On March 23, TikTok CEO Shou Zi Chew testified before Congress. “After last week’s hearing, it was clear that Congress doesn’t think TikTok’s plan for data security, privacy, and national security is strong enough,” Frank Johnson, vice president of US Federal at data protection and cloud security platform Lookout, tells InformationWeek.
The video-sharing app is at the heart of a complicated debate about national security, data privacy, and international privacy law. The recent hearing is in line with the government’s and public’s heightened scrutiny of data collection and privacy. There is increased pressure to find a way to ban TikTok, a move easier said than done.
With so much noise around TikTok, what issues should CIOs and other enterprise IT leaders be thinking about? Six data and cybersecurity thought leaders share their insights with InformationWeek.
Data Privacy and National Security
Is TikTok sharing data with the Chinese government? The answer to that question is the lynchpin of the national security concerns regarding the app. In Chew’s prepared remarks before his testimony on March 23, he denies that any such data sharing is happening. “TikTok has never shared, or received a request to share, US user data with the Chinese government. Nor would TikTok honor such a request if one were ever made.”
TikTok is owned by Chinese company ByteDance. As of yet, no evidence that the company is sharing data with China has been revealed, but there is significant concern among policymakers.
“When we see how active the US intel agencies are with US-based social media companies, why would we not assume that the same is not true in China?” asks Jon Moore, chief risk officer and senior vice president of consulting services at cybersecurity and HIPAA compliance solutions company Clearwater.
“At its core, TikTok should be viewed as a forward deployed global intelligence gathering network, all the risk is around national security and data privacy,” adds Eric Noonan, CEO of cybersecurity compliance company Cybersheath.
TikTok is not the only app that gathers user data. “Social media apps collect a large amount of data about their users and their preferences in order to more effectively advertise to them. That is the core of their business model,” says Brooke Motta, co-founder and CEO of cloud-native SaaS platform KSOC.
Large companies such as Twitter, Meta, Google, and Amazon collect and monetize data. “The difference is that whatever Meta and Twitter are doing with data, they probably are not weaponizing it to use against the United States in a future war,” argues Bryan Cunningham, a former White House lawyer and current advisor to data security company Theon Technology.
While there is no definitive evidence that TikTok is sharing data with China, Cunningham advocates for IT leaders to take a proactive approach. “I think they should just view it as another piece of evidence that China poses significant threat to the security and privacy of our data, and certainly to American trade secrets and intellectual property, and act accordingly,” he says.
International Privacy Law
The way data is treated across borders is a big part of the TikTok conversation. Europe, for example, has a different approach to privacy and personal data compared to the US. “Essentially, they [Europe] view one’s personal information as the property of the individual, whereas the US, with certain restrictions, views personal information as belonging to the organization that collects it,” Moore explains. “If the US would adopt a more European perspective on privacy, it would severely disrupt much of the US tech industry and, in particular, social media companies, mobile app developers, and others like Google whose business model is built to collect and monetize data.”
Other countries, and states, are moving toward stricter privacy regulations as well. “The EU was the first to implement stricter privacy regulations, but over time, the rest of the world has been slowly going in a similar direction. You have California, for example, Australia, all implementing their own versions of the same,” says Motta.
It is likely that some kind of legislation addressing TikTok and the large issues it brings to the fore will pass in the United States. The current proposals include a lot of latitude for enforcement and would likely focus on more than just TikTok, according to Moore. “Therefore, IT professionals would be well served to start preparing to limit their exposure to hardware, software, and other products and services manufactured, developed, or delivered in, for example, China and Russia, or by organizations whose ownership is based in these countries,” he says.
A Potential Ban
App bans are not without precedent. “Many of the US companies in the same space as TikTok like Facebook and Twitter are already banned in China,” Noonan points out.
The Biden Administration is pushing ByteDance to sell its stake in TikTok, threatening to ban the app if it doesn’t, according to The Hill. “There is a deal that could be made that the US government would approve of; I just don’t think ByteDance will approve it,” says Cunningham.
If a TikTok ban moves forward in the US, it could face legal challenge. “Media commentary further suggested after the hearing that a nationwide ban would likely end up in the courts over First Amendment-related concerns,” says Johnson. If the ban does move forward successfully, people will find plenty of workarounds, Cunningham points out.
Yet, US companies will still need to contend with the consequences of a ban and continued government focus on data privacy and regulation. “They [the government] have recognized regulation as the only way to meaningfully move us forward relative to cybersecurity and with those regulatory actions, be it at the SEC, in the DoD, or elsewhere, the Biden Administration has made cybersecurity a business issue. So, yes, US companies should be paying attention and taking action to align with the regulatory wave that is upon them,” says Noonan.
While national security and data privacy concerns are the focus of the attention on TikTok, legislation could have other consequences. “Whenever there is legislation like this that restricts the market, there will be those who benefit, and if we look closely, we will see them either actively supporting it or at least not questioning it,” says Moore. “It is easy to see how the proposed legislation could be used to selectively punish certain groups or companies and stifle speech adverse to the government’s interests under the guise of protecting the public from the influence of adversarial states.”
The Outlook for IT Leadership
TikTok may be in the spotlight, but regulation resulting from its scrutiny signals that many companies could be facing new regulations. “Critics may argue that it seems authoritarian to impose a nationwide ban or forced sale on a single app, but by proposing laws that would raise data compliance standards, the government is holding all corporations to a higher level of shared accountability,” says Johnson.
Exactly how new regulations will unfold remains to be seen, but IT leaders can look ahead at the possibilities. “If I were an IT enterprise director or CISO, I would already have blocked my employees from having TikTok on their work phones,” Cunningham shares.
Tom Guarente, vice president of government affairs at FedRAMP-certified asset-management platform Armis, points out that network visibility and awareness of device connectivity loom large in the proposed bans. “Agencies should be able to have the ability to report every device name, IP and location, determine asset owners and whether any sensitive information is involved, and the ability to monitor for policy violations, among other requirements,” he elaborates. That kind of awareness can be adopted now, ahead of any regulatory requirements.
Human error still plays a big role in successful cyberattacks and data breaches. With more regulation on the horizon, companies have the responsibility of educating employees and end users. “Stronger cybersecurity always relies on a foundation of good cyber hygiene, including efforts to educate employees on good practices and raise awareness around the proliferation of non-traditional devices that now grow an ever-increasing threat surface,” Guarente says.