Power

These ByteDance apps stored US user data in China – at least until they started to disappear

TikTok may keep U.S. user data out of China, but other ByteDance apps downloaded hundreds of thousands of times in the U.S. play by a different set of rules.

These ByteDance apps stored US user data in China – at least until they started to disappear

ByteDance has several apps with U.S. users that have been storing data in China, according to their privacy policies.

Getty Images

Over the last year, TikTok's leaders have repeatedly sworn both in court and in the court of public opinion that they don't share any U.S. user data with China, where their parent company, ByteDance, is based.

But the same can't be said for several other ByteDance apps, which also have a sizable audience in the United States and abroad.

While none is as popular in the U.S. as TikTok, a Protocol investigation found that some of ByteDance's most popular apps in China, including Xigua and Toutiao, appear to have been downloaded hundreds of thousands of times in the United States. And as their privacy policies clearly state — albeit in Chinese — all of the data collected from those apps is stored in China.

According to SensorTower estimates, Xigua, a YouTube-like video streaming app, has been downloaded some 296,000 times across the Apple App Store and the Google Play Store in the U.S., while Toutiao, a news aggregation app, has been installed at least 808,000 times from the two U.S. app stores.

SensorTower's data indicates those downloads ended abruptly the week of Oct. 5, suggesting both apps were removed from U.S. app stores around that time, just as the Trump administration was pressuring ByteDance to cut ties with TikTok and sell it to a U.S. company. On Oct. 11, SensorTower's data suggests the apps were also pulled from most app stores in Europe. Now, neither app is available on app stores in the U.S. or most of the E.U. Removing an app from stores, however, does not remove it from users' phones.

Another app, GoGoKid, disappeared from the U.S. Apple App Store Thursday after Protocol asked ByteDance about the app's privacy policy, which had stated data was stored in China.

ByteDance would not confirm the download numbers or provide any of its own. In a statement, a ByteDance spokesperson said: "Toutiao and Xigua are designed for the Chinese market and are only available in Chinese. Accordingly we made a business decision to discontinue offering them in markets like the US, rather than devoting additional resources to them."

The spokesperson did not answer direct questions from Protocol about whether those apps had been storing U.S. users' data in China, as their privacy policies indicate. The spokesperson also didn't answer a question about whether U.S. users who previously downloaded these apps would be able to receive security updates and patches now that they're no longer on the app stores.

The other ByteDance app, GoGoKid, matches teachers in the U.S. and Canada with Chinese students who want to learn English. The privacy policy for GoGoKid's U.S. teacher portal says only that data may be moved outside of the country. But for Canadian teachers, the policy stipulates that data may be transferred and processed "in jurisdictions where our affiliates or service providers are located, including Singapore, China and the United States."

The privacy policy for the U.S. iPad app for students, meanwhile, was different. As of Wednesday, it stated in Chinese, "We store your personal information collected within the territory of the People's Republic of China in accordance with the provisions of laws and regulations." It is no longer available in the U.S. App Store.

In response to questions about where GoGoKid's U.S. user data is stored, another ByteDance spokesperson said, "GoGoKid is focused on giving students in the Chinese market the opportunity to learn English, and it is only available for students in Chinese." That doesn't account for the many American and Canadian teachers on the platform who are also GoGoKid users. GoGoKid's own website features testimonials from several non-Chinese teachers.

The spokesperson downplayed the app's traction in the U.S., saying GoGoKid "has only been downloaded around 1,000 times in the U.S. market," but didn't specify whether that number referred to the student app, the teacher portal or both. Data on U.S. downloads of the app among teachers is hard to come by, and SensorTower doesn't track it, but one GoGoKid Teachers Facebook group alone has more than 5,000 members.

At no point did ByteDance deny that these apps stored U.S. user data in China.

These data storage arrangements for Xigua, Toutiao and GoGoKid raise questions about why ByteDance hasn't walled off U.S. user data for those apps in the same way it's done for TikTok. Neither the White House nor the Department of Commerce, which have both issued orders related to TikTok this year, responded to Protocol's request for comment.

In sworn testimony as part of TikTok's legal battles against the Trump administration this year, the company's chief security officer, Roland Cloutier, described at length the difference between TikTok's tech stack and that of its Chinese counterpart, Douyin. Cloutier wrote that the "source code and user data for TikTok are maintained separately from the source code and user data for Douyin (and other ByteDance products)." Cloutier went on to state that TikTok "would not comply with a request for U.S. user data from the Chinese government."

