www.buzzfeednews.com
151.101.2.114  Public Scan

Submitted URL: http://go2.branch.io/MzE1LUZUVC0xMjEAAAGFZNAcrJEuGfJMbCemFScQ55y8Su8M1NOvvJoh5cTre-aMTY26e_cXBpFFlpOodtYlYCjnJVA=
Effective URL: https://www.buzzfeednews.com/article/emilybakerwhite/tiktok-tapes-us-user-data-china-bytedance-access?utm_campaign=Mobile-Gro...
Submission: On July 05 via api from US — Scanned from DE

Form analysis 2 forms found in the DOM

POST https://www.buzzfeed.com/auth/signout

<form action="https://www.buzzfeed.com/auth/signout" method="post">
  <input type="hidden" name="_xsrf" value="">
  <a href="javascript:;" class="newsblock-mobile-navigation-menu__link" data-type="signout" data-pixiedust="{&quot;item_name&quot;:&quot;signout&quot;,&quot;position_in_unit&quot;:3,&quot;unit_name&quot;:&quot;user&quot;,&quot;unit_type&quot;:&quot;nav&quot;,&quot;data_source_name&quot;:&quot;&quot;,&quot;item_type&quot;:&quot;text&quot;,&quot;internal_only&quot;:&quot;true&quot;,&quot;target_content_type&quot;:&quot;auth&quot;,&quot;target_content_id&quot;:&quot;sign_out&quot;}">Log Out</a>
</form>

POST https://www.buzzfeed.com/auth/signout

<form action="https://www.buzzfeed.com/auth/signout" method="post">
  <input type="hidden" name="_xsrf" value="">
  <a href="javascript:;" class="xs-block link-gray" data-type="signout">Log Out</a>
</form>

Text Content

LEAKED AUDIO FROM 80 INTERNAL TIKTOK MEETINGS SHOWS THAT US USER DATA HAS BEEN
REPEATEDLY ACCESSED FROM CHINA

   
“I feel like with these tools, there’s some backdoor to access user data in
almost all of them,” said an external auditor hired to help TikTok close off
Chinese access to sensitive information, like Americans’ birthdays and phone
numbers.

By Emily Baker-White

Emily Baker-White BuzzFeed News Reporter

Posted on June 17, 2022, at 12:31 p.m. ET

   
Erik Carter for BuzzFeed News

For years, TikTok has responded to data privacy concerns by promising that
information gathered about users in the United States is stored in the United
States, rather than China, where ByteDance, the video platform's parent company,
is located. But according to leaked audio from more than 80 internal TikTok
meetings, China-based employees of ByteDance have repeatedly accessed nonpublic
data about US TikTok users — exactly the type of behavior that inspired former
president Donald Trump to threaten to ban the app in the United States.

The recordings, which were reviewed by BuzzFeed News, contain 14 statements from
nine different TikTok employees indicating that engineers in China had access to
US data between September 2021 and January 2022, at the very least. Despite a
TikTok executive’s sworn testimony in an October 2021 Senate hearing that a
“world-renowned, US-based security team” decides who gets access to this data,
nine statements by eight different employees describe situations where US
employees had to turn to their colleagues in China to determine how US user data
was flowing. US staff did not have permission or knowledge of how to access the
data on their own, according to the tapes.


“Everything is seen in China,” said a member of TikTok’s Trust and Safety
department in a September 2021 meeting. In another September meeting, a director
referred to one Beijing-based engineer as a “Master Admin” who “has access to
everything.” (While many employees introduced themselves by name and title in
the recordings, BuzzFeed News is not naming anyone to protect their privacy.)

The recordings range from small-group meetings with company leaders and
consultants to policy all-hands presentations and are corroborated by
screenshots and other documents, providing a vast amount of evidence to
corroborate prior reports of China-based employees accessing US user data. Their
contents show that data was accessed far more frequently and recently than
previously reported, painting a rich picture of the challenges the world’s most
popular social media app has faced in attempting to disentangle its US
operations from those of its parent company in Beijing. Ultimately, the tapes
suggest that the company may have misled lawmakers, its users, and the public by
downplaying that data stored in the US could still be accessed by employees in
China.

In response to an exhaustive list of examples and questions about data access,
TikTok spokesperson Maureen Shanahan responded with a short statement: "We know
we're among the most scrutinized platforms from a security standpoint, and we
aim to remove any doubt about the security of US user data. That's why we hire
experts in their fields, continually work to validate our security standards,
and bring in reputable, independent third parties to test our defenses."
ByteDance did not provide additional comment.

> "Everything is seen in China."

