TikTok, Nosy Apps and Your IT Security: What Employers Should Know
“It’s a question of, ‘Does TikTok really need all this when it’s supposed to be a place for people to share fun videos?’”
Memes, funny videos and entertaining dance routines are often what go viral on social media these days … but earlier this year, it was a warning about social media that became the talk — or should we say Tok — of the internet.
Sharing on the social news platform Reddit in April, someone known only as “bangorlol” methodically laid out a devastating indictment of the enormously popular video-based social media app TikTok. The Redditor claimed to have reverse engineered the app and concluded that “TikTok is a data collection service that is thinly veiled as a social network. If there is an API to get information on you, your contacts or your device … well, they’re using it.”
Among other things, TikTok stood accused of constantly monitoring users’ geographic locations, their phone memory space and other apps they’d installed. TikTok would later respond that the company was collecting the data to serve their users better and make fixes and updates to the app as necessary … but many found that explanation lacking.
“It’s not that TikTok was doing evil with the data, or doing evil with their access,” said Devika Kornbacher, a partner in technology transactions and intellectual property at V&E. “It’s a question of, ‘Does TikTok need all of this data when it’s largely a place for people to share fun videos?’”
TikTok’s data collection practices raise concerns for employers. It’s common for employees to have email and other work-related apps on their personal devices. When those devices are also home to TikTok or other data-collecting apps, that poses a risk to the security of corporate information.
“TikTok in particular has access to the clipboard on an iPhone, and that clipboard is universal across the phone. Anything you cut and paste to your clipboard within the corporate environment on your phone, TikTok would have access to,” explained Jeff Johnston, a V&E partner in government investigations and white-collar criminal defense.
Johnston and Kornbacher noted that TikTok is far from the only mobile app that collects a significant amount of information from users. The app faces intense scrutiny, however, because of its popularity and because, as it is owned by a Chinese company, there are fears that it will share information, freely or otherwise, with the Chinese government. Kornbacher added that users should take privacy concerns seriously no matter what app they’re using and where the app’s owner is based.
“I don’t want employers to get so myopic and focused on TikTok that they’re not thinking through other apps on their devices that may collect similar data or have access to similar data,” she said. “There is fear, and rightly so, of the Chinese government taking company trade secrets. But employers should remember that there is domestic espionage as well.”
So how can employers protect their data in an age of nosy apps? Here are a few options to consider:
Remove TikTok from Company-Connected Devices
It certainly seems like an easy fix: remove TikTok from any company-controlled device and require removal of TikTok on any personal device that is used to access company information to eliminate that particular security threat. That’s a route some employers have taken, but that move alone doesn’t mean your company’s IT department will be sleeping soundly at night. As noted earlier, other apps may also present security risks, and new ones are being developed every day. Will your company be engaged in a perpetual game of whack-a-mole to ban them all? And how will employees react to having so many restrictions on how they use their own personal devices? “It becomes a slippery slope,” Kornbacher said.
Mandate Separate Devices for Personal and Corporate Use
Many are old enough to remember when it was standard practice for employees to carry one mobile device for work and one for personal use. For the sake of keeping their professional and personal worlds apart, some employees maintain this practice to this day … and indeed, it can be an effective way of attempting to keep a snooping app far away — an entire device away — from sensitive corporate information. But many today would find carrying two separate devices to be inconvenient, to say the least. And for employers that have completely moved away from providing company-owned devices to employees, there’s an additional headache: reclaiming responsibility (and bearing the costs) for purchasing and maintaining those mobile devices.
When companies largely moved to allowing employees to use their personal devices for professional use, “it got rid of a large line item for companies because they didn’t have to purchase devices and do refreshes of equipment every few years,” Kornbacher explained. “Does a company really want to capitalize a thousand devices when it doesn’t have to?”
In addition, this strategy does not wholly eliminate the risk of apps like TikTok if the personal devices are still in the room when company information is being discussed.
Use of Container Apps
An increasingly popular solution among businesses — whether they choose to ban certain apps or not — is installing what are known as container apps on mobile devices: tools that essentially wall off key apps from everything else on a given device. If your corporate email or document-editing app, for instance, is protected by the container, the container will stop TikTok or any other app from accessing information that those apps hold. Even if an employee wanted to cut and paste text from a corporate email into a personal email, the container would make that impossible.
“It’s like Vegas,” Kornbacher said. “What happens in the container stays in the container.”
As with other solutions, however, containers come with their own drawbacks. For one thing, companies must pay for licenses to access container-friendly versions of their favorite apps since traditional apps don’t work within containers. What may be worse is that not all apps even have container versions yet. If your go-to app isn’t workable within a container, you may need to build back doors into your container to allow access by that app … which creates a security vulnerability.
Finding the Right Balance: Developing a Culture of Security
At the end of the day, the security of company information is proportionate to the company’s investment in developing a culture of security. While policies and managed security tools are important, educating employees on their role in protecting the company’s information assets can be the difference between an effective information security program and a war with your own employees over what happens on their own devices.
Ultimately, it’s up to employers to establish an environment where mobile device security is strong, but not so strong that it paralyzes employee productivity. “It’s an exercise in risk mitigation,” Johnston said. “Companies have to evaluate the security risk versus the impact that security protocols have on their users and the users’ ability to work. You weigh those things and you try to come up with the right result for your company.”
This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.