Johns Hopkins cybersecurity expert Anton Dahbura urges Congress to put restrictions on the popular app
- “The solution will be a combination of regulations that are similar to HIPAA laws in that confidentiality will be expected, and technology under development that can give users the best of both worlds: privacy and functionality.”
- Basic information such as TikTok users’ locations can be used by foreign actors to determine whether someone works in a facility that may be of interest, such as a military or other government facility.
Montana became the first state to ban TikTok, the social media app used by nearly 90 million Americans, out of concerns about data security.
Though users consider the app harmless fun, a growing number of cybersecurity experts and elected officials aren’t so sure. They point out that TikTok’s parent company, the Beijing-based ByteDance, has been accused of working with the Chinese government to censor content and could also collect sensitive data on users.
While the future of Montana’s ban is being litigated, members of Congress are considering similar federal action. Anton Dahbura, the executive director of the Johns Hopkins University Information Security Institute, says there is no time to waste.
“Congress needs to accelerate its efforts to develop sensible data privacy policies that achieve a balance between user protections and functionality to give TikTok users the advantages they’re accustomed to, such as sharing user-generated content, and for businesses, marketing products and services,” Dahbura said. “The solution will be a combination of regulations that are similar to HIPAA laws in that confidentiality will be expected, and technology under development that can give users the best of both worlds: privacy and functionality.”
Anton Dahbura is a researcher in computer science, co-director of the Johns Hopkins Institute for Assured Autonomy, and executive director of the Johns Hopkins Information Security Institute, which is the university’s focal point for research and education in information security, assurance and privacy.
Dahbura spoke with JHU’s Hub about his concerns with TikTok.
Q: TikTok critics warn that it could be used to collect data on millions of users. Is this a realistic worry?
Anton Dahbura: It’s very much a realistic concern. Basic information such as the locations of users of the app can be used by foreign actors to determine whether someone works in a facility that may be of interest, such as a military or other government facility. But manufacturing, high tech, food production, educational institutions, and many other facilities are also of interest.
For instance, the Chinese government was accused of a data breach of a Marriott Hotel customer database, allegedly to find out who had been staying there.
The Chinese government has a long history of intellectual property theft, so the scope of what they’re looking for goes well beyond classified information or disruptive attacks but extends to industrial espionage to obtain proprietary information. They can quickly sort through millions of records to find persons of interest. They can connect people, so their interest isn’t limited to people who work at key facilities, but also their friends, and even people who live nearby or in the same building.
Once they have a person of interest, they can use them to obtain what they want, such as gaining access through nefarious means to an enterprise system where the person works by launching very specific phishing attacks against the person. Sooner or later, they’ll find a way in.
Q: TikTok says it rigorously protects users’ information and outlines its privacy policies when users enroll. Should users feel their information is secure?
AD: Although the legal aspects of this are outside of my areas of expertise, I would venture to say that all bets are off when it comes to the Chinese government gaining access to Americans’ personal information, regardless of the attempts to set up a legal framework for that access. Any potential security threat would certainly supersede a user agreement.
Q: Some have suggested that the app could be used to compromise/alter the software of TikTok users’ devices, potentially even taking control of those devices. Is this possible?
AD: It’s a possibility, although in the case of the Chinese government, their primary motive is the acquisition of information. They have figured out how to tie pieces of information together for their purposes in ways that most of us had never imagined. FBI Director Christopher Wray has expressed general concerns about the Chinese government having access to the software in phones for cyber operations such as espionage or disruption of computers, mobile devices, and critical infrastructure, but there hasn’t been a specific revelation about this.
Q: How about the notion that ByteDance could manipulate and curate content intended to influence Americans’ views on issues important to China?
AD: This is an issue that we should be concerned about across all social media platforms. There hasn’t been any specific information by the U.S. authorities about TikTok manipulating content. Although Director Wray has expressed general concern, for the moment we should focus on the larger issue of bias in social media in general, especially when the bias and/or misinformation is amplified by the algorithms companies use to manage the flow of content.