TikTok’s parent company accessed the data of US journalists

An internal investigation at TikTok parent company ByteDance found that several employees accessed the TikTok data for several US journalists and a “small number” of other people connected to them, according to internal emails obtained by The New York Times that were confirmed independently by The Verge. The accessed data includes the reporters’ IP addresses, which were used to see if they had been physically near TikTok employees who was leaking information to the press.

In an email to employees, ByteDance CEO Rubo Liang described the incident as “misconduct of a few individuals,” and the company’s general council described it as a “misguided plan was developed and carried out by a few individuals within the Internal Audit department this past summer,” according to The Financial Times. However, according to a report from Forbes, the investigation “involved the company’s Chief Security and Privacy Office, was known to TikTok’s Head of Global Legal Compliance, and was approved by ByteDance employees in China.”

These reports are the latest in a series of investigations that have turned up evidence of ByteDance employees in China having access to the TikTok data of Americans. The revelation comes as lawmakers make moves to restrict the app in the US. It also shows ByteDance walking back denials that it has made in the past, at least internally.

The Beijing-based company’s investigation, which was conducted by an outside law firm, revealed that two journalists had their data accessed by ByteDance’s Internal Audit team worked for BuzzFeed and The Financial Times, according to The New York Times. Forbes, however, says three of its journalists were tracked — Emily Baker-White, Katharine Schwab, and Richard Nieva, all of whom worked for BuzzFeed until earlier this summer. The Financial Times says its reporter, Cristina Criddle, was tracked. That would bring the total up to four, instead of the two reported by the NYT.

The New York Times writes that at least two of those employees involved were based in China, while two were working from the US. This information tracks with an October report from Forbes, which alleged that ByteDance had planned on using TikTok to track the location data of specific US citizens.

When Forbes’ report came out earlier this year, TikTok strongly denied it, saying that it lacked “rigor and journalistic integrity” and that the app does not collect precise GPS data. (At the time, the reporter behind the story pointed out that the company admitted to collecting approximate locations using IP addresses.) A tweet from the company’s corporate communications account said that “TikTok has never been used to ‘target’ any members of the U.S. government, activists, public figures or journalists” and noted that any employees using the audit system in the way Forbes described would be fired.

That’s now happened to three employees from the audit team, according to the Times, with Forbes reporting that one of those people was Chris Lepitak, who was head of the team. His boss, Song Ye, who Forbes says was an executive in China that reported directly to ByteDance’s CEO, has reportedly resigned.

The Times’ report says that the employees accessed the information “over the summer.” The big question that remains (and that we’ve asked TikTok about but didn’t receive an immediate response to) is whether it happened before or after the company started routing US users’ data through Oracle.

That switch was supposedly flipped in June and was intended to protect Americans’ data from ByteDance employees in China. Around that time, Buzzfeed News released a report that said TikTok engineers overseas had “access to everything” and repeatedly accessed US users’ information. According to Forbes, it was that report that spurred on ByteDance’s internal investigation. The BuzzFeed report was released only two days before the Oracle partnership went into effect. If the journalists’ data was obtained after that, it would raise serious questions about how effective the program is.

TikTok and ByteDance are already under a microscope when it comes to user data and privacy. Over a dozen states in the US have banned TikTok on government phones, and senators like Marco Rubio are working on legislation that would ban it outright in the US. Lawmakers involved with the bill say they’re concerned that the app gives the Chinese Communist Party the ability to monitor and influence Americans.

It’s not the first attempt to get rid of the app; former President Donald Trump attempted to ban it during his tenure, even declaring it a national emergency. He also demanded that ByteDance sell its American division off to a company based in the US, though that deal — like the ban itself — never came to fruition.

Alex Heath contributed reporting for this story.

Update December 22nd, 3:55PM ET: Added independent confirmation of emails to ByteDance employees and details from Forbes and The Financial Times, including the reported names of some of the executives involved, and the reporters who were tracked.