
Security failures, building safety issues plague TikTok’s Virginia data centers – report

Victor Barreiro Jr.



TIKTOK. A smartphone with a displayed TikTok logo is placed on a computer motherboard in this illustration taken February 23, 2023

Dado Ruvic/Reuters

The report points to security vulnerabilities and a lack of safety precautions, among other issues, in the Virginia data centers where TikTok stores data

MANILA, Philippines – A report from Forbes on Friday, April 21, underscored the potential problems looming inside data centers used by embattled social media company ByteDance to store the private data of TikTok users.

According to the report, interviews with current and former employees at the Virginia data centers for TikTok – alongside photos, videos, and documents – point to security vulnerabilities and other issues at these data centers. Alongside these problems, the report notes that TikTok’s data center operations still appear to be enmeshed with ByteDance’s business in China.

Security vulnerabilities

TikTok rents server space at a Northern Virginia server farm, and these servers are managed in part by ByteDance and also by contracted workers from some data center management firms.

ByteDance, in a blog post in January 2023, said, “Our Virginia data center includes physical and logical safety controls such as gated entry points, firewalls, and intrusion detection technologies.”

In practice, however, several current and former employees interviewed by Forbes pointed to lax physical security at the data centers. Company policy states that guests, including delivery couriers, hardware vendors, electricians, and other professionals, must be escorted by an employee at all times, but this doesn’t always happen.

“We do not have time to watch them all,” one of the interviewees, who wished anonymity for fear of reprisal, said.

There have also been lapses in internal security monitoring, such as the use of unmarked flash drives on the servers. Three of the sources added they were aware of modifications made to servers that were not reflected in any ticketing or recordkeeping system. Aside from this, photos from 2020 provided by a source pointed to unattended hard drives left in a box in the data center’s hallways.

Meanwhile, the company’s degaussers – or the machines used to wipe and destroy old hard drives – were often broken or jammed. This meant staff had to take the drives to other data centers for disposal. One person placed in this position explained, “Anyone with malicious intent could’ve just taken them, and we wouldn’t have known.” TikTok has acknowledged having this issue in the past, but told Forbes the issue has since been addressed.

Enmeshed with China

The report also suggests that TikTok’s data center operations still have connections with ByteDance’s business in China.

Forbes noted the Virginia TikTok data centers use servers produced by Inspur, a company the Pentagon said in 2020 was controlled by the Chinese military and that the US Commerce Department added to a sanctions list in March.

Documents also showed that, even in April, server work orders were sent to data center technicians by Beijing ByteDance Technology Co., Ltd., a ByteDance subsidiary partially owned by the Chinese government. TikTok has repeatedly said the Chinese government has no control over its operations.

Problems with building safety and cryptomining

Sources in the report also discussed a lack of safety in the buildings themselves, as three of the sources were occasionally asked to work in buildings under construction, while some buildings have door alarms that go off so frequently the alarms are meaningless. TikTok has said the door alarms are investigated on an as-needed basis.

Heat and fire hazards have also been said to be a potential problem point. When wooden pallets and delivery boxes are left by delivery couriers in server rooms, they can become potential hazards if a server overheats.

Forbes added, “Audio recordings of internal TikTok meetings note that heat in these data centers has been a problem before: In a September 2021 meeting, a Trust & Safety director can be heard describing an instance in which the Virginia servers overheated and US user data was routed to servers in Singapore until the issue could be fixed.”

Six of the sources interviewed also said they’d heard of employees using the servers to mine cryptocurrency. TikTok called such behavior a violation of its policies and said it has “security controls in place to identify and prevent this type of behavior.”

Why this matters

TikTok stopped routing new US user traffic to the Virginia data centers in October 2022. This means private posts, DMs, and other US user data created before October 2022 remains on these servers, but more recently created data is not.

ByteDance is currently trying to avoid troubles with the US government by moving data from these Virginia servers to servers provided by Oracle in Texas, or otherwise deleting this data outright.

TikTok CEO Shou Zi Chew admitted in March, however, that while it plans to move the data in these Virginia servers to Texas within the year, US user data is still “sitting in our servers in Virginia” today.


ByteDance is trying to prevent TikTok from being banned in the US, following a threat by the Biden administration, which demanded its Chinese owners divest their stake in the app or face the US ban.

A bipartisan group of lawmakers has also raised concerns that ByteDance’s prominence in the US could allow China to exfiltrate data about US citizens or otherwise influence US or international civic discourse.

Given this, maintaining good security practices at an all-important point in the process should be paramount, but employees said TikTok’s security at its data centers was weaker than security at other data centers they had worked at.

That said, the company appears to have sacrificed operational and physical safety standards to get these servers running.

Said one source in the Forbes report, “ByteDance just didn’t give a shit.” – Rappler.com



Victor Barreiro Jr is part of Rappler's Central Desk. An avid patron of role-playing games and science fiction and fantasy shows, he also yearns to do good in the world, and hopes his work with Rappler helps to increase the good that's out there.