TikTok's American Credibility Problem

What happens when audio recordings of 80 internal meetings of a company are leaked to the media? A serious credibility problem.

That’s what happened to TikTok last week when the audio of, indeed, more than 80 internal meetings were leaked to Buzzfeed, which led to a bombshell story exposing the hard truth that TikTok’s promise of protecting US users’ data from China is falling short.

Now, I am not a “TikTok basher”. Over the last two years, I’ve written many posts on ByteDance – from its aggressive global expansion tactics and fledgling cloud product, to its “trust building” problems with regulators and its fascinating, enigmatic founder, Zhang Yiming. I do my best to be fair when discussing ByteDance and TikTok – give credit where credit is due, give critique where critique is due.

(To read all of our previous writings on TikTok, see “Zhang Yiming’s Last Speech” (premium content) and the ByteDance tag.)

In ByteDance’s quest to become an enduring global tech company, TikTok must succeed in its own quest to become “less Chinese” and “more American”. Thus far, it is failing.

TikTok has an “American Credibility” problem – four problems to be exact: a “whistleblower” problem, a “master admin” problem, a “protected data” problem, and an “Oracle” problem.

(To jump ahead, see "Solutions to TikTok's American Credibility Problem" on my proposed solutions to these problems.)

The “Whistleblower” Problem

Shortly before the Buzzfeed exposé was published, TikTok pre-empted the story with its own official blog post. However, both the timing and the content of the blog post shows that TikTok has a whistleblower problem.

Having worked in multiple communications offices in the past, the curious timing – publishing hours before a (really) bad media story is about to drop – looks all too familiar to me. This is how a blindsided communications department scrambles to stay ahead of a story that is both bad and true.

The timing of the blogpost implicitly admits that the audio recordings that Buzzfeed obtained were true. Additionally (and unfortunately for TikTok), the content of the blog post almost explicitly admits that the Buzzfeed story, alleging that ByteDance’s China HQ has been accessing TikTok’s US user data, is true. This phrase in the blog post gave it away:

“We've now reached a significant milestone in that work: we've changed the default storage location of US user data. Today, 100% of US user traffic is being routed to Oracle Cloud Infrastructure.”

Knowing that the blog post’s timing was forced upon TikTok, saying that “we’ve now” fixed the problem clearly indicates that the data access problem persisted during the last two-plus years, despite TikTok executives denying such fact in a sworn congressional testimony.

This internal leak is not isolated, but one among many. In the last two months, both the Wall Street Journal and the Financial Times have published long stories detailing the toxic work culture at TikTok’s US and UK offices. The FT article led a TikTok executive to “take some time off” and “step back”.

When a company’s public posture contradicts its internal operations, employees morale sags, trust is lost, and whistleblowing of all types start to occur. The first type tends to be about work culture, which is the most personal and easiest to corroborate. As media stories get published and executives get punished, employees feel more emboldened and more leaks of more problematic internal practices start to happen – like not delivering on its data governance promise and possibly lying to Congress.

We are seeing this downward spiral of continuous whistleblowing unfold in front of our eyes – similar in some ways to what TikTok’s archrival Facebook/Meta was dealing with last year with Frances Haugen. TikTok’s “whistleblower” problem may continue for a while, until either ByteDance leadership can re-establish internal trust or TikTok simply runs out of things worth whistleblowing about.

The “Master Admin” Problem

If the “whistleblower’ problem is bad, the “master admin” problem is arguably more pernicious.

The most damaging revelation of the Buzzfeed story, in my view, is this part:

“Everything is seen in China,” said a member of TikTok’s Trust and Safety department in a September 2021 meeting. In another September meeting, a director referred to one Beijing-based engineer as a “Master Admin” who “has access to everything.”

Despite trying to build a US-based Trust and Safety department, a well-meaning and important step in establishing a separate data governance structure, this function is of no practical use if a rank-and-file “Beijing-based engineer” who happens to have “master admin” access privilege can access any data.

Now, having a “master admin” as a function is not, in and of itself, a problem. Every company, tech or non-tech, does and should have a group of highly-skilled, highly-responsible engineers who have access to everything, so when a serious problem arises, these engineers can get to the root cause of the problem and fix it. The people who have this privileged access and power are the real life embodiments of Spiderman’s “with great power comes great responsibility” adage.

So TikTok’s “master admin” problem lies in the fact that its “Spiderman” appears to be only in China. And as long as this “master admin” role sits in China, and only China, it really doesn't matter where TikTok’s US user data is physically stored and by whom.

