Image from tweedekamer.nl
While we are dealing with a nationwide network outage, strangely enough the sound of
the internet radio can still be heard from my speakers. In the news bulletin I
hear the following message: the House of Representatives no longer allows civil
servants to use TikTok on their work phone.
Let this sink in for a moment (I'm still processing it). Parliament feels the need
to express its concern about what civil servants do on their telephones. Apparently
there are some civil servants who have TikTok on their phones. Why???
For those readers who don't have kids of TikTok age, I'll briefly explain what that is.
TikTok is an app in the social media category, intended to make short videos –
we're talking seconds – and of course share them. There is often dancing,
singing and lip-syncing. The latter then produces, for example, a video of a
teenage girl saying something stupid in the voice of Donald Trump. Those kinds
of things.
I copied the previous paragraph from the Security (b)log of July 24, 2020. At
that time there was already (international) hassle around TikTok and in the
Netherlands the Dutch Data Protection Authority investigated the privacy
aspects of the app. Exactly one year later, the DPA fined TikTok 750,000 euros
for violating the privacy of young children. At the time, I already advised not
to use TikTok on your business phone.
Now back to my question: why are there civil servants who have TikTok on their
government phone? Okay, somewhere in the civil service there will probably be a
position where the use of such an app is plausible. Maybe somewhere in communication,
because there they have to constantly think about how to reach their target
groups. A police officer tiktoking about the importance of decent bicycle
lighting might be a good one. But even then, the House of Representatives is
right: don't do that on your regular work phone. Because of China.
TikTok is a Chinese product. And we know for sure that country loves espionage (with
or without a balloon). Now – just like a little less than three years ago –
people are afraid that China will collect information on our phones via TikTok.
TikTok recently amended its privacy statement: they feel that TikTok employees
in China should have access to data from European users, among others. But our
privacy legislation, the GDPR, takes a completely different view: personal data
of Europeans should remain in Europe, unless it has been established that
another country handles them just as neatly as we do. Such a statement
regarding China is expected to be issued around the day when pigs fly. But TikTok's
privacy statement simply states that employees in certain countries also have
access to your data without such an adequacy decision.
Espionage is serious business. The subject is
discussed in detail in the Cyber Security Assessment Netherlands 2022. Some
quotes: “Cyber attacks by state actors are the new normal”; “State actors can
use the following digital means to this end: (…) Espionage, including economic
or political espionage”; “The Netherlands is the target of an offensive cyber
program from countries such as Russia and China”; “The Chinese digital
espionage actor APT31 has carried out widespread and long-term attacks on
political targets in Europe and North America. There were also targets of
attacks and reconnaissance activities by this actor in the Netherlands.” The
intelligence services define state threats as follows: “Coercive, subversive,
misleading or covert activities by or on behalf of state actors, below the
threshold of armed conflict, which can harm the national security interests of
the Netherlands through a combination of the goals pursued, the means used and
the effects.” A state actor is just a country that does those kinds of
things.
So, dear colleagues: if you like TikTok, do your thing. But not with the boss's
stuff. Now you may be thinking, well, I don't have any important or
confidential information on my phone, this isn't about me. Think again. Your
contacts alone can be interesting, and the network you form with them. Spies
are puzzlers: they get a few puzzle pieces from you and the rest from others.
With all those pieces together, they eventually manage to create an interesting
picture.
A colleague told me that his daughter does not mind that the Chinese are
watching: "Extra fans." That's one way to look at it. As a citizen.
As a civil servant, you have other responsibilities.
And in the big bad world…
This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.
- TikTok's boss is doing his utmost to convince American politicians of the innocence of his product.
- Hyundai and KIA must provide millions of cars with a software update, courtesy of a TikTok challenge.
- you need to quickly update your iPhone or iPad.
- A US city has declared a state of emergency after a ransomware attack.
- hackers use fake certificates, hoping that error messages will be interpreted as false positives.
- you can seriously derail a password reset campaign for all your customers.
- hundreds of PyPI packages target your crypto coins.
- Internet Explorer is now really a thing of the past.
- ethical hackers in Belgium are allowed to go about their business without permission. [DUTCH]
- the Dutch Data Protection Authority is being sued. [DUTCH]
- parents are liable for the damage caused by their cybercriminal children. [DUTCH]
- the Dutch General Intelligence and Security Service has published a brochure on the safe development of AI systems. [DUTCH]
- hackers hijack Telegram accounts (and that's just another reason to ditch this app).
- you can reduce your digital footprint with these tips.
- Last year, Russian hackers nearly shut down US power plants. [DUTCH]