BBC Advises Staff To Delete TikTok From Work Phones

The BBC has advised staff to delete TikTok from corporate phones because of privacy and security fears. From a report: The BBC seems to be the first UK media organisation to issue the guidance - and only the second in the world after Denmark's public service broadcaster. The BBC said it would continue to use the platform for editorial and marketing purposes for now. [...] The big fear is that data harvested by the platform from corporate phones could be shared with the Chinese government by TikTok's parent company ByteDance, because its headquarters are in Beijing.

In an email to staff on Sunday, it said: "The decision is based on concerns raised by government authorities worldwide regarding data privacy and security. If the device is a BBC corporate device, and you do not need TikTok for business reasons, TikTok should be deleted from the BBC corporate mobile device." Staff with the app on a personal phone that they also use for work have been asked to contact the corporation's Information Security team for further discussions, while it reviews concerns around TikTok. Dominic Ponsford, editor-in-chief of journalism industry trade publication the Press Gazette, said it would be interesting to see what other media organizations decide to do. He told the BBC: "I suspect everyone's chief technical officer will be looking at this very closely. Until now, news organizations have been very keen to use TikTok, because it's been one of the fastest-growing social media platforms for news publishers over the last year, and it's been a good source of audience and traffic. So most of the talk in the news media has been around encouraging TikTok rather than banning it."

Let Me Get This Straight

[zenlessyank]

Ban TikTok but let China make all our stuff.

Governments are fucking stupid.

Re: Let Me Get This Straight

[ZERO1ZERO]

What exactly is the tik tok app so capable/is doing? Stealing data? How? Is this a technical thing or a policy/signaling thing?

Re: Let Me Get This Straight

[uffe_nordholm]

Since it is an app on your phone, it could (at least potentially) get access to everything on your phone.

I have neither installed not used the TikTik app, but I assume it asks for various permissions while getting installed. If these permissions are used for legitimate purposes, the app should not be a threat. But if the permissions are used for nefarious purposes, the app is a problem, the severity of which depends on whose phone it is installed on.

To complicate matters, TikTok is a Chinese company (or at least the owners are), which makes it subject to the whims of the CCP, who have previously made it obvious that they will stop at nothing to get what they want (eg the Tian nan men massacre). If I were some high-ranking official in any organisation, I would assume that the CCP will want to eavesdrop on me: they might not get anything useful, but why miss the possibility?

Re:

[AmiMoJo]

On modern versions of Android and iOS, many permissions are requested at run-time rather than given during installation. Things like access to contacts, access to location data, access to files.

It is possible that an app contains a currently unknown exploit to get access to those things, but it seems unlikely that anyone with such an exploit would waste it on TikTok. It would quickly be discovered and fixed. To be effective, those vulnerabilities need to be targeted at individuals so that samples are harder

Re: Let Me Get This Straight

[e3m4n]

With reporters, just gaining access to your contacts could reveal potential sources. Shit talk the CCP and expose something they did, pull their contacts and look for anyone with access to that info. Then go murder the source. Its always been the CCP playbook. The vulnerability of the media is one of the least sophisticated exploits needed.

Re:

[AmiMoJo]

Yes, and access to contacts has been a run-time permission request for years.

Another option is to make use of Android's built in work profile system. Basically you can have two separate profiles on the phone, a personal one and a work one, with separate contact lists. There is an open source app called Shelter that helps manage it on a per-app basis. Very handy for isolating apps you need but don't trust.

For an org like the BBC though you'd like they could just give journalists who need TikTok for some reas

Re:

[e3m4n]

You really think your average BBC employee is that smart? The odds of good looking Tits & Ass also having a brain are astronomically against. Eye candy tends to be Ken & Barbie level stupid. Much easier to tell them to remove the app and be done with it. Its not just the journalists that are vulnerable btw. Behind the scenes there are a multitude of workers that might have to contact these sources to coordinate interviews and other aspects that could leave these contacts on their devices too, even i

Re: Let Me Get This Straight

[DrXym]

Apps ask for permissions for some things, not all things. An app could phoning home with your IP address every minute and you wouldn't know. If could be running port scans on other devices sharing the same network and you wouldn't know. It might even know of an exploit that elevates its privileges, or use the privileges you've already granted it to do extra things - track location, listen in on conversations, access photos, take video footage, send or receive an SMS.

