Microsoft May Be TikTok's Privacy and Security Lifeline
CEO Spoke With Trump About Buying TikTok's English-Speaking Markets
Is Microsoft coming to TikTok’s rescue? It appears that’s a very strong possibility following President Donald Trump’s threat Friday to ban the app in the U.S.
In a statement late Sunday, Microsoft says it's discussing acquiring a portion of TikTok. Microsoft didn’t commit to buying part of TikTok’s operations from its China-based owner, ByteDance. But it is aiming to conclude discussions with ByteDance no later than Sept. 15.
Microsoft also said its CEO, Satya Nadella, has spoken with Trump about TikTok. “During this process, Microsoft looks forward to continuing dialogue with the United States government, including with the President,” it says.
The news comes as TikTok is close to being banned in the U.S. ostensibly for its collection of personal data of citizens. The U.S. has expressed concern that because TikTok is owned by ByteDance, headquartered in Beijing, the app’s data could be shared with the Chinese government. In June 2017, China passed a cybersecurity law that appears to give the government expansive power to access data.
Microsoft says that if it does acquire part of TikTok, it would add “world-class security, privacy and digital safety protections.” All private data for U.S. users would be transferred to the U.S., and Microsoft would ensure that the data has been deleted from other locations.
ByteDance: Valuable Startup
The TikTok tangle has been another front in the tussle between the U.S. and China, which have been at odds over trade and cybersecurity, among other issues.
Banning the social networking service could have an immediate effect on its more than 100 million users in the U.S. But it would also be a provocative action affecting a youthful audience just three months shy of the presidential election.
Microsoft and ByteDance have notified the U.S. Committee on Foreign Investment (CFIUS) about the discussions, which revolve around Microsoft acquiring TikTok’s services for the U.S., Canada, Australia and New Zealand. CFIUS has been investigating ByteDance over its acquisition in 2017 of Musical.ly, another video app.
After Trump’s announcement on Friday, Reuters reported that ByteDance had agreed to divest its ownership of TikTok. Other companies in addition to Microsoft have reportedly been in discussions with ByteDance to buy TikTok.
ByteDance has grown to be the world’s most valuable startup, posing a threat to dominant U.S. internet companies. TikTok is posing fresh and rare competition for online advertising dollars largely scooped up by Facebook and Google.
TikTok collects data, just like Google, Amazon or Facebook. According to TikTok’s privacy policy, that includes IP addresses, geolocation data, unique device identifiers, browsing and search histories and cookies. That kind of data could be useful for tracking people as well as gaining insight into personalities, but it's also a staple for any online company for development purposes and not necessarily a security risk if competently managed.
But security researchers have found egregious flaws in TikTok. Check Point, a security vendor, found several vulnerabilities, including the ability to send TikTok users malicious links, view sensitive account data and even delete or add content to a user's account. In April, two researchers found that TikTok transmitted video and other media without TLS encryption, which means it may be possible for someone to tamper with it.
TikTok fixed the Check Point issues and said it was continuing to roll out TLS across all regions (see: TikTok Content Could Be Vulnerable to Tampering: Researchers).
TikTok’s Headwinds
The headwinds have been blowing against TikTok for some time. The U.S. military banned the app early this year from government-issued devices, and some companies, including Wells Fargo, have followed suit. India also banned TikTok, along with dozens of other Chinese-made apps, in June for national security reasons (see: Wells Fargo Bans TikTok App on Company Devices).
TikTok has rebutted accusations it poses a threat and sought to establish a stronger presence within the U.S. The company says it already employs 1,500 in the U.S., with that expected to eventually grow to 10,000, according to a video posted by the company’s U.S. general manager, Vanessa Pappas, on Twitter.
A message to the TikTok community. pic.twitter.com/UD3TR2HfEf
— TikTok (@tiktok_us) August 1, 2020
Kevin Mayer, a former Disney executive who joined TikTok in May as CEO, wrote just before Trump’s planned ban that the “entire [technology] industry has received scrutiny, and rightly so. Yet, we have received even more scrutiny due to the company's Chinese origins.”
“We accept this and embrace the challenge of giving peace of mind through greater transparency and accountability,” Mayer writes. “We believe it is essential to show users, advertisers, creators and regulators that we are responsible and committed members of the American community that follows U.S. laws.”
ByteDance has scrambled to distance TikTok from its birth in China. The company says that user data is now stored on servers within the U.S. and Singapore. And it told the Washington Post last month that the Chinese government has never asked it for data, and if it did, it would refuse the request.
Since last year, the U.S. Committee on Foreign Investment has been examining ByteDance’s acquisition of Musical.ly, a lip-syncing app developed in Shanghai featuring 15-second to one-minute videos. The 2017 acquisition eventually resulted in Musical.ly being rolled into TikTok.
TikTok didn’t seek the approval of the committee when it acquired Musical.ly “likely because it did not perceive an obvious link to American national security, which is the basis for triggering CFIUS reviews,” the Center for Strategic and International Studies wrote in May.
The New York Times reports that the committee has concluded that ByteDance must divest TikTok, although that has not yet been publicly announced.
TikTok has had brushes with U.S. regulators over privacy concerns before, much like other U.S. technology companies.
In February 2019, the U.S. Federal Trade Commission announced a $5.7 million settlement with TikTok. The FTC alleged that Musical.ly had violated the Children’s Online Privacy Protection Act, which requires that online services obtain parental consent before collecting personal details of children younger than 13. At the time, it was the largest ever settlement obtained in a case related to children’s privacy, the FTC said.
But Google smashed the record just seven months later. Google reached a $170 million settlement with the FTC for also allegedly violating COPPA. The FTC alleged Google used tracking cookies on YouTube to track child viewing habits for online advertising without the permission of their parents.