In August 2021, TikTok received a complaint from a British woman, who flagged that a man had been “exposing himself and playing with himself” on a livestream she hosted on the video app. She also described past abuse she had experienced.
To address the complaint, TikTok employees shared the incident on an internal messaging and collaboration tool called Lark, according to company documents obtained by The New York Times. The British woman’s personal data — including her photo, country of residence, internet protocol address, device and user IDs — were also posted on the platform, which is similar to Slack and Microsoft Teams.
Her information was just one piece of TikTok user data shared on Lark, which is used every day by thousands of employees of the app’s Chinese owner, ByteDance, including by those in China. According to the documents obtained by The Times, the driver’s licenses of American users were also accessible on the platform, as were some users’ potentially illegal content, such as child sexual abuse materials. In many cases, the information was accessible in Lark “groups” — essentially chat rooms of employees — with thousands of members.
The profusion of user data on Lark alarmed some TikTok employees, especially since ByteDance workers in China and elsewhere could easily see the material, according to internal reports and four current and former employees. Since at least July 2021, several security employees have warned ByteDance and TikTok executives about risks tied to the platform, according to the documents and the current and former workers.
“Should Beijing-based employees be owners of groups that contain secret” data of users, one TikTok employee asked in an internal report last July.
The user materials on Lark raise questions about TikTok’s data and privacy practices and show how intertwined it is with ByteDance, just as the video app faces mounting scrutiny over its potential security risks and ties to China. Last week, Montana’s governor signed a bill banning TikTok in the state as of Jan. 1. The app has also been banned at universities and government agencies and by the military.
TikTok has been under pressure for years to cordon off its US operations because of concerns that it might provide data on American users to the Chinese government. To continue operating in the United States, TikTok last year submitted a plan to the Biden administration, called Project Texas, laying out how it would store American user information inside the country and wall off the data from ByteDance and TikTok employees outside the United States.
TikTok has downplayed the access that its China-based workers have to US user data. In a congressional hearing in March, TikTok’s chief executive, Shou Chew, said that such data was mainly used by engineers in China for “business purposes” and that the company had “rigorous data access protocols” for protecting users. He said that much of the user information that engineers accessed was already public.
The internal reports and communications from Lark appear to contradict Mr. Chew’s statements. Lark data from TikTok was also stored on servers in China as of late last year, the four current and former employees said.
The documents seen by The Times included dozens of screenshots of reports, chat messages and employee comments on Lark, as well as video and audio of internal communications, spanning 2019 to 2022.
Alex Haurek, a TikTok spokesman, called the documents seen by The Times “dated.” He said they did not accurately depict “how we handle protected US user data, nor the progress we have made under Project Texas.”
He added that TikTok was in the process of deleting US user data that it collected before June 2022, when it changed the way it handled information about American users and began sending that data to US-based servers owned by a third party rather than those owned by TikTok or ByteDance.
The company did not respond to questions about whether Lark data was stored in China. It declined to answer questions about the involvement of China-based employees in creating and sharing TikTok user data in Lark groups, but said many of the chat rooms were “shut down last year after reviewing internal concerns.”
Alex Stamos, the director of Stanford University’s Internet Observatory and a former chief information security officer of Facebook, said that securing user data across an organization is “the hardest technical project” for a social media company’s security team. TikTok’s problems, he added, are compounded by ByteDance’s ownership.
“Lark shows you that all the back-end processes are overseen by ByteDance,” he said. “TikTok is a thin veneer on ByteDance.”
ByteDance launched Lark in 2017. The tool, which has a Chinese-only equivalent known as Feishu, is used by all ByteDance subsidiaries, including TikTok and its 7,000 US employees. Lark includes a chat platform, video conferencing, task management and document collaboration features. When Mr. Chew was asked about Lark in the March hearing, he said it was like “any other instant messaging tool” for companies and compared it to Slack.
Lark has been used for handling individual TikTok account issues and sharing documents that contain personally identifiable information since at least 2019, according to the documents obtained by The Times.
In June 2019, a TikTok employee shared an image on Lark of the driver’s license of a Massachusetts woman. The woman had sent TikTok the picture to verify her identity. The image — which included her address, date of birth, photo and driver’s license number — was posted to an internal Lark group with more than 1,100 people who handled the banning and unbanning of accounts.
The driver’s license, as well as passports and identification cards of people from countries including Australia and Saudi Arabia, were accessible on Lark as of last year, according to the documents seen by The Times.
Lark also exposed users’ child sexual abuse materials. In one October 2019 conversation, TikTok employees discussed banning some accounts that had shared content of girls over three years old who were topless. Workers also posted the images on Lark.
Mr. Haurek, the TikTok spokesperson, said employees were instructed to never share such content and to report it to a specialized internal child safety team.
TikTok employees have raised questions about such incidents. In an internal report last July, one employee asked if there were rules for handling user data in Lark. Will Farrell, the interim security officer of TikTok’s US Data Security, which will oversee US user data as part of Project Texas, said, “No policy at the time.”
A senior security engineer at TikTok also said last fall that there could be thousands of Lark groups mishandling user data. In a recording, which The Times obtained, the engineer said TikTok needed to move the data “out of China and run Lark out of Singapore.” TikTok is headquartered in Singapore and Los Angeles.
Mr. Haurek called the engineer’s comments “inaccurate” and said TikTok reviewed instances where Lark groups were potentially mishandling user data and took steps to address them. He said the company had a new process for handling sensitive content and had put new limits on the size of Lark groups.
TikTok’s privacy and security division has undergone reorganizations and departures in the past year, which some employees said had slowed down or sidelined privacy and security initiatives at a critical juncture.
Roland Cloutier, a cybersecurity expert and US Air Force veteran, stepped down last year as the head of TikTok’s global security organization, and a portion of his unit was placed on a privacy-focused team led by Yujun Chen, known to colleagues as Woody, a China-based executive who has worked at ByteDance for years, three current and former employees said. Mr. Chen previously focused on software quality assurance.
Mr. Haurek said Mr. Chen had “deep technical, data and product engineering expertise” and that his team reports to a California-based executive. He said TikTok had several teams working on privacy and security, including more than 1,500 employees on its US Data Security team, and that it had spent more than $1.5 billion to implement Project Texas.
ByteDance and TikTok have not said when Project Texas will be completed. When it is, TikTok said, communications involving US user data will take place on a separate “internal collaboration tool.”
Aaron Krolik contributed reporting. Alain Delaquerière contributed research.