Montana’s TikTok ban on both personal and work-related devices has caused quite a stir nationwide, and engendered great skepticism among security pros who say it’s an unenforceable law that largely serves as a political swipe at the Chinese government.
More than 30 states and the federal government have moved to ban TikTok on work devices, but Montana’s new law stands as the first outright ban of TikTok on all devices.
The new law, which goes into effect January 1, 2024, would make it illegal for TikTok and app marketplaces to offer the program to Montana residents. It also lets the state impose fines of $10,000 per violation, per day, with the main targets of the fines being TikTok and online app stores such as the Apple Store and Google Play.
One important point: those who already have TikTok installed are exempt from the new law, a major reason security pros believe it’s impossible to enforce. They say users can download the app over the next several months before the law goes into effect, download it in another state once the law goes live, or use a VPN.
“The ban is pointless and technically naïve,” said Willy Leichter, vice president at Cyware. “It's likely the bill’s drafters have a hazy understanding of the technology and are really promoting this for posturing and publicity. While there are growing and legitimate security concerns around TikTok, state laws that stomp on First Amendment rights are unenforceable and technically dubious and will not solve this.”
More security issues ahead
Michael Covington, vice president of portfolio strategy at Jamf, told SC Media that discouraging the major app platforms from offering TikTok will force consumers in Montana to find riskier alternatives, such as sideloading the app after obtaining it from unofficial sources, a move that will likely cause users to lose access to updates, including security and performance fixes.
By failing to see the bigger picture of how this new law exposes users to even more online risk, Montana may open the door to malware that targets users who aren’t ready to give up TikTok. A more effective approach would have been for state legislators to start small and focus on devices owned by state government and, perhaps, state-run businesses, something other states like Maryland have already moved to implement over the past year.
“By focusing on the devices using TikTok rather than the services that distribute the app, organizations operating in the state could adopt technologies that would effectively block the service, ultimately having a greater impact on addressing the data and privacy concerns than a superficial and ineffective ban on app marketplaces hosting the service,” explained Covington.
Cyware’s Leichter pointed out that if a company issues phones to its employees and gives them sanctioned remote access to corporate data, there are many apps they could block, including TikTok.
“But if the company allows access via personal devices, like most do, then they should assume that all personal devices can be compromised, and take other measures to maintain security, such as multi-factor authentication separate from the phone, such as a hardware token or biometrics,” said Leichter.
Ira Winkler, chief information security officer at CYE, added that for those who work at companies that use TikTok for marketing purposes, there’s a “potential” dilemma if some of those people are in Montana.
“The fact is that most people inside most companies do not use TikTok for work, and it’s more of a distraction than it is useful,” said Winkler. “That aside, I don’t know of any company that wants to just ignore the law. So, most will try to adhere to the law until it’s likely overturned. If you have MDM, you might be able to remotely uninstall it if the permissions to do so are set up properly.”
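One way to turn the advice above (block or uninstall on corporate devices, treat sideloaded copies as cut off from store updates) into a routine check, as an added example that is not from the article or from any MDM vendor: a Python audit over a constructed inventory export. The record fields, the installer IDs, the sample devices and the TikTok package ID are all assumptions.

```python
"""Audit a constructed MDM inventory export for TikTok installs.

Added example; not code from the article or any MDM product. It assumes a
generic export with one record per installed app. Field names, installer
IDs, sample records and the TikTok package ID are assumptions.
"""
from dataclasses import dataclass

TIKTOK_IDS = {"com.zhiliaoapp.musically"}            # assumed store package ID
OFFICIAL_INSTALLERS = {"com.android.vending",        # assumed: Google Play
                       "com.apple.AppStore"}         # assumed: Apple App Store


@dataclass
class InstalledApp:
    device_id: str
    ownership: str   # "corporate" or "personal" (BYOD)
    package: str
    version: str
    installer: str   # identifier of whatever installed it; "" when unknown


def parse_version(v):
    """Turn '30.1.0' into (30, 1, 0) so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))


def audit(apps, latest_version):
    """Return (device_id, finding) pairs for a defender to triage.

    block-candidate: TikTok on a corporate-owned device (MDM can act on it)
    sideloaded:      not installed by a store, so it will not get updates
    outdated:        store build older than the current release
    """
    latest = parse_version(latest_version)
    findings = []
    for app in apps:
        if app.package not in TIKTOK_IDS:
            continue
        if app.ownership == "corporate":
            findings.append((app.device_id, "block-candidate"))
        if app.installer not in OFFICIAL_INSTALLERS:
            findings.append((app.device_id, "sideloaded"))
        elif parse_version(app.version) < latest:
            findings.append((app.device_id, "outdated"))
    return findings


# Constructed sample export: one sideloaded copy, one stale store copy.
SAMPLE_INVENTORY = [
    InstalledApp("dev-001", "corporate", "com.zhiliaoapp.musically", "30.1.0", "com.android.vending"),
    InstalledApp("dev-002", "personal", "com.zhiliaoapp.musically", "29.8.2", ""),
    InstalledApp("dev-003", "corporate", "com.example.mail", "5.0.0", "com.android.vending"),
    InstalledApp("dev-004", "personal", "com.zhiliaoapp.musically", "29.0.0", "com.apple.AppStore"),
]
```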
Legal challenges ahead
Legal challenges are already mounting as CNN reported that a group representing TikTok users in Montana has filed a lawsuit on First Amendment grounds. And the New York Times reported yesterday that free speech groups are weighing potential lawsuits over the case.
U.S. officials have cast TikTok as a unique threat to the American digital ecosystem, even as its data collection practices often closely resemble those of other social media platforms. Like the Russian-owned Kaspersky antivirus software and Chinese-owned telecommunications company Huawei, American national security officials say that TikTok — owned by Chinese company ByteDance — is subject to intrusive local laws that could potentially force these companies to cooperate with Chinese intelligence agencies or provide access to their systems and data to assist in "national security" investigations.
But to date, these accusations have been based more on the hypothetical potential for abuse than on concrete examples of spying. A bipartisan group of senators has proposed a bill that would create a process whereby foreign-owned apps like TikTok could be banned or forced to sell to a domestic owner if the Department of Commerce deems them a national security threat.
"It is vital for Congress to establish a process to review and mitigate the harms posed by foreign technology products that come from places like China and Russia," said Senators Mark Warner, D-Va., and John Thune, R-S.D., co-sponsors of the bill, in March.
Some legislators in the House have pushed back against those efforts, saying TikTok remains tremendously popular with American teens, does not pose a unique security threat to the United States and is being swept up in a tide of anti-Chinese sentiment in Washington.
A spokesperson for the Electronic Frontier Foundation (EFF) said that while EFF was not involved in the TikTok user lawsuit that was filed yesterday, the organization is pleased that it was filed and will look for opportunities to support it, such as filing an amicus brief.
“I believe that First Amendment rights are at stake here,” said Chris Vaughan, vice president, technical account management at Tanium. “Questions will be asked during the coming days and weeks about censorship and free speech. For now, it’s up to Montana citizens to let their local representatives know how they feel about this legislation and whether they are in support or against it.”
Mike Parkin, senior technical engineer at Vulcan Cyber, said the issue will likely wind up in court regardless of how the state of Montana tries to enforce it. Parkin said Google and Apple could simply respond that it is not practical to police individual applications on a state-by-state basis, which this law would set a precedent for, and instead opt to close operations in the state.
“Considering Montana has a population of a bit over 1 million people, the major players could take the loss and barely notice,” said Parkin. “Overall, while there may be some legitimate concerns with the Chinese Communist Party having access to TikTok data, it's unproven and probably low quality, though high volume data at best. If TikTok’s parent company ByteDance follows through with its plan to store all U.S. citizen data within the United States and verifiably limit access by the Chinese government to said data, the point becomes moot.”