In 2019, the Committee on Foreign Investment in the United States began
investigating the national security implications of TikTok’s collection of
American data. And in 2020, then-president Donald Trump threatened to ban the
app entirely over concerns that the Chinese government could use ByteDance to
amass dossiers of personal information about US TikTok users. TikTok’s “data
collection threatens to allow the Chinese Communist Party access to Americans’
personal and proprietary information,” Trump wrote in his executive order.
TikTok has said it has never shared user data with the Chinese government and
would not do so if asked.

Most of the recorded meetings focus on TikTok’s response to these concerns. The
company is currently attempting to redirect its pipes so that certain,
“protected” data can no longer flow out of the United States and into China, an
effort known internally as Project Texas. In the recordings, the vast majority
of situations where China-based staff accessed US user data were in service of
Project Texas's aim to halt this data access.

Project Texas is key to a contract that TikTok is currently negotiating with
cloud services provider Oracle and CFIUS. Under the CFIUS agreement, TikTok
would hold US users’ protected private information, like phone numbers and
birthdays, exclusively at a data center managed by Oracle in Texas (hence the
project name). This data would only be accessible by specific US-based TikTok
employees. What data counts as “protected” is still being negotiated, but the
recordings indicate that all public data, including users’ public profiles and
everything they post, will not be included. (Disclosure: In a previous life, I
held policy positions at Facebook and Spotify.) Oracle did not respond to a
request for comment. CFIUS declined to comment.

Shortly before publication of this story, TikTok published a blog post
announcing that it has changed the “default storage location of US user data”
and that today, “100% of US user traffic is being routed to Oracle Cloud
Infrastructure. We still use our US and Singapore data centers for backup, but
as we continue our work we expect to delete US users' private data from our own
data centers and fully pivot to Oracle cloud servers located in the US.”

Lawmakers’ fear that the Chinese government will be able to get its hands on
American data through ByteDance is rooted in the reality that Chinese companies
are subject to the whims of the authoritarian Chinese Communist Party, which has
been cracking down on its homegrown tech giants over the last year. The risk is
that the government could force ByteDance to collect and turn over information
as a form of “data espionage.”

There is, however, another concern: that the soft power of the Chinese
government could impact how ByteDance executives direct their American
counterparts to adjust the levers of TikTok’s powerful “For You” algorithm,
which recommends videos to its more than 1 billion users. Sen. Ted Cruz, for
instance, has called TikTok “a Trojan horse the Chinese Communist Party can use
to influence what Americans see, hear, and ultimately think.”

Project Texas’s narrow focus on the security of a specific slice of US user
data, much of which the Chinese government could simply buy from data brokers if
it so chose, does not address fears that China, through ByteDance, could use
TikTok to influence Americans’ commercial, cultural, or political behavior.

Greg Baker / AFP via Getty Images


The headquarters of ByteDance, the parent company of video-sharing app TikTok,
in Beijing.


TikTok has said in blog posts and public statements that it physically stores
all data about its US users in the US, with backups in Singapore. This does
mitigate some risks — the company says this data is not subject to Chinese law —
but it does not address the fact that China-based employees can access the data,
experts say.

“Physical location does not matter if the data can still be accessed from
China,” Adam Segal, director of the Digital and Cyberspace Policy Program at the
Council on Foreign Relations, told BuzzFeed News in an email. He said the
“concern would be that data would still end up in the hands of Chinese
intelligence if people in China were still accessing.”

TikTok itself acknowledged its access issue in a 2020 blog post. “Our goal is to
minimize data access across regions so that, for example, employees in the APAC
region, including China, would have very minimal access to user data from the EU
and US,” TikTok’s Chief Information Security Officer Roland Cloutier wrote.

Project Texas, once completed, is supposed to close this loophole for a limited
amount of data. But many of the audio recordings reveal the challenges employees
have faced in finding and closing the channels allowing data to flow from the US
to China.


> "Physical location does not matter if the data can still be accessed from
> China."

Fourteen of the leaked recordings include conversations with or about a team of
consultants from Booz Allen Hamilton. One of the consultants told TikTok
employees that they were brought on in February 2021 to help manage the Project
Texas data migration, and a TikTok director told other TikTok employees that the
consultants reported to TikTok's chief of US data defense. In recordings, the
consultants investigate how data flows through TikTok and ByteDance’s internal
tools, including those used for data visualization, content moderation, and
monetization.

In September 2021, one consultant said to colleagues, “I feel like with these
tools, there’s some backdoor to access user data in almost all of them, which is
exhausting.”

When asked for comment, Booz Allen Hamilton spokesperson Jessica Klenk said
something about the above information was incorrect, but refused to specify what
it was. “[A]t this point I’m not in a position to further discuss or even
confirm/deny our relationship with any client. But I can tell you that what
you’re asserting here is inaccurate.”

