15 July 2022

BuzzFeed: “US TikTok User Data Has Been Repeatedly Accessed from China, Leaked Audio Shows”

The recordings, which were reviewed by BuzzFeed News, contain 14 statements from nine different TikTok employees indicating that engineers in China had access to US data between September 2021 and January 2022, at the very least. Despite a TikTok executive’s sworn testimony in an October 2021 Senate hearing that a world-renowned, US-based security team decides who gets access to this data, nine statements by eight different employees describe situations where US employees had to turn to their colleagues in China to determine how US user data was flowing. US staff did not have permission or knowledge of how to access the data on their own, according to the tapes.


TikTok’s goal for Project Texas is that any data stored on the Oracle server will be secure and not accessible from China or elsewhere globally. However, according to seven recordings between September 2021 and January 2022, the lawyer leading TikTok’s negotiations with CFIUS and others clarify that this only includes data that is not publicly available on the app, like content that is in draft form, set to private, or information like users’ phone numbers and birthdays that is collected but not visible on their profiles. A Booz Allen Hamilton consultant told colleagues in September 2021 that what exactly will count as “protected data” that will be stored in the Oracle server was still being ironed out from a legal perspective.

In a recorded January 2022 meeting, the company’s head of product and user operations announced with a laugh that unique IDs (UIDs) will not be considered protected information under the CFIUS agreement: “The conversation continues to evolve,” they said. “We recently found out that UIDs are things we can have access to, which changes the game a bit.”

Emily Baker-White

Shocker! Regardless of the outcome, this whole controversy around TikTok does a good job of highlighting the various failings and hypocrisy of the US government: they fail to pass federal-level privacy laws, so they have to judge each case individually; they failed to act in 2020, when Trump was trumpeting the issue, so as not to give him any credit, but also left the matter unresolved during the Biden administration; they feign outrage that China might access US user data, while at the same time pressuring others – mainly the EU – for US access to their citizens’ data.

TikTok employees who work with sensitive US user data continue to report to ByteDance executives in Beijing, despite TikTok’s recent claims to the Senate Intelligence Committee. Illustration by Stephanie Jones for Forbes, Photos by Vicente Méndez/Getty Images, Issarawat Tattong/Getty Images

This investigative report appears to have kicked off another round of scrutiny of TikTok: Brendan Carr, an FCC commissioner, sent a letter to Apple and Alphabet asking them to remove TikTok from their app stores over China-related data security concerns, and the Senate Intelligence Committee asked the FTC to investigate TikTok in light of this article. Whether this will result in any significant measures against the company remains to be seen…

In Europe, TikTok also tried to slip a major privacy change past regulators, claiming they don’t need user consent to run “personalized” ads, but instead they would process user data on “legitimate interest” grounds – for now this policy change is paused, as it almost certainly breaches the ePrivacy Directive and GDPR.
