Nearly five percent of CIty of Vancouver-issued staff mobile devices included TikTok before city hall blocked the controversial, Chinese-owned video app in March.
But city employees were allowed to continue using TikTok on their own devices, even when accessing city systems.
According to internal email obtained under freedom of information law, the city’s chief technology officer Tadhg Healy initially expressed reluctance after the federal government announced Feb. 27 that it had banned TikTok on federal devices. Healy noted that Apple and Google extensively vet the apps they carry.
“At this point we don't have evidence pointing at TikTok being a security risk for the City of Vancouver,” Healy told city manager Paul Mochrie.
Later that day, B.C. Citizens’ Services Minister Lisa Beare followed the federal lead and banned B.C. government staff from using TikTok on provincial government devices.
Mochrie mentioned Feb. 28 that B.C.’s information and privacy commissioner Michael McEvoy had announced a joint investigation with federal, Ontario and Alberta commissioners the previous week.
“Are the province or feds sharing any more intel regarding their decisions on this? Is there something beyond ‘based in China’?” Mochrie asked on March 1.
Healy told him that the issue was privacy, rather than cybersecurity, “given that TikTok harvests a lot of data about the user and their behaviours and that that data is potentially available to the Chinese government in a similar fashion to the data harvested by apps such as Facebook could be made available to the U.S. government.”
The city had 132 iPhones containing TikTok out of its fleet of 2,700 devices. Approximately 100 Android devices were deployed in a locked-down configuration, so that users could only choose from a list of approved apps.
“TikTok is not one of them,” Healy wrote. “So it is only iPhones we need to worry about.”
On March 4, Healy told Mochrie that Delta, Maple Ridge and Metro Vancouver were implementing TikTok bans on all staff devices. "At this point I believe we should strongly consider this option,” he said. “Let me know if you want to have a quick chat on it.”
Before doing so, Mochrie asked Healy on March 6 to draft a note to Mayor Ken Sim and city council.
“If there is any major heartburn for them, it would be good for us to understand before we
implement,” Mochrie wrote.
Mochrie sent the memo the next day, recommending the app be blocked from city-issued devices at 3 p.m. March 14, citing the data harvested from contacts, calendars and keystroke patterns.
“Can we also ban Twitter? :)” replied Park Board general manager Donnie Rosa on March 8. “I guess that's wishful.”
Instead of “heartburn,” there was support for the ban and questions about the process from the only politician to reply, ABC Coun. Lenny Zhou. Zhou wondered about the technical feasibility and whether a council motion was necessary.
Deputy city manager Karen Levitt said that city technology-use policies allowed staff to act without council approval and that the city was not planning to follow Toronto’s example by issuing a news release.
“Our device management software allows us to block the app so once that block is in place it’s not possible to download it,” Levitt wrote. “Our technology services department can also run periodic scans to confirm that the app has not been downloaded to city issued devices.”
Zhou responded: “Great to see CoV takes leadership in protecting privacy and security of the use of mobile devices.”
City hall notified the Vancouver Police Department (VPD), Vancouver Public Library and Vancouver Economic Commission (VEC) the day after the ban took effect.
In response to Kyle Kennedy, the VEC senior finance and operations manager, Kyle Foster, the city’s acting director of infrastructure and operations, clarified that the ban “has no effect on city employees using city credentials on other devices.”
VPD information and communications technology director Raymond Lai told Healy that users in the force can only install apps from an allowed list.
“TikTok is not on the list,” said Lai. “We also blocked TikTok from our firewall. We also supplied one standalone phone to public affairs for their TikTok needs.”
The Citizen Lab in the Munk School of Global Affairs at the University of Toronto studied TikTok in 2021. Director Ron Deibert cautioned TikTok gobbles up a lot of personal data, just like other social media apps, and the company is not transparent about what it does with user data.
“Our analysis was explicit about having no visibility into what happened to user data once it was collected and transmitted back to TikTok’s servers,” Deibert wrote in March. “Although we had no way to determine whether or not it had happened, we even speculated about possible mechanisms through which the Chinese government might use unconventional techniques to obtain TikTok user data via pressure on ByteDance.”
Benjamin Fung, a professor in the School of Information Studies at McGill University, said TikTok’s claim that data is housed on U.S. servers is hollow because workers in China are legally obliged under the National Security Law to co-operate when the Chinese government demands to see data.