New Zealand MPs warned against using TikTok on work phones as Chinese Government could access data

New Zealand politicians have been warned against using social media platform TikTok on their work devices due to concerns their data could be accessed by the Chinese Government.

The message came from Speaker Trevor Mallard via an email from the Parliamentary Service to all political parties last week.

"The Parliamentary Service strongly recommends you do not use TikTok on your Parliamentary Service devices as it could pose a security risk where data on your devices could be accessed by Byte Dance (the owner of TikTok) and the Chinese government."

The email, seen by Newshub, goes on to say if MPs continue to use the app, they should check they are comfortable with the permissions granted to it, remove its ability to access their location, not link it to other social media accounts, ensure it's up-to-date and use a different password to other accounts.

"If using this app on a personal device, you should still be aware of the above suggestions in the interest of keeping your information safe," it says.

The email then provides a link to a BuzzFeed article from June that reported China-based employees of TikTok's owner, the Chinese company ByteDance, had repeatedly accessed the data of US users. ByteDance has ties to the Chinese Government, though TikTok has said it doesn't give it any data.

After that report, TikTok admitted employees outside of the US can access user data, but said that is "subject to a series of robust cybersecurity controls and authorisation approval protocols" overseen by a US security team.

US Federal Communications Commission (FCC) chief Brendan Carr said in June that TikTok "harvests swaths of sensitive data" and called on Apple and Google to remove it from their app stores, while an Australian intelligence firm last month suggested the app was collecting an "excessive" amount of information.

In 2020, Newshub revealed Parliament's cybersecurity team had told MPs and staffers that TikTok posed "significant privacy and security risks" and "strongly recommended" anyone who had the app installed delete it. 

Government Communications and Security Bureau (GCSB) Minister Andrew Little told Newshub at the time that the app is "probably one to steer clear of at the moment".

The GCSB told Newshub last week it hadn't provided any specific briefings to ministers or MPs on security concerns regarding TikTok.

However, it does issue the New Zealand Information Security Manual (NZISM), which "is the primary source of information security guidance for New Zealand government organisations". 

"The NZISM provides principles-based guidance and frameworks for risk assessment and mitigation and requires agencies, including Parliamentary Services, which is responsible for the technological infrastructure of Members of Parliament, to take a risk-based approach to implementing systems. 

"It does not specify what systems, devices and applications organisations can use. That is a decision for individual organisations, their information security teams and ultimately Chief Executives, informed by their risk assessment and any mitigations they decide to apply."

Several New Zealand cybersecurity businesses have called on the Government and privacy watchdogs to step up their scrutiny of TikTok in recent weeks. 

"Unfortunately, like many social media companies, TikTok is cagey about the information it collects about its New Zealand users and who can access it," said Katherine Mansted, director cyber intelligence and public policy at CyberCX.

"This should be of huge concern to the government and cyber watchdogs. In this case, we should be especially worried about any access the Chinese government has to this data and how it could misuse it."