
State Secretary Van Huffelen (Kingdom Relations and Digitalization) answers questions about banning applications (apps) on cell phones of government officials. Member of Parliament Dekker-Abdulaziz (D66) asked the questions. The state secretary also offers the advice of the General Intelligence and Security Service (AIVD) on the use of apps.
On February 2, 2023, written questions were asked, with reference 2023Z01674, by Member Dekker-Abdulaziz (D66) about the possibility of banning the Chinese application TikTok on mobile devices of Rijksoverheid employees. In the debate Inzet algoritmes en data-ethiek binnen de Rijksoverheid (Deployment of algorithms and data ethics within the Rijksoverheid) on February 15 last, I promised to investigate further. In that debate, some parties also asked whether the Netherlands should not, like the United States, impose a ban on use by civil servants because of the potentially high security risk. Since the debate, the European Commission, Council of the European Union, and the European Parliament have suspended the use of TikTok. In this letter, I will comment on the investigation conducted, and indicate the policy I will follow. Also attached are the answers to the written questions, also on behalf of the Minister of the Interior and Kingdom Relations.
Based on the Chamber's questions, the AIVD was asked to provide an opinion. Its conclusion is that the use and presence of cell phones and the applications installed on them at all times constitute an inherent espionage risk. It is therefore advisable to always make a thorough assessment between the need to install a particular application on the one hand and the associated risk on the other. Use of apps from companies in countries with an offensive cyber program by civil servants employed by the rijksoverheid (1) increases this risk. Examples of countries with such an offensive cyber program are Russia, China, Iran and North Korea. Switching to employer-managed devices is a more structural solution to this risk. The AIVD's consideration, which was the basis for further interdepartmental research, is attached to this letter for information.
In a general sense, applications often access all data on the cell phone. Apps often request prior permission for this through the terms of use. The user can also add information himself. This can include personal data of the user such as contact information, files such as photos, or contacts of the user, but also data about the specific device and networks used. In specific cases, users' keystrokes are intercepted.
There was also close contact in my research with a number of partner countries in the EU and the European Commission, about their assessments and their policy choices regarding apps on mobile devices in use by their government officials. From this, the picture emerges that countries are making different choices, but that many countries have taken measures to secure phones of their officials. A few countries have chosen to specifically ban TikTok; a number of countries discourage or more generically ban the use of apps from companies from certain countries because of the inherent risks. A number of countries have indicated that they have chosen to set up their mobile devices so that only pre-authorized apps can be installed and used. We are also following developments outside the European Union. In doing so, we have noted the UK's precautionary ban on TikTok on government devices, working toward strengthening policies around third-party apps. We are also following the measures and steps taken by the United States, to which attached questions also already refer.
In light of the risks mentioned above and the AIVD's consideration, I consider it necessary to take additional steps in the area of mobile device security in the Rijksoverheid. The first step is to immediately discourage civil servants employed by the Rijksoverheid from having apps of companies from countries with offensive cyber programs against the Netherlands and/or Dutch interests installed and used on their mobile work devices. In order to properly inform civil servants employed by the rijksoverheid about this, communication will be developed in the short term.
At the same time, we will soon be working towards a situation in which mobile devices issued to civil servants in the employ of the rijksoverheid are set up in such a way that only previously authorized apps, software and/or functionalities can be installed and used on them. As a whole, they will then become so-called "managed devices," for which it has been determined which apps can be installed and used on them by the user. Apps from companies from countries with an offensive cyber program against the Netherlands and/or Dutch interests will then not be allowed. I want this policy set up as soon as possible, in cooperation with the 'shared service organizations' (SSOs) that manage these mobile devices.
In doing so, I also consider the bring your own device policy used by parts of the rijksoverheid. An exception to the above measures applies when such an application is or may be necessary for the performance of a primary task of a central government organization. This could include inspection and supervision, investigation or intelligence interests. This exception will be further elaborated in cooperation with the departments in the coming period.
App use in society
This letter has so far focused on risks for the rijksoverheid. Apps are also used by other governments and especially by citizens, including children. It is important to raise awareness about data processing by these types of apps. Therefore, the government is going to focus on this in the coming period. We will get back to you on this before the summer.
The State Secretary of the Interior and Kingdom Relations, Digitalization and Kingdom Relations, Alexandra C. van Huffelen.
(1) These are all civil servants employed by departments and agencies and other implementing organizations under them.
