Breaking: social media platform accesses users’ personal data

Basic ignorance about social media platforms creates phrases like "The TikTok Tapes"
20 June 2022

Microsoft’s offer to buy TikTok was rejected in 2020, leaving Oracle the sole remaining US bidder at the time, ahead of an imminent deadline for the Chinese-owned video app to sell, or shut down its US operations. (Photo by NICOLAS ASFOURI / AFP)

Late last week, Buzzfeed News “broke” the story that they had procured access to leaked audio from over 80 internal TikTok meetings, revealing that ByteDance employees in China had repeatedly accessed non-public data of US TikTok users. The audio reportedly contained at least 14 references from nine different TikTok employees — recorded in circumstances ranging from meetings with company leaders and consultants, to all-hands presentations with the TikTok policy team — in a period between September 2021 and January this year, at least. The audio files are allegedly corroborated by screenshots and other documentation.

Ever since Donald Trump’s tenure as President of the United States, Chinese technology companies have been fighting an uphill battle against allegations, and subsequent legal rulings against them, of spying on US user data and sharing them with Beijing. Trump paid particular attention to Chinese tech juggernauts like telecommunications leader Huawei and ByteDance’s TikTok, which in 2020 overtook Facebook to establish itself as the most popular social media platform globally.

ByteDance ultimately struck a partnership deal with Oracle to be a ‘secure cloud provider’ in late 2020, giving the US businesses a 12.5% stake in the popular short video app in return for assurances of providing a more secure, US-approved technology framework State-side. Then Trump lost the elections, the pressure was alleviated off the Chinese tech giants, and the plans of Oracle and others like Microsoft to buy TikTok’s US operations outright were pushed back indefinitely.

TikTok cited security from Oracle, against claims that non-public US user data was repeatedly accessed by employees at its Chinese parent company

The Beijing, China headquarters of ByteDance, the parent company of video sharing app TikTok. (Photo by GREG BAKER / AFP)

The “revelation” prompted a swift response from TikTok, which last year toppled perennial pacesetter Google to become the most accessed web platform in the world, alongside being the most downloaded app of the pandemic era. TikTok’s US security public policy advisor published a blog emphasizing that Oracle safeguards all data from its US users, “how we [TikTok] address potentially harmful content and how we protect against unauthorized access to user data”, in a bid to allay fears about data safety in the hands of a platform owned by a Chinese digital giant.

They critical wordplay here is “unauthorized access.” Access to users’ data is how social media platforms operate – it’s more than a daily occurrence, it’s the business model. TikTok told AFP it is trying to minimize that kind of system privilege.

“Similar to industry peers, we will continue to drive our goal of limiting the number of employees who have access to user data and the scenarios where data access is enabled,” TikTok chief information security officer Roland Cloutier said in a blog post highlighted by the company. “Our goal is to minimize data access across regions so that, for example, employees in the [Asia Pacific] region, including China, would have very minimal access to user data from the EU and US.” Your definition of “very minimal” may be different from any other, and details are lacking.

What’s particularly interesting about the TikTok statement is the following: “[…] we expect to delete US users’ private data from our own data centers and fully pivot to Oracle cloud servers located in the US. In addition, we’re working closely with Oracle to develop data management protocols that Oracle will audit and manage to give users even more peace of mind.” There is an implication that simply by using infrastructure that’s US based and managed by a US company, data held is somehow off limits to TikTok employees. As any user of a cloud provider knows, the hyperscalers have very little to do with the content hosted on their infrastructure other than making sure the disks it’s stored on don’t catch fire. And having Oracle “audit and manage” data management protocols could mean just about anything. One thing it certainly won’t mean is independently enlightening TikTok users about what is or isn’t happening to their data, at least, not without the stamp of approval from the people who are paying the bills – TikTok.

TikTok has been adamant that it has never given US user data to Chinese officials, and that it would refuse if asked to do so. Last month, TikTok created a new US data security devoted to strengthening protection policies and protocols to safeguard user information, a TikTok spokesperson told AFP.

“We’ve brought in world class internal and external security experts to help us strengthen our data security efforts,’ the spokesperson said. TikTok will continue to use its own datacenters in Virginia and Singapore to backup information as it works to “fully pivot” to relying on Oracle in the United States, it said in a post.

“We know we are among the most scrutinized platforms from a security standpoint, and we aim to remove any doubt about the security of US user data,” said Albert Calamug, who handles US security public policy at TikTok.

TikTok cited security from Oracle, against claims that non-public US user data was repeatedly accessed by employees at its Chinese parent company

TikTok’s new office space at the C3 campus in Culver City, westside of Los Angeles, that opened in 2020 amidst talk of a looming US buyout of the ultra-popular app from its Chinese owners. (Photo by Chris DELMAS / AFP)

President Joe Biden last year revoked executive orders from his predecessor Donald Trump seeking to ban Chinese-owned apps TikTok and WeChat (owned and operated by gaming technology behemoth Tencent) from US markets on national security concerns. Biden’s new executive order nixed the unimplemented ban and called for “an evidence-based analysis to address the risks” from internet applications controlled by foreign entities.

For the vast majority of social media users, the only choice is whether it’s a Chinese company or a US one that owns, monetizes and disseminates their information. As the saying goes, if an online service is free, you’re the product. If that isn’t a concern for a user, the geography from where their data is being monetized is surely irrelevant?