As TikTok faces data-harvesting claims, spy agency warns Canadians to protect themselves

An employee looks at his mobile phone as he walks past the logo of the video-focused social networking service TikTok, at the TikTok UK offices, in London, on Feb. 9, 2022. With a billion users, TikTok has rapidly become one of the most important social media players. (Tolga Akmen/AFP/Getty Images - image credit)
An employee looks at his mobile phone as he walks past the logo of the video-focused social networking service TikTok, at the TikTok UK offices, in London, on Feb. 9, 2022. With a billion users, TikTok has rapidly become one of the most important social media players. (Tolga Akmen/AFP/Getty Images - image credit)

The man who oversees cybersecurity for the federal government says Canadians should be wary of apps that could leave their data in the "wrong hands" — a warning that comes as the wildly popular Chinese-owned social media app TikTok faces claims that it has spied on its users.

Sami Khoury, head of the Communications Security Establishment (CSE) Canadian Centre for Cyber Security, said users need to be aware of what they're agreeing to when they download an app, and should ask whether it enables access to their personal data.

"You have to ask yourself the question, do they need to access that information? Why does an application need to access all of my contact list? Why does it need to access my calendar, my email, my phone records, my [texts]?" he told CBC News.

"You layer on top of that the risk of connecting my 200 [contacts] with your 200 and then you have an aggregate ... of information. In some cases, it lands in places that don't live by the same principles of rule of law [and] respect for human rights."

TikTok, whose parent company ByteDance is based in China, has been accused of aggressive data harvesting. The European Union's data watchdog is investigating what it has called "transfers by TikTok of personal data to China".

In a statement, a spokesperson for TikTok insisted the Chinese Communist Party has no control over ByteDance, that it has never provided Canadian users' data to the Chinese government and that it would not do so if asked.

The CSE said Canadians with commercially sensitive information on their devices should be especially cautious when granting access to their devices.

"Some platforms are responsible platforms where you potentially don't have to worry about the data falling into the hands of a nation state. But other platforms are too close to that line," Khoury said.

Prime Minister Justin Trudeau said last month the CSE was keeping an eye on TikTok.

"I think people are concerned about TikTok. I think people are obviously watching very carefully," he said. "The ... CSE is one of the best cybersecurity agencies in the world and they're watching very carefully."

So far, CSE hasn't issued an advisory against using TikTok — which claims a billion visits per month. Instead, it offers general advice to Canadians about social media, including where data is stored.

Khoury said the CSE is now updating that guidance.

TikTok said it stores Canadian user data in the U.S. and Singapore.

TikTok denies sharing data with China

The U.S. already has banned federal employees from using the app on government-issued devices, citing national security concerns. A growing number of universities in the U.S. have also banned the social media platform on school-owned devices and networks.

Late last year, Republican Sen. Marco Rubio introduced a bill to ban TikTok in the United States entirely.

Drew Angerer/Reuters
Drew Angerer/Reuters

Evan Koronewski, a spokesperson for CSE, said it's closely watching what the U.S. and other allies are doing.

"We continue to monitor the situation and inform the government of Canada on the most relevant and applicable cyber security advice and guidance," he said.

"This includes working together with our federal partners at the Treasury Board Secretariat and Shared Services Canada to ensure government information systems and networks remain secure and protected."

A spokesperson for TikTok said they are open to talking with the Canadian government.

"We continue to have a constructive relationship with the Canadian government, and engage across departments to demonstrate how we protect the security and privacy of Canadian users, and to respond to any questions that officials may have," said the spokesperson.

When asked if they'd recommend their family members download TikTok, Khoury and Rajiv Gupta, associate head of the Canadian Centre for Cyber Security, urged caution.

"I turn off everything in any of the apps I use, because that's my personality," said Gupta.