US claims TikTok shipped personal data to China – very personal data

The US Department of Justice has alleged that TikTok shipped personal information to China and allowed profiling of the short video app's users based on their attitudes to some ticklish topics.

The Department's views emerged in a filing [PDF] from the US government in response to attempts by TikTok and its parent company ByteDance to strike down laws that force a sale of the platform's stateside operations – and closure if that can't be arranged.

The filing details an internal tool called Lark that TikTok staff use for internal communications. The DoJ alleges "significant amounts of restricted US user data (including but not limited to personally identifiable information)" was shared over Lark.

"This resulted in certain sensitive US person data being contained in Lark channels and, therefore, stored on Chinese servers and accessible to ByteDance employees located in China," the filing asserts.

It gets worse: the filing claims "Lark contained multiple internal search tools that had been developed and run by China-based ByteDance engineers for scraping TikTok user data, including US user data."

Those tools allowed collection of "bulk user information based on the user's content or expressions, including views on gun control, abortion, and religion." The results of those efforts could be viewed in China.

The filing also alleges that TikTok tools allow for "triggering of the suppression of content on the platform based on the user's use of certain words. Although this tool contained certain policies that only applied to users based in China, others such policies may have been used to apply to TikTok users outside of China."

It's not hard to imagine how that tool could supress anti-Beijing comment, or in concert with the profiling tool help to target campaigns to interested audiences.

The Oracle angle

The filing also makes many mentions of Oracle and the database giant's efforts to become ByteDance's US-based technology partner under a "national security agreement" (NSA) that would ideally have TikTok operate under strict conditions. Big Red offered to segment TikTok data so it could identify matter describing US-based users, segment it, and store it stateside.

The filing states that the US government didn't find that offer adequate, as it "contemplated extensive data flows of US users back to ByteDance and thus to China and because the agreement sought to maintain extensive engagement between TikTok's US operations and the leadership at ByteDance."

• No, really, please ban Chinese DJI drones from America's skies, senators are urged
• TikTok's Asian e-commerce haul quadrupled in a single year
• Oracle fears US TikTok ban will dent its cloud profits
• Trump threatens to send Meta's Mark ‘Zuckerbucks’ to prison if reelected president

A potential role for Oracle as an overseer of TikTok's source code was also rejected, on grounds that the sheer volume of the codebase – two billion lines as of 2022 – meant that a review would require at least three years of work on the code used at that time.

"But the source code is not static," the filing states. "ByteDance regularly updates it to add and modify TikTok's features. Even with Oracle's considerable resources, perfect review would be an impossibility."

The filing contains details that suggest Oracle may have been better off not getting the gig as TikTok's stateside host, observing that Big Red "would be required to sift through such data, using both untested and experimental tools to try to ascertain whether information was routed for legitimate commercial reasons or nefarious reasons at the request of PRC actors."

The DoJ asserted that Oracle, and other tech providers, just couldn't ever know if they had enough info to do the job right.

"Private parties also lack insight into ByteDance's communications with PRC officials, ByteDance's use of US user data, and ByteDance's other TikTok-related activities," the filing argues. US authorities thus "determined that the Final Proposed NSA presented too great a risk because the trusted technology provider and other monitors faced massive scope and scale hurdles that could not be overcome."

The arguments outlined above will be argued in court on September 16. As may even juicier allegations, as substantial chunks of the filing are redacted.

TikTok used its X account to reject the US action against it.

"Nothing in this brief changes the fact that the Constitution is on our side," the outfit Xeeted. "Today, once again, the government is taking this unprecedented step while hiding behind secret information. We remain confident we will prevail in court." ®