Defence Force orders TikTok to be wiped from phones, as government agencies grapple with data risks

Soldiers and defence personnel were ordered to wipe TikTok from their government-issued devices in November, amid growing concerns about the video-sharing app within Western governments.

The Defence Force is not alone in developing a strict policy for the Chinese-owned TikTok app, reportedly used by more than 1 billion people across the world.

At least nine organisations do not authorise the use of the app on government devices, and the Ministry of Education, which uses TikTok to promote education programmes, only runs the app on a phone that is “isolated” from its systems.

Government agencies have been left to make their own assessments of the risk of TikTok, as New Zealand’s partners clamp down due to concern about data harvesting, concern that has been fuelled by growing tension between the West and China.

The United States and Canada this week announced TikTok would be banned on all government devices, with Canada warning TikTok’s “data collection methods provide considerable access to the contents of the phone”.

While similar concerns have been raised in New Zealand – Parliament’s Speaker warned MPs in August that downloading TikTok meant “your devices could be accessed by ByteDance (the owner of TikTok) and the Chinese Government” – the Government said it lacked the legal means to ban apps.

“We don’t have a regime in New Zealand where we ban particular apps,” Prime Minister Chris Hipkins said on Friday.

Hipkins said he does not and will not use TikTok, but people “should make their own informed decisions”.

“It’s not a platform that I have ever used before.”

Adam Boileau, a security expert from CyberCX, said TikTok had become “collateral damage” to rising geopolitical tension, and New Zealand would be reluctant to act as its partners had.

“We’ve been pretty reluctant to come out swinging against Chinese corporate entities, because they are our biggest trading partner … We really want to sit on the fence and not piss off the Chinese.”

Stuff asked more than 15 major government agencies whether TikTok was permitted on government-issued devices.

The agencies that did not authorise the use of TikTok included the Defence Force, Ministry of Education, Ministry of Foreign Affairs and Trade, Department of Prime Minister and Cabinet, Corrections, Police, Treasury, Ministry of Justice, and Ministry of Primary Industries.

A Defence Force spokesperson said defence personnel were issued a directive on November 2, 2022 requiring that TikTok be removed from work devices after a “risk assessment” of the app was conducted.

The directive was “a precautionary approach to protect the safety and security of our Defence Force personnel”.

Ministry of Education corporate leader Zoe Griffiths said TikTok was not authorised on ministry devices, with one exception – an approved Ministry of Education TikTok channel aimed at reaching young people with education promotions.

“We operate the account with strictly enforced protocols, including using an isolated phone that is not connected to the ministry system,” Griffiths said, of the “very cautious” approach.

The Ministry of Foreign Affairs and Trade had “prevented” the use of TikTok on ministry devices, a spokesperson said.

The Security Intelligence Service and Government Communications Security Bureau did not use TikTok as an external communications channel, a spokesperson said.

There was no comment on whether TikTok was authorised for devices issued by either agency. However, both agencies’ systems are known to operate within Sensitive Compartmented Information Facilities (SCIFs) where external phones and devices are not permitted.

Corrections blocked all social media websites and applications from its network, except for LinkedIn. A TikTok account used for a recruitment drive was administered by a contractor.

“Corrections uses specialist security technology on work mobile phones … It is not possible to download TikTok or any other social media app within the secure work environment,” a spokesperson said.

A Department of Internal Affairs spokesperson said TikTok was “not one of the standard applications” on department devices.

Agencies that had no specific TikTok policies or restrictions included the Ministry of Social Development, Health NZ, Ministry of Business, Innovation, and Employment, Inland Revenue Department, and Ministry of Transport.

Ministry of Social Development general manager of technology Tracy Voice said staff were given general guidance “that they must only use approved technology and apps to transfer ministry information or conduct ministry business”.

Boileau said he was not surprised there was a “mish-mash” of TikTok policies, as there was no centralised guidance and an unclear idea of the risk the app posed.

“This is fundamentally about Western countries becoming more aware of a potentially belligerent China, and having to consider what that means.”

He said Western governments were concerned about the volume of data TikTok collected, given the Chinese government’s track record for using bulk datasets obtained by methods including hacking.

There was also concern about TikTok’s algorithm being used for information warfare, he said, and concern the app could be “co-opted” by the Chinese government in the future.

Every Chinese company ultimately answered to the Chinese Communist Party, he said, meaning the threshold for the Chinese government exploiting the app was low.