Home Affairs review of TikTok was merely for staff use on its network

It wasn't a sweeping review on whether the social media app was handling data on its users in a manner consistent with Australian law, nor did it provide the Prime Minister with assurances the app was safe to use.

The Department of Home Affairs has confirmed that a review it undertook on controversial video-sharing platform TikTok was simply a standard network evaluation.

Addressing the Select Committee on Foreign Interference through Social Media on Friday, Home Affairs first assistant secretary Hamish Hansford said a risk assessment was undertaken on TikTok internally for departmental systems in January 2020 by the department's cybersecurity risk area.

"We routinely look at areas of vulnerability across our departmental protected network, as well as our systems, as well as our mobile devices, and that's a routine function undertaken by our cybersecurity risk area sitting within our information and communication technology area of the department," he said.

"That conforms with some of the guidance by the Australian Signals Directorate around application whitelisting, application control, locking down systems from macros -- that type of thing -- so that was done in the context of departmental systems."

Hansford said the Home Affairs review was portrayed in a different way. He said the internal review was completely distinct from the role that his division plays in relation to cybersecurity policy advice to government.

There was no advice provided to government on TikTok as a result of this review.

Prime Minister Scott Morrison in August said that he had a "good look" at TikTok and there was no evidence to suggest the misuse of any person's data.

"We have had a look, a good look at this, and there is no evidence for us to suggest, having done that, that there is any misuse of any people's data that has occurred, at least from an Australian perspective, in relation to these applications," he told the Aspen Security Forum.

"You know, there's plenty of things that are on TikTok which are embarrassing enough in public. So that's sort of a social media device."

Morrison said the same issues are present with other social media companies, such as Facebook.

"Enormous amounts of information is being provided that goes back into systems. Now, it is true that with applications like TikTok, those data, that data, that information can be accessed at a sovereign state level. That is not the case in relation to the applications that are coming out of the United States. But I think people should understand and there's a sort of a buyer beware process," the prime minister added.

"There's nothing at this point that would suggest to us that security interests have been compromised or Australian citizens have been compromised because of what's happening with those applications."

The committee was hoping to ascertain how Morrison came to this conclusion.

While Hansford took on notice where Morrison received such advice, he said he assumed it was from the Australian Signals Directorate (ASD).

Speaking during Senate Estimates in October, Director-General of the ASD Rachel Noble said her team was involved in providing the advice to Morrison but didn't detail what that advice was.

Noble did say, however, that the ASD's role is to provide technical advice when it comes to departmental staff using TikTok on work-issued phones.

"It's ultimately a matter for any individual department to make its own risk judgement about whether, on balance, they wish to provide said application on their work-provided iPhone, for example. And that will be their own judgement weighed against the potential utility of the application to the proper running of their own organisation," she said.

"We have provided quite extensive public advice about social media apps … the nature of that advice in the broad, is that it's important to remember that all social media apps' business model is to monetise your personal information that you provide them but also to on-sell the nature of your activity and engagement … that is a big moneymaking business model.

"Our advice really encourages people to consider that and proceed with great caution. Be thoughtful about what personal information you are willing to provide."

A question on whether TikTok receives the same scrutiny from the Australian government as Huawei was offloaded to the Australian Cyber Security Centre.
