In a letter, TikTok gave the confirmation of China-based employees of ByteDance being able to access US user data under specific circumstances. Mainly, this letter was in response to inquiries from nine Republican senators’ regarding the matter. In it, chief executive Shou Zi Chew how workers outside the US, which includes ones based in China, have the ability to access data of US users.
However, he stated how it is dependent on extensive ‘cybersecurity controls,’ along with ‘authorisation approval protocols’ which the security team based in the US oversees. He added how the platform possesses ‘an internal data classification system,’ as well as a process of approval established that provides access levels.
These are based on the classification of the data, and needs approvals for accessing US user data. Moreover, he stated how this particular approval level needed is mainly based on how sensitive the data is in accordance with the system of classification.
“The level of approval required is based on the sensitivity of the data according to the classification system.”
TikTok parent company ByteDance was reported to have access to data from the US, was firmly involved in making decision for the video streaming service. The reported for CNBC in 2021 was by Sal Rodriguez who is presently a reporter with the The Wall Street Journal.
Following another report focused on the audio of internal meetings, added attention was drawn towards concerns based on privacy and security. It stated how employees of ByteDance had repeatedly accessed such user data over a span of a minimum of four months. Along with it, how employees based in the US were not permitted to access it.
In a statement, a spokesperson from the company specified how they were aware of being one of the ‘most scrutinised platforms’ from the security perspective. They added how their goal was to get rid of any doubt regarding ‘the security of US user data.’
On the particular day of the story being published, TikTok made an announcement stating how ‘100% of US user traffic’ is in the process of getting routed to Oracle Cloud Infrastructure. This was rather than the traffic being collected in its own data centres in either Singapore or US. Moreover, Chew noted in the letter how the report consisted of ‘allegations and insinuations’ that are not correct or ‘supported by facts.’