ByteDance, the Chinese owner of viral social media platform TikTok, has admitted it inappropriately obtained the data of users, including a Financial Times journalist, in order to analyse their location as part of an internal leaks investigation.
Over the summer, four employees on the ByteDance internal audit team looked into the sharing of internal information to journalists.
Two members of staff in the US and two in China gained access to the IP addresses and other personal data of FT journalist Cristina Criddle, to work out if she was in the proximity of any ByteDance employees, the company said. However, the company failed to find any leaks.
A BuzzFeed journalist and a number of users connected to the reporters through their TikTok accounts were also targeted.
Since June, the FT has run a series of stories led by Criddle which revealed dozens of workers had left TikTok’s London office since the beginning of this year, with some reporting working 12 hours a day or being demoted after taking leave. Some staff have also described a “kill list” of colleagues that the company wanted to force out of its London office.
Joshua Ma, the ByteDance executive in charge of its ecommerce expansion in Europe, was replaced after the FT revealed he had told London-based employees he “didn’t believe” in maternity leave.
The findings of ByteDance’s internal investigation, which was led by its global legal compliance team together with an external law firm, were announced today in an email to staff and first reported by the New York Times. The inquiry was triggered by an article in Forbes about lawmakers banning the app in the US due to privacy and security concerns.
General counsel Erich Andersen wrote to staff that a “misguided plan was developed and carried out by a few individuals within the Internal Audit department this past summer”, adding that those involved “misused their authority to obtain access to TikTok user data” in violation of its code of conduct.
In a separate email to staff, ByteDance chief executive Liang Rubo wrote that the company needed to “deeply reflect on our actions and think about how we can prevent similar incidents from happening again”.
TikTok declined to comment further.
On the back of Thursday’s revelations, one person on the employee conduct team resigned, while the other three were fired. ByteDance has since restructured its internal audit team and removed access to US data from that department.
News of the tracking comes as TikTok is already facing a mounting political backlash in the US over national security concerns that data it collects on American users could be passed to the Chinese government and Communist party — claims that it denies.
On Thursday, the US Senate passed a bill that included a measure barring federal employees from using TikTok on government-issued devices, which is set for a vote in the House on Friday. Meanwhile, several US states, including Maryland, Texas and Iowa, have also taken action to bar employees from installing TikTok on government devices.
For months, TikTok has been working on a national security deal with the US government in response to the scrutiny. The deal, which has yet to be agreed, would involve partnering with Oracle to put American user data on the servers of the US cloud software company, and introducing tighter controls over whether and how Chinese staffers can access that data.
The Financial Times said: “Spying on reporters, interfering with their work or intimidating their sources is completely unacceptable. We’ll be investigating this story more fully before deciding our formal response.”