SAN FRANCISCO — A California college student has accused popular video-sharing app TikTok in a class-action lawsuit of transferring private user data to servers in China, despite the company’s assurances that it does not store personal data there.
The allegations may deepen legal troubles in the United States for TikTok, which is owned by Beijing ByteDance Technology Co but operates entirely outside of China and has developed an especially devoted fan base among U.S. teenagers.
The company is already facing a U.S. government national security probe over concerns about data storage and possible censorship of political sensitive content.
The lawsuit, filed in the U.S. District Court for the Northern District of California last Wednesday and originally reported by The Daily Beast, alleges TikTok has surreptitiously “vacuumed up and transferred to servers in China vast quantities of private and personally-identifiable user data.”
TikTok did not immediately respond to a request for comment on the allegations, but maintains that it stores all U.S. user data in the United States with backups in Singapore.
The documents identify the plaintiff as Misty Hong, a college student and resident of Palo Alto, California, who downloaded the TikTok app in March or April 2019 but never created an account.
Months later, she alleges, she discovered that TikTok had created an account for her without her knowledge and produced a dossier of private information about her, including biometric information gleaned from videos she created but never posted.
According to the filing, TikTok transferred user data to two servers in China - bugly.qq.com and umeng.com - as recently as April 2019, including information about the user’s device and any websites the user had visited.
Bugly is owned by Tencent, China’s largest mobile software company, which also owns social network WeChat, while Umeng is part of Chinese e-commerce giant Alibaba Group.
The lawsuit also claims that source code from Chinese tech giant Baidu is embedded within the TikTok app, as is code from Igexin, a Chinese advertising service, which security researchers discovered in 2017 was enabling developers to install spyware on a user’s phone.
The legal documents did not provide evidence of the data transfers or the existence of Baidu or Igexin source code in the app. Hong and her legal representatives could not immediately be reached for comment.