ByteDance, the Chinese parent company of popular video app TikTok, said on Thursday that some employees improperly accessed TikTok user data of two journalists and were no longer employed by the company, an email seen by Reuters shows.
(For insights on emerging themes at the intersection of technology, business and policy, subscribe to our tech newsletter Today’s Cache.)
ByteDance employees accessed the data as part of an unsuccessful effort to investigate leaks of company information earlier this year, and were aiming to identify potential connections between two journalists, a former BuzzFeed reporter and a Financial Times reporter, and company employees, the email from ByteDance general counsel Erich Andersen said.
The employees looked at IP addresses of journalists attempting to learn if they were in the same location as employees suspected of leaking confidential information.
The disclosure, reported earlier by the New York Times, could add to pressure TikTok is facing in Washington from lawmakers and the Biden administration over security concerns about U.S. user data.
A person briefed on the matter said four ByteDance employees who were involved in the incident were fired, including two in China and two in the United States. Company officials said they were taking additional steps to protect user data.
Congress is set to pass legislation this week to ban U.S. government employees from downloading or using TikTok on their government-owned devices and more than a dozen governors have barred state employees from using TikTok on state-owned devices.
The Financial Times said in a statement that "spying on reporters, interfering with their work or intimidating their sources is completely unacceptable. We’ll be investigating this story more fully before deciding our formal response."
BuzzFeed News spokesperson Lizzie Grams said the company was deeply disturbed by the report, saying it showed "a blatant disregard for the privacy and rights of journalists as well as TikTok users."
Forbes reported Thursday ByteDance had tracked multiple Forbes journalists including some who formerly worked at BuzzFeed "as part of a covert surveillance campaign" aimed at discovering the source of leaks. Randall Lane, the chief content officer of Forbes, called it "a direct assault on the idea of a free press and its critical role in a functioning democracy."
TikTok Chief Executive Shou Zi Chew said in a separate email to employees seen by Reuters that such "misconduct is not at all representative of what I know our company's principles to be."
He said the company "will continue to enhance these access protocols, which have already been significantly improved and hardened since this initiative took place."
Chew said that over the past 15 months the company had been working to build TikTok U.S. Data Security (USDS) to ensure protected TikTok U.S. user data stays in the United States.
"We are completing the migration of protected US user data management to the USDS department and have been systematically cutting off access points," he wrote.
ByteDance also said it was restructuring the Internal Audit and Risk Control department, and the global investigations function would be split out and restructured.
The U.S. government Committee on Foreign Investment in the United States (CFIUS), a national security body, has for months sought to reach a national security agreement with ByteDance to protect the data of more than 100 million U.S. TikTok users, but it appears no deal will be reached before year's end.
Republican Senator Marco Rubio said of the incident ByteDance "is desperate to tamp down growing bipartisan concerns about how it enables the Chinese Communist Party to use – and potentially weaponize – the data of American citizens. Every day it becomes more clear that we need to ban TikTok."