Top politicians are not allowed to have TikTok on their phones. But why?
Other apps also collect a lot of information. TikTok stands out in that it is owned by a company in China, and China is not a Western ally in terms of security, researchers say.
On March 21, it became known that Norwegian ministers, state secretaries and political advisers are no longer allowed to have TikTok or Telegram on official phones or tablets.
The decision came after an assessment by the Norwegian National Security Authority (NSM).
The NSM concluded that TikTok or Telegram "should not be installed on public employee service phones that are connected to the organization’s internal digital infrastructure or services."
The Storting, the Norwegian parliament, also bans TikTok on service phones. Bergen and Oslo are two of several municipalities that have also decided to ask employees to delete TikTok from their work mobiles following the security assessment.
Minister of Justice Emilie Enger Mehl has previously received criticism for giving unclear answers about her use of TikTok on a work phone.
Restrictions in several countries
A number of Western countries now ban or discourage the use of TikTok on official telephones for civil servants or members of the government.
In February, government offices in the United States were asked to delete TikTok within 30 days on service devices. The EU Parliament has also introduced a ban.
Is the fear of TikTok justified or exaggerated?
Data and ownership
The reason for the scepticism is that TikTok is owned by a Chinese company, called ByteDance, and that the app collects a lot of information.
“I think there are good reasons why ministers and other people in vulnerable positions in society should not use TikTok on their phone,” says Gaute Bjørklund Wangen.
Wangen is an associate professor at the Department of Information Security and Communication Technology at the Norwegian University of Science and Technology (NTNU) in Gjøvik and head of technology at the company Diri AS.
The fact that TikTok collects a lot of data is in itself problematic, especially when it comes to elected officials and decision-makers, Wangen believes.
Furthermore, the Chinese authorities have legal authority to extract data collected by companies located in China, he says.
These are covered by the TikTok ban in Norway
Political leadership and employees of the ministries and their subordinate enterprises are advised not to use TikTok. The advice also applies to employees in the private sector who are subject to the Norwegian Security Act in whole or in part, according to a press release from the Ministry of Justice and Public Security.
A long list
Wangen gives examples of information collected by the app: profile information, instant messages, published and unpublished content, contacts, technical information about the mobile and your location.
What is collected is described on TikTok's website. The user can change settings and, for example, change access to their location.
Information that is collected automatically includes what you watch, what interests you have, and what is said and shown in videos you post.
Keystroke patterns or rhythms can be recorded when the platform is used, the website says.
The app, like many others, has to be given access to the microphone and camera in order for it to be used.
Interesting for intelligence
All the information that the app collects is generally of interest to intelligence services, says Wangen.
“This was revealed by Snowden in 2013,” Wangen said.
Edward Snowden leaked documents that revealed collaboration between the US intelligence agency NSA and internet companies. This made it possible to monitor large amounts of telecommunications and data communications, according to Wikipedia.
Among the revelations was that the NSA could extract information from servers from Facebook, Google and Yahoo, among others, according to the BBC.
There is no public proof that China has actually obtained data from TikTok to use it in intelligence work, according to CNN Business.
TikTok's management has denied that the company has ever shared data with Chinese authorities and that they would agree to it.
The US is now threatening to ban the app. Recently, TikTok CEO Shou Zi Chew assured the US that it has nothing to worry about.
“TikTok has never shared, or ever received a request to share, US user data with the Chinese government. Nor will we comply with such a request if it was made," he declared, according to Reuters.
Must assume that it can happen
Wangen says that no one can confirm whether or not the Chinese authorities have used data from TikTok.
“In practice, you’d have to travel to China and get access, and no one gets that. But the indications here are so strong that we just have to assume that they do,” Wangen said.
The data are interesting for intelligence, and China has invested large sums in espionage and data acquisition in cyberspace, Wangen said.
Geir Myrdahl Køien is professor of cyber security at the University of South-Eastern Norway.
He agrees that there are good reasons to ban TikTok on ministers' service phones.
“It’s an unnecessary risk,” he said.
He also points out that Chinese legislation obliges companies to cooperate with the authorities and release information if required.
