Leaks from within ByteDance, the Chinese company that owns the popular TikTok short-video sharing app, show Chinese company employees repeatedly accessed U.S. user data despite assurances that such data would only be accessible in the U.S. It’s not clear whether the Chinese government has used the data for its spying efforts.
On Friday, Buzzfeed published leaked audio recordings from more than 80 internal ByteDance meetings, which contain 14 different instances in which nine different China-based TikTok employees described being able to access the data of U.S. users. This comes despite the company’s public claims that U.S. data is only stored in the U.S. and Singapore, and not in China where it may legally be accessed by the Chinese government.
In one September 2021 meeting, a member of TikTok’s Trust and Safety department said, “Everything is seen in China.” In another meeting that month, a company director referred to one of its Beijing-based engineers as a “Master Admin” who “has access to everything.”
According to Buzzfeed, the recordings indicate Chinese TikTok employees have been able to access U.S. data far more frequently and more recently than previously known to the general public. According to Buzzfeed, the recordings may even indicate the company has misled lawmakers about employees’ ability to access user data.
Buzzfeed reported most of the internal recordings related to how the TikTok would address concerns about being able to access U.S. data in China and how the Chinese side of the company would wall off its access to such U.S. data going forward, through an effort known as “Project Texas.”
Project Texas is an ongoing effort by TikTok to move certain protected U.S. data over to cloud storage managed by the U.S. company Oracle at a data center in Texas, and delete U.S. data from its own data centers in the U.S. and Singapore. Project Texas is part of a larger agreement with the Committee on Foreign Investment in the U.S. (CFIUS) to allow the company to continue its operations in the U.S.
U.S. officials have raised concerns about the app in recent years. In 2019, the Pentagon advised military service members and civilian employees to be careful about using the app, and U.S. military branches went a step further by banning the app in some instances. In 2020, President Donald Trump sought to ban the app in the U.S. or force ByteDance to hand over its U.S.-based operations to a U.S. firm. Last year, President Joe Biden signed an executive order, ending the Trump-era effort to ban the app in the U.S.
In a statement released by TikTok just before Buzzfeed published its article, the company said it has already “changed the default storage location of U.S. user data.”
“Today, 100% of U.S. user traffic is being routed to Oracle Cloud Infrastructure,” TikTok added. “We still use our U.S. and Singapore data centers for backup, but as we continue our work we expect to delete U.S. users’ private data from our own data centers and fully pivot to Oracle cloud servers located in the U.S. In addition, we’re working closely with Oracle to develop data management protocols that Oracle will audit and manage to give users even more peace of mind. We’re also making operational changes in line with this work – including the new department we recently established, with U.S.-based leadership, to solely manage U.S. user data for TikTok.”
