SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, or other Apple gear ready to sell, to the first steps to take to secure new hardware, each show contains a set of easy-to-follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 191: TikTok Talk with Patrick Wardle

Posted on July 17, 2020

TikTok. Harmless fun? Or existential threat to the United States? The answer you get depends on who you ask. This week we have a special guest to help us discuss the question in depth — and we’ll get into the larger issues with apps, user data, and digital privacy.

TikTok, apps, and your privacy

In recent weeks, the popular video-sharing app TikTok has made headlines for its practice of monitoring iOS pasteboard data. The pasteboard is iOS's system-wide clipboard: it holds whatever the user last copied, which can include all sorts of sensitive data, and any app running in the foreground can read it. iOS 14 shows a banner each time an app reads the pasteboard, and people trying out the iOS 14 beta started to notice a constant stream of these banners whenever they were using TikTok. TikTok was also found to be checking iOS devices to see what other apps were installed.

All of this resulted in a wave of negative press for TikTok, and even U.S. government officials began to weigh in on the matter. But soon after the issue with TikTok was discovered, it came out that many other apps were doing exactly the same thing! The developers behind those apps gave various explanations for their software’s behavior, with LinkedIn even saying that the pasteboard access was happening accidentally.
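To make the distinction concrete, here is an added Swift example (written for this page, not code from TikTok, LinkedIn, or any other app named above) showing the two ways an iOS app can "look at" the pasteboard. The first function reads the contents outright on every foreground event, which is the pattern the iOS 14 beta banners exposed. The second does the legitimate "is there a URL I could offer to open?" check using the `hasURLs`/`hasStrings` properties and the iOS 14 `detectPatterns(for:)` API, which let the app ask the system about the contents without reading them; on my understanding of Apple's iOS 14 behaviour, only an actual content read (`.string`, `.url`, `.items`) triggers the user-facing banner. The type and function names are my own.

```swift
import UIKit

/// Added example: contrasts an indiscriminate pasteboard read with a
/// privacy-preserving check. Names here (PasteboardProbe and its methods)
/// are hypothetical and not from any app discussed on the page.
enum PasteboardProbe {

    /// The pattern the iOS 14 beta exposed: read the pasteboard contents
    /// whenever the app comes to the foreground, whether or not a feature
    /// needs them. Every `.string` access is a full read, and that read is
    /// what iOS 14 reports to the user with a "pasted from ..." banner.
    static func readEverythingOnForeground() -> String? {
        return UIPasteboard.general.string
    }

    /// The legitimate case Wardle describes (a browser looking for a URL,
    /// a shipping app looking for a tracking number) done without reading
    /// the contents until the user is about to benefit from it:
    ///  1. `hasURLs` / `hasStrings` only ask what kind of data is present.
    ///  2. `detectPatterns(for:)` (iOS 14+) asks the system whether the
    ///     contents match a pattern; the bytes are never handed to the app.
    ///  3. Only if both say "yes" does the app read the value, and then only
    ///     on the one code path that actually uses it.
    static func offerToOpenCopiedURL(completion: @escaping (URL?) -> Void) {
        let pb = UIPasteboard.general

        // Metadata-only check: no content is read at this point.
        guard pb.hasURLs || pb.hasStrings else {
            completion(nil)
            return
        }

        if #available(iOS 14.0, *) {
            // Ask the system to classify the contents on the app's behalf.
            pb.detectPatterns(for: [.probableWebURL]) { result in
                guard case .success(let patterns) = result,
                      patterns.contains(.probableWebURL) else {
                    completion(nil)
                    return
                }
                // The first and only real read, made because we are about to
                // offer the user something with it. This is the read iOS 14
                // would show a banner for.
                completion(pb.url ?? pb.string.flatMap(URL.init(string:)))
            }
        } else {
            // Pre-iOS 14 fallback: a read is unavoidable, so keep it to the
            // single path that needs the value.
            completion(pb.url)
        }
    }
}

// Typical wiring: run the check when the app returns to the foreground,
// i.e. the same moment the indiscriminate reads were being observed.
let foregroundObserver = NotificationCenter.default.addObserver(
    forName: UIApplication.willEnterForegroundNotification,
    object: nil,
    queue: .main
) { _ in
    PasteboardProbe.offerToOpenCopiedURL { url in
        guard let url = url else { return }
        // Present an "Open <url>?" prompt here instead of opening silently.
        print("Copied URL detected: \(url)")
    }
}
```

The point for reviewers and users is that the banner is a signal about *reads*, not about interest in the clipboard as such: an app that needs to know only whether a URL is present can answer that question without ever seeing the user's data, so a constant stream of banners means the app is choosing to pull the contents.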

On this week’s Checklist, we asked security expert Patrick Wardle to share his insights on the TikTok story — and on app privacy issues generally. Wardle is Principal Security Researcher at Jamf, a leading Apple device management platform for enterprise. He is also the developer behind the Objective-See suite of Mac security tools, and he writes an award-winning technical blog devoted to macOS security. In addition, Wardle is a prominent leader in the Mac security community, having founded the Objective by the Sea Mac security conference.

We asked Wardle to start by telling us if he thought it was technically possible that some apps were reading the pasteboard “accidentally” — and if he could see any legitimate reasons why an app might be accessing the pasteboard.

PW: There are legitimate reasons for apps to access the pasteboard; for example, Google Chrome might look for URLs, and if it sees something that looks like a URL, will suggest browsing to that; I think the UPS app looks at the pasteboard to see if it’s a tracking number and asks if you want to track the package. So there are legitimate functionality reasons why apps would do this.

The issue is that there’s a whole group of apps (I think the researchers identified 50+) that would access the pasteboard without providing a reason. And these are well-known apps: The New York Times app, NPR, a whole variety of games, social media apps like TikTok, hotels.com, etc. So everyone’s doing this — which doesn’t make it right, or OK, but again there are legitimate scenarios where this would happen. I think that if an application is actually accessing the pasteboard, then they should explain why they are doing that. 

As for LinkedIn’s excuse that it was “a mistake”? I don’t really buy that. I mean, maybe that was the case, but they’re likely just using it for some other purpose. I believe they did say, though, that they’re not capturing and transmitting pasteboard data, so at least it sounded like it’s all just done locally. And perhaps this was the case with TikTok as well.

So we’re kind of stuck in the middle, as users. It’s like, OK, this is not an ideal behavior, but it might not be malicious, it might not be sending my data to a server in China. But we also don’t specifically know that. At least with iOS 14, there’s now a notification about this, so the issue is coming to light, which I think is a good thing.

But I don’t think there was any “accident”, per se. I think maybe the accident was: “Oh, yeah … we shouldn’t have been doing this!” Or, maybe one scenario, if we’re going to give them the benefit of the doubt, was that it was being used in a debug build but somehow made it into production, or it was a feature that they were planning on using for some legitimate purpose that didn’t get taken out, or something like that.

I’m more inclined to think it’s just an interesting feature of the operating system that provided them more data about user activity. Which, let’s be honest, is what basically all apps are after, right? Especially the free ones! They want to gather as much information about you as possible, not necessarily for surreptitious purposes, but usually to understand and predict user behavior. That’s the value: What are my users reading, what are they doing, where are they located. If you pull apart any free app, you’ll see it basically collects as much data as it can. And that, unfortunately, is kind of just the price we pay for these free applications. I saw a great quote that went something like “TikTok isn’t doing anything more than Facebook does … but that’s not a good thing either way.” 

While dozens of high-profile apps were found to be accessing the iOS pasteboard (some with dubious excuses for their activities), TikTok has borne the brunt of public criticism. Some people have suggested that the video-sharing app is being unfairly singled out due to its origins: TikTok is owned by the Chinese tech giant ByteDance, and for this reason has been the subject of whisper campaigns linking it to the Chinese government. We asked Wardle if he thought that the furor over TikTok was simply about an audio/video app collecting user data — or if it had more to do with the fact that TikTok is an audio/video app from China.

PW: I think it’s a combination of both. I think the China connection is something that we can’t ignore — and this is a really interesting topic if we’re talking about app security and app privacy. 

Say you have an app like TikTok that probably needs access to your contacts, since it’s kind of a social media app, and so again there’s a legitimate reason why it would need access; and it probably would need your location to suggest certain things; it would also need access to your photos and videos … and so there’s a lot of legitimate reasons why it would need extensive access and permissions. 

But the million dollar question is: What is it doing with all of that? 

And if we look at other apps, we kind of have the whole gamut. On the one end we have an app like “ToTok” (not to be confused with TikTok), which turned out to be a government spying application used by the UAE government — the New York Times reported this after it was tipped off by an anonymous source in the U.S. intelligence service. I took a look at this app and did some research with the New York Times, and what we found was that it was basically collecting all the same information that a lot of other apps were, but then it was sending this information off to these back-end servers. So at that point, you wonder where that data is going and who’s doing what with it.

That’s one end of the spectrum, where we have data or intel from an intelligence agency telling us that the people who have access to the data on the back end are using it for nefarious purposes. But if we didn’t have that information, really there’s not anything inherently suspicious about the application per se, if you’re just looking at the binary code, the stuff that runs on the phone, it’s just collecting as much information about the user as possible, and much of that is for legitimate purposes.

So we look at TikTok, and we’re seeing it doing things like enumerating what apps are installed on your device, and you wonder why they need this information. And if we start getting creative, we can imagine that if the Chinese government is behind the app, then if you have other apps on your phone that are perhaps related to your sexual preference, or your political views, that could be very relevant information in the wrong hands. 

On the other hand, maybe the app is just collecting data about users to better target them with advertising. For example, if I have an app installed for a GPS tracker for my dog, another app might be able to see that, and then they know that I have a dog, and so now they can start showing me dog toy advertisements.

So the question is — and I don’t have a good answer for this — how is the data collected by TikTok and all these other apps being used? Is it just for advertising? Because that still isn’t good, but it doesn’t really bother me if someone wants to show me dog toy advertisements. Or is there some government behind it, using this data in select scenarios to collect, for example, intel about potential targets of interest.

Many people, if you suggest that an app may be transmitting their data to a foreign government, are likely to react with indifference. After all, the reasoning goes, as long as you’re not a spy, or working with classified material, why would the government of another country care about little old you — just an ordinary citizen from another country? 

Wardle cautions that although there is, in one sense, some justification for this attitude, it’s not consistent with people’s feelings about their personal privacy generally — and it doesn’t take into account the way in which governments and corporations make use of data in aggregate.  

PW: The average American is probably going to say, “Hey, I don’t have anything to hide, I don’t really care if they have this information”. My reply to that is always, “Well, do you shut the door when you go to the bathroom”? And of course the answer is yes, so it’s like, see, you do care about your privacy a little bit — even if you don’t have anything to hide!

Look, if we’re talking about the data of the average teenager using TikTok, I don’t think anybody really cares about that data per se. But in aggregate, there’s more information there, especially to advertisers. And thinking back to other government operations (and again, I’m not saying that’s what TikTok is), if we look for example at ToTok, the goal there was just mass surveillance aimed at gathering tons of information. If you have that, then, in aggregate, you can start making interesting connections. You see who’s talking to whom; there’s going to be some people of interest that you have a priori knowledge of, and then as you go after that specific individual you have all this aggregate data you can now start to use for tracking and finding other links. And while average individuals may not be of interest to a government, if they’re talking to someone who the government is interested in, then maybe an individual joins that sphere of interest. 

What advertisers or governments will do is collect as much data as possible and then start mining that data for advertising purposes, or just hang onto it, so that if down the road someone becomes “interesting”, then they have all this past data to crunch.

While ordinary citizens may not perceive TikTok as a threat, high-ranking officials in the U.S. government have signaled that they see the app differently. U.S. Secretary of State Mike Pompeo has said that the government is considering a ban on TikTok, citing worries that Beijing may be using it as a surveillance and propaganda tool. 

Yet the government has often ignored highly publicized cases of U.S. tech companies infringing on their users’ privacy (often in ways that seem far more intrusive than anything TikTok has done). This raises the question of whether Pompeo and other politicians are seriously concerned about TikTok as a security threat, or whether they’re simply targeting the app to score political points with their base.

Wardle offers a balanced perspective on the issue:

PW: I think it’s largely a political talking point. Our current administration is rather anti-China, so this fits very well into their messaging and what they’re telling their supporters. When our government talks about TikTok and the Chinese government, I don’t think there has been anything tying the app directly to Beijing. But if there was, then that would be a problem: Facebook is probably collecting the same amount of information, but at least in the United States there are legal protections afforded to companies where the government can’t just show up and grab the data. 

Basically, if you’re working at an intelligence agency or in the military, maybe don’t install TikTok on your phone, because there is a possibility that your information might be useful in the wrong hands. I think that’s probably right for those individuals, and that probably goes for any apps that are developed in foreign countries. It’s just good policy, if you’re a person who’s handling classified information or has a job that’s tied to national security interests, to be careful what you put on your phone! 

But the average American teenager? I don’t see any security risk per se.

TikTok, for its part, is not simply hunkering down and attempting to ride out the storm. The app’s parent company, ByteDance, has appointed a former Disney streaming executive and American citizen, Kevin Mayer, as its new COO, and has also named him CEO of TikTok. Wardle sees this as part of a PR strategy aimed at assuaging the fears of the American public, and perhaps the government as well, a strategy which may be necessary for TikTok’s survival:

PW: I think this is purely a business move. TikTok’s biggest issue right now is this “China connection”, where Americans are kind of freaking out that the app is owned by a Chinese company. So what they’re trying to do is distance themselves as much as possible from that. Hiring a well-known business exec from the United States is kind of a step in this direction. I think they’ve taken other steps as well, for example, they store data on servers outside of China. They’re going to do everything they can to be transparent and do this PR campaign that distances them from China as much as possible. Especially because there are people in the U.S. government threatening to ban, or at least talking about potentially banning, TikTok. And for a business, that would be kind of a death knell — so obviously they’re going to proactively try to do as much as they can to separate themselves from any China connection, real or even just perceived.

This isn’t the first time that an app has worried U.S. government officials for its possible ties to a foreign government: Regular listeners of The Checklist will recall that FaceApp came under scrutiny because its developers were based in Russia, a fact that concerned both lawmakers and analysts at the FBI. For those unfamiliar with FaceApp, the app generated digitally altered photos of its users via AI neural networks. For most people, it was just a harmless diversion: a fun way to see what they’d look like in a few decades, or with a different hairstyle. But the government was concerned about who had access to all of those user photos, and claimed that the app was a potential security risk due to its developers being based in Russia. We asked Wardle to comment on the issue, and asked a somewhat wistful question: Can we never have fun again?

PW: Unfortunately, I don’t think so (not to be a buzz kill)! It’s like, if you’re freaked out that TikTok is tied to China and so you decide you’re not going to use it, OK … but there are all these other social media apps that are collecting just as much data. I’m sure if we looked at Facebook’s privacy policy, or Instagram’s, or any other social media app, they’ll basically tell you that a lot of the content you generate as well as your activities are going to be leveraged, monetized. And that’s what funds these applications — that’s why Facebook is paying billions of dollars when it acquires Instagram. It’s to access all that user data.

Luckily, in the case of Instagram and Facebook, it’s all about advertising. That’s easier to swallow. We’ve all had this experience where we think Facebook or Instagram or whatever has to be listening to us, because the ads we see are sometimes so specific. But the scary thing is, they’re able to provide such relevant ads without actually having to listen in, or turn on your microphone or something — which to me is almost scarier, because it shows how much they know about you! 

So to answer your question about fun — I mean, I don’t have a good answer for that … hopefully you can still go outside and play in the woods, and that should be fine! I think we just have to acknowledge that a lot of the applications we’re using, especially the free ones and the social media ones, are free for a reason. And the price is basically our privacy. And unfortunately, I think the average user just doesn’t care about that.

For a lot of social media apps, Facebook and Instagram and the like, hopefully there’s no nefarious purpose behind them. An app like the face swapping app with the data going to Russia? Well, not to get paranoid, but you can envision a scenario where the government of Russia is now building a database of faces combined with location data. And maybe they can say, OK, I want to go in and do a query to find people in the Fort Meade, Maryland area (which is where the NSA is) who are using this app, and see their pictures. And with that, you might be able to build a database of employees of certain intelligence agencies, which you can then feed into a system at the border. 

So you now have the ability to do a face match when someone enters the country with a passport, and perhaps that person becomes a person of interest. Maybe you approach them with a suitcase with a million dollars and say, “Hey, I know you work for the US government. We’re not going to let you leave the country … or we’re going to give you a million dollars if you just tell us a little bit about what you do”. Granted, this is somewhat of a far-fetched scenario, but it’s also a scenario that could come to fruition based on this kind of information. 

I think the middle ground is that if you’re working in a field where you need to be traveling anonymously, or if the type of work you’re doing is sensitive, be very careful about what applications you’re installing on your phone. 

But if you’re just an average consumer, well, I feel like (especially now in 2020) there are bigger things to worry about. But it’s still important for people to be aware that you’re basically giving away this data when you use an app, and you don’t know where it’s going or who’s using it.

To come back to TikTok, though, I think that this is likely an application that doesn’t necessarily have any nefarious purpose. I mean, we don’t know for sure, and that’s kind of the issue, but they’re probably making money, and if they have a robust business model where they’re raking in billions of dollars a year, it almost makes no sense for them to compromise that business model by doing shady things to track users. 

I always try to look at motivations. It was interesting with ToTok, the government spy operation in UAE, because it was “too good to be true”. The government had banned all of the big social media and video and audio apps, and then introduced this amazing free application that everyone started using — an application with no ads! And … no business model. And so you’re like, OK, well, this is obviously too good to be true. It was almost obvious in retrospect. 

But apps like Facebook and Instagram show ads, so it’s like, OK, my data is being collected so that they can have a well-defined revenue model. So that helps me kind of come to peace with things, because Facebook isn’t going to turn on your microphone to listen to you, as that would get them banned and compromise a very lucrative business. In a roundabout way, that can offer peace of mind, because if you know how apps are making money off of you, then you can also ascertain, in a general way, what they’re doing with your data. And if they’re making a lot of money, they’re unlikely to use that data in illegal ways to jeopardize their successful money-making scheme. 

The Checklist thanks Patrick Wardle for taking the time to talk with us. If you want to catch up with Patrick on social media, you can follow him on Twitter. To read his writing, and to learn more about his malware research and software development work, visit objective-see.com. You may also be interested in Patrick’s previous appearance on The Checklist, in which he discussed iOS encryption and privacy.

If you’d like to get in touch with us — either to suggest a topic or a guest for a future show, or to ask us a question about digital security and privacy — please feel free to write to us.
