NZDF orders TikTok off phones
The Defence Force ordered TikTok to be wiped from phones due to concern its staff could be impersonated by “high-quality deep fake” videos.
The concern about deep fakes was one of many issues with the Chinese-owned app cited in the Defence Force directive issued about TikTok in November. A partially redacted copy of the directive has been obtained under the Official Information Act.
“There is a realistic possibility cyber-threat actors will exploit TikTok software vulnerabilities to target users of the applications,” the directive reads.
“User and device data can be used to create unique ‘fingerprints’ to track user activity on the platform, and across other internet services. This can enable targeting for intelligence operations.”
The Defence Force is among at least nine government agencies that do not authorise TikTok on government-owned devices. The Parliamentary Service earlier this month advised MPs to wipe the app from Parliament devices.
The video sharing app has sparked concern across Western capitals for its ability to harvest users’ data, and for the relationship between its Chinese owners, ByteDance, and the Chinese Government. Countries including the United States and Canada have issued government-wide bans on the app.
Government agencies in New Zealand have been left to make their own assessment of the risk posed by TikTok, often with the advice of the Government Communications Security Bureau.
The Defence Force had initially determined TikTok “presents no immediate disruptive cyber-threat to the NZDF specifically”, according to the November directive.
However, the Defence Force chief information security office subsequently decided the app should be deleted from Defence devices “immediately”, that it should not be downloaded in the future, and access to the platform’s website should be restricted.
Portions of the directive were redacted as the information could “prejudice the security or defence of New Zealand or the international relations of the Government of New Zealand”.
“TikTok is owned by ByteDance, who are headquartered in Beijing ... TikTok reportedly collects significant amounts of user data, such as contact lists, calendars, the contents of a person’s hard drive, and can geolocate a user’s device on an hourly basis,” the directive reads.
“The Cyberspace Administration of China (CAC) requires Chinese companies to register Internet Information Service Algorithms under the auspices of improving security governance and promoting CCP values.”
It said TikTok could be used by “threat actors” to identify and track “current and future” Defence personnel, and the “rich” biometric data contained in video posted to TikTok could be used for face or voice recognition, building biometric databases, or training recognition algorithms.
“A plausible scenario for targeting NZDF members is the use of zero-click and one-click exploits by threat actors, using bespoke or commercially procured malware, to conduct cyberespionage against high value targets.
“A threat actor could edit and re-post any NZDF content to undermine messages, or spread dis-and-misinformation, potentially being viewed more than NZDF’s original content.”
The directive required personnel to remove TikTok from Defence devices within 10 working days.