conduct corporate espionage". His decision was later reversed by Joe Biden.
Meanwhile, many governments around the world, including the UK, US, Australia, Canada and the EU, have banned the app from government devices and networks due to concerns that it could harvest confidential data.
So far, you might have noticed a lot of "coulds" and pre-emptive bans regarding perceived TikTok security risks. But what has TikTok actually done?
Whoops: TikTok Does Things it Says it Won't Do
If TikTok's credibility was hanging by a thread due to governmental bans, two events have tipped it over the cliff in the cyber security community.
Since 2020, TikTok has tried to reassure people that Chinese employees can't access the data of non-Chinese users.
But then in December 2022, ByteDance, owner of TikTok, confessed that its Beijing-based employees accessed the data of at least two US journalists, and a "small number" of others. They were tracking their locations to check if they were meeting TikTok employees suspected of leaking information to the media.
Call us paranoid, but that sounds a lot like accessing the data of non-Chinese users. And rather ups the ante on TikTok security risks.
TikTok has since updated its privacy policy to say that European user data can be seen by its employees outside the continent, including in China.
Meanwhile, the company was recently fined £12.7m by the UK Information Commissioner's Office for illegally processing the data of over a million children who were using the platform without the consent of their parents.
That just sounds… terrible.
What Sort of Permissions does TikTok Require?
The model for many social media platforms is data harvesting for commercial profiling: for instance, finding out things about you so they can target ads and get you to buy stuff.
So, like most social media companies, TikTok will collect the following types of information from you:
- personal details (username, email, mobile number, DOB and password)
- payment information
- information included in content you create such as photos, videos and location information
- IP addresses, your operating system and network data
- details on how you use the site, and who you talk to/message
- your audio and video through your camera and microphone (common with most video sharing apps)
But it also requests permissions that go above and beyond these, which have raised eyebrows and for many amount to TikTok security risks in themselves. Most apps require permissions to a few data sets to function, but TikTok would have you believe that it requires access to all of them.
It asks to:
- collect any content you create on the platform, even if you don't publish it
- share information with Facebook if you sign in that way
- access all your phone contacts; connect to your Wi-Fi; know your exact location using GPS
- keep the device turned on and automatically start the app when the device is powered on
- access the contents of your clipboard and typing patterns, which can be used for identity verification.
Should I be Worried About this Data Harvesting?
TikTok, like many other social media apps, justifies its access to personal data with the "all the better to serve you with" argument.
But, unlike many other mainstream social media apps, which are American, TikTok is Chinese owned. Many cyber security experts and governments fear that the Chinese state could weaponise personal information in times of conflict. For instance, they could use your data and preferences to spread misinformation or undertake corporate espionage.
It's important to point out that these kinds of TikTok security risks are largely theoretical. At least for now.
Should I Allow My Staff to Access TikTok on Work Phones?
That's down to your workplace policies. If you don't allow other social media, obviously no.
If you do and want to let people use TikTok (perhaps you're a media agency and it's important for your work), then follow due diligence to minimise its ability to collect data (see next section).
The Intersys view is this: unless there's a very special reason why your people need to access TikTok at work, leave well alone. We believe its methodology and track record so far suggests it is a potential security risk.
I'm Going to Use TikTok But I Also Acknowledge TikTok's Security Risks. What Should I Do to Stay as Safe as Possible?
Take these immediate steps to minimise the amount of data TikTok can collect from your device. Many are based on the fundamental cyber security methodology called the "principle of least privilege" (PoLP). Only give people/apps the information they need to know about you online to perform a task, nothing more.
Do remember, though, that limiting your permissions can affect your ability to access all the features of the app.
- Don't share your phone contacts with TikTok. Check your current settings by clicking on your profile/Me, then on the three lines in the top right corner. Click on Settings and Privacy > Privacy > Sync Contacts. Ensure the button is turned off (grey not green).
- Don't link TikTok with your Facebook account. Follow the settings path above to > Privacy and turn off Sync Facebook Friends.
- Minimise ad personalisation. To limit ad personalisation based on your behaviour go to Settings and Privacy > Privacy > Ads Personalization and turn off Use of Off-TikTok Activity for Ad Targeting.
- Keep your profile anonymous.
- Sign up with an alias "junk" email not linked to your other important accounts or contacts. It's easy to create one at Gmail.
- You don't need to add your phone number to set up an account, so don't do it!
- Don't use your full name in your profile, or a handle you commonly use on other accounts, unless there's a very good reason (for instance, your personal "brand" is out there online and your TikTok account contributes to that). Where possible, go unique and anonymous.
- Set your account to private. If you're using TikTok for a select group, not strangers, go private. Go to Settings > Privacy > turn the Private Account toggle on.
- Stop people you know finding you. If you don't want people you know getting "Follow" suggestions for your account, go to Settings and Privacy > Privacy > Suggest Your Account to Others and turn it off.
- Don't "like" things or follow people. Doing both of these gives the algorithm a huge amount of information about you. But remember, your page will still be personalised if you avoid these actions: the app will base what it shows you on demographic factors and how long you watch videos.
Finally, you can browse TikTok without having an account at all. While the app will still gather some information such as your IP and device information, going account-free significantly reduces what it can get access to.
Intersys is a specialist cyber security provider offering everything from full security operation services to one-off rapid breach response to organisations under threat. We also offer cyber security training packages to organisations that include smart use of social media. To find out more, talk to an Intersys cyber security expert now.