Find out how TikTok shares user data
In August 2021, TikTok received a complaint from a UK user, who reported that a man had “exposed himself and played with himself” on a live stream she hosted on the video app. She also described past abuse she had suffered.
To respond to the complaint, TikTok employees shared the incident on an internal messaging and collaboration tool called Lark, according to company documents obtained by The New York Times. The British woman’s personal details – including her photo, country of residence, internet protocol address, device and user credentials – were also posted on the platform, which is similar to Slack and Microsoft Teams.
Her information was just part of the TikTok user data shared on Lark, which is used daily by thousands of employees of the app’s Chinese owner, ByteDance, including those in China. According to documents obtained by The Times, U.S. users’ driver’s licenses were also accessible on the platform, as was some users’ potentially illegal content, such as child sexual abuse material. In many cases, the information was available in Lark “groups” – essentially employee chat rooms – with thousands of members.
The proliferation of user data on Lark alarmed some TikTok employees, especially since ByteDance employees in China and elsewhere could easily see the material, according to internal reports and four current and former employees. Since at least July 2021, multiple security employees have warned ByteDance and TikTok executives about risks to the platform, according to the documents and current and former workers.
“Should Beijing-based employees own groups with secret data” about users, a TikTok employee asked in an internal report last July.
User material on Lark raises questions about TikTok’s data and privacy practices and shows how tied it is to ByteDance, just as the video app is coming under increasing scrutiny of its potential security risks and its ties to China. Last week, the governor of Montana signed a bill banning TikTok in the state starting January 1. The app has also been banned in universities and government agencies and by the military.
TikTok has been under pressure for years to shut down its US operations over fears it could provide US user data to Chinese authorities. To continue operating in the United States, TikTok submitted a plan to the Biden administration last year, called Project Texas, outlining how it would store US user information inside the country and block access to that data for ByteDance and TikTok employees outside the United States.
TikTok has minimized its China-based employees’ access to US user data. During a congressional hearing in March, TikTok chief executive Shou Chew said that data was used primarily by engineers in China for “business purposes” and that the company had “stringent data access protocols” to protect users. He said much of the user information engineers had access to was already public.
Internal reports and communications from Lark appear to contradict Mr. Chew’s statements. TikTok’s Lark data was also stored on servers in China late last year, the four current and former employees said.
Documents seen by The Times included dozens of screenshots of reports, chat messages and employee comments about Lark, as well as videos and audio of internal communications, covering the period from 2019 to 2022.
Alex Haurek, a spokesperson for TikTok, called the documents seen by The Times “dated”. He said they didn’t accurately describe “how we handle US users’ protected data, or the progress we’ve made on Project Texas.”
He added that TikTok was in the process of deleting US user data it collected before June 2022, when it changed the way it handled US user information and started sending that data to servers based in the United States that are owned by a third party rather than by TikTok or ByteDance.
The company did not respond to questions about whether Lark’s data was stored in China. It declined to answer questions about the involvement of China-based employees in creating and sharing TikTok user data in Lark groups, but said many chat rooms had been “closed in the past year after considering internal concerns”.
Alex Stamos, director of Stanford University’s Internet Observatory and former chief information security officer at Facebook, said securing user data within an organization is “the most difficult technical project” for the security team of a social media company. TikTok’s problems, he added, are compounded by ByteDance’s ownership.
“Lark shows you that all back-end processes are overseen by ByteDance,” he said. “TikTok is a thin veneer on ByteDance.”
ByteDance introduced Lark in 2017. The tool, which has a Chinese equivalent known as Feishu, is used by all ByteDance subsidiaries, including TikTok and its 7,000 US employees. Lark offers a chat platform, video conferencing, task management, and document collaboration features. When Mr. Chew was asked about Lark at the March hearing, he said it was like “any other instant messaging tool” for business and compared it to Slack.
Lark has been used to handle individual TikTok account issues and share documents containing personally identifiable information since at least 2019, according to documents obtained by The Times.
In June 2019, a TikTok employee shared an image on Lark of a Massachusetts woman’s driver’s license. The woman had sent the photo to TikTok to verify her identity. The image – which included her address, date of birth, photo and driver’s license number – was posted to an internal Lark group of more than 1,100 people who handled the banning and reinstatement of accounts.
Driving licenses, as well as passports and identity cards of people from countries including Australia and Saudi Arabia, had been accessible on Lark since last year, according to documents seen by The Times.
Lark also exposed child sexual abuse material posted by users. In an October 2019 conversation, TikTok employees discussed banning certain accounts that shared content from girls over the age of three who were topless. Workers also posted the footage to Lark.
Mr. Haurek, the TikTok spokesperson, said employees were instructed never to share such content and to report it to an internal child safety team.
TikTok employees have raised questions about such incidents. In an internal report last July, a worker asked if there were any rules for handling user data in Lark. Will Farrell, TikTok’s acting chief security officer for US data security, who will oversee US user data under Project Texas, said: “No policy at this time.”
A senior security engineer at TikTok also said last fall that there could be thousands of Lark groups mismanaging user data. In a recording, obtained by The Times, the engineer said TikTok had to move the data “out of China and get Lark out of Singapore”. TikTok is headquartered in Singapore and Los Angeles.
Mr. Haurek called the engineer’s comments “inaccurate” and said TikTok had looked into instances where Lark groups were potentially mishandling user data and had taken steps to address it. He said the company had a new process for handling sensitive content and had placed new limits on the size of Lark groups.
TikTok’s privacy and security division has undergone reorganizations and departures over the past year, which some employees say has slowed or shelved privacy and security projects at a critical time.
Roland Cloutier, a cybersecurity expert and US Air Force veteran, resigned as head of TikTok’s global security organization last year, and part of his unit was placed under a privacy-focused team led by Yujun Chen, known to colleagues as Woody, a China-based executive who has worked at ByteDance for years, three current and former employees said. Mr. Chen previously focused on software quality assurance.
Mr. Haurek said Mr. Chen has “deep expertise in technical, data and product engineering” and that his team reports to a California-based executive. He said TikTok had multiple teams working on privacy and security, including more than 1,500 employees in its US data security team, and that it had spent more than $1.5 billion to implement Project Texas.
ByteDance and TikTok did not specify when Project Texas will be completed. When it is, TikTok said, communications involving U.S. user data will take place on a separate “internal collaboration tool.”
Aaron Krolik contributed reporting. Alain Delaqueriere contributed research.