Government’s TikTok ban is official but many questions remain

Federal and state jurisdictions now preparing for an official ban on Chinese social media and video sharing app TikTok on government mobiles will have to contend with literally hundreds of thousands of private ‘BYOD’ devices enabled with ostensibly secure access to government systems.

As agencies across Australia prepare for the federal curtain call to finally be made on the app favoured by celebrities, so-called influencers, and marketers, the advice to agencies that provide workplace access to employees through private devices remains unclear.

The much-anticipated TikTok ban was officially announced by attorney-general Mark Dreyfus on Tuesday. It came after weeks of anticipation and dropped on the first day of the Australian Strategic Policy Institute’s (ASPI) Sydney Dialogue, which brings together securocrats, ministers and intelligence operatives from around the world.

“After receiving advice from intelligence and security agencies, today I authorised the Secretary of the Attorney-General’s Department to issue a mandatory direction under the Protective Security Policy Framework to prohibit the TikTok app on devices issued by Commonwealth departments and agencies, Drefus sain in a statement.

“The direction will come into effect as soon as practicable. Exemptions will only be granted on a case-by-case basis and with appropriate security mitigations in place.”

“The Government has recently received the Review into Foreign Interference through Social Media Applications and its recommendations remain under consideration, Dreyfus said.

The TikTok ban was foreshadowed by The Mandarin ahead of the Australian Information Security Association’s Cyber Conference last week, where most delegates regarded the nixing of the Chinese-owned social app an already done deal, with deletions coming ahead of a statement.

As a Five Eyes-aligned thinktank, ASPI has been agitating for an Australian ban on TikTok for several years, largely to better align national security posture with that of the US, UK and Europe, where potential avenues of software exploitation are being systematically eradicated.

But there’s a rub for public servants and forward-thinking agencies across many jurisdictions: namely, whether the great workplace trend of Bring-Your-Own-Device (BYOD) will be hit by the new edict, and whether the public sector TikTok ban will extend to privately-owned devices used for work. Having two or more phones could soon be a reality for many public servants.

A major challenge for those imposing bans is that kids, for better or worse, are still heavy users of TikTok to share content; that means parents and other grown-ups need to keep an eye on what’s being shared — not really practicable if the app is destined for imminent deletion.

Major corporates with employee and contractor BYOD policies have already given TikTok a wide berth. They include the Commonwealth Bank of Australia, which has stuck to other social channels for its comms.

One feature of the CBA and other corporate BYOD policies is that employees using their own equipment usually have to agree to install security software that compartmentalises and secures work apps, and also gives employers the legal and practical option of bricking compromised employee devices.

Known as ‘mobile device management’, the system usually works by installing an app with the highest user privilege settings that can be used by an employer to lock, track and wipe devices that are stolen or believed to be compromised or going rogue.

Bricking phones is less an issue than it used to be, namely because most valuable data is usually stored off-device or in the cloud by way of automatic back-ups, although bricking can be annoying if you are using a phone for public transport.

While IT security practitioners refer to BYOD as ‘Bring Your Own Disaster’ because of the lack of control over network topography, tech-savvy users frustrated by clunky old kit or so-called ‘scabby spec’ machines — those running the bare minimum configuration — prefer the option of being able to self-cater.

The use of iPads and other tablets over laptops is a classic example.

Some organisations deliberately down-spec their work-issued machines as a way of shifting device provisioning back onto end users as a way of avoiding device fleet costs. Many tech companies expect employees to self-provision, remitting an allowance to cover the expense.

Banning TikTok does raise some questions there, namely whether there will be additional costs incurred by agencies and employers forced to re-issue hardware as a result of heightened security requirements.

Many agencies and employers already run ‘approved’ device whitelists for BYOD that mostly exclude older, vulnerable and officially suspect devices, like those made by Huawei and ZTE.

Comms and marketing agencies selling into government will also have a new challenge post-TikTok ban: how to communicate to a demographic hooked on a platform without being able to use that same platform.

That’s likely to look like an outsourcing deal of some sort for campaigns targeting the youth segment of specific communities known to have a strong presence on TikTok, like those economies that have not banned Huawei.

So here’s the question that will inevitably come up at senate estimates: if a government agency has banned TikTok on its own devices, is it still permissible to use it as a digital marketing platform for government-funded campaigns? And will any of the target market watch anti-vaping ads on another platform?

Bans. So easy to impose, so difficult to police.

This article was first published by The Mandarin.