China-based employees at TikTok’s parent company, ByteDance, repeatedly accessed sensitive U.S. user data “in contravention of several public representations,” the committee said.
The Senate Intelligence Committee has sent a letter to the Federal Trade Commission asking that it open an investigation into whether TikTok misled U.S. lawmakers about China-based employees of its parent company, ByteDance, accessing American user data.
The letter, signed by committee chairman Senator Mark Warner and vice chairman Senator Marco Rubio, cites “repeated misrepresentations by TikTok concerning its data security, data processing, and corporate governance practices.” (Disclosure: In a former life, I held policy positions at Facebook.)
It references a bombshell BuzzFeed News report that China-based employees of ByteDance regularly accessed sensitive U.S. user data into early 2022, according to leaked audio from more than 80 internal meetings concerning TikTok’s efforts to reduce the flow of data from the U.S. to China through a deal with cloud provider Oracle. (TikTok has since confirmed that ByteDance employees in China can access sensitive U.S. user data.)
“While TikTok has suggested that migrating to U.S.-based storage from a U.S. cloud service provider alleviates any risk of unauthorized access, these latest revelations raise concerns about the reliability of TikTok representations,” Warner and Rubio write.
The letter also highlights BuzzFeed News’ reporting that TikTok employees who work with sensitive U.S. user data continue to report to ByteDance executives in Beijing, despite TikTok’s recent claims to the Senate Intelligence Committee that “all corporate governance decisions are wholly firewalled from their PRC-based parent, ByteDance.”
“For two years, we’ve talked openly about our work to limit access to user data across regions, and in our letter to senators last week we were clear about our progress in limiting access even further through our work with Oracle,” TikTok spokesperson Maureen Shanahan said in response to a request for comment. “As we’ve said repeatedly, TikTok has never shared U.S. user data with the Chinese government, nor would we if asked.”
The FTC confirmed receipt of the letter, but declined to comment.
TikTok has been under scrutiny since 2019, when the Committee on Foreign Investment in the United States (CFIUS) began investigating ByteDance’s acquisition of Musical.ly, the app that became TikTok, as a potential national security risk. CFIUS declined to comment.
In 2020, concerns that the Chinese government could use TikTok’s vast collection of data to surveil U.S. citizens prompted then-President Donald Trump to threaten to ban the app unless it was sold to a U.S. company. The ban never happened, but TikTok instead began working with CFIUS and Oracle to restrict access to some sensitive data about U.S. users from ByteDance employees in China, an effort called Project Texas.
While TikTok and ByteDance publicly downplayed their relationship and emphasized that U.S. user data is stored in the U.S., the leaked meetings about Project Texas reveal the extent to which China-based employees have had access to this data. “Everything is seen in China,” a member of TikTok’s Trust and Safety department said in a September 2021 meeting.
The revelation has revived lawmakers’ fears about ByteDance’s relationship with TikTok and TikTok’s plans to safeguard American data. On June 24, six senators sent a letter to the Treasury Department asking for details of the negotiation between TikTok and CFIUS, which reports into Treasury. On June 28, Federal Communications Commissioner Brendan Carr called on Apple and Google to remove TikTok from their app stores.
That same day, nine Republican senators also sent TikTok a letter, asking questions about China-based ByteDance employees’ access to U.S. user data and raising concerns that TikTok’s Head of Public Policy for the Americas Michael Beckerman “did not provide truthful or forthright answers to the Senate Commerce Committee” at a 2021 hearing.
TikTok responded to the letter by saying that ByteDance employees outside of the U.S. can access sensitive U.S. data, as long as they have been authorized to do so by a U.S.-based security team. The letter does not address the fact that employees authorized to work with U.S. user data (including the new United States Technical Services team, created as part of Project Texas) report to ByteDance leadership in Beijing.