While institutions across the world have started banning TikTok from their employees’ devices over security concerns, experts say Malta’s plan of action may not be enough to protect against the social media scourge.
According to the Malta Information Technology Agency (MITA), TikTok, like other social media sites, is not part of the select list of applications allowed on government devices.
Yet the country has not committed to a blanket ban, as specific public sector workers who are eligible for an enhanced internet package known as the Standards Plus Internet Package can still access the platform from their device’s web browser.
In other words, users with the Plus package are able to google TikTok and view it through Chrome, Internet Explorer or any other web browser from their mobile device despite not being able to download the app.
By only allowing government users to access the app via a web browser, MITA is protecting users from having their device altered but is leaving the door wide open for data collection and gathering, program analyst Neville Grech told Times of Malta.
“If the Chinese government is controlling TikTok, then they could access this data,” he said.
Asked what type of data it can access from a browser, Grech replied: “probably more than you think”.
According to MITA, accessing the platform from a web browser has a similar risk profile to using other social media websites as it is contained within the device’s web browser.
'Negligible' TikTok use
Between February 8 and March 10, MITA recorded 53GB worth of traffic from government internet on TikTok via web browsers, a value it deems to be “negligible”.
Anything that the TikTok app gathers as part of the design (like video history) can be gathered irrespective of whether TikTok is installed as an app or viewed on the browser, Grech said.
“They can create a unique signature of your device, understand what you're using it for, where you are, an approximate profile of your browsing history.”
Other apps or sites that are open could potentially leak information into TikTok's front end if this has been carefully crafted to do so, he explained.
MITA grouped the app’s security risks into three categories.
Firstly, the type of data collection and personally identifiable information; secondly, the possibility to compromise/alter the software of users’ devices; and thirdly, the possibility to manipulate and curate content intended to influence public opinion.
Personally identifiable information, a term used within the industry, refers to any information that can be used to identify a user, such as physical and IP addresses.
Even less direct sources of information such as date of birth and race can be combined to find exact users.
When accessed via a browser, the social media platform is required to ask users for permission to access data.
Yet, as many users are seeking content, they may have a tendency to tap ‘accept’ without checking what permissions they are giving, Grech said, in a similar way to most users accepting terms of service without checking them.
Extreme cases may see advanced hacking techniques such as remote code execution used to transform a phone or tablet into a spying device. However, such practices tend to be expensive and rarely worth it, Grech said.
“From a ‘hacking’ point of view, it is easier and cheaper to construct a malicious app installed on the phone than run on the browser.
“Having said that, I don’t think TikTok would overtly hack users’ devices because, if they did so, there is a good possibility that someone would find out,” he said.
Espionage worries
Ever since its rise on social media in 2018, TikTok has been in a controversial spotlight, as claims that the app is spying on its users have led to its ban by institutions in multiple countries.
The US, Belgium and the UK are among the countries that have started banning the app on government employees’ devices following allegations of data espionage. EU institutions have also followed suit, the first time they have banned a social media app from work-related devices for security reasons.
In March, TikTok CEO Shou Zi Chew was grilled at a US congressional hearing as lawmakers questioned the app’s relationship with the Chinese government and the privacy of its American users.
Chew unequivocally denied any relationship between the app and the Chinese government during the hearing despite several recent revelations pointing to a closer connection.