Australian Senator catches TikTok in a lie

By Morsten Plack

• Australian Senator James Paterson wrote to TikTok on 3 July 2022 following revelations in a BuzzFeed article on 17 June 2022 by Emily Baker-White where he asked if Australian user data is accessible in China to the Chinese Communist Party.
• A representative for TikTok, Mr Brent Thomas, responded on 12 July 2022 confirming that Australian user data is accessible in mainland China but that TikTok would not provide it to the Chinese Government if asked.
• If TikTok denied such a request by the Chinese Communist Party to share its data on Australian users they would be breaking a number of Chinese laws.

BuzzFeed Catalyst

The recordings, which were reviewed by BuzzFeed News, contain 14 statements from nine different TikTok employees indicating that engineers in China had access to US data between September 2021 and January 2022, at the very least. Despite a TikTok executive’s sworn testimony in an October 2021 Senate hearing that a “world-renowned, US-based security team” decides who gets access to this data, nine statements by eight different employees describe situations where US employees had to turn to their colleagues in China to determine how US user data was flowing. US staff did not have permission or knowledge of how to access the data on their own, according to the tapes.

“Everything is seen in China,” said a member of TikTok’s Trust and Safety department in a September 2021 meeting. In another September meeting, a director referred to one Beijing-based engineer as a “Master Admin” who “has access to everything.”

Source Leaked Audio From 80 Internal TikTok Meetings Shows That US User Data Has Been Repeatedly Accessed From China by Emily Baker-White.

National Intelligence Law of the P.R.C. (2017)

(Passed on June 27, 2017 by 28th meeting of the Standing Committee of the 20th National People's Congress)

Article 7: All organizations and citizens shall support, assist, and cooperate with national intelligence efforts in accordance with law, and shall protect national intelligence work secrets they are aware of.

The State protects individuals and organizations that support, assist, and cooperate with national intelligence efforts.

Source China Law Translate - National Intelligence Law of the P.R.C. (2017)

2016 Cybersecurity Law

Article 28: Network operators shall provide technical support and assistance to public security organs' and state security organs; lawful activities preserving national security and investigating crimes.
...
Article 37: Personal information and other important data gathered or produced by critical information infrastructure operators during operations within the mainland territory of the People's Republic of China, shall store it within mainland China. Where due to business requirements it is truly necessary to provide it outside the mainland, they shall follow the measures jointly formulated by the State network information departments and the relevant departments of the State Council to conduct a security assessment; but where laws and administrative regulations provide otherwise, follow those provisions.

Source China Law Translate - 2016 Cybersecurity Law

Letter from Senator James Paterson to TikTok

3 July 2022

Lee Hunter
General Manager
TikTok Australia Via email

CC Brent Thomas
Director of Public Policy
Via email

Dear Mr Hunter,

I write regarding correspondence between your US counterpart and members of the United States Senate which followed reports in Buzzfeed on 17 June that TikTok user data has been accessed, and remains accessible in mainland China.

In the letter, TikTok CEO Shou Zi Chew acknowledges "China-based employees, can have access to TikTok U.S. user data..."

Could you please confirm:

Is Australian user data also accessible by TikTok or ByteDance employees in mainland China? Has that data been previously accessed?

If so, on what basis could they refuse a request from the Chinese government under the National Security Law for access to that Australian user data?

I would be grateful for any clarification you can provide on these matters, in particular noting your letter to members of the Australian Parliament of 13 July 2020, in which you stated "TikTok's Australian user data is stored in Singapore and the United States" and that "We have never provided TikTok user data to the Chinese government, nor would we do so if asked."

Kind regards,
Senator James Paterson
Shadow Minister for Cyber Security
Shadow Minister for Countering Foreign Interference
Liberal Senator for Victoria

Source: Senator James Paterson Twitter

Response from Mr Brent Thomas of TikTok to Senator James Paterson

12 July 2022

Senator James Paterson
Shadow Minister for Cyber Security
Via email

Dear Senator Paterson

Thank you for your letter dated 3 July 2022.

