Inside How TikTok Shares User Data

In August 2021, TikTok received a complaint from a user in the UK who reported that a man was “exposing and playing with himself” in a livestream he hosted on the video app. She also described abuse she had experienced in the past.

To address the complaint, TikTok employees shared the incident on an internal messaging and collaboration tool called Lark, according to an internal document obtained by The New York Times. The British woman’s personal data, including her photo, country of residence, internet protocol address, and device and user IDs, was also posted to the platform, which is similar to Slack and Microsoft Teams.

Her information is only a small part of the TikTok user data shared on Lark, which is used daily by thousands of employees of the app’s Chinese owner, ByteDance, including employees in China. Documents obtained by The Times show that the platform also gave access to the driver’s licenses of American users and to potentially illegal content, such as child sexual abuse material, of some users. In many cases, the information was available in Lark “groups” (essentially employee chat rooms) with thousands of members.

According to an internal report and four current and former employees, the vast amount of user data on Lark caused anxiety among some TikTok employees, in particular because the material could easily be seen by ByteDance employees in countries such as China. Since at least July 2021, several security employees have warned ByteDance and TikTok executives about the risks associated with the platform, according to documents and current and former employees.

In an internal report last July, one TikTok employee asked: “Should a Beijing-based employee be the owner of a group containing sensitive user data?”

The user material on Lark raises questions about TikTok’s data and privacy practices and shows how intertwined TikTok is with ByteDance, just as the video app faces heavy scrutiny over potential security risks and its ties to China. The governor of Montana signed a bill last week banning TikTok in the state starting January 1. The app has also been banned by universities, government agencies and the military.

TikTok has long been under pressure to shut down its U.S. operations over concerns that it could provide data of U.S. users to Chinese authorities. To continue operating in the U.S., TikTok last year submitted a plan called “Project Texas” to the Biden administration that defined how to keep U.S. user information in the country and block that data from ByteDance and TikTok employees outside the U.S.

TikTok has downplayed the ability of its China-based employees to access U.S. user data. At a congressional hearing in March, TikTok Chief Executive Shou Chew said such data was primarily used by Chinese engineers for “business purposes” and that the company had a “strict data access protocol” to protect its users. He said much of the user information the engineers accessed was already public.

Internal reports and communications from Lark appear to contradict Mr. Chew’s statements. TikTok’s Lark data was also stored on servers in China as of the end of last year, four current and former employees said.

Documents reviewed by The Times included dozens of screenshots of Lark reports, chat messages, and employee comments, as well as video and audio of internal communications from 2019 to 2022.

TikTok spokesman Alex Haurek said the documents seen by The Times were “old.” He said the documents do not accurately portray “how we handle protected US user data and our progress under Project Texas.”

He added that TikTok was in the process of deleting U.S. user data it collected before June 2022, when it changed the way it handled information about U.S. users and began sending that data to servers in the United States owned by a third party rather than servers owned by TikTok or ByteDance.

The company did not respond to questions about whether Lark’s data is stored in China. It declined to answer questions about the involvement of its China-based employees in creating and sharing TikTok user data within Lark groups, but said that many of the chat rooms had been closed after internal concerns were considered.

Alex Stamos, former chief information security officer at Facebook and director of Stanford University’s Internet Observatory, said securing user data across the organization was “the most difficult technical project for a social media company’s security team.” He added that TikTok’s problems are exacerbated by ByteDance’s ownership.

“Lark shows that all backend processes are monitored by ByteDance,” he said. “TikTok is ByteDance’s facade.”

ByteDance introduced Lark in 2017. The tool has a Chinese-only equivalent known as Feishu and is used by TikTok and all ByteDance subsidiaries, including 7,000 U.S. employees. Lark features a chat platform, video conferencing, task management and document collaboration capabilities. When asked about Lark at a public hearing in March, Mr. Chew said it was like “any other instant messaging tool” for businesses, comparing it to Slack.

Lark has been used to handle issues with individual TikTok accounts and share documents containing personally identifiable information since at least 2019, according to documents obtained by The Times.

In June 2019, a TikTok employee shared an image of a Massachusetts woman’s driver’s license on Lark. The woman had sent the photo to TikTok to confirm her identity. The image, which included her address, date of birth, photo and driver’s license number, was posted in an internal Lark group of over 1,100 employees responsible for banning and unbanning accounts.

Driver’s licenses, passports and ID cards from countries such as Australia and Saudi Arabia were accessible on Lark as of last year, according to documents obtained by The Times.

Child sexual abuse material from users was also exposed on Lark. In an October 2019 conversation, TikTok employees discussed banning some accounts that shared content of topless girls over the age of three. Workers also posted the images to Lark.

Mr. Haurek, the TikTok spokesperson, said employees were instructed to never share such content and to report it to the company’s dedicated child safety team.

TikTok employees have questioned the incident. In an internal report last July, an employee asked if Lark had rules about how user data was handled. “There is no policy at this time,” said Will Farrell, interim security officer for US data security at TikTok, which oversees US user data as part of Project Texas.

A senior security engineer at TikTok also said last fall that thousands of Lark groups may be mishandling user data. In a recording obtained by The Times, the engineer said TikTok would have to move the data “out of China and kick Lark out of Singapore.” TikTok is headquartered in Singapore and Los Angeles.

Mr. Haurek called the engineer’s comments “inaccurate,” and said TikTok had investigated and taken steps to address instances where Lark groups may have mishandled user data. He said the company has introduced new processes for handling sensitive content and placed new limits on the size of Lark groups.

TikTok’s privacy and security division has undergone a series of reorganizations and departures over the past year, with some employees saying it delayed or set aside critical privacy and security projects.

Roland Cloutier, a cybersecurity expert and U.S. Air Force veteran, stepped down as head of TikTok’s global security organization last year, and part of his organization was assigned to a team headed by Yujun Chen, known to his colleagues as Woody. According to three current and former employees, Mr. Chen is a China-based executive who has worked for ByteDance for many years. Mr. Chen previously focused on software quality assurance.

Mr. Haurek said Mr. Chen has “deep technical, data and product engineering expertise” and that his team reports directly to California-based executives. He said TikTok has multiple teams working on privacy and security, including more than 1,500 employees in the U.S. Data Security Team, which has spent more than $1.5 billion implementing Project Texas.

ByteDance and TikTok have not disclosed when Project Texas will be completed. TikTok said that once it is, communications involving U.S. user data would take place over a separate “internal collaboration tool.”

Aaron Krolik contributed reporting. Alain Delaquérière contributed research.