Many apps have legitimate reasons for needing permissions and so they make perfect vehicles for governments who might want to spy on opponents or critics. I imagine TikTok is such an vehicle so it is prudent to ban it from government devices. But I'd say that all social media should be banned from such devices unless a person has a legitimate reason for needing them for their job.

Re:

[AmiMoJo]

Apps could do all that, and get past the Play Store security. But that's not a TikTok issue, there are millions of apps and any of them could be doing it. In fact we know for a fact that Facebook's app is rather nosy.

You can make the argument, but it needs to say why TikTok specifically. There are lots of other apps, many of them from Chinese or unknown vendors.

Re:

[Dutch Gun]

You can make the argument, but it needs to say why TikTok specifically. There are lots of other apps, many of them from Chinese or unknown vendors.

Because TikTok has specifically been caught exfiltrating journalists' information in an attempt to track down their sources. This is not a speculative concern. It's literally already happened. Isn't that reason enough? Or do you believe ByteDance when they say this was just the work of rogue employees, and that they've been fired, and they pinky swear it will never happen again?

As to the issue that there are lots of Chinese apps... yes, and I'd trust precisely zero of them. Not just Chinese, but any un

Re:

[DrXym]

Yes and that's why I think government devices should have whitelists of approved apps. Run that other shit on your own personal device on the outside of the private network.

But in the case of TikTok it is *known* to have been used to spy on people so it poses a unique threat. And its ubiquity means it would be a more effective attack vector for state actors than some random app that a person may or may not have.

Re:

[AmiMoJo]

But Facebook has been known to spy on people too. What is unique about TikTok?

Re:

[Canberra1]

So how is Groogle, Amacon, FaceChook also not harvesting your data? Under the USA Cloud Law, they are beholden to the US. The only time I use social media is to give false messages, like I will vote for A because.. But really vote B. As you grow older, you become my cynical and 'Nudges and targeted marketing' achieve the opposite.

Re:

[Kurrelgyre]

You also become incapable of calling things by their actual names for some reason?

Re:

[Gilmoure]

Afraid the Groogle Cops will track him down.

Re:

[Canberra1]

Yes. In some countries it can be defamation and damages against you, even if it is true, and what they did was illegal! Or you poke fun at allies. But parody is mostly OK, although some cartoonists get cancelled for a factual statement. See Dilbert backlash and cancellations. Even large companies headlines read like 'A major financial company who was hacked and customers private details and ID stolen' go unnamed. Everything here is alleged - 'A pair of youths allegedly driving a stolen car that crashed' k

Re: Let Me Get This Straight

[DrXym]

ByteDance have used it in the past to spy on journalists and identify whistleblowers so there's that. And the general perception that the company is under the thumb of the Chinese government. Not hard to see why government & journalistic outlets, including the BBC should be extremely wary of TikTok.

Of course it's not the only app that should ring alarm bells. It would be sensible for governments, political parties and big orgs to whitelist what apps they allow on their devices, or their networks and impress upon users the importance of sticking to those rules.

Re:

[DrXym]

Facebook, Twitter, Instagram etc. Ban the lot of them. Few people in governments need social media accounts on their work devices, and if they do they can be special cased.

Re:

[nightflameauto]

It's horning in on all the other governments siphoning our data. We all know the US does it, and the chances that the UK doesn't do it as well are so vanishingly small as to be absent altogether. That's really what it amounts to.

I mean, I wish we could stop all the governments of the world from siphoning all our data all the time everywhere, but I guess it's a nice virtue signal to get all upset about China doing it. What, exactly, they're going to gain from tons of videos of dancing pre-teen girls I'm not

Re:

[slazzy]

Neither, it's allowing citizens of a "free" country communicate too freely with each other. It has the potential to topple governments, tilt elections, enable protests, etc.

Re:

[geekmux]

What exactly is the tik tok app so capable/is doing? Stealing data? How? Is this a technical thing or a policy/signaling thing?