“From the point of view of Chinese intelligence, what Norwegian ministers do is of interest,” he said.
Køien also agrees that we must assume that such data can be delivered, although we cannot know for sure.
Can be abused
Information that the app collects allows you to form a picture of both people's habits and where they have been, says Køien.
“It may be of interest. If not right here and now, then there may be interest in a year or two. And it is clear that this is seen in the context of any other data they may have collected about these people in other areas. It's about the overall picture,” Køien said.
It can be difficult to comprehend the extent to which information can be misused, Wangen said.
He gives an example from a story from the Norwegian Broadcasting Corporation, NRK, in 2020. NRK was able to purchase location data that showed where tens of thousands of Norwegians had moved in 2019. They selected a random mobile phone, were able to identify the person who owned it and find out a lot about his life.
“When you have government officials, decision makers, people who manage critical infrastructure, and can create a map of where they have been, who they are, what they like, what they are triggered by, then it is clear that this is data that can be used to manipulate people and achieve goals,” Wangen said.
Worse than others?
Does TikTok collect more information than Facebook, Instagram and other apps and services?
The TikTok app is notorious for being worse than most when it comes to what users give permission for, Køien said.
“But having said that, it’s generally a problem if you give away lots of rights, then at one point or another you will have revealed a lot about yourself and your habits,” he said.
“It may not mean that much for most people. But with this total possibility of monitoring digital tracks, it is clear that it can be problematic,” he said.
The big difference between TikTok and other popular apps in use is that TikTok has owners in China, and that China is not our ally in terms of security, according to both Køien and Wangen.
The fact that the US potentially gets access to data is seen as more acceptable than if China does, because Norway cooperates with the US on security policy, Køien said.
“You can agree or disagree with that assessment,” he said.
Apps such as Facebook, Messenger and WhatsApp also collect a lot of data, Wangen pointed out.
“They collect as much as they can until they are no longer allowed,” he said. “The big tech suppliers in the US are no great friends of privacy.”
Patching a sieve
Banning TikTok and Telegram is sort of like trying to put a patch on a sieve, says Køien.
“We should take a holistic view, and know what we are trying to achieve, and what vulnerabilities and weaknesses we are trying to avoid,” Køien said.
Lars Gjesvik agrees. He believes that the problem should be looked at more broadly. Gjesvik is a senior researcher and co-leader of the Norwegian Institute of International Affairs Centre for Digitalization and Cyber Security Studies.
“I think this is a problem that has been highlighted because TikTok is a Chinese company. But if you only limit the debate to TikTok, I think you may not be having the right debate. It’s the wrong definition of the problem,” he said.
Gjesvik thinks it is reasonable that TikTok be banned on service phones for ministers, state secretaries and political advisers.
“I think that when you see that there are security issues around TikTok, this is a limited, reasonable measure with respect to people with access to sensitive data on sensitive networks,” he said.
He points out that he does not know the details of how service telephones are used, what kinds of information users can access via them, and what kind of security measures are already in place.
At the same time, he thinks that the security challenges of TikTok are a little poorly defined.
“Slightly different things are often jumbled together. We talk about influencing people and information. There is talk of data collection. And then there is talk of TikTok as a possible backdoor to gain access to the phone,” Gjesvik said.
“I think that this almost has to be addressed on an individual basis. If you are afraid of what kinds of digital footprints data ministers leave behind and what this information can be used for, then I can understand that it poses a security challenge. But this is broader than TikTok,” he said.
Gjesvik thinks that it is appropriate for ministers to be subject to stricter precautions than the average person.
“But if it only concerns TikTok as an individual app and doesn’t include the bigger picture, then it seems a bit strange, but I would think it is part of a larger assessment of risk,” he said.
Other apps can also be revealing. Gjesvik pointed out that activity maps (called heat maps) from the training app Strava have been used to identify military bases around the world, which was reported widely when it was first discovered in 2018.
“If this is part of a bigger picture related to the security advice given to ministers and how they use technology, at least when they are at work, then I think that it’s both important and appropriate that we think a lot about security and have a high security awareness,” he said.
Translated by: Nancy Bazilchuck
Read the Norwegian version of this article on forskning.no