Skip to content

Emails reveal months of TikTok spyware fears at B.C. cybersecurity department

A year before U.S. lawmakers targeted TikTok, B.C. government cybersecurity department scrambled to remove the app.
tiktok-credit-pixabay
Emails reveal monthslong effort to remove TikTok due to concerns over security risks.

A year before the U.S. Congress voted to demand China’s ByteDance sell the popular TikTok video app, B.C.’s Office of the Chief Information Officer (OCIO) was busy removing it from government devices.

At the end of February 2023, the B.C. government followed the lead of the federal Treasury Board, which determined TikTok posed a national security and privacy risk. That triggered a high-level summary for B.C. information security staff that warned China’s national security laws could allow the government there to demand data about TikTok users in B.C.

“This authority to gather sensitive personal information, proprietary information, and intellectual property could be used as a tool for spying and espionage,” said the review presentation, obtained under freedom of information.

Staff contacted each user individually to inform them of the ban. Names of users were censored from documents released by the Ministry of Citizens Services, but a partial list showed devices containing the app were used in Child and Youth Mental Health, Corrections Branch, Prevention and Loss Management Services and Prince George Youth Custody Centre.

As of Feb. 28, 2023, 17 users were identified as “VIPs.” One of the emails said one of the VIPs was an assistant deputy minister, but did not name the ministry. Two days later, a report said the app had been removed by 126 users, but 332 remained, the vast majority on Apple iOS devices.

Brian Horncastle, manager of vulnerability and risk management, delivered a TikTok security and privacy review, and threat and risk assessment to chief information officer Gary Perkins on March 9, 2023.

“Recommend continued ban as, given present situation when compared with the business value, represents an unacceptable risk to government systems,” Perkins concluded four days later.

The assessment also recommended the province investigate further if any security/privacy breaches or incidents occurred involving provincial data or the personal information of employees. Horncastle suggested that Dale Land, the director of cyber intelligence and investigation, could determine whether any such information was for sale by hackers on the dark net, “where it might appear to have originated from TikTok.”

OCIO staff also worked with experts from IBM (NYSE:IBM) spinoff Kyndryl to remove the app.

“It sounds like there is a way to purge this from the machine in an automated way, if we give them direction to do so,” Horncastle wrote to Don Costello, the chief information security officer. “Or, we could reach out and ask the end users to remove, however, this may be complicated for them to do so.”

A month after the ban, TikTok was still installed on 10 devices, two more since the prior week. More than two hours later, the number was down to zero. One user “seems angered by the repeated calls they have been receiving,” wrote cybersecurity analyst Camden Leith. “They have requested if it is possible to be issued a new device as they have confirmed multiple times that it is not on their device.”

B.C. staff were also in contact with counterparts in other provinces, such as Prince Edward Island chief information officer Michael Muise, who had been contacted by TikTok lobbyist PAA Inc.

“Their website says they are a national public affairs and strategic communications firm. I received a note from them recently asking for a meeting on behalf of TikTok to discuss our concerns,” Muise wrote. “At this time I have no plans to meet with them.”

The government released correspondence between March 9 and April 1, 2023, to a reporter. But the province has delayed for almost a year the disclosure of earlier records for the period of Jan. 31 to March 8, 2023.

The Information and Privacy Commissioner has granted three extensions. The latest, for 75 business days, expires June 5.

Commissioner Michael McEvoy and privacy watchdogs from the federal, Quebec and Alberta governments began investigating TikTok more than a year ago.

The federal Liberal government revealed Thursday that cabinet quietly ordered a national security review of TikTok’s Canadian operations last September.

B.C.’s corporate registry shows that Network Sense Ventures Ltd., a company founded in 2016 in Gastown by Hank Horkoff, changed its name in August 2020 to TikTok Technology Canada Inc. That happened the week after ByteDance investor relations director Zhao Liu of Hong Kong replaced human resources head Wei Hua of Beijing as a Network Sense director.

Zhao changed his address to Singapore in 2022, but Joshua Bloom of Toronto, TikTok’s Canadian general manager, replaced him last August.

ByteDance CEO Shou Zi Chew appeared at the TED Conference in Vancouver in April 2023, where “curator” Chris Anderson asked whether the app could be used to interfere in a U.S. election.

“I can say that we are building all the tools to prevent any of these actions from happening,” Chew said. “And I'm very confident that, with an unprecedented amount of transparency that we're giving on the platform, we can reduce this risk to as low as zero, as possible.”

Anderson was not convinced: “I mean, how would the world know?”

Benjamin Fung, a professor in the School of Information Studies at McGill University, said TikTok’s claim that data is housed on U.S. servers is hollow because workers in China are legally obliged to co-operate when the Chinese government demands to see data.

Fung said TikTok is built on a very powerful “recommender system,” a machine learning algorithm that helps decide what the user sees. 

“This tool has the power to change people’s perception on some particular issues,” Fung said.

twitter.com/bobmackin