The situation TikTok is in is unique. The pressure from the United States government on China has never been higher. There have already been knee-jerk reports about how TikTok would operate with Oracle's guidance and how the mass amounts of consumer data the viral social media platform currently possesses and is collecting would be structured. The details are still not totally clear. Regardless of the nature of the relationship, if Oracle does engage with TikTok in any way and put its brand name on the line, it has a big cybersecurity and data privacy challenge in front of it. Most importantly, it needs to ensure the nefarious nation-state China doesn't still have its fingers in the mass amounts of consumer data and architecture when the deal is done.
We asked top cybersecurity experts their opinions on the deal and what Oracle needs to do to ensure security and privacy for TikTok's US operations.
Chester Wisniewski, principal research scientist, Sophos
While I am not privy to the agreements between Oracle and ByteDance, from what I have seen reported, Oracle's agreement is simply to take over "US operations" and not the development of the backend code nor the app that is installed on user devices. This lack of transparency into the app's operations seems an odd compromise considering the allegations that led the US government to threaten to ban the application.
While data sovereignty (housing the data in the US, requiring access to obey US law) is certainly a concern, the larger concern from my perspective is the behaviour of the application itself and what and how it decides to present certain content to certain users.
Oracle operating the US data centers does not seem to address this issue and it will certainly be interesting to see whether Washington stands up to China's demand that they not share the code. With the allegations of foreign powers attempting to manipulate people through social media as we head into the 2020 Presidential election, control over what and how people see information may be far more important than the ability to simply demand to see my dance videos.
Jimmy Tom, research advisor, security, privacy, risk & compliance at Info-Tech Research Group
“The Oracle-TikTok deal is not a full divestiture of TikTok's US operations. ByteDance will maintain ownership and control over TikTok's business assets and technology intellectual property (IP).
As such, TikTok's algorithm, artificial intelligence (AI), and source code will remain proprietary to ByteDance and the management of user data will reside with Oracle. This raises a serious concern around the processing of the data, also known as “data in use.” Under this scenario, in order to ensure that U.S. consumer data is secure and national security is protected, Oracle must have oversight and control over the data at all stages: at rest, in transit, and in use.
To achieve this, Oracle will need to:
1. Maintain sovereignty of U.S. data by ensuring that it is processed and stored in the United States;
2. Ensure that user data is safeguarded from data leakage to TikTok's operations outside of the United States;
3. Ensure that any user data that will be processed by ByteDance's algorithms and AI will remain in the United States.”
Chris Hass, Director of Information Security and Research, Automox
“It's critical to give your IT teams as much time as possible to review the target company's cybersecurity standards, processes, and protocols before the acquisition. If your IT team doesn't feel comfortable with performing the assessment, which is often the case, allocate a third-party resource to complete the evaluation.
Visibility is vital; shadow IT can be a massive threat during an M&A: unaccounted devices, misconfiguration, or just poor configuration standards in general can open up an organization to attacks from both outside and inside the organization.
Intensive data mapping must be performed to understand and prevent data from flowing in the wrong direction. This is a crucial step in ensuring your customers' data and privacy are handled correctly and securely.
The security assessment of the target company should not be a point in time assessment; it must be ongoing. This helps ensure that security policies and processes are maintained, and a standard is continuously set for the target company to achieve.”
Chris Hauk, Consumer Privacy Champion, Pixel Privacy
“Oracle needs to go over the TikTok code with a fine-tooth comb to ensure that information isn't improperly being shared back to China. Unfortunately, there is no way to know what data the Chinese have already gleaned from the app.
Oracle should also modify the code so that it uses its own cloud computing structure, not that of TikTok's parent company.”
Paul Bischoff, Privacy Advocate, Comparitech
“Oracle will need to do an audit of TikTok's source code and ensure no data is being sent or stored on Chinese servers. The audit should ensure that no data is being surreptitiously exfiltrated and that there are no backdoors. Oracle will also have to ensure that TikTok is GDPR and CCPA compliant. One point of concern might be whether user data from prior to the sale is removed from Chinese servers. It would be difficult to guarantee that no copies of the data are stored somewhere in China.”