Feds conducting 'broader review' of social media after banning TikTok from work devices
Apps collect vast amount of information that may identify the user, including location, address and contacts
After banishing TikTok from the mobile devices of public servants, the federal government is taking a look at possible threats from other social-media applications.
The government said in February that TikTok, a wildly popular app for sharing short videos, posed an unacceptable level of risk to privacy and security.
Federal officials are conducting "a broader review" of social-media applications on work devices and will share the results when they are available, said Treasury Board Secretariat spokesperson Martin Potvin.
The government is working to improve cybersecurity in Canada by identifying threats and vulnerabilities, including from social-media platforms, to ensure the protection of systems and networks, he said.
Internal government notes say the most effective way to minimize risk is to prevent employees from installing any social-media apps on work phones unless there is a clear business need to do so.
Such apps collect a vast amount of information that may identify the user, including location, internet protocol addresses and contacts, say the notes. They were released under the Access to information Act to Matt Malone, an assistant professor in the law faculty at British Columbia's Thompson Rivers University.
While the information that apps collect is largely used to target advertising to users, it also can be employed by "malicious actors for a variety of reasons," the notes say. The risks include:
- Unintentionally helping adversaries to gather information about the government or its employees, and to track work-related activities;
- Introduction of malware to a device or network through social media by clicking on a link, photo or advertisement;
- Providing information that allows someone to impersonate an employee and send targeted emails containing malware to their colleagues.
Government devices could include pre-loaded privacy software to significantly reduce collection of information by blocking most trackers embedded in social-media applications, the internal notes say. They warn, however, that as long as apps are installed on a device, "the risk of collection remains."
These applications "need to be assessed" against government requirements for security and for the protection of federal information, the notes say.
In an interview, Malone said all social-media apps should be banned from government devices unless there are compelling reasons to keep them, given the sensitive data "that's being vacuumed up."
Malone said the collection of vast amounts of data creates "power imbalances" with users.
"You have no idea where this information is going, who controls it, who sees it, what's done with it," he said. "We really need to get serious about privacy regulation."
Treasury Board President Mona Fortier said in February that TikTok's data collection methods provide considerable access to the contents of a mobile device.
"The decision to remove and block TikTok from government mobile devices is being taken as a precaution, particularly given concerns about the legal regime that governs the information collected from mobile devices, and is in line with the approach of our international partners," she said.
A TikTok spokesperson said at the time that singling out an app in this way only prevents officials from reaching the public on a platform loved by millions of Canadians.
A September 2022 intelligence brief, disclosed under the access law along with the government notes, provides fresh insight into the government's concerns about TikTok.
The brief by the Privy Council Office's Intelligence Assessment Secretariat says that TikTok is the first Chinese-owned app to reach over a billion users beyond China, "creating a globally embedded and ubiquitous collection and influence platform for Beijing to exploit."
"Despite assurances, there is growing evidence that TikTok's data is accessible to China," says the heavily edited brief, based on open sources and classified information.