TikTok cops to running “covert surveillance campaign” on Western journalists

ByteDance admits abuses of power —

Fired employees “misused their authority to obtain access to TikTok user data.”

Following an internal investigation, TikTok owner ByteDance today confirmed reports from this fall that claimed some of its employees used the popular app to track multiple journalists, including two in the US. The ByteDance employees’ goal? To identify anonymous sources who were leaking information to the media on the company’s ties to the Chinese government, according to The New York Times.

Forbes reported that multiple reporters from its own publication were “part of this covert surveillance campaign.” A Buzzfeed reporter and UK-based Financial Times journalist Cristina Criddle were also surveilled, FT reported. ByteDance employees reportedly accessed reporters’ TikTok accounts to obtain IP and user data, assessing whether there was any overlap with pings from known locations of ByteDance employees suspected of leaking. ByteDance confirmed that these tactics became so broad that the employees also monitored the data of some of the journalists’ associates.

According to Forbes, ByteDance fired Chris Lepitak, the chief internal auditor responsible for the company’s Internal Audit and Risk Control department. ByteDance confirmed Lepitak’s team was behind the surveillance campaign. In October, Forbes reported that Lepitak was also seemingly seeking information on the “location and details of the Oracle server that is central to TikTok’s plans to limit foreign access to personal US user data.” That server is key to the Biden administration’s ongoing discussions with TikTok over national security concernswith the US increasingly wary of China-based ByteDance employees gaining access to US-stored data.

Forbes received access to one internal email from TikTok General Counsel Erich Andersen, which confirmed that Lepitak’s team “misused their authority to obtain access to TikTok user data” in tracking journalists.

FT reported that four employees were involved, and Forbes reported that ByteDance fired two employees based in the US and two in China. ByteDance spokesperson Hilary McQuaide echoed Andersen’s email in a statement saying that “the misconduct of certain individuals, who are no longer employed at ByteDance, was an egregious misuse of their authority to obtain access to user data.”

Ars could not immediately reach ByteDance for comment.

Earlier today, Reuters reported that TikTok began offering the US more concessions, seemingly willing to take any step but put itself up for sale to alleviate concerns about China-based employees accessing American user data. The deal will be that much harder to close after ByteDance confirmed that American journalists and civilians have already been tracked by China-based employees. Already, some US lawmakers have been voting to remove TikTok from government devices, and Congress is considering passing a nationwide ban.