In January, TikTok CEO Shou Zi Chew faced an intense grilling by skeptical U.S. lawmakers about his company’s ties to Beijing and its alleged risk to national security. Calm under the barrage, he repeatedly denied any wrongdoing and reiterated that the social media service had cut most of its connections to ByteDance, its Chinese parent.
But with the House voting in March to force ByteDance to sell its stake in TikTok, 11 former employees interviewed by Fortune tell a vastly different story. Many of those ex-workers, four of whom were employed as recently as last year, say at least some of TikTok’s operations were intertwined with its parent during their tenures, and that the company’s independence from China was largely cosmetic. A few of the former workers would only speak to Fortune on the condition of anonymity for fear of retaliation by TikTok, including the company seizing restricted stock they were given while still employees.
The allegations of close ties, made in interviews between August and April, raise more questions about the relationship between TikTok and ByteDance. They also create more fodder for critics who fear the Chinese government could use TikTok as a sort of Trojan horse to spy on Americans by sifting through the huge amounts of digital data that it collects.
Evan Turner, who worked at TikTok as a senior data scientist from April to September in 2022, said TikTok concealed the involvement of its Chinese owner during his employment. When hired, Turner initially reported to a ByteDance executive in Beijing. But later that year, after the company announced a major initiative to store TikTok’s U.S. user data only in the U.S., Turner was reassigned—on paper, at least—to an American manager in Seattle, he says. But Turner says a human resources representative revealed during a video conference call that he would, in reality, continue to work with the ByteDance executive. The stealth chain of command contradicted what TikTok’s executives had said about the company’s independence from ByteDance, Turner says.
Turner says he never met with the Seattle-based manager. Instead, Turner had weekly check-ins lasting less than seven minutes with the Beijing-based ByteDance executive. In these meetings, Turner says he merely told the executive how far along he was in completing assigned tasks—and nothing else.
Nearly every 14 days, as part of Turner’s job throughout 2022, he emailed spreadsheets filled with data for hundreds of thousands of U.S. users to ByteDance workers in Beijing. That data included names, email addresses, IP addresses, and geographic and demographic information of TikTok U.S. users, he says. The goal was to sift through the information to mine for insights like the geographical regions where users watched the most videos of a particular genre and decide how the company should invest to encourage users to be more active. It all took place after the company had started its initiative to keep sensitive U.S. user data in the U.S., and only available to U.S. workers.
“I literally worked on a project that gave U.S. data to China,” Turner says. “They were completely complicit in that. There were Americans that were working in upper management that were completely complicit in this.”
TikTok’s project to stop sharing user data with ByteDance was part of an effort to fend off regulators. The initiative, called Project Texas, started in early 2022 after President Trump tried to ban TikTok, citing its national security threat, followed by President Biden banning the service on federal devices and raising concerns about its Beijing-based parent. As part of the $1.5 billion Project Texas, TikTok’s U.S. operation moved its U.S. user data to U.S.-based data centers, according to TikTok’s Project Texas website. The company also created a new team to manage all business functions requiring sensitive user data, among other security measures.
Two years later, TikTok remains in the crosshairs. On March 13 the full House of Representatives voted 352–65 to ban TikTok unless ByteDance sold the app to a non-Chinese company. President Biden said he would sign the bill, but the Senate has yet to decide its next step.
Cybersecurity experts differ on the significance of TikTok’s alleged data sharing.
Anton Dahbura, executive director of Johns Hopkins Information Security Institute and also codirector of the school’s Institute for Assured Autonomy, says the alleged transfer of data to China in the incidents described by Turner is “very concerning.” “Even though a spreadsheet is probably a very tiny percentage of all of the information that TikTok collects, it can be extremely targeted and very damaging to certain people,” he says. Dahbura pointed out that geographic data can be used for phishing attacks. “Everyone should be really concerned,” he says.
Meanwhile, Georgia Tech cybersecurity and privacy professor Jon Lindsay chalks Turner’s story of sending U.S. user data to Chinese colleagues via email up to growing pains, and therefore far less serious. “Companies are companies, and big bureaucracies are big bureaucracies; they’re stupid and silly and do all kinds of crazy things—it’s hard to change your own habits,” says Lindsay, who has written two books on information technology and national defense. “If you’re moving things to a new place, and your friends with expertise are in other places, then, yes, you’re occasionally going to be sending them things because, maybe, they can do things you can’t do or you haven’t hired the right people or you left some machines there.”
Who’s lurking on Lark?
In another example of potential data sharing between TikTok and ByteDance, Patrick Spaulding Ryan, who was TikTok’s lead technical program manager for security engineering until 2022, and another former TikTok U.S.-based employee, cited some of the company’s internal software systems that they said were maintained and monitored by China-based ByteDance teams. Lark, a Slack-like internal messaging system that ByteDance and TikTok share, is among the most important shared software systems used by the two businesses, say the former employees. Because Lark is run by ByteDance, ByteDance workers could see discussions by TikTok employees, including ones about U.S. user data.
