L
In August 2021, TikTok obtained a grievance from a British consumer, who flagged {that a} man had been “exposing himself and enjoying with himself” on a livestream she hosted on the video app. She additionally described previous abuse she had skilled.
To deal with the grievance, TikTok staff shared the incident on an inside messaging and collaboration instrument known as Lark, in response to firm paperwork obtained by The New York Occasions. The British girl’s private knowledge — together with her photograph, nation of residence, web protocol handle, system and consumer IDs — have been additionally posted on the platform, which is analogous to Slack and Microsoft Groups.
Her info was only one piece of TikTok consumer knowledge shared on Lark, which is used on daily basis by 1000’s of staff of the app’s Chinese language proprietor, ByteDance, together with by these in China. In keeping with the paperwork obtained by The Occasions, the driving force’s licenses of American customers have been additionally accessible on the platform, as have been some customers’ probably unlawful content material, comparable to little one sexual abuse supplies. In lots of instances, the knowledge was accessible in Lark “teams” — primarily chat rooms of staff — with 1000’s of members.
The profusion of consumer knowledge on Lark alarmed some TikTok staff, particularly since ByteDance employees in China and elsewhere may simply see the fabric, in response to inside experiences and 4 present and former staff. Since no less than July 2021, a number of safety staff have warned ByteDance and TikTok executives about dangers tied to the platform, in response to the paperwork and the present and former employees.
“Ought to Beijing-based staff be house owners of teams that include secret” knowledge of customers, one TikTok worker requested in an inside report final July.
The consumer supplies on Lark elevate questions on TikTok’s knowledge and privateness practices and present how intertwined it’s with ByteDance, simply because the video app faces mounting scrutiny over its potential safety dangers and ties to China. Final week, Montana’s governor signed a invoice banning TikTok in the state as of Jan. 1. The app has additionally been prohibited at universities and authorities companies and by the navy.
TikTok has been below strain for years to cordon off its U.S. operations due to issues that it’d present knowledge on American customers to the Chinese language authorities. To proceed working in america, TikTok final 12 months submitted a plan to the Biden administration, known as Challenge Texas, laying out how it might retailer American consumer info contained in the nation and wall off the information from ByteDance and TikTok staff outdoors america.
TikTok has downplayed the entry that its China-based employees must U.S. consumer knowledge. In a congressional hearing in March, TikTok’s chief executive, Shou Chew, stated that such knowledge was primarily utilized by engineers in China for “enterprise functions” and that the corporate had “rigorous knowledge entry protocols” for safeguarding customers. He stated a lot of the consumer info accessible to engineers was already public.
The interior experiences and communications from Lark seem to contradict Mr. Chew’s statements. Lark knowledge from TikTok was additionally saved on servers in China as of late final 12 months, the 4 present and former staff stated.
The paperwork seen by The Occasions included dozens of screenshots of experiences, chat messages and worker feedback on Lark, in addition to video and audio of inside communications, spanning 2019 to 2022.
Alex Haurek, a TikTok spokesman, known as the paperwork seen by The Occasions “dated.” He stated they didn’t precisely depict “how we deal with protected U.S. consumer knowledge, nor the progress we’ve made below Challenge Texas.”
He added that TikTok was within the technique of deleting U.S. consumer knowledge that it collected earlier than June 2022, when it modified the best way it dealt with details about American customers and commenced sending that knowledge to U.S.-based servers owned by a 3rd occasion slightly than these owned by TikTok or ByteDance.
The corporate didn’t reply to questions on whether or not Lark knowledge was saved in China. It declined to reply questions concerning the involvement of China-based staff in creating and sharing TikTok consumer knowledge in Lark teams, however stated lots of the chat rooms have been “shut down final 12 months after reviewing inside issues.”
