TikTok’s data security plan is ‘deeply flawed,’ whistleblower claims


A former risk manager at TikTok has met with congressional investigators to share his concerns that the company’s plan for protecting U.S. user data is deeply flawed, pointing to evidence that could inflame lawmakers’ suspicion of the app at a moment when many are considering a nationwide ban.

In an exclusive interview with The Washington Post, the former employee, who worked for six months in the company’s Trust and Safety division ending in early 2022, said the issues could leave data from TikTok’s more than 100 million U.S. users exposed to China-based employees of its parent company ByteDance, even as the company races to implement new safety rules walling off domestic user information.

His allegations threaten to undermine this $1.5 billion restructuring plan, known as Project Texas, which TikTok has promoted widely in Washington as a way to neutralize the risk of data theft or misuse by the Chinese government.

They could also fuel speculation that the wildly popular short-video app remains vulnerable to having its video-recommendation algorithm and user data distorted for propaganda or espionage. U.S. authorities have not shared evidence that the Chinese government has accessed TikTok’s data or code.

TikTok and ByteDance officials have since 2019 been negotiating with a group of federal officials, known as the Committee on Foreign Investment in the United States, about which privacy standards and technical safeguards they’d need to adopt to satisfy U.S. national-security concerns. The company finalized its proposal in August and presented it to CFIUS, but it has yet to be approved, and CFIUS officials have declined to explain why.

The former employee, who spoke on the condition of anonymity because of fear of retaliation, has told congressional investigators that Project Texas does not go far enough and that a truly leakproof arrangement for Americans’ data would require a “complete re-engineering” of how TikTok is run.

As one piece of evidence, he shared with The Post a snippet of code he said showed TikTok could connect with systems linked to Toutiao, a popular Chinese news app run by ByteDance. That connection, he said, could allow for surreptitious interference in the flow of U.S. data.

TikTok officials said the former employee has misconstrued the plan and that his termination, months before it was finalized, means he “would have no knowledge of the current status of Project Texas and the many significant milestones the initiative has reached over the last year.”

His Toutiao allegation was “unfounded,” they said, and the code snippet he shared did not indicate any correlation or connectivity between the two apps. The Toutiao code, they said, does not link back to China and is “nothing more than a naming convention and technical relic” harking back to ByteDance’s first successful app.

Officials also said they have already adopted one key pledge of Project Texas by moving U.S. user data and other critical code to servers run by the American tech giant Oracle — a move, they said, that would further undermine the claim that Toutiao officials could have any influence on TikTok’s U.S. content or operations.

How TikTok ate the internet

The former employee’s ability to secure meetings with key senators’ staff reinforces the expansiveness of Washington’s interest in a youth-beloved app best known for its viral dances and challenges. TikTok’s chief executive Shou Zi Chew probably will be grilled on Project Texas and the possibility of Chinese influence during a congressional hearing later this month.

His visits in Washington are also timed to accelerating concern about TikTok, including two recent legislative pushes that could lead to an unprecedented nationwide app ban. The former employee said he had met with staff in the offices of Sens. Charles E. Grassley (R-Iowa) and Mark R. Warner (D-Va.). Representatives from both offices confirmed the meetings but declined further comment.

Sen. Warner and a bipartisan group of senators on Tuesday proposed a bill that would give the Commerce Department a direct path to banning TikTok and other apps with foreign owners following a “risk-based” assessment. Another bill advanced by the House Foreign Affairs Committee last week would let President Biden ban TikTok outright.

The White House said Wednesday it supported Warner’s bill but was also waiting for the CFIUS negotiations to conclude. More than two dozen states have passed measures banning TikTok on government-owned devices, but a 2020 federal court ruling — and a growing group of civil-liberties activists and congressional Democrats — have argued that a nationwide ban would violate Americans’ First Amendment protections against any government law limiting freedom of speech.

As states ban TikTok on government devices, evidence of harm is thin

The former employee worked as head of a unit within TikTok’s Safety Operations team, which oversaw technical risk management and compliance issues, including which employees had access to company tools and user data, according to documents he shared with The Post.

He argues that a nationwide ban would be unnecessary to resolve the technical concerns, which he said could be fixed with “doable and feasible” solutions that would go beyond Project Texas’s protocols. He said he worked to address the data-privacy issues internally but was fired after raising his concerns.

