US Chief Administrative Officer Issues Cyber Advisory Against TikTok

House of Representatives’ Chief Administrative Officer Catherine Szpindor has issued a cyber advisory for TikTok, saying that the popular social media platform is “a high-risk to users due to its lack of transparency in how it protects customer data, its requirement of excessive permissions, and the potential security risks involved with its use.”

“Additionally, we believe the user base should be aware that this application is known to store users’ Data location, Photos, and other Personal Identifiable Information (PII) in servers located in China and potentially mined for commercial and private purposes.”

The advisory also states that “TikTok actively harvests content for identifiable data,” and that TikTok “may collect biometric identifiers and biometric information as defined under US laws,” including “faceprints” and “voiceprints,” from videos users upload to the platform.

Security issues identified by the advisory include:

  • Device mapping – gathers all apps installed on the phone and retrieves other running applications on the phone
  • Location – device location is checked every hour
  • Calendar – ongoing access
  • Contacts – TikTok continually requests access to contacts until given
  • External storage – app requests external storage and retrieves everything in the external storage folder
  • Images – TikTok saves images in the photo album

In a letter from TikTok to Szpindor that was obtained by Politico, the company responded to the advisory by stating that its information appears to “stem from false and misleading allegations made by a security firm based in Australia, Internet 2.0.”

The letter stated that it was to correct “factual inaccuracies” and listed what it says are the facts:

  • “Allegations that TikTok stores U.S. user data in China are inaccurate. TikTok has long stored U.S. user data in our own data centers in the U.S. and Singapore. Our Virginia data center includes physical and logical safety controls such as gated entry points, firewalls, and intrusion detection technologies. We maintain data backups to guard against catastrophic scenarios where user data could be lost, and our data center in Singapore serves as the backup data storage location for our U.S. users.”
  • “100% of U.S. user traffic is being routed to Oracle Cloud Infrastructure. We still use our U.S. and Singapore data centers for backup, but we expect to delete U.S. users’ personal information from our own data centers and fully pivot to Oracle cloud servers located in the U.S.”
  • “Furthermore, we are making operational changes, which includes a new department with U.S.-based leadership that will solely manage U.S. user data for TikTok.”
  • “We do not use facial recognition technology, or collect or use face or voice data to identify individuals.”
  • “TikTok does not automatically collect precise GPS location information in the U.S. Our privacy policy is quite clear that in the event we were to request precise location data, users would have to approve it for each request. Moreover, operating system rules prohibit applications from “automatically” collecting GPS location information.”
  • “TikTok does not collect user device IMEI, SIM serial number, active subscription information, or integrated circuit card identification number. We do not access the clipboard function to read data, though it may be initiated by a user (e.g., if a user is attempting to copy and paste a URL or text into another app).”

The letter finished by saying “We urge the CAO to rescind the ‘TikTok Cyber Advisory.’ While we would have preferred a dialogue with your office prior to the Advisory being sent, we look forward to meeting with you to further discuss the facts laid out in this letter and ensure that accurate information about TikTok is shared going forward.”