- Documents obtained by Forbes reveal that a China-based team at TikTok’s parent firm, ByteDance, planned to use the TikTok app to follow the locations of a select group of Americans.
- The documents, however, show that the Internal Audit team also planned to obtain information from TikTok about a U.S. citizen’s location in at least two instances who had never worked for the company.
- According to the 2021 book An Ugly Truth, Facebook used a similar tactic to identify the journalists’ sources.
- It is unclear what role ByteDance’s Internal Audit team will play in TikTok’s efforts to restrict access to user data by workers stationed in China, given that the team intends to use the TikTok app to track the locations of some American citizens.
- In addition, an audio recording of a conversation from January 2022 shows that the Beijing-based team was already compiling further information regarding Project Texas at that time.
According to documents Forbes obtained, a China-based team at TikTok’s parent company, ByteDance, intended to utilize the TikTok app to track the locations of some particular American individuals.
ByteDance’s Internal Audit and Risk Control department, which is in charge of the monitoring initiative, is run by Beijing-based executive Song Ye and reports to ByteDance co-founder and CEO Rubo Liang. The China-based company doesn’t seem to be getting enough of the scandal these days. Recently, we’ve covered how TikTok takes up to 70% of the donations made to Syrian families.
Did ByteDance use TikTok to track the location of American citizens?
The team’s primary focus is looking into alleged wrongdoing by current and former ByteDance workers. However, the files reveal that the Internal Audit team also intended to get TikTok information regarding a U.S. citizen’s location in at least two instances who had never worked for the company. Although it is unclear from the documents whether information about these Americans was ever gathered, the idea was for a Beijing-based ByteDance team to acquire location information from the devices of American users.
According to Maureen Shanahan, a spokesperson for TikTok, the app uses users’ IP addresses to gather approximate location data in order to, among other things, “help show relevant content and ads to users, comply with applicable laws, and detect and prevent fraud and inauthentic behavior.”
However, the information Forbes has seen indicates that ByteDance’s Internal Audit team intended to utilize this location data to monitor specific American individuals, not to target advertisements or for any of these other purposes. In order to safeguard sources, Forbes did not identify the type of monitoring that is being planned or why it is being done. If any activists, public personalities, journalists, or members of the U.S. government have been explicitly targeted by Internal Audit, they have not been identified by TikTok or ByteDance.
The Treasury Department’s Committee on Foreign Investment in the United States (CFIUS), which assesses the risks to national security posed by businesses with foreign ownership, is reportedly close to signing a contract with TikTok, according to NYT. CFIUS has been looking into whether the company’s Chinese ownership could give the Chinese government access to the personal information of American TikTok users. (Full disclosure: I formerly worked for Facebook and Spotify in policy positions.)
An executive order outlining particular risks that CFIUS should take into account when evaluating enterprises with foreign ownership was signed by President Biden in September. The order focuses specifically on foreign companies’ potential use of data “for the surveillance, tracing, tracking, and targeting of individuals or groups of individuals, with potential adverse impacts on national security.” The order states that it intends to “emphasize the risks presented by foreign adversaries’ access to data of United States persons.”
Regular audits and investigations of TikTok and ByteDance workers are conducted by the internal audit and risk control team to check for violations such as conflicts of interest, improper use of corporate resources, and disclosure of sensitive data. Senior executives, including TikTok CEO Shou Zi Chew, had instructed the team to look into specific workers, and the investigation continued even after those employees had departed the business, according to Forbes.
ByteDance’s internal office management software, the internal audit team, employs a data request system called the “green channel,” which is known to staff. These documents and records demonstrate how “green channel” requests for data on American personnel resulted in the retrieval of that information from the Chinese mainland.
“Like most companies our size, we have an internal audit function responsible for objectively auditing and evaluating the company and our employees’ adherence to our codes of conduct. This team provides its recommendations to the leadership team,” stated ByteDance spokesperson Jennifer Banks.
The software industry leader ByteDance is not the first to have contemplated deploying an app to track certain American consumers. The Uber app was supplied to a number of local politicians and regulators in a different, deceptive form in order to escape regulatory penalties, according to a 2017 New York Times article. At the time, Uber acknowledged using the “greyball” technology but said it was used, among other things, to refuse trip requests from “opponents who collude with officials on secret ‘stings’ meant to entrap drivers.”