That argument, it seems, has been compelling in court, where TikTok has been winning case after case against the Trump administration's attempts to ban the app under the guise of a national security emergency. But while TikTok was carefully spinning off its own servers for U.S. users, ByteDance appears to have taken no such precautions with its other apps.

ByteDance's acquisition of the app that predated TikTok, called Musical.ly, was the subject of an investigation by the Committee on Foreign Investment in the United States, which vets foreign acquisitions of U.S. companies. But both Toutiao and Xigua are homegrown Chinese apps that just happen to have U.S. users, which would place them outside of the purview of CFIUS, said Shannon Reaves, special counsel at the law firm Stroock, who specializes in CFIUS reviews.

"The establishment of that entity and its operation is not subject to CFIUS review," Reaves said, adding, "[CFIUS] could certainly look at that to inform their views about the TikTok acquisition and what they think might happen with the data from TikTok."

The Trump administration was under no such constraints, however, and tried (unsuccessfully) to to ban all transactions with ByteDance through executive order. The order paid particular attention to TikTok, and a subsequent directive from the Commerce Department specifically prohibited TikTok (again, unsuccessfully) from operating in the U.S. after a certain date. But neither order made any mention of these apps.

There are differences of course, between TikTok and Xigua or Toutiao. For one thing, TikTok has tremendous scale in the U.S.; recent court filings revealed that the company has 100 million monthly active U.S. users. SensorTower's data suggests Toutiao and Xigua combined have only around 1 million users in the U.S. And while TikTok is clearly marketed directly to Americans, complete with a huge American staff, Xigua and Toutiao are delivered internationally in Chinese and seem entirely geared toward Chinese people and the Chinese diaspora. That may make these apps less of a target to U.S. regulators and politicians, but it doesn't make their U.S. users' data any more secure.

GoGoKid, on the other hand, is very clearly marketed to teachers in the U.S. and Canada. While some teachers expressed anxiety about President Trump's executive orders this fall, fearing it might interfere with income they made from GoGoKid, the teacher app is still available in the U.S.

The Federal Trade Commission recently ordered ByteDance and U.S. social media companies to hand over information about how they collect data from users. In response to a question about whether the FTC will be looking at ByteDance's other properties beyond TikTok, spokesperson Juliana Gruenwald said, "The orders focus on any and all social media and video streaming services" that these companies own, adding that the investigation will look into not just how data is collected, but also how and where it is stored.

Protocol | Workplace

Instacart workers are on strike. How far can it get them?

Instacart activists want a nationwide strike to start today, but many workers are too afraid of the company and feel they can't afford a day off of work.

Gig workers protest in front of an Amazon facility in 2020.

Photo: Michael Nagle/Bloomberg via Getty Images

Starting today, an Instacart organizing group is asking the app's gig workers to go on a nationwide strike to demand better payment structures, benefits and other changes to the way the company treats its workers — but if past strikes are any indication, most Instacart users probably won't even notice.

The majority of Instacart workers on forums like Reddit and Facebook appear either unaware of the planned strike or don't plan to participate because they are skeptical of its power, afraid of retaliation from the company or are too reliant on what they do make from the app to be able to afford to take even one day off of the platform. "Not unless someone is going to pay my bills," "It will never work, you will never be able to get every shopper to organize" and "Last time there was a 'strike' Instacart took away our quality bonus pay," are just a few of the comments Instacart shoppers have left in response to news of the strike.

Keep Reading Show less
Anna Kramer

Anna Kramer is a reporter at Protocol (Twitter: @ anna_c_kramer, email: akramer@protocol.com), where she writes about labor and workplace issues. Prior to joining the team, she covered tech and small business for the San Francisco Chronicle and privacy for Bloomberg Law. She is a recent graduate of Brown University, where she studied International Relations and Arabic and wrote her senior thesis about surveillance tools and technological development in the Middle East.

The way we work has fundamentally changed. COVID-19 upended business dealings and office work processes, putting into hyperdrive a move towards digital collaboration platforms that allow teams to streamline processes and communicate from anywhere. According to the International Data Corporation, the revenue for worldwide collaboration applications increased 32.9 percent from 2019 to 2020, reaching $22.6 billion; it's expected to become a $50.7 billion industry by 2025.