It's 2023. Decades after social media came along. If you're still asking these kinds of questions, then you are still unaware that you are The Product being bought and sold.

One would have thought a 19-year old Mark Zuckerberg would have made that clear back when his business justification was summed up in two words: Dumb Fucks.

Re:Let Me Get This Straight

[thegarbz]

Stupid is generalisations. There's a difference between you getting some random Chinese person to make something and a large company working with software created by a company with demonstrably close ties to the government.

There's nothing stupid about the concept of a sliding scale of risk assessment. The only thing stupid is a black and white all and nothing approach.

Re:

[dknj]

with demonstrably close ties to the government.

Ah, you mean like Facebook? [theguardian.com]

Re:

[Finallyjoined!!!]

So much so wrong in such a short statement.

Note to self: Shouldn't feed Trolls..

Re:

[queazocotal]

It has changed notably in the last decade or so.

At this point, it's basically nearly completely corporately a tory mouthpiece.

There are individual presenters who have a different view, but this doens't help that much when (for example) the chairman of the BBC gave the PM a very large loan shortly before being appointed.

Re:

[Finallyjoined!!!]

(for example) the chairman of the BBC gave the PM a very large loan shortly before being appointed.

"helped him to secure a loan" is not quite the same as "gave", sorry.

Re:

[greytree]

Yes, of course. The Conservative UK government runs the stupidly woke BBC. That must be it.

There are now Pro-TikTok commercials!

[beforewisdom]

I was watching a television show on FreeVee.com ( free, commercial laden Amazon Prime ) when a Pro TikTok commercial (propaganda) came up. I haven't seen anything like that before. TikTok must be worried.

Re: There are now Pro-TikTok commercials!

[e3m4n]

Well Amazon is so beholden to cheap knockoff chinese made crap, Bezos probably produced the propaganda himself using one of his prime video studios.

Re:

[real_nickname]

a Pro TikTok commercial (propaganda)

You mean ads? What is so surprising?

Why ask?

[thegarbz]

If you're concerned block the app with MDM policy. This "asking" screams of incompetent IT, as do all the stories of banning the app on government phones (the app shouldn't have been installed on a sensitive device in the first place).

IT people out there: Do your job.

Re: Why ask?

[e3m4n]

They are too busy on social media apps themselves. The old guard IT got better jobs or moved into management as we hit 50/60. That leaves the snot nosed brats born with a smartphone and snapchat account at the age of 5. They have never known a world before facebook/myspace. Let alone tiktok, snapchat, etc. Geocities? What the hell is that? Lol.

Re: Why ask?

[SeeKay]

Problem is the continuously diminishing boundary between work issued phones and personal phones used for work. Donâ(TM)t think a lot of people will be too happy about having apps removed off their personal phones because they have Teams installed for convenience and have unwittingly enrolled in the MDM system..

Re:

[thegarbz]

Nope. You enrolled in MDM, tough. That's the whole point of enrolling in MDM. You want the convenience of a hybrid device then you need a device with dedicated sandboxing of work / non work environments and a company that allows it.

If you have MDM on your personal phone it's not your personal phone, it's one someone else is managing for you.

If you want to work in a company / organisation which requires managing data exfiltration (i.e. the kind that asks you not to bring your personal phone on site at all),

Re:

[coofercat]

What if you're not sure? I don't think there's anything wrong with middle-ground. I also think you're being a bit hard on the IT folks.

Perhaps actually IT know that:

1) There's a bit of anti-Chinese news floating about. Such news makes journos more of a target than usual, but journos already have a no-TikTok rule, so can't be hacked this way directly.
2) If there's more anti-Chinese news, then maybe the CCP will invest more heavily in their hacking attempts, so will go after the people that surround the journ

Re:

[thegarbz]

What if you're not sure? I don't think there's anything wrong with middle-ground. I also think you're being a bit hard on the IT folks.

No you misunderstand my point. IT doesn't need to make a policy. The policy has been made. Someone has made the decision that TikTok shouldn't be on the phones. What they are doing is asking staff to remove TikTok. That's not how to enact security policy at an organisation. Instead they should announce to staff that TikTok will be remotely removed from their devices.

