TikTok has stored the most sensitive financial data of its biggest stars — including those in its “Creator Fund” — on servers in China. Earlier this year, CEO Shou Chew told Congress “American data has always been stored in Virginia and Singapore.”
Over the past several years, thousands of TikTok creators and businesses around the world have given the company sensitive financial information—including their social security numbers and tax IDs—so that they can be paid by the platform.
But unbeknownst to many of them, TikTok has stored that personal financial information on servers in China that are accessible by employees there, Forbes has learned.
TikTok uses various internal tools and databases from its Beijing-based parent ByteDance to manage payments to creators who earn money through the app, including many of its biggest stars in the United States and Europe. The same tools are used to pay outside vendors and small businesses working with TikTok. But a trove of records obtained by Forbes from multiple sources across different parts of the company reveals that highly sensitive financial and personal information about those prized users and third parties has been stored in China. The discovery also raises questions about whether employees who are not authorized to access that data have been able to. It draws on internal communications, audio recordings, videos, screenshots, documents marked “Privileged and Confidential,” and several people familiar with the matter.
In testimony before Congress earlier this year, TikTok CEO Shou Zi Chew claimed U.S. user data has been stored on physical servers outside China. “American data has always been stored in Virginia and Singapore in the past, and access of this is on an as-required basis by our engineers globally,” he said under oath at a House hearing in March.
TikTok spokesperson Alex Haurek said in a statement that “we remain confident in the accuracy of Shou’s testimony.” ByteDance did not respond to a detailed request for comment. At publication time, neither company had answered basic questions about whether sensitive tax information of U.S. citizens is stored and accessible in China.
Over the last year, TikTok has been touting its plans to cordon off Americans’ data from China in a $1.5 billion undertaking called Project Texas. That initiative has been central to negotiations with the Biden administration on a deal that would allow the wildly popular app to continue operating in the U.S., despite longstanding national security concerns about its Chinese ownership and the potential for the platform to be used to surveil or influence the 150 million Americans using it. But since those talks hit a snag late last year, with both FBI Director Christopher Wray and Treasury Secretary Janet Yellen speaking out about national security issues with the app, the Biden administration (through the Committee on Foreign Investment in the U.S.) has demanded that TikTok split from its Chinese parent company or face a possible ban.
“There’s ongoing litigation over TikTok that is not yet resolved,” Yellen, whose department leads CFIUS, said at a hearing in March. And many in Congress have cast doubt on Project Texas altogether: “I don’t believe that it is technically possible to accomplish what TikTok says it will accomplish through Project Texas,” California Republican Jay Obernolte told the TikTok CEO at the March hearing. “There are too many backdoors.”
Identity theft using stolen social security numbers is not uncommon in the U.S., and the Chinese government has been accused of stealing personal financial information from Americans before. One expert told Forbes this is precisely why TikTok’s mishandling of such information is troubling.
“Even if TikTok was not a subsidiary of a Chinese company, this would be pretty alarming IT security malpractice,” Bryan Cunningham, a former national security lawyer for the White House and CIA, told Forbes. He described tax records as some of the most sensitive data there is.
“It could be just bad IT practice, it could be they felt like they had a legitimate business need,” Cunningham said of TikTok. “But whatever the nuance of that turns out to be… if you store information in the PRC, you better assume that the intelligence services can have it if they want it. They may not target you, but boy, on the face of it, it’s highly questionable.”
TikTok and ByteDance did not respond to questions about how many people at the companies can access creators’ financial information, where those employees are located and whether there has been unauthorized access to this data. They also did not respond to queries about how long TikTok users and vendors’ payment data had been stored in China and whether it still is today.
Raising regulatory alarms on both sides of the Atlantic
TikTok or ByteDance employees in China having access to American users and businesses’ sensitive financial records is potentially problematic for geopolitical reasons, particularly against the backdrop of intense regulatory scrutiny in the U.S.
Though there is no national privacy law in the U.S. to protect against the mishandling or misuse of personally identifiable information, one top contender introduced last Congress would require companies to clearly disclose in their privacy policies whether data they collect “is transferred to, processed in, stored in, or otherwise accessible to the People’s Republic of China” and other adversaries. And though a past Federal Trade Commission settlement with TikTok (then Musical.ly) dealt with a markedly separate set of issues—children’s privacy violations—the agency could take that order into consideration when evaluating the company’s conduct today.
