Technology can be a wonderful enabler. It can help us to grow our businesses, educate our children, increase the speed of gathering information, and facilitate important research, but it also has its downside. In this world of IoT, we have all become inextricably connected—which means that we are all vulnerable to criminality and an ever-evolving state of risk. Risk of exposing our personally identifiable information. Risk of identity theft and fraud.
Cultures throughout the world have varying degrees of tolerance towards accepting such risk for the sake of convenience, acquiring new technology, or even gaining access to goods and services. In the European Union and other countries, citizens’ privacy is paramount and regulations have been put in place to safeguard against misuse of personal information as well as access to citizens’ data.
In the US, we are slowly moving in that direction, but we are a culture of immediate gratification and seek the newest and greatest technical gadgetry no matter what the cost. In our haste to possess that technology, we tend to throw caution to the wind. I have been guilty of it and most of you are probably guilty of it, too. How many of you read the Terms and Conditions and Privacy Statements before clicking that “I agree” button to download an app? The average “Ts and Cs” of an app are approximately 95,000 characters that comprise about 7,500 words and typically contain an inordinate amount of legalese that the average person is challenged to comprehend.
Recently, there has been considerable controversy around two popular apps from China: TikTok and WeChat. The entertainment community has embraced TikTok as an exposure medium and more and more of our youth are getting hooked on it. If you think that is a coincidence, think again—that is the mission. Any ethical hacker will tell you that when doing their reconnaissance, they start with the children to get to the parents, to get to the parents’ employer, to then move laterally across company servers to the payoff.
TikTok
In early 2020, the FBI warned that TikTok is potentially a national security risk, as its parent company, ByteDance in Beijing, has PRC Communist Party officials sitting on its board of directors. There are various claims, including that it has weak security and is frequently used by hackers and child traffickers. The default privacy settings on TikTok are set to a publicly viewable status, but a certain amount of information can be set to a private-only setting. With over 65 million users, there is at least a reason to pause for parents of young children. While the terms of service recommend that children under the age of 13 not use TikTok, they claim that there is a specific user experience that is designed specifically for users between 13 and 18 years old. As a parent, does that make you comfortable?
According to their privacy policy, the information that they collect automatically includes Internet or other network activity information such as your IP address, geolocation-related data, unique device identifiers, and browsing and search history. They also link subscriber information with users’ activity on their platform across all devices using email, phone number, or similar information.
Naturally, any software installation has to have device access, but TikTok seems to go a bit overboard, beyond the model of your device, mobile carrier, time zone setting, screen resolution, operating system, and app and file names and types. Keystroke patterns or rhythms are also a red flag for me.
Metadata is collected as well: when you upload content, you automatically upload certain metadata, which describes other data and provides information about your content that will not always be evident to the viewer. It includes information, such as your account name, that enables other users to trace the content back to your account.
And for those aspiring artists and performers, you should know that the terms of service indicate that you still own the copyright of your content, but by submitting it via the platform, you are granting TikTok an unconditional, irrevocable, non-exclusive, royalty-free, fully transferable, perpetual worldwide license to use, modify, adapt, reproduce, make derivative works of, publish and/or transmit, and/or distribute and to authorize other users of the services and other third parties to view, access, use, download, modify, adapt, reproduce, make derivative works of, publish and/or transmit your content in any format and on any platform, either now known or hereinafter invented.
If you can believe it, it gets worse, but at the risk of being a buzzkill, I will leave it to you to suffer through all of the legalese on your own.
Personally, I have dear friends in China, and WeChat offers a free platform for voice calls, video calls, and text messaging, and offers PRC citizens a window to the world in terms of communicating across the globe—avoiding expensive phone and data charges through traditional means. Users can also share music, travel videos, and event photos (“moments”). WeChat’s parent company Tencent also offers a development program for developers who want to leverage APIs to integrate WeChat into their websites and mobile apps.
For paid services related to these development tools, I was not pleased to learn in the WeChat terms of service that users automatically grant authorization to WeChat to save the user’s chosen payment method information (e.g. credit card information) on their systems. This runs afoul of the PCI-DSS standard for eCommerce here in the US.
Regarding content—which is similar, but not quite as heavy-handed as TikTok—users grant WeChat and their affiliate companies a perpetual, non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use that content for the purposes of providing, promoting, and developing existing services as well as any new services that they might provide in the future.
Personally identifiable information, in accordance with the WeChat privacy policy, is pseudonymized and aggregated to “enhance the WeChat experience” and is not shared without a user’s consent, which is some consolation. However, for content, they expressly indicate that WeChat and their affiliates may copy, reproduce, host, store, process, adapt, modify, translate, perform, distribute, and publish such content worldwide in all media and by all distribution methods, including those that are developed in the future.
So, to contrast apps such as TikTok and WeChat with, say, a US app such as Google: Google’s terms of service state that any user content remains the user’s, which means that you retain any intellectual property rights that you have in your content. They claim that they need your permission if your intellectual property rights restrict Google’s use of your content, although you provide Google with that permission through this license. Incredible, isn’t it?
The Bottom Line
Proceed with caution when choosing any app and decide if you can live with a possible dire consequence that may rear its ugly head in the future—whether it’s your PII being sold on the dark web, seeing your intellectual property on some other website, or compromising your address book on your device. For good reason, there has been a convergence of cybersecurity and privacy in our global environment today, which demands that you educate yourself and your children about the pros and cons of digital communications and employ good old common sense. Your mother was right: If it sounds too good to be true, it probably is.