- The Strategist - https://www.aspistrategist.org.au -

Australia needs a cybersecurity overhaul—not whack-a-mole bans on apps like TikTok

Posted By on April 17, 2023 @ 12:00

Australia has joined other countries in announcing a ban [1] on the use of TikTok on government devices, with some states and territories following suit [2]. The rationale was based on security fears and, in particular, the risk that the platform will be used for foreign interference operations by China.

TikTok [3] is a video-sharing platform operated by ByteDance [4], a company headquartered in Beijing but incorporated in the Cayman Islands. Data is allegedly stored [5] in the US and Singapore.

Like those of similar sites, TikTok’s privacy policy [6] indicates an expansive approach to the collection and use of personal information. The app can collect information from users and third parties (such as advertisers), and it can draw inferences about its users’ interests. All of this information can then be shared with TikTok’s partners and service providers to, among other things, personalise content and advertising.

The policy also says information will be shared when there is a legal requirement to do so. China’s national intelligence law [7] obliges citizens and organisations to support, assist and cooperate with national intelligence efforts, which could include ByteDance sharing people’s TikTok data.

While TikTok denies it would hand over data [8] in such circumstances, there are reports that data from American users has been accessed [9] by China-based employees. TikTok has also censored [10] content that is politically sensitive in China.

While the Australian government’s response can be explained through this logic, questions remain.

Given the ban only affects government devices, couldn’t the same people be susceptible to foreign interference through their use of TikTok on personal devices [11]? And what about other apps, such as Facebook, that collect significant amounts of user data. Are they more secure than TikTok?

Even if other digital platforms don’t have connections with China, couldn’t they share or sell data to other entities, such as advertisers, data brokers or business partners? And mightn’t those third parties have connections with China? Or other countries with similar laws?

But the problem of digital security and foreign interference is bigger than just one app or the use of government devices. Russia has run [12] information campaigns designed to influence US elections using platforms [13] such as YouTube, Tumblr, Google, Instagram, PayPal, Facebook and Twitter.

Indeed, the Department of Home Affairs notes [14] that foreign interference activities are not only directed towards governments, but also academia, industries, the media and other communities (which is actually everyone).

Banning TikTok on government devices may eliminate one risk, but the broader pool of risks remains, both in government and beyond.

The government is currently developing [15] a new cybersecurity strategy to replace the one put in place by the previous government [16] just three years ago. A discussion paper [17] on the new strategy was released earlier this year. This process will hopefully result in a more holistic strategy on how to manage the cybersecurity and foreign interference concerns that led to the TikTok ban.

Rather than the whack-a-mole tactical response of banning one app at a time, the strategy could provide clarity on how the government will manage the issue of weak security on mobile apps (particularly when used by people in sensitive sectors), as well as the potential for this to be an entry point for foreign interference.

This could include such things as:

  • educating people on digital security and foreign interference
  • streamlining the reporting channels for data breaches, foreign interference attempts, cybercrime, bugs and vulnerabilities
  • developing or recommending the use of appropriate standards on cybersecurity, which could include references to international standards in areas such as information security and data governance
  • strengthening cooperation between government and platforms and civil society
  • introducing targeted prohibitions, which may include bans on apps that could share data with countries that might then use it for foreign interference.

This kind of strategic approach, particularly on the education side, would give Australians better tools to arm themselves against foreign interference online, which, as Home Affairs emphasises [18], is the ‘best defence’ available.

Another relevant policy development is the government’s review [19] of the Privacy Act [20], which is the primary Australian law on data protection.

Changing the rules about how data is collected and used by platforms could provide less fodder for those running foreign interference operations. This could include banning unfair uses, such as targeted messaging based on a psychological profile. If the platforms don’t facilitate these uses, it becomes more difficult for foreign governments to use these tools for manipulation.

Enhancing funding for the primary data regulator, the Office of the Australian Information Commissioner, could also strengthen enforcement across the board.

These two reform initiatives exist within a maze of others, including inquiries or proposals relating to online privacy [21]digital platform services [22]the influence of international digital platforms [23]electronic surveillance [24] and digital economy regulation [25].

Beyond Australia, at the United Nations level, some questions about whether international law can be applied to cyberspace have been resolved [26], while others remain open [27]. Australia’s position on these issues could also be clarified.

Ultimately, what’s needed is a strategy, rather than tactics, and better coordination of relevant policies across government. The TikTok example also highlights a truism that we shouldn’t think in terms of privacy or security, but rather privacy and security.

