TikTok staff in China allegedly accessed U.S. user data

The ByteDance-owned TikTok has always been the subject of privacy concern, with critics often fearing that data about U.S. users may end up stored in China. While TikTok has repeatedly offered assurances that U.S. data is stored in the United States, a report claims that Chinese employees can still access the sensitive data trove.

Leaked audio from more than 80 internal TikTok meetings reviewed by Buzzfeed include 14 statements from nine separate TikTok employees revealing engineers in China had access to U.S. data between September 2021 and January 2022, at a minimum.

The allegations surface despite sworn testimony by a TikTok executive in October informing the Senate that a "world-renowned US-based security team" dictates who can or cannot see the data.

In some instances, the recordings describe how U.S. employees talk to China-based counterparts to discuss U.S. user data, with U.S. staff either not knowing how to access the data on their own, or not having permission to do so.

In another recording, a member of TikTok's Trust and Safety department mentions how "Everything is seen in China," while another brings up a China-based engineer who is a "Master Admin" who has "access to everything."

The allegations are problematic for TikTok, considering the uneasy political relationship between the U.S. and China. Indeed, the potential access and fear of exploitation led to an executive order in 2020 demanding the sale of TikTok citing national security concerns, followed by many months of legal challenges.

Responding to the report, TikTok spokesperson Maureen Shanahan said "We know we're among the most scrutinized platforms from a security standpoint, and we aim to remove any doubt about the security of U.S. user data. That's why we hire experts in their fields, continually work to validate our security standards, and bring in reputable, independent third-parties to test our defenses."

On Friday, TikTok proclaimed it had reached a "significant milestone" in changing the way it stored U.S. user data by default to U.S. servers operated by Oracle, rather than using data centers in the U.S. and Singapore. The latter will continue to be used for backups for the moment but data is expected to be deleted as the company fully pivots to Oracle's cloud servers.