In a blog post dated 5th July 2022, TikTok responded to allegations that US user data is being harvested in China and by other third-party TikTok organizations like ByteDance. The post, made by Michael Beckerman, Vice President, Head of Public Policy, Americas, detailed who accesses US user data through TikTok and where that access takes place.
Mr. Beckerman made it clear that the data entrusted to TikTok is a top priority, despite the recent callout by American lawyer Brendan Carr, who currently serves as a commissioner of the Federal Communications Commission. In the post, he wrote:
We have sent a letter to Congress addressing these issues and others, and also want to share with our community the steps we take to secure our US user data as well as where we’re headed in our commitment to keeping US user data safe, private, and secure.
As we announced in May, we recently stood up a new division called US Data Security (USDS) to bring heightened focus and governance to our ongoing efforts to strengthen our data protection policies and protocols, further protect our users, and build confidence in our systems and controls in the United States.
The creation of USDS was an important milestone in the goals we laid out in a blog post two years ago: minimizing employee access to US user data and minimizing data transfers across regions – including to China. We are addressing who has access (and why they need it) and where those people are as two critical parts of our security protocols.
Who Has Access To US User Data And Why They Need It
As a rule, security teams want to minimize the number of people who have access to data and limit it only to people who need that access in order to do their jobs. We have policies and procedures that limit internal access to user data by our employees, wherever they’re based, based on need. Like many global companies, TikTok has engineering teams around the world—including in Mountain View, London, Dublin, Singapore, and China—and those teams might need access to data for engineering functions that are specifically tied to their roles.
That access is subject to a series of robust controls, safeguards like encryption for certain data, and authorization approval protocols overseen by our US-based security team. To facilitate those approvals, we also have an internal data classification system; the level of approval required for access is based on the sensitivity of the data according to the classification system. The intention of these processes and protocols is to ensure that the data is only accessed by those that need it to allow our business and our service to function.
Where People With Access Are Located
To the extent possible for a global company, we want to limit not just who is accessing data, but also where there is access to data. That’s why, in addition to routing all U.S. traffic through Oracle Cloud Infrastructure, we are also working to build up our US-based engineering capacity to reduce the need for data transfers across regions.
As we recently shared with members of Congress, we are working toward a new system in which access to US user data by anyone outside of USDS will be limited by, and subject to, robust data access protocols with monitoring and oversight mechanisms by Oracle.
Managing Cyber Threats
In addition to our US-specific work, our global security team is constantly working to stay ahead of next-generation cyber threats. We continually work to validate our security standards and collaborate with industry-leading experts to test our defenses. In the past year, we’ve earned ISO 27001 certifications in the U.S., UK, Ireland, Singapore, and India for investing in the people, processes, and technology to keep our community safe. The ioXt Alliance also certified TikTok for meeting rigorous standards and commitments to cybersecurity, transparency, and privacy.
We’re dedicated to earning and maintaining the trust of our global community, and we will remain focused on protecting our platform and providing a safe, welcoming, and enjoyable experience.