TikTok Spied On Forbes Journalists

photo: pixabay

ByteDance confirmed it used TikTok to monitor journalists’ physical location using their IP addresses, as first reported by Forbes in October.

 

An internal investigation by ByteDance, the parent company of video-sharing platform TikTok, found that employees tracked multiple journalists covering the company, improperly gaining access to their IP addresses and user data in an attempt to identify whether they had been in the same locales as ByteDance employees.

 

According to materials reviewed by Forbes, ByteDance tracked multiple Forbes journalists as part of this covert surveillance campaign, which was designed to unearth the source of leaks inside the company following a drumbeat of stories exposing the company’s ongoing links to China. As a result of the investigation into the surveillance tactics, ByteDance fired Chris Lepitak, its chief internal auditor who led the team responsible for them. The China-based executive Song Ye, who Lepitak reported to and who reports directly to ByteDance CEO Rubo Liang, resigned.

 

“I was deeply disappointed when I was notified of the situation… and I’m sure you feel the same,” Liang wrote in an internal email shared with Forbes. “The public trust that we have spent huge efforts building is going to be significantly undermined by the misconduct of a few individuals. … I believe this situation will serve as a lesson to us all.”

 

“It is standard practice for companies to have an internal audit group authorized to investigate code of conduct violations,” TikTok General Counsel Erich Andersen wrote in a second internal email shared with Forbes. “However, in this case individuals misused their authority to obtain access to TikTok user data.”

Forbes first reported the surveillance tactics, which were overseen by a China-based team at ByteDance, in October. Asked for comment on that story, ByteDance and TikTok did not deny the surveillance, but took to Twitter after the story was published to say that “TikTok has never been used to ‘target’ any members of the U.S. government, activists, public figures or journalists,” and that “TikTok could not monitor U.S. users in the way the article suggested.” In the internal email, Liang acknowledged that TikTok had been used in exactly this way, as Forbes had reported.

 

 

“This is a direct assault on the idea of a free press and its critical role in a functioning democracy.”

Randall Lane, the chief content officer of Forbes

 

 

The investigation, internally known as Project Raven, began this summer after BuzzFeed News published a story revealing that China-based ByteDance employees had repeatedly accessed U.S. user data, based on more than 80 hours of audio recordings of internal TikTok meetings. According to internal ByteDance documents reviewed by Forbes, Project Raven involved the company’s Chief Security and Privacy Office, was known to TikTok’s Head of Global Legal Compliance, and was approved by ByteDance employees in China. It tracked Emily Baker-White, Katharine Schwab and Richard Nieva, three Forbes journalists that formerly worked at BuzzFeed News. (Disclosure: In a previous life, I held policy positions at Facebook and Spotify.)

 

“This is a direct assault on the idea of a free press and its critical role in a functioning democracy,” says Randall Lane, the chief content officer of Forbes. “We await a direct response from ByteDance, as this raises fundamental questions about what they are doing with the information they compile from TikTok users.”

 

After this story was published, TikTok spokesperson Hilary McQuaide said, “The misconduct of certain individuals, who are no longer employed at ByteDance, was an egregious misuse of their authority to obtain access to user data. This misbehavior is unacceptable, and not in line with our efforts across TikTok to earn the trust of our users.”

 

ByteDance spokesperson Jennifer Banks added, “ByteDance condemns this misguided plan that violated the company’s Code of Conduct.” She said that ByteDance has not found evidence that the company surveilled Forbes journalists beyond Baker-White, but that the investigation is ongoing. Internal company materials reviewed by Forbes indicate surveillance of Schwab and Nieva as well.

 

Banks also noted that its head of Global Legal Compliance, Catherine Razzano, did not know about the surveillance of journalists until late October, although materials reviewed by Forbes show that she was aware of the Project Raven leak investigation before that time.

 

“This new development reinforces serious concerns that the social media platform has permitted TikTok engineers and executives in the People’s Republic of China to repeatedly access private data of U.S. users despite repeated claims to lawmakers and users that this data was protected,” Senator Mark Warner told Forbes. “The DoJ has also been promising for over a year that they are looking into ways to protect U.S. user data from Bytedance and the CCP — it’s time to come forward with that solution or Congress could soon be forced to step in.”

 

According to an internal email sent Thursday by Andersen, ByteDance found that several of its employees obtained the data of “a former BuzzFeed reporter and a Financial Times reporter,” as well as a “small number of people connected to the reporters” through their TikTok accounts. The audit was conducted by the law firm Covington & Burling, which has represented TikTok in litigation against the U.S. government. Covington did not respond to a comment request.

