Former ByteDance Executive Alleges Chinese Government Used ‘God Credential’ to Access User Data and Track Hong Kong Activists

ByteDance, the Beijing-based parent company of short-form video platform TikTok, allegedly gave Chinese Communist Party (CCP) officials a “superuser” credential that allowed them unfettered access to user data, which they are said to have used to monitor activists and protesters in Hong Kong, according to a court filing submitted Monday by a former executive at the company. ByteDance denies the claims.

Yu Yintao, who used to lead the engineering team in the U.S. for ByteDance, said in his latest court filing as part of a wrongful dismissal lawsuit that a special committee of CCP officials within the company were able to view all data ByteDance collected, including those of U.S.-based users.

“This was a backdoor to any barrier ByteDance had supposedly installed to protect data from the CCP’s surveillance,” the filing to the Superior Court of San Francisco read. “The superuser credential was commonly discussed between employees at various levels of the company, including senior executives.”

Benjamin Ho, coordinator of the China Programme at the S. Rajaratnam School of International Studies in Singapore (RSIS), says that if the allegations regarding CCP access to user data are proven to be true, it is likely to exacerbate existing geopolitical tensions between the U.S. and China. “The United States will certainly be very pissed off,” he tells TIME.

ByteDance’s TikTok, which has 150 million users in the U.S., has already been under intense governmental scrutiny in Washington due to security concerns, with some lawmakers even proposing a ban on the app. China’s national intelligence law allows the CCP to pull data upon request from companies based in the nation. TikTok CEO Shou Zi Chew has testified before Congress and denied that China has access to the subsidiary social app’s user data.

ByteDance has not responded to TIME’s request for comment, though a spokesperson told the Wall Street Journal, which first reported on the filing, that Yu’s allegations are “baseless” and “clearly intended to garner media attention.”

What do we know about the former ByteDance executive?

Yu, a California resident who was based in ByteDance’s Menlo Park office, was the company’s head of engineering from August 2017 to November 2018, according to his wrongful dismissal lawsuit.

The suit says that shortly after joining ByteDance, Yu found that the company was engaged in a global scheme to steal and profit from content posted on other platforms, like Instagram and Snapchat. ByteDance had allegedly developed a program that would scrape competitor platforms’ user content, which would then be posted by fake social media accounts to populate ByteDance’s own video services. Yu claims, according to the suit, that he raised this issue to his higher-ups but that the practice continued and he was allegedly fired in retaliation.

Yu’s lawyer told the Journal that his client chose to come forward with his wide-ranging allegations now in response to Shou’s congressional testimony in March, explaining that Yu viewed the TikTok CEO’s statements defending the company as “misdirection.”

What ByteDance data has the Chinese government allegedly obtained? How might the U.S. react?

In an addendum to his case filed on Monday, June 5, Yu claimed he saw how the superuser credential—or “god credential”—had been used by ByteDance’s special committee of CCP officials and external investigators to identify and locate Hong Kong protesters and their supporters in 2018, during which a groundswell of anti-mainland Chinese sentiment had been growing amid eroding freedoms in the former British colony.

Yu detailed how users’ device identifiers were allegedly tracked in addition to network information, SIM card identifications, and IP addresses to determine their identity and locations.

“From the logs, I saw that the Committee accessed the protestors’, civil rights activists’, and supporters’ unique user data, locations, and communications,” reads the filing.

In the May complaint, Yu also accused ByteDance of being a “useful propaganda tool” for the CCP by promoting or demoting content according to its interests: “Yu observed that ByteDance demoted content that expressed support for the protests in Hong Kong (‘Umbrella Revolution’), while it promoted content that expressed criticisms of the protests in Hong Kong.” (TikTok discontinued operating in Hong Kong in 2020 after the implementation of a controversial national security law in the city.)

Still, while “the allegations carry serious weight,” Muhamad Faizal, another RSIS research fellow, says China’s alleged tracking of Hong Kong protesters is unlikely to prompt a global retaliation against ByteDance. Given Hong Kong’s status as a Chinese territory, the user data in question was not utilized to conduct extraterritorial surveillance. “If the U.S. calls this a reason to ban TikTok, China could call out how the U.S. obtained data from American [telecommunication] and tech giants to track down protesters who were involved in the January 2021 Capitol riots,” Faizal told TIME via email. “The U.S. could rally its allies to impose sanctions that would hurt ByteDance, but this may not be geopolitically tenable if the U.S. wants to convince China to resume meaningful communications and dialogue to ease tensions.”

“The Chinese government emphasizes control and stability of the cyberspace,” Faizal added. “But digital surveillance is not limited to China.”