"While consumers and early adopter businesses had widely embraced collaborative applications prior to the pandemic, the market saw five years' worth of new users in the first six months of 2020," said Wayne Kurtzman, research director of social and collaboration at IDC. "This has cemented collaboration, at least to some extent, for every business, large and small."

Keep Reading Show less
Kate Silver

Kate Silver is an award-winning reporter and editor with 15-plus years of journalism experience. Based in Chicago, she specializes in feature and business reporting. Kate's reporting has appeared in the Washington Post, The Chicago Tribune, The Atlantic's CityLab, Atlas Obscura, The Telegraph and many other outlets.

Protocol | China

WeChat promises to stop accessing users’ photo albums amid public outcry

A tech blogger claimed that popular Chinese apps snoop around users' photo libraries, provoking heightened public concerns over privacy.

A survey launched by Sina Tech shows 94% of the some 30,000 responding users said they are not comfortable with apps reading their photo libraries just to allow them to share images faster in chats.

Photo: S3studio via Getty Images

A Chinese tech blogger dropped a bombshell last Friday, claiming on Chinese media that he found that several popular Chinese apps, including the Tencent-owned chat apps WeChat and QQ, as well as the Alibaba-owned ecommerce app Taobao, frequently access iPhone users' photo albums in the background even when those apps are not in use.

The original Weibo post from the tech blogger, using the handle of @Hackl0us, provoked intense debates about user privacy on the Chinese internet and consequently prompted WeChat to announce that it would stop fetching users' photo album data in the background.

Keep Reading Show less
Shen Lu

Shen Lu is a reporter with Protocol | China. Her writing has appeared in Foreign Policy, The New York Times and POLITICO, among other publications. She can be reached at shenlu@protocol.com.

Protocol | Enterprise

As businesses struggle with data, enterprise tech is cleaning up

Enterprise tech's vision of "big data" largely fell flat inside silos. But now, an army of providers think they've figured out the problems. And customers and investors are taking note.

Corporate data tends to settle in silos that makes it harder to understand the bigger picture. Enterprise tech vendors smell a lucrative opportunity.

Photo: Jim Witkowski/Unsplash

Data isn't the new oil; it's the new gold. And in any gold rush, the ones who make the most money in the long run are the tool makers and suppliers.

Enterprise tech vendors have long peddled a vision of corporate America centered around so-called "big data." But there was a big problem: Many of those projects failed to produce a return. An army of new providers think they've finally figured out the problem, and investors and customers are taking note.

Keep Reading Show less
Joe Williams

Joe Williams is a senior reporter at Protocol covering enterprise software, including industry giants like Salesforce, Microsoft, IBM and Oracle. He previously covered emerging technology for Business Insider. Joe can be reached at JWilliams@Protocol.com. To share information confidentially, he can also be contacted on a non-work device via Signal (+1-309-265-6120) or JPW53189@protonmail.com.

Protocol | Policy

What Frances Haugen’s SEC complaint means for the rest of tech

Haugen argues Facebook misled investors by failing to disclose its platforms' harms. If the SEC bites, the rest of tech could be next.

The question is whether the SEC will find the contents of Haugen's complaint relevant to investors' interests.

Photo: Matt McClain-Pool/Getty Images

Whistleblowers like former Facebook staffer Frances Haugen have pretty limited options when it comes to actually seeking redress for the harms they've observed and documented. There's no federal privacy law in the U.S. to speak of, Section 230 protects platforms for online speech and companies like Facebook are under no obligation to share any information with lawmakers, or anyone else, about what's happening on their sites.

But there is one agency that not only governs all publicly-traded companies, including in tech, but also offers whistleblowers like Haugen the opportunity for a payout: the Securities and Exchange Commission.

Keep Reading Show less
Issie Lapowsky

Issie Lapowsky ( @issielapowsky) is Protocol's chief correspondent, covering the intersection of technology, politics, and national affairs. She also oversees Protocol's fellowship program. Previously, she was a senior writer at Wired, where she covered the 2016 election and the Facebook beat in its aftermath. Prior to that, Issie worked as a staff writer for Inc. magazine, writing about small business and entrepreneurship. She has also worked as an on-air contributor for CBS News and taught a graduate-level course at New York University's Center for Publishing on how tech giants have affected publishing.

Latest Stories