The Chief Administrative Officer (CAO) of the House of Representatives is warning members of Congress about using TikTok in their official capacity.
In a two-page memo sent to Capitol Hill staffers Wednesday and obtained by Politico, the CAO recommended that congressional offices refrain from downloading or using the Chinese-owned social media app to conduct messaging for members, citing national security concerns. The CAO memo specifically mentions the app’s excessive permissions requests, its lack of transparency in how it protects user data, and potential security risks stemming from using the app. It also mentions how the app harvests content for data, including information that could be sensitive.
“TikTok is a Chinese-owned company, and any use of this platform should be done with that in mind,” the office wrote in the memo. “The ‘TikTok’ mobile application has been deemed by the CAO Office of CyberSecurity to be a high-risk to users due to its lack of transparency in how it protects customer data, its requirement of excessive permissions, and the potential security risks involved with its use. Additionally, we believe the user base should be aware that this application is known to store users’ Data Location, Photos, and other Personally Identifiable Information (PII) in servers located in China and potentially mined for commercial and private purposes.”
The memo notes that TikTok “actively harvests content for identifiable data.” According to the memo, “TikTok ‘may collect biometric identifiers and biometric information as defined under US laws,’ including ‘faceprints’ and ‘voiceprints,’ from videos users upload to their platform.”
The memo also notes that the app automatically collects information about devices that use the app, including location data based on the device’s SIM card, IP address, and GPS data; information about users’ use of the app, including the content the user creates or uploads; data sent in messages on the app; metadata from uploads; cookies; file names on the device; battery life; and even the user’s keystroke patterns and rhythms.
The CAO also cited several specific security concerns:
- Device mapping – the app can gather a list of all other apps on the phone and retrieve those that are running
- The app checks the device’s location every hour
- The app has ongoing access to the phone calendar
- The app “continually requests access to contacts until given”
- The app requests external storage access
- The app saves images in the device’s photo album
- According to the CAO, the app may also be able to access other information, including Wi-Fi networks, device and SIM card serial numbers, device ID, phone number, GPS information, and the clipboard.
“To reiterate, we do not recommend the download or use of this application due to these security and privacy concerns,” the memo concluded, citing a separate report from 2020 that military services had already banned the use of the app.
Several Democratic members of Congress who had begun using the app expressed concerns to The Hill. “We only just put something up for the first time. So it’s not something I have used extensively. I do have concerns about the company. … So this is always a dilemma,” New Jersey Rep. Tom Malinowski told the outlet.
“TikTok has been a way to reach young and otherwise disengaged people, but now that we have more details about the security risks of having it on government devices, we will pause on usage until we feel safe and get further clarity,” a spokesperson for New York Rep. Jamaal Bowman added.