Continue reading the main story
Continue reading the main story
According to internal documents, employees of the Chinese video app regularly posted user information to a messaging and collaboration tool called Lark.
Send a story to a friend
As a subscriber, you have10 gift itemsto give every month. Everyone can read what you share.
TypeSapna MaheshwariInRyan Mac
Sapna Maheshwari and Ryan Mac reviewed dozens of internal TikTok documents.
Read Simplified ChineseRead the traditional Chinese version
Im August 2021,Tick Thank youreceived a complaint from a UK user who said a man "uncovered and played with himself" in a live stream she was hosting on the video app. She also described the abuse she had experienced in the past.
To investigate the complaint, TikTok employees shared the incident through an internal messaging and collaboration tool called Lark, company documents obtained by The New York Times show. The Brit's personal information, including her photo, country of residence, internet protocol address, device and user IDs, has also been made public on the platform, similar to Slack and Microsoft Teams.
Her information was just part of the TikTok user data shared on Lark, used daily by thousands of employees of the app's Chinese owner.ByteDance, also in China. According to documents obtained by The Times, the platform also had access to US users' driver's licenses, as well as potentially illegal content from some users, such as child sexual abuse material. In many cases, the information was available in Lark "groups" — essentially employee chat rooms — with thousands of members.
The flood of user data on Lark worried some TikTok employees, especially since ByteDance employees in China and elsewhere were able to easily view the material, according to internal reports and four current and former employees. According to the documents, as well as current and former employees, since at least July 2021, several security officials have been warning ByteDance and TikTok executives about the risks associated with the platform.
"Should Beijing-based employees own groups containing secret" user data, a TikTok employee asked in an internal report last July.
User material on Lark raises questions about TikTok's data and privacy practices and how closely intertwined it is with ByteDance as the video app comes under increasing scrutiny for its potential security risks and ties to China. Last week, the governor of Montana signed a bill into lawBan of TikTok in the statefrom 1 Jan. The app is also banneduniversitiesand government agencies, as well as by the military.
TikTok has been under pressure for years to suspend its US operations amid fears it could leak data about US users to Chinese authorities. To continue operating in the US, TikTok filed an application last yeara planto the Biden government, dubbed Project Texas, and explained how it would store US user information in the country and protect the data of ByteDance and TikTok employees outside the US.
TikTok has restricted its China-based employees from accessing US user data. in onehearing in CongressMarch,TikTok-Topman Shou Chew, said such data is mainly used by engineers in China for "business purposes" and that the company has "strict data access protocols" to protect users. He said much of the user information available to engineers is already public.
Lark's internal reports and communications appear to contradict Mr. disagree Chew. Lark data from TikTok was also stored on servers in China late last year, the four current and former employees said.
Documents accessed by The Times include dozens of screenshots of reports, chat messages and staff comments about Lark, as well as video and audio recordings of internal communications from 2019 to 2022.
Alex Haurek, a TikTok spokesman, called the documents The Times had seen "out of date" and denied they contradicted Mr Chew's statements. He said they don't accurately reflect "how we are handling protected US user data, nor the progress we've made as part of Project Texas."
He added that TikTok is in the process of deleting US user data it collected prior to June 2022, when it changed the way it handles information about US users and began sending that data to servers in the US USA owned by a third party and not to servers owned by a third party by a third party. from TikTok or ByteDance.
The company did not respond to questions about whether Lark data was stored in China. It declined to answer questions about China-based employees' involvement in the creation and sharing of TikTok user data in Lark Groups, but said many of the chat rooms "were closed last year after internal concerns were examined."
Alex Stamos, the director of Stanford University's Internet Observatory and former Facebook chief information security officer, said securing user data in an organization is "the most difficult technical project" for a social media company's security team. He added that TikTok's problems would be compounded by ownership of ByteDance.
"Lark shows you that all back-end processes are controlled by ByteDance," he said. "TikTok is a thin layer on top of ByteDance."
ByteDance introduced Lark in 2017. The tool, which has a Chinese equivalent called Feishu, is used by all of ByteDance's subsidiaries, including TikTok and its 7,000 US employees. Lark offers a chat platform, video conferencing, task management, and document collaboration features. When asked about Lark at the March hearing, Mr Chew said it was like "any other instant messaging tool" for businesses, comparing it to Slack.
According to documents obtained by The Times, Lark has been used since at least 2019 to troubleshoot individual TikTok accounts and share documents containing personal information.
In June 2019, a TikTok contributor shared a picture of a Massachusetts woman's driver's license on Lark. The woman had sent the photo to TikTok to verify her identity. The picture -- with her address, date of birth, photo, and driver's license number -- was posted to an internal Lark group of more than 1,100 people, who worked to get the account suspended and revoked.
The driving licenses, passports and ID cards of people from Australia and Saudi Arabia, among others, have been accessible on Lark since last year, according to documents viewed by The Times.
Lark has also revealed child sexual abuse material from users. In an October 2019 conversation, TikTok employees discussed banning some shared content accounts of girls over 3 who were topless. Employees also posted the footage to Lark.
Mr Haurek, TikTok's spokesman, said employees have been instructed never to share such content and to report it to a specialist in-house child safety team.
TikTok employees have asked questions about such incidents. In an internal report last July, an employee asked if there were any rules for handling user data in Lark. Will Farrell, the interim security officer for US TikTok firm Data Security, which will monitor US user data as part of Project Texas, said, "There are no guidelines at this time."
A senior security engineer at TikTok also said last fall that there could be thousands of Lark groups improperly handling user data. In a recording obtained by The Times, the engineer said TikTok should "move the data out of China and expel Lark out of Singapore." TikTok has headquarters in Singapore and Los Angeles.
Mr Haurek called the engineer's comments "inaccurate" and said TikTok is reviewing cases where Lark groups may have mishandled user data and taking action to address it. He said the company introduced a new process for handling sensitive content and set new limits on the size of Lark groups.
TikTok's privacy and security department has seen reshuffles and departures over the past year, leading to the delay or cancellation of privacy and security projects at a critical time, according to some employees.
Roland Cloutier, a cybersecurity expert and US Air Force veteran, resigned as head of TikTok's global security organization last year and part of his unit was moved to a privacy-focused team led by Yujun Chen, known to colleagues as Woody. A China-based executive who has worked at ByteDance for years said three current and former employees. Previously, Mr. Chen focused on software quality assurance.
Mr. Haurek said Mr. Chen has "deep technical, data and product development expertise" and his team reports to a California manager. He said that TikTok has multiple teams working on privacy and security, including more than 1,500 employees in the US data security team, and that the company spent more than $1.5 billion to complete Project Texas.
ByteDance and TikTok have not said when Project Texas will be completed. If so, TikTok says communication with US user data will be done through a separate "internal collaboration tool."
Aaron Krolik contributed coverage. Alain Delaquériere has made a research contribution.
Sapna Maheshwari is a business reporter for TikTok and emerging media companies. She previously covered retail and advertising. Contact them firstname.lastname@example.org. @dream • Facebook
Ryan Mac is a technology reporter specializing in corporate responsibility in the global technology industry. He won a 2020 George Polk Award for his Facebook reporting and lives in Los Angeles. @RMac18
A printed version of this article appears at, Section
, book page
the New York edition
with the headline:
The way TikTok is sharing user data is alarming even for its employees.order reprints|Today's Newspaper|Subscribe to
Continue reading the main story