Leaked audio from 80 internal TikTok meetings between September 2021 and January 2022 revealed that the data of American users is repeatedly accessed by China-based employees of the platform’s parent company ByteDance. The leaked audio contradicts previous statements by TikTok that data collected in the US is stored in the US and not in China.
The recordings, obtained by BuzzFeed News, include 14 statements from nine employees that indicate China-based employees have access to US data.
For instance, in a meeting held in September 2021, a member of the Trust and Safety department said “Everything is seen in China.” In another meeting the same month, an employee referenced an engineer based in Beijing as a “Master Admin” with “access to everything.”
BuzzFeed reported the statements contradict testimony by a TikTok executive in a Senate hearing that a “world-renowned US-based security team” determines who accesses US data. The recordings also indicate that staff in the US don’t have permission or do not know how to access data and have to consult their colleagues in China.
In a statement to BuzzFeed News regarding the revelations of the leaked audio, a spokesperson for TikTok said: “We know we’re among the most scrutinized platforms from a security standpoint, and we aim to remove any doubt about the security of US user data. That’s why we hire experts in their fields, continually work to validate our security standards, and bring in reputable, independent third parties to test our defenses.”
The suspicion that China can access US user data resulted in former President Donald Trump threatening to ban TikTok in the US.
Most of the recordings are about “Project Texas,” an effort by the company to address the concerns of US user data being accessed in China. Project Texas is a contract between CFIUS and cloud services provider Oracle. The idea is to store certain protected US user data, like birthdays and phone numbers, in a data center in Texas managed by Oracle.
The companies are currently negotiating what would count as “protected data.” But the recordings indicate public data like user-profiles and posts will not be protected.
In a recent blog post, TikTok announced that it had changed the “default storage location of US user data” adding that, currently, “100% of US user traffic is being routed to Oracle Cloud Infrastructure. We still use our US and Singapore data centers for backup, but as we continue our work we expect to delete US users’ private data from our own data centers and fully pivot to Oracle cloud servers located in the US.”
Project Texas is not very reassuring to some people because the Chinese government can still get US user data from data brokers. The recordings revealed that people working on Project Texas were finding it challenging to stop the flow of data from the US to China because of ByteDance’s internal tools.
In September 2021, a consultant told colleagues: “I feel like with these tools, there’s some backdoor to access user data in almost all of them, which is exhausting.”