TikTok’s effort to wall off U.S. user data only focused on the ‘front door’ while leaving the back door wide open, former employees say

TikTok's high-profile push to wall off U.S. user data from its China-based parent, as critics had demanded, failed to cut ties between the two because of its complex computer network structure, says the company’s former lead technical program manager for security engineering.

ByteDance, TikTok's owner, retained control over some computer systems used by TikTok employees, including messaging software as well as product and tech management software, according to Patrick Spaulding Ryan, who led TikTok's security compliance from March 2020 to June 2022.

Employees routinely shared user data, including U.S. user data, on these internal systems for testing, product development, and troubleshooting, said Ryan, whose account was corroborated by another former employee who left TikTok in early 2023. The practice left U.S. user data vulnerable to snooping by China-based ByteDance workers, Ryan and the other source said, at least while both were still on TikTok’s payroll.

“There’s a front door that everyone is looking at, but the way to access the network is through employees,” said Ryan.

The allegation further undermines TikTok's insistence that it kept U.S. user data out of the hands of its parent company. Critics have worried that the data could be used by Chinese government officials to spy on Americans, whose locations and online behaviors are tracked in minute detail by online services like TikTok, though there is no evidence of this actually happening.

In response to the latest allegations, a TikTok spokesperson said in a statement: “This reporting is inaccurate and is clearly driven by anonymous sources with a preconceived agenda.” TikTok’s user data, the company said, was stored in Virginia and Singapore in 2022, and away from China. It declined to respond to allegations that some of its enterprise systems were hosted in China through at least 2022.

On Wednesday, President Biden, worried by potential snooping, signed a bill that forces ByteDance to sell TikTok to a non-China-based company. The law gives ByteDance nine months to sell TikTok, with a potential three-month extension if needed, or face a ban on TikTok in the U.S.

In a statement on X, the former Twitter, TikTok described the new law as unconstitutional and said it would challenge it in court. “We believe the facts and the law are clearly on our side, and we will ultimately prevail. The fact is, we have invested billions of dollars to keep U.S. data safe and our platform free from outside influence and manipulation,” TikTok said.

In 2021, while facing a U.S. ban by then-President Trump, TikTok started an initiative to keep U.S. user data away from ByteDance. The company ultimately beat back the ban, but continued what’s known as Project Texas, a $1.5 billion effort to store U.S. user data in the U.S. within a secure cloud environment hosted by tech giant Oracle.

The separation of TikTok’s U.S. user data into its own system, away from the other systems used by the rest of the company, put the team that manages U.S. data in an unusual position while he worked there, says Ryan. In order to communicate and cooperate with colleagues, the so-called U.S. Data Security team, or USDS, which was focused on keeping U.S. user data sequestered, had to frequently move data out of its isolated environment, say Ryan and the other former TikTok employee.

This ex-TikTok employee, who would speak only on the condition of anonymity for fear of TikTok retaliating by seizing the restricted stock units that person holds in the company, says USDS had its own version of Lark, TikTok’s proprietary Slack-like internal communications system. That version of Lark was, along with U.S. user data, hosted in an Oracle data center in the U.S. Yet the team rarely used it, because TikTok workers elsewhere in the company didn't have access, making it impossible for USDS workers to communicate outside of their team. Instead, they used a different version that all employees could access, called Feishu by Chinese workers, which was controlled by ByteDance in China, say Ryan and the other ex-TikTok worker.

“When [USDS] makes any decisions, they have to be in the Chinese corporate version of Lark or Feishu, as people want to call it,” the former TikTok worker says. “That server is in China; it’s run by the Chinese.”

In response to Fortune’s question about where Lark’s servers are located, a TikTok spokesperson said they're hosted in multiple regions, including in the United States. The spokesperson declined to say whether he was referring to the servers used by TikTok specifically or more widely, including by TikTok corporate customers that license Lark for their internal employee messaging systems. The version of Lark that is licensed to enterprise customers has its main servers outside of China—in Singapore and other countries, says Ryan.

TikTok has given conflicting timelines for when it completed shifting the version of Lark used by U.S. data security workers to be entirely in the U.S. Asked by The New York Times in May 2023 about the topic, a TikTok spokesperson said U.S. user data was still being moved. When that transfer was complete, messages involving U.S. user data would be hosted on a separate “internal collaboration tool” (alluding to the U.S.-based Lark), the spokesperson said.

But more than a year later, TikTok’s policy team gave a different story in a post on X. It said the “secure environment for protected U.S. data,” overseen by the U.S. data security team, had been completed in January 2023—months before the Times published its story.

In response to a question by Fortune about the discrepancy, a TikTok spokesperson provided yet another timeline. In this telling, the secure data environment, or servers and data centers, for the U.S.-only version of Lark was completed in January 2023. But Project Texas, the actual isolation of U.S. user data within that infrastructure, is ongoing, the spokesperson said without giving an expected date of completion.

Some of TikTok’s other software that employees use to do their jobs also leaves the door open to monitoring by ByteDance’s China-based workers, Ryan said. That’s because these services are mostly hosted in, or accessible from, ByteDance and TikTok’s internal network, which is largely based in China, says Ryan. In theory, ByteDance workers with certain clearances may be able to see what U.S.-based TikTok employees using these systems are doing. However, Ryan couldn’t point to specific instances of U.S. user data being shared across these systems, which included Atlassian’s Jira product management software and Asana, used for tracking the status of tasks assigned to workers and for project management.

TikTok’s spokesperson responded to the allegations that ByteDance could access internal TikTok systems by invoking its effort to isolate U.S. user data through Project Texas. But the company also acknowledged that Project Texas is incomplete, leaving open the possibility that workers in China can still gain access.

Ryan pointed to Atlassian’s Jira product management software, used within TikTok and ByteDance, as a potential weak point. An Atlassian spokesperson couldn’t say whether ByteDance employees in China have access to TikTok’s version, because customers running the on-premises version, as Ryan described TikTok doing, decide for themselves on security settings and other configurations. This includes “where they choose to store or process data,” the Atlassian spokesperson noted in an emailed statement.

Ryan said TikTok also relied on a second service, called Feishu Project, that ByteDance built and that is used for tracking projects. This service, which TikTok employees use far more frequently than Jira, is also hosted in China, according to Ryan.

TikTok did not directly address these allegations about privacy vulnerabilities created by third-party systems.

TikTok has faced a deluge of news reports from various media outlets about vulnerabilities in its data practices. For example, last week, Forbes reported that ByteDance workers in China could access U.S. advertiser data, including tax information. Forbes also reported that TikTok creator data was stored in China. Also this month, Fortune published an article in which former TikTok workers described the service's close ties with ByteDance despite TikTok's claims of independence.

In response, several federal officials went on the offensive against TikTok, before ultimately passing the TikTok bill into law. Federal Communications Commission Commissioner Brendan Carr summarized Fortune’s story, noting that an employee sharing U.S. data in spreadsheets with counterparts at ByteDance in Beijing occurred after TikTok’s Project Texas started. Meanwhile, Sen. Josh Hawley (R-MO) called the Fortune article “Piece of evidence #10,571 that TikTok is transferring Americans’ data to China. And lying about it. Constantly.”

This story was originally featured on Fortune.com