About a year ago, CNBC published a story claiming that all of the personal data on TikTok was was available to Byte Dance, the Chinese owners of the company. And under Chinese law, any data gathered by a Chinese company is subject to seizure at any time by the CCP. So, essentially, if Xi Jinping wants your personal info and a list of videos you’ve watched recently, all he has to do is ask. President Trump issued an executive order aimed at TikTok in August 2020, but last June President Biden revoked that order and replaced it.
Under the previous administration, TikTok remained in a precarious position as Trump sought to ban the app unless it sold to an American company…
Biden’s ascendance to the White House threw a wrench in the deal and ongoing legal proceedings between TikTok and the government.
Today, Buzzfeed has a story confirming what we already knew to be true. Based on leaked audio recordings of internal meetings at Byte Dance, it’s clear that engineers in China can look at data on Americans using the platform.
The recordings, which were reviewed by BuzzFeed News, contain 14 statements from nine different TikTok employees indicating that engineers in China had access to US data between September 2021 and January 2022, at the very least. Despite a TikTok executive’s sworn testimony in an October 2021 Senate hearing that a “world-renowned, US-based security team” decides who gets access to this data, nine statements by eight different employees describe situations where US employees had to turn to their colleagues in China to determine how US user data was flowing. US staff did not have permission or knowledge of how to access the data on their own, according to the tapes.
“Everything is seen in China,” said a member of TikTok’s Trust and Safety department in a September 2021 meeting. In another September meeting, a director referred to one Beijing-based engineer as a “Master Admin” who “has access to everything.”
TikTok is currently working on a deal called Project Texas which would supposedly isolate the personal data of Americans using the service at a data center run by Oracle in Texas. Earlier today, just before the Buzzfeed story went up, TikTok issued a statement saying all data was now being stored in Texas.
For more than a year, we’ve been working with Oracle on several measures as part of our commercial relationship to better safeguard our app, systems, and the security of US user data. We’ve now reached a significant milestone in that work: we’ve changed the default storage location of US user data. Today, 100% of US user traffic is being routed to Oracle Cloud Infrastructure. We still use our US and Singapore data centers for backup, but as we continue our work we expect to delete US users’ private data from our own data centers and fully pivot to Oracle cloud servers located in the US.
But as Buzzfeed points out, it doesn’t really matter where the data is physically stored if Chinese engineers have access to it.
“Physical location does not matter if the data can still be accessed from China,” Adam Segal, director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations, told BuzzFeed News in an email. He said the “concern would be that data would still end up in the hands of Chinese intelligence if people in China were still accessing.”…
As TikTok continues to negotiate over what data will be considered protected, the recordings make clear that a lot of US user data — including public videos, bios, and comments — will not be exclusively stored in the Oracle server. Instead, this data will be stored in the company’s Virginia data center, which may remain accessible from ByteDance’s Beijing offices even once Project Texas is complete. That means ByteDance’s China-based employees could continue to have access to insights about what American TikTok users are interested in, from cat videos to political beliefs.
It also appears that Oracle is giving TikTok considerable flexibility in how its data center will be run. In a recorded conversation from late January, TikTok’s head of global cyber and data defense made clear that while Oracle would be providing the physical data storage space for Project Texas, TikTok would control the software layer: “It’s almost incorrect to call it Oracle Cloud, because they’re just giving us bare metal, and then we’re building our VMs [virtual machines] on top of it.” Oracle did not respond to a request for comment.
So some of the data (your date of birth, for instance) may be protected from prying eyes in China, though even that doesn’t seem certain. Even if that happens, a lot of the data will certainly still be available to China.