 

In addition to the firing of TikTok’s Chief Internal Auditor, Chris Lepitak, who was suspended after Forbes’ initial report about the surveillance scheme in October, ByteDance fired two additional TikTok employees in the United States and China as a result of the findings. Lepitak did not immediately respond to a request for comment. “None of the individuals found to have directly participated in or overseen the misguided plan remain employed at ByteDance,” Andersen wrote in the internal email.

 

“This new development reinforces serious concerns that the social media platform has permitted TikTok engineers and executives in the People’s Republic of China to repeatedly access private data of U.S. users despite repeated claims to lawmakers and users that this data was protected.”

Senator Mark Warner

 

The team that oversaw the surveillance campaign was ByteDance’s Internal Audit and Risk Control department, a Beijing-based unit primarily responsible for conducting investigations into potential misconduct by current and former ByteDance employees.

 

TikTok chief executive Shou Zi Chew wrote in his own email to employees, “We take data security incredibly seriously,” adding that the company’s Project Texas, which would limit China-based access to U.S. user data (and which was first reported by Baker-White at BuzzFeed News) was a “testament to that commitment.”

 

In 2021, TikTok became the most visited website in the world, but the app’s ownership by Chinese tech giant ByteDance has raised serious concerns about the company’s access to the personal information of millions of U.S. citizens, as well as its capacity to manipulate and influence user content. The company is currently negotiating a national security contract with the Treasury Department’s Committee on Foreign Investment in the U.S. (CFIUS), which will govern the way the Chinese-owned social media app handles Americans’ personal user data. The company has also sought to assuage concerns about ties to China by working to move some U.S. user information stateside to be stored at a data center managed by Oracle as part of Project Texas.

 

“In this case individuals misused their authority to obtain access to TikTok user data.”

Erich Andersen, TikTok General Counsel

 

Forbes reported in October that the same China-based ByteDance internal audit and investigations team that oversaw the surveillance campaign against journalists also investigated TikTok global security chief Roland Cloutier, a U.S. Air Force veteran, who was tasked with overseeing efforts to limit Chinese employees’ access to American user data. Cloutier stepped down in July 2022. At least five senior employees who led departments at TikTok recently left the company over revelations that they could not meaningfully influence decision-making, Forbes also found.

 

TikTok and ByteDance declined to comment on specific employee investigations or on the departures.

 

In August, Forbes additionally found LinkedIn profiles for three hundred ByteDance employees that showed they previously worked for Chinese state media publications. Twenty-three of the profiles appeared to have been created by ByteDance directors. At the time, ByteDance spokesperson Jennifer Banks said the company makes “hiring decisions based purely on an individual’s professional capability to do the job. For our China-market businesses, that includes people who have previously worked in government or state media positions in China. Outside of China, employees also bring experience in government, public policy, and media organizations from dozens of markets.”

 

ByteDance is not the first tech giant to use an app to monitor specific users. In 2017, the New York Times reported that Uber had identified various local politicians and regulators and served them a separate, misleading version of the Uber app to avoid regulatory penalties. At the time, Uber acknowledged that it had run the program, called “greyball,” but said it was used to deny ride requests to “opponents who collude with officials on secret ‘stings’ meant to entrap drivers,” among other groups.

 

Both Uber and Facebook also reportedly tracked the location of journalists reporting on their apps. A 2015 investigation by the Electronic Privacy Information Center found that Uber had monitored the location of journalists covering the company. Uber did not specifically respond to this claim. The 2021 book An Ugly Truth alleges that Facebook did the same thing, in an effort to identify the journalists’ sources. Facebook did not respond directly to the assertions in the book, but a spokesperson told the San Jose Mercury News in 2018 that, like other companies, Facebook “routinely use[s] business records in workplace investigations.”

 

But an important factor distinguishes ByteDance’s collection of private users’ information from those cases: TikTok told lawmakers in June that access to certain U.S. user data — likely including location — will be “limited only to authorized personnel, pursuant to protocols being developed with the U.S. Government.”

 

Brendan Carr, an FCC commissioner who called on Apple and Google to ban TikTok following the June BuzzFeed News report, said: “At the precise moment when TikTok is trying to convince U.S. officials that it can be trusted—when it has every incentive to ensure the security of user data—its Beijing-based parent company abused its systems to obtain data on reporters that are covering TikTok? This should be the final nail in the coffin for the idea that U.S. officials can trust TikTok.”

 

This story has been updated to incorporate additional information from TikTok and ByteDance.

Tags

highlighted news

Sorry, we couldn't find any posts. Please try a different search.

Related posts