For years, TikTok has told lawmakers that the private data of its U.S. users is secured — and safe from potential influence or exfiltration — in a cluster of data centers located in Northern Virginia.
But interviews with seven current and former employees and more than 60 documents, photos and videos from the data centers reveal that the centers have faced security vulnerabilities ranging from unmarked flash drives plugged into servers to unescorted visitors to boxes of hard drives left unattended in hallways. Sources suggest that these challenges are the result of TikTok trying to grow its data storage capacity very quickly, and sometimes cutting corners along the way.
Documents, photos, and interviews also suggest that TikTok’s data center operations are still tightly enmeshed with ByteDance’s business in China. Among other suppliers, the data centers use servers produced by Inspur, a company that the Pentagon said in 2020 was controlled by the Chinese military and that the Commerce Department added to a sanctions list last month. Documents also show that as recently as last week, server work orders were sent to data center technicians by Beijing ByteDance Technology Co., Ltd., a ByteDance subsidiary partially owned by the Chinese government, which TikTok has repeatedly insisted has no control over its operations.
Governor Greg Abbott today announced a statewide model security plan for Texas state agencies to address vulnerabilities presented by the use of TikTok and other software on personal and state-issued devices. Following the Governor’s directive, the Texas Department of Public Safety and the Texas Department of Information Resources developed this model plan to guide state agencies on managing personal and state-issued devices used to conduct state business. Each state agency will have until February 15, 2023 to implement its own policy to enforce this statewide plan.
“The security risks associated with the use of TikTok on devices used to conduct the important business of our state must not be underestimated or ignored,” said Governor Abbott. “Owned by a Chinese company that employs Chinese Communist Party members, TikTok harvests significant amounts of data from a user’s device, including details about a user’s internet activity. Other prohibited technologies listed in the statewide model plan also produce a similar threat to the security of Texans. It is critical that state agencies and employees are protected from the vulnerabilities presented by the use of this app and other prohibited technologies as they work on behalf of their fellow Texans. I thank the Texas Department of Public Safety and Texas Department of Information Resources for their hard work helping safeguard the state’s sensitive information and critical infrastructure from potential threats posed by hostile foreign actors.”
To protect Texas’ sensitive information and critical infrastructure from potential threats, the model plan outlines the following objectives for each agency:
Ban and prevent the download or use of TikTok and prohibited technologies on any state-issued device identified in the statewide plan. This includes all state-issued cell phones, laptops, tablets, desktop computers, and other devices capable of internet connectivity. Each agency’s IT department must strictly enforce this ban.
Prohibit employees or contractors from conducting state business on prohibited technology-enabled personal devices.
Identify sensitive locations, meetings, or personnel within an agency that could be exposed to prohibited technology-enabled personal devices. Prohibited technology-enabled personal devices will be denied entry or use in these sensitive areas.
Implement network-based restrictions to prevent the use of prohibited technologies on agency networks by any device.
Work with information security professionals to continuously update the list of prohibited technologies.
In December 2022, Governor Abbott directed state agency leaders to immediately ban employees from downloading or using TikTok on any government-issued devices. The Governor also informed Lieutenant Governor Dan Patrick and Speaker Dade Phelan that the Executive Branch is ready to assist in codifying and implementing any necessary cybersecurity reforms passed during the current legislative session, including passing legislation to make permanent the Governor’s directive to state agencies.
Governor Abbott has taken significant action to combat threats to Texas’ cybersecurity, including signing the Lone Star Infrastructure Protection Act in 2021 to fortify certain physical infrastructure against threats that include hostile foreign actors.
[Well, here it is. Two years ago we warned everyone who would listen that TikTok were apparatchiks for the Chinese Communist Party–by law in China because of the CCP’s civil-military fusion–“If Google is the Joe Camel of data, then TikTok is the Joe Camel of intelligence.” We did panels warning about TikTok including the CEO’s struggle session and the CCP constitution–facts, you know. Tim Ingham warned that on top of everything else, the deals suck. And then there’s Twinkletoes, who is in our view a walking, talking Foreign Agent Registration Act violation.]
[According to Emily Baker White writing in Forbes:]
A China-based team at TikTok’s parent company, ByteDance, planned to use the TikTok app to monitor the personal location of some specific American citizens, according to materials reviewed by Forbes.
The team behind the monitoring project — ByteDance’s Internal Audit and Risk Control department — is led by Beijing-based executive Song Ye, who reports to ByteDance cofounder and CEO Rubo Liang.
The team primarily conducts investigations into potential misconduct by current and former ByteDance employees. But in at least two cases, the Internal Audit team also planned to collect TikTok data about the location of a U.S. citizen who had never had an employment relationship with the company, the materials show. It is unclear from the materials whether data about these Americans was actually collected; however, the plan was for a Beijing-based ByteDance team to obtain location data from U.S. users’ devices.
Eight states (Massachusetts, Florida, California, New Jersey, Vermont, Kentucky, Nebraska, and Tennessee) just recently announced their investigations into TikTok, which settled an Illinois privacy lawsuit for $92 million in 2021. The coordinated scrutiny arrives as TikTok – which has been described as “legitimate spyware” – remains extremely popular, reportedly boasting north of three billion downloads and more traffic than Google.
Furthermore, TikTok’s userbase reportedly skews young, and higher-ups have capitalized upon the platform’s prominence within demographics that are relatively difficult for companies to reach.