TikTok is an entertainment platform with a mission to inspire creativity and bring joy. Since we established in Australia late in 2019, millions of Australians have found community on TikTok. Our platform enables people to express themselves creatively, to learn, discover and be entertained. For many Australian businesses, it's also been a great place to reach new customers, helping them to grow and thrive.

While TikTok is not the go to place for news or politics, we note that a number of politicians and organisations of all political stripes have also used TikTok to engage with the community, including former Prime Minister Scott Morrison and former Treasurer Josh Frydenberg.

As you may recall, in September 2020, TikTok representatives appeared before the Australian Senate's Select Committee on Foreign Interference through Social Media, and provided considerable detail about our stringent data and security practices. During 2020, there were also reported investigations initiated by the then Coalition Government, led by Prime Minister Morrison, which found no evidence to suggest that the security interests of the nation, or individual citizens, were being compromised by TikTok.

The evidence we provided to the Committee on 25 September 2020 was accurate then, and it is accurate now. Indeed, since then, we have continued our work to drive and improve safety and protections for our community and their data.

In response to your questions, I draw your attention to the following extracts from the Hansard from our U.S.-based Chief Security Officer, Mr Roland Cloutier, with respect to data access and security processes:

"First and foremost, the information is not resident in China... That information is protected with significant levels of protection in encryption. It's protected with access and identity management solutions that are in our hosting environment, our enterprise environment. It's protected by state-of-the-art monitoring capabilities...

"With our protection, it doesn't matter at what level of the company an individual is, it is based on the need to access data... Those principles, technologies and protections are applied through a US security team as well. They're overseen by a global security monitoring group that operates across the globe.

"These principles are applied globally, they are applied strictly, and they are managed with significant oversight. That applies internally to our enterprise protection, to our hosted protected Internet data centres, as well as to the data elements themselves within the product, and even on the application."

With respect to the Chinese Government (and noting your specific concern), Mr Cloutier stated clearly and accurately: "We would never give Australian user data to the Chinese government." To reiterate, we have never provided Australian user data to the Chinese government, we have never been asked for Australian user data by the Chinese Government, and we would not provide it if we were asked.

There are strict protocols in place to protect Australian user data. Australian user data is stored in Singapore and the U.S. Our security teams minimise the number of people who have access to data and limit it only to people who need that access in order to do their jobs. We have policies and procedures that limit internal access to Australian user data by our employees, wherever they're based, based on need.

Access is subject to a series of robust controls, safeguards like encryption for certain data, and authorisation approval protocols overseen by our U.S.-based security team. To facilitate those approvals, we also have an internal data classification system, and the level of approval required for access is based on the sensitivity of the data according to the classification system. The purpose of these processes and protocols is to ensure data is only ever accessed by those who require it to allow our business and our service to function. Whenever a specific job has been completed, permissions to access are once again removed.

You have our wholehearted agreement that Australian user data integrity and protection is of the utmost importance, and its integrity and security is at the core of our daily operations and commitments to our community. Our global security team is constantly working to stay ahead of next-generation cyber threats. We continually work to validate our security standards and collaborate with industry-leading experts to test our defences. In the past year, we've earned ISO 27001 certifications and the ioXt Alliance also certified TikTok for meeting rigorous standards and commitments to cybersecurity, transparency and privacy.

Since 2020, TikTok has continued our focus on driving ever greater user data and security protections, including further tightening of access and data controls. We've also continued to partner very closely with a range of Australian Government agencies, including the Australian Electoral Commission and the Department of Home Affairs. In recent months, we have taken the Australian House of Representatives Select Committee on Social Media and Online Safety through our Transparency and Accountability Centre tour (we would be happy to welcome you to a similar tour if you are interested), and released more important information through our regular reporting processes, details of which are available online. Our work to drive improvement never stops and the safety and privacy of our community is a top priority.

We look forward to hearing if you would like to undertake a tour of our Transparency and Accountability Centre.

Sincerely,

Brent Thomas
Director of Public Policy, Australia and New Zealand

Source: Senator James Paterson Twitter

Source Documents