Additionally, four of the recordings contain conversations in which employees
responsible for certain internal tools could not figure out what parts of those
tools did. In a November 2021 meeting, a data scientist explained that for many
tools, “nobody has really documented, uh, like, a how-to. And there are items
within the tools that nobody knows what they’re for.”

The complexity of the company’s internal systems and how they enable data to
flow between the US and China underscores the challenges facing the United
States Technical Services team, a new dedicated engineering team TikTok has
begun hiring as part of Project Texas.

> "Chinese nationals are not actually allowed to join."

To demonstrate the USTS team’s independence from Chinese-owned ByteDance, one
team member told a colleague in January that “not everyone can join” the team.
“Chinese nationals are not actually allowed to join,” he said. (A former
employee who spoke to BuzzFeed News on condition of anonymity for fear of
retribution corroborated this account.) When asked for comment on this practice,
TikTok did not respond.

But while the mandate of this team is to control and manage access to sensitive
US data, the USTS team reports to ByteDance leadership in China, as BuzzFeed
News reported in March. In a recorded January 2022 meeting, a data scientist
told a colleague: “I get my instructions from the main office in Beijing.”

Aaronp / GC Images


TikTok headquarters in Culver City, California.


TikTok’s goal for Project Texas is that any data stored on the Oracle server
will be secure and not accessible from China or elsewhere globally. However,
according to seven recordings between September 2021 and January 2022, the
lawyer leading TikTok’s negotiations with CFIUS and others clarify that this
only includes data that is not publicly available on the app, like content that
is in draft form, set to private, or information like users’ phone numbers and
birthdays that is collected but not visible on their profiles. A Booz Allen
Hamilton consultant told colleagues in September 2021 that what exactly will
count as “protected data” that will be stored in the Oracle server was “still
being ironed out from a legal perspective.”

In a recorded January 2022 meeting, the company’s head of product and user
operations announced with a laugh that unique IDs (UIDs) will not be considered
protected information under the CFIUS agreement: “The conversation continues to
evolve,” they said. “We recently found out that UIDs are things we can have
access to, which changes the game a bit.”

What the product and user operations head meant by “UID” in this circumstance is
not clear — it could refer to an identifier for a specific TikTok account, or
for a device. Device UIDs are typically used by ad tech companies like Google
and Facebook to link your behavior across apps, making them nearly as important
an identifier as your name.

As TikTok continues to negotiate over what data will be considered protected,
the recordings make clear that a lot of US user data — including public videos,
bios, and comments — will not be exclusively stored in the Oracle server.
Instead, this data will be stored in the company’s Virginia data center, which
may remain accessible from ByteDance’s Beijing offices even once Project Texas
is complete. That means ByteDance’s China-based employees could continue to have
access to insights about what American TikTok users are interested in, from cat
videos to political beliefs.


It also appears that Oracle is giving TikTok considerable flexibility in how its
data center will be run. In a recorded conversation from late January, TikTok’s
head of global cyber and data defense made clear that while Oracle would be
providing the physical data storage space for Project Texas, TikTok would
control the software layer: “It’s almost incorrect to call it Oracle Cloud,
because they’re just giving us bare metal, and then we're building our VMs
[virtual machines] on top of it.” Oracle did not respond to a request for
comment.

Meanwhile, TikTok’s national security lawyer hopes the negotiation will have
ripple effects in the tech industry and beyond. “There is going to be national
security law that comes down from the Commerce Department,” they said,
referencing the Biden administration’s development of regulations to govern apps
that could be exploited “by foreign adversaries to steal or otherwise obtain
data.”

> "The question is whether the company will go far enough."

“The law will be promulgated and codified in probably the next 18 months, I
would say — and that’s how every Chinese company is going to be able to operate
in the US,” the lawyer said.

TikTok’s efforts with Project Texas may ultimately pay off for the company.
According to Graham Webster, a research scholar at Stanford’s Cyber Policy
Center, if TikTok commits to being “transparent and high-integrity, and
China-based employees won’t be able to access user data,” then “from a data
security perspective, it should be possible to convince good-faith skeptics they
have done enough.

“The question is whether the company will go far enough and whether skeptical
authorities are truly open to being convinced,” he told BuzzFeed News.

The details of the arrangement between CFIUS, TikTok, and Oracle were still
under discussion as of January 2022, when the recordings end. But even though
Project Texas’s goal is to cordon off access to the most sensitive details about
Americans that exist on TikTok’s servers, one policy employee had doubts that
will actually prevent ByteDance’s employees in China from accessing this data.

“It remains to be seen if at some point product and engineering can still figure
out how to get access, because in the end of the day, it’s their tools,” they
said in a September 2021 meeting. “They built them all in China.” ●

   
 * Contact Emily Baker-White at emily.bakerwhite@buzzfeed.com.
   