It’s emerged that TikTok is handing over user data to US law enforcement. The info is thanks to the BlueLeaks hack last month.
Of course, there’s nothing new about the police and the feds demanding data from social-media companies. But the types of data TikTok collects might raise one or two eyebrows.
Is there a sinister guiding hand behind the narrative? In this week’s Security Blogwatch, Richi risks being a useful idiot. [As opposed to your usual idiocy? —Ed.]
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: A-bomb anniversary #3 this week.
Po-po shut us down
What’s the craic? Aaron Holmes reports—Leaked documents show what it looks like when TikTok hands over a user's data to police:
TikTok is constantly collecting information about its users. Newly leaked documents show what happens when that information is requested by police.
…
All social media platforms are required by law to comply with court orders or subpoenas demanding information about users. … But the leaked files reveal just how much data TikTok can collect — including from users who never created an account.
…
One leaked document sent from TikTok to police includes details on a user's handle, phone number, model of smartphone, sign-up date, and a list of IP addresses from which they logged into TikTok. It also includes details on the user's … unique ID tied to their Facebook account.
…
However, TikTok is taking steps to reshape which governments around the globe can access user data. The company said it would withdraw from Hong Kong … in order to avoid complying with a new security law imposed by China.
And Mara Hvistendahl adds—BlueLeaks Reveals What TikTok Shares with U.S. Authorities:
TikTok’s parent company, ByteDance, is headquartered in Beijing, where the government censors social media content and maintains other forms of influence over tech companies. But a glimpse at what TikTok does in the U.S. underscores that data privacy issues extend beyond China.
…
The documents also reveal … that the Federal Bureau of Investigation and Department of Homeland Security actively monitored TikTok for signs of unrest during the George Floyd protests. [And] that two representatives with bytedance.com email addresses registered on the website of the Northern California Regional Intelligence … fusion center.
…
It is unclear whether these data releases were in response to warrants, subpoenas, or other requests, and the company would not give details. [But] federal investigators and police — some of whom are themselves enthusiastic TikTok users — increasingly view the app as a useful tool.
…
TikTok has tried to distance itself from its Chinese origins, hiring a former Disney executive as CEO, engaging lobbyists with ties to the Trump campaign, and pledging to add 10,000 positions in the United States. Some of that expansion is apparently coming in the area of cooperation with authorities. TikTok recently sought out a law enforcement response specialist and is currently recruiting a global law enforcement project manager.
…
In last week’s executive order, Trump cited concerns that TikTok’s ownership by ByteDance could “allow the Chinese Communist Party access to Americans’ personal and proprietary information.” [It] takes effect 45 days after its issuance. Trump appears to favor ByteDance selling TikTok to an American owner, with Microsoft being the frontrunner.
Microsoft? Heed the insights of dirtyvu:
The deal is dancing with the Devil. [I’m] incredulous to see the US government force a company to sell its assets to an American company and then expect to get paid for doing so.
…
Can you imagine the uproar if China forced Apple to sell its assets to a Chinese company? And if Microsoft gets this deal, good luck getting anywhere in China … the largest market in the world.
Yes! Exactly; aren’t we just as bad? What about US censorship?—Ray Morris worms his way into the narrative: [You’re fired—Ed.]
Saying "we don't want … an authoritarian regime to own the communications media used by US citizens" is not censorship. Censorship is specifically having censors pre-approve the content of communications before they can be sent or published.
…
Censorship has absolutely nothing whatsoever to do with allowing a foreign power … to own your means of communication. … It would be censorship … if TikTok was … blocked in the US … in order to prevent the spread of … ideas.
…
I don't see anyone criticizing China because they don't want the US to own the Chinese telephone network. … I'm not saying it's necessarily wise policy, [but] there is probably a balancing of pros and cons.
Our old chum Robert McMillan has this—TikTok collected Android user data using tactic banned by Google:
TikTok skirted a privacy safeguard in Google’s Android operating system to collect unique identifiers from millions of mobile devices, data that allows the app to track users online without allowing them to opt out. … Experts in mobile-phone security said … the tactic … was concealed through an unusual added layer of encryption.
…
The findings come at a time when TikTok’s Beijing-based parent company, ByteDance Ltd., is under pressure from the White House over concerns that data collected by the app could be used to help the Chinese government track U.S. government employees or contractors. … The White House has said it is worried that users’ data could be obtained by the Chinese government and used to build detailed dossiers on individuals for blackmail or espionage.
…
In a statement, a spokesperson said the company is “committed to protecting the privacy and safety of the TikTok community. Like our peers, we constantly update our app to keep up with evolving security challenges. … The current version of TikTok does not collect MAC addresses.”
MAC address harvesting? That’s old hat, says Mattcelt:
But with IPv6 there is no reason for IP addresses to change, ever, regardless of which network the device is on. Connecting to your home WiFi? Got your IP. Connecting to your work WiFi? Now I know where you live and work.
Friends? Mistresses? Retail shops? You can now be tracked everywhere you go by anyone, not just your mobile provider.
IPv6 not only obviates the need for NAT, it removes the capability for it entirely. Welcome to persistent tracking everywhere.
But banned by Google? adamleithp finds that hi-lar-i-ous:
I've worked in advertising and ad-click networks for over 9 years. … It's funny to read "Banned by Google." Google supported the scummiest of advertising/tracking tactics themselves—that is, until someone else started doing it.
With a slightly fringe theory, here’s Bill McGonigle:
Whether it's valid or not, the concern is not crime but psyop. Look at how the Chinese programmed American POWs during the Korean War and then apply that science to youths with an AI running the show.
It may still be science fiction and unfounded, but let's not pretend the issue is something it's not: The actual BS excuse they're currently using is kompromat on government employees.
Meanwhile, tangorum just laughs at the idea of Microsoft owning TikTok:
Haha, MS has been throwing money outta window for stupid acquisitions for decades and they still have cash to drown the USA in bills.
The moral of the story?
Unicorn one day, pariah the next: Politics is … complicated.
And finally
August 15 was to have seen the third atomic bomb dropped on Japan
You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.
This week’s zomgsauce: Solen Feyissa (via Pixabay)