Saltar a la navegación Saltar al contenido principal Ir al pie de página

Project Clover: a year on

30 septiembre 2024

By NCC Group

As we mark the one-year anniversary of NCC Group’s involvement in TikTok’s Project Clover, we’re taking the opportunity to reflect on our work on this high profile and complex programme which aims to give European and UK users assurance and confidence that their data is being kept safe and secure. It is fair to say that the scale and complexity of this initiative, presented a unique set of technical and operational challenges but through our collective capability; experience and creativity, we have been able to deliver on this ground-breaking project, underscoring our technical leadership in cyber security. 

 

Deploying cross-capability expertise  

The different areas of our cyber business are widely recognised as being high quality in their own right, but our real strength comes when we bring together our collective capability to deliver for our clients. On Project Clover, we have a phenomenal network of colleagues from across our different capability areas – cyber security, data protection and physical security - from different regions -The Netherlands, Spain and the United Kingdom all coming together to collaborate, innovate and create value. 

We are a great example of Aristotle’s phrase, “the whole is greater than the sum of its parts”. 

 

Advice, assessment, assurance  

Every day, our colleagues support clients through assessing their cyber security or data protection posture, which naturally means looking at what is already, or about to be, deployed. They also support new systems or changes to existing ones, providing organisations with security and data protection advice based on many hours of experience. 

Our role on Project Clover includes advisory activities as well as the extensive assessment and assurance work we are doing. Our mission includes assuring the code that makes up the security gateways protecting user data in the European Enclave, the Cloud environments that house those gateways and mechanisms used by TikTok’s engineers to maintain their infrastructure. In addition, our team regularly assesses the main application and mobile applications, including a data collection assessment to understand what user data is actually collected.  

All of this is overlaid with that advisory function through constant collaboration between the NCC Group and TikTok teams. 

 

Cutting-edge solutions  

Privacy enhancing technologies (PETs) are the (relatively) new kids on the block and TikTok is introducing them at scale to provide enhanced protection to user data, balancing privacy risk with utility. Our work in this particular area has been to review the proposed approach, including looking at the underlying code base, to provide recommendations on how to improve it, alongside assurance testing to ensure that the output created via the PETs is as intended. 

As TikTok's Community Guidelines Enforcement Report published in June 2024 shows, in our role as independent security provider, we do find areas for improvement and TikTok acts on remediating them in line with our recommendations and within agreed timeframes. 

Our Managed Service team on Project Clover is going beyond a typical security operations centre and is establishing an event monitoring centre that does all the usual security stuff but also looks at the activities of authorised TikTok people to ensure that they are not doing anything that goes against the spirit of Project Clover.  

One of the more challenging areas has been the data collection assessment that is mentioned earlier. It was important that we were able to understand and inspect the application data flows so that we can assess for ourselves what is being collected and where it is going. To address this, we developed custom tools and a methodology that provides a high degree of assurance, which includes decrypting or decoding the data to then analyse it to determine whether it contains user data.  

 

More to come 

Over the past year, our technical team has made significant strides in supporting TikTok to advance the objectives of Project Clover. The complexity of the tasks undertaken has been met with innovative solutions and a truly dedicated team effort, resulting in numerous milestones being achieved.  

It is important to mention that this has not just been a technical project, it has been a true showcase of how technical delivery, resource management, finance, compliance and legal teams work together on exciting projects to share their expertise for the benefit of our clients. 

As we look ahead, we are excited about the next phase of the project. 

NCC Group

NCC Group

NCC Group exists to make the world safer and more secure.

As global experts in cyber security and risk mitigation, NCC Group is trusted by over 14,000 customers worldwide to protect their most critical assets from the ever-changing threat landscape.