In August 2021, TikTok received a complaint from a UK user, who indicated that a man had “exposed himself and played with himself” in a live stream she hosted on the video app. She also described the abuse she had experienced in the past.
To address the complaint, TikTok employees shared the incident on an internal messaging and collaboration tool called Lark, similar to Slack and Microsoft Teams, according to company documents obtained by The New York Times. The British woman’s personal details – including her photo, country of residence, internet protocol address, device and user IDs – were also posted on the platform.
Her information was just part of TikTok user data shared on Lark, which is used every day by thousands of employees of the app’s Chinese owner, ByteDance, including those in China. According to the documents obtained by The Times, US users’ driver’s licenses were also accessible on the platform, as well as potentially illegal content from some users, such as child sexual abuse material. In many cases, the information was available in Lark “groups” — essentially employee chat rooms — with thousands of members.
The glut of user data on Lark alarmed some TikTok employees, especially since ByteDance employees in China and elsewhere could easily see the material, according to internal reports and four current and former employees. According to the documents and current and former employees, since at least July 2021, several security officers have warned ByteDance and TikTok executives about the risks associated with the platform.
“Should Beijing-based employees own groups that contain secret” user data, a TikTok employee asked in an internal report last July.
The user material on Lark raises questions about TikTok’s data and privacy practices and shows how intertwined it is with ByteDance, just as the video app comes under increasing scrutiny for its potential security risks and ties to China. Last week, the governor of Montana signed a bill banning TikTok in the state from January 1. The app is also banned by universities and government agencies and by the military.
TikTok has been under pressure for years to lock down its US operations amid concerns that it could provide data on US users to Chinese authorities. To continue operating in the United States, TikTok submitted a plan to the Biden administration last year called Project Texas that outlined how it would store U.S. user information in the country and protect that data from ByteDance and TikTok employees outside of the United States.
TikTok has downplayed the access its China-based employees have to US user data. At a congressional hearing in March, TikTok CEO Shou Chew said such data was primarily used by engineers in China for “business purposes” and that the company had “strict data access protocols” to protect users. He said much of the user information available to engineers was already public.
Internal reports and communications about Lark appear to contradict Mr. Chew. Lark data from TikTok was also stored on servers in China late last year, the four current and former employees said.
The documents The Times accessed include dozens of screenshots of reports, chat messages and employee comments about Lark, as well as video and audio of internal communications spanning 2019 to 2022.
Alex Haurek, a spokesperson for TikTok, called the documents The Times had seen “dated” and disputed that they contradicted Mr Chew’s statements. He said they don’t accurately reflect “how we handle protected U.S. user data, nor the progress we’ve made under Project Texas.”
He added that TikTok was in the process of deleting US user data it collected before June 2022, when it changed the way it handled information about US users and started sending that data to US-based servers owned by a third party rather than by TikTok or ByteDance.
The company did not respond to questions about whether Lark data was stored in China. It declined to answer questions about China-based employees’ involvement in the creation and sharing of TikTok user data in Lark groups, but said many of the chat rooms were “closed last year after reviewing internal concerns.”
Alex Stamos, the director of Stanford University’s Internet Observatory and Facebook’s former chief information security officer, said securing user data within an organization was “the most difficult engineering project” for a social media company’s security team. TikTok’s problems, he added, are compounded by ByteDance’s ownership.
“Lark shows you that all back-end processes are controlled by ByteDance,” he said. “TikTok is a thin layer on ByteDance.”
ByteDance introduced Lark in 2017. The tool, which has a Chinese equivalent known as Feishu, is used by all of ByteDance’s subsidiaries, including TikTok and its 7,000 US employees. Lark features a chat platform, video conferencing, task management, and document collaboration features. When Mr. Chew was asked about Lark at the March hearing, he said it was like “any other instant messaging tool” for businesses and compared it to Slack.
According to documents obtained by The Times, Lark has been used since at least 2019 for handling individual TikTok account issues and sharing documents containing personally identifiable information.
In June 2019, a TikTok contributor shared an image on Lark of a Massachusetts woman’s driver’s license. The woman had sent the photo to TikTok to verify her identity. The image — with her address, date of birth, photo and driver’s license number — was posted to an internal Lark group of more than 1,100 people that handled account banning and unbanning.
The driver’s license, as well as passports and identity cards of people from Australia and Saudi Arabia, among others, was still accessible on Lark as of last year, according to documents The Times viewed.
Lark also exposed child sexual abuse material from users. In an October 2019 conversation, TikTok employees discussed banning some accounts that had shared content of topless girls over the age of 3. Employees also posted the footage to Lark.
Mr Haurek, the TikTok spokesperson, said employees were instructed never to share such content and to report it to a specialist in-house child safety team.
TikTok employees have been asking questions about such incidents. In an internal report last July, an employee asked if there were any rules for handling user data in Lark. Will Farrell, the interim security officer of TikTok’s US Data Security division, who will oversee US user data as part of Project Texas, said, “No policy at this time.”
A senior security engineer at TikTok also said last fall that there could be thousands of Lark groups mishandling user data. In a recording obtained by The Times, the engineer said TikTok should “move the data out of China and chase Lark out of Singapore.” TikTok has headquarters in Singapore and Los Angeles.
Mr Haurek called the engineer’s comments “inaccurate” and said TikTok was reviewing instances where Lark groups may have mishandled user data and was taking steps to address them. He said the company had a new process for handling sensitive content and had new limits on the size of Lark groups.
TikTok’s privacy and security division has undergone reorganizations and departures over the past year, which some employees said delayed or sidelined privacy and security projects at a critical time.
Roland Cloutier, a cybersecurity expert and veteran of the US Air Force, stepped down last year as head of TikTok’s global security organization, and part of his unit was placed in a privacy-focused team led by Yujun Chen, known to colleagues as Woody, a China-based executive who has been with ByteDance for years, said three current and former employees. Mr. Chen previously focused on software quality assurance.
Mr. Haurek said Mr. Chen had “deep technical, data and product engineering expertise” and that his team reported to a California executive. He said TikTok had multiple teams working on privacy and security, including more than 1,500 employees in the US Data Security team, and that it had spent more than $1.5 billion to run Project Texas.
ByteDance and TikTok have not said when Project Texas will be complete. Once it is, TikTok said, communication involving US user data will take place on a separate “internal collaboration tool.”
Aaron Krolik contributed reporting. Alain Delaqueriere contributed research.