The app has been banned by various governments around the world
The UK government has officially banned the TikTok app from devices across government due to national security concerns.
Oliver Dowden, chancellor of the Duchy of Lancaster, confirmed the decision during an address in House of Commons on Thursday.
Dowden’s speech followed days of speculation that the UK would follow the decision of other governments around the world, banning the controversial app from government devices.
“Given the particular risk around government devices, which may contain sensitive information, it is both prudent and proportionate to restrict the use of certain apps, particularly when it comes to apps where a large amount of data can be stored and accessed,” he said.
“This ban applies to government corporate devices within ministerial and non-ministerial departments, but it will not extend to personal devices for government employees or ministers or the general public.”
Dowden added that there will be very specific exemptions for the use of TikTok within government “where it is required for operational reasons”.
These exemptions will only be granted by security teams and with ministerial clearance.
Tom Tugendhat, the country’s security minister, had already tasked the National Cyber Security Centre (NCSC) earlier this week with reviewing the app, according to Sky News.
What are the TikTok security concerns?
The app has raised concerns about the extent to which it harvests users’ personal data.
In June 2022, the FCC commissioner called for Apple and Google to remove the app from their stores due to its data practices.
Commissioner Brendan Carr said the app collected sensitive data, and pointed to a report which stated that Chinese officials have accessed TikTok’s sensitive data that had been collected from US citizens.
TikTok is essentially a sophisticated surveillance tool, Carr suggested, which harvests extensive amounts of personal and sensitive data. This includes browsing histories, keystroke patterns, and biometric identifiers.
Is TikTok safe to use?
Citizen Lab researchers said the app collects information about the device it’s installed on and a user’s usage patterns in a 2021 report. This is then sent to other social media companies and is used to track users across those platforms.
“While the level of user data collected by TikTok is similar to other major social media platforms, the general privacy standards for social platforms is not a high bar.
Social platforms generally do not adhere to data minimisation principles,” said Citizen Lab. “The device information and usage patterns they collect are not necessary to provide the core functions of the apps. The social media industry also largely profits from targeted advertising, which relies heavily on data collected by social platforms.”
The research unit, part of the University of Toronto, said that while there’s no overt data transmission to the Chinese government by TikTok, if any user data is stored in the country it increases the chance that the government is able to access it.
A report from Kaspersky noted that the risk to the everyday consumer is low given that they are unlikely to be storing information related to national security on their devices, adding that the risk is no greater than that presented by installing other social media apps.
The security firm highlighted the fact that no concrete evidence of the Chinese government accessing TikTok data has been established.
TikTok opened data centres in Europe last month for local storage of personal data. The decision was made to reduce latency, allowing users to access data locally, as well as helping to address concerns over the transfer of personal data to the country, Frank Jennings, partner and head of commercial at Teacher Stern LLP, said at the time.
However, Jennings said that keeping the data in the EU won’t necessarily fix all the problems the company faces when it comes to data protection.
“It wasn’t that long ago that a New York District Court forced Microsoft to hand over customer data it was holding in its Dublin data centre under the aptly named “Clarifying Lawful Overseas Use of Data” – aka the Cloud Act,” he said. “No doubt the Chinese government will have such powers too.”
What countries have banned TikTok?
Former US president Donald Trump banned TikTok in August 2020 due to concerns around security as well as a growing trade war between the US and China. The order against the app detailed that it threatened national security due to the amount of data it collected on its users.
However, this was revoked by president Joe Biden in June 2021, although he ordered the commerce secretary to determine if apps linked to the country’s rivals posed a national security risk.
Since then, 32 US states have banned the app on state-issued devices, over half of all US states, according to CNN.
In February 2023, the European Commission and Council of the EU also banned staff from having the app due to security concerns. A week later, the European Parliament followed in the footsteps of the other two institutions and implemented the same policy.
This was mirrored by Canada too, which also decided to ban TikTok from all government-issued devices. The nation’s chief information officer (CIO) reported that TikTok posed risks to privacy and security.
In March 2023, Denmark’s Defence ministry also banned the app from staff phones, according to AP. The ministry said it was due to a risk of espionage.
The move was followed by Belgium which banned the app from all government phones due to privacy and cyber security concerns.
Security experts on the UK’s TikTok ban
“I’m unsure why the UK government still needs persuading from the NCSC that TikTok is a dangerous piece of surveillance technology when the rest of the world is very aware, and is slowly but surely banning its use,” said Jamie Moles, senior technical manager at ExtraHop. “The UK government must stop its officials using technology that puts our economy at risk.”
Moles said that having the app on your phone is the same as giving the Chinese government the keys to the UK’s economy.
The ban itself isn’t only limited to the government, as many chief information security officers (CISOs) are considering banning the app from company devices, said Ismael Valenzuela, vice president of threat research and Intelligence at BlackBerry.
“I suspect that only a limited number of CISOs are aware of TikTok’s privacy policy statement. While attacks on the supply chain are a real concern today, privacy risk should also be a top priority for CISOs of high-risk organisations,” said Valenzuela.
“This is because personal data on company executives and other important individuals can be of great value in the hands of financially motivated attackers or the state.”
Adam Marrè, CISO at Arctic Wolf, said it was good that the UK government was addressing the TikTok issue, especially as more users join the platform.
“Although we should be cautious when using all social media platforms, no matter who owns them, TikTok is collecting massive amounts of information from consumers like user location, voiceprints, calendar information and other sensitive data,” said Marrè. “The issue is we don’t know what this data is being used for, or if a foreign government has access to it.”
The concerns around TikTok are due to ensuring there’s a chain of trust when it comes to data protection, said Simon Mullis, CTO at Venari Security. “This has proven to be challenging when it comes to TikTok.
“In fairness, the ban is as much political as it is a consequence of the technical design of the application,” said Mullis. “Is the TikTok design and architecture so wildly different from other social media applications in widespread use as to cause massive security fears? The answer is: ‘probably not’.”
On a technical level, Mullis said there have been reports of insecure protocols used by the company, and employees accessing US user data and potentially sharing this with Chinese authorities.
“This last point seems to be the most compelling. So, the question: Is there anything inherent in the TikTok application that is a clear and present security risk to its users? The answer ‘probably not’ – again – is simply not good enough for any corporate governance or end-user to assure data sovereignty and protection,” said Mullis.
“It’s a question of risk. And when it comes to national security, “probably” isn’t good enough.”
(futureplc)