Via Sinocism. If it’s happening in the US then it’s more than likely happening here.
BuzzFeed obtained audio from 80 internal TikTok meetings that make it sound quite clear that employees in the PRC had access to American user data, even after company representatives testified under oath they did not, and repeatedly said publicly they did not. Almost simultaneous with the publication of the BuzzFeed story, TikTok released a blog post stating that “Today, 100% of US user traffic is being routed to Oracle Cloud Infrastructure”, which sure looks like an admission that the BuzzFeed story was correct. It does not really matter what data were involved if TikTok was lying about how it handled them.
For years, TikTok has responded to data privacy concerns by promising that information gathered about users in the United States is stored in the United States, rather than China, where ByteDance, the video platform’s parent company, is located. But according to leaked audio from more than 80 internal TikTok meetings, China-based employees of ByteDance have repeatedly accessed nonpublic data about US TikTok users — exactly the type of behavior that inspired former president Donald Trump to threaten to ban the app in the United States.
The recordings, which were reviewed by BuzzFeed News, contain 14 statements from nine different TikTok employees indicating that engineers in China had access to US data between September 2021 and January 2022, at the very least. Despite a TikTok executive’s sworn testimony in an October 2021 Senate hearing that a “world-renowned, US-based security team” decides who gets access to this data, nine statements by eight different employees describe situations where US employees had to turn to their colleagues in China to determine how US user data was flowing. US staff did not have permission or knowledge of how to access the data on their own, according to the tapes.
“Everything is seen in China,” said a member of TikTok’s Trust and Safety department in a September 2021 meeting. In another September meeting, a director referred to one Beijing-based engineer as a “Master Admin” who “has access to everything.” (While many employees introduced themselves by name and title in the recordings, BuzzFeed News is not naming anyone to protect their privacy.)
The recordings range from small-group meetings with company leaders and consultants to policy all-hands presentations and are corroborated by screenshots and other documents, providing a vast amount of evidence to corroborate prior reports of China-based employees accessing US user data. Their contents show that data was accessed far more frequently and recently than previously reported, painting a rich picture of the challenges the world’s most popular social media app has faced in attempting to disentangle its US operations from those of its parent company in Beijing. Ultimately, the tapes suggest that the company may have misled lawmakers, its users, and the public by downplaying that data stored in the US could still be accessed by employees in China.
we’ve changed the default storage location of US user data. Today, 100% of US user traffic is being routed to Oracle Cloud Infrastructure. We still use our US and Singapore data centers for backup, but as we continue our work we expect to delete US users’ private data from our own data centers and fully pivot to Oracle cloud servers located in the US.
In addition, we’re working closely with Oracle to develop data management protocols that Oracle will audit and manage to give users even more peace of mind.
We’re also making operational changes in line with this work – including the new department we recently established, with US-based leadership, to solely manage US user data for TikTok. Together, these changes will enforce additional employee protections, provide more safeguards, and further minimize data transfer outside of the US. This is an important direction from a systems and data security standpoint, and part of our focus on preserving an interconnected experience for our global community while building a security-first culture.
Despite all the rage and rancor about how scary it would be for the Chinese Communist Party to access US user data via TikTok, the BuzzFeed story revealed that what kind of data is considered “protected” data is still “being negotiated” – a euphemistic way of saying the regulation is being “watered down”.
While we don’t know what types of data are considered “protected”, it appears that at least one type of data, the UID [Unique Identifier], is not:
“In a recorded January 2022 meeting, the company’s head of product and user operations announced with a laugh that unique IDs (UIDs) will not be considered protected information under the CFIUS agreement: ‘The conversation continues to evolve,’ they said. ‘We recently found out that UIDs are things we can have access to, which changes the game a bit.’” (Bold emphasis mine)
I emphasized the “with a laugh” detail, because it underscores just how core UID is when it comes to data access control. Any regulation that does not include core data types, like the UID, within the “protected data” definition is basically toothless.