In August 2021, TikTok received a complaint from a British user, who flagged that a man had been “exposing himself and playing with himself” on a livestream she hosted on the video app. She also described past abuse she had experienced.
To address the complaint, TikTok employees shared the incident on an internal messaging and collaboration tool called Lark, according to company documents obtained by The New York Times. The British woman’s personal data — including her photo, country of residence, internet protocol address, device and user IDs — were also posted on the platform, which is similar to Slack and Microsoft Teams.
Her information was just one piece of TikTok user data shared on Lark, which is used every day by thousands of employees of the app’s Chinese owner, ByteDance, including by those in China. According to the documents obtained by The Times, the driver’s licenses of American users were also accessible on the platform, as were some users’ potentially illegal content, such as child sexual abuse materials. In many cases, the information was available in Lark “groups” — essentially chat rooms of employees — with thousands of members.
The profusion of user data on Lark alarmed some TikTok employees, especially since ByteDance workers in China and elsewhere could easily see the material, according to internal reports and four current and former employees. Since at least July 2021, several security employees have warned ByteDance and TikTok executives about risks tied to the platform, according to the documents and the current and former workers.
“Should Beijing-based employees be owners of groups that contain secret” data of users, one TikTok employee asked in an internal report last July.
The user materials on Lark raise questions about TikTok’s data and privacy practices and show how intertwined it is with ByteDance, just as the video app faces mounting scrutiny over its potential security risks and ties to China. Last week, Montana’s governor signed a bill banning TikTok in the state as of Jan. 1. The app has also been prohibited at universities and government agencies and by the military.
TikTok has been under pressure for years to cordon off its U.S. operations because of concerns that it might provide data on American users to the Chinese authorities. To continue operating in the United States, TikTok last year submitted a plan to the Biden administration, called Project Texas, laying out how it would store American user information inside the country and wall off the data from ByteDance and TikTok employees outside the United States.
TikTok has played down the access that its China-based workers have to U.S. user data. In a congressional hearing in March, TikTok’s chief executive, Shou Chew, said that such data was mainly used by engineers in China for “business purposes” and that the company had “rigorous data access protocols” for protecting users. He said much of the user information available to engineers was already public.
The internal reports and communications from Lark appear to contradict Mr. Chew’s statements. Lark data from TikTok was also stored on servers in China as of late last year, the four current and former employees said.
The documents seen by The Times included dozens of screenshots of reports, chat messages and employee comments on Lark, as well as video and audio of internal communications, spanning 2019 to 2022.
Alex Haurek, a TikTok spokesman, called the documents seen by The Times “dated” and disputed that they contradicted Mr. Chew’s statements. He said they did not accurately depict “how we handle protected U.S. user data, nor the progress we’ve made under Project Texas.”
He added that TikTok was in the process of deleting U.S. user data that it collected before June 2022, when it changed the way it handled information about American users and began sending that data to U.S.-based servers owned by a third party rather than those owned by TikTok or ByteDance.
The company didn’t respond to questions about whether Lark data was stored in China. It declined to answer questions about the involvement of China-based employees in creating and sharing TikTok user data in Lark groups, but said many of the chat rooms were “shut down last year after reviewing internal concerns.”
Alex Stamos, the director of Stanford University’s Internet Observatory and Facebook’s former chief information security officer, said securing user data across an organization was “the hardest technical project” for a social media company’s security team. TikTok’s problems, he added, are compounded by ByteDance’s ownership.
“Lark shows you that all the back-end processes are overseen by ByteDance,” he said. “TikTok is a thin veneer on ByteDance.”
ByteDance introduced Lark in 2017. The tool, which has a Chinese-only equivalent known as Feishu, is used by all ByteDance subsidiaries, including TikTok and its 7,000 U.S. employees. Lark features a chatting platform, videoconferencing, task management and document collaboration features. When Mr. Chew was asked about Lark in the March hearing, he said it was like “any other instant messaging tool” for corporations and compared it to Slack.
Lark has been used for handling individual TikTok account issues and sharing documents that contain personally identifiable information since at least 2019, according to the documents obtained by The Times.
In June 2019, a TikTok employee shared an image on Lark of the driver’s license of a Massachusetts woman. The woman had sent TikTok the picture to verify her identity. The image — which included her address, date of birth, photo and driver’s license number — was posted to an internal Lark group with more than 1,100 people that handled the banning and unbanning of accounts.
The driver’s license, as well as passports and identification cards of people from countries including Australia and Saudi Arabia, were accessible on Lark as of last year, according to the documents seen by The Times.
Lark also exposed users’ child sexual abuse materials. In one October 2019 conversation, TikTok employees discussed banning some accounts that had shared content of girls over 3 years old who were topless. Workers also posted the images on Lark.
Mr. Haurek, the TikTok spokesman, said employees were instructed to never share such content and to report it to a specialized internal child safety team.
TikTok employees have raised questions about such incidents. In an internal report last July, one worker asked if there were rules for handling user data in Lark. Will Farrell, the interim security officer of TikTok’s U.S. Data Security, which will oversee U.S. user data as part of Project Texas, said, “No policy at time.”
A senior security engineer at TikTok also said last fall that there could be thousands of Lark groups mishandling user data. In a recording, which The Times obtained, the engineer said TikTok needed to move the data “out of China and run Lark out of Singapore.” TikTok has headquarters in Singapore and Los Angeles.
Mr. Haurek called the engineer’s comments “inaccurate” and said TikTok reviewed instances where Lark groups were potentially mishandling user data and took steps to address them. He said the company had a new process for handling sensitive content and had put new limits on the size of Lark groups.
TikTok’s privacy and security division has undergone reorganizations and departures in the past year, which some employees said had slowed down or sidelined privacy and security projects at a critical juncture.
Roland Cloutier, a cybersecurity expert and U.S. Air Force veteran, stepped down last year as the head of TikTok’s global security organization, and a portion of his unit was placed on a privacy-focused team led by Yujun Chen, known to colleagues as Woody, a China-based executive who has worked at ByteDance for years, three current and former employees said. Mr. Chen previously focused on software quality assurance.
Mr. Haurek said that Mr. Chen had “deep technical, data and product engineering expertise” and that his team reported to an executive in California. He said that TikTok had multiple teams working on privacy and security, including more than 1,500 workers on its U.S. Data Security team, and that it had spent more than $1.5 billion to carry out Project Texas.
ByteDance and TikTok have not said when Project Texas will be complete. When it is, TikTok said, communications involving U.S. user data will take place on a separate “internal collaboration tool.”
Aaron Krolik contributed reporting. Alain Delaquérière contributed research.