In September 2020, at the conclusion of a UK parliamentary committee hearing during which TikTok executives were grilled, in public, for the first time, committee member Kevin Brennan offered his colleagues a frank assessment of how he thought the questioning went.
‘At the end of the session I got the distinct feeling that the committee, talented as we all are, had failed to land a single blow on the witness,’ he admitted. Brennan, the MP for Cardiff West, clearly couldn’t get rid of a niggling suspicion that he and his colleagues had missed something fundamental.
Brennan’s intuition was right—something very fundamental had been missed, but not for want of trying. His colleague Damian Green asked TikTok executive Theo Bertram, a former adviser to UK prime ministers Tony Blair and Gordon Brown, more than once, in a manner of words, if TikTok user data was being sent back to China, but Bertram, the experienced political operator, had equivocated.
‘I have explained several times that we have systems in place to protect our users’ data from access from overseas, in China specifically,’ Bertram told the committee before answering a question that had not actually been asked of him: ‘No employee in China can access TikTok data in the way that you are suggesting on behalf of the CCP [Chinese Communist Party] to carry out mass surveillance. That is not possible.’
Two days later, at an Australian parliamentary committee hearing, TikTok executives were at pains to minimise the extent to which TikTok was in any way connected to China, let alone reveal whether its users’ data was being accessed from there. Their talking points—that TikTok user data was stored in Singapore and the United States and that the company would never hand over the data to the Chinese government even if it were asked—were beside the point.
The location in which any data is stored is immaterial if it can be readily accessed from China. Moreover, TikTok’s parent company, ByteDance, couldn’t realistically refuse a request from the Chinese government for TikTok user data because a suite of national security laws effectively compels individuals and companies to participate in Chinese ‘intelligence work’. If the authorities requested TikTok user data, the company would be required by law to assist the government and then would be legally prevented from speaking publicly about the matter.
In the two years since these parliamentary inquiries, TikTok executives have continued to duck and weave, including in an appearance before the US Congress. In October last year, TikTok vice president and former Republican congressional aide Michael Beckerman parried back and forth for seven minutes with Republican Senator Ted Cruz, desperately trying to avoid answering a simple question about whether TikTok user data, based on the platform’s privacy policy, can go back to an affiliate based in the People’s Republic of China.
‘You have dodged the questions more than any witness I have seen in my nine years serving in the Senate,’ Cruz said to Beckerman. ‘In my experience, when a witness does that, it is because they are hiding something.’
The politicos-turned-TikTok-executives have been savvy enough to avoid a made-for-TV moment when they admit that their users’ data is being accessed from China. But, as I and my ASPI colleagues made clear in our 2020 report on the app, they have never completely denied that that’s the case.
Specifically, a 2020 blog post from TikTok Chief Security Officer Roland Cloutier stated that it was TikTok’s goal for China-based employees to have minimal access to user data. In other words, not only was TikTok user data being accessed in China, but it wasn’t even the company’s intention at the time to completely cut off that access.
In an under-reported September 2020 sworn affidavit, Cloutier was even more explicit. ‘TikTok relies on China-based ByteDance personnel for certain engineering functions that require them to access encrypted TikTok user data,’ he admitted. ‘According to our Data Access Approval Process, these China-based employees may access these encrypted data elements in decrypted form based on demonstrated need and only if they receive permission from our US-based team.’
Last month, a bombshell report from BuzzFeed, based on leaked audio from more than 80 internal TikTok meetings, blew away any pretence that user data was being properly protected by TikTok’s ‘world-renowned, US-based security team’. Instead, as one member of TikTok’s trust and safety department put it in a September 2021 meeting, ‘Everything is seen in China’. In another meeting that month, a director referred to one Beijing-based engineer as a ‘master admin’ who ‘has access to everything’.
When asked about the report by a group of nine Republican senators, TikTok CEO Shou Zi Chew finally acknowledged that China-based employees ‘can have access to TikTok US user data’ and outlined a plan dubbed ‘Project Texas’ that the company had hastily announced in an effort to counteract BuzzFeed’s exposé.
Despite this newfound transparency, this week, Brent Thomas, a former Labor candidate for the seat of Hughes and now TikTok Australia’s director of public policy, continued the kabuki theatre. In his own 900-word response to a letter from Shadow Cybersecurity Minister James Paterson in which he and TikTok Australia CEO Lee Hunter were asked if Australian TikTok users’ data was also accessible in China, Thomas vacillated.
In answering Paterson’s straightforward question, Thomas gave a convoluted answer that drew heavily on previous, vaguely worded statements made by Cloutier, but curiously failed to cite his 2020 affidavit that plainly states that TikTok user data is being accessed by the company’s China-based employees. Only an extremely close reading of the letter reveals that TikTok did not deny what has now become painfully obvious.
At some stage—and hopefully soon—politicians will bring in legislation to properly protect Australians’ privacy and data from all of the big tech companies, whether they’re from the US or China. In the meantime, TikTok Australia needs to be straight with its users so they can make up their own minds.