A TikTok ban on U.S. government devices has proven difficult to enforce. A month after the IRS was found not complying with a federally mandated ban, two Republican senators are questioning why the agency still allows some agency employees to access the social network and what that means for the security of IRS data.

The letter announced today was sent to the IRS on Thursday by U.S. Senators Marsha Blackburn (Tenn.), a member of the Taxation and IRS Oversight Subcommittee, and John Thune (South Dakota), ranking member of the Taxation and IRS Oversight Subcommittee. They asked the IRS to respond to questions about why it would not uphold the ban, saying TikTok's data collection practices could compromise the confidentiality of taxpayer data.

In fact, the Wall Street Journal reported today that even though TikTok implemented an operation code-named "Project Texas" to store U.S. user data on Oracle's servers in the United States, TikTok employees sometimes still share data with its Chinese parent company ByteDance. The move is intended to reassure the U.S. government that U.S. user data is safe. The Wall Street Journal found that TikTok managers sometimes instruct employees to share data with others through unofficial channels, including private data such as users' emails, birthdays or IP addresses.

The timing of the report surrounding the IRS's use of TikTok could raise concerns among lawmakers that TikTok's U.S. user data is not as protected as hoped. It also shows how difficult such a ban would be to enforce amid the bureaucracy and red tape of the U.S. government, while also foreshadowing what it would look like to enforce such a ban on all Americans at the federal level -- an action that some politicians on both sides of the aisle believe should be taken.

As for the IRS, a report last month from the Treasury Inspector General for Tax Administration (TIGTA) found that IRS Criminal Investigation Division employees were still able to access TikTok on computers and mobile devices, long after the Office of Management and Budget (OMB) issued guidance in February 2023 to "ban the use of TikTok on government devices." According to the report, the IRS did not request the criminal investigation department to be exempted from the ban through official channels, nor did it cut off employees’ access to TikTok.

The IRS countered that it did not need an exception because the TikTok app was only used through third-party software, in other words, their devices were not directly connected to TikTok. The IRS also pushed back against the idea that the director of criminal investigations should come up with a plan to completely cut off employees' access to the app, saying it would use its own internal procedures to determine exceptions. TIGTA said that a total of 2,800 mobile devices in the department were found to be able to access TikTok.

Otherwise, the IRS has largely complied with the ban. When TIGTA discovered that 23 employees in the communications and contact group responsible for monitoring social media were using phones with access to TikTok, they were prompted to ban the app. The agency also said it will update its "bring your own device" (BYOD) policy guidance by October 2024 to align with the ban.

In a letter to TikTok, the senators pressed the IRS over its delay in enforcing the ban and providing exceptions for criminal investigators in the BYOD program. "Not only is the IRS failing to comply with the law, but its lack of action in enforcing the TikTok on Government Devices Act could expose confidential taxpayer information on devices with TikTok, which has close ties to the Chinese Communist Party and whose data practices are alarming," they wrote.

The letter asks the IRS to answer a series of questions by February 8, 2024. Those questions include: how many IRS employees use their own devices, how many of them use devices with the same IRS-related functionality to access TikTok, and what security protocols IRS employees must follow to protect taxpayer data. Senators also want to know whether the IRS has removed TikTok from criminal investigations of mobile devices and why they needed TikTok in the first place.

TikTok has been asked for comment but had not received one as of press time.

The IRS is just one aspect of the U.S.'s ban on TikTok on government devices. Last February, the U.S. government gave government agencies 30 days to ensure that the app was no longer installed on their employees' phones and computers. The order follows similar bans issued by dozens of U.S. states and other countries outside the U.S., including the European Union, Canada, India and others. Montana's ban on TikTok, for example, is now on hold after a federal judge ruled last month.