- The project, assigned to a Beijing-led team, would have involved accessing location data from some U.S. users’ devices without their knowledge or consent.
- The team primarily conducts investigations into potential misconduct by current and former ByteDance employees.
- Forbes is not disclosing the nature and purpose of the planned surveillance referenced in the materials in order to protect sources.
According to documents Forbes obtained, a China-based team at TikTok’s parent firm, ByteDance, intended to utilize the TikTok app to track the whereabouts of a select group of American people.
The team behind the monitoring project — ByteDance’s Internal Audit and Risk Control department — is led by Beijing-based executive Song Ye, who reports to ByteDance cofounder and CEO Rubo Liang.
The team primarily conducts investigations into potential misconduct by current and former ByteDance employees.
But in at least two cases, the Internal Audit team also planned to collect TikTok data about the location of a U.S. citizen who had never had an employment relationship with the company, the materials show.
TikTok spokesperson Maureen Shanahan said that TikTok collects approximate location information based on users’ IP addresses to “among other things, help show relevant content and ads to users, comply with applicable laws, and detect and prevent fraud and inauthentic behavior.”
Forbes is not disclosing the nature and purpose of the planned surveillance referenced in the materials in order to protect sources.
TikTok is reportedly close to signing a contract with the Treasury Department’s Committee on Foreign Investment in the United States (CFIUS), which evaluates the national security risks posed by companies of foreign ownership and has been investigating whether the company’s Chinese ownership could enable the Chinese government to access personal information about U.S. TikTok users. (Disclosure: In my past life, I held policy positions at Facebook and Spotify.)
In September, President Biden signed an executive order enumerating specific risks that CFIUS should consider when assessing companies of foreign ownership.
The order, which states that it intends to “emphasize . . .the risks presented by foreign adversaries’ access to data of United States persons,” focuses specifically on foreign companies’ potential use of data “for the surveillance, tracing, tracking, and targeting of individuals or groups of individuals, with potential adverse impacts on national security.”
The Treasury Department did not respond to a request for comment.
The Internal Audit and Risk Control team runs regular audits and investigations of TikTok and ByteDance employees, for infractions like conflicts of interest and misuse of company resources, and also for leaks of confidential information.
Internal materials reviewed by Forbes show that senior executives, including TikTok CEO Shou Zi Chew, have ordered the team to investigate individual employees, and that it has investigated employees even after they left the company.
The internal audit team uses a data request system known to employees as the “green channel,” according to documents and records from Lark, ByteDance’s internal office management software.
These documents and records show that “green channel” requests for information about U.S. employees have pulled that data from mainland China.
Internal audit function
“Like most companies our size, we have an internal audit function responsible for objectively auditing and evaluating the company and our employees’ adherence to our codes of conduct,” said ByteDance spokesperson Jennifer Banks in a statement.
“This team provides its recommendations to the leadership team.”
ByteDance is not the first tech giant to have considered using an app to monitor specific U.S. users.
In 2017, the New York Times reported that Uber had identified various local politicians and regulators and served them a separate, misleading version of the Uber app to avoid regulatory penalties.
TikTok did not respond to questions about whether it has ever served different content or experiences to government officials, regulators, activists, or journalists than the general public in the TikTok app.
Both Uber and Facebook also reportedly tracked the location of journalists reporting on their apps.
Uber did not specifically respond to this claim.
Facebook did not respond directly to the assertions in the book, but a spokesperson told the San Jose Mercury News in 2018 that, like other companies, Facebook “routinely use[s] business records in workplace investigations.”
This effort is central to the company’s national security negotiations with CFIUS.
In a statement about TikTok’s data access controls, TikTok spokesperson Shanahan said that the company uses tools like encryption and “security monitoring” to keep data secure, access approval is overseen by U.S personnel, and that employees are granted access to U.S. data “on an as-needed basis.”
Leaked audio call
Oracle spokesperson Ken Glueck said that while TikTok does currently use Oracle’s cloud services, “we have absolutely no insight one way or the other” into who can access TikTok user data.
“Today, TikTok is running in the Oracle cloud, but just like Bank of America, General Motors, and a million other customers, they have full control of everything they’re doing,” he said.
This corroborates a January statement made by TikTok’s Head of Data Defense in another leaked audio call.
Glueck made clear that this would change if and when TikTok finalizes its contract with the federal government.
TikTok did not answer questions from Forbes about the status of the company’s negotiations with CFIUS.
Did you subscribe to our newsletter?
It’s free! Click here to subscribe!