The user materials on Lark raise questions about TikTok’s data and privacy practices and show how intertwined it is with ByteDance, just as the video app faces mounting scrutiny over its potential security risks and ties to China. Last week, Montana’s governor signed a bill banning TikTok in the state as of Jan. 1. The app has also been prohibited at universities and government agencies and by the military.
TikTok has been under pressure for years to cordon off its US operations because of concerns that it might provide data on American users to the Chinese authorities. To continue operating in the United States, TikTok last year submitted a plan to the Biden administration, called Project Texas, laying out how it would store American user information inside the country and wall off the data from ByteDance and TikTok employees outside the United States.
TikTok has downplayed the access that its China-based workers have to US user data. In a congressional hearing in March, TikTok’s CEO, Shou Chew, said that such data was mainly used by engineers in China for “business purposes” and that the company had “rigorous data access protocols” for protecting users. He said much of the user information available to engineers was already public.
The internal reports and communications from Lark appear to contradict Chew’s statements. Lark data from TikTok was also stored on servers in China as of late last year, the four current and former employees said.
The documents seen by the Times included dozens of screenshots of reports, chat messages and employee comments on Lark, as well as video and audio of internal communications, spanning 2019 to 2022.
Alex Haurek, a TikTok spokesperson, called the documents seen by the Times “dated.” He said they did not accurately depict “how we handle protected US user data, nor the progress we’ve made under Project Texas.”
He added that TikTok was in the process of deleting US user data that it collected before June 2022, when it changed the way it handled information about American users and began sending that data to US-based servers owned by a third party rather than those owned by TikTok or ByteDance.
The company didn’t respond to questions about whether Lark data was stored in China. It declined to answer questions about the involvement of China-based employees in creating and sharing TikTok user data in Lark groups, but said many of the chat rooms were “shut down last year after reviewing internal concerns.”
Alex Stamos, director of Stanford University’s Internet Observatory and Facebook’s former chief information security officer, said securing user data across an organisation was “the hardest technical project” for a social media company’s security team. TikTok’s problems, he added, are compounded by ByteDance’s ownership.
“Lark shows you that all the back-end processes are overseen by ByteDance,” he said. “TikTok is a thin veneer on ByteDance.”
ByteDance introduced Lark in 2017. The tool, which has a Chinese-only equivalent known as Feishu, is used by all ByteDance subsidiaries, including TikTok and its 7,000 US employees. Lark includes a chat platform, video conferencing, task management and document collaboration features.
When Chew was asked about Lark in the March hearing, he said it was like “any other instant messaging tool” for corporations and compared it to Slack.
Lark has been used for handling individual TikTok account issues and sharing documents that contain personally identifiable information since at least 2019, according to the documents obtained by the Times.
In June 2019, a TikTok employee shared an image on Lark of the driver’s license of a Massachusetts woman. The woman had sent TikTok the picture to verify her identity. The image — which included her address, date of birth, photo and driver’s license number — was posted to an internal Lark group with more than 1,100 people that handled the banning and unbanning of accounts.
The driver’s licence, as well as passports and identification cards of people from countries including Australia and Saudi Arabia, were accessible on Lark as of last year, according to the documents seen by the Times.
Lark also exposed users’ child sexual abuse materials. In one October 2019 conversation, TikTok employees discussed banning some accounts that had shared content of girls over 3 years old who were topless. Workers also posted the images on Lark.
Haurek, the TikTok spokesperson, said employees were instructed to never share such content and to report it to a specialised internal child safety team.
TikTok employees have raised questions about such incidents. In an internal report last July, one worker asked if there were rules for handling user data in Lark. Will Farrell, the interim security officer of TikTok’s US Data Security, which will oversee US user data as part of Project Texas, said, “No policy at time.”
A senior security engineer at TikTok also said last fall that there could be thousands of Lark groups mishandling user data. In a recording, which the Times obtained, the engineer said TikTok needed to move the data “out of China and run Lark out of Singapore.” TikTok has headquarters in Singapore and Los Angeles.
Haurek called the engineer’s comments “inaccurate” and said TikTok reviewed instances where Lark groups were potentially mishandling user data and took steps to address them. He said the company had a new process for handling sensitive content and had put new limits on the size of Lark groups.
TikTok’s privacy and security division has undergone reorganisations and departures in the past year, which some employees said had slowed down or sidelined privacy and security projects at a critical juncture.
Roland Cloutier, a cybersecurity expert and US Air Force veteran, stepped down last year as the head of TikTok’s global security organisation, and a portion of his unit was placed on a privacy-focused team led by Yujun Chen, known to colleagues as Woody, a China-based executive who has worked at ByteDance for years, three current and former employees said. Chen previously focused on software quality assurance.
Haurek said Chen had “deep technical, data and product engineering expertise” and that his team reported to an executive in California. He said that TikTok had multiple teams working on privacy and security, including more than 1,500 workers on its US Data Security team, and that it had spent more than $1.5 billion to carry out Project Texas.
ByteDance and TikTok have not said when Project Texas will be complete. When it is, TikTok said, communications involving US user data will take place on a separate “internal collaboration tool.”
Written by: Sapna Maheshwari and Ryan Mac
© 2023 THE NEW YORK TIMES