TikTok employees in China have secret access to US user data, leaked meetings suggest

Sign up to our free weekly IndyTech newsletter delivered straight to your inbox

Sign up to our free IndyTech newsletter

Please enter a valid email address

Please enter a valid email address

SIGN UP

I would like to be emailed about offers, events and updates from The Independent. Read our privacy notice

TikTok data from users in the United States has been allegedly transferred to China and accessed by the social media app’s parent company ByteDance.

The news, which broke via leaked recordings of over 80 internal TikTok meetings, mirrors the allegations made by former president Donald Trump as he proposed a ban on the app in the United States – something which, ultimately, did not happen.

Buzzfeed News, which first broke the story, said that the recordings included 14 statements from nine different TikTok employees suggesting that engineers in China had access to US data between September 2021 and January 2022 at least.

“Everything is seen in China,” said a member of TikTok’s Trust and Safety department in a September 2021 meeting. In another recording, a director referred to one Beijing-based engineer as a “Master Admin” who “has access to everything.”

Buzzfeed News alleged that “the tapes suggest that the company may have misled lawmakers, its users, and the public by downplaying that data stored in the US could still be accessed by employees in China.”

TikTok is reportedly working on ‘Project Texas’, a way to redirect “protected” data so that it does not flow into China. What counts as “protected” is still being debated inside the company.

“The conversation continues to evolve,” the company’s head of product and user operations said. “We recently found out that UIDs [unique IDs] are things we can have access to, which changes the game a bit.”

What a ‘unique ID’ means in this context is unclear; it could be an identifier for a specific account or a specific device.

It appears that a lot of US user data – including public videos, bios, and comments – would not be exclusively stored in the United States.

TikTok, as this story developed, said in a blog post that 100 per cent “of US user traffic is being routed to Oracle Cloud Infrastructure. We still use our US and Singapore data centers for backup, but as we continue our work we expect to delete US users’ private data from our own data centers and fully pivot to Oracle cloud servers located in the US.”

Oracle was announced to be purchasing TikTok in September 2020 to avoid former president Trump’s ban, but the deal fell through.

However, TikTok’s head of global cyber and data defense reportedly said in the conversations that while Oracle would be providing the physical data storage space for Project Texas, TikTok would control the software layer.

“It’s almost incorrect to call it Oracle Cloud, because they’re just giving us bare metal, and then we’re building our [virtual machines] on top of it”, they said.

TikTok says that it physically stores all data in the United States, but that seemingly does not stop employees in China from accessing it.  “I feel like with these tools, there’s some backdoor to access user data in almost all of them, which is exhausting”, one employee reportedly said.

In a statement to Buzzfeed, TikTok said: "We know we’re among the most scrutinized platforms from a security standpoint, and we aim to remove any doubt about the security of US user data. That’s why we hire experts in their fields, continually work to validate our security standards, and bring in reputable, independent third parties to test our defenses."