Staff at Government departments and agencies have been told to remove TikTok from their official devices following a detailed risk review by the National Cyber Security Centre (NCSC).
According to the NCSC, its assessment was aligned with processes in other countries and “leant heavily on the experiences” of the European Commission, the European Union, the UK and elsewhere.
Several jurisdictions, including the UK and the Netherlands, have restricted the use of the social media app on Government devices due to data protection and privacy concerns linked to the relationship between the company and the Chinese state.
Under the Acceptable Usage Policy terms set out to Irish State employees, use of the app is now no longer permitted.
An email, seen by The Irish Times, setting out the direction was circulated to parent departments and then to employees on Friday. In it, they were told it was no longer permissible to install the Chinese owned social media app, and to delete it where it was already in use.
A spokesman for the Department of Communications, which oversees the NCSC, said the ban applies to all Government departments and agencies or bodies under their remit except in “exceptional cases where there is a business need”.
“This recommendation was informed by a detailed risk assessment carried out by the NCSC, and extensive engagement with relevant stakeholders, including the Data Protection Commission (DPC), the European Commission and other Member States,” the spokesman said.
It is also viewed by the department as being complimentary to existing security measures based on the 2021 Cyber Security Baseline Standards Framework designed to improve the resilience and security of public sector ICT systems.
[ Karlin Lillington: Long past time for closer scrutiny of TikTokOpens in new window ]
[ European Commission bans staff from using TikTokOpens in new window ]
The move came as little surprise to analysts following similar such bans elsewhere including the European Commission and the US, which has aired its concerns over data protection.
“The primary concern they have is that TikTok may be forced by the Chinese Government to hand over data from their user base and if some of them are Government employees that may enable the Chinese Government to do espionage or surveillance on those people,” said Brian Honan, chief executive BH Consulting, which specialises in cybersecurity and data protection. “It’s no big surprise the Irish Government has [gone] the same way.”
Speaking on RTÉ radio on Friday afternoon, NCSC director Richard Browne said the issue regarding security concerns was “not what we know to be happening ... [but] what we can’t rule out is happening.”
Its review, which began in March and ran into early April, “leaned heavily” on the experiences of the European Commission, the European Union, the UK and elsewhere.
“[TikTok] gathers and stores very large amounts of user data including sensitive personal data. So it is on the very high, if not the highest, end in terms of the data it collects,” Mr Browne said.
“Given that it is a Chinese headquarters and given that Chinese Intelligence gathering laws it means that TikTok and its employees are subject to Chinese law and the application of a number of different measures to the company.”
Last month, Minister of State for eGovernment Ossian Smyth indicated the NCSC was due to issue new guidance to Government departments around policies for devices assigned to their civil servants.
“That guidance doesn’t name specific companies; it describes how to measure the type of risk from different types of apps and what type of precautions to take in which circumstances. It doesn’t particularly name any apps or any companies,” he said.
The type of data that is potentially accessible from social media apps includes contacts, photographs, location and user interaction with other apps.
However, Mr Honan pointed out that other social media apps, based in other jurisdictions, operate similarly.
“If you’re going to ban TikTok well then we should be banning other social media apps as well,” he said in reference to State agency staff and other potentially vulnerable users.
Friday’s move is an indication of deepening discomfort with China and related security considerations. Last February, the European Commission ordered its staff to remove the app from all corporate and personal devices that use commission apps as soon as possible.
From mid-March, apps such as Skype for Business or the commission’s internal email were due to be no longer available on devices that continue to use TikTok, which is owned by Beijing-based ByteDance.
In response to the decision by the commission, TikTok said it was “disappointed with the decision, which we believe to be misguided and based on fundamental misconceptions”. The company has insisted it would not allow Chinese Government access to user data but that has done little to ease concerns in an era of rising geopolitical tensions.