For years, TikTok has responded to data privacy concerns by promising that information gathered about users in the United States is stored in the United States, rather than China, where ByteDance, the video platform’s parent company, is located. But according to leaked audio from more than 80 internal TikTok meetings, China-based employees of ByteDance have repeatedly accessed nonpublic data about US TikTok users — exactly the type of behavior that inspired former president Donald Trump to threaten to ban the app in the United States.
The recordings, which were reviewed by BuzzFeed News, contain 14 statements from nine different TikTok employees indicating that engineers in China had access to US data between September 2021 and January 2022, at the very least. Despite a TikTok executive’s sworn testimony in an October 2021 Senate hearing that a “world-renowned, US-based security team” decides who gets access to this data, nine statements by eight different employees describe situations where US employees had to turn to their colleagues in China to determine how US user data was flowing. US staff did not have permission or knowledge of how to access the data on their own, according to the tapes.
“Everything is seen in China,” said a member of TikTok’s Trust and Safety department in a September 2021 meeting. In another September meeting, a director referred to one Beijing-based engineer as a “Master Admin” who “has access to everything.” (While many employees introduced themselves by name and title in the recordings, BuzzFeed News is not naming anyone to protect their privacy.)
The recordings range from small-group meetings with company leaders and consultants to policy all-hands presentations and are corroborated by screenshots and other documents, providing a vast amount of evidence to corroborate prior reports of China-based employees accessing US user data. Their contents show that data was accessed far more frequently and recently than previously reported, painting a rich picture of the challenges the world’s most popular social media app has faced in attempting to disentangle its US operations from those of its parent company in Beijing. Ultimately, the tapes suggest that the company may have misled lawmakers, its users, and the public by downplaying that data stored in the US could still be accessed by employees in China.
In response to an exhaustive list of examples and questions about data access, TikTok spokesperson Maureen Shanahan responded with a short statement: “We know we’re among the most scrutinized platforms from a security standpoint, and we aim to remove any doubt about the security of US user data. That’s why we hire experts in their fields, continually work to validate our security standards, and bring in reputable, independent third parties to test our defenses.” ByteDance did not provide additional comment.
“Everything is seen in China.”
In 2019, the Committee on Foreign Investment in the United States began investigating the national security implications of TikTok’s collection of American data. And in 2020, then-president Donald Trump threatened to ban the app entirely over concerns that the Chinese government could use ByteDance to amass dossiers of personal information about US TikTok users. TikTok’s “data collection threatens to allow the Chinese Communist Party access to Americans’ personal and proprietary information,” Trump wrote in his executive order. TikTok has said it has never shared user data with the Chinese government and would not do so if asked.
Most of the recorded meetings focus on TikTok’s response to these concerns. The company is currently attempting to redirect its pipes so that certain, “protected” data can no longer flow out of the United States and into China, an effort known internally as Project Texas. The vast majority of situations in the recorded meetings where China-based staff were accessing US user data was in service of halting this data access.
Project Texas is key to a contract that TikTok is currently negotiating with cloud services provider Oracle and CFIUS. Under the CFIUS agreement, TikTok would hold US users’ protected private information, like phone numbers and birthdays, exclusively at a data center managed by Oracle in Texas (hence the project name). This data would only be accessible by specific US-based TikTok employees. What data counts as “protected” is still being negotiated, but the recordings indicate that all public data, including users’ public profiles and everything they post, will not be included. (Disclosure: In a previous life, I held policy positions at Facebook and Spotify.) Oracle did not respond to a request for comment. CFIUS declined to comment.
Shortly before publication of this story, TikTok published a blog post announcing that it has changed the “default storage location of US user data” and that today, “100% of US user traffic is being routed to Oracle Cloud Infrastructure. We still use our US and Singapore data centers for backup, but as we continue our work we expect to delete US users’ private data from our own data centers and fully pivot to Oracle cloud servers located in the US.”
Lawmakers’ fear that the Chinese government will be able to get its hands on American data through ByteDance is rooted in the reality that Chinese companies are subject to the whims of the authoritarian Chinese Communist Party, which has been cracking down on its homegrown tech giants over the last year. The risk is that the government could force ByteDance to collect and turn over information as a form of “data espionage.”
There is, however, another concern: that the soft power of the Chinese government could impact how ByteDance executives direct their American counterparts to adjust the levers of TikTok’s powerful “For You” algorithm, which recommends videos to its more than 1 billion users. Sen. Ted Cruz, for instance, has called TikTok “a Trojan horse the Chinese Communist Party can use to influence what Americans see, hear, and ultimately think.”
Project Texas’s narrow focus on the security of a specific slice of US user data, much of which the Chinese government could simply buy from data brokers if it so chose, does not address fears that China, through ByteDance, could use TikTok to influence Americans’ commercial, cultural, or political behavior.
TikTok has said in blog posts and public statements that it physically stores all data about its US users in the US, with backups in Singapore. This does mitigate some risks — the company says this data is not subject to Chinese law — but it does not address the fact that China-based employees can access the data, experts say.
“Physical location does not matter if the data can still be accessed from China,” Adam Segal, director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations, told BuzzFeed News in an email. He said the “concern would be that data would still end up in the hands of Chinese intelligence if people in China were still accessing.”
TikTok itself acknowledged its access issue in a 2020 blog post. “Our goal is to minimize data access across regions so that, for example, employees in the APAC region, including China, would have very minimal access to user data from the EU and US,” TikTok’s Chief Information Security Officer Roland Cloutier wrote.
