Social media provided many in isolation during the pandemic an outlet, a way to be "out" in the world or a way to take a break from work. Here is the rub, social media apps are entrenched in data and the devices they sit on, some say, makes the entire company vulnerable. That brings us to the TikTok controversy.
Concerned about the app's relationship to the Chinese government and possible surveillance, the U.S. government is assessing the national security risk of TikTok. While Amazon asked employees to delete TikTok from cellphones then quickly recanted, Wells Fargo requested a "small number" of employees to delete the app off corporate-owned devices.
This led the CIO Dive team to ask: Is it a problem to run TikTok on devices with access to corporate data?
We spoke to sources and held a team discussion over Slack. Our lightly edited conversation weighing the pros and the cons is below:
Samantha Ann Schwartz: Employees are going to use whatever personal apps they desire. And where those apps tap into on devices is extensive.
Roberto Torres: In the squabble over whether TikTok should be banned from devices with corporate data, companies mind the flag its parent company represents more than the cyber risk factors themselves. But given China’s track record re: cyberattacks and political pressure on businesses, their fears may not be unwarranted.
Naomi Eide: But doesn't this all fall outside the purview of the enterprise? There are constantly geopolitical forces at play. Best way to insulate a company is monitor your access. Companies have every right to request employees remove applications off their devices if that same device has corporate data. It's part of the pay-to-play with BYOD programs.
Schwartz: If companies want their employees to choose one side or the other, they they also have to say "no corporate email on your personal phone." Are companies willing to cut off that line of communication?
Eide: There's a reason business professionals used to carry two phones (hello, Blackberry).
Schwartz: But it's harder to carry two (hello, Hillary Clinton).
Torres: The question is why weren't the other 32 apps that copied clipboard data banned, but TikTok was singled out by Wells Fargo and Amazon (though Amazon did later recant).
Eide: One of the key distinctions here is attention paid toward application security, Ari Lightman, professor of digital media and marketing at Carnegie Mellon University's Heinz College, told me there are huge issues around BYOD programs. Companies spend a tremendous amount of time focusing on the security of workstations and desktops, but forget the cell phone.There is never a complete demarcation between personal and professional life. "The two blend all the time," he said.
Schwartz: Right, Kevin Breen, director of Cyber Threat Research at Immersive Labs, told me that there are no grounds to enforce removal of these kinds apps. "They could request, but not enforce," when it comes to bring your own mobile.
Torres: There's good reason why this is an outlying case, an exception that led to Wells Fargo and probably others down the line to single TikTok out and cross that barrier. Some of the fear around TikTok's data flows from the "political vilification of China, the political race to turn China into some kind of evil enemy," Phillip Nichols, professor of legal studies and business ethics at the Wharton School of the University of Pennsylvania, told me.
Eide: So TikTok is the villain here, but these mildly concerning applications are taking place elsewhere?
Schwartz: No, because "excessive data collection is very much the norm" among social media apps, Brett Callow, threat analyst at Emsisoft, told me. This leads me to conclude it's a matter of characterizing a villain and in this case it's China, not Mark Zuckerberg.
Torres: Right. A mobile game I had not too long ago on my phone also copied clipboard data. Why does the personal/private line go blurry for TikTok and not, say, the LinkedIn app? It's because TikTok's parent company is Chinese, and companies fear China could pressure the company into accessing that data, according to Dawud Gordon, CEO and co-founder of TWOSENSE.AI.
Eide: John Parkinson, partner and managing director at ParkWood Advisors LLC, told me there are parts of TikTok that are a "little bit sketchy, but generally it looks okay." There is some dead code that raises questions and buried in there are some IP addresses in China.
But there might be a bigger picture here on why companies should pay attention. Okay, maybe you don't outright ban, but what policies do you have in place to deter vulnerabilities or inadvertent information sharing?
TikTok asks to read all contacts on your phone and connect to your social media, which a lot of apps do. But part of the problem with BYOD is people tend to intermix contacts, business and personal, Parkinson said.
Schwartz: I am one of those people. But I also recognize that I have fallen into the pit of "everyone has my data anyway."
Eide: Never save people's names and it's not a problem. That's what I do. Full proof security, am I right? But that's one of the reasons why companies are asking employees who use a personal device to remove TikTok on their phone.
Schwartz: At the end of the day, let's remember that the Department of Homeland Security couldn't completely ban Kaspersky. The federal government removed the software, but it's likely still out in play in corporate America. So we'll likely be dealing with TikTok and future TikToks for a while.
Torres: I also thought it was interesting wording from the now-recanted Amazon warning. It delineated it in such a way that ownership of a device didn't matter. If you use any device to log into your Amazon email, then don't use TikTok on that device.
Eide: I could still find sweet TikToks to watch on Twitter and it wouldn't be a problem then.
Torres: The Twitter hack, potentially, just reminded us all of how much of a weak link employees represent for the security perimeter — which disappeared anyway in the pivot to remote work.
Eide: Companies can't just give up though, right? What's the recourse? Your personal data might be out to lunch Sam, but companies can't really afford to take that approach (Privacy regulation, here's looking at you).
Torres: What the recourse is remains to be seen. But at least in the case of TikTok it was clear to Wells Fargo where to draw the line.
Schwartz: Breen told me, "Some of this stems down to Chinese and other foreign laws that can compel companies to hand over any data they hold. If an application can access other data on a device, then there could be cause for concern." But non-critical apps, such as TikTok (unless you're The Washington Post), isn't for governing bodies to regulate ... although their input is nice! Especially when it's grounded.
Eide: It seems like a healthy dose of institutional paranoia is not a bad thing here. A base level of paranoia is that all software has bugs. If you can't verify an app and it can do something you don't like, you can ban it, Parkinson said.
Schwartz: Paranoia pairs nicely with cybersecurity, always.
Torres: Expect more businesses to ban apps they view as risky, a decision they may end up making while wearing their geopolitical thinking caps.
Schwartz: For all TikTok users, unless your company tells you otherwise, keep on dancing.