While there’s an occasional need to choose between these two values (for example, when government agencies surveil those suspected of a crime, terrorism or espionage), in the vast majority of situations security is enhanced when the privacy of personal information is protected.

For example, the more personal information a foreign agent can access about citizens working in sensitive areas, the better it can target espionage and influence operations. If social media companies are restricted in how they collect, use and share Australians’ data, we can take significant steps towards protecting everyone from foreign interference and other harms.

We need all the policies and associated agencies (cyber, privacy, education, platform regulation, international relations, national security and more) working together if we are to meet the challenges. It may make sense to ban TikTok on government devices, but we need to address this problem more than one app at a time.The Conversation



Article printed from The Strategist: https://www.aspistrategist.org.au

URL to article: https://www.aspistrategist.org.au/australia-needs-a-cybersecurity-overhaul-not-whack-a-mole-bans-on-apps-like-tiktok/

URLs in this post:

[1] announcing a ban: https://www.abc.net.au/news/2023-04-04/tiktok-ban-australian-government-devices/102183478

[2] following suit: https://www.msn.com/en-au/news/australia/chris-minns-announces-tiktok-ban-on-nsw-government-devices/ar-AA19wid0

[3] TikTok: https://www.tiktok.com/

[4] ByteDance: https://www.bytedance.com/en/

[5] stored: https://www.lifehacker.com.au/2020/07/why-banning-tiktok-in-australia-isnt-a-straightforward-solution/

[6] privacy policy: https://www.tiktok.com/legal/page/row/privacy-policy/en

[7] national intelligence law: https://www.chinalawtranslate.com/en/national-intelligence-law-of-the-p-r-c-2017/

[8] denies it would hand over data: https://www.politico.eu/article/tiktok-china-west-europe-ban-app-espionage-surveillance/

[9] has been accessed: https://www.buzzfeednews.com/article/emilybakerwhite/tiktok-tapes-us-user-data-china-bytedance-access

[10] censored: https://www.bbc.com/news/technology-49826155

[11] their use of TikTok on personal devices: https://www.smh.com.au/cbd/naughty-naughty-which-mps-are-active-on-tiktok-despite-government-ban-20230410-p5czdv.html

[12] has run: https://www.reuters.com/world/us/russias-prigozhin-admits-interfering-us-elections-2022-11-07/

[13] platforms: https://www.bbc.com/news/technology-46590890

[14] notes: https://www.homeaffairs.gov.au/about-us/our-portfolios/national-security/countering-foreign-interference

[15] developing: https://www.homeaffairs.gov.au/about-us/our-portfolios/cyber-security/strategy/2023-2030-australian-cyber-security-strategy

[16] one put in place by the previous government: https://www.homeaffairs.gov.au/about-us/our-portfolios/cyber-security/strategy/australias-cyber-security-strategy-2020

[17] discussion paper: https://www.homeaffairs.gov.au/reports-and-pubs/files/2023-2030_australian_cyber_security_strategy_discussion_paper.pdf

[18] Home Affairs emphasises: https://www.homeaffairs.gov.au/about-us/our-portfolios/national-security/countering-foreign-interference#:%7E:text=It%2520is%2520important%2520to%2520understand%2520the%2520difference%2520between,by%252C%2520or%2520on%2520behalf%2520of%2520a%2520foreign%2520actor

[19] review: https://www.ag.gov.au/rights-and-protections/publications/privacy-act-review-report

[20] Privacy Act: https://www.legislation.gov.au/Details/C2022C00361

[21] online privacy: https://consultations.ag.gov.au/rights-and-protections/online-privacy-bill-exposure-draft/

[22] digital platform services: https://www.accc.gov.au/inquiries-and-consultations/digital-platform-services-inquiry-2020-25

[23] the influence of international digital platforms: https://www.aph.gov.au/Parliamentary_Business/Committees/Senate/Economics/Digitalplatforms

[24] electronic surveillance: https://www.ag.gov.au/crime/publications/reform-australias-electronic-surveillance-framework-discussion-paper

[25] digital economy regulation: https://consult.industry.gov.au/automated-decision-making-ai-regulation-issues-paper

[26] resolved: https://documents-dds-ny.un.org/doc/UNDOC/GEN/N21/075/86/PDF/N2107586.pdf?OpenElement

[27] open: https://bpb-us-w2.wpmucdn.com/campuspress.yale.edu/dist/8/1581/files/2017/08/Schmitt_Grey-Areas-in-the-International-Law-of-Cyberspace-1cab8kj.pdf

Copyright © 2024 The Strategist. All rights reserved.