The Canadian Press (CP) recently reported that the federal government, following its ban of TikTok on government-issued devices, is now “taking a look at possible threats from other social-media applications.” It should proceed with banning all social media on government-issued devices, with exceptions as necessary and with the onus on the government actor to justify using such services.
The federal government itself is already well aware of the merits of this approach. According to the CP report, internal notes from the Treasury Board Secretariat, the federal institution that provides advice on the regulation and administration of the core public service, suggest “the most effective way to minimize risk is to prevent employees from installing any social-media apps on work phones unless there is a clear business need to do so” (emphasis added).
Yet the federal government has only acted on this concern with TikTok on government-issued devices. According to a recent internal intelligence assessment prepared by the Privy Council Office and titled “Economic Security and Technology: TikTok Takeover,” which I received via an access-to-information (ATI) request filed earlier this year, the government is concerned about TikTok’s access to highly sensitive data from its billions of users beyond China — data that includes individual users’ “location, contacts, content, preferences, and patterns” and “name, age, gender, and interests” — as well as about the app’s “collection of biometric identifiers and biometric information.”
But TikTok is hardly the only social media app engaging in such practices. Moreover, this is not the first time the federal government has been warned by its own experts about the dangers stemming from its employees’ use of social media. Other internal documents from the federal government have been sounding the same alarm.
A May 2022 internal briefing from the Department of National Defence (DND), which I obtained through the ATI system, notes particularly heightened risks for Canadian Armed Forces (CAF) members using social media. “The data that is provided to these services is extremely dangerous in aggregate,” the brief notes, underscoring that this data “could cause significantly grave injury to Canadian Forces Locations, Personnel and Operations if it fell into the wrong hands.”
The briefing provides numerous examples of such threats. For example, it highlights how Bellingcat, an investigative journalism group based in the Netherlands, tracked Russian troops in 2014 using their posts on VKontakte, a social media service. It also gives the more recent example of how details of a granite kitchen countertop visible in photos posted on social media by US Air National Guard member Jack Teixeira led investigators to identify him as the leaker of Pentagon-classified information to a Discord chat group; the classified documents had been photographed in the same setting.
Particularly concerning for the CAF are “dating/hookup apps,” which it notes “gather an obscene amount of data on their users.” These concerns specifically relate to the collection of location data, which makes users…vulnerable to triangulation attacks.
Unfortunately, the Canadian government has exhibited neither a serious concern for the threats posed by social media use by federal employees, nor any urgency in updating its privacy legislation, nor a particularly strong resolve vis-à-vis social media companies.
The DND briefing also singles out serious problems with aggregate data collection and trading, including by data brokers — a largely unregulated industry in Canada that the government’s languishing privacy bills continue to ignore, even as peer jurisdictions are moving toward regulation. Given obvious concerns about threat actors’ potential use of sensitive personal information, it is also noteworthy that the Special Economic Measures (Russia) Regulations, enacted in response to Russia’s invasion of Ukraine, do not mention personal information or similar data.
The DND briefing criticizes well-known social media companies like Facebook, Google, LinkedIn and Twitter for their approaches to handling data breaches and lacklustre cybersecurity. For example, it highlights that Russian companies purchased advertising data from Google and Meta, even after the Russian invasion of Ukraine. LinkedIn is referred to as a “candy store” or “directory” for threat actors seeking to target government figures. Snapchat’s ties to the Federal Security Bureau (FSB), Russia’s domestic security agency, earned it a spot on the FSB’s “snitch list.”
Particularly concerning for the CAF are “dating/hookup apps,” which it notes “gather an obscene amount of data on their users.” These concerns specifically relate to the collection of location data, which makes users — especially government employees working in sensitive areas, who might be using these apps anonymously — vulnerable to triangulation attacks.
With such conduct raising serious concerns internally in the federal government, the lack of action is surprising. The collection and storage of Canadians’ personal information on servers located in certain jurisdictions remains equally troubling. Canadian privacy legislation does not require data residency, except in a few narrow categories, such as public surveys, even though data residency is highly popular with Canadians. Once again, the federal government’s proposed privacy reforms avoid the subject.
The foregoing suggests the federal government needs to take a stronger stance in restricting public service employees’ access to social media on government-issued devices. The CAF itself raises the decibel on the future of such threats. The DND briefing notes that it is “HIGHLY LIKELY” that CAF members’ personal data “will become increasingly valuable for Enemy Cyber and Intelligence operations” and “will command a premium from Foreign Intelligence services as a relatively cheap way of monitoring troops.” The new president of the Treasury Board Secretariat, Anita Anand, is likely well aware of these risks, given her previous role at DND.
While exceptions may need to be made for those employees whose work involves using social media, the approach should be flipped from its current laissez-faire default to a more rigorous requirement whereby employees must justify their use of these services. This approach would also stymie government officials’ use of apps with disappearing message chats, which would help bolster the duty to document, the failure of which is already a major problem of the access to information system.
To be sure, the enforceability of internal government directives will remain dependent on government resolve. But the government should start listening to its own experts sounding the alarm. The call, as they say, is coming from inside the house.
