ByteDance, the China-based parent company of TikTok, said on Thursday that an internal investigation found that employees had inappropriately obtained the data of U.S. TikTok users, including two reporters.
Over the summer, a few employees on a ByteDance team responsible for monitoring employee conduct tried to find the sources of suspected leaks of internal conversations and business documents to journalists. In doing so, the employees gained access to the IP addresses and other data of two reporters and a small number of people connected to the reporters via their TikTok accounts. They were trying to determine if those individuals were in the same proximity of ByteDance employees, according to the company, which added that the efforts failed to find any leaks.
The investigation was initiated after an article was published by Forbes, and the inquiry confirms part of that report and acknowledges the privacy and security risks associated with TikTok that U.S. lawmakers, state governors and the Trump and Biden administrations have raised for more than two years. More than a dozen states have banned TikTok from government-issued devices, and the company has been in prolonged negotiations with the administration on security and privacy measures that would block any potential access of U.S. user data by ByteDance and the Chinese government.
ByteDance’s general counsel, Erich Andersen, revealed the findings of the investigation, which was conducted by an outside law firm, in an email to employees on Thursday.
One person on the team resigned and three were fired. Two of those employees were based in China and two were in the United States. ByteDance said it has restructured its global compliance team and has removed any access to U.S. data from that department. The targeted reporters wrote for BuzzFeed and The Financial Times, ByteDance said, though it declined to identify them and other affected TikTok users.
Mr. Andersen and ByteDance’s chief executive, Rubo Liang, revealed the findings of the investigation in separate emails to employees.
“I was deeply disappointed when I was notified of the situation. . . and I’m sure you feel the same,” Mr. Liang wrote. “The public trust that we have spent huge efforts building is going to be significantly undermined by the misconduct of a few individuals.”
The chief executive of TikTok, Shou Zi Chew, also sent an email to his employees about the investigation, expressing disappointment and stressing the company’s commitment to protect U.S. data.
“We take data security incredibly seriously,” Mr. Chew said in the email. He said that over the past 15 months, the company had worked to create a new U.S.-based data storage program as a “testament to that commitment.”
The revelations come amid growing concerns by U.S. officials about the privacy and national security risks posed by TikTok, a hugely popular video-sharing app with an estimated 100 million American users. ByteDance acquired TikTok, formerly known as Musical.ly, in 2017 and has since been the focus of national security officials who say the app is too closely aligned with its parent company in China and can put sensitive data, such as geolocation and the habits and interests of users in the United States, into the hands of the Chinese government.
In the hopes of allying national security fears, ByteDance has moved the data of U.S. users to a cloud storage system operated by Oracle, the Silicon Valley software company.
In September, TikTok’s chief operating officer, Vanessa Pappas, testified in a Senate hearing that the app did not share data with the Chinese government. The company has tried to distance the app from ByteDance, saying TikTok has its own corporate structure, with offices in Washington, Singapore, New York and Los Angeles.
TikTok has been locked in negotiations with the Biden administration on a data security plan that would put all U.S. data on Oracle’s cloud servers and erect walls around that data to prevent access by the Chinese government. The negotiations, which began during the Trump administration, have stalled in recent weeks, prompting a cascade of state and federal actions to restrict the use of TikTok.
Congress is set to vote as early as this week on a proposal that would ban TikTok from any federal devices. Intelligence officials, including the F.B.I. director Christopher Wray, has warned that Chinese officials can siphon sensitive data about U.S. citizens to use for surveillance and to spread propaganda.
TikTok is in the middle of an escalating economic and trade war between the United States and China for technology leadership. The superpowers have imposed trade restrictions on foreign-made technologies and have poured hundreds of billions of dollars into subsidies and grants to bring back tech supply chains for manufacturing within their borders.
A bill by Senator Josh Hawley, Republican of Missouri, would ban TikTok on all federal devices, in the farthest-reaching restriction of the app yet. He said that despite assurances by ByteDance and TikTok, the Chinese government has broad powers of data collection, including of U.S. users of apps connected to Chinese companies.
“TikTok is essentially a back door for the Communist Party to track keystrokes, contact lists and location, and there is no way to turn it off,” Mr. Hawley said in an interview this week. “Under Chinese law, ByteDance is obligated to turn over data and that is a major privacy risk for Americans.”