The project, assigned to a Beijing-based team, would involve accessing location data from certain U.S. users’ devices without their consent or knowledge.
A China-based team at TikTok’s parent firm, ByteDance, planned to use the TikTok app to track the location of particular American citizens, according to documents examined by Forbes.
The team behind the monitoring project, which is part of the company’s Internal Audit and Risk Control department, is headed by Beijing-based CEO Song Ye, who reports to ByteDance co-founder and CEO Rubo Liang.
The team is primarily involved in investigating potential misconduct by current and former ByteDance employees. However, in two instances, the Internal Audit team also planned to gather TikTok data on the location of a U.S. citizen who had not had a formal employment contract with the business, the documents show. The documents do not make clear whether information about these Americans was actually collected; however, the intention was for the China-based ByteDance team to collect location information from U.S. users’ devices.
TikTok spokesperson Maureen Shanahan said that TikTok gathers approximate location data from users’ IP addresses to “among many other purposes, provide relevant content and advertisements to users, ensure compliance with relevant laws, and help identify and prevent fraudulent and fraudulent behaviour.”
However, the information examined by Forbes suggests the ByteDance Internal Audit team was planning to use this location data to surveil individual American citizens, not for ads or any of these other purposes. Forbes is not divulging the purpose and nature of the surveillance plans mentioned in the documents, in order to safeguard sources. TikTok and ByteDance have not responded to questions regarding whether Internal Audit has specifically targeted anyone from the U.S. government, activists, journalists, public figures or other individuals.
TikTok is reported to be close to concluding an agreement with the Treasury Department’s Committee on Foreign Investment in the United States (CFIUS), which assesses the national security threats associated with companies with foreign ownership. CFIUS has also investigated how the firm’s Chinese ownership could allow the Chinese government to gain access to the private information of U.S. TikTok users. (Disclosure: in the past, I was a policy advisor at Facebook and Spotify.)
In September, President Biden signed an executive order outlining the specific risks CFIUS should take into account when evaluating foreign-owned companies. The order, which says that it plans to “emphasize . . . the dangers posed to foreign adversaries’ gain access of data from United States persons,” is focused on companies from outside the United States using the data “for surveillance, tracing and monitoring, and targeting of individual or groups of people, which could have negative consequences for the security of our nation.”
The Treasury Department did not respond to a request for comment.
The Internal Audit and Risk Control team conducts regular reviews and audits of TikTok and ByteDance employees, looking for infractions such as conflicts of interest, misuse of company resources and leaks of sensitive information. The internal documents reviewed by Forbes reveal that top executives such as TikTok Chief Executive Officer Shou Zhi Chew have instructed the team to investigate specific employees. They also show that the team has investigated employees after they left the company.
The internal audit department uses a data request system known to workers as the “green channel,” according to documents and records from Lark, ByteDance’s in-house system for office administration. The documents and records reveal that “green channel” requests for data about U.S. employees have pulled information directly from mainland China.
TikTok and ByteDance haven’t responded to inquiries regarding the possibility that Internal Audit has specifically targeted any member of the U.S. government, activists, journalists, or public figures.
“Like many companies of our size, we also are a part of an internal audit crew that is responsible for auditing objectively and evaluating the business and the employees’ compliance to our codes of conduct,” said ByteDance spokesperson Jennifer Banks in a statement. “This team offers its suggestions to the executive team.”
ByteDance is one of many tech companies to have considered using an app to monitor particular U.S. customers. In 2017, The New York Times reported that Uber had identified local regulators and politicians and offered them a different, fake version of its Uber app to get around regulatory fines. In the past, Uber admitted that it operated the program, named “grey ball,” but said it was employed to deny rides to “opponents who collaborate with officials on secret stings designed to deceive drivers,” in addition to other organizations.
TikTok has yet to respond to questions regarding whether it has provided different content or experiences for regulators, government officials, journalists, or activists as opposed to the general public on the TikTok application.