In a December letter to TikTok’s CEO Chew, which he shared with The Post, the former employee wrote that senior managers were “responsible for the internal fraud pertaining to implementation of Project Texas,” which he said involved them “intentionally lying” to U.S. government officials about how its controls had been tested and verified.

“Various TikTok executives were unduly pressuring me to sign off on Project Texas as if it was something accomplished [a] long time ago,” he wrote. He demanded a “rapid internal investigation to ensure true risk management and my reinstatement.”

ByteDance’s head of global legal compliance acknowledged receiving his letter of concerns and said the company would “review them with expediency,” according to a copy of the email reviewed by The Post. The company, he said, has not offered any updates since.

The former employee said he has not yet filed an official whistleblower complaint with the SEC, and his claims have not been corroborated by an official investigation.

He said he is also separate from an alleged whistleblower referenced in a Tuesday letter that Sen. Josh Hawley (R-Mo.) sent to the Treasury Department, first reported by Axios. That person said TikTok’s data-access controls were “superficial” and that China-based engineers could use tools to access U.S. data with “the click of a button,” wrote Hawley, one of TikTok’s biggest critics in Congress. Those claims have also not been verified.

TikTok officials said in a statement Wednesday that the “analytic tools” did not grant direct access to data and that protected U.S. information is now stored on Oracle servers where it can be accessed only in “limited, monitored circumstances.”

As Washington wavers on TikTok, Beijing exerts control

Project Texas would wall off TikTok’s U.S. operations into a new subsidiary, TikTok U.S. Data Security, whose leaders would be vetted by the U.S. government and report to CFIUS, according to briefings the company has given to researchers, journalists and members of Congress.

All U.S. user data would be siloed in a system with monitored gateways for authorized use, according to the plan, and TikTok’s code and recommendation algorithms would be reviewed by engineers from Oracle, who could alert U.S. regulators to possible concerns.

Some briefed on the plan have commended its rigor, including Samm Sacks, a senior fellow at Yale Law School’s Paul Tsai China Center, who said it reflected a serious effort that would give the U.S. government an unprecedented level of supervision and control into how the company works.

“If it’s not working, if there’s data leakage or content that’s problematic, TikTok would be subject to more oversight than any social media company operating in the U.S.,” she said.

But skeptics have argued that no technical safeguard can protect from ByteDance’s ownership, which they say could pressure TikTok managers to censor inconvenient topics, boost pro-government messages or introduce vulnerabilities through lines of code. TikTok employees told The Post last year that ByteDance teams in Beijing worked on design, engineering and software tools that they relied on for daily operations.

If Project Texas is rejected, some members of Congress have argued that the only solution would be to force ByteDance to sell TikTok to an American buyer — an idea, first floated by the Trump administration, that TikTok’s supporters have compared to hostage-taking. Government authorities in Beijing used export laws to block the Trump proposal in 2020 and could do so again.

TikTok can collect a large range of user data, including video viewing histories, email addresses and contacts, though American tech giants such as Facebook and Google gather even more, including precise GPS locations, extensive biographical details and web-browsing histories, according to a Post review last month.

Is TikTok really giving your data to China?

Chinese government authorities can, by law, compel tech companies to hand over user data to support “national intelligence” work. TikTok has argued that Americans’ information would not be subject to that law because it is stored in servers in the U.S. and Singapore.

Critics of a ban have argued it would violate Americans’ free-speech rights and fail to address the bigger need for a national law restricting how personal data is collected by all apps, not just TikTok. The digital rights group Fight for the Future said in a statement last month that the ban proposal amounted to “xenophobic showboating that does exactly nothing to protect anyone.”

The former employee’s claims match those from a source who shared hours of internal meeting recordings, first reported by BuzzFeed last year, in which company employees said they were working to close up ways in which U.S. data could be accessed by employees in China, in line with their CFIUS proposal.

Following that report, an internal ByteDance team used TikTok data such as users’ IP addresses, which offer a general estimate of their location, in an attempt to identify how company information had been leaked. The attempt failed, according to ByteDance officials, who announced the attempt in December and said the four employees involved in the effort had been fired.

Chew, the TikTok CEO who met with The Post last month during a cross-Washington charm offensive, said the company was restructuring its internal-audit team and working to explain its safety controls to skeptical lawmakers and regulators. The scandal, he said, threatened to “erode all the work that we have done.”

Add a Comment

Your email address will not be published. Required fields are marked *