Inside How TikTok Shares User Data

In August 2021, TikTok received a complaint from a British user, who flagged that a man had been “exposing himself and playing with himself” on a livestream she hosted on the video app. She also described past abuse she had experienced.

To handle the complaint, TikTok employees shared the incident on an internal messaging and collaboration tool called Lark, according to company documents obtained by The New York Times. The British woman’s personal data, including her photo, country of residence, internet protocol address, device and user IDs, was also posted on the platform, which is similar to Slack and Microsoft Teams.

Her information was just one piece of TikTok user data shared on Lark, which is used every day by hundreds of employees of the app’s Chinese owner, ByteDance, including by those in China. According to the documents obtained by The Times, the driver’s licenses of American users were also accessible on the platform, as was some users’ potentially illegal content, such as child sexual abuse material. In many cases, the information was available in Lark “groups,” essentially chat rooms of employees, with hundreds of members.

The profusion of user data on Lark alarmed some TikTok employees, particularly since ByteDance workers in China and elsewhere could easily see the material, according to internal reports and four current and former employees. Since at least July 2021, several security employees have warned ByteDance and TikTok executives about risks tied to the platform, according to the documents and the current and former workers.

“Should Beijing-based employees be owners of groups that contain secret” data of users, one TikTok employee asked in an internal report last July.

The user material on Lark raises questions about TikTok’s data and privacy practices and shows how intertwined it is with ByteDance, just as the video app faces mounting scrutiny over its potential security risks and ties to China. Last week, Montana’s governor signed a bill banning TikTok in the state as of Jan. 1. The app has also been banned at universities and government agencies and by the military.

TikTok has been under pressure for years to cordon off its US operations because of concerns that it might provide data on American users to the Chinese government. To continue operating in the United States, TikTok last year submitted a plan to the Biden administration, called Project Texas, laying out how it would store American user information inside the country and wall off the data from ByteDance and TikTok employees outside the United States.

TikTok has downplayed the access that its China-based workers have to US user data. In a congressional hearing in March, TikTok’s chief executive, Shou Chew, said that such data was primarily used by engineers in China for “business purposes” and that the company had “rigorous data access protocols” for protecting users. He said that much of the user information that engineers accessed was already public.

The internal reports and communications from Lark appear to contradict Mr. Chew’s statements. Lark data from TikTok was also stored on servers in China as of late last year, the four current and former employees said.

The documents viewed by The Times included dozens of screenshots of reports, chat messages and employee comments on Lark, as well as video and audio of internal communications, spanning 2019 to 2022.

Alex Haurek, a TikTok spokesperson, called the documents viewed by The Times “dated.” He said they did not accurately depict “how we handle protected US user data, nor the progress we have made under Project Texas.”

He added that TikTok was in the process of deleting US user data that it collected before June 2022, when it changed the way it handled information about American users and began sending that data to US-based servers owned by a third party rather than those owned by TikTok or ByteDance.

The company did not respond to questions about whether Lark data was stored in China. It declined to answer questions about the involvement of China-based employees in creating and sharing TikTok user data in Lark groups, but said many of the chat rooms were “shut down last year after reviewing internal concerns.”

Alex Stamos, the director of Stanford University’s Internet Observatory and Facebook’s former chief information security officer, said that securing user data across an organization is “the hardest technical mission” for a social media company’s security team. TikTok’s problems, he added, are compounded by ByteDance’s ownership.

“Lark shows you that all the back-end processes are overseen by ByteDance,” he said. “TikTok is a thin veneer on ByteDance.”

ByteDance launched Lark in 2017. The tool, which has a Chinese-only equivalent known as Feishu, is used by all ByteDance subsidiaries, including TikTok and its 7,000 US employees. Lark includes a chat platform, video conferencing, task management and document collaboration features. When Mr. Chew was asked about Lark in the March hearing, he said it was like “any other instant messaging tool” for companies and compared it to Slack.

Lark has been used for handling individual TikTok account issues and sharing documents that contain personally identifiable information since at least 2019, according to the documents obtained by The Times.

In June 2019, a TikTok employee shared an image on Lark of the driver’s license of a Massachusetts woman. The woman had sent TikTok the picture to verify her identity. The image, which included her address, date of birth, photo and driver’s license number, was posted to an internal Lark group with more than 1,100 people who handled the banning and unbanning of accounts.

The driver’s license, as well as passports and identification cards of people from countries including Australia and Saudi Arabia, were accessible on Lark as of last year, according to the documents viewed by The Times.

Lark also exposed users’ child sexual abuse material. In one October 2019 conversation, TikTok employees discussed banning some accounts that had shared content of girls over three years old who were topless. Workers also posted the images on Lark.

Mr. Haurek, the TikTok spokesperson, said employees were instructed to never share such content and to report it to a specialized internal child safety team.

TikTok employees have raised questions about such incidents. In an internal report last July, one worker asked if there were rules for handling user data in Lark. Will Farrell, the interim security officer of TikTok’s US Data Security, which will oversee US user data as part of Project Texas, said, “No policy right now.”

A senior security engineer at TikTok also said last fall that there could be hundreds of Lark groups mishandling user data. In a recording, which The Times obtained, the engineer said TikTok needed to move the data “out of China and run Lark out of Singapore.” TikTok is headquartered in Singapore and Los Angeles.

Mr. Haurek called the engineer’s comments “inaccurate” and said TikTok reviewed instances where Lark groups were potentially mishandling user data and took steps to address them. He said the company had a new process for handling sensitive content and had put new limits on the size of Lark groups.

TikTok’s privacy and security division has undergone reorganizations and departures in the past year, which some employees said had slowed down or sidelined privacy and security projects at a critical juncture.

Roland Cloutier, a cybersecurity expert and US Air Force veteran, stepped down last year as the head of TikTok’s global security group, and a portion of his unit was placed on a privacy-focused team led by Yujun Chen, known to colleagues as Woody, a China-based executive who has worked at ByteDance for years, three current and former employees said. Mr. Chen previously focused on software quality assurance.

Mr. Haurek said Mr. Chen had “deep technical, data and product engineering expertise” and that his team reports to a California-based executive. He said TikTok had several teams working on privacy and security, including more than 1,500 workers on its US Data Security team, and that it had spent more than $1.5 billion to implement Project Texas.

ByteDance and TikTok have not said when Project Texas will be completed. When it is, TikTok said, communications involving US user data will take place on a separate “internal collaboration tool.”

Aaron Krolik contributed reporting. Alain Delaquerière contributed research.
