Name and surname, nationality, IP address, devices used, identity documents. All data that, according to an investigation by the New York Times, TikTok would have shared on Lark, an internal messaging service of the company. Where they would be accessible to many employees of ByteDance, the Chinese company that owns both software.
TikTok shares user data on Lark, privacy risk
The New York Times report would reveal how TikTok would have shared user data on the Lark service, owned by a homonymous company controlled by ByteDance, the same owner of the short video app. It’s a platform not unlike Slack or Teams, which offers a platform for business chats and video conferencing.
According to the investigation, based on internal documents and interviews with former employees, TikTok would send Lark sensitive information of those who file complaints or ban requests on TikTok. The first example reported by the Times is of a British woman who reported a man masturbating during a livestream. The information of the woman who filed the complaint ended up on Lark, such as the telephone number, email address, geographic location and user preferences.
The Times reports that the data would have been in clusters “easily accessible” by ByteDance users, the parent company of both software. Despite TikTok having assured the American authorities that it would not share personal data with the parent company in China.
However, a company spokesman explained to the Times that the screenshots of the conversations would be “dated” and that they do not represent “how we handle the data of American usersnor the progress we’ve made with Project Texas,” which promises to handle data only in the United States.
The Times also reports on other occasions where former TikTok employees shared personal data, including user documents, in chats. “that have up to 1,100 participants”. Something that testifies to problematic data processing, according to privacy experts heard by the Times.
TikTok is considering several options to reassure privacy regulators in the US and EU, including the Project Texas e il Project Cloverfield, which promises to process user data only in America and Europe. But it’s unclear whether these measures will satisfy lawmakers.