TikTok’s data security plan is “deeply flawed,” claims the whistleblower

TikTok’s former risk manager met with congressional investigators to share his concerns that the company’s plan to protect US user data is deeply flawed, pointing to evidence that could raise lawmakers’ suspicions about the app at a time when many are considering a nationwide ban.

In an exclusive interview with The Washington Post, the former employee, who worked in the company’s Trust and Security department for six months in early 2022, said the issues exposed the data of more than 100 million TikTok users in the United States to China-based employees of its parent company, ByteDance, even as the company races to implement new security rules that lock down domestic user information.

His claims threaten to undermine the $1.5 billion restructuring plan, known as Project Texas, which TikTok has widely promoted in Washington to neutralize the risk of data theft or abuse by the Chinese government.

They could also fuel speculation that the hugely popular short video app remains vulnerable to having its video recommendation algorithm and user data skewed for propaganda or espionage purposes. US authorities have not shared evidence that the Chinese government accessed TikTok’s data or code.

Since 2019, TikTok and ByteDance officials have been negotiating with a group of federal officials, the Committee on Foreign Investment in the United States (CFIUS), about what privacy standards and technical safeguards they should adopt to address US national security concerns. The company finalized its proposal in August and submitted it to CFIUS, but it still needs approval, and CFIUS officials declined to explain why.

The former employee, who spoke on condition of anonymity for fear of retaliation, told congressional investigators that Project Texas does not go far enough and that a truly leak-free arrangement for Americans’ data would require a “complete redesign” of how TikTok operates.

As one piece of evidence, he shared with The Post a code snippet that he said showed TikTok was able to connect to systems linked to Toutiao, the popular Chinese news app operated by ByteDance. According to him, this relationship could allow covert intervention in the flow of American data.

TikTok officials said the former employee misrepresented the plan and that his termination, months before it was finalized, means he “has no knowledge of the current state of Project Texas and the significant milestones the initiative has achieved over the past year.”

They said the Toutiao claim was “baseless” and that the code snippet he shared did not suggest any correlation or connection between the two apps. According to them, the Toutiao code is not related to China and is “nothing more than a naming convention and a technical relic” referring to ByteDance’s first successful application.


The officials also said they had already fulfilled a key commitment of Project Texas by moving US user data and other critical code to servers operated by US technology giant Oracle, a move they said would further undermine claims that Toutiao officials could affect TikTok’s content or operations in the United States.


The former staffer’s ability to secure meetings with key senators’ staff reinforces Washington’s extensive interest in a youth-friendly app best known for its viral dances and challenges. TikTok CEO Shou Zi Chew is likely to talk about Project Texas and the potential for Chinese influence at a congressional hearing later this month.

His visits to Washington also come amid heightened concerns about TikTok, including two recent legislative actions that could lead to an unprecedented nationwide ban on the app. The former staffer said he met with staff from the offices of Sens. Charles E. Grassley (R-Iowa) and Mark R. Warner (D-Va.). Representatives of both offices confirmed the meeting, but declined to comment further.

Senator Warner and a bipartisan group of senators on Tuesday proposed a bill that would give the Commerce Department a direct path to ban TikTok and other apps with foreign owners after a “risk-based” assessment. Another bill introduced by the House Foreign Affairs Committee last week would allow President Biden to ban TikTok entirely.

The White House said Wednesday that it supports Warner’s bill, but is also waiting for the conclusion of CFIUS negotiations. More than two dozen states have passed measures banning the use of TikTok on government-owned devices, but a 2020 federal court decision — and a growing group of civil rights activists and congressional Democrats — argued that a nationwide ban would violate Americans’ First Amendment protections against government laws that restrict free speech.


The former employee served as head of a division within TikTok’s security operations team that oversaw technical risk management and compliance issues, including which employees had access to company devices and user data, documents shared with The Post revealed.

He argues that a nationwide ban would be unnecessary to address the technical concerns, which he says could be addressed with “feasible and workable” solutions that go beyond Project Texas protocols. He said he worked to address the privacy issues internally, but was fired after raising his concerns.