Nnete Matima, who worked in business development at both TikTok and ByteDance in the U.S., sold Lark to corporate customers from July 2022 to August 2023. In her sales conversations, prospective customers would ask Matima where Lark stored data that users posted on the platform. In trying to find out the answer, Matima said she spent significant time getting the “runaround” and never received a firm answer from TikTok and ByteDance management. “You could never really get any straight answers that could be solid enough to bring back to your client to basically let them know that this is a trustworthy platform, and that their American data is safe,” she recalls. “They are not transparent to the point where I had to lose a deal because I couldn’t answer basic security questions that people are entitled to.”
Matima, who is Black, was fired from the company in August 2023. In her telling, the company terminated her employment because of performance issues, but she believes she was fired in retaliation for voicing her concerns about alleged racist treatment she endured during her tenure at TikTok, according to a complaint she filed after her dismissal with the Fair Employment Practices Agencies and Equal Employment Opportunity Commission. Matima says she has already spoken to an EEOC investigator about the complaint.
Last year, the New York Times reported about Lark storing critical data in China. The company did not respond to the Times’ questions about whether Lark data was stored in China and declined to answer questions about China-based workers sharing TikTok user data on Lark. It did say, however, that many Lark chat groups were shut down “after the service had reviewed ‘internal concerns.’”
Jacob Wallach, who worked at the company from June 2020 until August 2022 on the company’s global business solutions team managing relationships with enterprise clients, was unconcerned by ByteDance’s presence and oversight of Lark. “I didn’t feel uncomfortable that Chinese workers had access…it’s like with any global entity,” he says. Wallach believes the possibility for surveillance by his former employer was equal to those of other companies he’s worked for in the U.S. He noted the infrequent interactions he had with Beijing-based counterparts and said that a requirement that TikTok be sold, as the House recently endorsed, “doesn’t make any sense.”
Another service TikTok and ByteDance share is Seal, an authenticator app and VPN network that employees were required to download on their work phones to protect their identities, data, and systems from potential risks. Often those phones were personal devices because the company did not provide phones to employees, according to Ryan, who says he led the company’s core TikTok app security team until his departure in 2022. The software gave ByteDance a foothold on the personal devices of U.S. employees, which made them vulnerable to surveillance by Beijing-based ByteDance employees, says Ryan.
Seal, which was intended for managing mobile devices, remained “completely unknown to [TikTok U.S.] employees,” says Ryan, making the point that no one knew how it worked. Members of the App Security R&D team, TikTok’s core app security unit, were unable to test the technology, he adds. Ryan, who owns tens of thousands of TikTok shares, has filed a complaint with the National Labor Relations Board that alleges the company’s non-disparagement clause in its shareholder agreement violates employees’ right to unionize, constituting an unfair labor practice.
Georgia Tech’s Lindsay describes the ex-employees’ concerns about Seal and Lark as “paranoia.” He believes any spying by China-based workers via Lark and Seal would be highly unlikely because it would compromise ByteDance’s entire enterprise business of selling the software, which ByteDance reportedly hoped would hit $940 million in global revenue by 2026. “There is tremendous risk involved when you’re talking about putting generic backdoors in mass-produced commodities because the likelihood of [the backdoors] becoming discovered, compromised, and mitigated is so high—and then losing a massive amount of market share because of that one decision, which provides nothing to the company and very tenuous intelligence benefits to the State,” Lindsay says.
In contrast, Johns Hopkins’ Dahbura thinks the ties are evidence that “ByteDance and their Chinese government associates haven’t been trying very hard to create a true firewall between their Chinese operation and their U.S. operation.” He says the former employees’ allegations about Lark’s China connection is “unsurprising.”
In late March, Politico reported that the Federal Trade Commission had been investigating TikTok over alleged “faulty data and data security practices.” Politico’s source says the FTC was investigating allegations that the company deceived users by denying China had access to their data and violating a children’s privacy law. The agency could either proceed with a settlement or take the company to court, in partnership with the Department of Justice. Spokespeople for the FTC, DOJ, and TikTok declined to comment about Politico’s story.
Not all former employees are critical of the effort by TikTok and ByteDance to separate their collection of user data. Another ex-TikTok manager, who started at the company in 2020 and left recently, said that TikTok has made progress in separating user data originally shared between the two. He says that Project Clover, the European Union’s Project Texas equivalent, as well as Project Texas, have made a “significant difference” in securing the data of European and U.S. users. “When I joined there was less of a delineation between TikTok and the parent company. Now there’s been a lot of work done to delineate it…I can’t speak to leadership decisions, but in terms of the technology stack, there’s been a lot done to delineate them.”
