ByteDance Employees Can Easily Access U.S. TikTok Data, Whistleblower Allegedly Tells Hawley

Topline

Controls preventing employees at TikTok and its China-based parent company ByteDance from accessing U.S. data might be weaker than both companies have previously suggested, according to allegations by a former ByteDance employee who spoke with Sen. Josh Hawley (R-Mo.), amid a bipartisan push to restrict the app on national security and privacy grounds—but TikTok has denied the ex-employee’s claims.

The whistleblower alleges TikTok employees can easily access U.S. user data.

AFP via Getty Images

Key Facts

Hawley outlined the whistleblower’s claims in a letter to Treasury Secretary Janet Yellen, noting the unnamed former employee described TikTok’s access controls as “superficial” at best, “where they exist at all.”

The letter—first shared with Axios—alleges TikTok employees can easily toggle between Chinese and U.S. data “just like a light switch,” and that both companies rely on software that allows Chinese engineers to gain backdoor access.

Access to U.S. data through a tool called Aeolus only requires approval from a manager and dataset owner, the whistleblower claims, adding they have seen “first-hand” China-based engineers back up and analyze non-China datasets.

Hawley said the allegations contradict testimony by TikTok COO Vanessa Pappas, who told Congress in September that the company has “strict controls in terms of who and how our data is accessed.”

TikTok denied the whistleblower’s claims in an email to Forbes, noting the tools mentioned by the “misinformed” former employee are “primarily analytic” and do not grant direct access to data, and that engineers do not have access to protected U.S. user datasets, which are managed and monitored in the United States.

News Peg

Sens. John Thune (R-S.D.) and Mark Warner (D-Va.) pushed forward a bill Tuesday that would allow the Department of Commerce to “review, block and mitigate” software and hardware made by adversarial nations, including China, Iran, Russia and North Korea. TikTok is not directly referenced, but the bill is designed in part to restrict TikTok.

What To Watch For

Hawley called for an investigation of the whistleblower’s allegations by the Committee on Foreign Investment in the U.S. (CFIUS)—an agency led by the Treasury Secretary that oversees foreign investments—and asked the agency to respond by March 20.

Key Background

The whistleblower’s allegations are the most recent blow to TikTok and ByteDance over claims the social media app poses national security and privacy risks, and fears the Chinese government could access U.S.-based users’ data. Forbes previously reported ByteDance had tracked the locations of several of its journalists, while the New York Times suggested TikTok can track users’ keystrokes, including visits to third-party websites on an in-app browser. The Commerce Department alleged in 2020 the app and its parent company have the means to “threaten national security, foreign policy and economy of the U.S.” President Joe Biden signed a bill banning TikTok from federally issued devices in January, and most state governments have now issued similar bans. A number of universities have also banned access to the app from campus Wi-Fi, including the University of Texas at Austin, the University of Oklahoma and Auburn University, among others.

Tangent

TikTok is planning to reorganize its U.S. operations and let third-party companies monitor the app’s recommendation algorithms to determine whether its code has been manipulated in some way, the Wall Street Journal reported earlier this year. The plan comes as the company negotiates with CFIUS and tries to convince the agency to allow it to remain under ByteDance control. The company also announced new standards for data security in Europe—called “Project Clover”—that would store European user data locally while minimizing data transfer outside the region.