What in the TikTok is going on?

And Why you should Protect your Data with Peacemakr.

Jon McLachlan
6 min read · Aug 9, 2020

If you can convince five hundred million teens to upload groovy dance videos, you’ve got a 50 billion-dollar company. But with great success and fame comes great scrutiny. The tin-foil hat security consultants scream bloody murder. A pissed-off President declares your app a national security threat. You get stuck in the middle of an economic standoff, with a bunch of lawyers running up their billable hours.

But what is the reason behind this madness? Could TikTok have prevented it?

Almost All Free Apps are Data Scrapers.

Let’s just take the iPhone 11, for example. It has

  • Ambient Light Sensor
  • Proximity Sensor
  • Accelerometer
  • Barometer
  • Gyroscope
  • Bluetooth signals sensors
  • GPS
  • Two cameras
  • A microphone
  • Near-Field Communication (for ApplePay)
  • WiFi
  • Cellular receiver and transmitter

Of course, not all sensors are directly accessible to apps via the SDK, and iOS requires user permission to access GPS, the cameras, or the microphone. But beyond that, your sensor data is wide open.

So while you’re busting out dance moves, TikTok is vacuuming up data.

Why is data valuable?

The fact that data is so versatile is why it is so incredibly valuable. Advertisers, for example, use data to improve ad placement and response. Better placement makes ads more effective, which lets them charge more per ad than before.

How do we go from a couple of sensors to better ad placement? Simple. With access to your accelerometer, we know if you’re riding a bicycle, walking, running, riding a motorcycle, or in a car, truck, plane, or boat. Combined with GPS, we know where you are while doing these activities. So the next time you glance at your phone, you’ll see an advertisement relevant to your current activity and to where you are. That precision and relevance increase the value of the ad.

Collect enough data and it doesn’t matter what your app actually does: you will have a successful business as a data broker.
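To make the inference in the previous paragraphs concrete, here is an added example (not code from the original post) showing how little it takes to turn raw accelerometer samples plus a GPS speed into an activity label. The thresholds, the labels and the sample windows are all constructed for illustration; real apps use more elaborate models, but the point is that even this crude rule set extracts a sellable signal from sensors no permission prompt guards.

```go
package main

import (
	"fmt"
	"math"
)

// Sample is one accelerometer reading in g-units (x, y, z), the form an app
// receives from the device's motion sensors.
type Sample struct{ X, Y, Z float64 }

// magnitudeStats returns the mean and standard deviation of |a| over a window.
// The standard deviation is a cheap proxy for how much the body is being jolted.
func magnitudeStats(window []Sample) (mean, sd float64) {
	if len(window) == 0 {
		return 0, 0
	}
	mags := make([]float64, len(window))
	var sum float64
	for i, s := range window {
		mags[i] = math.Sqrt(s.X*s.X + s.Y*s.Y + s.Z*s.Z)
		sum += mags[i]
	}
	mean = sum / float64(len(mags))
	var sq float64
	for _, m := range mags {
		sq += (m - mean) * (m - mean)
	}
	return mean, math.Sqrt(sq / float64(len(mags)))
}

// ActivityGuess combines accelerometer jitter with GPS ground speed (m/s).
// Thresholds are illustrative assumptions, not values from any real SDK.
func ActivityGuess(window []Sample, gpsSpeedMps float64) string {
	if len(window) == 0 {
		return "unknown"
	}
	_, sd := magnitudeStats(window)
	switch {
	case gpsSpeedMps > 8: // faster than a person runs: car, train, plane, boat
		return "in vehicle"
	case sd >= 0.3: // stride impacts produce large magnitude swings
		return "on foot"
	case sd < 0.05 && gpsSpeedMps < 0.5: // phone is at rest
		return "stationary"
	default: // e.g. bicycle or crawling traffic
		return "slow ride"
	}
}

// axisWindow builds a constructed window of samples along the z axis with the
// given magnitudes, standing in for real sensor captures.
func axisWindow(mags ...float64) []Sample {
	w := make([]Sample, len(mags))
	for i, m := range mags {
		w[i] = Sample{0, 0, m}
	}
	return w
}

func main() {
	fmt.Println(ActivityGuess(axisWindow(1.0, 1.001, 0.999, 1.0), 0))  // stationary
	fmt.Println(ActivityGuess(axisWindow(0.6, 1.6, 0.6, 1.6), 1.5))    // on foot
	fmt.Println(ActivityGuess(axisWindow(0.9, 1.1, 0.9, 1.1), 25))     // in vehicle
	fmt.Println(ActivityGuess(axisWindow(0.9, 1.1, 0.9, 1.1), 4))      // slow ride
}
```

Add a timestamp and the GPS fix itself and you have the "what you are doing, and where" tuple the paragraph describes; that tuple, not the dance video, is the product.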

By the way, this is how Facebook and Google make money. The biggest con of the 21st century is that everyone thinks of them as technology companies. Facebook and Google are not technology companies. They’re data brokers. They give away their software for free so that people use it, while behind the scenes they collect more and more data. Then they turn around and use that data to sell well-placed advertisements.

TikTok is a much smaller fish in the same pond. But it’s exactly the same type of fish.

Ok, but what security issues does TikTok have?

TikTok had genuine security issues, as pointed out by Check Point security researchers. But this is not surprising. Startups are resource-strapped. Well-intentioned founders and aggressive investors often push engineers to think of data security as a “good problem to have,” not realizing that the best security practices decrease your time-to-market.

Startups that are lucky enough to experience exponential growth are always hit by hackers (or “security consultants”) trying to make a name for themselves. These unsolicited penetration tests quickly result in the re-prioritization of all things security. Leadership scrambles to staff up a new Product Security Team and contract marketing consultants to manage the media fallout.

The best tech startups take data security seriously starting day one. And TikTok, cautious about optics, stepped up to the security challenge, hiring Roland Cloutier as Global CSO of TikTok, addressing the issues at hand, and planning for the future.

So yes, there were a few security issues at TikTok, but they’re doing the right thing and helping TikTok users move towards a more secure experience.

So then, why is TikTok a threat to “national security, foreign policy, and economy in the United States”?

The brief released by the White House is extremely speculative. It alleges that through a chain of subsidiaries from ByteDance (Ltd., China) to TikTok (LLC, US), the Chinese Government somehow has unfettered access to all that data. It further alleges that the Chinese Government may use it to spy on US Federal agents, produce blackmail, conduct corporate espionage, censor protests in Hong Kong, oppress Muslims, and propagate disinformation.

The actual security of TikTok’s technology is not in question.

The US government is worried that the Chinese Government might get access to the data typically used to advertise to us.

Because of that, it’s no longer really about TikTok. It’s yet another battle in a long and bitter trade war between the US and China, just like Huawei. But it’s not quite as simple as Huawei, because TikTok LLC is actually a US company. It is owned at least in part by ByteDance, a Chinese holding company. But keep in mind that China also owns about $1 trillion of US Government debt; about 10% of the total foreign-held US debt is owned directly by China. In other words, China has directly invested in the US economy and its continued growth. Makes you really wonder who owns whom, eh?

But doesn’t China Spy On Its Citizens and Disappear People?

Yes, China does spy on its citizens. But the US does the same. Edward Snowden’s Permanent Record is so devastating because it’s true. So do not be fooled by some sort of emotional appeal to “Ohh, we must protect the human right to privacy.” Nope. Those claims are entirely hypocritical.

Speaking of disappearing, during the Black Lives Matter peaceful protests, US Federal Agents in full military attire and with no official badges rolled up, grabbed peaceful protesters, threw them into the back of unmarked minivans and drove off. A clear violation of the most basic civil rights. So again, claims that the US is doing this to protect politically vulnerable minorities? Nope. More hypocrisy.

Didn’t Trump ask for a cut of the sale of TikTok?

Well, he asked to be reimbursed for an approved TikTok purchase by Microsoft, yes. These are called kickbacks, also known as bribes.

Don’t Google and Facebook operate in China?

Google, yes. Facebook, not yet. The same “national security concerns” that apply to ByteDance Ltd. also apply to Google’s and Facebook’s Chinese operating affiliates. This is the fascinating question: why doesn’t the Trump Administration take a stand against the big fish in the same data-broker pond?

Maybe because this is just a political game. We’re told to conjure up imaginary enemies (China) that distract voters from presidential failures. TikTok is a small fish in the pond and a racially convenient target. Free trade and internationalization are absolutely a threat to a xenophobic foreign policy. Targeting Facebook or Google would have hurt the US economy and would surely have been labeled for what it is: arbitrary and nonsensical.

So why target TikTok? It’s big enough to matter, but not big enough to actually hurt the US Economy.

What can we learn from all this?

Well, protect your valuables. Protect your data.

It’s not about money. It’s not about the number of users you have. It’s not about your political affiliation or country of origin. It’s about the data. Entire wars will be fought over data, and in TikTok’s case it’s just a trade war, thankfully. Understand how data can injure your vision of the future if it were to fall into the wrong hands, and take protective measures starting day one.

Protect your data. If you don’t, the data can be stolen and weaponized. It really doesn’t matter whether it’s the Chinese Government, the US Government, ransomware, or a lone-wolf hacker: it’s all bad.

Could TikTok have built their technology stack to avoid all this?

Yes. The use of full End-to-End encryption to protect application-layer data in the platform, for example as provided by the Peacemakr open-source E2E-Encryption-as-a-Service, could have enabled TikTok to rebut these baseless accusations by the White House. With End-to-End encryption, the data would have been encrypted directly in the TikTok apps and would have remained private to those users and their friends. This is, of course, assuming no backdoors are baked into the encryption scheme. But that risk is significantly mitigated by open-source transparency and well-tested cryptographic implementations. Not even the latest Chinese surveillance technology can break E2E encryption. In short,
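The property the paragraph relies on is that the platform’s servers only ever hold ciphertext, so neither the operator nor anyone who compels the operator can read the content. The following is an added example illustrating that property with AES-256-GCM from the Go standard library; it is not Peacemakr’s code and makes no claim about its design. It assumes a group key already shared among a user’s friends over some separate authenticated channel (key distribution is the hard part of any real E2E system and is out of scope here), and it binds the post identifier as associated data so the relay cannot quietly re-label one post as another.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is everything the platform's servers store and relay: a nonce and
// the ciphertext (with GCM tag). Nothing in it lets the server recover the post.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewGroupKey generates a 256-bit key shared only among a user's friends.
// Assumption: it is distributed out of band; the server never sees it.
func NewGroupKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a post on the sender's device before upload. The post ID is
// authenticated (not encrypted) so a ciphertext only opens under that same ID.
func Seal(key []byte, postID string, plaintext []byte) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per post
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, []byte(postID))}, nil
}

// Open decrypts on a friend's device. Any modification by the relay, a wrong
// key, or a swapped post ID fails authentication and returns an error.
func Open(key []byte, postID string, env Envelope) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(postID))
}

// ServerCanRead models a relay that holds only the envelope: it reports whether
// the plaintext is recoverable by inspection of what it stores.
func ServerCanRead(env Envelope, plaintext []byte) bool {
	return bytes.Contains(env.Ciphertext, plaintext) || bytes.Contains(env.Nonce, plaintext)
}

func main() {
	key, _ := NewGroupKey()
	post := []byte("constructed sample: location tag + caption for a dance video")
	env, _ := Seal(key, "post-42", post)
	fmt.Println("relay can read plaintext:", ServerCanRead(env, post))
	if got, err := Open(key, "post-42", env); err == nil {
		fmt.Println("friend decrypts:", string(got))
	}
	env.Ciphertext[0] ^= 1 // relay tampers with one byte
	_, err := Open(key, "post-42", env)
	fmt.Println("tampered envelope rejected:", err != nil)
}
```

Note what this does and does not buy: the server can still see who posted, when, how large the blob is and who fetched it, so E2E encryption protects content, not metadata, and the sensor telemetry discussed earlier is only covered if the app refuses to upload it in the clear in the first place.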

We should protect our data whenever possible.

And with Peacemakr, it is always possible.

Jon McLachlan

Founder of YSecurity. Ex-Apple, Ex-Robinhood, Ex-PureStorage. Lives in Oakland. Athlete.