Jessica Rich, former director of the FTC’s Bureau of Consumer Protection, said in a case like this, the agency would likely consider whether the company had made false or deceptive statements about how it handles users’ information—in a privacy policy, for example—or if the handling of that information had created a real risk of harm. She would not comment specifically on TikTok and ByteDance.
TikTok’s policies suggest that it takes appropriate steps to protect its users’ data. Creators who join TikTok’s Creator Fund agree to “all” TikTok policies, including privacy terms stating that “certain entities within our corporate group… are given limited remote access to information we collect” if it’s necessary for the platform’s operations. They also emphasize that “we use reasonable measures to help protect information from… unauthorized access.” (It does say TikTok may transmit user data to servers outside the U.S. for storage or processing, and that no data storage or transmission is guaranteed to be secure.)
Rich, the former federal regulator, said that if any company claims to be locking down access to information but then making it available to employees around the world who do not need it, the FTC could see that as a deceptive statement and grounds for a potential data security complaint. She also said that the agency generally views financial information and social security numbers as more sensitive than email addresses or phone numbers, and that it may scrutinize those data-sharing cases more aggressively.
TikTok’s storage of European creators’ bank information in China could also be problematic under Europe’s privacy law, the General Data Protection Regulation.
Even as TikTok launched Project Clover—a Project Texas counterpart across the Atlantic—to safeguard the data of its European users, the Irish Data Protection Commission (TikTok’s lead regulator in the European Union) is already conducting two investigations into whether the company has complied with GDPR. One of those probes is looking specifically at whether TikTok has unlawfully transferred European users’ personal data from the EU to China, and whether it was adequately transparent with users about how it was handling their information. Gabriela Zanfir-Fortuna, vice president for global privacy at the Future of Privacy Forum, said ByteDance tools storing European creators’ data on servers in China could be problematic for that reason.
“This is the sort of thing that would confirm there are transfers [of personal data] to China happening, so I’m sure they would be interested in knowing this,” she said of Ireland’s privacy watchdog. (Just last week, the body issued a record $1.3 billion fine to Facebook parent Meta, one of TikTok’s biggest rivals, over its own data transfer issues.) GDPR also requires companies to restrict access to sensitive user data on a need-to-know basis, Zanfir-Fortuna added, raising questions about how broad access to these payment tools has been and whether it was necessary.
The Commission would not comment on its ongoing inquiry into TikTok except to say it expects a public update after this summer. TikTok’s policies for Europe say “certain entities in our Corporate Group, located outside your country of residence (see here), are given limited remote access to this information” and that this access is “secure and only granted where necessary under strict security controls.” The link included (“here”) lands on a 404 error page.
Creators react
TikToker Zack Fairhurst, a member of its Creator Fund who participated in the company’s blitz on Capitol Hill this spring, told Forbes he had no idea his tax information and social security number might be stored in China. (TikTok brought some creators to Washington in March to raise awareness around the benefits of the app.)
“It wouldn’t really make sense for it to be over there,” Fairhurst told Forbes. “I would like everything to stay in the U.S.—like, I wouldn’t see why it would ever need to be stored on a China database. … I am actually surprised by that.”
Other creators recalled uploading social security and financial information into TikTok but told Forbes they were unfazed by the possibility that it’s stored in China because putting themselves out there online is par for the course for those who want to build audiences and careers through social media.
“There are so many more pressing issues in the U.S.,” Kathryn Cross, a 24-year-old creator in the TikTok program, told Forbes. “My mom grew up in China, so I just know that the Chinese government is so stringent about maintaining a proper public figure, essentially, that they would never allow something like a Cambridge Analytica scandal to compromise their global position.”
“The benefit TikTok has brought to people’s businesses and lives, and the innovation behind the For You Page, to me seems so much more valuable than any minute chance that China’s storing our data… more so it seems like a foreign policy type of conflict,” she added.
Internet star and TikTok Creator Fund member Vivian Tu—a former Wall Street trader who doles out financial advice under the handle “YourRichBFF”—said joining any app’s monetization program is “a calculated risk.”
“If you’re okay with being on TikTok,” she told Forbes, “you probably don’t care that much about your banking information being everywhere it’s stored.”
Emily Baker-White contributed reporting.