Employees of ByteDance – parent company of social network TikTok – would have had access to American user data, shows an investigation conducted by BuzzFeed News published on June 17th.
Recordings of internal meetings
The media had access to more than 80 recordings of internal meetings in which 9 employees of the Chinese company said they were able to dissect non-public information between September 2021 and January 2022. These allegations were not actually surprising but contrary to the discourse TikTok held for several months when he wanted to reassure users about the dangers of disclosing their personal data to Chinese authorities.
This is the fear presented by the Trump government when it wanted to force ByteDance to cede its operations in the United States to an American company under the penalty of an application ban. A soap opera that eventually ended with the suspension of ByteDance’s agreement with Oracle and Walmart. Under the Trump administration’s promises, it’s not about a acquisition but about a cloud hosting contract. In fact, stored on American soil, the data of American users should in theory be protected from any Beijing predation.
Fear of an influence campaign
American authorities have two fears: that the Chinese Communist Party will be able to access Americans ’data through ByteDance and that the application’s algorithm is influencing users by highlighting certain videos. US Senator Ted Cruz described TikTok as “Trojan horse that the Chinese Communist Party can use to influence what Americans see, hear, and think“.
In the face of this defiance, TikTok has repeatedly said in blog posts and public statements that it physically stores the data of its US users in a data center in Virginia, with backups in Singapore. The company says that this way the data will not be subject to Chinese laws, some of which require domestic companies to disclose data to authorities, similar to the CLOUD Act in the United States.
These statements are therefore incorrect. Because even hosted on American soil, the data will be accessible from China.
An agreement with Oracle to store data in the United States
Calendar coincidence, or not, on the same day of publication of this survey, TikTok announced that “100% traffic from US users“has now been brought to Oracle data centers in the United States. The backup is still being done in Singapore but”as we continue our work, we plan to remove private data of US users from our own data centers and fully failover to Oracle cloud servers located in the US“.
However, based on records viewed by BuzzFeed, the status of data stored exclusively on U.S. soil is unclear. The product operations manager and user of TikTok said “unique identifiers“will not be considered protected information under the Oracle agreement.
What does he mean “unique identifier“in this situation it is not clear. It can specify an identifier for a particular TikTok account or for a device. Unique device identifiers are commonly used by technology companies – such as Google and Facebook – to link a user’s habits through applications.
Either way, BuzzFeed says, Oracle provides TikTok “great flexibility in how to manage its data center“In fact, TikTok’s head of global cyber defense and data clarified that while Oracle will provide physical data storage space, TikTok will be controlled at the software layer.”It’s almost incorrect to call it Oracle Cloud, because they just give us bare metal, and then we build our virtual machines on it.“, he declared.
Two surveys at the European level
The United States should not be the only one to worry about the fate of personal data passing through the application. In September, the Data Protection Commission (DPC) – the equivalent of the National Commission for Computing and Freedoms (CNIL) in Ireland – announced the opening of two investigations into TikTok. One is about processing the data of users under the age of 18 and the other is about transferring personal data to China. They still continue.