In August 2021, TikTok received a complaint from a British user, who flagged that a man had been “exposing himself and taking part in with himself” on a livestream she hosted on the video app. She also described past abuse she had experienced.
To address the complaint, TikTok employees shared the incident on an internal messaging and collaboration tool called Lark, according to company documents obtained by The New York Times. The British woman’s personal data — including her photo, country of residence, internet protocol address, system and user IDs — was also posted on the platform, which is similar to Slack and Microsoft Teams.
Her information was just one piece of TikTok user data shared on Lark, which is used every day by hundreds of employees of the app’s Chinese owner, ByteDance, including by those in China. According to the documents obtained by The Times, the driver’s licenses of American users were also accessible on the platform, as was some users’ potentially illegal content, such as child sexual abuse materials. In many cases, the information was available in Lark “groups” — essentially chat rooms of employees — with hundreds of members.
The profusion of user data on Lark alarmed some TikTok employees, especially since ByteDance employees in China and elsewhere could easily see the material, according to internal reports and four current and former employees. Since at least July 2021, several security employees have warned ByteDance and TikTok executives about risks tied to the platform, according to the documents and the current and former employees.
“Should Beijing-based staff be house owners of teams that comprise secret” data of users, one TikTok employee asked in an internal report last July.
The user materials on Lark raise questions about TikTok’s data and privacy practices and show how intertwined it is with ByteDance, just as the video app faces mounting scrutiny over its potential security risks and ties to China. Last week, Montana’s governor signed a bill banning TikTok in the state as of Jan. 1. The app has also been banned at universities and government agencies and by the navy.
TikTok has been under pressure for years to cordon off its US operations because of concerns that it might provide data on American users to the Chinese government. To continue operating in the United States, TikTok last year submitted a plan to the Biden administration, called Project Texas, laying out how it would store American user information inside the country and wall off the data from ByteDance and TikTok employees outside the United States.
TikTok has downplayed the access that its China-based employees have to US user data. In a congressional hearing in March, TikTok’s chief executive, Shou Chew, said that such data was primarily used by engineers in China for “enterprise functions” and that the company had “rigorous information entry protocols” for protecting users. He said that much of the user information that engineers accessed was already public.
The internal reports and communications from Lark appear to contradict Mr. Chew’s statements. Lark data from TikTok was also stored on servers in China as of late last year, the four current and former employees said.
The documents seen by The Times included dozens of screenshots of reports, chat messages and employee comments on Lark, as well as video and audio of internal communications, spanning 2019 to 2022.
Alex Haurek, a TikTok spokesperson, called the documents seen by The Times “dated.” He said they did not accurately depict “how we deal with protected US person information, nor the progress we have made under Project Texas.”
He added that TikTok was in the process of deleting US user data that it collected before June 2022, when it changed the way it handled information about American users and began sending that data to US-based servers owned by a third party rather than those owned by TikTok or ByteDance.
The company did not respond to questions about whether Lark data was stored in China. It declined to answer questions about the involvement of China-based employees in creating and sharing TikTok user data in Lark groups, but said many of the chat rooms were “shut down last year after reviewing inner issues.”
Alex Stamos, the director of Stanford University’s Internet Observatory, who was formerly Facebook’s chief information security officer, said that securing user data across an organization is “the toughest technical undertaking” for a social media company’s security team. TikTok’s problems, he added, are compounded by ByteDance’s ownership.
“Lark shows you that all the back-end processes are overseen by ByteDance,” he said. “TikTok is a skinny veneer on ByteDance.”
ByteDance launched Lark in 2017. The tool, which has a Chinese-only equivalent known as Feishu, is used by all ByteDance subsidiaries, including TikTok and its 7,000 US employees. Lark features a chat platform, video conferencing, task management and document collaboration features. When Mr. Chew was asked about Lark in the March hearing, he said it was like “another on the spot messaging software” for companies and compared it to Slack.
Lark has been used for handling individual TikTok account issues and sharing documents that contain personally identifiable information since at least 2019, according to the documents obtained by The Times.
In June 2019, a TikTok employee shared an image on Lark of the driver’s license of a Massachusetts woman. The woman had sent TikTok the picture to verify her identity. The image — which included her address, date of birth, photo and driver’s license number — was posted to an internal Lark group with more than 1,100 people who handled the banning and unbanning of accounts.
The driver’s license, as well as passports and identification cards of people from countries including Australia and Saudi Arabia, were accessible on Lark as of last year, according to the documents seen by The Times.
Lark also exposed users’ child sexual abuse materials. In one October 2019 conversation, TikTok employees discussed banning some accounts that had shared content of girls over three years old who were topless. Workers also posted the images on Lark.
Mr. Haurek, the TikTok spokesperson, said employees were instructed to never share such content and to report it to a specialized internal child safety team.
TikTok employees have raised questions about such incidents. In an internal report last July, one worker asked if there were rules for handling user data in Lark. Will Farrell, the interim security officer of TikTok’s US Data Security, which will oversee US user data as part of Project Texas, said, “No coverage presently.”
A senior security engineer at TikTok also said last fall that there could be hundreds of Lark groups mishandling user data. In a recording, which The Times obtained, the engineer said TikTok needed to move the data “out of China and run Lark out of Singapore.” TikTok is headquartered in Singapore and Los Angeles.
Mr. Haurek called the engineer’s comments “inaccurate” and said TikTok reviewed instances where Lark groups were potentially mishandling user data and took steps to address them. He said the company had a new process for handling sensitive content and had put new limits on the size of Lark groups.
TikTok’s privacy and security department has undergone reorganizations and departures in the past year, which some employees said had slowed down or sidelined privacy and security projects at a critical juncture.
Roland Cloutier, a cybersecurity expert and US Air Force veteran, stepped down last year as the head of TikTok’s global security team, and a portion of his unit was placed on a privacy-focused team led by Yujun Chen, known to colleagues as Woody, a China-based executive who has worked at ByteDance for years, three current and former employees said. Mr. Chen previously focused on software quality assurance.
Mr. Haurek said Mr. Chen had “deep technical, information and product engineering experience” and that his team reports to a California-based executive. He said TikTok had several teams working on privacy and security, including more than 1,500 employees on its US Data Security team, and that it had spent more than $1.5 billion to implement Project Texas.
ByteDance and TikTok have not said when Project Texas will be completed. When it is, TikTok said, communications involving US user data will take place on a separate “inner collaboration software.”
Aaron Krolik contributed reporting. Alain Delaquerière contributed analysis.