TikTok staff accessed data to track journalists, ByteDance finds

Chinese parent company of popular video app says the employees responsible are no longer with the company.

TikTok's Chinese parent company has said some employees improperly accessed the user data of two journalists [File: Kiichiro Sato/AP Photo]

ByteDance, the Chinese parent company of popular video app TikTok, said some employees improperly accessed the TikTok user data of two journalists and were no longer employed by the company, an email seen by the Reuters news agency shows.

ByteDance employees accessed the data as part of an unsuccessful effort to investigate leaks of company information earlier this year and were aiming to identify potential connections between two journalists – a former BuzzFeed reporter and a Financial Times reporter – and company employees, according to the email sent on Thursday by ByteDance lawyer Erich Andersen.

The employees looked at the journalists’ IP addresses in an attempt to learn whether they were in the same location as employees suspected of leaking confidential information.

The disclosure, reported earlier by the New York Times, could add to the pressure TikTok is facing in Washington from legislators and President Joe Biden’s administration over security concerns about US users’ data.

A person briefed on the matter said four ByteDance employees who were involved in the incident were fired, including two in China and two in the United States. Company officials said they were taking additional steps to protect user data.

“The misconduct of certain individuals, who are no longer employed at ByteDance, was an egregious misuse of their authority to obtain access to user data,” a TikTok spokesperson told Al Jazeera.

“This misbehavior is unacceptable, and not in line with our efforts across TikTok to earn the trust of our users. We take data security incredibly seriously, and we will continue to enhance our access protocols, which have already been significantly improved and hardened since this incident took place.”

A ByteDance spokesperson condemned the employees’ “misguided initiative”.

“We have taken disciplinary measures and none of the individuals found to have directly participated in or overseen the misguided plan remain employed at ByteDance,” the spokesperson told Al Jazeera.

The US Congress is set to pass legislation this week to ban federal employees from downloading or using TikTok on their government-owned devices. More than a dozen governors have barred state employees from using TikTok on state-owned devices.

The Financial Times said in a statement that “spying on reporters, interfering with their work or intimidating their sources is completely unacceptable. We’ll be investigating this story more fully before deciding our formal response.”

BuzzFeed News spokesperson Lizzie Grams said the company was deeply disturbed by the report, adding it showed “a blatant disregard for the privacy and rights of journalists as well as TikTok users”.

Forbes reported on Thursday that ByteDance had tracked multiple Forbes journalists, including some who formerly worked at BuzzFeed, “as part of a covert surveillance campaign” aimed at discovering the source of leaks.

Randall Lane, the chief content officer of Forbes, called it “a direct assault on the idea of a free press and its critical role in a functioning democracy”.

TikTok Chief Executive Shou Zi Chew said in a separate email to employees seen by Reuters that such “misconduct is not at all representative of what I know our company’s principles to be”.

He said the company “will continue to enhance these access protocols, which have already been significantly improved and hardened since this initiative took place”.

Chew said that over the past 15 months, the company had been working to build TikTok US Data Security (USDS) to ensure protected user data stays in the US.

“We are completing the migration of protected US user data management to the USDS department and have been systematically cutting off access points,” he wrote.

ByteDance also said it was restructuring the Internal Audit and Risk Control department, and the global investigations function would be split out and restructured.

The Committee on Foreign Investment in the United States (CFIUS), a national security body, has for months sought to reach a national security agreement with ByteDance to protect the data of more than 100 million US TikTok users, but it appears no deal will be reached before year’s end.

Republican Senator Marco Rubio said of the incident that ByteDance “is desperate to tamp down growing bipartisan concerns about how it enables the Chinese Communist Party to use – and potentially weaponise – the data of American citizens. Every day it becomes more clear that we need to ban TikTok”.

Source: Al Jazeera, Reuters