Only centrally approved third-party applications will be allowed on Whitehall devices – but government remains tight-lipped on what might make the cut or how
Government devices will only be permitted to contain third-party applications that have been centrally pre-approved for official use, under new plans announced by ministers.
But, despite questions from MPs and journalists, government has thus far failed to provide any details of which apps might make the cut, the process by which they will be assessed and approved, or how the policy will be implemented over the coming months.
The centrepiece of the announcement, made in parliament last week by Chancellor of the Duchy of Lancaster Oliver Dowden, was that government is going to “ban the use of TikTok on government devices”.
The minister also revealed plans to implement wider restrictions in which departments will be required to adopt “a system where government devices will only be able to access third-party apps that are on a pre-approved list”.
In immediate response to the announcement, Dowden’s counterpart in Labour’s shadow cabinet, Angela Rayner, asked “how does the ban on TikTok differ from it simply not being on that approved list?”. She also asked for further details on “what criteria will be used for the list of pre-approved apps that… which apps will be included and which will not, [and] on what grounds?”
Dowden did not directly answer either question, but responded that: “We already have an approved list of apps but it does not apply to every government department. We are now ensuring that it applies across all government departments. I do not believe there is a risk extant at the moment; this is about ensuring that we continue to guard against risk on an ongoing basis.”
Following the announcement, PublicTechnology asked the Cabinet Office to provide any available additional detail on the apps that are featured on the list, whether there is an application system or other process by which programs will be assessed and added, and whether the new policy will be retroactively applied to apps that are already installed on official devices but are not on the list currently.
The department declined to answer this query and indicated that no further information or comment beyond the ministers’ announcement would be provided.
In parliament, Dowden said that the use of a safelist is a “system [that] is already in place across many departments, and now it will be the rule across government”.
‘Horse has bolted’
Discussing the specific “ban” on TikTok, the minister said: “Given the particular risk around government devices that may contain sensitive information, it is both prudent and proportionate to restrict the use of certain apps, particularly when it comes to apps where a large amount of data can be stored and accessed. This ban applies to government corporate devices within ministerial and non-ministerial departments, but it will not extend to personal devices for government employees or ministers or the general public. That is because, as I have outlined, this is a proportionate move based on a specific risk with government devices. However, as is always the case, we advise individuals to practise caution online and to consider each social media platform’s data policies before downloading and using it.”
In response, Rayner accused the government of “closing the stable door after the horse has bolted”.
“If the minister was serious about overhauling security at the heart of government, why was the review limited only to the use of third-party apps on government devices? Why not carry out a root-and-branch review of the technology used by his colleagues? The reality is that this government’s track record of upholding security at the heart of government is appalling, from their chronic use of private emails to the hacking of the phone of the former foreign secretary, [Liz Truss].”
One of Dowden’s ministerial colleagues at the Cabinet Office recently pledged that the guidance on the use of non-government communications accounts to conduct official business – advice which has remained unchanged since 2013 – will be updated “as soon as possible”.
The revision comes in light of a year-long investigation by the Information Commissioner’s Office which identified “systemic risks” posed by government’s use of non-corporate messaging systems, such as WhatsApp and Gmail. The regulator called for the government to conduct its own review and update the guidance subsequently.
Last week in parliament, Dowden responded to Rayner to say: “We are updating the guidance on non-corporate communications to ensure that we have a consistent approach across government, but, again, I do not believe that we have serious concerns on that.”