Earlier this year, TikTok denied that it had ever been used to target journalists. But now it has fired employees for tracking the whereabouts of US reporters covering the company.
An internal investigation at TikTok parent company ByteDance found that several employees accessed the TikTok data of several US journalists and a “small number” of other people connected to them, according to internal emails obtained by The New York Times that were confirmed independently by The Verge. The accessed data includes the reporters’ IP addresses, which were used to see if they had been physically near TikTok employees who were leaking information to the press.
In an email to employees, ByteDance CEO Rubo Liang described the incident as “misconduct of a few individuals,” and TikTok General Counsel Erich Andersen described it as a “misguided plan [that] was developed and carried out by a few individuals” in an email you can read in full below. However, according to a report from Forbes, the investigation “involved the company’s Chief Security and Privacy Office, was known to TikTok’s Head of Global Legal Compliance, and was approved by ByteDance employees in China.”
These reports are the latest in a series of investigations that have turned up evidence of ByteDance employees in China having access to the TikTok data of Americans. The revelation comes as lawmakers make moves to restrict the app in the US. It also shows ByteDance walking back denials that it has made in the past, at least internally.
The Beijing-based company’s investigation, which was conducted by an outside law firm, revealed that two journalists who had their data accessed by ByteDance’s Internal Audit team worked for BuzzFeed and The Financial Times, according to The New York Times. Forbes, however, says three of its journalists were tracked — Emily Baker-White, Katharine Schwab, and Richard Nieva, all of whom worked for BuzzFeed until earlier this summer. The Financial Times says its reporter, Cristina Criddle, was tracked. That would bring the total up to four, instead of the two reported by the NYT and one of the internal ByteDance emails.
The New York Times writes that at least two of the employees involved were based in China, while two were working from the US. This information tracks with an October report from Forbes, which alleged that ByteDance had planned on using TikTok to track the location data of specific US citizens.
When Forbes’ report came out earlier this year, TikTok strongly denied it, saying that it lacked “rigor and journalistic integrity” and that the app does not collect precise GPS data. (At the time, the reporter behind the story pointed out that the company admitted to collecting approximate locations using IP addresses.) A tweet from the company’s corporate communications account said that “TikTok has never been used to ‘target’ any members of the U.S. government, activists, public figures or journalists” and noted that any employees using the audit system in the way Forbes described would be fired.
That’s now happened to three employees from the audit team, according to the Times, with Forbes reporting that one of those people was Chris Lepitak, who was head of the team. His boss, Song Ye, who Forbes says was an executive in China who reported directly to ByteDance’s CEO, has reportedly resigned.
The Times’ report says that the employees accessed the information “over the summer.” The big question that remains (and that we’ve asked TikTok about but didn’t receive an immediate response to) is whether it happened before or after the company started routing US users’ data through Oracle.
That switch was supposedly flipped in June and was intended to protect Americans’ data from ByteDance employees in China. Around that time, BuzzFeed News released a report that said TikTok engineers overseas had “access to everything” and repeatedly accessed US users’ information. According to Forbes, it was that report that spurred on ByteDance’s internal investigation. The BuzzFeed report was released only two days before the Oracle partnership went into effect. If the journalists’ data was obtained after that, it would raise serious questions about how effective the program is.
TikTok and ByteDance are already under a microscope when it comes to user data and privacy. Over a dozen states in the US have banned TikTok on government phones, and senators like Marco Rubio are working on legislation that would ban it outright in the US. Lawmakers involved with the bill say they’re concerned that the app gives the Chinese Communist Party the ability to monitor and influence Americans.
It’s not the first attempt to get rid of the app; former President Donald Trump attempted to ban it during his tenure, even declaring it a national emergency. He also demanded that ByteDance sell its American division off to a company based in the US, though that deal — like the ban itself — never came to fruition.
Here’s the full internal email from TikTok general counsel Erich Andersen:
All,
Several weeks ago, there was a news report alleging that employees of the company’s Internal Audit team may have attempted to inappropriately access users’ location data. Even though many of the claims in the article were speculative, our Global Legal Compliance team began an immediate investigation into the facts alleged in the story, and engaged a highly reputable law firm to assist with the investigation.
We have since learned that a misguided plan was developed and carried out by a few individuals within the Internal Audit department this past summer in the context of investigating significant leaks of confidential company information by employees to media – including purported leaked documents, screenshots, and audio recordings of internal meetings.
It is standard practice for companies to have an internal audit group that is authorized to investigate code of conduct violations. However, as part of the initiative to investigate the leaks related to this case, the individuals involved misused their authority to obtain access to TikTok user data. These individuals were aiming to identify potential connections between two journalists, who reported on the contents of leaked documents and recordings – a former BuzzFeed reporter and a Financial Times reporter – and company employees. In turn, they hoped information about these connections would help identify the employees responsible for the leaks. For example, the individuals looked at the IP addresses of the journalists to try to determine if they were in the same location as the employees suspected of leaking confidential information, notwithstanding the fact that IP addresses would only yield approximate location information. Not surprisingly, their ill-considered efforts did not result in identifying the sources of the leaks. Nonetheless, their access to user data in connection with these efforts was a significant violation of the company’s Code of Conduct, and so we are pursuing the following steps immediately:
None of the individuals found to have directly participated in or overseen the misguided plan remain employed at ByteDance. We are continuing the investigation led by the Legal team.
We are restructuring the Internal Audit and Risk Control (IARC) department:
Julie Gao, CFO, will take over the IARC department and begin an immediate search for the new leader, who will report to her.
The Global Investigations function that had been part of IARC will be split out and restructured. Going forward, the Global Legal Compliance team will have oversight of all investigations formerly within the scope of IARC.
We will be redesigning the investigations process to include an oversight council which, among other responsibilities, will oversee the development and refinement of policies and procedures governing the company’s investigative functions and monitor the functions’ compliance with applicable laws and company policies.
We have removed all user data access and permissions for the IARC department.
Going forward, where it is necessary and appropriate for IARC to be granted access to properly scoped user data (for example, to investigate fraud involving employees of the company), that access will be subject to, and only granted in accordance with, the Company’s policy and protocols. This step will be coupled with training of the IARC team regarding the new policy and protocols.
In addition, we will continue to assess and enhance our access controls. In this case in fact, access to certain US user information in the context of the misguided investigation was already limited by prior transfer of control to the US Data Security team, and those controls have been significantly improved and hardened since this initiative took place.
I also want to emphasize that we have an open and candid culture within ByteDance. It’s a core part of our ByteStyles. If you are faced with an ethical dilemma or a reportable challenge, notify your manager, HR, or the Speak Up hotline to do so anonymously. There are many avenues for you to share your concerns.
I hope we can all learn from this situation and move forward with a clear understanding and appreciation of our responsibilities – as employees and leaders – to build and operate an ethical business.
Erich
Update December 22nd, 3:55PM ET: Added independent confirmation of emails to ByteDance employees and details from Forbes and The Financial Times, including the reported names of some of the executives involved and the reporters who were tracked.
Update December 22nd, 4:09PM ET: Added full email to employees from TikTok general counsel Erich Andersen.