TikTok Mishandled The Data Of Hundreds Of Top American Advertisers

87
0

It’s not just TikTok users and TikTok creators whose sensitive data has been mishandled by TikTok and its Beijing-based parent company ByteDance—it’s TikTok advertisers, too, a Forbes investigation has found.

For years, data about TikTok’s prized advertisers—which range from small mom-and-pop businesses to giant multinationals—was widely available to staff at both TikTok and ByteDance, according to internal documents, communications, videos and screenshots obtained by Forbes, as well as multiple sources across TikTok. That left sensitive and competitive information from the likes of Amazon, Disney and the New York Times vulnerable to being accessed or misused by employees most anywhere, including in China, a fear now at the center of federal legislation threatening to ban TikTok in the United States.

According to the documents and multiple internal sources, employees have expressed concerns about how this client information is handled internally—particularly in light of growing geopolitical tensions with China and record scrutiny from Washington over TikTok’s ownership by a Chinese entity. The U.S. government has long had major qualms with TikTok’s handling of American data, prompting investigations or inquiries by the FBI, Justice Department, Federal Trade Commission and leaders of Congress that has culminated in a contentious new bill, supported by the White House, that would effectively shut down TikTok in the U.S. unless ByteDance divests itself of the app.

Some of the most-used programs inside TikTok’s advertising arm were built by ByteDance, according to the internal materials and five people who worked at the company in 2023 and 2024. As a result, some said, ByteDance workers had broad access not only to basics like advertisers’ emails, but also to financial agreements and tax information; data from “pixels” placed on advertisers’ websites to glean intel on customers; delicate details on how companies are targeting those customers; and creative assets that could be valuable for their competitors. Employees flagged some of these privacy and security issues to top data protection personnel at TikTok and discussed raising them with its “China Security Governance” team, internal communications show.

“If you’re an advertiser advertising on this platform, your information [could] be accessed by global employees and distributed for other purposes,” said one source who worked in TikTok’s advertising shop, which spans New York and Texas, for two years. “The advertiser platform was done in the Wild West and wasn’t done with the same things that maybe, let’s say, Meta or X have done to protect advertiser information from being shared.” (TikTok’s advertising operation is led by former longtime Meta executive Blake Chandlee, who reports to CEO Shou Chew and ByteDance chairman Lidong Zhang.)

One of the names on an internal list of TikTok’s advertisers in 2023 is, simply, “China.”

Sources in TikTok’s advertising division between 2021 and 2024 described it as an intensely chaotic environment where those in sales roles—underpaid and under the gun to meet ever-more aggressive revenue goals set by the company—had to operate under a money-at-all-costs mentality that may have forced some to adopt questionable sales tactics. One recent sales employee told Forbes they had, at their managers’ urging, used advertisers’ information to push their rivals to spend more on TikTok. That included sending their clients creative assets from competitors, as well as information about what those competitors were spending and how they were targeting their ads, the source said, to push clients to match or exceed their rivals’ ad spend on the platform. (Imagine, as an example, using private information about McDonald’s to entice Burger King to up its advertising game, and vice versa.)

“I was doing that, everyone was doing that, it was very unethical on my terms, but the rationale was, ‘Hey, this is sales, we need to do this,’” the person told Forbes. “It was very much like threatening advertisers [by] using other information. It was very scammy.”

TikTok declined to answer a detailed series of questions on record. Amazon, Disney and the New York Times did not respond to requests for comment.

TikTok drew an estimated $20 billion in ad revenue last year and, having asked advertisers to spend as much as 150 percent more with TikTok in 2024, it could generate almost $30 billion by year’s end, according to a report by The Information. (Other estimates are far smaller.)

“It was just this complete improper management of advertisers’ sensitive data. I was like, ‘How is this being held together by a bunch of bandaids and nails?’”

Brands that sign up to advertise to TikTok’s 170 million American users give the company sensitive business information to create an account—details stored in a tool called “Make More Money,” also called “MMM” or “3M” for short. The internal program, built by ByteDance as its own version of Salesforce, is an all-in-one sales hub aiding in everything from customer onboarding and contracting to billing and payments, according to the documents obtained by Forbes. The dashboard also provides analytics on ad performance, spending and other metrics, the documents show. (It is not customer-facing.)

One spreadsheet obtained by Forbes shows thousands of brands and organizations that had active ad accounts with TikTok in 2023. They include everyone from niche groups like the South Dakota Department of Tourism to household names like the NFL and MLB, Johnson & Johnson and Pfizer, Peloton and Sephora (none responded to requests for comment). One of the ad account names on the list is, simply, “China.”

