TikTok confirms that China-based employees can access US user data under specific circumstances
TikTok confirmed in a letter that ByteDance staff members headquartered in China may have access to US user data in some situations. This letter was written mostly in response to questions about the topic from nine Republican senators. It describes how employees situated outside of the US, including those in China, have access to user data belonging to US citizens. But he noted that it depends on stringent “cybersecurity controls” and “authorization approval standards,” which are overseen by the security team stationed in the US. He continued by mentioning the platform’s “internal data classification system” and the “established approval process” that establishes access levels.
These depend on the classification of the data, and access to US user data requires authorization. In addition, he explained that the degree of approval required depends largely on how sensitive the data is in accordance with the classification system. According to reports, ByteDance, the parent company of TikTok, had access to US data and actively participated in the decision-making process for the video streaming service. Sal Rodriguez, currently a correspondent for The Wall Street Journal, wrote the piece for CNBC in 2021.
Concerns over privacy and security received more attention after a revelation on the audio of internal meetings. It detailed how ByteDance workers had routinely accessed such user data over the course of at least four months. Additionally, how US-based staff was denied access to it. A corporate spokeswoman acknowledged in a statement that they were one of the “most scrutinized platforms” in terms of security. They continued by saying that their intention was to dispel any uncertainty regarding “the security of US user data.”
TikTok announced that “100% of US user traffic” is in the process of being routed to Oracle Cloud Infrastructure on a specific day that the report was published. Instead of the traffic being collected in its own data centers in Singapore or the US, this was the case. Also mentioned in the letter was Chew’s observation that the report contained ‘allegations and insinuations’ that were untrue or supported by facts.