An admin in China is said to be able to access any TikTok data. TikTok apparently recruited employees who worked for Chinese state media. A TikTok data centre is said to have barely attended hard drives lying around. Scandalous reports about what goes on behind the scenes of the hyped video platform abound. And an astonishing number of them come from just one person: journalist Emily Baker-White, who first wrote for Buzzfeed News and now for Forbes.
Sources within the company repeatedly provide Baker-White with documents and descriptions of issues that TikTok would prefer to sweep under the carpet. The revelations are making TikTok sweat, especially in the USA.
Already under former President Donald Trump, but now also under Joe Biden, the US government is taking TikTok to task. Driven by negative press reports about the platform, the government is threatening to ban TikTok in the US.
Following the revelations some of those responsible at TikTok and parent company ByteDance have apparently decided to resort to strong measures. A surveillance campaign was launched to find out which sources Baker-White had met with. Later, TikTok confirmed that. According to Forbes, two other colleagues of the journalist were also targeted. A TikTok spokesperson told Forbes:
The misconduct of certain individuals, who are no longer employed at ByteDance, was an egregious misuse of their authority to obtain access to user data. This misbehaviour is unacceptable, and not in line with our efforts across TikTok to earn the trust of our users.
Surveillance of journalists is a taboo, but not unprecedented: In the past, for example, Uber is also said to have targeted disagreeable reporters. Emily Baker-White reports on how she protects herself and her sources and how TikTok is desperately trying to save its battered image.
netzpolitik.org: Emily, I wonder if it is appropriate to say that you are the journalist most hated by TikTok?
Emily Baker-White: I really hope I’m not hated by TikTok. But obviously I can’t speak to their mental state.
netzpolitik.org: How and why did TikTok’s parent company ByteDance try to spy on you as a journalist?
Baker-White: I wrote a big report last year based on many hours of recorded audio conversations from the inside of TikTok meetings. The report showed that while TikTok and ByteDance were working very hard to secure US users‘ data, so that it’s not accessible in China, there was still a lot of private data being accessed in China. That was a big deal in the US, because lawmakers were not aware of that. It also was the biggest TikTok leak during that time. TikTok and ByteDance were scared and freaked out. In response, they started an investigation to find out the source of the leak. They went to my private TikTok account, pulled the IP addresses linked to my account an then compared them to the IP-addresses linked to the accounts of their employees. This is a way to find out if people have been connected to the same Wi-Fi in the same physical place, like a café or a library.
„I meet sources with pen and paper“
netzpolitik.org: Did it work?
Baker-White: It didn’t. If I meet sources in person, I never do that which technical devices, because you never know who is surveiling you. I meet them with pen an paper. But there are also lots of ways people can get in touch with me remotely, for example using Signal, Proton Mail or Secure Drop.
netzpolitik.org: How did you find out you were the target of surveillance by TikTok?
Baker-White: It came to my attention from a source inside the company, and I came to view company materials that confirmed what the source was telling me. Although TikTok apparently did not find anything, the incident shows that my user data as a US citizen was accessible to a team that reported directly to ByteDance. Some of the people where physically in China.
netzpolitik.org: What’s the current status of the aftermath of that spying scandal?
Baker-White: I don’t think that I am still under surveillance. The first thing I did was removing the TikTok app from my phone. Now, the DoJ and FBI are investigating the case. I only know that the investigation is ongoing. It is worth noticing that a reporter from the Financial Times in London, Cristina Criddle, has also been surveilled by TikTok in an attempt to find out about her sources.
„I would not say this could never happen again“
netzpolitik.org: Spying on journalists, how deep-rooted is that in the company?
Baker-White: I don’t know how broadly it was known. The story is that it was a few bad apples, but there were also a few bad apple bosses. Some of the people involved were senior managers like chief internal auditor Chris Lepitak and China-based executive Song Ye, who Lepitak reported to. They and other people involved are no longer with the company. TikTok and ByteDance fired people after all came out.
netzpolitik.org: Do you think ByteDance and TikTok have learned from this and something like this would never happen again?
Baker-White: I would not say this could never happen again. Regarding from what I hear form people working at ByteDance and TikTok, it’s a very big place. Decision-making can be chaotic, everybody is moving fast in 100 directions at once. That is the sort of internal chaos that can allow something like this to happen. However, after we broke the story, they consulted a law firm and spent money on an internal investigation. They published what happened, went to the press and fired people. They wouldn’t have done this if they didn’t care at all.
netzpolitik.org: TikToks stresses again and again that it’s not a Chinese company and separate from ByteDance. How closely are they entwined actually?