Both Uber and Facebook have also been reported to have tracked the locations of journalists who were reporting on their applications. An investigation in 2015 by the Electronic Privacy Information Center found that Uber was monitoring the locations of journalists who were covering the company. Uber did not respond to the claim. In 2021, the publication An Unfortunate Truth asserted that Facebook had done the same to trace journalists’ sources. Facebook did not directly respond to the claims contained in the publication. However, an official told the San Jose Mercury News in 2018 that, just like other businesses, Facebook “routinely use[s] documents from business investigations in a workplace investigation.”
But a significant difference separates ByteDance’s plans to collect users’ private information from other similar instances: TikTok recently told lawmakers that access to specific U.S. user data, likely including location information, will be “limited to authorized employees, according to protocols being developed by the U.S. Government.” TikTok and ByteDance didn’t respond to questions about whether Internal Audit executive Song Ye or other employees from the department count as “authorized personnel” under these protocols.
The promises are part of Project Texas, TikTok’s massive attempt to revamp its internal systems to ensure that employees from China will not have access to the vast amount of “protected” personal information regarding U.S. TikTok users, such as their names, birthdays, phone numbers and draft videos. This is a vital part of the company’s national security negotiations with CFIUS.
In a Senate session in September, TikTok CEO Vanessa Pappas stated that the upcoming CFIUS contract would “satisfy all security concerns of the nation” regarding the application. Still, some senators appeared skeptical. In July, senators from the Senate Intelligence Committee began an investigation to determine if TikTok was misleading lawmakers by omitting information on China-based employees having access to U.S. data earlier this year. This was in response to a June news report from BuzzFeed News showing that U.S. user data was repeatedly accessed by ByteDance personnel in China.
In a statement on the data access control system at TikTok, TikTok spokesperson Shanahan said that the company utilizes encryption tools as well as “security control” to protect data. Access approval is monitored by U.S. employees, and employees have access to U.S. information “based on need.”
It’s not clear what role the ByteDance Internal Audit team will play in TikTok’s efforts to limit the access of employees from China to U.S. user data, particularly given the team’s plans to monitor certain American citizens’ location using the TikTok application. However, a fraud risk assessment completed by a member of the team in the final quarter of 2021 raised issues with data storage, stating that according to employees who are responsible for the data stored by the business, “it is impossible to stop data that shouldn’t keep inside CN from being stored on the servers of CN regardless of when ByteDance establishes a primary storage server at Singapore. Data from the Lark database is kept in China. [Lark data is saved in China]” (brackets in the original).
Furthermore, a leaked audio recording from January 2022 indicates that the Beijing team was gathering more information about Project Texas at the time. In the conversation, one of TikTok’s U.S. Trust & Safety team members recalled an unorthodox discussion with his manager. The employee was asked to meet with Chris Lepitak, TikTok’s Chief Internal Auditor, at an eatery in the LA area during off hours. Lepitak, under the supervision of the Beijing-based Song Ye, then asked the employee specific questions regarding the location of the Oracle server, which is integral to the company’s plans to restrict access to private U.S. user data. The employee told his supervisor he was “freaked by the revelations” over the incident. TikTok and ByteDance did not reply to questions regarding this exchange.
Oracle spokesperson Ken Glueck said that while TikTok uses Oracle’s cloud-based service, “we do not know one way or other” about who can access TikTok users’ information. “Today, TikTok is running within the Oracle cloud and, as Bank of America, General Motors, and millions of other customers, they’re in complete control over everything they do,” he said.
This is in line with a January statement by TikTok’s head of Data Defense in another leaked audio recording. On the call, the executive explained to an employee: “It’s almost incorrect to refer to it as Oracle Cloud because they’re only giving us bare-metal, which we then build our VMs [virtual machine] on top of that.”
Glueck clarified that this would change if and when TikTok concludes its contract with the federal government. “But as long as this is the case,” he said, Oracle will not provide any other services “other than security from our side” to TikTok.
TikTok did not respond to questions from Forbes regarding the state of its negotiations with CFIUS. However, in a statement to Bloomberg released early in the morning, TikTok spokeswoman Brooke Oberwetter stated: “We are confident that we are on track to satisfy any legitimate U.S. national security concerns.”