TikTok users’ private data is routinely accessed by employees in China despite the video app’s promises to store data outside the country, an investigation has found.
Staff at ByteDance, the video app’s Chinese owner, are able to see non-public data about users such as their birthdays and phone numbers, according to staff recordings obtained by the news website BuzzFeed.
One employee claimed that “everything is seen in China”, adding to concerns that the app’s data could be used by Beijing to gather data on Western citizens.
TikTok, best known for short videos that are recommended to users through a recommendation algorithm, is used by more than 15m adults in Britain who spend an average of almost 30 minutes a day on the app.
The company has insisted that it has never handed over data to the Chinese government and that data for users in the UK, Europe and US is stored on computer servers in the US and Singapore.
However, the investigation found that there is little to stop this data from being accessed by employees in China.
On Friday, TikTok said that it is now storing all of its data on US users with Oracle, an American company, and working on protecting the data so that only a small number of employees could access it.
However, a data storage facility in Ireland designed to store British and European users’ data is not due to open until next year, and it is unclear if it will receive the same protections.
Recordings of staff meetings leaked to BuzzFeed showed that engineers in China were able to access user data as recently as January of this year.
One employee in Beijing was described as a “master admin” who has “access to everything”. Another said: “I feel like with these tools, there’s some backdoor to access user data in almost all of them.”
TikTok had previously told US senators that a “world-renowned, US-based security team” decides who accesses data on users.
TikTok has surged in popularity in recent years, becoming one of the world’s best known smartphone apps, but its rise has been mirrored by concerns about its Chinese ownership.
Indian authorities have banned the app and Donald Trump attempted to force the company to sell its US business before losing the 2020 election.
The company is negotiating an agreement with US authorities to protect American users’ data by storing it at an Oracle facility in Texas.
TikTok said on Friday that all of its US users’ traffic is now sent to Oracle data centres. However, it continues to be backed up on the company’s own servers, and is still establishing which staff will be able to access it.
This year the company signed a deal to build a data center in Dublin and said it would “minimise data transfers” outside Europe.
TikTok had been expected to announce that its non-US headquarters would be based in London but reportedly backed out of the plan in 2020 amid growing tensions between the Government and China.
Conservative MPs had called for it to store British users’ data in the UK as part of the plans.
TikTok said: “We know we are among the most scrutinised platforms from a security standpoint, and we aim to remove any doubt about the security of US user data.”
It did not respond to a request for comment on whether British users’ data could be accessed from China.