“3M,” rolled out gradually to U.S. staff starting in 2021, was originally built as a solution to a problem not uncommon for young companies that experience explosive growth overnight, as TikTok had when the pandemic hit in 2020. Advertiser data was being managed “really scrappily… where it could be easily downloaded, accessible, shared and seen by other team members who aren’t working on that division,” said one recent TikTok advertising employee, who recalled haphazardly working off spreadsheets in Lark (called Feishu in China), ByteDance software akin to Microsoft Office or G Suite. “It was just this complete improper management of advertisers’ sensitive data. I was like, ‘How is this being held together by a bunch of bandaids and nails?’”

“We are excited to announce the upcoming decoupling of 3M for TikTok and 3M China.”

But even with 3M, according to three sources and internal material, privacy, security and access control issues persisted. Until partway through 2023, the Make More Money platform used by staff in the U.S. and China was one in the same, the internal material shows. The system was shared at least until around the time that TikTok’s CEO testified before Congress for the first time and the threat of a national ban on the app escalated. As work on Project Texas—TikTok’s $1.5 billion project to unwind its U.S. and China operations with the help of Oracle—accelerated, workers received a memo about the imminent “decoupling” of 3M for TikTok and 3M China.

“We are excited to announce the upcoming decoupling of 3M for TikTok and 3M China Interface,” said a communication from March 2023 obtained by Forbes. “Over the coming days you will see the 3M for TikTok interface live apart from the 3M China interface. Both will provide independent domain names.”

The change means “no more unexpected switch between the two interfaces,” the document said, and “upgraded access control of 3M for TikTok, [which] protects you from data access loss.”

“This is honestly perfect timing,” the note concluded, without mentioning Project Texas or the heightened attention on TikTok’s ownership in China.

Forbes also obtained several documents dated 2023 of PR-guided and “Myth vs. Fact” talking points for fielding outside partners’ questions. One covered topics including Project Texas, data security and access controls, ByteDance ownership and China-based employees. Another answered queries about how TikTok uses data that businesses share with it: “We do not share any insights or reporting specific to one advertiser with another advertiser,” read one response.

“It was common practice for employees to request access to data structures or dashboards… without providing a rationale, and it would be granted.”

The changes to this popular advertising tool illustrate TikTok’s attempts to disconnect key parts of its business here from ByteDance’s functions in China. But it’s also another datapoint showing just how enmeshed the two have long been, and how ByteDance has historically struggled with access problems jeopardizing privacy and security. Forbes reporting has repeatedly revealed the extent to which TikTok and ByteDance are entangled and data from one company is often accessible by both. The sensitive financial information of American creators and small businesses working with TikTok was stored on servers in China and accessible by personnel there, one recent Forbes investigation revealed, while celebrities and politicians on the platform have had their closest personal contacts exposed to TikTok and ByteDance employees around the world, Forbes found in another.

TikTok declined to comment on whether the Make More Money separation was ever completed, but two ex-staffers questioned that it had been and told Forbes the overlap continued into last summer.

“The request and approval processes for access to data was fast and loose,” said Joel Carter, who used 3M regularly while working in advertising policy until August 2023, when he says he was wrongfully terminated. “It was common practice for employees to request access to data structures or dashboards… without providing a rationale, and it would be granted.”

Similar problems had also plagued “Ads Integrity,” a separate ByteDance tool used to review ads submitted to TikTok to ensure they met certain criteria and followed company rules, three recent TikTok employees said and internal documents show. In 2022, access controls were so lax that nearly anyone at TikTok and ByteDance could easily edit, moderate or add violations to a campaign.

Some employees were concerned about the privacy implications of advertisers’ sensitive information, such as their email addresses and targeting preferences, being widely available, sources said and materials show. Others worried that people meddling in the system without permission could take action on ads—labeling them with tags like “Misleading&False Content,” “Adults & Sexual Content,” “Violence&Horror&Dangerous Activity,” “Politics&Religion&Culture” or “Intellectual Property Infringement”—that could lead to the videos being rejected or advertisers being suspended altogether.

They also said those freely accessing these ads could potentially use them to market rival products, or that the information could provide a competitive advantage in China, issues that have been of broader concern across TikTok’s ad division, according to multiple sources.

“The potential harm is that you don’t know what’s being done with your information that you’re uploading to the platform,” they added—noting that pixels are one of the most sensitive examples of this that endangers both advertisers and consumers.

“As soon as you put that pixel on your website, that data is accessed by TikTok,” they said. “All that information about your customer transactions, all that information about what’s going on on the backend to help improve your ad performance, is being fed directly to ByteDance. What is ByteDance doing with that?”

Emily Baker-White contributed reporting.

[Read More…]