French gov't bans "recreational apps" from devices

OK, so what constitutes "recreational" precisely, please?

France has moved to ban TikTok and all “recreational applications” from government devices – saying the new rules applied “immediately and uniformly” but without specifying what constitutes a recreational application. (The Stack has contacted the Ministry of Transformation and Public Service for further details on the ban.)

TikTok was banned from UK government devices on March 16. The US and Canadian governments along with the European Commission have made similar moves. The UK described it as “precautionary” and said that broader “government policy on the management of third party applications will be strengthened.”

The European Commission earlier told staffers to remove the app by 15 March. Those who do not comply will lose access to their commission email and Skype for Business on their devices, the EC said. It was not immediately clear if these devices were all remotely managed and, if not, how compliance would be tracked.

France TikTok ban comes amid BYOD security complications

The rise of remote work and widespread use of phones for work purposes, along with the use of user-owned devices for work (BYOD), has complicated security and device management efforts by IT security leaders.

Employees, perhaps understandably, do not want to have their personal devices remotely managed by their employers, but even remotely managed enterprise devices can run into user understanding issues over privacy fears. The deployment of well-known endpoint protection software that tracks a degree of user behaviour on the centrally issued laptops of academics at Penn University recently triggered a civil liberties spat, for example.

https://twitter.com/alpha_convert/status/1620847576164732928

The French ministry said in a March 24 notice (our translation) that “recreational applications do not have the levels of cybersecurity and protection of sufficient data to be deployed on administrative equipment [and can therefore] constitute a risk to the protection of the data of these administrations and their public officials.”

Whilst huge numbers of applications downloaded without a moment’s reflection by end users have extensive permissions (demanding access to microphones, photographs, locations and more), TikTok’s ownership by China’s ByteDance has raised concerns that it could be used for surveillance purposes by a government that has an increasingly problematic relationship with many Western partners. The company’s privacy policy is straightforward about what it collects, down to and including “keystroke patterns or rhythms.”

For some observers, the ability of TikTok to potentially selectively and strategically deploy Chinese government talking points (propaganda) into the grids of its 50 million+ daily active users in the US and 23 million+ users in the UK is also a legitimate concern. In 2021, for example, NATO highlighted the growing need for it to respond to “cyber, hybrid, and other asymmetric threats, including disinformation campaigns, and by the malicious use of ever-more sophisticated emerging and disruptive technologies”. Having a wildly popular application as an easy conduit for disinformation or information warfare would be a genuine coup for Chinese authorities.

https://twitter.com/HackingButLegal/status/1640114115883483136

The French government has been a strong advocate of "data sovereignty" and a critic of US cloud-based applications and their extensive telemetry. It runs intra-ministerial communications on a home-grown application that uses Matrix as its underlying (open source) protocol, for example, rather than WhatsApp or Slack. (The launch of that application, Tchap, did not come without its own security issues, albeit ones patched impressively swiftly...)
