Internal TikTok and ByteDance Reports Say Some Non-China User Data Is Stored in China ⇥ forbes.com

Sapna Maheshwari and Ryan Mac, New York Times:

[…] According to the documents obtained by The Times, the driver’s licenses of American users were also accessible on the platform [ByteDance’s Lark], as were some users’ potentially illegal content, such as child sexual abuse materials. In many cases, the information was available in Lark “groups” — essentially chat rooms of employees — with thousands of members.

[…]

TikTok has played down the access that its China-based workers have to U.S. user data. In a congressional hearing in March, TikTok’s chief executive, Shou Chew, said that such data was mainly used by engineers in China for “business purposes” and that the company had “rigorous data access protocols” for protecting users. He said much of the user information available to engineers was already public.

The internal reports and communications from Lark appear to contradict Mr. Chew’s statements. Lark data from TikTok was also stored on servers in China as of late last year, the four current and former employees said.

Alexandra S. Levine, Forbes:

TikTok uses various internal tools and databases from its Beijing-based parent ByteDance to manage payments to creators who earn money through the app, including many of its biggest stars in the United States and Europe. The same tools are used to pay outside vendors and small businesses working with TikTok. But a trove of records obtained by Forbes from multiple sources across different parts of the company reveals that highly sensitive financial and personal information about those prized users and third parties has been stored in China. The discovery also raises questions about whether employees who are not authorized to access that data have been able to. It draws on internal communications, audio recordings, videos, screenshots, documents marked “Privileged and Confidential,” and several people familiar with the matter.

In testimony before Congress earlier this year, TikTok CEO Shou Zi Chew claimed U.S. user data has been stored on physical servers outside China. “American data has always been stored in Virginia and Singapore in the past, and access of this is on an as-required basis by our engineers globally,” he said under oath at a House hearing in March.

[…]

“Even if TikTok was not a subsidiary of a Chinese company, this would be pretty alarming IT security malpractice,” Bryan Cunningham, a former national security lawyer for the White House and CIA, told Forbes. He described tax records as some of the most sensitive data there is.

Add these to the long list of things being investigated by European regulators since September 2021, especially as it now falls under its list of Very Large Online Platforms. If there are concerns about Europeans’ private data being intercepted by U.S. intelligence agencies, a similar level of worry should apply in this case as well.