According to Forbes’ initial report from October, ByteDance has admitted that it used TikTok to track the physical locations of journalists using their IP addresses. This is how TikTok spied on Forbes journalists.
ByteDance, the parent company of video-sharing platform TikTok, conducted an internal investigation and discovered that employees monitored multiple journalists trying to cover the company, wrongfully getting access to their IP addresses and user data in an endeavor to determine whether they had been in the same locations as ByteDance employees.
According to documents reviewed by Forbes, ByteDance tracked many Forbes journalists as part of this clandestine surveillance program, which was intended to uncover the origin of leaks within the company in the aftermath of a barrage of stories exposing the company’s continuous ties to China. ByteDance terminated Chris Lepitak, its chief internal auditor who headed the group responsible for the monitoring measures, as a result of the investigation. Song Ye, the Chinese executive to whom Lepitak reported and who reports directly to ByteDance CEO Rubo Liang, resigned.
“I was deeply disappointed when I was notified of the situation… and I’m sure you feel the same,” Liang wrote in an internal email shared with Forbes. “The public trust that we have spent huge efforts building is going to be significantly undermined by the misconduct of a few individuals. … I believe this situation will serve as a lesson to us all.”
“It is standard practice for companies to have an internal audit group authorized to investigate code of conduct violations,” TikTok General Counsel Erich Andersen wrote in a second internal email shared with Forbes. “However, in this case individuals misused their authority to obtain access to TikTok user data.”
The surveillance techniques, which were managed by a ByteDance team based in China, were originally made public by Forbes in October. In response to questions regarding the story, ByteDance and TikTok did not dispute the surveillance, but they later stated on Twitter that “TikTok has never been used to ‘target’ any members of the U.S. government, activists, public figures or journalists,” and that “TikTok could not monitor U.S. users in the way the article suggested.” Liang stated in the internal email that TikTok had really been utilized in the manner described by Forbes.
“This is a direct assault on the idea of a free press and its critical role in a functioning democracy.”
Randall Lane, the chief content officer of Forbes
This summer, BuzzFeed News released a story based on more than 80 hours of audio recordings of internal TikTok meetings that claimed ByteDance workers had routinely accessed U.S. user data. This led to the start of the probe, internally referred to as Project Raven. ByteDance’s Chief Security and Privacy Office was involved in Project Raven, which was approved by staff members in China and was known to TikTok’s Head of Global Legal Compliance, according to internal papers reviewed by Forbes. It monitored three former BuzzFeed News employees who now work for Forbes, Emily Baker-White, Katharine Schwab, and Richard Nieva.
“This is a direct assault on the idea of a free press and its critical role in a functioning democracy,” says Randall Lane, the chief content officer of Forbes. “We await a direct response from ByteDance, as this raises fundamental questions about what they are doing with the information they compile from TikTok users.”
After this story was published, TikTok spokesperson Hilary McQuaide said, “The misconduct of certain individuals, who are no longer employed at ByteDance, was an egregious misuse of their authority to obtain access to user data. This misbehavior is unacceptable, and not in line with our efforts across TikTok to earn the trust of our users.”
“ByteDance condemns this misguided plan that violated the company’s Code of Conduct,” said ByteDance representative Jennifer Banks. She stated that ByteDance has found no evidence that the business surveilled Forbes journalists other than Baker-White, but that the inquiry is still ongoing. According to internal business documents acquired by Forbes, Schwab and Nieva were also being monitored.
Banks also stated that Catherine Razzano, its head of Global Legal Compliance, was unaware of the surveillance of journalists until late October, despite the fact that documents seen by Forbes reveal that she was aware of the Project Raven leak inquiry prior to that time.
“This new development reinforces serious concerns that the social media platform has permitted TikTok engineers and executives in the People’s Republic of China to repeatedly access private data of U.S. users despite repeated claims to lawmakers and users that this data was protected,” Senator Mark Warner told Forbes. “The DoJ has also been promising for over a year that they are looking into ways to protect U.S. user data from Bytedance and the CCP — it’s time to come forward with that solution or Congress could soon be forced to step in.”
ByteDance discovered that many of its employees accessed the data of “a former BuzzFeed reporter and a Financial Times reporter,” as well as a “small number of people connected to the reporters,” via their TikTok accounts, according to an internal email written Thursday by Andersen. The audit was carried out by the legal firm Covington & Burling, which has previously represented TikTok in litigation against the United States government.
