TikTok’s parent company accessed the data of US journalists
Several weeks ago, there was a news report alleging that employees of the company’s Internal Audit team may have attempted to inappropriately access users’ location data. Even though many of the claims in the article were speculative, our Global Legal Compliance team began an immediate investigation into the facts alleged in the story, and engaged a highly reputable law firm to assist with the investigation.
We have since learned that a misguided plan was developed and carried out by a few individuals within the Internal Audit department this past summer in the context of investigating significant leaks of confidential company information by employees to media – including purported leaked documents, screenshots, and audio recordings of internal meetings.
It is standard practice for companies to have an internal audit group that is authorized to investigate code of conduct violations. However, as part of the initiative to investigate the leaks related to this case, the individuals involved misused their authority to obtain access to TikTok user data. These individuals were aiming to identify potential connections between two journalists, who reported on the contents of leaked documents and recordings – a former BuzzFeed reporter and a Financial Times reporter – and company employees. In turn, they hoped information about these connections would help identify the employees responsible for the leaks. For example, the individuals looked at the IP addresses of the journalists to try to determine if they were in the same location as the employees suspected of leaking confidential information, notwithstanding the fact that IP addresses would only yield approximate location information. Not surprisingly, their ill-considered efforts did not result in identifying the sources of the leaks. Nonetheless, their access to user data in connection with these efforts was a significant violation of the company’s Code of Conduct, and so we are pursuing the following steps immediately:
None of the individuals found to have directly participated in or overseen the misguided plan remain employed at ByteDance. We are continuing the investigation led by the Legal team.
We are restructuring the Internal Audit and Risk Control (IARC) department:
Julie Gao, CFO, will take over the IARC department and begin an immediate search for the new leader, who will report to her.
The Global Investigations function that had been part of IARC will be split out and restructured. Going forward, the Global Legal Compliance team will have oversight of all investigations formerly within the scope of IARC.
We will be redesigning the investigations process to include an oversight council which, among other responsibilities, will oversee the development and refinement of policies and procedures governing the company’s investigative functions and monitor the functions’ compliance with applicable laws and company policies.
We have removed all user data access and permissions for the IARC department.
Going forward, where it is necessary and appropriate for IARC to be granted access to properly scoped user data (for example, to investigate fraud involving employees of the company), that access will be subject to, and only granted in accordance with, the Company’s policy and protocols. This step will be coupled with training of the IARC team regarding the new policy and protocols.
In addition, we will continue to assess and enhance our access controls. In this case in fact, access to certain US user information in the context of the misguided investigation was already limited by prior transfer of control to the US Data Security team, and those controls have been significantly improved and hardened since this initiative took place.
I also want to emphasize that we have an open and candid culture within ByteDance. It’s a core part of our ByteStyles. If you are faced with an ethical dilemma or a reportable challenge, notify your manager, HR, or the Speak Up hotline to do so anonymously. There are many avenues for you to share your concerns.
I hope we can all learn from this situation and move forward with a clear understanding and appreciation of our responsibilities – as employees and leaders – to build and operate an ethical business.