The staff attempted to use the IP addresses — numbered codes assigned to any internet-connected device that can provide a rough estimate of a person’s location — to determine if the journalists and their staff were in contact with ByteDance employees , according to the investigation. The attempt failed to identify the source of the leaks.
The investigation was uncovered in emails that ByteDance’s general counsel sent to employees on Thursday, which the company told the Washington Post. The New York Times first reported on the investigation.
The findings are likely to increase tensions over TikTok, one of the world’s most popular apps, as its company owners scramble to convince the US government that their Chinese holdings pose no privacy or surveillance threats.
Sen. Josh Hawley (R-Mo.), one of TikTok’s biggest critics in Congress, cited the investigation on a Thursday tweet. “That’s why Congress needs to ban TikTok on all federal devices now,” he said.
Nineteen states recently passed legislation banning the use of TikTok on state-owned phones, and congressmen on Tuesday included a similar ban on federal employees in their must-pass omnibus spending bill.
The company has been negotiating an agreement with a government body known as the Committee on Foreign Investment in the United States since 2019. In August, it proposed a major overhaul of its US operations that would further restrict access to US user data and give federal officials veto power over key decisions, including its board of directors, The Post reported this week, citing people familiar with it are discussions.
CFIUS officials have yet to approve the deal, saying they continue to review the company for potential national security concerns.
How TikTok Ate the Internet: A Three Part Series
Erich Andersen, general counsel of ByteDance, said the company’s global legal compliance team engaged an outside law firm to help launch an investigation into claims in a news report that the company inappropriately used users’ location data collected.
A ByteDance spokeswoman declined to name the law firm, saying only that it was “a prominent law firm” and said the company was in communication with Congress and CFIUS.
The investigation, Andersen said, found that employees of ByteDance’s internal audit department this summer engaged in a “misguided plan” to use TikTok user data to investigate whether the journalists had contacted current employees by using their IP get addresses.
Company officials didn’t name the journalists, but some of the details match exactly an October report by Emily Baker-White, a former BuzzFeed journalist now at Forbes, who has written articles sharing internal documents, screenshots, and meeting transcripts quoted.
ByteDance laid off the four employees and reorganized its internal audit and risk control department, including by creating a board of directors to help set new guidelines for its employees’ investigations, Andersen said.
ByteDance CEO Rubo Liang said in an email to employees on Thursday that he was “deeply disappointed” by the situation, saying, “The public trust that we have built with tremendous effort is being eroded by the misconduct of some less significantly undermine individuals.”
“Regardless of the cause or outcome, this misguided investigation seriously violates the company’s code of conduct and is condemned by the company,” he added. “We simply cannot take integrity risks that damage the trust of our users, employees and stakeholders.”
In a third email, TikTok CEO Shou Zi Chew outlined how the company had begun moving and backing up US user data in recent months, and “systematically providing access points” to the information for all but a select group of authorized users to interrupt the officer.
“We must continue to prioritize these efforts and not allow the ill-considered actions of a few people to undermine the work of tens of thousands,” he said.
The findings could question TikTok’s ability to convince federal lawmakers that its international operations pose no threat to the safety of US users.
TikTok has repeatedly stated that it is not influenced by the Chinese government and that employees at ByteDance’s Beijing office, where crucial parts of TikTok’s code are designed and built, are barred from accessing Americans’ information.
TikTok officials have held briefings for members of Congress and their staff to outline their proposal to CFIUS that would separate the decision-making of the TikTok-US team from ByteDance and give US authorities veto power over appointments to lead the US operation said four people with knowledge of the discussions spoke to The Post on condition of anonymity as they were not authorized to discuss the work publicly.
The company said it spent more than $1.5 billion implementing the plan, known internally as Project Texas, and that it would tie the company to a level of public scrutiny and oversight that’s more involved than any US technology company currently.
Some skeptics in Washington, including many leading Republicans, argue that a Chinese tech giant’s ownership of TikTok poses an insurmountable risk to US privacy and have called for a full divestment or ban.