The IRS is not in compliance with the No TikTok on Government Devices Act, according to a Treasury Inspector General for Tax Administration (TIGTA) report released this week.
As the official IRS watchdog, TIGTA examined the criminal investigation (CI) division of the IRS, a unit which frequently handles highly sensitive personal taxpayer data.
The report stated:
“The IRS does not comply with the OMB’s mandate as computers and mobile devices assigned to CI [criminal investigation] employees continue to have the functionality to access TikTok and other related websites. For example, TIGTA identified more than 2,800 mobile devices used by CI that could access TikTok’s website and approximately 900 CI employees that had the ability to get access to TikTok’s website via computers assigned to CI.”
The watchdog urged the IRS to “ensure that access to TikTok is blocked on mobile devices and work with the OMB to determine whether an exception process is needed for the approximately 900 CI employees who can access TikTok on their computers.”
The IRS allows many employees to use their personal devices for official business at the IRS. This is referred to internally as “BYOD” — bring your own device. As noted by the report, “This program offers employees the convenience of using their personally owned mobile device to access, process, transmit, or store IRS information.”
But these devices are running afoul of the TikTok ban. When confronted by TIGTA, the IRS tried to assert such devices were not subject to the ban.
Then the IRS told TIGTA they would check with the Office of Management and Budget to see if the BYOD devices were covered by the ban. But after several months went by, the IRS still hadn’t bothered to ask.
The report states:
IRS officials have not responded to our e-mail alert issued in May 2023. During our discussions, the IRS stated that they will reach out to the OMB to ensure that the BYOD program is in compliance with OMB guidance.
When we met with IRS management in August 2023, they reiterated that personally owned devices approved for the BYOD program do not apply to the Act. As we note above, our discussions with representatives from the OMB confirmed that BYOD programs fall within the purview of the Act. When we asked IRS management if they discussed their position with the OMB, they informed us that they did not reach out to the OMB for guidance and/or confirmation. IRS officials state that they can neither dictate nor enforce what users do on their personally owned devices without violating constitutional rights.
Nobody is forcing these employees to bring their own device. The fact that the IRS tried to assert that the ban didn’t apply to such devices is another indication the IRS thinks it is above the law.
The IRS with much foot-dragging eventually agreed to check with OMB but then said if there are any changes needed, it won’t happen until October 2024!
The inspector general called out the IRS for their inability to grasp the seriousness of the situation.
The report states:
“The IRS’s implementation date of October 2024 does not indicate an understanding of the risk and expeditiousness with which agencies were required to ensure compliance with the No TikTok on Government Devices Act.”