ByteDance Hit by an Internal-Audit "Data-Gate"

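TikTok's biggest mistake is that it was never supposed to directly use the data of users in countries such as the UK and the US, yet this time its internal audit team crossed the line while hunting for a leaker.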

I. TikTok's internal audit crossed the line, and a bigger storm is coming

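A person close to ByteDance told Leiphone that the order the internal audit department received was most likely "find the leaker, whatever it takes." Under that enormous pressure, internal audit staff at ByteDance and TikTok began tracking two foreign journalists a few months ago.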

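One is Criddle, a reporter at the UK's Financial Times, who in June of this year published extensive negative coverage of TikTok, reporting that the parachuted-in executive Joshua Ma had brought a "wolf culture" to the UK and triggered a wave of resignations; that report also spread widely in China at the time. The other is Emily Baker, a reporter at Forbes magazine. In October of this year Forbes reported allegations that ByteDance used the TikTok app to monitor the location of specific Americans, and she may have been involved in that story.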

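These reports disclosed a large volume of internal ByteDance and TikTok conversations and key documents. ByteDance's senior management concluded that they were the result of an insider leak and set up a dedicated internal audit investigation team. Two months on, however, the investigation had not only failed; the team's rule-breaking during the investigation had itself been leaked to the US media.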

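The day before Christmas Eve, The New York Times revealed that members of the internal audit team had used TikTok user data to monitor journalists during the investigation: the team looked up the two journalists' IP addresses and other personal data in the back end, trying to determine whether they had been in the same location as employees suspected of leaking. The disclosure caused an uproar on Western social media platforms, and media outlets published pieces condemning the invasion of user privacy. The Financial Times went further and raised the matter to the political level, writing that "this is an attack on our democratic system."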

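Soon afterwards, ByteDance general counsel Erich Andersen disclosed in an email that ByteDance had dismissed four internal audit staff, two in China and two in the United States. That is roughly how events unfolded; what followed was ByteDance's response. On Christmas Eve, ByteDance's senior management sent several internal letters discussing the matter. TikTok chief executive Shou Zi Chew expressed his disappointment in an internal email and stressed that the company takes data security very seriously.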

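In his email, Liang Rubo acknowledged that employees had indeed improperly obtained the data of two American journalists, and said: "I was deeply disappointed when I learned of this... The public trust that we have spent huge efforts building has been seriously undermined by the misconduct of a few individuals." Judging by what Chew and Liang said, neither appears to have known about the matter beforehand, but in practice both have ended up bearing the greatest responsibility. Until now, although there has been plenty of criticism in the US, it has been concentrated mainly on social media.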

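Because everyone was still in the Christmas holiday mood, the affair had not yet really gathered momentum; only TikTok's competitors, such as Facebook's Zuckerberg, were itching to act. Now that Christmas is over, US senators and representatives have returned, lobbying firms are becoming active, and all kinds of attacks on TikTok are imminent. The trouble has in fact only just begun.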

II. Why did this happen, wiping out the earlier efforts?

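A veteran of data compliance told Leiphone: "ByteDance and TikTok simply should not have made this kind of mistake, because it is far too basic." In his account, the internal auditors obtaining IP addresses can still be explained; the real problem is how they matched them up, that is, how they knew which two accounts belonged to the journalists.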

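That is because ordinary users' information is mixed into the bulk data, and nobody can normally single it out. Multinational internet companies such as Facebook and Google generally control data strictly and classify it into tiers. The lowest tier is desensitized result data, presented as analysis reports and result charts, which employees may use normally. One tier up is data that cannot directly identify an individual but can be cross-analyzed with other content, such as behavior logs and time records; this generally cannot be accessed across borders and may only be used by local staff under restrictions. The highest tier is generally addresses, phone numbers and IP addresses, data that can pinpoint a specific person; employees must not use it at all, still less access it across borders or transfer it abroad. Nor is this just a matter of a company's own rules: in many European and American countries it is explicitly mandated by law, and beyond being a legal requirement it is a requirement at the political level. The law uses it to restrain large internet companies and stop them from using their data advantage to harm individuals.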

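Before this, in 2018, the US fined Facebook US$5 billion and the EU passed the GDPR, both to protect personal data from abuse. This time the ByteDance and TikTok internal audit team stepped on all three landmines at once: "foreign data", "cross-border access" and "personal information". The expert said he does not believe the ByteDance internal audit team was really unaware of the trouble involved, or really that amateurish. If so, why did the internal audit team do it anyway?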

A person close to ByteDance's senior management offered the following reasons:

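First, the internet giants have grown used to acting without fear of consequences at home. Chinese internet companies infringing user privacy has long ceased to be news, and the claim that "domestic users do not care about privacy and will trade privacy for convenience" has been around for a long time. They simply applied their domestic behavior to Americans, could not shake the habit of mind, and took a hard fall as a result.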

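Second, ByteDance's team building may not have kept pace with its growth in scale. In China ByteDance is also known for its "open culture", but in practice, apart from OKRs looking fairly transparent, many things are quite opaque. A typical comparison: when Google's Larry Page and Facebook's Zuckerberg hold employee Q&A sessions, they set aside an hour every week, employees ask questions on the spot, anyone can ask, anything can be asked, and the session is broadcast live with nothing dodged. ByteDance has also held face-to-face CEO sessions for ten years, but they have become less and less frequent, going from several a year to two a year, and every time the questions are set and selected in advance. ByteDance's culture is in fact growing ever closer to that of China's other internet giants, and the open culture is increasingly a formality.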

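Third, the ByteDance group lacks internal information-isolation mechanisms. Looking at the disciplinary action ByteDance and TikTok took against the internal audit team, two people were dismissed in Beijing and two in New York; it is easy to see that none of them was based in London. Yet all of them were able to get hold of the data, which shows that the group's processes did not properly isolate sensitive information. According to public information, ByteDance has restructured its internal audit and risk team and revoked the department's access to US data. That is presumably a remedy after the fact, but if this really is a problem with the group's mechanisms, what has been exposed so far is certainly only a small part of the problem, and ByteDance's remediation so far is far from enough.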

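Fourth, there are reasons specific to the individuals on the internal audit team. Team members were under heavy pressure from the leadership to catch the "leaker" at all costs, to the point that they were prepared to break the rules to get it done. The result now is that ByteDance and TikTok seriously overstepped, reaching directly into Americans' personal data, hitting Americans' most sensitive issue, data security, and handing their US competitors a potentially fatal piece of leverage. ByteDance's listing has become even harder.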

III. With a listing imminent and now affected, senior executives may take the blame and step down

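ByteDance's internal share-price valuation is currently about US$300 billion, which is also roughly its target valuation for a listing. In April of this year ByteDance brought in an unusual CFO, Gao Zhun. Gao spent more than 20 years as a lawyer and is a well-known figure in the world of US-listed Chinese companies, having provided legal services for the listings and other capital-market financings of more than 100 companies, including Meituan, JD.com, Pinduoduo and Xiaomi.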

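People in the industry describe her as having been "deeply involved in half of all Chinese internet listings in the US." What did ByteDance hire her for? What signal was it trying to send? Without doubt: a listing. One veteran told Leiphone bluntly that the next two years are ByteDance's listing window. At such a critical moment, Shou Zi Chew's two most important tasks as TikTok chief executive are compliance plus revenue, and compliance certainly comes first.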

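After all, if Americans do not buy into TikTok, ByteDance cannot possibly support a US$300 billion valuation. Against that background, Chew has spent the past year leading TikTok's efforts to win over the United States. In June of this year TikTok migrated US users' data to Oracle's servers and said that it would thereafter rely entirely on those US-based servers and would delete US users' private data from its own data centers in Singapore and Virginia.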

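At the same time, TikTok set up a dedicated US data security team, "USDS". The team is to number several hundred people, covering content moderation, engineering, product operations and so on, and its job is specifically to guard US user information and isolate it completely from ByteDance. Put simply, Chew was all but telling Americans directly that he had placed all US user data with a US domestic company and had Americans watching over it.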

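In fact, the separation of TikTok from Douyin has been proceeding in parallel: TikTok's core operations team was moved to Singapore, an advertising team was set up in Chicago and a moderation team in Tennessee, and there are offices in several major US cities including Houston and New York. Chew has made every effort he could to win the trust of American society. Even so, US states and the federal government have remained strongly hostile, and in the past two years TikTok has twice paid out over data issues, US$92 million and US$5.7 million.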

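On December 22 of this year the US Congress passed the "Ban TikTok on Federal Devices Act", which prohibits installing and running TikTok on any electronic device of the US federal government. Chew's position was already very difficult; he took every step with great care for fear of giving anyone grounds for criticism. Who would have thought that the internal audit team's problem would hand critics leverage all at once, so that the little trust built up in American society over the past year now looks set to be wasted. The US side can now be said to be going over TikTok with a magnifying glass. When ByteDance acquired Musical.ly, all parties saw it as a deal between two Chinese companies; after all, Musical.ly's bosses Zhu Jun and Yang Luyu are both Chinese and even the company was in Shanghai, so the deal was not filed with the US CFIUS.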

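Now that has been dug up as well, with the accusation that ByteDance acquired a US company without approval and that the deal must go through a US national security review. All of this leaves ByteDance's listing on the back foot, and Liang Rubo even more so. Liang was chosen precisely to lead the company in cutting costs and improving efficiency and then to take it public; now that the internal audit team has made such a serious mistake, he, as the executive the team reported to, can hardly escape blame. The Financial Times, Forbes and other outlets have taken a very hard line this time; they are said to hold hard evidence such as internal documents and internal recordings, and they insist on pursuing the matter to the end, so ByteDance will certainly have to bear responsibility. According to people familiar with the matter, the ByteDance internal audit team's reporting line has already moved from CEO Liang Rubo to CFO Gao Zhun, which probably means that certain people's positions are about to change.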


Author: Lin Juemin. Editor/translator: Moran, Digital Transformation Network (数字化转型网).


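Disclaimer: The content of this website (http://www.szhzxw.cn/) comes mainly from original work, contributions from partner media and third-party submissions, and all information appearing on this website is for reference only. This website will do its best to ensure the accuracy and reliability of the information provided but does not guarantee the accuracy or reliability of the material; readers should verify it further before use and are responsible for any decisions they make on their own. This website accepts no legal liability for errors, inaccuracies or omissions arising from the material.
Copyright in all content published on this website (including but not limited to text, images, logos, audio, video, software and programs) belongs to the original authors. Any organization or individual who believes that content on this website may infringe their intellectual property rights or is untrue should notify this site promptly so that it can be removed.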
