Has the TikTok Ban Already Backfired on US Cybersecurity?

Source: Roykas Tenys via Alamy Stock Photo

Now that the US Supreme Court has upheld a ban on the wildly popular video social media platform we know as TikTok, its most influential users have decided to retaliate by moving their game over to REDnote, a competing Chinese social media company, thus creating an entirely new, and arguably worse, situation for the nation’s cybersecurity.

The move to the alternate platform is emerging as a pop culture phenomenon. Of TikTok’s roughly 170 million monthly users in the US, more than 3 million have already headed over to REDnote. Chart-topping rapper Doechii announced her account, with 2.5 million followers, was headed over to REDnote just days before the Supreme Court ruling. Bunnie XO, wife of country music star Jelly Roll, with 7 million TikTok followers, has already declared her love for Mandarin Trap music after spending time on the app. The term “TikTok refugees,” referring to new US users, is trending on REDnote, according to data. Searches for REDnote have spiked 100% over the past three months, and a recent “TikTok refugees” live chat attracted more than 50,000 users across the US and China.

Meanwhile, native Chinese speakers on the app are teaching their new group of US users how to correctly pronounce REDnote’s Mandarin name, “Xiaohongshu,” which directly translates to “Little Red Book,” sharing the same name as Mao Zedong’s book of quotations. Chairman Mao founded the People’s Republic of China.

And, as US TikTok culture jokes about willingly handing over their data to a Chinese company with impunity as payback for the government’s ban of the app, the US national security over TikTok just got even more problematic, according to experts.

REDnote’s Cybersecurity Problems

ByteDance, the parent company behind TikTok, is headquartered in Singapore, and it has tried to convince the US it is run independent of the Chinese government. REDnote, on the other hand, is based in Shanghai, and it’s one of the few social media platforms allowed to operate on both sides of the Great Firewall, making spying on Americans and throttling propaganda aligned with the Chinese Communist Party (CCP) agenda seemingly much easier. For US users interested in the specific terms of service to use REDNote, they are written in Mandarin, leaving the few who want to drill down on the app’s data use to rely on Google Translate or a similar service to decipher the details.

“REDnote appears to be a more dangerous application than TikTok, as its terms of service are in Mandarin and it has not been vetted as extensively as TikTok,” Ted Miracco, CEO of Approov, says. “REDnote’s servers are primarily located in China, which means that user data is subject to Chinese cybersecurity laws that require companies to grant government access upon request. This situation contrasts with TikTok, which has made efforts to store some user data on US servers, offering a modicum of oversight by American authorities.”

That said, national security concerns about a Chinese company controlling such a huge communications platform as TikTok in the US were well founded, according to Lawrence Pingree, vice president of Dispersive.

“I think that there are some valid concerns about the involvement of government agencies in espionage and influence operations that are important issues to address,” Pingree said. “Things like data sovereignty, isolation networks and access, regular trusted third-party audits, background checks, authentication of remote employees, and, potentially, source code review are all prudent measures to require. Bans need to consider the totality of the situation, and the politics of the time.”

And the politics are indeed prickly. Chinese government-backed hackers have been ramping up their espionage activities in recent weeks with compromises of multiple telecommunications networks and a breach of the US Treasury Department systems. Just a day before the Supreme Court’s ruling, President Biden issued a sweeping new executive order on cybersecurity, directly calling out the malign activities of the Chinese government against the US.

The chances of a Chinese company like REDnote complying with any of the US’s TikTok requirements to operate, like audits and background checks for employees, seem pretty slim in this environment.

The Cyber Problem With the TikTok Ban

The ban, which technically goes into effect on Sunday, was narrowly focused on TikTok and simply doesn’t go far enough, Approov’s Miracco adds.

“As the problem of data misuse continues to escalate, focusing solely on foreign platforms like TikTok without addressing the systemic issues within domestic social media creates an incomplete solution. A comprehensive approach is needed — one that holds all social media companies accountable for their data practices and prioritizes user privacy and security across the board,” Miracco insists.

The ongoing larger problem is that legislation and lawmakers continue to lag behind technology, he adds. The ban wasn’t able to effectively meet the moment, creating unintended consequences for US national security.

“The slow pace of legislative and legal actions often fails to keep up with the rapid evolution of technology and tactics employed by bad actors,” Miracco says. “This gap can leave users unprotected against emerging threats that exploit the chaos surrounding the ban. As users seek alternatives to TikTok, they will inadvertently download less secure or malicious applications, including REDnote.”

However, the threat of users migrating to other apps shouldn’t be a deterrent to making decisions to improve US cybersecurity posture, argues Willy Leichter, chief marketing officer of AppSOC.

“The ban may inspire targeted attacks against other US-based social media platforms, but those are already happening. As a general rule, you shouldn’t let the fear of reprisals stop you from taking proactive security steps,” Leichter says. “We need to be prepared for the consequences anyway.”

About the Author

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.