Alex Stamos, the director of Stanford College’s Web Observatory and Fb’s former chief info safety officer, stated securing consumer knowledge throughout a corporation was “the toughest technical mission” for a social media firm’s safety crew. TikTok’s issues, he added, are compounded by ByteDance’s possession.
“Lark exhibits you that every one the back-end processes are overseen by ByteDance,” he stated. “TikTok is a skinny veneer on ByteDance.”
ByteDance launched Lark in 2017. The instrument, which has a Chinese language-only equal often called Feishu, is utilized by all ByteDance subsidiaries, together with TikTok and its 7,000 U.S. staff. Lark contains a chatting platform, videoconferencing, activity administration and doc collaboration options. When Mr. Chew was requested about Lark within the March listening to, he stated it was like “another instantaneous messaging instrument” for companies and in contrast it to Slack.
Lark has been used for dealing with particular person TikTok account points and sharing paperwork that include personally identifiable info since no less than 2019, in response to the paperwork obtained by The Occasions.
In June 2019, a TikTok worker shared a picture on Lark of the driving force’s license of a Massachusetts girl. The girl had despatched TikTok the image to confirm her identification. The picture — which included her handle, date of delivery, photograph and driver’s license quantity — was posted to an inside Lark group with greater than 1,100 folks that dealt with the banning and unbanning of accounts.
The driving force’s license, in addition to passports and identification playing cards of individuals from nations together with Australia and Saudi Arabia, have been accessible on Lark as of final 12 months, in response to the paperwork seen by The Occasions.
Lark additionally uncovered customers’ little one sexual abuse supplies. In a single October 2019 dialog, TikTok staff mentioned banning some accounts that had shared content material of ladies over 3 years outdated who have been topless. Employees additionally posted the photographs on Lark.
Mr. Haurek, the TikTok spokesman, stated staff have been instructed to by no means share such content material and to report it to a specialised inside little one security crew.
TikTok staff have raised questions on such incidents. In an inside report final July, one employee requested if there have been guidelines for dealing with consumer knowledge in Lark. Will Farrell, the interim safety officer of TikTok’s U.S. Knowledge Safety, which can oversee U.S. consumer knowledge as a part of Challenge Texas, stated, “No coverage at time.”
A senior safety engineer at TikTok additionally stated final fall that there may very well be 1000’s of Lark teams mishandling consumer knowledge. In a recording, which The Occasions obtained, the engineer stated TikTok wanted to maneuver the information “out of China and run Lark out of Singapore.” TikTok has headquarters in Singapore and Los Angeles.
Mr. Haurek known as the engineer’s feedback “inaccurate” and stated TikTok reviewed situations the place Lark teams have been probably mishandling consumer knowledge and took steps to deal with them. He stated the corporate had a brand new course of for dealing with delicate content material and had put new limits on the dimensions of Lark teams.
TikTok’s privateness and safety division has undergone reorganizations and departures prior to now 12 months, which some staff stated had slowed down or sidelined privateness and safety initiatives at a essential juncture.
Roland Cloutier, a cybersecurity knowledgeable and U.S. Air Power veteran, stepped down final 12 months as the top of TikTok’s international safety group, and a portion of his unit was positioned on a privacy-focused crew led by Yujun Chen, identified to colleagues as Woody, a China-based government who has labored at ByteDance for years, three present and former staff stated. Mr. Chen beforehand targeted on software program high quality assurance.
Mr. Haurek stated that Mr. Chen had “deep technical, knowledge and product engineering experience” and that his crew reported to an government in California. He stated that TikTok had a number of groups engaged on privateness and safety, together with greater than 1,500 employees on its U.S. Knowledge Safety crew, and that it had spent greater than $1.5 billion to hold out Challenge Texas.
ByteDance and TikTok haven’t stated when Challenge Texas will likely be full. When it’s, TikTok stated, communications involving U.S. consumer knowledge will happen on a separate “inside collaboration instrument.”
Aaron Krolik contributed reporting. Alain Delaquérière contributed analysis.
