The workers tried to use the IP addresses — numbered codes assigned to every internet-connected device that can give a rough estimate of a person’s location — to see whether the journalists and their associates had been in contact with ByteDance employees, the investigation found. The attempt did not identify the source of the leaks.
The investigation was revealed in emails that ByteDance’s general counsel sent to employees on Thursday, which the company shared with The Washington Post. The New York Times first reported the investigation.
The findings will likely intensify tensions over TikTok, one of the world’s most popular apps, as its corporate owners strive to persuade the U.S. government that its Chinese ownership poses no data-privacy or surveillance threat.
Sen. Josh Hawley (R-Mo.), one of TikTok’s biggest critics in Congress, cited the investigation in a tweet on Thursday. “This is why Congress must BAN TikTok on all federal devices now,” he said.
Nineteen states have recently passed laws prohibiting the use of TikTok on government-owned phones, and members of Congress on Tuesday included a similar ban for federal employees in its must-pass omnibus spending bill.
The company has since 2019 been negotiating an agreement with a government panel known as the Committee on Foreign Investment in the United States. In August, it proposed a major restructuring of its U.S. operations that would further restrict who can access U.S. users’ data and give federal officials veto power over key decisions, including its board of directors, The Post reported this week, citing people familiar with the discussions.
CFIUS officials have not yet approved the deal, saying they continue to review the company for potential national-security concerns.
Erich Andersen, ByteDance’s general counsel, said the company’s Global Legal Compliance team brought in an external law firm to help launch an investigation into claims made in a news report alleging the company had inappropriately gathered users’ location data.
A ByteDance spokeswoman declined to name the law firm, saying only that it is “a prominent firm,” and said the company is in communication with Congress and CFIUS.
The investigation, Andersen said, found that employees in ByteDance’s internal-audit department had carried out a “misguided plan” this summer to use TikTok user data to examine whether the journalists had made contact with current employees by pulling their IP addresses.
Company officials did not name the journalists, but some of the details match closely with an October report from Emily Baker-White, a former BuzzFeed journalist, now at Forbes, who has written articles citing internal documents, screenshots and meeting recordings.
ByteDance fired the four employees and has restructured its Internal Audit and Risk Control department, including by adding an oversight council to help set new policies for its employee investigations, Andersen said.
ByteDance’s chief executive, Liang Rubo, said in an email to employees Thursday that he was “deeply disappointed” by the situation, saying, “The public trust that we have spent huge efforts building is going to be significantly undermined by the misconduct of a few individuals.”
“No matter what the cause or the outcome was, this misguided investigation seriously violated the company’s Code of Conduct and is condemned by the company,” he added. “We simply cannot take integrity risks that damage the trust of our users, employees, and stakeholders.”
In a third email, TikTok’s chief executive, Shou Zi Chew, outlined how the company had in recent months begun moving and safeguarding U.S. user data and “systematically cutting off access points” to the information for all but a select group of authorized officials.
“We must continue to prioritize these efforts and not let the poorly conceived acts of a few people undermine the work of the tens of thousands,” he said.
The findings could challenge TikTok’s ability to persuade federal lawmakers that its international operation poses no threat to U.S. user security.
TikTok has said repeatedly that it is not influenced by the Chinese government and that employees in ByteDance’s Beijing office, where critical parts of TikTok’s code are designed and built, are restricted from accessing Americans’ information.
TikTok officials have held briefings for members of Congress and their staff to detail their proposal to CFIUS, which would sever the TikTok U.S. team’s decision-making from ByteDance and give U.S. authorities veto power over the appointment of the U.S. operation’s leadership, according to four people with knowledge of the discussions, who spoke to The Post on the condition of anonymity because they were not authorized to discuss the work publicly.
The company said it has spent more than $1.5 billion on implementing the plan, known internally as Project Texas, and that it would bind the company to a level of public scrutiny and oversight more involved than any U.S. technology firm currently faces.
Some skeptics in Washington, including many top Republicans, argue that TikTok’s ownership by a Chinese tech conglomerate poses an insurmountable risk to U.S. data privacy and have called for a full divestiture or ban.


