Four employees of TikTok’s parent company ByteDance were fired after an internal investigation found they surveilled several journalists and other users in order to reveal anonymous sources who were leaking company information to the public.
The four employees, who were not named, purportedly gained account information on Emily Baker-White of BuzzFeed News (now at Forbes) and Cristina Criddle of the Financial Times, who published stories that detailed how ByteDance employees were gaining access to sensitive data of TikTok users based in the United States.
After those reports, the four ByteDance employees purportedly gained an additional trove of data in order to unmask the sources used in the earlier stories. Forbes reported on the internal probe on Thursday, based in part on a memo circulated among ByteDance employees by the company’s general counsel, Erich Anderson.
“It is standard practice for companies to have an internal audit group authorized to investigate code of conduct violations; however, in this case, individuals misused their authority to obtain access to TikTok user data,” Anderson wrote.
According to the probe, the four ByteDance employees — two of whom were based in China, where ByteDance is headquartered, and the other two in the United States — used Internet protocol (IP) addresses and geolocation information to spy on the location of the target journalists.
“The public trust that we have spent huge efforts building is going to be significantly undermined by the misconduct of a few individuals,” Rubo Liang, the China-based CEO of ByteDance, wrote in an e-mail to employees this week. “I believe this situation will serve as a lesson to us all.”
In addition to Baker-White and Criddle, Forbes said two other reporters — Katharine Schwab and Richard Nieva — were also targeted by ByteDance employees, though the company didn’t confirm this. Like Baker-White, Schwab and Nieva worked at BuzzFeed News before moving to Forbes.
“This is a direct assault on the idea of a free press and its critical role in a functioning democracy,” Randall Lane, the chief content officer of Fores, said in a statement. “We await a direct response from ByteDance, as this raises fundamental questions about what they are doing with the information they compile from TikTok users.”
A ByteDance spokesperson said the probe revealed “an egregious misuse of their authority to obtain access to user data.”
“This misbehavior is unacceptable, and not in line with our efforts across TikTok to earn the trust of our users,” the spokesperson said.
The incident comes as ByteDance and TikTok have faced intense pressure by government officials in the United States over the last few years over concerns that the video-centric social media platform asks too much of its users in terms of personal data and offers too few safeguards to ensure that data isn’t manipulated by outside forces — specifically, the Chinese government. China and the United States have an adversarial relationship in cyberspace, with both companies accusing each other of cyber-espionage and other illicit digital practices.
Last month, the head of the Federal Bureau of Investigation said he had a “number of concerns” over how ByteDance was collecting and using the personal data of TikTok users, including whether the company was giving the data over to the Chinese government wholesale.
“They include the possibility that the Chinese government could use it to control data collection on millions of users or control the recommendation algorithm, which could be used for influence operations if they so chose, or to control software on millions of devices, which gives it an opportunity to potentially technically compromise personal devices,” Christopher Wray, the director of the FBI, told Congress in November.
The concerns were based in part on reports published by BuzzFeed News and Forbes that ByteDance employees had accessed personal information like birthdays, phone numbers and geolocation information for some U.S.-based users of the social media website.
“That’s plenty of reason by itself to be extremely concerned,” Wray said.
Two years ago, then-President Donald Trump ordered American-based app stores to stop distributing TikTok to smartphone and tablet users unless ByteDance sold its American business to a U.S.-based company. (At the time, Walmart and Oracle emerged as potential buyers.) That plan was put on hold when current President Joseph Biden took office last year.
To ease concerns, ByteDance said it was transitioning data of American users to Oracle’s cloud computing and storage solutions, which would presumably put that data out of the reach of Chinese government officials should they request it. But the data at the center of ByteDance’s most recent probe — the data on the surveilled journalists — had not been migrated over to Oracle’s cloud and was still available to staffers in the United States and abroad, ByteDance executives affirmed this week.
“No one should be surprised or fooled by ByteDance’s public apology,” Senator Marco Rubio of Florida, who is a ranking member of the Senate Intelligence Committee, said in a statement on Thursday, noting that the latest incident made it “more clear that we need to ban TikTok.”