US claims TikTok shipped personal data to China – very personal data

Not even Oracle could stop it, claims DoJ


The US Department of Justice has alleged that TikTok shipped personal information to China and allowed profiling of the short video app's users based on their attitudes to some ticklish topics.

The Department's views emerged in a filing [PDF] from the US government in response to attempts by TikTok and its parent company ByteDance to strike down laws that force a sale of the platform's stateside operations – and closure if that can't be arranged.

The filing details an internal tool called Lark that TikTok staff use for internal communications. The DoJ alleges "significant amounts of restricted US user data (including but not limited to personally identifiable information)" was shared over Lark.

"This resulted in certain sensitive US person data being contained in Lark channels and, therefore, stored on Chinese servers and accessible to ByteDance employees located in China," the filing asserts.

It gets worse: the filing claims "Lark contained multiple internal search tools that had been developed and run by China-based ByteDance engineers for scraping TikTok user data, including US user data."

Those tools allowed collection of "bulk user information based on the user's content or expressions, including views on gun control, abortion, and religion." The results of those efforts could be viewed in China.

The filing also alleges that TikTok tools allow for "triggering of the suppression of content on the platform based on the user's use of certain words. Although this tool contained certain policies that only applied to users based in China, others such policies may have been used to apply to TikTok users outside of China."

It's not hard to imagine how that tool could suppress anti-Beijing comment, or in concert with the profiling tool help to target campaigns to interested audiences.

The Oracle angle

The filing also makes many mentions of Oracle and the database giant's efforts to become ByteDance's US-based technology partner under a "national security agreement" (NSA) that would ideally have TikTok operate under strict conditions. Big Red offered to segment TikTok data so it could identify matter describing US-based users, segment it, and store it stateside.

The filing states that the US government didn't find that offer adequate, as it "contemplated extensive data flows of US users back to ByteDance and thus to China and because the agreement sought to maintain extensive engagement between TikTok's US operations and the leadership at ByteDance."

A potential role for Oracle as an overseer of TikTok's source code was also rejected, on grounds that the sheer volume of the codebase – two billion lines as of 2022 – meant that a review would require at least three years of work on the code used at that time.

"But the source code is not static," the filing states. "ByteDance regularly updates it to add and modify TikTok's features. Even with Oracle's considerable resources, perfect review would be an impossibility."

The filing contains details that suggest Oracle may have been better off not getting the gig as TikTok's stateside host, observing that Big Red "would be required to sift through such data, using both untested and experimental tools to try to ascertain whether information was routed for legitimate commercial reasons or nefarious reasons at the request of PRC actors."

The DoJ asserted that Oracle, and other tech providers, just couldn't ever know if they had enough info to do the job right.

"Private parties also lack insight into ByteDance's communications with PRC officials, ByteDance's use of US user data, and ByteDance's other TikTok-related activities," the filing argues. US authorities thus "determined that the Final Proposed NSA presented too great a risk because the trusted technology provider and other monitors faced massive scope and scale hurdles that could not be overcome."

The arguments outlined above will be argued in court on September 16. As may even juicier allegations, as substantial chunks of the filing are redacted.

TikTok used its X account to reject the US action against it.

"Nothing in this brief changes the fact that the Constitution is on our side," the outfit Xeeted. "Today, once again, the government is taking this unprecedented step while hiding behind secret information. We remain confident we will prevail in court." ®
