TIKTOK WHISTLEBLOWER: Hawley Demands Thorough Review of Explosive New Allegations

Wednesday, March 08, 2023

Today U.S. Senator Josh Hawley (R-Mo.) sent a letter to U.S. Secretary of the Treasury Janet Yellen, in her capacity as Chairman of the Committee on Foreign Investment in the United States (CFIUS), demanding a thorough review of the whistleblower allegations recently brought to Senator Hawley.

“I write regarding new information brought to my attention by a former ByteDance employee with direct knowledge of TikTok’s operating practices,” wrote Senator Hawley. “As Chair of the Committee on Foreign Investment in the United States (CFIUS), you are responsible for reviewing certain foreign transactions in the United States to determine potential threats to national security. This whistleblower’s allegations are deeply concerning. They also appear to contradict public statements made by TikTok and ByteDance executives.”

He continued, “These highly disturbing allegations are yet another reason why we should ban TikTok in the United States. Despite TikTok’s many reassurances that members of the Chinese Communist Party do not have access to U.S. data, it seems more and more likely that they do.”

Allegations include:

  • TikTok and ByteDance employees – including members of the Chinese Communist Party known to be on ByteDance’s payroll – can switch between Chinese and U.S. data with nothing more than the click of a button.
     
  • TikTok and ByteDance employees use tools that allow for easy access to U.S. data. Some tools only require approval from a manager and a dataset owner before a China-based employee can access U.S. data.
     
  • TikTok coordinates activities with its Chinese parent company, ByteDance. They use the same data analysis tools and chat apps, and managers are in constant contact.

In his letter, Senator Hawley pressed Secretary Yellen on whether or not CFIUS is already looking into the processes alleged by the whistleblower.

In January, Senator Hawley introduced the No TikTok on United States Devices Act to prohibit TikTok from being downloaded on U.S. devices and ban commercial activity with TikTok’s parent company, ByteDance. 

Last year, Senator Hawley’s No TikTok on Government Devices Act prohibiting TikTok on federal government devices was signed into law. It went into effect last week.

Read his new letter here or below.

March 8, 2023

The Honorable Janet Yellen
Secretary
U.S. Department of the Treasury
1500 Pennsylvania Avenue N.W.
Washington, D.C. 20220

Dear Secretary Yellen,

I write regarding new information brought to my attention by a former ByteDance employee with direct knowledge of TikTok’s operating practices. As Chair of the Committee on Foreign Investment in the United States (CFIUS), you are responsible for reviewing certain foreign transactions in the United States to determine potential threats to national security. This whistleblower’s allegations are deeply concerning. They also appear to contradict public statements made by TikTok and ByteDance executives.

On September 14, 2022, TikTok’s Chief Operating Officer, Vanessa Pappas, testified to Congress that “[w]e have strict controls in terms of who and how our data is accessed.” She went on to say, “[w]e believe we have the strictest controls out there.” Furthermore, “[a]nyone who has access to U.S. user data has” this in order “to perform daily duties,” such as “site management [or] bug handling.” But, she testified, “there are strict access controls around the data that is accessed in the United States.” That is because, “[f]or our U.S. users, the data is sorted and housed in the United States.”

Recent events cast substantial doubt on just how robust TikTok’s access controls really are. On October 20, 2022, for instance, Forbes reported that a China-based ByteDance team planned to use the TikTok app to monitor American citizens’ personal locations. Reuters similarly reported on December 22, 2022, that TikTok employees accessed user data from two American journalists.

Now, a TikTok whistleblower has come forward with allegations that shed new light on these troubling reports. The whistleblower describes TikTok’s access controls on U.S. data as “superficial” at best, where they exist at all. As an example, he describes how TikTok and ByteDance employees – including members of the Chinese Communist Party known to be on ByteDance’s payroll – can switch between Chinese and U.S. data with nothing more than the click of a button using a proprietary tool called Dorado. In his words, “[i]t’s just like a light switch.”

Other tools used by TikTok and ByteDance employees allegedly allow for similarly easy access to U.S. data. According to the whistleblower, some tools, such as Aeolus, only require approval from a manager and a dataset owner before an employee can access U.S. data. Most concerningly, the whistleblower reports: “I have seen first-hand China-based engineers flipping over to non-China datasets and creating scheduled tasks to backup, aggregate, and analyze data.”

Finally, the whistleblower describes in detail how TikTok coordinates activities with its Chinese parent company, ByteDance. As he puts it, “TikTok and ByteDance are functionally the same company. They use the same data analysis tools and chat apps, and managers are in constant contact.” The whistleblower also points out that, unlike other social media companies, TikTok and ByteDance rely on proprietary software they engineered in China, thereby reducing foreign scrutiny and enabling Chinese engineers to insert software backdoors.

These highly disturbing allegations are yet another reason why we should ban TikTok in the United States. Despite TikTok’s many reassurances that members of the Chinese Communist Party do not have access to U.S. data, it seems more and more likely that they do. These explosive whistleblower allegations deserve a thorough review and should support a final determination by CFIUS that blocks TikTok’s continued operation in the United States.

So that Congress can consider remedial legislation, please provide the following information by March 20, 2023:

  1. Has TikTok or ByteDance disclosed to CFIUS any software tools, datasets facilities, or internal products named Dorado, Big Service Management, Coral, Triton, or Aeolus? 
     
  2. Has TikTok or ByteDance disclosed to CFIUS whether employees in China have the ability to toggle between U.S. and Chinese data through any of the tools listed above? If so, please explain the access controls on these systems. 
     
  3. Has TikTok disclosed to CFIUS whether U.S. data can be accessed on systems like Dorado by engineers based in China? 
     
  4. Has CFIUS obtained any details relating to the internal approval process for accessing U.S. data by TikTok or ByteDance employees? Please list all access controls protecting U.S. data. 
     
  5. Is it your understanding that China-based companies and their employees are subject to Article 7 of China’s National Intelligence Law, which provides “Any organization or citizen shall support, assist and co-operate with the state intelligence work in accordance with the law”?

Sincerely, 

Josh Hawley 
United States Senator

Issues