Exclusive: Senator's TikTok whistleblower alleges data abuses
TikTok's access controls on U.S. user data are much weaker than the company says, a former ByteDance employee told the office of Sen. Josh Hawley (R-Mo.), per a letter from Hawley to Treasury Secretary Janet Yellen shared exclusively with Axios.
Driving the news: The whistleblower's allegations, which have not been independently seen or verified by Axios, suggest that TikTok overstates its separation from its China-based owner ByteDance, relies on proprietary Chinese software that could have backdoors, and uses tools that allow employees to easily toggle between U.S. and Chinese user data.
What they're saying: "This whistleblower’s allegations are deeply concerning. They also appear to contradict public statements made by TikTok and ByteDance executives," Hawley writes.
- He cites Congressional testimony from last September by TikTok COO Vanessa Pappas stating "there are strict access controls around the data that is accessed in the United States," along with reporting from Forbes and Reuters about ByteDance employees improperly accessing TikTok's U.S. user data.
- Hawley writes: "The whistleblower describes TikTok’s access controls on U.S. data as 'superficial' at best, where they exist at all. As an example, he describes how TikTok and ByteDance employees — including members of the Chinese Communist Party known to be on ByteDance’s payroll — can switch between Chinese and U.S. data with nothing more than the click of a button using a proprietary tool called Dorado... In his words, '[i]t’s just like a light switch.'"
- The whistleblower told Hawley's office, per the letter: "I have seen first-hand China-based engineers flipping over to non-China datasets and creating scheduled tasks to backup, aggregate, and analyze data," adding that "TikTok and ByteDance are functionally the same company."
Context: Calls to ban or limit TikTok and other Chinese companies are popular in Congress right now. Meanwhile, a review of the company's practices by the Committee on Foreign Investment in the United States, meant to ultimately result in a security deal, has dragged on for more than two years.
- TikTok has consistently maintained it keeps U.S. user data secure and that it is committed to a strong CFIUS deal. Hawley has been supporting an outright ban on the app, while others in Congress have proposed less direct approaches that could keep the popular video app alive in the U.S.
- Yellen chairs CFIUS in her role as Treasury Secretary.
The other side: TikTok responded Wednesday to the allegations.
- "The tools described in Sen. Hawley's letter are primarily analytic tools — they don't independently grant direct access to data. Moreover, neither TikTok nor ByteDance engineers have access to protected U.S. user datasets stored in the Oracle cloud," TikTok spokesperson Brooke Oberwetter said.
- "All access to US user data is managed in the United States by TikTok U.S. Data Security, and can only leave the Oracle cloud environment under limited, monitored circumstances as described in our proposed agreement with CFIUS," Oberwetter said.
- She added that under Oracle's Project Texas plan all its software would be independently reviewed to "ensure that there are no back doors."
What's next: It's unclear whether this whistleblower will provide the public with any more details of his allegations or testify before Congress.
- "Our office is committed to protecting the anonymity of any whistleblower who approaches us," Hawley spokesperson Abigail Marone told Axios. "Based on our review of this whistleblower’s disclosures to our office we believe these claims deserve to be investigated by CFIUS and are asking Secretary Yellen if these concerns have come up in the course of their investigation. We’re supportive of the whistleblower determining their own level of future engagement."
Go deeper: The political realities that make a national TikTok ban tricky
Editor's note: This story has been updated with TikTok's response.