Wallach, the former TikTok global sales manager, also dismissed the criticism around TikTok’s data practices. He argued that TikTok is facing undue criticism as a result of its Chinese parent and U.S. popularity. Wallach, who has worked at tech and consulting companies and was at TikTok for over two years, says that the data collection practices of Meta, Google, and Amazon are far more concerning. “TikTok has had to do things to the 10th or 11th degree compared to what Meta or Google has had to do—solely because they’re owned by a Chinese company,” he says.
TikTok ignored a detailed list of questions sent by Fortune about the allegations by its former employees. Rather, a TikTok spokesperson responded: “These are completely unfounded assertions brought forth by disgruntled ex-employees. It is incredible that Fortune would solely rely on individuals with clear motives and agendas to spread anonymous lies and distortions.”
Four of the ex-employees interviewed by Fortune were fired from the company, while the other seven exited voluntarily from 2021 through 2023. Four of those interviewed have filed complaints with government agencies related to their treatment as TikTok employees and shareholders. Matima and Jöel Carter, a former ad policy manager, filed a joint complaint with the EEOC. A third employee complained to the National Labor Relations Board and Internal Revenue Service. The fourth filed a complaint with the Securities and Exchange Commission.
In public, TikTok executives are adamant that TikTok has changed its practices involving ByteDance. In an internal memo from December viewed by the Wall Street Journal, the company told workers it planned to provide Project Texas employees with new tools and devices for sharing data and communicating with one another after employees voiced concern about ByteDance potentially accessing their ByteDance-owned hardware and software.
In January of this year and March 2023, TikTok CEO Chew reiterated before Congress that the company is independent. He emphasized that three of ByteDance’s five board members are American (the other two are Chinese), and that the service has spent the last two years building a “firewall” that seals “protected U.S. user data from unauthorized foreign access,” referring to Project Texas. “The bottom line is this American data is stored on American soil by an American company overseen by American personnel,” he said during last year’s testimony.
TikTok is working hard to maintain its image of independence
Katie Puris, TikTok’s former head of global business marketing, sued the company in February for discrimination, saying that her Beijing-based bosses expected her to be demure, and that it led to her firing in the fall of 2022. In her complaint, she also revealed details about the alleged involvement of ByteDance in TikTok’s business.
Beginning in 2020, Puris said in her complaint, filed in the U.S. District Court in New York’s Southern District, that ByteDance executives began asserting more control over TikTok’s day-to-day operations, counter to what TikTok said in public. They did so by organizing bimonthly meetings led by ByteDance chairman Lidong Zhang so that executives like Puris could talk about their achievements and form plans for the following two months with top officers at ByteDance. “Despite its attempts to appear independent, TikTok’s day-to-day management and business decisions came directly from ByteDance’s top-level management in China,” the lawsuit says.
Through her attorney, Puris did not respond to requests to be interviewed by Fortune. TikTok has not commented on the lawsuit.
The involvement of ByteDance in TikTok’s U.S. operations has been documented in a number of other publications. Last year, a worker at ByteDance in China told the Wall Street Journal that the Chinese government had accessed TikTok user data in 2018 to spy on Hong Kong’s pro-democracy protesters, including their network information, SIM card IDs, and IP addresses. A TikTok spokeswoman told the Journal these allegations were “baseless claims” by an employee who had not spoken out in the five years following his 2018 termination and was now suing the company to “garner media attention.”
Additionally, in 2022, Buzzfeed News reported that ByteDance employees in China repeatedly accessed U.S. user data. A TikTok spokesperson denied the allegation to BuzzFeed, saying, “We aim to remove any doubt about the security of U.S. user data” and “continually work to validate” security standards by bringing in “reputable, independent third parties to test [its] defenses.”
Forbes also found that ByteDance and TikTok staff, including personnel in China, have access to top politicians’ and celebrities’ closest contacts on the app and that TikTok stored data in China of many top global users. In response, a TikTok spokesperson told Forbes it was impossible to answer the publication’s questions without the name of the “specific tool in question” and stated it remained “confident in the accuracy” of CEO Chew’s March congressional testimony. During the testimony, Chew said the “firewall protected U.S. data from unwanted foreign access,” noting that once the company finished deleting legacy data stored on servers in Virginia and Singapore, “all protected U.S. data will be under the protection of U.S. law and under the control of the U.S.-led security team.”
TikTok has tried to mitigate any damage caused by workers talking to reporters about China. One ex-TikTok worker who left in 2021, for instance, says TikTok gave him talking points to help deny links to China, if asked about the topic.
External criticism about China was a big topic inside the company, too. Yet another former senior employee, who left in 2022, recalls having to assuage fears internally across TikTok’s entire workforce about its dependence on ByteDance. “I would say things that just weren’t the case,” she says, admitting that she felt it was part of her job to downplay to colleagues the ties with ByteDance. “It undermined my credibility with the company, with the employees I was friends with, and everything else.”
Subscribe to the Eye on AI newsletter to stay abreast of how AI is shaping the future of business. Sign up for free.