Claudia E. Aanonsen: Is TikTok a threat to Norway’s security?

Commissioned by the Norwegian Ministry of Justice and Public Security (MoJ), the National Security Authority (NSM) presented an assessment in early March 2023 that discourages public sector employees from downloading the Chinese social media app TikTok. This includes all mobile devices connected to internal digital infrastructures or services of the public sector as well as employees of private companies that are partly or fully subject to the National Security Act. In this regard, questions should be raised as to why TikTok is considered an imperative security threat in the Norwegian context compared to other apps that harvest the equivalent volume of data through similar methods. 

NSM’s recommendation to avoid TikTok (and the Russian-owned app Telegram) is based on the yearly risk report from 2022 which states that ‘a large part of Chinese-produced technology can be used as a platform for obtaining illegal intelligence’. The timing of the assessment was in part due to the discovery that several ministers in Norway had TikTok downloaded on their work devices, raising concerns and considerable media attention. This accelerated when the US and Taiwan banned the app on the phones of government officials in late 2022. Since then, other states and institutions have discouraged public sector employees from downloading TikTok, including the UK, France, Australia, and the European Commission. NSM warns that having TikTok on work devices poses a ‘high risk’ to national security, owing to the fact that the China’s Intelligence Act demands Chinese companies and individuals to hand over any information deemed significant to the government’s intelligence authorities.

Prior to NSM’s assessment and recommendations, a recent survey did not find that any companies in Norway had enforced regulations on the use of Chinese apps for employees. Shortly after NSM presented the recommendations, numerous public agencies, municipalities, and companies strongly discouraged using TikTok on employees’ work devices. Notably, the abrupt response was not prompted by a discovery of risks or new security threats posed on TikTok users. Rather, once NSM made the recommendations publicly available, it triggered an immediate change in policy among public and private companies. This conceivably illustrates that private companies rely on and trust government guidelines, but also that they do not have the capacity (or authority) to solely depend on their own judgement to measure and mitigate risks related to use of technological services and devices.

Although most digital infrastructure is owned and operated by private companies, NSM functions as the chief authority when it comes to cybersecurity in Norway. There are two notable observations to make from this. Firstly, a paradoxical moment occurs when Norway’s security strategy strongly invests in making private companies responsible for and capable of ensuring their own cybersecurity. With a strategic aim to enhance collective digital resilience through knowledge and skill development, the government also legally obligates the compliance of private companies subjected to the Security Act. This puts the respective companies in a quandary. As illustrated by the case with TikTok (and the dispute surrounding Huawei building Norway’s 5G infrastructure), private companies are not necessarily in a position to perpetually deal with risks and vulnerabilities in technological devices and supply chains to meet the demands determined by the Security Act without government directives. Yet legally, companies are expected to be held accountable for their own security. 

Secondly, and more crucially, discouraging the use of a Chinese social media app carries far more potential political and economic repercussions than security and privacy for users. It is worth noting that TikTok is not the only app undertaking comprehensive data collection, such as requesting users’ geolocation, device-ID, and contact list. The most widely used social media apps in Norway and across the world harvest a comparable volume of private data though similar methods. Depending on national legal restrictions and obligations, apps and digital services are not necessarily prohibited from selling the data abroad to other governments, intelligence authorities, or intermediaries (such as data brokers). As we have historically seen through the premises of US-owned services such as Facebook and Twitter, these too have harbored spaces for illicit data collection by foreign and non-state actors. However, although there is no physical evidence at the present time, the vast extent of TikTok’s comprehensive data collection and what it does with it in real-time we are yet to find out. But in principle, China (or any other government or corporation) does not need to own a social media platform to collect and share personal data but can simply buy it on the market.  

Questions should therefore be raised to the extent of why TikTok represents a more imperative threat in comparison to other apps and digital services. Although public sector employees should undeniably act with precaution when it comes to the use of digital services and devices, instating ‘bans’ on TikTok, Huawei or Russia’s Telegram is a sign of acting on a political momentum. Considering the lack of attention paid to security risks associated with other apps and services, the question is about the political and economic relations between China and the US and the West rather than simply issues of privacy and security. For Norway, turning to the bigger picture when it comes to the potential economic and political ramifications of pointing fingers at TikTok should be carefully thought-out and contextualized in the current geopolitical climate.