TikTok stores the most sensitive financial data of its biggest stars, including members of its “Creator Fund,” on servers in China. “U.S. data has always been stored in Virginia and Singapore,” CEO Shou Zi Chew told Congress earlier this year.
In recent years, thousands of TikTok creators and businesses around the world have provided the company with sensitive financial information, including Social Security and tax ID numbers, to enable payments through the platform.
But unbeknownst to many of them, TikTok stored their personal financial information on servers in China that were accessible to Chinese employees, Forbes has learned.
TikTok uses various internal tools and databases from Beijing-based parent company ByteDance to manage payments to creators who earn money through the app, including many of the biggest stars in the United States and Europe. The same tools are used to pay external vendors and small businesses that work with TikTok. However, a mountain of records obtained by Forbes from multiple sources across various departments within the company reveals that highly sensitive financial and personal information about these valuable users and third parties is stored in China. This discovery also raises the question of whether employees who were not authorized to access that data were able to access it. The reporting is based on internal communications, audio recordings, videos, screenshots, documents marked “privileged and confidential,” and several people familiar with the matter.
In testimony before Congress earlier this year, TikTok CEO Shou Zi Chew claimed that U.S. user data is stored on physical servers outside China. “U.S. data has always been stored in Virginia and Singapore and accessed by engineers around the world on an as-needed basis,” he said under oath during a House hearing in March.
“We remain confident in the accuracy of Mr. Chew's testimony,” TikTok spokesperson Alex Howrek said in a statement. ByteDance did not respond to requests for detailed comment. At the time of publication, neither company had answered the basic question of whether U.S. citizens' sensitive tax information is stored and accessible in China.
TikTok has been touting plans for the past year to cut off Americans' data from China in a $1.5 billion operation called “Project Texas.” The initiative, which would let the wildly popular app continue operating in the U.S. despite long-standing national security concerns about Chinese ownership and the potential for the platform to be used for surveillance and influence, has been at the center of negotiations with the Biden administration on a deal that would allow 150 million Americans to use it. However, since those negotiations stalled late last year, when FBI Director Christopher Wray and Treasury Secretary Janet Yellen spoke out about the app's national security concerns, the app could be banned by the Biden administration (through the Committee on Foreign Investment in the United States) if it is not separated from its Chinese parent company.
Yellen, who heads CFIUS, said at a hearing in March that “the litigation surrounding TikTok is ongoing and not yet resolved.” And many in Congress are questioning Project Texas altogether. “I don't think it's technically possible for TikTok to accomplish what it says it's going to accomplish through Project Texas,” California Republican Jay Obernolte told TikTok's CEO at a hearing in March. “There are too many backdoors.”
Identity theft using stolen Social Security numbers is common in the United States, and the Chinese government has been accused of stealing personal financial information from Americans before. One expert told Forbes this is exactly why TikTok's mishandling of this information is problematic.
“Even if TikTok were not a subsidiary of a Chinese company, this would be a pretty alarming IT security fraud,” Brian Cunningham, a former White House and CIA national security lawyer, told Forbes. He explained that tax records are some of the most sensitive data.
“It could just be bad IT practices, or it could be that they feel there's a legitimate business need,” Cunningham said of TikTok, “but whatever the nuances are, if you're going to store information in China, it's better to store it within China.”
TikTok and ByteDance did not respond to questions about how many companies have access to creators' financial information, where their employees are located, and whether there was any unauthorized access to this data. The company also did not respond to questions about how long TikTok user and vendor payment data was stored in China or whether it is still stored there.
Regulations sound alarm bells on both sides of the Atlantic
The ability of TikTok or ByteDance's Chinese employees to access sensitive financial records of U.S. users and companies could be problematic for geopolitical reasons, especially given the intense regulatory scrutiny in the U.S.
The United States does not have a national privacy law that protects against the mishandling or misuse of personally identifiable information, but one of the leading candidates introduced in the last Congress includes requirements concerning collected data that is “transferred to, processed, stored or otherwise accessible to” the People's Republic of China and other adversaries. Additionally, a previous settlement between the Federal Trade Commission and TikTok (then Musical.ly) dealt with a completely separate issue of children's privacy violations, but the agency, while not considering the company's actions today, may take that order into account.
