- TikTok denies it would share user data with the government of China, home to its parent company.
- But a data watchdog has said it “may” be sending data to the country, if not the government.
- Author Chris Stokel-Walker, who is researching for TikTok for a book, explains how it does send data to China.
- See more stories on Insider’s business page.
The Irish data-protection commissioner, Helen Dixon, told an online conference earlier in March that engineers in China “may” be accessing the data of European TikTok users.
In writing a book on TikTok, I’ve learned there’s no “may” about it: The hugely popular video app does send some European and American data to China. Multiple sources within the company have confirmed it to me over the past year.
Whether TikTok, whose parent firm ByteDance is headquartered in Beijing, sends this data to China is an awkward question. The company has more than 100 million monthly active users in the US and a similar number in Europe.
There’s the concern that the Chinese government may requisition that data at any time under the guise of national security, breaching Western users’ privacy. There are also wider tensions between the West and China.
TikTok maintains that the user data it collects could never be scooped up by China’s ruling party. This is why Dixon’s cautious remarks immediately made headlines.
I understand she carefully chose the word “may” to avoid prejudicing the outcome of any future investigation, should it occur. The Irish Data Protection Commission has been designated as the lead for any European Union investigations into TikTok’s data practices.
But this is what’s really happening to your data, based on conversations with TikTok insiders and public statements.
TikTok was right when it told NPR in August that individual user data was not shipped wholesale from the West to China, despite what some of the company’s most hawkish detractors allege.
TikTok maintains that the data it collects — comparable to that collected by other social-media firms, such as details gathered when you sign up, plus how you use the app — would never be shared with the Chinese government, and journalists like me have found no proof it has or would.
An analysis of TikTok’s app code published this week by Citizen Lab shows nothing unusual.
But on some occasions, data does make its way to China, I learned.
New feature development, cybersecurity defenses, and more are still mostly the responsibility of engineers in ByteDance offices in China. While TikTok’s day-to-day user data is stored on servers in Singapore — where the company is rumored to be looking to base its global headquarters — and the US, some is transferred to China for a handful of specific purposes.
These include identifying bots trying to spam TikTok with comments and boosting views in exchange for money, or troubleshooting problems that users encounter as they browse.
TikTok has spent the past 18 months starting to build out teams of local executives and editorial staffs so it relies less on those in China. Its headcount in Europe, for instance, has doubled in six months.
But it hasn’t yet built out its engineering teams in sufficient numbers. As of October, TikTok reportedly had only 1,000 engineering staff members outside China, about 1% of ByteDance’s total workforce. It plans to hire at least another 3,000 globally.
And one senior source at TikTok told me the data of small numbers of Western users, including personally identifiable information, was put into spreadsheets that were sent through Lark, ByteDance’s
TikTok declined to comment when I asked whether some Western employees accessed Lark through a URL — bytedance.feishou.cn — that is based in China. I’ve been told some of ByteDance’s Western-based workers communicate with bosses in China through the messaging system.
TikTok executives insist this information cannot be accessed by the Chinese state
TikTok hasn’t explicitly denied that some user data, in some form, may be going to China.
Theo Bertram, TikTok’s director of government relations and public policy in Europe, the Middle East, and Africa, told UK lawmakers in September that “there is no access to individual user data from China.”
That is technically true, as when data is fed back to TikTok’s engineering team in China, it is usually grouped and anonymized.
Bertram was pressed to confirm that “from nowhere in the world can data be fed back to China” even though TikTok’s parent company is headquartered in Beijing. Bertram emphasized in his reply that the Chinese state was unable to access any data, without denying that data was being sent to China.
He said no one in China could access data “in the way that you are suggesting” on behalf of the Chinese state “to carry out mass surveillance.”
But, with the majority of the workforce needed to monitor and maintain an enormous social network still in China, TikTok has no choice but to send user data there.
TikTok has been directing journalists who ask about this to a public blog post from August.
Erich Andersen and Roland Cloutier, the general counsel and chief information security officer, respectively, wrote that “employees who work to support TikTok may access user data to do their jobs, subject to internal data controls, technical safeguards such as encryption, and policies designed to ensure confidentiality of user data.”
While they did not name China, they added that in the future they would further restrict access so “employees outside the countries where TikTok is available cannot access individual user records.” This is a clear reference to China, as it is the only market where TikTok is unavailable but ByteDance has a presence.
TikTok also said the number of Chinese employees with access to the data and the level of that access were strictly limited and said this was standard practice.
At the time, TikTok said it planned to limit the access employees have to Western user data through “new, innovative secure development technology that ensures the protection of personal data.”
“This method,” it continued, “would allow engineers to run tests to fine-tune the operation of our platform, for instance, but restrict access to individual user information.”
My understanding is there is no specific timeframe for when this will be complete.
TikTok declined to comment on Helen Dixon’s remarks.