Inside How TikTok Shares User Data

In August 2021, TikTok received a complaint from a British user, who flagged that a man had been “exposing himself and playing with himself” on a livestream she hosted on the video app. She also described past abuse she had experienced.

To address the complaint, TikTok employees shared the incident on an internal messaging and collaboration tool called Lark, according to company documents obtained by The New York Times. The British woman’s personal data — including her photo, country of residence, internet protocol address, device and user IDs — was also posted on the platform, which is similar to Slack and Microsoft Teams.

Her information was just one piece of TikTok user data shared on Lark, which is used every day by hundreds of employees of the app’s Chinese owner, ByteDance, including by those in China. According to the documents obtained by The Times, the driver’s licenses of American users were also accessible on the platform, as was some users’ potentially illegal content, such as child sexual abuse materials. In many cases, the information was available in Lark “groups” — essentially chat rooms of employees — with hundreds of members.

The profusion of user data on Lark alarmed some TikTok employees, especially since ByteDance employees in China and elsewhere could easily see the material, according to internal reports and four current and former employees. Since at least July 2021, a number of security employees have warned ByteDance and TikTok executives about risks tied to the platform, according to the documents and the current and former employees.

“Should Beijing-based employees be owners of groups that contain secret” data of users, one TikTok employee asked in an internal report last July.

The user materials on Lark raise questions about TikTok’s data and privacy practices and show how intertwined it is with ByteDance, just as the video app faces mounting scrutiny over its potential security risks and ties to China. Last week, Montana’s governor signed a bill banning TikTok in the state as of Jan. 1. The app has also been banned at universities and government agencies and by the military.

TikTok has been under pressure for years to cordon off its US operations because of concerns that it might provide data on American users to the Chinese government. To continue operating in the United States, TikTok last year submitted a plan to the Biden administration, called Project Texas, laying out how it would store American user information inside the country and wall off the data from ByteDance and TikTok employees outside the United States.

TikTok has downplayed the access that its China-based employees have to US user data. In a congressional hearing in March, TikTok’s chief executive, Shou Chew, said that such data was mainly used by engineers in China for “business purposes” and that the company had “rigorous data access protocols” for safeguarding users. He said that much of the user information that engineers accessed was already public.

The internal reports and communications from Lark appear to contradict Mr. Chew’s statements. Lark data from TikTok was also stored on servers in China as of late last year, the four current and former employees said.

The documents seen by The Times included dozens of screenshots of reports, chat messages and employee comments on Lark, as well as video and audio of internal communications, spanning 2019 to 2022.

Alex Haurek, a TikTok spokesperson, called the documents seen by The Times “dated.” He said they didn’t accurately depict “how we handle protected US user data, nor the progress we have made under Project Texas.”

He added that TikTok was in the process of deleting US user data that it collected before June 2022, when it changed the way it handled information about American users and began sending that data to US-based servers owned by a third party rather than those owned by TikTok or ByteDance.

The company didn’t respond to questions about whether Lark data was stored in China. It declined to answer questions about the involvement of China-based employees in creating and sharing TikTok user data in Lark groups, but said most of the chat rooms had been “shut down last year after reviewing internal concerns.”

Alex Stamos, the director of Stanford University’s Internet Observatory and Facebook’s former chief information security officer, said that securing user data across an organization is “the toughest technical mission” for a social media company’s security team. TikTok’s problems, he added, are compounded by ByteDance’s ownership.

“Lark shows you that all the back-end processes are overseen by ByteDance,” he said. “TikTok is a thin veneer on ByteDance.”

ByteDance launched Lark in 2017. The tool, which has a Chinese-only equivalent called Feishu, is used by all ByteDance subsidiaries, including TikTok and its 7,000 US employees. Lark features a chat platform, video conferencing, task management and document collaboration features. When Mr. Chew was asked about Lark in the March hearing, he said it was like “any other instant messaging tool” for businesses and compared it to Slack.

Lark has been used for handling individual TikTok account issues and sharing documents that contain personally identifiable information since at least 2019, according to the documents obtained by The Times.

In June 2019, a TikTok employee shared an image on Lark of the driver’s license of a Massachusetts woman. The woman had sent TikTok the picture to verify her identity. The image — which included her address, date of birth, photo and driver’s license number — was posted to an internal Lark group with more than 1,100 people who handled the banning and unbanning of accounts.

The driver’s license, as well as passports and identification cards of people from countries including Australia and Saudi Arabia, were accessible on Lark as of last year, according to the documents seen by The Times.

Lark also exposed users’ child sexual abuse materials. In one October 2019 conversation, TikTok employees discussed banning some accounts that had shared content of girls over three years old who were topless. Workers also posted the images on Lark.

Mr. Haurek, the TikTok spokesperson, said employees were instructed to never share such content and to report it to a specialized internal child safety team.

TikTok employees have raised questions about such incidents. In an internal report last July, one worker asked if there were rules for handling user data in Lark. Will Farrell, the interim security officer of TikTok’s US Data Security, which will oversee US user data as part of Project Texas, said, “No policy right now.”

A senior security engineer at TikTok also said last fall that there could be hundreds of Lark groups mishandling user data. In a recording, which The Times obtained, the engineer said TikTok needed to move the data “out of China and run Lark out of Singapore.” TikTok is headquartered in Singapore and Los Angeles.

Mr. Haurek called the engineer’s comments “inaccurate” and said TikTok reviewed instances where Lark groups were potentially mishandling user data and took steps to address them. He said the company had a new process for handling sensitive content and had put new limits on the size of Lark groups.

TikTok’s privacy and security department has undergone reorganizations and departures in the past year, which some employees said had slowed down or sidelined privacy and security projects at a critical juncture.

Roland Cloutier, a cybersecurity expert and US Air Force veteran, stepped down last year as the head of TikTok’s global security group, and a portion of his unit was placed on a privacy-focused team led by Yujun Chen, known to colleagues as Woody, a China-based executive who has worked at ByteDance for years, three current and former employees said. Mr. Chen previously focused on software quality assurance.

Mr. Haurek said Mr. Chen had “deep technical, data and product engineering expertise” and that his team reports to a California-based executive. He said TikTok had multiple teams working on privacy and security, including more than 1,500 employees on its US Data Security team, and that it had spent more than $1.5 billion to implement Project Texas.

ByteDance and TikTok haven’t said when Project Texas will be completed. When it is, TikTok said, communications involving US user data will take place on a separate “internal collaboration tool.”

Aaron Krolik contributed reporting. Alain Delaquerière contributed research.
