The project, assigned to a Beijing-led team, would have involved accessing location data from some U.S. users’ devices without their knowledge or consent.
A China-based team at TikTok’s parent company, ByteDance, planned to use the TikTok app to monitor the personal location of some specific American citizens, according to materials reviewed by Forbes.
The team behind the monitoring project — ByteDance’s Internal Audit and Risk Control department — is led by Beijing-based executive Song Ye, who reports to ByteDance cofounder and CEO Rubo Liang.
The team primarily conducts investigations into potential misconduct by current and former ByteDance employees. But in at least two cases, the Internal Audit team also planned to collect TikTok data about the location of a U.S. citizen who had never had an employment relationship with the company, the materials show. It is unclear from the materials whether data about these Americans was actually collected; however, the plan was for a Beijing-based ByteDance team to obtain location data from U.S. users’ devices.
TikTok spokesperson Maureen Shanahan said that TikTok collects approximate location information based on users’ IP addresses to “among other things, help show relevant content and ads to users, comply with applicable laws, and detect and prevent fraud and inauthentic behavior.”
But the material reviewed by Forbes indicates that ByteDance’s Internal Audit team was planning to use this location information to surveil individual American citizens, not to target ads or any of these other purposes. Forbes is not disclosing the nature and purpose of the planned surveillance referenced in the materials in order to protect sources. TikTok and ByteDance did not answer questions about whether Internal Audit has specifically targeted any members of the U.S. government, activists, public figures or journalists.
TikTok is reportedly close to signing a contract with the Treasury Department’s Committee on Foreign Investment in the United States (CFIUS), which evaluates the national security risks posed by companies of foreign ownership, and has been investigating whether the company’s Chinese ownership could enable the Chinese government to access personal information about U.S. TikTok users. (Disclosure: In a past life, I held policy positions at Facebook and Spotify.)
In September, President Biden signed an executive order enumerating specific risks that CFIUS should consider when assessing companies of foreign ownership. The order, which states that it intends to “emphasize . . . the risks presented by foreign adversaries’ access to data of United States persons,” focuses specifically on foreign companies’ potential use of data “for the surveillance, tracing, tracking, and targeting of individuals or groups of individuals, with potential adverse impacts on national security.”
The Treasury Department did not respond to a request for comment.
The Internal Audit and Risk Control team runs regular audits and investigations of TikTok and ByteDance employees, for infractions like conflicts of interest and misuse of company resources, and also for leaks of confidential information. Internal materials reviewed by Forbes show that senior executives, including TikTok CEO Shou Zi Chew, have ordered the team to investigate individual employees, and that it has investigated employees even after they left the company.
The internal audit team uses a data request system known to employees as the “green channel,” according to documents and records from Lark, ByteDance’s internal office management software. These documents and records show that “green channel” requests for information about U.S. employees have pulled that data from mainland China.
“Like most companies our size, we have an internal audit function responsible for objectively auditing and evaluating the company and our employees’ adherence to our codes of conduct,” said ByteDance spokesperson Jennifer Banks in a statement. “This team provides its recommendations to the leadership team.”
ByteDance is not the first tech giant to have considered using an app to monitor specific U.S. users. In 2017, the New York Times reported that Uber had identified various local politicians and regulators and served them a separate, misleading version of the Uber app to avoid regulatory penalties. At the time, Uber acknowledged that it had run the program, called “greyball,” but said it was used to deny ride requests to “opponents who collude with officials on secret ‘stings’ meant to entrap drivers,” among other groups.
TikTok did not respond to questions about whether it has ever served different content or experiences to government officials, regulators, activists or journalists than the general public in the TikTok app.