According to reports, Facebook and Uber both kept tabs on the whereabouts of journalists using their programs. According to a 2015 investigation by the Electronic Privacy Information Center, Uber had tracked the whereabouts of journalists who covered the business. Uber did not directly address this assertion. An Ugly Truth, a book published in 2021, claims that Facebook engaged in a similar practice to identify the journalists’ sources. Although a spokesman told the San Jose Mercury News in 2018 that Facebook “routinely use[s] business records in employment investigations,” Facebook did not specifically address the claims made in the book.
However, a crucial aspect sets apart ByteDance’s planned gathering of personal user data from those instances: In a recent letter to Congress, TikTok stated that “limited only to authorized personnel, pursuant to protocols being developed with the U.S. Government,” will have access to sensitive U.S. user data, possibly including location. If Internal Audit executive Song Ye or other members of the division are considered “authorized personnel” for the purposes of these protocols, TikTok and ByteDance did not respond to inquiries regarding this.
These assurances are a part of TikTok’s massive Project Texas effort to rebuild its internal systems so that Chinese employees won’t have access to a variety of “protected” identifying information about users of the TikTok app in the United States, such as their phone numbers, birthdays, and draft videos. This endeavor is crucial to the company’s discussions with CFIUS over national security.
Vanessa Pappas, the chief operating officer of TikTok, stated at a Senate hearing in September that the upcoming CFIUS contract will “satisfy any national security concerns” over the app. However, a few senators showed skepticism. Following a June BuzzFeed News report revealing that ByteDance employees in China had repeatedly accessed U.S. user data, the Senate Intelligence Committee launched an investigation into whether TikTok misled lawmakers by withholding information about the access of U.S. data earlier this year by employees based in China.
The firm employs methods including encryption and “security monitoring” to keep data secure, access approval is overseen by U.S. personnel, and employees are given access to U.S. data “as needed,” according to a statement from TikTok spokeswoman Shanahan.
Given that the team intends to utilize the TikTok app to track the locations of some American residents, it is unclear what part ByteDance’s Internal Audit team will play in TikTok’s efforts to restrict access to user data by personnel stationed in China. However, a fraud risk assessment prepared by a team member in the latter half of 2021 raised questions about data storage, stating that, in the opinion of the staff members in charge of the company’s data, “it is impossible to keep data that should not be stored in CN from being retained in CN-based servers, even after ByteDance stands up a primary storage center [sic] in Singapore. [Lark data is saved in China.],” Forbes reports.
Furthermore, a recorded audio discussion from January 2022 reveals that the Beijing-based team was already gathering further details about Project Texas at that time. A member of TikTok’s U.S. Trust & Safety team described an odd chat with his manager during the call: Chris Lepitak, TikTok’s Chief Internal Auditor, had urged the employee to meet at a restaurant in the LA area after hours.
The employee was then questioned in-depth by Lepitak, who answered Song Ye in Beijing, regarding the location and specifics of the Oracle server, which is essential to TikTok’s intentions to restrict foreign access to sensitive user data in the United States. The worker admitted to his manager that the interaction had “freaked him out.” When contacted about this exchange, neither TikTok nor ByteDance provided a response.
While TikTok currently uses Oracle’s cloud services, according to Ken Glueck, an Oracle spokesperson, “we have absolutely no insight one way or the other” into who has access to TikTok user data. TikTok is currently operating in the Oracle cloud, but, like Bank of America, General Motors, and a million other clients, they have complete control over everything they do, he said.
This supports a claim made by TikTok’s head of data defense in a leaked audio call from January. “It’s almost inaccurate to call it Oracle Cloud,” the executive added to a colleague during the discussion. “They’re just giving us bare metal, and we’re building our VMs [virtual machines] on top of it.”
Glueck made it plain that if and when TikTok finalizes its deal with the federal government, this situation would change. Oracle, he added, is not providing TikTok anything “other than our own security” unless and until that is the case.
TikTok declined to respond to inquiries from Forbes regarding the state of the business’s discussions with CFIUS. But a spokesman for TikTok, Brooke Oberwetter, told Bloomberg in an early-morning statement: “We are confident that we are on a path to fully satisfy all reasonable U.S. national security concerns.”