The TikTok ban on U.S. government devices is proving hard to enforce. A month after the IRS was found to be in non-compliance with the federally mandated ban on the Beijing-based video app, two Republican senators are asking the IRS why it’s still allowing some of the agency’s employees to access the social network, and what that means for the security of Americans’ IRS data.
The letter, announced today, was sent to the IRS on Thursday by U.S. Senators Marsha Blackburn (R-TN), a member of the Subcommittee on Taxation and IRS Oversight, and John Thune (R-SD), ranking member of the Subcommittee on Taxation and Internal Revenue Service (IRS) Oversight. In it, they press the IRS to respond to questions about why the ban is not being upheld, suggesting that the confidential nature of taxpayer data could be compromised by TikTok’s data collection practices.
In fact, The Wall Street Journal reported today that TikTok employees still sometimes shared data with their China-based parent company ByteDance, despite the operation code-named “Project Texas” that TikTok implemented to keep U.S. user data on Oracle servers in the states. That initiative had been designed to convince the U.S. government that U.S. user data was safe. The WSJ found that, instead, managers would sometimes instruct employees at TikTok to share data with others through unofficial channels, including private data, like a user’s email, birth date or IP address.
The timing of the report around IRS use of TikTok may raise concern among lawmakers that TikTok’s U.S. user data isn’t as protected as once hoped. It also demonstrates how unenforceable such bans could be amid the U.S. government’s bureaucracy and red tape, offering a preview of what it could be like to enforce such a ban at the federal level for all Americans — a move that some politicians from both parties believe should take place.
As for the IRS, a report from the Treasury Inspector General for Tax Administration (TIGTA) last month found that the IRS’ Criminal Investigation unit’s staff were still able to access TikTok on both their computers and mobile devices, long after The Office of Management and Budget (OMB) issued its “No TikTok on Government Devices” guidance in February 2023. The IRS hadn’t asked for the Criminal Investigation division to be exempt from the ban through official channels, nor had it cut off employees’ TikTok access, the report said.
The IRS countered it didn’t need an exception because the TikTok app was only used via third-party software — in other words, their devices weren’t directly connecting with TikTok. It also pushed back at the idea that the Criminal Investigation division chief should come up with a plan to fully cut off employee access to the app, saying it would use its own internal process to determine exceptions. In total, 2,800 mobile devices in the division were found to be able to access TikTok, TIGTA said.
In other areas, the IRS largely complied with the ban. When TIGTA found that TikTok was accessible on 23 phones used by employees in the Communications and Liaison group, which monitors social media, they were cut off from the app. The agency also said that it would update its “Bring Your Own Device” (BYOD) policy guidance to align with the ban by October 2024.
In the senators’ letter to TikTok, they pressed the IRS on its delay for implementing the ban within its BYOD program and the exception made for Criminal Investigation staff, writing, “Not only has the IRS failed to comply with the law, but its lack of action with regard to implementation of the No TikTok on Government Devices Act has potentially compromised confidential taxpayer information located on devices that have TikTok, which has close ties to the Chinese Communist Party and alarming data practices.”
The letter asks the IRS to respond to a series of questions by February 8, 2024. These include questions about how many IRS employees use their own devices, how many of those access TikTok with the same devices they use for IRS-related functions and what security protocols IRS employees must follow to protect taxpayer data, among other things. The senators also want to know if the IRS has removed TikTok from the Criminal Investigation mobile devices, and why they needed it in the first place.
TikTok has been asked for comment, but one was not provided by the time of publication.
The IRS is only one facet of the wider U.S. TikTok ban on government devices, which last February gave government agencies 30 days to ensure they no longer had the app on their employees’ phones and computers. The order had followed similar bans from dozens of U.S. states and others from outside the U.S., including the EU, Canada, India and more. However, many bans are being challenged in the courts. For instance, Montana’s ban on TikTok is now on hold, a federal judge ruled last month.
Letter to Daniel Werfel Commissioner, Internal Revenue Service by TechCrunch on Scribd