ByteDance confirmed it used TikTok to monitor journalists’ physical location using their IP addresses, as first reported by Forbes in October.
An internal investigation by ByteDance, the parent company of video-sharing platform TikTok, found that employees tracked multiple journalists covering the company, improperly gaining access to their IP addresses and user data in an attempt to identify whether they had been in the same locales as ByteDance employees.
According to materials reviewed by Forbes, ByteDance tracked multiple Forbes journalists as part of this covert surveillance campaign, which was designed to unearth the source of leaks inside the company following a drumbeat of stories exposing the company’s ongoing links to China. As a result of the investigation into the surveillance tactics, ByteDance fired Chris Lepitak, its chief internal auditor who led the team responsible for them. The China-based executive Song Ye, who Lepitak reported to and who reports directly to ByteDance CEO Rubo Liang, resigned.
“I was deeply disappointed when I was notified of the situation… and I’m sure you feel the same,” Liang wrote in an internal email shared with Forbes. “The public trust that we have spent huge efforts building is going to be significantly undermined by the misconduct of a few individuals. … I believe this situation will serve as a lesson to us all.”
“It is standard practice for companies to have an internal audit group authorized to investigate code of conduct violations,” TikTok General Counsel Erich Andersen wrote in a second internal email shared with Forbes. “However, in this case individuals misused their authority to obtain access to TikTok user data.”
Forbes first reported the surveillance tactics, which were overseen by a China-based team at ByteDance, in October. Asked for comment on that story, ByteDance and TikTok did not deny the surveillance, but took to Twitter after the story was published to say that “TikTok has never been used to ‘target’ any members of the U.S. government, activists, public figures or journalists,” and that “TikTok could not monitor U.S. users in the way the article suggested.” In the internal email, Liang acknowledged that TikTok had been used in exactly this way, as Forbes had reported.
“This is a direct assault on the idea of a free press and its critical role in a functioning democracy.”
The investigation, internally known as Project Raven, began this summer after BuzzFeed News published a story revealing that China-based ByteDance employees had repeatedly accessed U.S. user data, based on more than 80 hours of audio recordings of internal TikTok meetings. According to internal ByteDance documents reviewed by Forbes, Project Raven involved the company’s Chief Security and Privacy Office, was known to TikTok’s Head of Global Legal Compliance, and was approved by ByteDance employees in China. It tracked Emily Baker-White, Katharine Schwab and Richard Nieva, three Forbes journalists that formerly worked at BuzzFeed News.
“This is a direct assault on the idea of a free press and its critical role in a functioning democracy,” says Randall Lane, the chief content officer of Forbes. “We await a direct response from ByteDance, as this raises fundamental questions about what they are doing with the information they compile from TikTok users.”
After this story was published, TikTok spokesperson Hilary McQuaide said, “The misconduct of certain individuals, who are no longer employed at ByteDance, was an egregious misuse of their authority to obtain access to user data.”
MORE FROM FORBESTikTok’s China ProblemBy Emily Baker-White
“This new development reinforces serious concerns that the social media platform has permitted TikTok engineers and executives in the People’s Republic of China to repeatedly access private data of U.S. users despite repeated claims to lawmakers and users that this data was protected,” Senator Mark Warner told Forbes. “The DoJ has also been promising for over a year that they are looking into ways to protect U.S. user data from Bytedance and the CCP — it’s time to come forward with that solution or Congress could soon be forced to step in.”
According to an internal email sent Thursday by Andersen, ByteDance found that several of its employees obtained the data of “a former BuzzFeed reporter and a Financial Times reporter,” as well as a “small number of people connected to the reporters” through their TikTok accounts. The audit was conducted by the law firm Covington & Burling, which has represented TikTok in litigation against the U.S. government. Covington did not respond to a comment request.
In addition to the firing of TikTok’s Chief Internal Auditor, Chris Lepitak, who was suspended after Forbes’ initial report about the surveillance scheme in October, ByteDance fired two additional TikTok employees in the United States and China as a result of the findings. Lepitak did not immediately respond to a request for comment. “None of the individuals found to have directly participated in or overseen the misguided plan remain employed at ByteDance,” Andersen wrote in the internal email.
“This new development reinforces serious concerns that the social media platform has permitted TikTok engineers and executives in the People’s Republic of China to repeatedly access private data of U.S. users despite repeated claims to lawmakers and users that this data was protected.”
The team that oversaw the surveillance campaign was ByteDance’s Internal Audit and Risk Control department, a Bei
