TikTok: It’s hip, it’s fun and it’s a security risk

Key Takeaways

Introduced in September 2016 by a Chinese company and in the United States in 2018, TikTok allows users to create and share short videos that include music or other audio in the background.

It’s become a popular social media platform for users to share their talents, comedy, lip-syncing, vlogs and more, allowing users to promote their talents and brands to make money. Media, celebrities and politicians have used it in marketing campaigns to reach younger audiences, and businesses and organizations weren’t far behind.

Learn more

Why TikTok is the Latest Security Threat

Oracle begins auditing TikTok's algorithms

What You Should Know About The TikTok National Security Debate

TikTok's privacy policy

County Tech Xchange 

Local governments have hopped on, too. Health and human services departments spread information about prenatal programs along with COVID-19 updates. Some have promoted official campaigns and messages, such as mental health awareness, voter registration and other civic engagements.

But it has its downsides. Security concerns have grown over how user data is being used, and are further magnified by the fact that TikTok was developed and has its base in China. The Trump administration tried to ban TikTok in 2020, but was overturned by the higher courts.

On Dec. 2, 2022, FBI Director Christopher Wray warned that TikTok’s privacy and data collection policies could allow for the capture of sensitive, personally identifiable information and that data could be accessed by the Chinese government for use other than permissions given by the user. The FBI called TikTok a risk to national security in testimony before the House Homeland Security Committee in November 2022.

Security InfoWatch helped project light on the difference between TikTok and other social media platforms:

The experts say TikTok is different. [Facebook and Twitter] are based in the U.S. and are using it to market products or sell data. Law enforcement typically must go through the courts to get access.

China doesn't require that and could easily track data for the purpose of gathering information on Americans..

At least 25 states have banned TikTok on state-issued devices, all citing privacy concerns.

Many counties are now following a similar course of action. In a recent discussion on the NACo Tech Xchange, many counties have either banned TikTok use by employees on work devices or are in discussions to take that approach.

“There are county data security and privacy concerns, constituent data security and privacy concerns, and the perception that if we used it for our government purposes, it means we are comfortable with its use, so they should be ok with it,” said DeKalb County, Ga. CIO John Matelski. “with the fear of cyber backdoors, hacking, facial recognition, location tracking, spyware, and other personally invasive technologies at the forefront of everyone’s mind, TikTok’s data collection and storage practices need to be concerning unless or until they can be aligned with U.S. data privacy laws.”

So what can a county do? Options vary from banning TikTok completely, or having employees stop the use of TikTok on county owned devices. Not only is it the responsibility of counties to understand the concerns and evaluate the risks, but it is also vital that counties take a perspective that sends a positive message of safety and privacy to county residents.

If a county does allow use, employees should be aware of and agree to several key points:

• I acknowledge that I am aware of the security risks associated with using TikTok for the county and will ensure the following:
• I will use a unique username and password (at least 14 characters including letters and numbers), store my credentials in the current county password management tool, and change at least annually in accordance with our county password management practice.
• I understand posting videos where sensitive county information is displayed is prohibited (e.g., HIPAA, PII, etc.).
• I will ensure I use the InPrivate browser window via internet on any county device to limit tracking (preferred as anti-virus software is running).
• If I use a personal device, I understand that my location and cookies via Internet will be tracked (not as secure).
• I will exit the TikTok app or website once I am done using it to avoid running in the background.
• If I leave my department, I will verify with my management that my TikTok account has been de-activated prior to my last day working

Other recommendations include:

• Not allowing TikTok on corporate devices and barring personal devices with the TikTok application into sensitive areas.
• Recommending users decline TikTok’s prompts to access their phone contacts, which happens routinely. Once granted, this provides some contact information (e.g., name and phone number) for capture or review. TikTok’s Privacy Policy does state that the company may collect additional information about users from other publicly available sources.
• Warning users against using other social media accounts to create a new TikTok account. This could provide TikTok with personal information from other apps, including demographic data and social network connections.
• Practicing basic social media hygiene. Do not post too much information about family/friends, work and professional information, location, or other sensitive information. No not to reveal personal information in comments or direct messages.
• Reviewing third-party app permissions in the TikTok security menu (under manage app permissions) to ensure any connected apps are known and should have access to data. Deny any apps that are not recognized or not necessary. This list should be empty.

• Using mobile device management tools on corporate devices to monitor what applications are installed.
• If using a “bring your own device” model, enroll devices into mobile device management software that allows for work-related apps and information to be containerized. This will separate work and personal app data and allow for remote data deletion in the event of a security incident. TikTok will have access to camera and phone applications that may allow it to collect environmental intelligence, even if it doesn’t have access to sensitive business information due to containerization.