The Chinese Communist Party (CCP) has been using its social media app TikTok to monitor the physical location of specific American citizens, according to reports.
The team behind the monitoring project — ByteDance’s Internal Audit and Risk Control department — is led by Beijing-based executive Song Ye, who reports to ByteDance cofounder and CEO Rubo Liang.
“The team primarily conducts investigations into potential misconduct by current and former ByteDance employees,” according to Forbes.
“But in at least two cases, the Internal Audit team also planned to collect TikTok data about the location of a U.S. citizen who had never had an employment relationship with the company, the materials show.
“It is unclear from the materials whether data about these Americans was actually collected; however, the plan was for a Beijing-based ByteDance team to obtain location data from U.S. users’ devices.”
TikTok is reportedly close to signing a contract with the Treasury Department’s Committee on Foreign Investment in the United States (CFIUS), which evaluates the national security risks posed by companies of foreign ownership.
CFIUS has been looking into whether the company’s Chinese ownership can let the Chinese government access personal information about U.S. TikTok users.
Biden signed an executive order in September detailing the specific risks CFIUS should look at when assessing foreign-owned companies.
The order wants to “emphasize the risks presented by foreign adversaries’ access to data of United States persons, for the surveillance, tracing, tracking, and targeting of individuals or groups of individuals, with potential adverse impacts on national security.”
“Like most companies our size, we have an internal audit function responsible for objectively auditing and evaluating the company and our employees’ adherence to our codes of conduct,” said ByteDance spokesperson Jennifer Banks in a statement.
“This team provides its recommendations to the leadership team.”
According to Forbes:
It is unclear what role ByteDance’s Internal Audit team will play in TikTok’s efforts to limit China-based employees’ access to U.S. user data, especially given the team’s plans to monitor some American citizens’ locations using the TikTok app.
But a fraud risk assessment written by a member of the team in late 2021 highlighted data storage concerns, saying that according to employees responsible for the company’s data, “it is impossible to keep data that should not be stored in CN from being retained in CN-based servers, even after ByteDance stands up a primary storage cetner [sic] in Singapore. [Lark data is saved in China.]” (brackets in original).
Moreover, a leaked audio conversation from January 2022 shows that the Beijing-based team was, at that point, gathering additional information on Project Texas.
In the call, a member of TikTok’s U.S. Trust & Safety team recounted an unusual conversation to his manager:
The employee had been asked by Chris Lepitak, TikTok’s Chief Internal Auditor, to meet at an LA-area restaurant off hours.
Lepitak, who reports to Beijing-based Song Ye, then asked the employee detailed questions about the location and details of the Oracle server that is central to TikTok’s plans to limit foreign access to personal U.S. user data.
The employee told his manager that he was “freaked out” by the exchange.
TikTok and ByteDance did not respond to questions about this conversation.
Oracle spokesperson Ken Glueck said that while TikTok does currently use Oracle’s cloud services, “we have absolutely no insight one way or the other” into who can access TikTok user data.
“Today, TikTok is running in the Oracle cloud, but just like Bank of America, General Motors, and a million other customers, they have full control of everything they’re doing,” he said.
#BREAKING SCOOP: TikTok’s China-based parent company ByteDance planned to use the TikTok app to track the physical location of specific American citizens, according to materials reviewed by Forbes. https://t.co/IUA6Cm8NwK
— Forbes (@Forbes) October 20, 2022