TikTok won’t Stop — How can CISOs respond to the latest trends in data hacking and harvesting?

Gilbert Hill
3 min read · Oct 23, 2022

A key feature of GDPR was how it echoed concerns from Chief Information Security Officers (CISOs) about gathering data beyond what is needed to accomplish a given business task. Big fines and scandals around breaches, and the creation of the Data Protection Officer (DPO) role as an internal ‘whistleblower’ for nefarious data activities, appeared to address these concerns. Mission accomplished, or so it seemed.

Almost 5 years on, this message still doesn’t seem to have reached those setting data-collection strategy in some of the world’s biggest tech companies, nor those choosing the techniques used to build their platforms and apps.

TikTok, the short-video sensation that’s among the world’s most downloaded apps, has come under increased scrutiny over how it secures the personal information of its legion of users. TikTok passed a billion monthly users a year ago and now ranks as many young people’s favorite app. That makes it an enticing target for hackers who may seek to hijack popular accounts or resell sensitive information.

Felix Krause, a privacy researcher and former Google engineer, exposed how TikTok uses hacker-style JavaScript data harvesting through its in-app browser, including keylogging and the capture of screen inputs, and a lot of people are upset. While TikTok admits the tracking code is front-loaded into its app, it claims never to use it for anything other than debugging and troubleshooting.

This defence echoes the original argument for cookies — the JavaScript is simply a tool, a means to write instructions that the browser executes. But that is a lot of trust to place in a company which explicitly monetises data. There is now intense focus on TikTok and its parent as the US considers upping its measures against businesses with links to China.

Equally worrying is the fact that Meta violated California law (and its own privacy policy) by gathering users’ location data even though they had turned off location services on their phones. In this case, Meta inferred where users were from their IP addresses and sent them targeted ads.

So far, so annoying, and having been caught in the act, Meta faces a $37 million settlement cost. But in the wake of the recent Roe vs Wade reversal, if such data reached the wrong hands it could have more sinister repercussions.

People and governments are now unlikely to give many companies the benefit of the doubt when it comes to data harvesting, and CISO concerns need to be enshrined in governance policy, which in turn flows through to strategy and delivery. Rather than grabbing all the data that is technically accessible, businesses should take a need-to-know approach, and ‘keeping people on platform’ is not going to cut it as justification.

CISOs will be encouraged by new regulations from Europe with a sharper focus than GDPR. Alongside regulating the activities of smart device manufacturers, two laws in particular have the big platforms in their sights.

The Digital Markets Act (DMA) creates the category of ‘gatekeepers’: large online players with a market share above 10%. From next year, these must give users access to all the data they generate, and must not stop them uninstalling any pre-loaded software if they wish to.

The complementary Digital Services Act (DSA) creates new responsibilities for platforms to prevent misuse of their systems, through risk-based remedial action and independent audits of those systems.

The level of political will behind these laws in Europe is unprecedented, and with the US studying their lead, the time is coming when the benefit of opaque practices is outweighed by the risks. CISOs should hold firm and help demand a tech architecture that lets firms move from “don’t” to “can’t be evil” when it comes to data.