As a consequence of the revelations, ByteDance dismissed two additional TikTok employees in the United States and China, in addition to TikTok’s Chief Internal Auditor, Chris Lepitak, who was suspended following Forbes’ initial expose about the surveillance scheme in October. “None of the individuals found to have directly participated in or overseen the misguided plan remain employed at ByteDance,” Andersen wrote in the internal email.
“This new development reinforces serious concerns that the social media platform has permitted TikTok engineers and executives in the People’s Republic of China to repeatedly access private data of U.S. users despite repeated claims to lawmakers and users that this data was protected.”
Senator Mark Warner
The group in charge of overseeing the surveillance operation was from ByteDance’s Internal Audit and Risk Control department, which has its headquarters in Beijing and is primarily in charge of looking into allegations of potential wrongdoing by current and former ByteDance employees.
“We take data security incredibly seriously,” TikTok CEO Shou Zi Chew wrote in an email to workers, adding that the company’s Project Texas, which might restrict China-based access to U.S. user data (and was first reported by Baker-White at BuzzFeed News), was a “testament to that commitment”.
TikTok emerged as the most popular website in the world in 2021, however the app’s ownership by Chinese internet firm ByteDance has generated substantial worries about the company’s access to millions of US individuals’ personal information, as well as its ability to control and influence user content. The Chinese-owned social media app is now negotiating a national security agreement with the Treasury Department’s Committee on Foreign Investment in the United States (CFIUS), which will regulate how the Chinese-owned social media app manages personal user data of Americans. As part of Project Texas, the corporation has also worked to alleviate worries about its ties to China by relocating some US customer data to a data center maintained by Oracle.
“In this case individuals misused their authority to obtain access to TikTok user data.”
Erich Andersen, TikTok General Counsel
The U.S. Air Force veteran and TikTok global security chief Roland Cloutier was the target of an investigation by the same China-based ByteDance internal audit and investigations team that supervised the monitoring campaign against journalists. Roland Cloutier was in charge of overseeing efforts to restrict Chinese employees’ access to American user information. In July 2022, Cloutier resigned. According to Forbes, at least five senior workers who oversaw departments at TikTok recently left the company after learning they had no real effect on policy.
In August, Forbes discovered LinkedIn profiles for 300 ByteDance employees that revealed they had previously worked for Chinese official media publications. ByteDance directors appeared to have developed twenty-three of the profiles. At the time, ByteDance representative Jennifer Banks claimed the company makes “hiring decisions based purely on an individual’s professional capability to do the job. For our China-market businesses, that includes people who have previously worked in government or state media positions in China. Outside of China, employees also bring experience in government, public policy, and media organizations from dozens of markets.”
The software industry leader ByteDance is not the first to employ an app to track certain users. According to a 2017 New York Times article, Uber selected a number of local lawmakers and regulators and provided them a special, deceptive version of the Uber app in order to dodge regulatory penalties. At the time, Uber acknowledged using the “greyball” technology, but said it was used, among other things, to refuse ride requests from “opponents who collude with officials on secret ‘stings’ meant to entrap drivers.”
According to reports, Facebook and Uber both kept tabs on the whereabouts of journalists using their programs. Uber was revealed to have tracked the locations of journalists who covered the company, according to a 2015 study by the Electronic Privacy Information Center. Uber did not directly address this assertion. An Ugly Truth, a book published in 2021, claims that Facebook engaged in a similar practice to identify the journalists’ sources. Although a spokesman told the San Jose Mercury News in 2018 that Facebook “routinely use[s] business records in workplace investigations,” Facebook did not specifically address the claims made in the book.
However, one crucial distinction separates ByteDance’s gathering of private users’ information from those cases: TikTok told Congress (read below) in June that access to some U.S. user data, possibly including location, would be “limited only to authorized personnel, pursuant to protocols being developed with the U.S. Government.”
Brendan Carr, an FCC commissioner who called on Apple and Google to prohibit TikTok after a BuzzFeed News exposé in June, stated: “At the precise moment when TikTok is trying to convince U.S. officials that it can be trusted—when it has every incentive to ensure the security of user data—its Beijing-based parent company abused its systems to obtain data on reporters that are covering TikTok? This should be the final nail in the coffin for the idea that U.S. officials can trust TikTok.”
According to documents examined by Forbes, the parent company of TikTok, ByteDance has planned to track specific Americans‘ physical locations.
Read the document below:
Support GreatGameIndia
