TikTok app on phone screen showing ByteDance denials of tracking location data and surveillance

ByteDance Denies Forbes Report That Finds TikTok Planned to Track Location Data of Targeted U.S. Citizens

The final year of the Trump administration was a rough one for TikTok, as the company was repeatedly threatened with bans from the United States and delisting from the app stores over concerns about espionage and its potential use to spread propaganda by China. After an extended period of inactivity under the Biden administration, the company is facing uncomfortable scrutiny again over the possibility that it has doubled back on promises to keep US location data out of China. A new report from Forbes indicating that the app may have been used to track specific American citizens is the company’s latest issue of this nature, but ByteDance is denying any wrongdoing.

The Forbes report claims that the company’s Internal Audit and Risk Control department, which operates out of its Beijing headquarters, had plans to surveil at least two American citizens that were not associated with the company in any way. TikTok’s American user data is supposed to be siloed from employees in China; ByteDance says that foreign access to US location data is only granted on an “as-needed” basis.

Forbes reports plans for location data characterized as “surveillance”

“Project Texas” was the means by which TikTok was able to back the Trump administration off from a ban and maintain a relatively uneventful relationship (thus far) with the Biden administration. The project is a massive restructuring of TikTok’s servers so that US data stays out of the Chinese mainland, inaccessible to anyone working there without special permission granted from the US side. But TikTok is already under investigation by the Senate Intelligence Committee following reports over the summer that engineers in China retain essentially unlimited access to US personal and location data.

ByteDance’s Internal Audit department is based in Beijing, headed up by local executive Song Ye, and reports directly to CEO Rubo Liang. The team is tasked with investigating potential misconduct by current and former employees, something that could provide a legitimate reason to request location data from the US side. However, the Forbes reporters say the materials that they reviewed did not involve current or former employees. The Internal Audit department appears to have been drafting plans to access the location data of at least two individuals in the US that were not affiliated with the company, without the knowledge or consent of these users.

Forbes does not name the individuals, what their jobs are, or what the intention of the surveillance was, and for its part ByteDance denies there was any wrongdoing. A TikTok spokesperson said that the app collects approximate location data for the purpose of targeting ads, preventing fraud and complying with local laws.

Timing poor for TikTok as company looks to finalize agreement with Treasury Department

Any location data controversies are poorly timed for TikTok as it looks to shore up its status with the US government, currently in the midst of working on a contract developed by the Treasury Department’s Committee on Foreign Investment in the United States (CFIUS). The CFIUS contract involves an evaluation of the potential security risks that TikTok poses, particularly if the company’s Beijing branch could be wielded by the Chinese government to spy on Americans. Access to US TikTok user data is supposed to be limited to “authorized personnel” under this arrangement, but it remains unclear exactly who in China would be authorized.

The Project Texas effort to silo US data locally is vital not just in demonstrating TikTok’s intentions, but because China’s cybersecurity laws require that its domestic companies turn over user data to authorized government agencies upon request. Even if TikTok has the best of intentions as an individual company, it must provide a technical mechanism insulating US data from servers in China from which the government could extract it upon demand. That arrangement was on shaky ground even before the location data issue cropped up, with leaks from internal company meetings and chats over the summer providing multiple indications that engineers in China remain able to freely access US user data (despite assurances from the company to the contrary).

The status of the CFIUS negotiations remains unknown. A follow-up tweet from TikTok suggested that the Forbes article could not be accurate as the app does not collect “precise” location data in the way that it suggests, but other reporters quickly noted that the TikTok privacy policy says that the app can indeed collect precise location data if the user gives it permission. TikTok’s response also notably included that it does not target specific groups of people or serve different content to specific demographics, such as government employees or journalists, but did not offer an assurance that it never tracks anyone in this way.