All,
A few weeks ago, there was a news report alleging that employees of the company’s internal audit team may have attempted to improperly access users’ location data. While many of the allegations in the article were speculative, our Global Legal Compliance team immediately began an investigation into the facts alleged in the story and engaged a highly reputable law firm to assist in the investigation.
We have since learned that a deceptive plan was developed and executed last summer by a few individuals within the Internal Audit Department as part of investigating significant employee leaks of confidential company information to the media – including allegedly leaked documents, screenshots and audio recordings of internal meetings.
It is standard practice for companies to have an internal audit group authorized to investigate Code of Conduct violations. However, as part of the initiative to investigate the leaks related to this case, the individuals involved abused their authority to access TikTok user data. These individuals sought to identify potential connections between two journalists covering the contents of leaked documents and recordings — a former BuzzFeed reporter and a Financial Times reporter — and employees of the company. In turn, they hoped that information about these connections would help identify the workers responsible for the leaks. For example, the individuals looked at the IP addresses of the journalists to try and determine whether they were in the same location as the employees suspected of leaking confidential information, despite the fact that IP addresses only provide approximate location information. would yield. Not surprisingly, their ill-considered efforts failed to identify the sources of the leaks. Nevertheless, their access to user data in connection with these efforts was a significant violation of the Company’s Code of Conduct, so we are immediately taking the following steps:
None of the individuals who directly participated in or oversaw the misguided plan remain employed by ByteDance. We are continuing the investigation under the direction of the legal team.
We are restructuring the Internal Audit and Risk Control (IARC) department:
Julie Gao, CFO, will take over the IARC division and immediately start looking for the new leader, who will report to her.
The Global Investigations function that was part of IARC will be split up and restructured. Going forward, the Global Legal Compliance team will oversee all investigations previously within the scope of IARC.
We will redesign the investigation process to include an oversight board that, among other responsibilities, will oversee the development and refinement of policies and procedures governing the company’s investigative functions and oversee the functions’ compliance with applicable laws and company policies.
We have removed all access to user data and permissions for the IARC department.
In the future, where it is necessary and appropriate for IARC to access User Data of appropriate scope (for example, to investigate fraud involving Company employees), such access will be subject to, and granted only in accordance with with, the policies and protocols. This step will involve training the IARC team on the new policies and protocols.
In addition, we will continue to evaluate and improve our access controls. In this case, access to certain US user information under the misguided investigation was already restricted by the prior transfer of control to the US Data Security team, and those controls have been significantly enhanced and hardened since this initiative took place.
I also want to emphasize that we have an open and frank culture within ByteDance. It is a core part of our ByteStyles. If you are faced with an ethical dilemma or reportable challenge, notify your manager, HR or the Speak Up hotline to do so anonymously. There are many opportunities to share your concerns.
I hope we can all learn from this situation and move forward with a clear understanding and appreciation of our responsibilities – as employees and leaders – to build and run an ethical business.
Eric