Driver’s Licenses, Addresses, Photos: Inside How TikTok Shares User Data – UnlistedNews

In August 2021, TikTok received a complaint from a British user, who noted that a man had been “exposing himself and toying himself” in a live stream she hosted on the video app. She also described abuse that she had experienced in the past.

To address the complaint, TikTok employees shared the incident on an internal messaging and collaboration tool called Lark, according to company documents obtained by The New York Times. The British woman’s personal details, including her photo, country of residence, internet protocol address, device and user ID, were also published on the platform, which is similar to Slack and Microsoft Teams.

Her information was just part of the TikTok user data shared on Lark, which thousands of employees of the app’s Chinese owner, ByteDance, use every day, including in China. According to documents obtained by The Times, US users’ driver’s licenses were also accessible on the platform, as was some users’ potentially illegal content, such as child sexual abuse materials. In many cases, the information was available in Lark’s “groups,” essentially employee chat rooms, with thousands of members.

The profusion of user data on Lark alarmed some TikTok employees, especially since ByteDance workers in China and elsewhere could easily view the material, according to internal reports and four current and former employees. Since at least July 2021, several security employees have warned ByteDance and TikTok executives about risks related to the platform, according to the documents and current and former workers.

“Should Beijing-based employees own groups that contain secret data” from users, a TikTok employee asked in an internal report last July.

User materials on Lark raise questions about TikTok’s data and privacy practices and show how entwined they are with ByteDance, just as the video app faces increasing scrutiny over its potential security risks and ties to China. Last week, the governor of Montana signed a bill banning TikTok in the state as of January 1. The app has also been banned from universities and government agencies and by the military.

TikTok has been under pressure for years to cordon off its US operations over concerns that it could provide data on US users to Chinese authorities. To continue operating in the United States, TikTok submitted a plan to the Biden administration last year, called Project Texas, laying out how it would store American user information inside the country and isolate ByteDance and TikTok employee data outside the United States.

TikTok has minimized the access its workers in China have to US user data. At a congressional hearing in March, TikTok CEO Shou Chew said engineers in China used such data primarily for “business purposes” and that the company had “rigorous data access protocols” in place to protect users. He said that much of the user information available to engineers was already public.

Internal reports and communications from Lark appear to contradict Mr. Chew’s statements. Data from TikTok’s Lark was also stored on servers in China late last year, the four current and former employees said.

The documents seen by The Times included dozens of screenshots of reports, chat messages and employee comments about Lark, as well as video and audio of internal communications, spanning from 2019 to 2022.

Alex Haurek, a TikTok spokesperson, called the documents seen by The Times “dated” and questioned whether they contradicted Mr. Chew’s statements. He said they did not accurately describe “how we handle protected US user data, or the progress we have made under the Texas Project.”

He added that TikTok was in the process of deleting US user data it collected before June 2022, when it changed how it handled information about US users and began sending that data to US-based servers owned by a third party instead of servers owned by TikTok or ByteDance.

The company did not respond to questions about whether Lark’s data was stored in China. It declined to answer questions about China-based employees’ involvement in creating and sharing TikTok user data in Lark’s groups, but said many of the chat rooms were “shut down last year after review internal concerns.”

Alex Stamos, director of Stanford University’s Internet Observatory and a former chief information security officer at Facebook, said protecting user data in an organization was “the most difficult technical project” for a social media company’s security team. TikTok’s problems, he added, are compounded by ByteDance’s ownership.

“Lark shows you that all the back-end processes are monitored by ByteDance,” he said. “TikTok is a thin layer of ByteDance.”

ByteDance introduced Lark in 2017. The tool, which has a Chinese-only equivalent known as Feishu, is used by all of ByteDance’s subsidiaries, including TikTok, and its 7,000 US employees. Lark offers chat, video conferencing, task management and document collaboration features. When Mr. Chew was asked about Lark at the March hearing, he said it was like “every other instant messaging tool” for corporations and compared it to Slack.

Lark has been used to handle individual TikTok account issues and share documents containing personally identifiable information since at least 2019, according to documents obtained by The Times.

In June 2019, a TikTok employee shared an image on Lark of a Massachusetts woman’s driver’s license. The woman had sent the image to TikTok to verify her identity. The image, which included her address, date of birth, photo and driver’s license number, was posted to an internal Lark group of more than 1,100 people that handled account bans and terminations.

Driver’s licenses, as well as passports and ID cards of people from countries including Australia and Saudi Arabia, had been available on Lark since last year, according to documents seen by The Times.

Lark also exposed users’ child sexual abuse materials. In an October 2019 conversation, TikTok employees discussed banning some accounts that had shared topless girls over the age of 3. The workers also posted the images on Lark.

Mr. Haurek, the TikTok spokesman, said employees were instructed never to share such content and to report it to an internal team specializing in child safety.

TikTok employees have raised questions about such incidents. In an internal report last July, a worker asked if there were rules for handling user data on Lark. Will Farrell, the acting security officer for TikTok’s US Data Security, which will oversee US user data as part of Project Texas, said: “There is no policy at this time.”

A senior TikTok security engineer also said last fall that there could be thousands of Lark groups mishandling user data. In a recording, obtained by The Times, the engineer said TikTok needed to get the data “out of China and get Lark out of Singapore.” TikTok is based in Singapore and Los Angeles.

Mr. Haurek called the engineer’s comments “inaccurate” and said TikTok reviewed cases where Lark groups were potentially mishandling user data and took steps to address them. He said the company had a new process for handling sensitive content and had put new limits on the size of Lark’s groups.

TikTok’s privacy and security division has undergone reorganizations and exits in the past year, which some employees say has slowed or shelved privacy and security projects at a critical time.

Roland Cloutier, a cybersecurity expert and US Air Force veteran, resigned last year as head of TikTok’s global security organization, with a portion of his unit being placed on a privacy-focused team led by Yujun Chen, known among his colleagues as Woody, a China-based executive who has worked at ByteDance for years, three current and former employees said. Mr. Chen previously focused on software quality assurance.

Mr. Haurek said that Mr. Chen had “deep technical, data and product engineering experience” and that his team reported to an executive in California. He said TikTok had multiple teams working on privacy and security, including more than 1,500 workers on its US data security team, and that it had spent more than $1.5 billion to get Project Texas done.

ByteDance and TikTok have not said when Project Texas will be completed. When it is, TikTok said, communications involving US user data will take place in a separate “internal collaboration tool.”

Aaron Krolik contributed reporting. Alain Delaquériere contributed research.