Project Texas, once completed, is supposed to close this loophole for a limited amount of data. But many of the audio recordings reveal the challenges employees have faced in finding and closing the channels allowing data to flow from the US to China.
“Physical location does not matter if the data can still be accessed from China.”
Fourteen of the leaked recordings include conversations with or about a team of consultants from Booz Allen Hamilton. One of the consultants told TikTok employees that they were brought on in February 2021 to help manage the Project Texas data migration, and a TikTok director told other TikTok employees that the consultants reported to TikTok’s chief of US data defense. In recordings, the consultants investigate how data flows through TikTok and ByteDance’s internal tools, including those used for data visualization, content moderation, and monetization.
In September 2021, one consultant said to colleagues, “I feel like with these tools, there’s some backdoor to access user data in almost all of them, which is exhausting.”
When asked for comment, Booz Allen Hamilton spokesperson Jessica Klenk said something about the above information was incorrect, but refused to specify what it was. “[A]t this point I’m not in a position to further discuss or even confirm/deny our relationship with any client. But I can tell you that what you’re asserting here is inaccurate.”
Additionally, four of the recordings contain conversations in which employees responsible for certain internal tools could not figure out what parts of those tools did. In a November 2021 meeting, a data scientist explained that for many tools, “nobody has really documented, uh, like, a how-to. And there are items within the tools that nobody knows what they’re for.”
The complexity of the company’s internal systems and how they enable data to flow between the US and China underscores the challenges facing the United States Technical Services team, a new dedicated engineering team TikTok has begun hiring as part of Project Texas.
“Chinese nationals are not actually allowed to join.”
To demonstrate the USTS team’s independence from Chinese-owned ByteDance, one team member told a colleague in January that “not everyone can join” the team. “Chinese nationals are not actually allowed to join,” he said. (A former employee who spoke to BuzzFeed News on condition of anonymity for fear of retribution corroborated this account.) When asked for comment on this practice, TikTok did not respond.
But while the mandate of this team is to control and manage access to sensitive US data, the USTS team reports to ByteDance leadership in China, as BuzzFeed News reported in March. In a recorded January 2022 meeting, a data scientist told a colleague: “I get my instructions from the main office in Beijing.”
TikTok’s goal for Project Texas is that any data stored on the Oracle server will be secure and not accessible from China or elsewhere globally. However, according to seven recordings between September 2021 and January 2022, the lawyer leading TikTok’s negotiations with CFIUS and others clarify that this only includes data that is not publicly available on the app, like content that is in draft form, set to private, or information like users’ phone numbers and birthdays that is collected but not visible on their profiles. A Booz Allen Hamilton consultant told colleagues in September 2021 that what exactly will count as “protected data” that will be stored in the Oracle server was “still being ironed out from a legal perspective.”
In a recorded January 2022 meeting, the company’s head of product and user operations announced with a laugh that unique IDs (UIDs) will not be considered protected information under the CFIUS agreement: “The conversation continues to evolve,” they said. “We recently found out that UIDs are things we can have access to, which changes the game a bit.”
What the product and user operations head meant by “UID” in this circumstance is not clear — it could refer to an identifier for a specific TikTok account, or for a device. Device UIDs are typically used by ad tech companies like Google and Facebook to link your behavior across apps, making them nearly as important an identifier as your name.
As TikTok continues to negotiate over what data will be considered protected, the recordings make clear that a lot of US user data — including public videos, bios, and comments — will not be exclusively stored in the Oracle server. Instead, this data will be stored in the company’s Virginia data center, which may remain accessible from ByteDance’s Beijing offices even once Project Texas is complete. That means ByteDance’s China-based employees could continue to have access to insights about what American TikTok users are interested in, from cat videos to political beliefs.
It also appears that Oracle is giving TikTok considerable flexibility in how its data center will be run. In a recorded conversation from late January, TikTok’s head of global cyber and data defense made clear that while Oracle would be providing the physical data storage space for Project Texas, TikTok would control the software layer: “It’s almost incorrect to call it Oracle Cloud, because they’re just giving us bare metal, and then we’re building our VMs [virtual machines] on top of it.” Oracle did not respond to a request for comment.
Meanwhile, TikTok’s national security lawyer hopes the negotiation will have ripple effects in the tech industry and beyond. “There is going to be national security law that comes down from the Commerce Department,” they said, referencing the Biden administration’s development of regulations to govern apps that could be exploited “by foreign adversaries to steal or otherwise obtain data.”
“The question is whether the company will go far enough.”
“The law will be promulgated and codified in probably the next 18 months, I would say — and that’s how every Chinese company is going to be able to operate in the US,” the lawyer said.
TikTok’s efforts with Project Texas may ultimately pay off for the company. According to Graham Webster, a research scholar at Stanford’s Cyber Policy Center, if TikTok commits to being “transparent and high-integrity, and China-based employees won’t be able to access user data,” then “from a data security perspective, it should be possible to convince good-faith skeptics they have done enough.
“The question is whether the company will go far enough and whether skeptical authorities are truly open to being convinced,” he told BuzzFeed News.
The details of the arrangement between CFIUS, TikTok, and Oracle were still under discussion as of January 2022, when the recordings end. But even though Project Texas’s goal is to cordon off access to the most sensitive details about Americans that exist on TikTok’s servers, one policy employee had doubts that will actually prevent ByteDance’s employees in China from accessing this data.
“It remains to be seen if at some point product and engineering can still figure out how to get access, because in the end of the day, it’s their tools,” they said in a September 2021 meeting. “They built them all in China.” ●