TikTok’s Global Chief Security Officer Roland Cloutier is stepping down following news that American data is ‘routinely’ accessed from China.
“With our recent announcement about data management changes in the US, it’s time for me to transition from my role as Global Chief Security Officer into a strategic advisory role focusing on the business impact of security and trust programs, working directly with Shou, Dingkun, and other senior leaders,” Cloutier writes about the news.
Cloutier has been with TikTok since 2020 and will vacate his post as CSO on September 2. TikTok announced in June 2022 that it had started routing US data to Oracle servers over concerns of Chinese government access to US data. These changes were advertised as a way to “minimize concerns about the security of user data in the US.” But those changes also change the scope of the job Cloutier has held for two years.
TikTok has faced increased scrutiny in the United States, especially after a June 2022 report by BuzzFeed. That report gathered from leaked internal TikTok meetings shows that backdoor access is built into all of TikTok’s administration tools for its backend from September 2021 to January 22 at least.
“Despite a TikTok executive’s sworn testimony in an October 2021 Senate hearing that ‘world-renowned, US-based security team’ decides who gets access to this data, nine statements by eight different employees describe situations where US employees had to turn to their colleagues in China to determine how US user data was flowing,” the BuzzFeed report determined. US TikTok staff did not have permission or knowledge of how to access this data on their own – without input from China.
“Everything is seen in China,” said a member of TikTok’s Trust and Safety Department in a September 2021 meeting. Another engineer called a Beijing engineer and employee of ByteDance as the ‘Master Admin’ who “had access to everything.” In response to these reports and calls from the FCC Commissioner to ban TikTok, a group of Republican Senators has questioned the validity of the company’s testimony on data privacy.