TikTok is currently the 6th most popular social media platform internationally, with over 1.6 billion users total; of that number, over 150 million are in the U.S. alone. As the platform continues to grow, organizations are increasingly concerned about potential risks posed to privacy and security. To date, TikTok bans have focused on national security risks. In this article, we will explore the unique challenges educational institutions are facing in determining whether and what action(s) are necessary for the use of this platform within their communities.
Understanding the Risks
Reports have alleged that U.S.-based TikTok user data may be regularly accessed by employees at its parent company, ByteDance, potentially compromising personal information. Similar missteps have been reported with other social platforms, including by the employees and contractors of Facebook and Twitter.
When used maliciously, personal data obtained from social media platforms can be exploited to target an individual for phishing and misinformation campaigns, infer their physical location and device details, and deliver malicious payloads through in-app communications. All of which can unintentionally cause individuals to act against their own self-interest through deception. The most significant concern raised in higher education is the potential identification and targeting of users – particularly minors, dissidents, politicians, researchers, and military personnel. Secondary concerns related to the misuse of this data include negative implications for brand image and reputation.
Related: Hear from our data privacy experts in our CyberSound podcast episode
Bans in Government and Educational Institutions
Following the federal lead, multiple U.S. states and municipalities now ban employees from using the TikTok platform. Despite this, many states with public university systems have exempted educational institutions from these bans in recognition of the app’s potential as a tool for communication, recruitment, and student life. Acting independently in response to these bans, some schools have opted to prohibit institutional use by imposing network-level blocking.
The efficacy of bans, through policy or otherwise, is debatable. For example, network-based restrictions have the potential to be bypassed through mobile networks and other means. Institutions must carefully anticipate the potential backlash from students and faculty when considering an extensive ban, given the widespread use and likely ease of sidestepping blocks. More holistically, the debate is one that applies to all social media, regardless of platform.
Social media users are inherently comfortable and willing to share personal activities with others publicly. Acknowledging and recalling this dynamic is important, especially with students who frequently use platforms like TikTok for foundational social interaction with peers. It is more effective to build community awareness of social media policies and best practices in place of prohibition.
Special Considerations for Grant-Funded Institutions
Institutions that receive government grants with stringent information security requirements face additional challenges. Many of these institutions have chosen to ban TikTok use by any grant-associated individuals, including faculty, staff, and students. Furthermore, the use of personal devices for accessing TikTok is often prohibited within these groups to minimize the risk of data breaches.
Managing the Risk: Best Practices
Clear and effective communication with community members is crucial in managing employee behavior on TikTok and other social media platforms. Organizations should revise policies governing communications, social media, privacy, and data security where necessary. Where policies are rapidly changing or poorly socialized, embark upon an awareness campaign to inform employees. These can remind individuals of their obligations and the potential consequences of privacy violations.
To effectively manage the risk of employee-caused privacy violations through TikTok and other social media, consider implementing the following best practices:
- Develop and enforce clear social media policies.
Establish comprehensive guidelines that outline the acceptable use of social media platforms, including TikTok, and educate employees about privacy and security best practices. - Foster a culture of cybersecurity.
Promote a culture of cybersecurity awareness throughout the organization. Encourage reporting of suspicious activities and provide channels for employees to seek guidance on privacy and security concerns. - Provide regular training regarding data security.
Encourage appropriate handling practices for sensitive data. Highlight the importance of safeguarding personal and organizational information due to the financial and reputational impact of a lapse. - Implement technical controls.
Utilize network-level blocking, firewalls, and content filtering to restrict access to social media on organizational networks associated with restricted or sensitive activity. Provide free-access networks to accommodate legitimate uses of social media. - When necessary, monitor and enforce compliance.
Regularly monitor employee social media activities to ensure compliance with organizational policies. Implement appropriate disciplinary measures for violations to maintain accountability. Avoid monitoring where unnecessary to ensure employees maintain a sense of privacy.
Why It Matters
Managing the risk of employee-caused privacy violations through TikTok requires a multi-faceted approach that combines clear policy expectations, enforcement where necessary, community outreach, and technical controls. Due to the fact that complete bans may not always be feasible or effective, organizations can adopt proactive measures to mitigate the risks associated with TikTok use. By prioritizing privacy, security, and open communication, organizations can strike a balance between employee engagement and protecting sensitive information in an increasingly connected world.
Interested in learning more?
Contact us to craft the appropriate policy for your institution.