Do you have tips for TikTok or ByteDance? Contact author Alexandra S. Levine securely at Signal/WhatsApp (310) 526–1242 or email alevine@forbes.com.
Jessica Rich, former director of the FTC's Bureau of Consumer Protection, said that in a case like this, the FTC would likely ask whether the company made false or deceptive statements about how it handles user information, such as in its privacy policy, or whether the handling of that information creates a real risk of harm. She did not specifically comment on TikTok and ByteDance.
TikTok's policies indicate that it takes appropriate measures to protect users' data. Creators participating in TikTok's Creator Fund agree to all of TikTok's policies, including a privacy policy that states that “certain entities within our group…will be given limited remote access to the information we collect” when necessary to operate the platform. It also emphasizes that “we…take reasonable steps to protect information from unauthorized access.” (TikTok states that user data may be transferred to servers outside the United States for storage or processing, and that the security of data storage or transmission cannot be guaranteed.)
Rich, the former federal regulator, said that if a company claims to have locked down access to information while making it available to employees around the world who don't need it, the FTC could consider that a deceptive statement and a basis for potential misconduct complaints regarding data security. She also said government agencies generally view financial information and Social Security numbers as more sensitive than email addresses or phone numbers, and may scrutinize such data-sharing incidents more aggressively.
TikTok storing European creators' banking information in China could also be problematic under Europe's privacy law, the General Data Protection Regulation.
Even as TikTok launched Project Clover, the transatlantic equivalent of Project Texas, to protect European users' data, the Irish Data Protection Commission (TikTok's lead regulator in the European Union) has already conducted two investigations into whether the company complies with GDPR. One of those investigations is specifically examining whether TikTok illegally transferred European users' personal data from the EU to China, and whether TikTok is adequately transparent with its users about how it handles their information. Gabriela Zanfir Fortuna, vice president of global privacy at the Future of Privacy Forum, said ByteDance's tools, which store European creators' data on servers in China, could be problematic for that reason.
“This is like confirming that there is a transfer [of personal data]. I’m sure they’ll want to know about this because it’s happening in China,” she said of Ireland’s privacy watchdog. (Just last week, the group imposed a record $1.3 billion fine on Meta, the parent company of Facebook, one of TikTok's biggest rivals, over its own data transfer issues.) GDPR also requires that access to sensitive user data be limited to need-to-know situations. Zanfir Fortuna added that this also raises questions about how widespread access to these payment tools has been and whether it was necessary.
The commission declined to comment on its ongoing investigation into TikTok, other than to say an update will be released after this summer. TikTok's European policy states that “certain entities within our group located outside your country of residence (see here) have limited remote access to this information.” It says it is “safe and will only be allowed when necessary and under strict security controls.” The included link (“here”) leads to a 404 error page.
Creators' reaction
TikToker Zach Fairhurst, a member of the Creator Fund who participated in the company's blitz on Capitol Hill this spring, told Forbes he had no idea that his tax information and Social Security number might be stored in China. (TikTok brought some creators to Washington in March to raise awareness about the benefits of the app.)
“It really doesn't make sense for it to be there,” Fairhurst told Forbes. “I want all my stuff to stay in the United States. I don't see why it would need to be stored in a database in China. … I'm really surprised.”
Other creators recalled uploading Social Security and financial information to TikTok, but told Forbes they were unfazed by the possibility that it was stored in China, because putting yourself out there online is a given for anyone who wants to build an audience and build a career through social media.
“There are so many more pressing issues in America,” Kathryn Cross, 24, a creator in the TikTok program, told Forbes. “My mother grew up in China, so the Chinese government is very strict about maintaining proper public figureheading, and basically doing things like the Cambridge Analytica scandal to undermine their global standing. I just know that I will never forgive you.”
“The benefits that TikTok has brought to people's businesses and lives, and the innovation behind the For You page, make me think it's worth far more than the remote possibility that China will store our data. It seems…more like a kind of foreign policy conflict,” she added.
Internet star and TikTok Creator Fund member Vivian Tu, a former Wall Street trader who offers financial advice under the handle “YourRichBFF,” said joining the app's monetization program was a “calculated risk.”
“If you're okay with joining TikTok,” she told Forbes, “you probably don't care all that much about where your banking information is stored.”
Emily Baker-White contributed reporting.