TikTok could be (and likely is) sending user date to China — still.
On Friday Chinese-owned TikTok announced it completed the migration of its American user data to Oracle-owned U.S.-based servers, ostensibly bringing to close a years-long national security debate between the company and the U.S. government. We say “ostensibly” because the announcement came within hours of a new report citing leaked audio from TikTok meetings that allegedly confirms U.S. user data has repeatedly been accessed from China.
Those claims come by way of a Friday BuzzFeed News report which cites leaked audio from more than 80 internal, China-based TikTok meetings. (Chinese tech giant ByteDance owns TikTok). Specifically, BuzzFeed claims the recordings include 14 statements from nine employees who admit engineers had access to U.S. user data for five months between September 2021 and January 2022.
Gizmodo could not independently confirm the contents of the reported leaked audio.
While TikTok executives previously assured U.S. lawmakers an American security team decides who gets the final say on accessing data, the leaked audio allegedly calls into question that commitment. According to BuzzFeed, eight different employees reportedly said they weren’t granted permission to access data on their own and described situations where they had to turn to their China-based colleagues for approval. Fourteen of the recordings allegedly involved conversations with or about Booz Allen Hamilton employees, who were reportedly brought on to assist with data migration efforts, according to one recorded consultant
Summing up the claims during a September 2021 meeting, one member of TikTok’s Trust and Safety department allegedly admitted, “Everything is seen in China.” In another recording, one TikTok data analyst allegedly told a colleague: “I get my instructions from the main office in Beijing.”
TikTok did not immediately respond to Gizmodo’s request for comment and dodged the allegation in its response to BuzzFeed.
“We know we’re among the most scrutinized platforms from a security standpoint, and we aim to remove any doubt about the security of US user data.” a TikTok spokesperson said. “That’s why we hire experts in their fields, continually work to validate our security standards and bring in reputable, independent third parties to test our defenses.”
Hours before the BuzzFeed report went live BuzzFeed released a blog postmentioning its migration of U.S. user data to Oracle servers. Previously, TikTok claims U.S. user data was held on data servers in Virginia, with backup servers in Singapore. Now, according to the company, 100% of U.S. user data will be routed through Oracle’s Cloud Infrastructure. The Virginia and Singapore servers will still be used as backups.
“We’re dedicated to earning and maintaining the trust of our community and will continue to work every day to protect our platform and provide a safe, welcoming, and enjoyable experience for our community,” the company wrote.
While TikTok’s efforts to move U.S. user data out of Chinese servers do little to alleviate all the concerns voiced by national security groups, the fact that China-based employees can still allegedly access that data worries some experts. In an interview with BuzzFeed, Adam Segal, the Director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations, said such a situation could potentially result in a Chinese employee sharing that data with a Chinese intelligence agency.
It’s also unclear just how much of an effect the Oracle data hosting will have. According to BuzzFeed, the leaked recordings suggest a portion of U.S. users’ data, including video bios and comments, will still be stored in the previous U.S.-based Virginia data center. Information from that data center, the report alleges, may still be accessible by Chinese-based ByteDance employees.
To say TikTok’s history in the U.S. has been messy is an understatement. Hawkish lawmakers have for years wondered if TikTok could function as a useful espionage tool for nosey Chinese intelligence officials. Those concerns reached a fever pitch several years into the Trump administration when the former president signed an executive order threatening to ban the app unless ByteDance sold the U.S segment of its business to an American firm. A number of U.S. companies, including Walmart and Microsoft, reportedly feigned interest in the explosive app, but Oracle ended up looking like the strongest contender when all was said and done. Oracle and TikTok danced around the deal, opting instead to move forward as a “trusted technology partner.”
The Biden Administration last year acted to cool the temperature around TikTok and reportedly “shelved” talks of a TikTok, Oracle deal. Though Biden stepped back from the Trump era deal, his administration didn’t necessarily abandon the festering national security concerns full-bore. In a Wall Street Journal interview at the time, National Security Council spokeswoman EmilyHorne said the administration was still evaluating how to properly approach TikTok and other Chinese-owned apps.
“We plan to develop a comprehensive approach to securing U.S. data that addresses the full range of threats we face,” Horne said. “This includes the risk posed by Chinese apps and other software that operate in the U.S. In the coming months, we expect to review specific cases in light of a comprehensive understanding of the risks we face.”
Though Biden had softened the U.S. edges around TikTok, it’s possible the new BuzzFeed report, if verified, could change the temperature.
We thought everyone already assumed that TikTok data was going to China because, despite what they say, it’s still a Chinese tech giant-owned company. They aren’t stupid.