Concerns over how much data TikTok collects and how it may be used have led the university to restrict use of the app.
“Espionage is one of the threat scenarios, given the vast amount of data that can be used. TikTok collects a lot of data across the whole device, not just what the app contains. It can also collect data from other parts of the device, like location data,” says Morten Ingvard Falck, Chief Information Security Officer at CBS’ IT Department.
TikTok is now prohibited on CBS devices, and use on private devices that operate CBS applications or that process CBS data is not recommended.
“We have no way of enforcing anything on private devices. But if you are processing CBS data, we recommend removing the app to reduce the risk,” he advises.
CBS is just one of many Danish and international public authorities to leave the platform. In recent months, a growing number of other countries and government bodies have banned TikTok from official devices, including the US, UK, European Union and most recently Australia.
The app, owned by the Chinese company ByteDance, was launched on the international market in September 2017 and is one of the fastest-growing social media platforms ever. In 2021, the company reached one billion users.
Chinese ownership raises doubts
CBS’ announcement to restrict the use of TikTok on its equipment came shortly after the Danish Center for Cyber Security warned state authorities against using the app.
Because CBS is a self-owned public institution, the decision is ultimately its own, but the recommendation weighs heavily. All Danish universities have imposed similar restrictions.
“We don’t have the resources or a research team to deep dive on such a specific topic, so we primarily rely on third-party sources. Centre for Cyber Security is one of those strong sources, but I have also been discussing this with my counterparts at other Danish universities, and a couple of risk assessments have been made. They all reached the same conclusion,” says Morten Ingvard Falck.
The risks, confirmed by the assessments, are twofold. One is that huge amounts of data are being logged. The other aspect is concern over the Chinese ownership, given that the Chinese government has the legal capacity to seize and collect data from Chinese companies, though TikTok denies that its data can be accessed by the government.
“These aspects in total are seen as a risk to CBS, given the assets we have and the research we are doing. But also, for individuals themselves and their personal data,” says Morten Ingvard Falck.
He does not know how many CBS employees were using the app before the ban, nor has his department checked if any still do – though it has the technical capacity to do so.
This is not an absolute ban on TikTok at CBS, however. Exceptions can be granted for business-critical purposes, such as research or external communications, but so far, no requests have ended up on Morten Ingvard Falck’s desk.
Students advised to follow suit
The ban applies only to CBS employees and their equipment, as CBS has no jurisdiction over private devices, but Morten Ingvard Falck recommends students also stay away from TikTok.
“We recommend not using it, but that’s in no way an enforcement. They have their own devices and are allowed to do what they want.”
Whether or not they use it while connected to CBS networks is irrelevant.
“The risk comes down to the device and what is collected by the application, so whether they are on CBS’ network or at home doesn’t play a role.”
In Denmark, TikTok is most popular among young people: 41% of the platform’s users are aged one to 29. Last Friday, the Danish Media Council for Children and Young People, which advises on children and young people’s use of digital media, announced it does not consider TikTok a safe place for children and youth.
While much attention has centred on TikTok lately, many social media platforms and apps collect data and could pose similar risks. According to Morten Ingvard Falck, however, a number of studies suggest that TikTok is the worst player in the game.
In this case, the IT Department has handled TikTok as an isolated case, to act quickly in response to the latest development. Morten Ingvard Falck sees no reason to ban other applications at the moment, but does not think it will end here.
“I expect more cases like this because data, especially personal data, is the new trading currency. We are seeing more and more examples of that – if you are not paying for a digital service, you are trading it for your personal data.”
Is CBS a target for cyber espionage or academic espionage?
“Yes, we are. On a national level, the Center for Cyber Security provides a threat landscape and it has never been on higher alert than now. If we look at CBS specifically, there is definitely a valid and relevant threat. CBS as an institution has some valuable assets, so we focus a lot on how we can provide a safe environment.
“There is also strong pressure from businesses. When they sponsor research, they expect scientists to protect their data.”
The espionage threat towards academia is not new, but it is becoming increasingly digital.
“It has always been there in the physical world. Now we see it in the digital world. We’re seeing an increase in that the bad guys, the dark side, are just getting smarter and smarter and more and more competent. It’s an arms race.”