top of page

Canada: TikTok Is Banned From Government Devices

Canada has banned the use of the TikTok app on all government-issued mobile devices due to concerns over the Chinese-owned video sharing app's security and data privacy. The move follows similar action taken by the European Union and over half of US states and Congress. Canada's federal privacy watchdog and its provincial counterparts in British Columbia, Alberta, and Quebec have also launched an investigation into whether TikTok complies with Canadian privacy legislation.


TikTok, which is owned by Chinese company ByteDance, has become increasingly popular with young people, but fears have been raised that Beijing could use it to collect data on Western users or push pro-China narratives and misinformation. The app will be removed from Canadian government-issued phones on Tuesday.


TikTok's data collection methods have been criticized for providing considerable access to the contents of the phone. While no evidence of government information being compromised has been found, the Chief Information Officer of Canada has determined that TikTok presents an unacceptable level of risk to privacy and security. TikTok has called the move "curious" and has said it is always available to discuss the privacy and security of Canadians.

Ismael Valenzuela

Ismael Valenzuela, Vice President of Threat Research & Intelligence at BlackBerry shared his insights on the recent TikTok ban decision by Canada and what security concerns remain for CISOs at enterprises with corporate devices.

"I’m not surprised. Canada isn’t the first government to make this decision, and it likely won’t be the last. I believe this is the first time the EU has banned a mobile app, indicating that there are valid reasons to enforce this policy. On top of the bans from the U.S. government in 31 states and the White House’s decision to ban it on government-issued devices, I only expect more to follow. For example, just a few days ago, one of the most popular Australian politicians on TikTok said he refuses to use the Chinese-owned video app on his government or personal phones due to concerns about the security of his data, and UK politicians have started to receive pressure to do the same.

The potential of this ban is not limited to government devices, either. I know for a fact many CISOs are considering banning TikTok from their corporate devices. Many commercial organizations, especially those with bring your own device (BYOD) policies, may not follow this type of policy, but I anticipate others in highly-regulated environments, such as the financial sector, will conduct their own product security testing and legal review of the privacy policy terms to restrict its use, at least on corporate devices or by high-value users. It’s no secret nation state groups often target large corporations for intelligence gathering or even for financial gain, so it’s not difficult to see why corporations may make a similar decision on this policy. Organizations that regularly update their threat model based on contextual intelligence, and that have mature asset management practices and unified management endpoint solutions, are definitely in a better position to manage this risk enterprise-wide.

This highlights the importance of managing risk through organizations and the need to assess the security impact that introducing a new product, technology, even an apparently innocuous chat or social media apps, can have on the overall security of an organization. Supply chain attacks are a real concern, but privacy risks should also be top agenda items for CISOs of high-risk organizations. How many CISOs are aware of the statements in TikTok’s privacy policy? How valuable would this data collected by TikTok be in the hands of financially motivated attackers or nation states, when coming from high value individuals (i.e. executives)? "


###

Comments


bottom of page