
Former TikTok Employee Claims User Data Still Leaking to China, Company Was “Intentionally Lying” to US Regulators

TikTok’s “Project Texas” plan to assure users that their data is safe and private has too many holes to be useful, according to a whistleblower who has been speaking to congressional investigators. The anonymous former TikTok employee also granted an interview to the Washington Post, in which they claimed that user data could not possibly be kept out of China without a total ground-up redesign of the app.

TikTok has responded by saying that the employee left the company over a year ago and has no current knowledge of the Project Texas status, and that they misunderstood what they claim to see in the app’s code. TikTok has already begun shifting US user data to servers owned by Oracle, which has entered an agreement to independently monitor how that data is accessed.

Former TikTok employee says app has too many holes, potential backdoors to be secured

The former TikTok employee worked as a risk manager in the company’s Safety Operations division for six months, departing in early 2022. They claim that a “complete re-engineering” of the app is the only way to ensure that user data does not wind up making its way to servers in China, far beyond the scope of what is happening with Project Texas, and that the Chinese government still has avenues by which to influence news and recommendation feeds if it so desires.

One example the TikTok employee shared with Washington Post reporters is a piece of code that links the app with a China-based news app called Toutiao that publisher ByteDance also runs. That code allegedly gives employees, or someone with access to Toutiao’s internal systems, a backdoor into TikTok that would allow for interception of user data. TikTok responded to the piece by saying that the two apps are no longer linked and that the whistleblower misunderstood what they were seeing in the code.

The TikTok employee also shared documents with Post reporters that they claim demonstrate that the app could be secured and user data could be successfully siloed geographically, but that it would take more than the scope of the current Project Texas parameters. The whistleblower says that they wrote a letter presenting this case to TikTok CEO Shou Zi Chew, in which they also disclosed that some senior managers were “intentionally lying” to US regulators about its testing process and controls. ByteDance acknowledged that it had received this letter but has provided no further comment on it.

Though the former TikTok employee is speaking to congressional investigators, they are not part of a formal investigation at the moment. They have not filed a whistleblower complaint with the Securities and Exchange Commission (SEC), and the investigation has not verified their claims as of yet.

Series of internal leaks has called TikTok user data protections into question

Project Texas is critical to fending off calls to extensively ban the app from the US, which have grown both in quantity and in terms of bipartisan support over the past year. The project was first discussed in 2019, when federal officials first began formally exploring the possibility that the app could be a national security threat due to conditions in China, and is proceeding under the watch of the Committee on Foreign Investment in the United States (CFIUS). CFIUS has yet to issue formal approval, and has also not explained why; the likely reason is a string of leaks about internal practices that date back to mid-2022, and often come from TikTok employees.

Chew is scheduled to testify before Congress in a matter of days, and this string of leaks is very likely to be a central component of the questioning. Something else that is likely to come up is the testimony of another former TikTok employee, who has made contact with Senator Josh Hawley. This second whistleblowing TikTok employee claims that assorted vulnerabilities remain available to engineers in China: that US user data can be accessed with just a click of a button, that members of the ruling Chinese Communist Party have access to this ability, and that managers of the Chinese and American branches are in constant contact with each other and can approve requests for international data transfer with no more than permission from a dataset owner. Hawley is one of the voices in Congress calling for a national ban on the app, along with prohibiting parent company ByteDance from doing any further business in the country.

TikTok does not collect as much personal information as some other social media services, but can collect certain things that might be useful for intelligence purposes, such as video viewing records and personal contacts. This has prompted bans that have already taken it off the devices of federal agencies and many state employees as well, but concern remains that the Chinese government will use it as a propaganda tool.