The Information System Authority (RIA) has barred its employees from using TikTok, a social media app that has conquered most of the world, and is recommending that everyone consider the consequences of installing the app, which RIA says presents a security threat, on their device.
Since the end of June, all phones belonging to RIA employees have been barred from downloading TikTok, and the decision has also been forwarded to other state institutions and ministries so that they can consider banning the app from official devices as well.
Tõnu Tammer, Head of CERT-EE, RIA's cyber incident management department, told ERR: "The decision was made right after two Lithuanian journalists published a story on Boredpanda, stating that TikTok is, in its essence, a data collection app facaded by social media."
The Boredpanda article, along with many others appearing before and after that, refers to different threats related to the China-based video-sharing app. The Wall Street Journal wrote in August that TikTok has been avoiding data protection regulations set by tech giant Google.
Tammer noted: "That was forbidden by Google in 2015. Three years later, TikTok came out and ignored regulations and went the way of collecting data that they should not have."
A report published by U.S. cyber security company Penetrum stated that TikTok collects far more information about its users than necessary. In addition, there are gaps in the app's code, which should make users very cautious about using it.
Tammer noted two main nuances: "First, the app collects a large amount of information from the phone and from the phone's internal data - any applications in use. Actually, TikTok does not need to 'know' whether or not I have downloaded the ERR app, for instance. In some cases, GPS locations [are harvested] every 30 seconds to see where the user actually resides."
TikTok hides the data collection "rather well", making the app even more suspicious, he said. "There is extensive cryptography implemented and action taken to conceal it. Plus, the app changes its behavior when it notices it is being poked and investigated," Tammer noted.
Tammer pointed to the app's security weaknesses as the second problematic point. "The app - in its essence - is a security risk, able to compromise the device and gain access."
Tammer said he did not want to publicly state that TikTok is a data collection app and not a social media app as such.
He explained: "But looking at the available data, it is clear why the U.S. sees it as a security threat. We also see problems. Evidence pointing to it being still waters that run deep is adding up."
India has banned the application nationwide, and the United States will follow starting in September. In addition, many European countries, including France, are investigating the app.
Swedish public broadcaster SVT barred employees from downloading the app, citing security risks. The Swedes also noted that TikTok "shares more info than necessary."
RIA does not investigate application security
Although RIA has banned the use of TikTok on official devices, it has not itself conducted an investigation into the app.
Tammer said: "That is one thing we tried to avoid because there are hundreds of thousands of applications, if not millions. We cannot go over each of them. That is what we also said in the context of Yandex (a ride-sharing taxi app - ed.), we do not have that capability. It is important to note that the Google Play Store and Apple Store check the validity of apps."
He noted that RIA partners from the U.S. have directed attention to other potentially dangerous apps. "We have not taken the apps to assess them because tomorrow a new version will be developed and the situation is completely different," Tammer said.
For example, Tammer pointed out an infamous app used by the Chinese State Taxation Administration, which foreign entrepreneurs are also obligated to use. In July, a backdoor was discovered in it, but instead of the Chinese authorities announcing that they had removed the backdoor, or acknowledging the potential security threat, it silently disappeared.
Tammer said: "In actuality, [app developers] are trying to create an impression that such risks did not exist and you can't identify they even existed. It is a strategic risk for solutions coming from society: we do not know if and how solutions in the communist regime are developed and constructed and how they meet the principles and values of a western society."
Editor: Kristjan Kallaste