Roland Cloutier, a U.S. Air Force veteran and former law enforcement officer, stepped down as TikTok’s Global Chief Security Officer in July 2022 as the Biden administration continued to evaluate the national security risks posed by TikTok’s Chinese ownership.
A China-based ByteDance team led multiple audits and investigations into TikTok’s U.S.-based former Global Chief Security Officer, who had been responsible for overseeing efforts to minimize China-based employees’ access to American user data, according to internal company materials reviewed by Forbes.
TikTok hired Roland Cloutier as its Global Chief Security Officer in March 2020, shortly after the Treasury Department’s Committee on Foreign Investment in the U.S. (CFIUS) opened an investigation into TikTok’s ties to China. In public statements, TikTok touted the work of Cloutier, a U.S. Air Force veteran and former veterans affairs police detective, as evidence that TikTok was taking cybersecurity and data concerns seriously.
But according to current and former employees, as well as internal materials reviewed by Forbes, Cloutier’s efforts to build out a robust security team were hamstrung by ByteDance’s Internal Audit and Risk Control department, which is led by Song Ye, an executive in Beijing.
The materials show that Internal Audit launched multiple audits and investigations into Cloutier, alleging that he had pushed contracts worth millions of dollars to U.S.-based security vendors who were his personal friends. Forbes did not view materials that conclusively substantiated or refuted the veracity of these allegations.
Some current and former employees, though, characterized the probes into Cloutier as pretextual fishing expeditions designed to find a reason to push him out of the company. They noted that TikTok’s Chief Internal Auditor, Chris Lepitak, had argued that some work managed by Cloutier’s TikTok team should instead be owned by ByteDance’s Internal Audit team. The sources said Lepitak indicated that Internal Audit should oversee areas like digital forensics and insider risk, which are key to ensuring the security of user data. Lepitak reports to Song Ye, who reports to ByteDance cofounder and CEO Liang Rubo.
TikTok and ByteDance did not answer questions about why Cloutier was investigated, whether he was fired or whether he was pushed out of the company because of his work on data access controls.
One investigation into Cloutier focused specifically on the Global Security Organization’s relationship with consulting giant Booz Allen Hamilton. Several former employees at Booz currently work on TikTok’s security team. Among other things, Booz was helping TikTok manage China-based employees’ access to U.S. user data. Booz previously declined to comment on its relationship with TikTok, and did not immediately respond to a request for comment.
TikTok is currently negotiating a national security contract with CFIUS which will govern the way the Chinese-owned social media app handles Americans’ personal user data. Before he left his post at the company in July 2022, Cloutier had been working on reducing China-based employees’ access to data: In an April 2020 blog post, he wrote, “Our goal is to minimize data access across regions so that, for example, employees in the APAC region, including China, would have very minimal access to user data from the E.U. and U.S.”
BuzzFeed News reported in June that U.S. user data had been repeatedly accessed by employees in China into at least January 2022. Forbes reported last week that ByteDance’s Internal Audit department — the same one that investigated Cloutier — planned to monitor individual U.S. citizens’ locations using the TikTok app.
Cloutier did not respond to multiple requests for comment. TikTok announced that he was stepping down from his role as Chief Security Officer in July, and his LinkedIn profile says he left the company in September.
ByteDance spokesperson Jennifer Banks said in a statement that the Internal Audit team is “responsible for objectively auditing and evaluating the company and our employees’ adherence to our codes of conduct.” Banks continued that “[a]ny internal investigation is done with the intent to maintain a safe and compliant workplace,” but declined to comment on specific investigations.
TikTok did not comment on a detailed list of points and questions from Forbes about the Cloutier investigations and other investigations conducted by ByteDance’s Internal Audit team. However, in response to Forbes’s earlier report about the team, TikTok’s communications department tweeted: “Our Internal Audit team follows set policies and processes to acquire information they need to conduct internal investigations of violations of the company codes of conduct[.]”
Despite TikTok’s claim that Internal Audit is “our” team, internal materials indicate that the Internal Audit team does not report to any members of TikTok’s executive team, and instead reports directly to ByteDance executives in China. TikTok did not answer a question about why it referred to the Internal Audit team in this way.
Materials also show that the probes conducted by Internal Audit have often been extensive, including contracts with outside security firms and reviews of many thousands of emails, employee correspondence and messages in Lark, ByteDance’s internal workplace management software. Materials also show that some investigations have been kept confidential from employees’ managers and from HR.
Cloutier is not the only U.S. executive who was targeted by the Internal Audit department. Two sources said that at least one other executive, former TikTok Global Head of Marketing Nick Tran, was also pushed out over allegations of conflicts of interest due to personal relationships, which the sources characterized as an excuse to terminate the employee. Tran declined to comment.
Three current and former employees also described a list of TikTok employees — some of whom have now left the company — that ByteDance hoped to oust from their positions. Neither TikTok nor ByteDance commented on the existence of such a list. The Financial Times previously reported that TikTok had created a “kill list” for employees it wished to force out of the company. At the time, TikTok told FT that it was “unable to find any list that matched this description.”
TikTok has not yet named its next Chief Global Security Officer, but documents show that the company’s Global Security Organization is currently in the middle of a corporate restructuring, meant to address “pain points” including redundancy across teams. TikTok and ByteDance declined to answer questions about whether the restructuring would change the division of responsibilities between TikTok’s Global Security Organization and ByteDance’s Internal Audit team.
In the past, TikTok has struggled with retention of U.S.-based executives. In September, Forbes reported that at least five senior leaders at TikTok had left the company because they felt they could not contribute to key decision making. ByteDance’s Internal Audit department apparently found the same thing: A risk assessment prepared by the department in late 2021 found that numerous senior employees felt “that themselves and their teams are just ‘figureheads’ or ‘powerless ombudsmen’” who are “functionally subject to the control of CN-based teams.”
Neither TikTok nor ByteDance commented on the risk assessment.
Last month, President Biden issued an executive order instructing CFIUS to more closely consider the risks posed by foreign companies’ access to Americans’ private data. Yesterday, the Department of Justice held a press conference to announce indictments of two Chinese government intelligence officials who allegedly sought to impede a federal investigation into alleged wrongdoing by the China-based telecom giant Huawei. (Huawei did not immediately respond to a request for comment.)
At the press conference, Deputy Attorney General Lisa Monaco, who is reportedly among the officials reviewing the deal between TikTok and CFIUS, said about the Huawei case: “This case exposes the interconnection between PRC intelligence officers and Chinese companies. And it demonstrates once again why such companies, especially in the telecommunications industry, shouldn’t be trusted to securely handle our sensitive personal data and communications.”
Richard Nieva contributed reporting.