Tuesday, March 28, 2023

TikTok is not a Trojan but can be dangerous. Expert explains the ban


The prime minister’s advisers are recommending a ban on TikTok, although there is no evidence of espionage yet. This does not mean that we should ignore how the Chinese application collects data and where it sends it, says cybersecurity specialist Dr. Karolina Malagotska.

At a meeting on Monday, the Polish Digitization Council (RdC) voted on a recommendation to remove the TikTok app from official devices in public administration. According to data provided on Tuesday by RdC chairman Jozef Orzel, 16 people voted in favor of the resolution and one abstained.

The institution therefore adopted a recommendation that Prime Minister Mateusz Morawiecki remove TikTok from the official devices of parliamentarians and officials. Janusz Cieszynski also independently referred to the decision of the Council, explaining the issue in detail in the official position. However, the statement by the State Secretary of the Prime Minister’s Office in charge of digitalization was criticized by commentators.

We asked Dr. Karolina Malagotska, a cybersecurity expert at Kozminski University, to interpret recent events.

Krzysztof Sobepan, Wprost.pl: The Digitization Council expressed “a positive opinion on the order of officials and employees of the public administration to remove the Chinese TikTok application from office phones.” Exactly what we expected, right?

Dr. Karolina Malagotska, Kozminski University: Yes, this is the position we expected. The removal of TikTok from work devices is part of a broader global trend to limit access to the Chinese app for government employees. For example, very similar rules have been adopted by all three bodies of the European Union: the Parliament, the Council and the European Commission.

The position of Janusz Cieszynski is interesting here. He says that yes, the recommendation has been accepted, but it “doesn’t really change anything about the situation with TikTok in Poland.” Is it really true?

If we analyze the structure of Polish TikTok users based on the latest company information, we can draw the following conclusions. First, the application is dominated by young people under the age of 20. Secondly, another large group is people over 40 years old. We can assume that these are people involved in TikTok professionally. For example, organizing marketing or communication campaigns on the platform.

Politicians or civil servants probably do not make up a significant group of TikTok users in our country. Therefore, the ban on installing the application may concern a fairly small group of people. In this sense, nothing changes for the company.

However, I would not focus on whether the recommendation to remove TikTok would affect five, ten or fifty people in Poland. It is important that there is an open discussion about data security and the separation of personal and business data.

This is not just about a ban on watching TV shows on a company laptop, but rather about compliance with the information security policy of an institution.

Another thesis is the fact that public institutions in Poland should already have an information security policy, including, among other things, a ban on the installation of entertainment applications such as TikTok on corporate devices. So the Council’s recommendation is just a formality?

It seems to me that until now a culture of mutual trust has prevailed among public administration employees or employees of larger companies in Poland. The unwritten rule is that shop equipment should be used for work, not play.

Employees are still very unhappy with, for example, top-down decisions by the IT department to block certain websites, features, or apps on company-owned devices. Blocking streaming services is a sure signal to employees that they should focus on work.

When it comes to data security in institutions, we have two main strategies. The first is BYOD, or Bring Your Own Device. This means employees are allowed to bring their devices into the office or headquarters. However, there is a risk of mixing personal data and confidential institution data.

The second way is COPE, short for Company Owned, Personally Enabled. Here, phones or laptops are the property of the company and it is the employer who decides what the employee can do on the device given to him. In this case, you can block access to certain websites or applications.

At the same time, the company may agree to use the office phone for personal purposes outside of business hours. As such, COPE is not completely immune to the installation of entertainment apps such as TikTok.

TikTok is “definitely not the biggest threat that awaits us in cyberspace,” Cieszynski says. But does this mean that we should ignore the risks associated with TikTok, sweep it under the rug?

Every year we have a whole bunch of ratings of the “top threats on the Internet.” Indeed, TikTok does not appear on them, but this is too big a generalization. Cybersecurity experts pay special attention to malware: Trojans, viruses or ransomware, i.e. programs that encrypt data and demand a ransom.

TikTok is not overtly malicious software, there are no attacks on infrastructure or companies, and user information such as logins or passwords is not stolen. As a rule, there are no such functions in the Chinese application now.

Today, we don’t know if TikTok is being used for spying or will be used for intelligence gathering in the future. Technically, there is such a possibility, and the Chinese application already collects a lot of data about its users.

In the Digitization Council position, Cieszynski focuses on possible security gaps or vulnerabilities in the TikTok app. He almost completely ignores the fact that TikTok collects a lot of information and potentially sends it to China. Isn’t that the main problem?

This is a mixture of two orders. The application may or may not be malicious. The point is whether it contains unwanted code that poses a potential threat to the user - loss of data, secret information, accounts or money.

The possible risks associated with the collection and transmission of data should be measured entirely separately. It’s not that the TikTok app itself is dangerous. We are talking about the potential threat associated with the collected data, which may face the Chinese government.

However, ByteDance Corporation collects data that can theoretically be sold to various organizations. Polish citizens would probably not feel safe if their personal data was sold to the Russian government, right?

The resolution of the Digitization Council is not a law, but a recommendation. How should this step be evaluated, and what can happen next?

It should be clearly emphasized - it’s very good that they created a recommendation for TikTok. It is on these topics that the Digital Council should have a strong voice, because it speaks on a topic that is critical to the cybersecurity of Western countries. The TikTok case is currently under review in the US, EU, UK and France.

The Council’s position is intended to set an example of enhanced digital hygiene and data security practices in institutions. Such rules must be followed not only by state institutions, but also by almost all companies operating in Poland.

This is one of the first official positions on data security in Poland, which clearly sets the boundaries of what and to what extent business devices can and should be used.

Source: WPROST.pl
