More states are cracking down on government use of TikTok, citing concerns that the popular video-sharing app’s Chinese parent company poses security risks, including the data it collects on its millions of U.S. users.
TikTok was one target of an emergency directive signed Tuesday by Maryland Chief Information Security Officer Chip Stewart, who ordered that the app be removed from state-owned devices, as well as any personal devices used to conduct government business. While the State of Maryland and its agencies do not appear to have any presence on the platform, Stewart’s order covers a number of companies that’ve been accused of “inappropriate collection of sensitive personal information,” “algorithmic modification to conduct disinformation or misinformation campaigns” or surveillance of government activities.
TikTok’s corporate owner, ByteDance, has been accused by U.S. officials of collecting user data that could be used by the Chinese regime to conduct espionage on the United States and its residents. The federal government at one point attempted to ban the app outright, though it’s now attempting to broker a deal in which the company would migrate its American data to U.S. servers. (ByteDance says it currently stores user data in Singapore and Virginia.)
The Maryland decision came a week after South Dakota Gov. Kristi Noem became the first governor to issue a statewide ban on TikTok. But while Noem’s executive order only targeted the video app, Stewart’s directive listed a number of other technology companies based in both China and Russia, including device-makers Huawei and ZTE, e-commerce giants Tencent and Alibaba and the security software company Kaspersky Lab.
Tencent and Alibaba have been accused by U.S. officials of doing data-processing work on behalf of Beijing’s ruling Chinese Communist Party, while Huawei and ZTE have long been banned from selling their devices to the federal government. (A few states had already banned the manufacturers, though a recent Georgetown study found many state and local governments still use them.)
“At a high level, you have certain tech companies engaged in activities that go beyond the stated business purpose,” Stewart told StateScoop. “We’re not just picking on TikTok, but if an organization has a product where the intended purpose is video sharing but they engage in data collection it becomes concerning.”
Stewart said he is unaware of any state agencies using Huawei or ZTE devices, though he said that any employees who have those companies’ phones for personal use could be asked to stop accessing government networks on them.
Other states are likely to at least restrict TikTok. Texas Gov. Greg Abbott on Wednesday signed an executive order banning the app on all government-issued devices. South Carolina Gov. Henry McMaster on Monday asked his state’s Department of Administration to remove the app and block access on all government devices.
In Maryland, Stewart said his directive is modeled after federal orders issued by the likes of the Cybersecurity and Infrastructure Security Agency, which occasionally puts out binding operational directives requiring federal agencies to take steps to mitigate risks. Stewart’s office gained this authority as part of a broader cybersecurity bill Gov. Larry Hogan signed earlier this year. Stewart also said the policy was created with Kaspersky in mind — the antivirus company is accused of having ties to the Kremlin.
“We’re trying to align ourselves and set good practices to secure states against organizations that might be aligned with a foreign government,” Stewart said.
He also said that the bans on TikTok and the other companies listed Tuesday need not be permanent.
“The concern is about the activity,” he said. “If concerns around any of the vendors were to go away, the product would come off the list.”
Stewart recalled that early in the COVID-19 pandemic, Maryland temporarily restricted agencies’ use of Zoom, as the video-conferencing platform was susceptible to hijacking and other attacks. That decision was reversed in July 2020 after Zoom introduced several new security features, including end-to-end encryption for all users.