The “Protected Data” Problem

TikTok’s “protected data” problem is more complicated to dissect, because the responsibility in fixing this problem is not solely on TikTok, but also on the US regulators, as well as every lawyer and lobbyist in between.

Despite all the rage and rancor about how scary it would be for the Chinese Communist Party to access US user data via TikTok, the Buzzfeed story revealed that what kind of data is considered “protected” data is still “being negotiated” – a euphemistic way of saying the regulation is being “watered down”.

While we don’t know what types of data are considered “protected”, it appears that at least one type of data, the UID, is apparently not:

“In a recorded January 2022 meeting, the company’s head of product and user operations announced with a laugh that unique IDs (UIDs) will not be considered protected information under the CFIUS agreement: “The conversation continues to evolve,” they said. “We recently found out that UIDs are things we can have access to, which changes the game a bit.” (Bold emphasis mine)

I emphasized the “with a laugh” detail, because it underscores just how core UID is when it comes to data access control. Any regulation that does not include core data types, like the UID, within the “protected data” definition is basically toothless.

A quick technical aside: UID stands for “unique identifier”. It is a string of numbers or alphanumerics, often automatically generated, that serves as the “locator” of data in a database or spreadsheet. To find a piece of data, you would usually query the UID plus a column or field’s name, like “age” or “email”, to find that data.

UID is basically the key to find all the data within a database. If the UID is accessible and not considered “protected data” by US regulators, then it is almost impossible to guarantee that TikTok’s US user data are shielded from access by engineers or data analysts located in China, let alone people with “master admin” privilege.

And since TikTok has already announced it is routing all user traffic to Oracle Cloud, it’s worth noting that in the official Oracle Database documentation, it states that a “UID returns an integer that uniquely identifies the session user (the user who logged on).”

In Oracle land, a UID most certainly leads to user data…which brings us to our last problem.

The “Oracle” Problem

Oracle has somehow cornered the cloud infrastructure business of “tech companies with a China problem” – first with Zoom, then with TikTok. (My post “Why Zoom Chose Oracle” from two years ago goes into Oracle’s unique positioning in the US-China tech war.)

However, precisely because the business opportunity is so big for an otherwise small Oracle Cloud unit, it is not certain whether Oracle can be trusted either.

This problem was hinted at in this passage of the Buzzfeed report:

“It also appears that Oracle is giving TikTok considerable flexibility in how its data center will be run. In a recorded conversation from late January, TikTok’s head of global cyber and data defense made clear that while Oracle would be providing the physical data storage space for Project Texas, TikTok would control the software layer: “It’s almost incorrect to call it Oracle Cloud, because they’re just giving us bare metal, and then we're building our VMs [virtual machines] on top of it.” Oracle did not respond to a request for comment.” (Bold emphasis mine)

Another quick technical aside: “bare metal” refers to the raw servers, microprocessors, networking cables, and storage units in a cloud data center, literally the metal hardware. VMs or virtual machines refer to the low-level software that is one layer above the hardware – a crucial layer that controls the logic of how the hardware will be used and accessed, for example, who can access the data saved on the storage units.

It’s possible that Oracle’s interest is sandwiched between US regulators and TikTok. On the one hand, Oracle obviously wants to earn the trust of Washington, by closely monitoring TikTok’s US user data access. But on the other hand, TikTok is also an important source of business and validation for Oracle Cloud – a tiny player in the cloud industry.

How important?

When Oracle released its full fiscal 2022 earnings last week, the stock price spiked 12% while the NASDAQ dropped 4.7%, because Oracle Cloud grew 20+% and its CEO projects the unit will grow 30+% in fiscal 2023.

TikTok is a huge part of that growth. When the TikTok blog post that was meant to pre-empt the Buzzfeed story was published, the part about routing all US traffic to Oracle Cloud was well-received by Wall Street analysts who cover Oracle.

How much “flexibility” will Oracle continue to give to TikTok to keep its business, while assuaging Washington regulator’s concerns remains a big question mark.

All in all, TikTok has a serious “American Credibility” problem – some of that is within its control to fix, some of that requires both Oracle and relevant US regulators to act responsibly as well.

How can this credibility problem be resolved? How can TikTok be trusted as truly “American”?

See "Solutions to TikTok's American Credibility Problem" on how I think TikTok can fix its credibility problems.