Following its interrogation in congress, how does TikTok actually share user data? In one case of August 2021, a British female user reported that a male follower was “exposing himself and playing with himself” on a livestream she hosted on the video app. She also described past abuse she had experienced.

To address the complaint, TikTok employees shared the incident on an internal messaging and collaboration tool called Lark, according to company documents obtained by The New York Times. The British woman’s personal data — including her photo, country of residence, internet protocol address, device and user IDs — were also posted on the platform, which is similar to Slack and Microsoft Teams.

Her information was just one piece of TikTok user data shared on Lark, which is used every day by thousands of employees of the app’s Chinese owner, ByteDance, including those in China. According to the documents obtained by The Times, the driver’s licenses of American users were also accessible on the platform, as were some users’ potentially illegal content, such as child sexual abuse materials. In many cases, the information was available in Lark “groups” — essentially chat rooms of employees — with thousands of members.

Seeing that the user content on Lark could be viewed by any ByteDance employee it seriously raised questions about user safety. Since at least July 2021, several security employees have warned ByteDance and TikTok executives about risks tied to the platform, according to the documents and the current and former workers. The user materials on Lark raise questions about TikTok’s data and privacy practices and show how intertwined it is with ByteDance, just as the video app faces mounting scrutiny over its potential security risks and ties to China. Last week, Montana’s governor signed a bill banning TikTok in the state as of Jan. 1. The app has also been prohibited at universities and government agencies and by the military.

To continue operating in the United States, TikTok last year submitted a plan to the Biden administration, called Project Texas, laying out how it would store American user information inside the country and wall off the data from ByteDance and TikTok employees outside the United States.

That brings us to the infamous congressional hearing held in March of this year where TikTok’s chief executive, Shou Chew, said that such data was mainly used by engineers in China for “business purposes” and that the company had “rigorous data access protocols” for protecting users. He said much of the user information available to engineers was already public.

The company didn’t respond to questions about whether Lark data was stored in China. It declined to answer questions about the involvement of China-based employees in creating and sharing TikTok user data in Lark groups, but said many of the chat rooms were “shut down last year after reviewing internal concerns.

ByteDance introduced Lark in 2017. The tool, which has a Chinese-only equivalent known as Feishu, is used by all ByteDance subsidiaries, including TikTok and its 7,000 U.S. employees. Lark features a chatting platform, videoconferencing, task management and document collaboration features. When Mr. Chew was asked about Lark in the March hearing, he said it was like “any other instant messaging tool” for corporations and compared it to Slack.

Lark has been used for handling individual TikTok account issues and sharing documents that contain personally identifiable information since at least 2019, according to the documents obtained by The Times.

Categorized in: