Licenses, addresses and photos: how TikTok shares its users’ data

In August 2021, TikTok received a complaint from a British user who reported a man who had been “exposing himself and groping himself” in a live stream she hosted on the video app. She also described other abuses that she had experienced.

To address the complaint, TikTok employees shared the incident on an internal messaging and collaboration tool called Lark, according to company documents obtained by The New York Times. The British woman’s personal details — including her photograph, country of residence, IP address, device and username — were also posted on the platform, which is similar to Slack and Microsoft Teams.

Her information was just one of many pieces of TikTok user data shared on Lark, which is used every day by thousands of employees of ByteDance, the Chinese company that owns the app, including those who work in China. According to documents obtained by the Times, US users’ driver’s licenses were also available on the platform, as was some users’ possibly illegal content, such as child sexual abuse materials. In many cases, the information was available in Lark “groups”—essentially employee chat rooms—with thousands of members.

The large amount of user data on Lark alarmed some TikTok employees, especially since ByteDance workers in China and around the world could easily view the material, according to internal reports, as well as statements from four current and former employees. Since at least July 2021, several security employees have warned ByteDance and TikTok executives about risks related to the platform, according to the documents and the workers.

“Should employees in Beijing be in control of pools containing secret [user data]?” asked a TikTok employee in a July 2022 internal report.

User materials shared on Lark raise questions about TikTok’s data and privacy practices, and show how entwined it is with ByteDance, just as the video app faces increasing scrutiny over its potential security risks and its ties to China. Last week, the governor of Montana signed into law a bill that will ban TikTok in the state as of January 1. The app has also been banned from universities and government agencies, as well as the military.

For years, TikTok has been under pressure to protect its US operations due to concerns that it could provide US user data to Chinese authorities. In order to continue operating in the United States, last year it presented a plan to the Joe Biden administration, called Project Texas, which explains how it would store the information of American users within the country and leave ByteDance and TikTok employees outside of the United States without access to the data.

TikTok has played down the access its workers in China have to the data of users in the United States. In March, at a congressional hearing, TikTok CEO Shou Chew said that such data was almost always used by engineers in China for “business purposes” and that the company had “rigorous data access protocols” to protect users. He mentioned that much of the user information that was available to engineers was already public.

Internal reports and Lark communications appear to contradict Chew’s statements. TikTok data on Lark was also stored on Chinese servers until late last year, according to the four current and former employees.

The documents reviewed by the Times include dozens of screenshots of reports, chat messages and comments from employees on Lark, as well as video and audio of internal communications, dating from 2019 to 2022.

Alex Haurek, a spokesperson for TikTok, called the documents reviewed by the Times “out of date” and disputed that they contradicted Chew’s statements. He noted that they do not accurately represent “how we handle US user protected data or the progress we have made with the Texas Project.”

He added that TikTok was in the process of deleting US user data it collected before June 2022, when it changed the way it handled information about US users and began sending that data to third-party servers located in the United States instead of using those owned by TikTok or ByteDance.

The company did not answer questions about whether Lark’s data was stored in China. It declined to respond to questions about the involvement of China-based employees in creating and sharing TikTok user data in Lark groups, but noted that many of the chat rooms were “closed last year after discussing internal concerns.”

Alex Stamos, director of Stanford University’s Internet Observatory and a former chief information security officer at Facebook, called protecting user data in an organization “the toughest technical project” for a social media company’s security team. He explained that TikTok’s problems are compounded because it is part of ByteDance.

“Lark shows you that all the processes in the admin area are monitored by ByteDance,” Stamos said. “TikTok is a thin layer that covers ByteDance.”

ByteDance introduced Lark in 2017. The tool, which has a Chinese-only equivalent known as Feishu, is used by all of ByteDance’s affiliates, including TikTok and its 7,000 US employees. Lark has chat, video conferencing, task management and document collaboration features. When Chew was asked about Lark at the March hearing, he said it was like “every other instant messaging tool” for businesses and compared it to Slack.

Lark has been used to handle individual TikTok account issues and share documents containing personally identifiable information since at least 2019, according to documents obtained by the Times.

In June 2019, a TikTok employee shared an image on Lark of a Massachusetts woman’s driver’s license. The woman had sent the image to TikTok to verify her identity. The image — which included her address, date of birth, photo and driver’s license number — was posted to an internal Lark group of more than 1,100 people managing account delisting and reinstatement.

Last year, the license, as well as passports and identity cards of people from countries including Australia and Saudi Arabia, were accessible on Lark, according to documents seen by the Times.

Lark also exposed child sexual abuse materials from users. In an October 2019 conversation, TikTok employees discussed banning some accounts that had shared images of topless girls over the age of 3. The workers also posted the images on Lark.

Haurek, a spokesperson for TikTok, said employees were instructed never to share such content and to report it to an internal child safety team.

TikTok employees have raised concerns about these types of incidents. In an internal report last July, a worker asked if there were rules for handling user data on Lark. Will Farrell, acting US data security officer for TikTok, which will oversee US user data as part of Project Texas, said: “There is no policy at this time.”

A senior TikTok security engineer also said last fall that there could be thousands of Lark groups mishandling user data. In a recording, obtained by the Times, the engineer said TikTok should move the data “out of China and manage Lark from Singapore.” TikTok is based in Singapore and Los Angeles.

Haurek called the engineer’s comments “inaccurate” and said TikTok looked into cases where Lark groups were mishandling user data and took steps to fix them. He said the company has a new process for handling sensitive content and has set new limits on group sizes on Lark.

TikTok’s privacy and security division has undergone reorganizations and departures in the past year, which some employees said had slowed or sidelined privacy and security projects at a critical time.

Roland Cloutier, a cybersecurity expert and US Air Force veteran, resigned last year as head of TikTok’s global security organization. A part of his unit was placed on a privacy-focused team led by Yujun Chen, known to his colleagues as Woody, a China-based executive who has worked at ByteDance for years, three current and former employees said. Previously, Chen was involved in software quality control.

Haurek said Chen had “deep technical, data and product engineering knowledge” and that his team reported to an executive in California. He also claimed that TikTok has multiple teams working on privacy and security, including more than 1,500 workers in its US Data Security team, and that it had invested more than $1.5 billion to implement Project Texas.

ByteDance and TikTok have not said when Project Texas will be ready. When it is, TikTok said, communications involving US user data will take place in another “internal collaboration tool.”

Aaron Krolik contributed to this report. Alain Delaquerière collaborated in the investigation.

Sapna Maheshwari is a business reporter covering TikTok and emerging media companies. Previously, she reported on retail and advertising.

Ryan Mac is a technology reporter who focuses on corporate responsibility in the global technology sector. He won a 2020 George Polk Award for his Facebook coverage and lives in Los Angeles.

Source: NYT Espanol
