In August 2021, TikTok received a complaint from a U.K. user who said a man “exposed and played with himself” in a livestream she hosted on the video app. She also described the abuse she suffered in the past.
To deal with complaints, TikTok employees shared the incident on an internal messaging and collaboration tool called Lark, according to company documents obtained by The New York Times. The British woman’s personal data — including her photo, country of residence, internet protocol address, device and user ID — was also posted on the platform, which is similar to Slack and Microsoft Teams.
Her information is simply a share of TikTok user data shared on Lark that is used every day by thousands of employees of the app’s Chinese owner, ByteDance, including those in China. The platform also had access to U.S. users’ driver’s licenses, as well as potentially illegal content on some users, such as child sexual abuse material, according to documents obtained by The Times. In many cases, this information is available in Lark “groups” — essentially employee chat rooms — that have thousands of members.
The sheer amount of user data on Lark has alarmed some TikTok employees, not least because of the ease with which ByteDance employees in China and elsewhere can see the material, according to internal reports and four current and former employees. Beginning at least July 2021, several security employees have warned Bytedance and TikTok executives about the risks associated with the platform, according to documents and current and former employees.
A TikTok employee asked in an internal report last July whether “Beijing employees should have groups containing user secrets” data.
User profiles on Lark have raised questions about TikTok’s data and privacy practices, and show how its ties to ByteDance are as intertwined as the video app’s potential security risks and ties to China. More and more reviews like that. Last week, the governor of Montana signed a bill banning TikTok in the state starting Jan. 1. Universities, government agencies and the military are also banned from using the app.
TikTok has been under pressure to block its U.S. operations for years over fears it could provide Chinese authorities with data on U.S. users. In order to continue operating in the United States, TikTok submitted a plan called the “Texas Plan” to the Biden administration last year, setting out how to store American user information in the country and isolate ByteDance and TikTok employees outside the United States The data.
TikTok has downplayed the access its employees in China have to the data of U.S. users. At a congressional hearing in March, TikTok Chief Executive Zhou Shou said the data was mainly used by engineers in China for “commercial purposes” and that the company had “strict data access protocols” to protect users. Much of the user information available to engineers is already public, he said.
Lark’s internal reports and communications appear to contradict Mr. Chew’s statements. Lark data from TikTok was also stored on servers in China as of late last year, four current and former employees said.
Documents reviewed by The New York Times included screenshots of dozens of reports from 2019 to 2022, chat messages and employee comments about Lark, as well as video and audio of internal communications.
Alex Haurek, a TikTok spokesman, called the documents seen by The Times “dated” and denied that they contradicted Mr. Zhou’s statement. He said they did not describe precisely “how we handle protected U.S. user data or the progress we have made under Project Texas.”
He added that TikTok is deleting U.S. user data it collected until June 2022, when it changes how it handles U.S. user information and begins sending that data to U.S. servers owned by third parties, rather than those owned by Servers via TikTok or ByteDance.
The company did not respond to questions about whether Lark data is stored in China. It declined to answer questions about the involvement of Chinese employees in creating and sharing TikTok user data in Lark groups, but said many chatrooms “closed last year after a review of internal issues”.
Protecting user data across the organization is the “most difficult technical project” for the social media company’s security team, said Alex Stamos, director of Stanford University’s Internet Observatory and former chief information security officer at Facebook. TikTok’s problems are compounded by ByteDance’s ownership, he added.
“Lark shows you that all the backend processes are overseen by ByteDance,” he said. “TikTok is a thin veneer for ByteDance.”
Bytedance launched Lark in 2017. The tool has a Chinese-only Feishu tool that is used by all of ByteDance’s subsidiaries, including TikTok and its 7,000 U.S. employees. Lark features a chat platform, video conferencing, task management, and document collaboration. When Mr Zhou was asked about Lark at the hearing in March, he said it was like “any other instant messaging tool” for businesses, comparing it to Slack.
Lark has been used since at least 2019 to troubleshoot personal TikTok accounts and share files containing personally identifiable information, according to documents obtained by The Times.
In June 2019, a TikTok employee shared an image of a female Massachusetts driver’s license on Lark. The woman has sent the photo to TikTok to verify her identity. The photo — including her address, date of birth, photo and driver’s license number — was posted to an internal Lark group of more than 1,100 people who handle banning and unbanning accounts.
As of last year, the driver’s licenses of people from countries such as Australia and Saudi Arabia, as well as passports and ID cards, were accessible on Lark, according to documents seen by The Times.
Lark also exposed child sexual abuse material from users. In a conversation in October 2019, TikTok employees discussed banning some accounts that shared content featuring topless girls over the age of 3. The staff also posted the pictures on Lark.
Mr. Haurek, a TikTok spokesman, said employees were instructed never to share such content and to report it to a dedicated internal child safety team.
TikTok employees have raised questions about such incidents. In an internal report last July, a staff member asked Lark if it had rules for handling user data. “There is no policy at this time,” said Will Farrell, interim security officer for TikTok’s U.S. data security division.
A senior TikTok security engineer also said last fall that there may be thousands of Lark groups mishandling user data. In a recording obtained by The Times, the engineer said TikTok needed to move data “out of China and Lark out of Singapore.” TikTok has headquarters in Singapore and Los Angeles.
Mr. Haurek called the engineer’s comments “inaccurate” and said TikTok reviewed instances of possible mishandling of user data by Lark Group and took steps to address them. The company has a new process for handling sensitive content and has placed new limits on the size of Lark groups, he said.
TikTok’s privacy and security department has undergone restructuring and departures in the past year, with some employees saying privacy and security projects were slowed down or put on hold at critical times.
Roland Cloutier, a cybersecurity expert and U.S. Air Force veteran, resigned as head of TikTok’s global safety organization last year, putting him in part on a privacy-focused team led by Chen Yujun, known to colleagues as Woody, three A Chinese executive who has worked at ByteDance for many years, according to current and former employees. Mr. Chen previously focused on software quality assurance.
Mr. Chen has “deep technology, data and product engineering expertise,” and his team reports to an executive in California, Mr. Haurek said. TikTok has multiple teams working on privacy and security, including more than 1,500 employees in its US data security team, and has spent more than $1.5 billion on the Texas project, he said.
ByteDance and TikTok did not say when the Texas project would be completed. TikTok said communications involving U.S. user data would then take place on a separate “internal collaboration tool.”
Aaron Krolick Contribution report. Alain de la Querrier contributed research.