According to documents examined by Forbes, the parent company of TikTok, ByteDance has planned to track specific Americans’ physical locations.
ByteDance’s Internal Audit and Risk Control division, overseen by Beijing-based executive Song Ye, who answers to ByteDance cofounder and CEO Rubo Liang, was in charge of the project.
Visit Forbes’ Emily Baker-White for more.
The team’s primary focus is looking into alleged wrongdoing by current and former ByteDance workers. However, the documents reveal that the Internal Audit team also intended to get TikTok information about a U.S. citizen’s location in at least two instances who had never worked for the company. Although it is unclear from the documents whether information about these Americans was ever gathered, the idea was for a Beijing-based ByteDance team to acquire location information from the devices of American users.
According to Maureen Shanahan, a spokesperson for TikTok, the app uses users’ IP addresses to gather approximate location data in order to, among other things, “help show relevant content and ads to users, comply with applicable laws, and detect and prevent fraud and inauthentic behavior.”
Subscribe to GreatGameIndia
However, the information Forbes has seen shows that ByteDance’s Internal Audit team intended to utilise this location data to monitor specific American citizens, not to target ads or for any of these other purposes. In order to safeguard sources, Forbes is not identifying the type of monitoring that is being planned or why it is being done. If any activists, public figures, journalists, or members of the U.S. government have been explicitly targeted by Internal Audit, they have not been identified by TikTok or ByteDance.
TikTok is reportedly close to signing a contract with the Treasury Department’s Committee on Foreign Investment in the United States (CFIUS), which evaluates the national security risks posed by companies of foreign ownership, and has been investigating whether the company’s Chinese ownership could enable the Chinese government to access personal information about U.S. TikTok users.
In September, President Biden signed an executive order enumerating specific risks that CFIUS should consider when assessing companies of foreign ownership. The order, which states that it intends to “emphasize . . . the risks presented by foreign adversaries’ access to data of United States persons,” focuses specifically on foreign companies’ potential use of data “for the surveillance, tracing, tracking, and targeting of individuals or groups of individuals, with potential adverse impacts on national security.”
The Treasury Department did not respond to a request for comment.
Regular audits and investigations of TikTok and ByteDance workers are conducted by the internal audit and risk control team to check for violations like conflicts of interest, improper use of corporate resources, and disclosure of sensitive data. According to internal documents Forbes reviewed, senior executives, including TikTok CEO Shou Zi Chew, had instructed the team to look into specific workers, and the investigation had continued even after those employees had departed the business.
Documents and records from Lark, ByteDance’s internal office management software, show that the internal audit team employs a data request method known to workers as the “green channel.” These documents and records demonstrate that information about American employees was obtained from the Chinese mainland through “green channel” requests.
“Like most companies our size, we have an internal audit function responsible for objectively auditing and evaluating the company and our employees’ adherence to our codes of conduct,” said ByteDance spokesperson Jennifer Banks in a statement. “This team provides its recommendations to the leadership team.”
ByteDance is not the first tech giant to have considered using an app to monitor specific U.S. users. In 2017, the New York Times reported that Uber had identified various local politicians and regulators and served them a separate, misleading version of the Uber app to avoid regulatory penalties. At the time, Uber acknowledged that it had run the program, called “greyball,” but said it was used to deny ride requests to “opponents who collude with officials on secret ‘stings’ meant to entrap drivers,” among other groups.
TikTok did not respond to questions about whether it has ever served different content or experiences to government officials, regulators, activists or journalists than the general public in the TikTok app.
According to reports, Facebook and Uber both kept tabs on the whereabouts of journalists using their apps. According to a 2015 investigation by the Electronic Privacy Information Center, Uber had tracked the whereabouts of journalists who covered the business. Uber did not directly address this assertion. An Ugly Truth, a book published in 2021, claims that Facebook engaged in a similar practise to identify the journalists’ sources. Although a spokesman told the San Jose Mercury News in 2018 that Facebook “routinely use[s] business records in employment investigations,” Facebook did not specifically address the claims made in the book.
However, a crucial aspect sets apart ByteDance’s planned collection of personal user data from those instances: In a recent letter to lawmakers, TikTok stated that “only authorised personnel, in accordance with protocols being developed with the U.S. Government,” will have access to certain U.S. user data, likely including location. If Internal Audit executive Song Ye or other members of the division are considered “approved personnel” for the purposes of these protocols, TikTok and ByteDance did not respond to inquiries regarding this.
These assurances are a part of TikTok’s massive Project Texas effort to rebuild its internal systems so that Chinese employees won’t have access to a variety of “protected” identifying information about users of the TikTok app in the United States, such as their phone numbers, birthdays, and draught videos. The company’s efforts in this area are crucial.
Vanessa Pappas, the chief operating officer of TikTok, stated at a Senate hearing in September that the upcoming CFIUS contract will “satisfy all national security concerns” over the app. However, a few senators showed scepticism. Following a June BuzzFeed News report revealing that ByteDance employees in China had repeatedly accessed U.S. user data, the Senate Intelligence Committee launched an investigation into whether TikTok misled lawmakers by withholding information about the access of U.S. data earlier this year by employees based in China.
The company uses methods including encryption and “security monitoring” to keep data secure, access approval is monitored by U.S. staff, and employees are given access to U.S. data “as-needed,” according to a statement from TikTok spokeswoman Shanahan.
It’s unclear what part ByteDance’s Internal Audit team will play in TikTok’s efforts to restrict access to U.S. user data by personnel headquartered in China, particularly given the team’s ambitions to track the movements of some American citizens using the TikTok app. However, a fraud risk assessment prepared by a team member in late 2021 raised issues with data storage, stating that, in the opinion of the staff members in charge of the company’s data,“it is impossible to keep data that should not be stored in CN from being retained in CN-based servers, even after ByteDance stands up a primary storage cetner [sic] in Singapore. [Lark data is saved in China.]” (brackets in original).
Furthermore, a leaked audio discussion from January 2022 reveals that the Beijing-based team was already gathering further details about Project Texas at that time. A member of TikTok’s U.S. Trust & Safety team described an odd chat to his manager during the call: Chris Lepitak, TikTok’s Chief Internal Auditor, had urged the employee to meet at a restaurant in the LA area after hours. The employee was then questioned in-depth by Lepitak, who answers to Song Ye in Beijing, regarding the location and specifics of the Oracle server, which is essential to TikTok’s intentions to restrict foreign access to sensitive user data in the United States. The worker admitted to his manager that the interaction had “freaked him out.” When contacted about this exchange, neither TikTok nor ByteDance provided a response.