Baker-White: Practically, they are very, very entwined – or at least they have been. Some TikTok employees had email-addresses „@bytedance“, some told me they got their pay checks and tax documentation from ByteDance. Internally, many of the tools TikTok employees use day to day are ByteDance tools, like VPN or team software. Some employees I’ve talked to don’t even know which of the two companies formally employs their colleagues. However, none of this is necessarily nefarious. At first, TikTok was just another app from ByteDance. The effort to formally separate TikTok and ByteDance is something very recent.
„They could buy data from a data broker in the US“
netzpolitik.org: Is TikTok more or equally dangerous compared to US-based social networks like Facebook or Twitter?
Baker-White: I think TikTok faces a lot of similar issues. Issues about data protection, dangerous content going viral or information campaigns affecting people. For example, we know that the Russian government was able to influence one of our elections via Facebook. Those are big, scary things! When it comes to data protection, there are no strong privacy laws in the US. China does not even need to harvest data from TikTok, they could buy data from a data broker in the US, and there’s nothing illegal about this. One might say to the Congress: If you’re serious about protecting user data, you should make stronger data protection laws. However, when it comes to TikTok, there is a another layer on top of these common issues, and that is a geopolitical layer.
netzpolitik.org: Does the concern revolve around the fact that China, as an authoritarian state, has different values than a democracy like the US?
Baker-White: I would not say it is about values, but about laws. If the US police goes to Meta CEO Mark Zuckerberg and demands private users‘ Facebook data, Zuckerberg can ask for a warrant or go to court. Companies in the US are not forced to turn over everything or to pin propaganda a the top of the feed. In China, defences are not that strong. The fear is, that members of the Chinese government go to ByteDance employees in China and ask for anything, because they can’t say no.
netzpolitik.org: TikTok claims something like this has never happened. And TikTok promises to prevent any future access to US user data from China by implementing a new infrastructure called Project Texas. It seems to me, TikTok uses Project Texas as its major lifesaving ring in the debate about a possible TikTok ban in the US.
netzpolitik.org: Project Texas means that US user data shall only be stored on US servers. Back in the days people would have called it storing user data in just another „cloud“, but TikTok CEO Shou Zi Chew speaks of „American soil“. What do you think about this change of metaphors?
Baker-White: It does not matter where data is physically stored, if it can be accessed from anywhere. It’s the same with my personal emails, which I can access wherever I go to. Data access matters more than the physical location of data. But Project Texas considers that as well. TikTok says that under Project Texas data would only be accessible by a team in the US, which does not report directly to ByteDance. The company proposed that the team would instead report to an independent board that TikTok and the US government would create together. They are still negotiating about that.
„Scoring political points by ranting about China“
netzpolitik.org: Can Project Texas actually improve anything?
Baker-White: TikTok puts a lot of effort into trying to make this happen. However, if they can pull it off is a big question I cannot answer yet.
netzpolitik.org: TikTok also promised to give access to internal data to academics. What do you expect from this?
Baker-White: Currently, there’s no aggregate way to watch if someone runs an influence campaign on TikTok. Everyone has their personal feed, you cannot even monitor trending videos. I have high hopes that TikTok starts sharing those information with academics in a way that matters.
netzpolitik.org: And then there was that bizarre hearing of the TikTok-CEO before US Congress. He was humiliated. Did you pity him?
Baker-White: I don’t know if pity is the word I would use. I think they were very unfair to him. They asked questions and did not even allow him to answer. I didn’t a learn a lot from the hearing. As with many tech hearings in the US, you often get lawmakers spending most of their time not actually trying to get answers but making a presentation. I think there are a lot of politicians in Washington who feel like they can score political points by ranting about China.
„A comms person that I worked with called me“
netzpolitik.org: Talking about fairness, did you ever get a personal apology from TikTok for spying on you?
Baker-White: The company did not reach out to me earlier than to everyone else in the media, when they published a report about the internal investigation. A comms person that I worked with called me the morning the results of the investigation appeared. She told me I was affected and she apologized. It did genuinely appreciate the apology.
netzpolitik.org: How did the surveillance campaign impact you and your work?
Baker-White: It has impacted me personally. People at TikTok and ByteDance could have pulled data about which cafés I go to or which videos I have watched. However, there are other people who are much more at risk than I am, like members of the military or citizens the Chinese state. The fact that TikTok and ByteDance were so threatened that they started a surveillance campaign showed me that what we reported was very newsworthy. The story about data access from China is going to be important for a lot of governments, not only the in the US and the EU. In the end, the surveillance campaign made me more eager to report on this company.