A former high-level ByteDance executive claims the company has a “back door channel” in its code that allows members of the Chinese Community Party view data from users anywhere in the world, including the US and Hong Kong. The former executive claims CCP officials have used that tool at least once to identify users involved in pro-democracy protests in Hong Kong. If true, the accusations would confirm top concerns voiced by lawmakers around the world racing to ban access to TikTok on national security grounds.
The claims were made by a former US ByteDance head of engineering named Yintao “Roger” Yu in a wrongful dismal lawsuit filed against ByteDance seen by Gizmodo. Yu said data from users in the US and around the world is made “accessible to the CCP [Chinese Communist Party]...via a back door channel,” in the app’s underlying code. The former executive described a deep relationship between government officials and ByteDance, a claim the company and TikTok CEO Shou Zi Chew have downplayed in public statements. According to Yu’s suit, the CCP had a “special office” or unit in the company. These officials, Yu claims, were granted “superuser” credentials which he said made them the equivalent of a “god user,” able to access any and all data collected by ByteDance. The contents of Yu’s lawsuit were first spotted by The Wall Street Journal.
“His actions are clearly intended to garner media attention,”a ByteDance spokesperson told Gizmodo. The company plans to “vigorously oppose” what it believes are “baseless claims and allegations,” and the spokesperson said Yu worked on an app called Flipagram, which has since been discontinued.
“It’s curious that Mr. Yu has never raised these allegations in the five years since his employment for Flipagram was terminated in July 2018,” the spokesperson added.
In Hong Kong, Yu claims CCP officials attempted to access TikTok data from protests and civil rights activists involved in the 2018 pro-Democracy protests. Those officials, Yu alleges, were able to procure IP addresses, SIM card numbers, and other network information in an effort to identify the individuals. Officials were also allegedly able to view these users’ communications on the app. The protesters were speaking out against increasingly strict national security laws imposed in Hong Kong. The TikTok app was made unavailable in the city in 2020.
Yu, who worked at the company between August 2017 and November 2018, went on to describe what he viewed as a “culture of lawlessness” pervading the company. ByteDance, Yu claimed, had a “worldwide scheme” to systematically scrape user content from other sites and place it on ByteDance apps to make them seem larger than they were actually were. Yu similarly claimed ByteDance would create fake users and inflate its metrics.
“These actions were taken without the permission of the content creators and represented an unlawful effort to gain an edge against entrenched online video hosting websites,” the complaint reads.
Charles Yung, an attorney representing Yu, told the Journal they had decided to lodge the lawsuit now partly in response to what they viewed as “misdirection” on the part of TikTok CEO Shou Zi Chew during a recent Congressional hearing. “My client is placing himself at risk by telling his story in court,” Yung told the Journal. “But the truth is powerful, and telling the truth is what’s needed to bring social change.” Yung did not immediately respond to Gizmodo’s request for comment.
During the nearly five-hour combative TikTok hearing earlier this year, Chew danced around questions asking about Communist party influence at ByteDance and begrudgingly admitted ByteDance employees do have access to US user data “on an as-required basis.” The CEO quickly added that would no longer be the case once the company’s US data routing plan with Oracle called “Project Texas” is complete. Chew vigorously denied lawmakers’ accusations, however, that TikTok moderates content on behalf of the Chinese communist party.
“Let me state this unequivocally: ByteDance is not an agent of China or any other country,” Chew said during the hearing.
TikTok, in general has tried to assuage critics’ data security concerns by noting all US user data would be stored in the US once its project with Oracle is complete. The timeline for that project’s completion, however, remains vague. Recent reporting from The Information claimed Oracle employees had “only have limited access” to the app’s source code and suggested the partnership is “in limbo.” Chew has since tried to assuage those concerns.
At the same time, appetite for restrictions of the app in the US appears to be growing by the day. Members of Congress have introduced around half a dozen proposals that would, in one way or another, ban TikTok from private US devices on national security grounds. States are acting even faster. Last month, Montana became the first state to officially ban downloads of the app. That ban, which is slated to take effect in January 2024, is already undergoing major legal challenges.