TikTok, the viral app resident on millions of devices, was recently banned from executive branch devices in the United States, as set out in the recent Omnibus Bill signed by President Joe Biden.

The Omnibus Bill, as detailed in CSO Online’s overview, highlighted that the “legislation required the Office of Management and Budget in consultation with the administrator of general services, the director of CISA, the director of national intelligence, and the secretary of defense, to develop within two months standards and guidelines for executive agencies requiring the app’s removal.” Duly noted was the action taken by the House of Representatives, which immediately voted to ban the app from the phones of House members and staff amid protestations from TikTok, owned by China-based ByteDance.

The federal government is not alone.

State government TikTok bans

State governments have also stepped up and have acted or plan to take action to ban TikTok from official devices, including:

Tennessee: Governor Bill Lee banned TikTok in December 2022.
Texas: Governor Greg Abbott on December 7, 2022.
Indiana: Banned by the Indiana Office of Technology on December 7, 2022.
Utah: Banned by Governor Spencer Cox on December 12, 2022.

It’s important to note that this is not just a US versus ByteDance/China dance. The UK has warned government entities of the risk associated with TikTok, which has resulted in the closure of TikTok accounts within Parliament. Sweden’s Sveriges Television has asked employees to delete the app from their work phones due to “safety concerns.” India, which has a track record of banning Chinese applications from devices for national security reasons, continues to do so. In 2020, India banned TikTok and a number of additional apps of Chinese origin, citing national security concerns.
India had previously taken such action in 2018, when it banned 40 apps.

Universities banning TikTok

In addition, a number of universities, hubs of research and development where the future is often seen up close, have banned TikTok from their devices and network access.

University of Oklahoma
Langston University
Oklahoma State University
University of Central Oklahoma
Northwestern Oklahoma State University
Boise State University
Idaho State University
Auburn University

Universities within Oklahoma were directed by the governor’s office to banish TikTok from their networks, as the governor noted: “Maintaining the cybersecurity of state government is necessary to continue to serve and protect Oklahoma citizens and we will not participate in helping the Chinese Communist Party gain access to government information.”

TikTok spokesperson Brooke Oberwetter was quoted by CNET as taking exception with the bans by universities as based on “unfounded falsehoods” about the app that won’t advance cybersecurity. Oberwetter also called the schools’ policies “rushed” and said they’d have unintended consequences when it comes to recruiting students, sharing information, and building various student communities.

CFIUS continues to review

The Committee on Foreign Investment in the US (CFIUS) review should continue, and if TikTok’s “Project Texas” has legs and will successfully demonstrate the separation of US user data from the rest of the globe, perhaps a rethink will be in order. It would seem a very high bar, however, given that less than six months ago we noted here on CSO Online that Internet 2.0, an Australian cybersecurity firm, had produced the pointedly titled It’s Their Word Against Their Source Code – TikTok Report. Their research showed that the app does indeed connect to China and requests “almost complete access to the contents of the phone while the app is in use.
That data includes calendar, contact lists, and photos.”

TikTok can and has collected user data

Furthermore, there was also the recent revelation that TikTok had indeed used its platform to monitor Forbes journalists. TikTok’s claim that an internal investigation discovered that “individuals misused their authority to obtain access to TikTok user data,” is doing nothing to help TikTok’s position that they won’t and can’t monitor individual users, as clearly it is technologically possible.

National security threat

In early December 2022, FBI Director Christopher Wray called out TikTok as a national security threat and highlighted how the app could be used by China to shape the content seen by users. In other words, as a funnel for Chinese propaganda into the United States. He also observed, in much the same way as noted above, how China could use the app to harvest information, which he characterized as “more traditional espionage.”

Is TikTok touching your users and network?

With nations banning TikTok from their infrastructure and devices, universities attempting to protect the PII and intellectual property within their ecosystems, and the national security concerns highlighted, every CISO must be asking the question: What could TikTok harvest from our users’ devices that would put our entity at risk?

If the answer to that question is “I don’t know,” then perhaps a bit of research is in order to quantify the risk, if any. If the answer is “our intellectual property, information on network configuration, personal information on our employees, email archives one employee at a time, and calendar and contact data of every employee who uses TikTok,” then perhaps a discussion should be had on why TikTok is allowed on corporate devices that touch corporate infrastructure.