TikTok’s parent company ByteDance said Thursday it had fired four employees after an internal investigation found they had accessed data on two journalists and other U.S. users while attempting to track down a company leak, a revelation that could further inflame doubts in Washington over the company’s Chinese roots.
The workers tried to use the IP addresses — numbered codes assigned to every internet-connected device that can give a rough estimate of a person’s location — to see whether the journalists and their associates had been in contact with ByteDance employees, the investigation found. The attempt did not identify the source of the leaks.
The investigation was revealed in emails that ByteDance’s general counsel sent to employees on Thursday, which the company shared with The Washington Post. The New York Times first reported the investigation.
The findings will likely intensify tensions over TikTok, one of the world’s most popular apps, as its corporate owners strive to persuade the U.S. government that its Chinese ownership poses no data-privacy or surveillance threat.
Sen. Josh Hawley (R-Mo.), one of TikTok’s biggest critics in Congress, cited the investigation in a tweet on Thursday. “This is why Congress must BAN TikTok on all federal devices now,” he said.
Governors in 19 states have recently prohibited the use of TikTok on state-owned phones, and members of Congress on Tuesday included a similar ban for federal employees in its must-pass omnibus spending bill.
TikTok has since 2019 been negotiating an agreement with a government panel known as the Committee on Foreign Investment in the United States. In August, the company proposed a major restructuring of its U.S. operations that would further restrict who can access U.S. users’ data and give federal officials veto power over many key decisions, including who sits on its board of directors, The Post reported this week, citing people familiar with the discussions.
CFIUS officials have not yet approved the deal, saying they continue to review the company for potential national-security concerns.
Erich Andersen, ByteDance’s general counsel, said the company’s Global Legal Compliance team brought in an external law firm to help investigate claims made in an October news report alleging the company had inappropriately gathered users’ location data.
A ByteDance spokeswoman declined to name the law firm or the targeted journalists and said the company is communicating with Congress and CFIUS.
The investigation, Andersen said, found that employees in ByteDance’s internal-audit department had carried out a “misguided plan” this summer to use TikTok user data to examine whether the journalists had made contact with current employees by pulling their IP addresses.
The Financial Times said journalist Cristina Criddle had been targeted after reporting on a culture clash inside TikTok’s London office. In a statement, the newspaper said, “Spying on reporters, interfering with their work or intimidating their sources is completely unacceptable. We’ll be investigating this story more fully before deciding our formal response.”
ByteDance said its investigation revealed that one former BuzzFeed reporter had been tracked. Forbes reported Thursday that it believed three of its journalists who had formerly worked at BuzzFeed News — Emily Baker-White, Richard Nieva and Katharine Schwab — were tracked, an assertion ByteDance disputed. “We stand by our reporting and our sources,” Forbes spokeswoman Jocelyn Swift said in an email.
Forbes’ chief content officer Randall Lane called the data gathering “a direct assault on the idea of a free press and its critical role in a functioning democracy.”
Baker-White wrote a story in June that cited recordings of internal meetings where access of U.S. user data by ByteDance workers inside China was discussed. In October, she reported on the internal location-tracking effort that had triggered ByteDance’s investigation. The company at the time fiercely denied the report, saying “TikTok has never been used to ‘target’ any … journalists” and that it “could not monitor U.S. users in the way the article suggested.”
ByteDance fired the four employees and has restructured its Internal Audit and Risk Control department, including by adding an oversight council to help set new policies for its employee investigations, Andersen said.
ByteDance’s chief executive, Liang Rubo, said in an email to employees Thursday that he was “deeply disappointed” by the situation, saying, “The public trust that we have spent huge efforts building is going to be significantly undermined by the misconduct of a few individuals.”
“No matter what the cause or the outcome was, this misguided investigation seriously violated the company’s Code of Conduct and is condemned by the company,” he added. “We simply cannot take integrity risks that damage the trust of our users, employees, and stakeholders.”
In a third email, TikTok’s chief executive, Shou Zi Chew, outlined how the company had in recent months begun moving and safeguarding U.S. user data and “systematically cutting off access points” to the information for all but a select group of authorized officials.
“We must continue to prioritize these efforts and not let the poorly conceived acts of a few people undermine the work of the tens of thousands,” he said.
The findings could challenge TikTok’s ability to persuade federal lawmakers that its international operation poses no threat to U.S. user security.
TikTok has said repeatedly that it is not influenced by the Chinese government and that employees in ByteDance’s Beijing office, where critical parts of TikTok’s code are designed and built, are restricted from accessing Americans’ information.
TikTok officials have held briefings for members of Congress and their staffs to detail their proposal to CFIUS, which would sever the TikTok U.S. team’s decision-making from ByteDance and give U.S. authorities veto power over the appointment of the U.S. operation’s leadership, according to four people with knowledge of the discussions, who spoke to The Post on the condition of anonymity because they were not authorized to discuss the work publicly.
The company said it has spent more than $1.5 billion on implementing the plan, known internally as Project Texas, and that it would bind the company to a level of public scrutiny and oversight more involved than any U.S. technology firm currently faces.
Some skeptics in Washington, including many top Republicans, argue that TikTok’s ownership by a Chinese tech conglomerate poses an insurmountable risk to U.S. data privacy and have called for a full divestiture or ban.
ByteDance’s attempt to use internal data to out journalists’ sources follows similar attempts from the U.S. tech giants Uber and Facebook, who used location data and other information to find employees and contractors they suspected had shared information with journalists.