You may have seen the recent clip from the Joe Rogan Experience podcast where he and his guest discuss TikTok’s terms of service. TikTok is an extremely popular social media app among Americans, and it is owned by ByteDance, a Chinese company. One of the most concerning portions of the TikTok privacy policy discusses what information the app gathers from your device. TikTok states:

“We collect certain information about the device you use to access the Platform, such as your IP address . . . app and file names and types, keystroke patterns or rhythms, battery state, audio settings and connected audio devices. Where you log-in from multiple devices, we will be able to use your profile information to identify your activity across devices. We may also associate you with information collected from devices other than those you use to log-in to the Platform.”

The last sentence above is very distressing. There are several ways to interpret it, and I will talk about two possibilities here: one is typical of social media applications, and the other would be very dangerous. (Disclaimer: I am not a lawyer. These are my personal speculations as to what the above privacy policy statement might mean.)

The first interpretation of the final sentence is that it refers to information that other applications gather about your online activity and share with TikTok, regardless of whether that activity took place on a device you use for TikTok. For example, you might access your TikTok account exclusively on your phone and separately browse Instagram on your laptop at home. Instagram (Meta) might share data about your Instagram browsing with TikTok even though it occurred on a device you never used to log into TikTok. This type of sharing is commonplace among social media applications and is the reason you might search for a product on Facebook Marketplace and later see ads related to that same product on a different app. A second interpretation, however, would be more dangerous.

Another way to read that last sentence is that it grants TikTok access to information on devices that are in no way connected with your use of TikTok. If true, this could mean access to data on any device connected to the network you use to log into TikTok. Under this interpretation, one of the most worrisome scenarios from a cybersecurity standpoint is an employee logging into TikTok on their device at work: TikTok could then collect information from other devices on their employer’s network. This is especially scary since Chinese companies like TikTok are contractually required to share their corporate data with the Chinese state government.

What does all this have to do with Pittsburgh? If the second interpretation of TikTok’s privacy policy is accurate, it would give China another route to access and collect data from Pittsburgh companies – and that is something the Chinese government would love to do. In 2016, Pittsburgh-based U.S. Steel filed an international trade complaint alleging that the Chinese government stole advanced steel production trade secrets. The information gathered during this breach allowed Chinese steelmakers to produce competitive, advanced products at a cheap rate by side-stepping the research and development costs of these trade secrets. This is not an uncommon phenomenon.

China has been known to steal U.S. designs for some of our most advanced aircraft, such as the F-35 and C-17. It’s not only the D.O.D. that is under threat of a Chinese cybersecurity breach, however. For example, hundreds of gigabytes of data related to cutting-edge U.S. submarine warfare technology were stolen not directly from the Navy, but from its civilian subcontractors. Government contractors and even civilian companies in the manufacturing, energy and pharmaceutical sectors have come under attack as well, with the total loss of intellectual property numbering in the trillions of dollars. Pittsburgh is home to many companies that fall under the sectors described above: we have government subcontractors, manufacturing companies, oil and gas headquarters, advanced robotics research labs, and some of the country’s largest medical firms. Pittsburgh is a ripe apple in the eyes of the Chinese government.

China’s practices are here to stay, and it employs an army of cyber agents working around the clock to steal your information. Their strategy is clear: 1) steal critical design information in order to advance their technology without incurring any research and development costs, and 2) gather massive amounts of personal data (including where you work). Pittsburgh companies must protect themselves against these cybersecurity breaches – it’s more than merely data that you stand to lose.

Imagine the reputational damage of losing your customers’ private information. Imagine the loss of competitive advantage if your trade secrets were swept up in one major security breach (to say nothing of your contractors’ loss of faith). Imagine the loss of business if a customer no longer views you as a secure business and chooses not to send more work your way. Cybersecurity and data backup systems are often seen as a ‘check in the box’ requirement and are not taken seriously until something goes seriously wrong. These aren’t set-and-forget features that you turn on and then assume will work forever. Backup devices and media fail over time, and you may not discover the failure until you need to recover your files or server (not a good time to find out your backups weren’t working). Likewise, cyber threats are ever-evolving, and last year’s firewall settings and anti-virus systems aren’t enough to defeat today’s threats.

If you are (or know) a business owner in the Pittsburgh area and you’re not 100% sure that your data is backed up, that you have an effective firewall in place, that all of your cybersecurity systems are up to date, and that your employees are handling your sensitive data safely, then consider downloading and reading my Network Security Guide. It explains how to gauge whether your company’s security measures up against your competition’s and whether your systems can hold up against a cyber-attack. My company, Ascent Systems, is a computer support and IT consulting firm that handles exactly that. Let us bring surety to your security. If you’re interested in gauging your company’s network security, we offer a free vulnerability assessment that will tell us exactly where you are falling short.

For more information you can check us out at ascent-systems.com.

Best Regards,

John Twigg
CEO, Ascent Systems Inc.

P.S. Regarding the U.S. Steel trade dispute mentioned above, I have been asked how it was resolved. Two years after the complaint was filed, then-President Trump signed an executive order increasing tariffs on steel imports by 25 percent. It is my belief that U.S. Steel’s international trade complaint played an important role in this decision.