Cabinet Office minister Oliver Dowden confirms TikTok is to be banned on government phones over links to China
The British government has confirmed that China’s TikTok app is to be banned from mobile devices issued to government ministers and civil servants.
The decision was announced by Cabinet Office minister Oliver Dowden this afternoon in Parliament, and is not surprising considering the number of peer nations that have already banned the short video app from official devices.
On Tuesday security minister Tom Tugendhat had hinted that a TikTok ban was likely, after he revealed that the UK’s National Cyber Security Centre (NCSC) was reviewing whether the Chinese-owned video app should be banned from government devices.
The UK is following similar actions by other countries.
US officials for a while now have alleged China’s government could force TikTok parent ByteDance to hand over data on users that could be used for intelligence or disinformation purposes.
TikTok has always denied this and chief executive Shou Zi Chew is set to testify before the US House Energy and Commerce Committee on Thursday 23 March, as American lawmakers prepare a bill that could ban TikTok entirely from the United States on national security grounds.
TikTok is currently used by more than 100 million Americans, but a countrywide ban of TikTok in the United States seems increasingly likely, after the White House last week lent its backing to the bill from a bipartisan group of a dozen US senators.
Now the UK government has announced that the TikTok ban will be applied to all mobile devices issued to government ministers and civil servants.
It should be remembered that the UK parliament last August closed down its TikTok account over concerns that its Chinese parent could be forced to hand over data to Chinese authorities.
“Given the potentially sensitive nature of information which is stored on government devices, government policy on the management of third party applications will be strengthened and a precautionary ban on TikTok on government devices is being introduced,” the government stated.
It said there was currently there is limited use of TikTok within government and limited need for government staff to use the app on work devices.
“The security of sensitive government information must come first, so today we are banning this app on government devices,” announced Chancellor of the Duchy of Lancaster Oliver Dowden. “The use of other data-extracting apps will be kept under review.”
“Restricting the use of TikTok on Government devices is a prudent and proportionate step following advice from our cyber security experts,” said Dowden.
The government pointed out that TikTok requires users to give permission for the app to access data stored on the device, which is then collected and stored by the company. Allowing such permissions gives the company access to a range of data on the device, including contacts, user content, and geolocation data.
The government said it is concerned about the way in which this data may be used.
However it should be noted that today’s ban does not extend to the personal devices for government employees, ministers or the general public. And specific exemptions for the use of TikTok on government devices are being put in place where required for work purposes.
Exemptions will only be granted by security teams on a case-by-case basis, with ministerial clearance as appropriate, and with security mitigations put in place.
These exemptions will cover areas such as individuals working in relevant enforcement roles, or for example for the purposes of work on online harms.
TikTok told Sky News it was “disappointed” with the government’s decision.
“We believe these bans have been based on fundamental misconceptions and driven by wider geopolitics, in which TikTok, and our millions of users in the UK, play no part,” the spokesperson reportedly said.
“We remain committed to working with the government to address any concerns but should be judged on facts and treated equally to our competitors.”
Meanwhile the Chinese owner ByteDance is reportedly being urged to divest itself from TikTok, to help address concerns about national security concerns.
Indeed, Reuters has reported on Thursday that the Biden administration has demanded that TikTok’s Chinese owners divest their stakes in the popular video app or face a possible US nationwide ban
TikTok spokesperson Brooke Oberwetter told Reuters that the company had recently heard from the US Treasury-led Committee on Foreign Investment in the United States (CFIUS), which demanded that the Chinese owners of the app sell their shares, and said otherwise they would face a possible US ban of the video app.
The data collection habits of TikTok and other social networking apps has long been a concern for security experts, but TikTok’s Chinese ownership has heightened these concerns.
“Although we should be cautious when using all social media platforms, no matter who owns them, TikTok is collecting massive amounts of information from consumers like user location, voiceprints, calendar information and other sensitive data,” said Adam Marrè, CISO at Arctic Wolf Networks.
“The issue is we don’t know what this data is being used for, or if a foreign government has access to it,” said Marrè. “As the number of TikTok users continues to grow, it’s good this is being addressed by the UK government.”
“With the rise of data brokers who make a living out of selling user information, this platform can serve as a vessel for malicious actors to leverage,” said Marrè. “They can then sell this information, which can be used to target people via phishing emails, influence via propaganda, or even control/access devices. Let this be a reminder than nothing is truly ‘free’ and that we should all exercise caution.”
Meanwhile Simon Mullis, CTO at Venari Security pointed to the fact that all these bans on TikTok are coming at a time of heightened geo-political sensitivity.
“News that the UK Government has banned TikTok on staff devices is an interesting development for the cyber security space and follows the EU Commission and US government bans of the app,” said Mullis. “Despite the Chinese owned company stating that it operates no differently from other social media, Governmental security is under scrutiny in an era where the prevalence and sophistication of attacks is intensifying.”
“The risk of a breach shouldn’t be underplayed,” Mullis cautioned. “This is particularly relevant in the case of public sector workers responsible for sensitive government matters and national security. In this era of heightened geo-political sensitivity, nation-state actors will be looking for every conceivable opportunity to breach cybersecurity boundaries and gain access to sensitive data.”
“Ministers and civil servants therefore need to follow the necessary regulations as a bare minimum to help maintain appropriate levels of security and robust action should be taken when these haven’t been followed,” said Mullis.
“The concerns are really rooted in the ability to assure the chain of trust of data protection from beginning to end, and at all steps in between,” said Mullis. “With TikTok, this has proven to be extremely difficult for a variety of technical and political reasons. In fairness, the ban is as much political as it is a consequence of the technical design of the application.”
“Is the TikTok design and architecture so wildly different from other social media applications in widespread use as to cause massive security fears?” asked Mullis. “The answer is ‘Probably not’.”
“There have been a number of reports of insecure protocols in use, employees repeatedly accessing non-public data from users in the US and potentially sharing this with authorities,” said Mullis.
“This last point seems to be the most compelling,” said Mullis. “So, the question: Is there anything inherent in the TikTok application that is a clear and present security risk to its users? The answer ‘Probably not’ – again – is simply not good enough for any corporate governance or end-user to assure data sovereignty and protection. It’s a question of risk. And when it comes to national security, ‘probably’ isn’t good enough.”
However Matthew Hodgson, co-founder and CEO of Element, the UK-based end-to-end-encrypted instant messaging platform, thinks the UK government is being somewhat two-faced with its ban.
“The UK government banning officials having TikTok on their phones while pushing through legislation that will give the UK government access to all UK communications screams of double standards and hypocrisy,” said Hodgson.
“Outwardly it looks like they’re taking the security of data seriously by stopping China having a backdoor into UK data (albeit only for government officials currently),” said Hodgson. “However, the UK government is pushing through the Online Safety Bill, which creates a very similar backdoor into every communications platform used by UK citizens.”
“So, it’s not OK for China to access government communications but it is OK to provide a route for them to access citizen communications via Online Safety Bill weaknesses?” asked Hodgson. “We need to protect the privacy of UK citizens today from bad actors and nation states of all shapes and sizes.”