India’s 150 million users were forced to stop using the Chinese-owned app in 2020. But an internal tool reviewed by Forbes showed that ByteDance and TikTok employees can still mine some of their most sensitive data. One employee called it “NSA-To-Go.”
By Alexandra S. Levine, Forbes Staff
Almost three years after TikTok’s largest market, India, banned the Chinese-owned social media app over geopolitical tensions, troves of personal data of Indian citizens who once used TikTok remain widely accessible to employees at the company and its Beijing-based parent, ByteDance, Forbes has learned.
The revelation comes as President Joe Biden’s administration threatens to ban the platform used by more than 100 million Americans if TikTok’s Chinese owner does not sell its stake. Officials in the highest levels of the U.S. government see a blanket TikTok ban as a possible solution to the country’s national security concerns about the potential for China to surveil or manipulate Americans. Some have called India a “guide star,” urging the U.S. to follow its lead.
“I don’t think [Indians are] aware of how much of their data is exposed to China right now, even with the ban in place,” a current TikTok employee told Forbes.
According to the employee and a review of internal TikTok and ByteDance programs by Forbes, almost anyone at the companies with basic access to their tools can retrieve and analyze granular data about past TikTok users in India. (ByteDance has more than 110,000 employees around the world, including in China and Russia, but reportedly fired its entire India staff last month.) Another source also independently confirmed that Indians’ data has been accessible since the country banned the app.
“I don’t think [Indians are] aware of how much of their data is exposed to China right now, even with the ban in place.”
One social mapping tool—which the TikTok employee jokingly called “NSA-To-Go”—can spit out a list of any public or private user’s closest connections on TikTok and personally identifiable information about them, and it still pulls up the TikTok profiles of people in India, according to a review by Forbes. Staff can plug in a TikToker’s unique identifier or UID, a string of numbers tied to more detailed data about the person, to retrieve the TikTok usernames (often, first and last name) of hundreds of friends and acquaintances; the region where they live; and how they share TikTok content with phone contacts and users across other social platforms. The same UID can be used across TikTok and ByteDance’s other internal tools to find even more information about the person—including their search behavior. The TikTok employee described it as a key to building a “digital dossier” on any user, including those with private accounts.
“We have steadfastly complied, and continue to remain in full compliance, with the Government of India order since it was implemented,” TikTok spokesperson Jason Grosse said in an email. “All user data is subject to our robust internal policy controls surrounding access, retention, and deletion.” ByteDance did not respond to a request for comment.
The purpose of India’s 2020 ban appears to have focused on preventing public access to TikTok in the country going forward, given concerns about the app potentially sending data it had collected on Indian users back to China. (Nikhil Gandhi, who was then head of TikTok in India, said at the time that TikTok had “not shared any information of our users in India with any foreign government, including the Chinese government.”) The ban did not seem to call for deletion of app data that had already been captured and stored.
As a result, the profiles of Indian users who once used TikTok can still be found online, though their owners haven’t been able to post since the 2020 ban. The company would not say how many Indian accounts can be viewed in the internal tool, but TikTok had roughly 150 million monthly active users there at the time it was shut down, according to data analytics firm Sensor Tower. The data in this particular tool appears to be frozen in time for the India users; for other countries like the U.S., where TikTok is widely used today, it updates in real-time.
The current TikTok employee told Forbes that nearly anyone with basic access to company tools—including employees in China—can easily look up the closest contacts and other sensitive information about any user. That includes everyone from prominent public figures to the average person, according to the employee and a Forbes review of the tool. In the wrong hands, the employee noted, that information could be dangerous.
“From [their social graphs], if you want to start a movement, if you want to divide people, if you want to do any kind of operation to influence the public on the app, you can just use that information to target those groups,” they said. This powerful demographic data, especially on TikTok’s unmatched Gen Z userbase, could also be highly valuable for commercial purposes, the employee added.
“We can’t ban them from the data they already have.”
Beyond the India case, company-wide access to a tool like this could be highly problematic in the context of geopolitical conflict. Data on users from Ukraine and Russia, including details about who they communicate with on the app, has been available in the tool, according to the TikTok employee and internal materials obtained by Forbes. Though there is no known instance of this tool or others at TikTok being used against foreign adversaries, such information could jeopardize the safety of soldiers and citizens alike.
“When an authoritarian country like China is able to amass a lot of information about citizens in another country, that’s going to raise all sorts of red flags,” former National Security Agency general counsel Glenn Gerstell told Forbes. He said that while he thought it might be hard for China to actually weaponize that information in practice, it “absolutely raises concerns, heightens tensions [and] puts them in a position potentially to do mischief with the data. And that’s obviously a threat.”
TikTok has already used its arsenal of tools to target individuals and their networks. A December Forbes investigation revealed that ByteDance had tracked multiple journalists who cover the company, gaining access to their IP addresses and other data to try to uncover which ByteDance employees may have been in proximity to them and potentially leaking information. The company vehemently denied that report until its own internal investigation proved it to be accurate, heightening fears across the U.S. government that such surveillance could be conducted on Americans more broadly. The FBI and Justice Department are now investigating ByteDance’s use of TikTok to spy on journalists, as Forbes first reported. The White House has also ordered federal agencies to wipe TikTok from government employees’ devices by the end of this month.
Got a tip about TikTok or ByteDance? Reach out securely to the author, Alexandra S. Levine, on Signal/WhatsApp at (310) 526–1242, or email her at [email protected].
TikTok’s retention of Indians’ data shows why, stateside, a consensual agreement between TikTok and the Committee on Foreign Investment in the U.S. might be far more effective than a ban, Gerstell said. (CFIUS and TikTok have been in talks since 2019 on a deal to address national security concerns about the app.) He said a CFIUS deal could lock down historical data, which the India ban apparently failed to do, and that it would give the U.S. government the ability to set the terms around what happens to Americans’ data from past and present. Though a consensual deal wouldn’t guarantee that China won’t find a way to access that old data, it could afford other protections, he explained.
“If it’s a ban—which is the same thing in India—we can’t ban them from the data they already have,” Gertstell said. “Whatever the data is up to that moment of the ban is TikTok’s, is ByteDance’s…and we have no legal basis, if all we’re doing is banning the thing, to tell them what to do with [it].” It gets even more complicated if the data is already stored outside U.S. jurisdiction, he added.
“The politicians, and the people pounding the table when they talk about bans, in their mind think they’re solving a problem,” he told Forbes, “and they absolutely aren’t.”
Emily Baker-White contributed reporting.
How AI Will Impact The Next Generation Workforce
The RISE Of RISC-V: Accelerating Adoption Through Collaboration And Coordination
Notion Projects Aims To Revolutionize Workplace Collaboration, With The Help Of AI