The Australian government recently announced it would ban TikTok on government-issued devices, citing “Significant security and privacy risks.” Australia is far from the first country to implement such a ban, with Canada and the European Union itself introducing similar restrictions. In an even bolder move, the state of Montana is set to become the first US state to ban it from all personal devices.
TikTok is owned by Chinese company ByteDance and there is a fear it could share, or indeed be ordered to share, TikTok user data, including browsing history, location and biometric identifiers, with the Chinese government. This is despite TikTok maintaining that it doesn’t share data with the Chinese government and disputing that it collects any more user data than other U.S. social media companies, such as Meta.
When it comes to TikTok, there’s no denying that our data is being collected. What we don’t know is how it is used or manipulated outside of the app’s stated purpose.
Is banning TikTok the right call?
It makes sense that governments are leading the way in banning TikTok on government-issued devices. When it comes to data privacy, they need to lead by example and stay on the front foot to ensure their own infrastructure isn’t at risk from third-party apps.
The problem is that TikTok is not the first app to have stirred national security concerns, and definitely won’t be the last. WeChat, which is subject to tight controls from the Chinese Communist Party, has been blocked, banned or not approved by 14 Australian government departments across their networks and devices.
For government devices, the risk outweighs the inconvenience for staffers, so it makes sense. But this doesn’t completely solve the issue: there are still threats to government agencies from the personal devices of government staffers and, as TikTok themselves pointed out, there are other apps collecting a whole lot of data on us that could very easily fall into the wrong hands.
There are always going to be new apps posing security threats. It’s not realistic, or best security practice, to play whack-a-mole as a form of defence. Instead, we need to be proactive about putting the right safeguards in place.
People, process and technology
As the lines between work and personal devices continue to blur, naturally, the network perimeter is expanding. This leaves organisations more vulnerable to threats as that perimeter becomes harder and harder to defend.
The banning of specific apps is one piece of a much larger puzzle. It’s the implementation of a process that will help reduce the threat it poses; however, there are also people and technology considerations to be made.
For starters, we need better education for not just staff, whether in government or the private sector, but also the population more broadly on security and privacy risks posed by apps. In the workplace, this should mean training sessions and clear guidelines (that are enforced) to help educate employees as to the risks posed by any app, not just those coming out of China or other adversarial states.
The other important element in mitigating threats posed by apps is building broader resilience through technology. Organisations need to be able to see what is coming in and out of the network so they can block threats or remediate issues before the damage is done. For example, Secure Access Service Edge (SASE) technology helps organisations deliver secure access to network resources from anywhere, ensuring security controls are in place no matter where or from what device people are accessing them.
It’s not enough to simply put bans in place. We’re never going to be able to adequately address threats posed by apps with this method alone. It’s going to take a mixture of people, process, and technology to find the right balance between security and convenience. TikTok is today’s stress test on Australian privacy controls, but it certainly won’t be the last.
Noel Allnutt is Managing Director at Sekuro.