What IT think they know is irrelevant. They are incompetent at managing the policy in place. To your example you're suggesting they are also in

It's ironic because

[Rosco P. Coltrane]

Organizations around the world advise their staff to delete the data-pilfering TikTok app from their data-pilfering Android and iOS cellphones.

How amusing....

Facebook good, TikTok bad...

[damn_registrars]

So they're saying it's bad if TikTok does exactly what Facebook exists to do, even though in both cases the user is the product. Facebook is pretty open about stealing your data (ie everything you post and like), while TikTok might be stealing your data.

Personally I don't use either. I don't care if people use either or both. I just think the double standard is interesting. Certainly our concerns about what the Chinese government might do with personal information on Westerners has some connection to reality, I'm just amused that nobody is the least bit concerned about what a Western company is doing with personal information.

Re: Facebook good, TikTok bad...

[e3m4n]

No they are saying that as a member of the media you need to protect your confidential sources. The CCP will use tiktok to get access to your contact list. Media people are not geniuses, so they likely store said confidential sources in their smartphone contacts. So to prevent getting your source murdered by the CCP, uninstall the app.

Re:Facebook good, TikTok bad...

[Goose In Orbit]

USA is not seen as likely to want to bump off our journos sources

I'd pop into Belmarsh if I were you - I'll wager Assange has a thing or two to say on that blinkered viewpoint.

Workplace distractions.

[Anonymous Coward]

I'm not really sure why more companies don't ban all distraction apps from corporate devices as a whole.

20 years ago, it was only sales and marketing that had access to social media. The rest of the plant did not have a justified reason. Quite a few didn't even justify an external email address, which cut down on SPAM and email-based risks considerably. Today, you would be labeled some kind of "monster" if you were to impose such internet "sanctions" on the social media addicts walking in the door lookin

Re: Workplace distractions.

[monkeyxpress]

I donâ(TM)t know what you think BBC stands for, but itâ(TM)s a big tv, radio, internet and mobile media organisation, so accessing social media apps is very much something most of their employees are paid to do.

Re:

[geekmux]

I donâ(TM)t know what you think BBC stands for, but itâ(TM)s a big tv, radio, internet and mobile media organisation, so accessing social media apps is very much something most of their employees are paid to do.

The BBC sits within a country that is not only a member of NATO, but is also a member of Five Eyes.

The owner/operator of TikTok, is most certainly not.

In other words, they know damn well what can be done against citizens with social media. China sure as hell isn't educating anyone in that regard.

the framework is to blame

[TheGratefulNet]

meaning, the o/s.

if you have to WORRY about data leakage and security from an APP, then your whole o/s is all wrong and untrustable.

which is exactly what I think of anything google makes that is android or android-like (they change names for some reason). I do have a recent pixel phone but the system is still a freaking mess. it does the wrong thing (swipes SUCK, dammit. bring back buttons, even screen buttons, that are stable) and while its permission system has gotton better, if you STILL have to worry about a rogue app, then you never did your job as a system architect to begin with.

I wont go with apple for many reasons. they have their own problems. almost the exact opposite, in fact.

really sucks we have no portable computers that run honest actual linux in the way desktop does. I feel fully in control of my linux boxes at home. I feel like I'm renting my phone, when it comes to android. and so I dont give it much of my life, I dont pile up on the apps and I dont use web much on it, either (no good blockers like I have at home).

state of mobile has sucked and will always suck. its why we cant have nice things (grin)

Re:

[subreality]

if you have to WORRY about data leakage and security from an APP, then your whole o/s is all wrong and untrustable.

That's true of most OSes. On Linux any app I run has free reign over my homedir. If Chrome pushes a patch that scrapes my .ssh directory, they can get my keys. There are ways to contain programs like SELinux and AppArmor, but how many people are going to build custom profiles for the software they install?

Android is quite a bit better in that regard. Every app has private storage. The shared/common SD storage isn't accessible unless you grant access, and you only have to do so for apps that need it. i

Why is it there in the first place?

[AidanApWord]

Why would a BBC staff member need tiktok on their work phone in the first place?

Re:

[0xG]

It's for *entertainment*. Doesn't belong on any government or corporate device.