Kiwis should be wary of any applications that originate out of China and consider the risk they place their personal information at when using them, Andrew Little says.
New Zealand cybersecurity businesses have been calling on the Government and privacy watchdogs to increase their scrutiny of the social media application TikTok, owned by Chinese company ByteDance, over concerns it is harvesting sensitive user data.
Parliament's Speaker Trevor Mallard last week warned MPs against downloading the application on their work devices as it could "pose a security risk" as data "could be accessed" by ByteDance and the Chinese Government.
Little, the minister responsible for the Government Communications Security Bureau and the NZ Security Intelligence Service, said on Tuesday people should be "somewhat circumspect" about applications and devices that "originate out of China".
"There are statutory obligations that Chinese corporates are under when it comes to cooperating with their government and the various organs of the state, including their intelligence agencies," Little told reporters.
While ByteDance has close ties to the Chinese Government - state enterprises have a stake in it and an official sits on its board - it has denied ever sending authorities user data. Chinese laws require companies to cooperate with officials if information is requested.
Little was aware of the public reports about TikTok data concerns and said people "will have to think carefully about the risk they put their personal information at when they use apps like it".
"There's information that indicates that personal information that you have on your device is potentially at risk. I just think people have to know that that is a real risk, and they will make their decisions accordingly."
He wouldn't tell Newshub whether he has received any information suggesting data on TikTok is being passed on to the Chinese government.
"There is information in the public arena to suggest that there is a potential risk here and people should think carefully about that," he said.
In June, BuzzFeed reported that China-based employees of ByteDance had repeatedly accessed data of US users. Following that report, US Federal Communications Commission (FCC) chief Brendan Carr said TikTok "harvests swaths of sensitive data" and called on Apple and Google to remove it from their app stores. An Australian intelligence firm later said TikTok collected an "excessive" amount of information and checked users' locations at least once an hour.
TikTok admitted in July that employees outside of the US can access user data, but said that is "subject to a series of robust cybersecurity controls and authorisation approval protocols" overseen by a US security team.
The Speaker's message last week said if MPs continue to use TikTok they should check they are comfortable with the permissions granted to it, remove its ability to access their location, not link it to other social media accounts, ensure it's up-to-date and use a different password to other accounts.
"If using this app on a personal device, you should still be aware of the above suggestions in the interest of keeping your information safe," the email said.
It also provided a link to the BuzzFeed article.
In 2020, Newshub revealed Parliament's cybersecurity team had told MPs and staffers that TikTok posed "significant privacy and security risks" and "strongly recommended" anyone who had the app installed delete it. Little said at the time that TikTok was "probably one to steer clear of at the moment".
The GCSB told Newshub last week it hadn't provided any specific briefings to ministers or MPs on security concerns regarding TikTok.
However, it does issue the New Zealand Information Security Manual (NZISM), which "is the primary source of information security guidance for New Zealand government organisations".
"The NZISM provides principles-based guidance and frameworks for risk assessment and mitigation and requires agencies, including Parliamentary Services, which is responsible for the technological infrastructure of Members of Parliament, to take a risk-based approach to implementing systems.
"It does not specify what systems, devices and applications organisations can use. That is a decision for individual organisations, their information security teams and ultimately Chief Executives, informed by their risk assessment and any mitigations they decide to apply."