Both Uber and Facebook also reportedly tracked the location of journalists reporting on their apps. A 2015 investigation by the Electronic Privacy Information Center found that Uber had monitored the location of journalists covering the company. Uber did not specifically respond to this claim. The 2021 book An Ugly Truth alleges that Facebook did the same thing, in an effort to identify the journalists’ sources. Facebook did not respond directly to the assertions in the book, but a spokesperson told the San Jose Mercury News in 2018 that, like other companies, Facebook “routinely use[s] business records in workplace investigations.”
But an important factor distinguishes ByteDance’s planned collection of private users’ information from those cases: TikTok recently told lawmakers that access to certain U.S. user data — likely including location — will be “limited only to authorized personnel, pursuant to protocols being developed with the U.S. Government.” TikTok and ByteDance did not answer questions about whether Internal Audit executive Song Ye or other members of the department are “authorized personnel” for the purposes of these protocols.
These promises are part of Project Texas, TikTok’s massive effort to rebuild its internal systems so that China-based employees will not be able to access a swath of “protected” identifying user data about U.S. TikTok users, including their phone numbers, birthdays and draft videos. This effort is central to the company’s national security negotiations with CFIUS.
At a Senate hearing in September, TikTok Chief Operating Officer Vanessa Pappas said the forthcoming CFIUS contract would “satisfy all national security concerns” about the app. Still, some senators appeared skeptical. In July, the Senate Intelligence Committee began an investigation into whether TikTok misled lawmakers by withholding information about China-based employees’ access to U.S. data earlier this year, following a June report in BuzzFeed News showing that U.S. user data had been repeatedly accessed by ByteDance employees in China.
In a statement about TikTok’s data access controls, TikTok spokesperson Shanahan said that the company uses tools like encryption and “security monitoring” to keep data secure, that access approval is overseen by U.S. personnel, and that employees are granted access to U.S. data “on an as-needed basis.”
It is unclear what role ByteDance’s Internal Audit team will play in TikTok’s efforts to limit China-based employees’ access to U.S. user data, especially given the team’s plans to monitor some American citizens’ locations using the TikTok app. But a fraud risk assessment written by a member of the team in late 2021 highlighted data storage concerns, saying that according to employees responsible for the company’s data, “it is impossible to keep data that should not be stored in CN from being retained in CN-based servers, even after ByteDance stands up a primary storage cetner [sic] in Singapore. [Lark data is saved in China.]” (brackets in original).
Moreover, a leaked audio conversation from January 2022 shows that the Beijing-based team was, at that point, gathering additional information on Project Texas. In the call, a member of TikTok’s U.S. Trust & Safety team recounted an unusual conversation to his manager: The employee had been asked by Chris Lepitak, TikTok’s Chief Internal Auditor, to meet at an LA-area restaurant off hours. Lepitak, who reports to Beijing-based Song Ye, then asked the employee detailed questions about the location and details of the Oracle server that is central to TikTok’s plans to limit foreign access to personal U.S. user data. The employee told his manager that he was “freaked out” by the exchange. TikTok and ByteDance did not respond to questions about this conversation.
Oracle spokesperson Ken Glueck said that while TikTok does currently use Oracle’s cloud services, “we have absolutely no insight one way or the other” into who can access TikTok user data. “Today, TikTok is running in the Oracle cloud, but just like Bank of America, General Motors, and a million other customers, they have full control of everything they’re doing,” he said.
This corroborates a January statement made by TikTok’s Head of Data Defense in another leaked audio call. In that call, the executive said to a colleague: “It’s almost incorrect to call it Oracle Cloud, because they’re just giving us bare metal, and then we’re building our VMs [virtual machines] on top of it.”
Glueck made clear that this would change if and when TikTok finalizes its contract with the federal government. “But unless and until that’s the case,” he said, Oracle is not providing anything “other than our own security” for TikTok.
TikTok did not answer questions from Forbes about the status of the company’s negotiations with CFIUS. But in a statement to Bloomberg published early this morning, TikTok spokesperson Brooke Oberwetter said: “We are confident that we are on a path to fully satisfy all reasonable U.S. national security concerns.”