TikTok has been recently redoubling its efforts on rebutting concerns that it is a national security risk. Critics of the app have consistently voiced their skepticism that the Chinese government does not influence the app in some ways, and that it can request private American user data at any time from TikTok’s parent company ByteDance (part-owned by the Chinese state) and then use TikTok to influence Americans’ commercial or political behaviour.

Donald Trump voiced these concerns in 2020 and demanded that ByteDance sell TikTok to keep the app in American app stores. TikTok has consistently responded to privacy questions by insisting that US user data is stored in the United States and not in China, where ByteDance is based, but they have not addressed the question of whether the data on these servers can be accessed from China.

Now, according to leaked audio, obtained by BuzzFeed from internal TikTok meetings, evidence appears to show that China-based employees of ByteDance have repeatedly accessed private data about US TikTok users.

The leaked recordings contain statements from nine different TikTok employees indicating that engineers in China had access to US user data at least between September 2021 and January 2022. The recordings cover situations where TikTok’s US employees had to turn to colleagues in China to determine how US user data was flowing. US staff, it appears, did not have permission or knowledge of how to access the data on their own, according to the leaked recordings. In a recorded January 2022 meeting, a data scientist told a colleague: “I get my instructions from the main office in Beijing.”

The recordings show that US data was accessed far more frequently and recently than TikTok has previously reported, illustrating the challenges the app has faced in attempting to disentangle its US operations from those of its parent company in Beijing.

In response to the BuzzFeed investigation, nine US Senators wrote to TikTk demanding to know

• Do China-based employees indeed have access to US users’ private data?
• What role do Chinese employees play in shaping TikTok’s algorithm?
• Is any US user data shared with the Chinese government?

TIkTok’s responded in a letter insisting that only China-based employees who clear a number of robust internal security protocols can access certain information on TikTok’s US users, including public videos and comments, and that none of that information is shared with the Chinese government.

Project Texas

TikTok gave more details in their letter about how they plans to keep data about American users separate from ByteDance. In the letter TikTok’s CEO, Shou Zi Chew, explained how the company plan to operate the app from servers controlled by Oracle. Under a project codenamed Project Texas. He also reiterated a plan to store 100% American users’ personal information with Oracle, rather than on TikTok’s servers.

“We know we are among the most scrutinised platforms from a security standpoint, and we aim to remove any doubt about the security of U.S. user data.”

Shou Zi Chew, CEO TikTok’

But in defining what user data will be considered ‘personal’, the leaked recordings make clear that, even after Project Texas is complete, significant amounts of US user data – including elements like public videos, comments and bios – won’t be exclusively stored on the Oracle server. This type of data will be stored in the company’s Virginia data centre, which may remain accessible from ByteDance’s Beijing offices even once Project Texas is complete.

How to stop TikTok collecting your data

A lot of TikTok’s data collection is necessary to enable you to enjoy the full functionality of the app but there are a few things you can do to tighten up your privacy and security:

• To turn Personalised ads off, go to Me and select … to open your settings. Then go to Privacy, Safety, Personalise and data and turn the feature to Off.
• Avoid linking your account to other social profiles such as Facebook and Google.
• To request your data and see what TikTok knows about you, go to Profile and tap … to open your settings. Go to Privacy, Personalise and Data, Download TikTok Data.
• To set your account as private, go to Me, tap …, Privacy, Turn Private Account On. Or, you can limit the audience for your videos in TikTok’s Privacy settings. (TikTok warns however that with a private account other users won’t be able to Duet, Stitch, or download your videos.)

Setting your account to private is an essential first step, especially for younger users, but be aware that this will simply guard you from information being shared with others, rather than with TikTok itself. If you’re concerned about your data privacy you need to question how much you really need to use the app.