In a December letter to TikTok CEO Chew, which he shared with The Post, the former employee wrote that senior executives were “responsible for internal fraud related to the execution of the Texas Project,” and that they had “deliberately lied” to U.S. government officials about how controls were tested and verified.


“Various TikTok executives put excessive pressure on me to come out of Project Texas as if it was a given [a] long time ago,” he wrote. “I demanded a swift internal investigation to ensure genuine risk management and my reinstatement.”

ByteDance’s head of global legal compliance acknowledged receipt of his letter of concern and said the company was “reviewing them as appropriate,” according to a copy of the email reviewed by The Post. According to him, the company has not offered updates since then.

The former employee said that he had not yet filed a formal whistleblower report with the SEC, and that his allegations were not supported by an official investigation.

He said he is also not the alleged whistleblower that Sen. Josh Hawley (R-Mo.) referred to in a Tuesday letter to the Treasury Department that was first reported by Axios. “This person said that TikTok’s data access controls were ‘shallow’ and that China-based engineers could use tools that would give them ‘one-click’ access to US data,” wrote Hawley, one of TikTok’s biggest critics in Congress. These claims have also not been verified.

TikTok officials said in a statement Wednesday that “analytics tools” do not provide direct access to the data, and that protected U.S. information is now stored on Oracle’s servers, where it can only be accessed under “limited, controlled circumstances.”


Project Texas would wall off TikTok’s activities in the United States inside a new subsidiary, TikTok US Data Security, whose managers would be controlled by the US government and report to CFIUS, according to the company’s briefings to researchers, journalists and members of Congress.

The plan would lock all U.S. user data into a system with monitored gateways for authorized use, and Oracle engineers would review TikTok’s code and recommendation algorithms and alert U.S. regulators to potential concerns.

Some people briefed on the plan praised its rigor, including Samm Sacks, a senior fellow at Yale Law School’s Paul Tsai China Center, who said it represented a serious effort to provide the U.S. government with an unprecedented level of oversight and control over the company’s operations.

“If it doesn’t work, if there’s a data leak or problematic content, TikTok would come under more scrutiny than any social media company in the United States,” she said.

But skeptics have argued that no technical safeguards can offset the risk of ByteDance’s ownership, which they say could force TikTok managers to censor uncomfortable topics, amplify pro-government messages or introduce vulnerabilities through lines of code. TikTok employees told The Post last year that ByteDance teams in Beijing worked on the design, engineering and software tools they relied on in their day-to-day operations.


If Project Texas is rejected, some members of Congress have argued that the only solution would be to force ByteDance to sell TikTok to an American buyer, an idea first floated by the Trump administration that TikTok supporters have likened to a hostage situation. Government officials in Beijing used export laws to block a Trump proposal in 2020 and may do so again.

TikTok can collect a range of user data, including video viewing history, email addresses and contacts, although US tech giants such as Facebook and Google collect even more, including precise GPS locations, extensive biographical details and web browsing history, according to a Post review last month.


Chinese government authorities can legally compel tech companies to hand over user data to support “national intelligence” work. TikTok argued that Americans’ information would not be covered by the law because it was stored on servers in the United States and Singapore.

Critics of the ban argued that it would violate Americans’ right to free speech and ignore the larger need for a national law to limit the collection of personal data by all apps, not just TikTok. Digital rights group Fight for the Future said in a statement last month that the proposed ban was “xenophobic window-dressing that protects precisely no one.”

The former employee’s claims match those of a source who shared hours of tapes of internal meetings first reported by BuzzFeed last year, in which company employees said they were working to shut down the ways China-based employees could access US data, in line with their CFIUS proposal.

Following the report, an internal ByteDance team used TikTok data, such as users’ IP addresses, which provide a general estimate of their location, to try to identify how the company’s information was leaked. The experiment failed, according to ByteDance officials, who announced the experiment in December and said four employees involved in the experiment had been fired.

TikTok CEO Chew, who met with The Post last month during a charm offensive across Washington, said the company is revamping its internal audit team and working to explain security controls to skeptical lawmakers and regulators. The scandal, he said, threatens to “erode all the work we do.”
