Driver's Licenses, Addresses, Photos: Inside How TikTok Shares User Data (nytimes.com)
Employees of the Chinese-owned video app TikTok have regularly posted user information on a messaging and collaboration tool called Lark, according to internal documents. The New York Times: In August 2021, TikTok received a complaint from a British user, who flagged that a man had been "exposing himself and playing with himself" on a livestream she hosted on the video app. She also described past abuse she had experienced. To address the complaint, TikTok employees shared the incident on an internal messaging and collaboration tool called Lark, according to company documents obtained by The New York Times. The British woman's personal data -- including her photo, country of residence, internet protocol address, device and user IDs -- were also posted on the platform, which is similar to Slack and Microsoft Teams. Her information was just one piece of TikTok user data shared on Lark, which is used every day by thousands of employees of the app's Chinese owner, ByteDance, including by those in China.
According to the documents obtained by The Times, the driver's licenses of American users were also accessible on the platform, as were some users' potentially illegal content, such as child sexual abuse materials. In many cases, the information was available in Lark "groups" -- essentially chat rooms of employees -- with thousands of members. The profusion of user data on Lark alarmed some TikTok employees, especially since ByteDance workers in China and elsewhere could easily see the material, according to internal reports and four current and former employees. Since at least July 2021, several security employees have warned ByteDance and TikTok executives about risks tied to the platform, according to the documents and the current and former workers. "Should Beijing-based employees be owners of groups that contain secret" data of users, one TikTok employee asked in an internal report last July. The user materials on Lark raise questions about TikTok's data and privacy practices and show how intertwined it is with ByteDance, just as the video app faces mounting scrutiny over its potential security risks and ties to China.
Color me shocked (Score:3)
Re:Color me shocked (Score:4, Insightful)
To pretend it's just an issue at TikTok, and not a global issue amongst all social media, is just plain wrong.
As someone not living in China, where Chinese authorities have no impact on my life at all, I am more worried about the corruption in authorities in my own country, plus our immediate neighbours.
We need LAWS to prevent personal data being stored AT ALL.
Encryption doesn't cut it.
Transactional data should have a lifetime of that transaction, not be stored in a data vault that will later be 'accidentally' accessed by authorities or other parties.
Of course, the history ignorant can't see what this 'fuck China' narrative is about. God save us from ignorants.
Sure, it WOULD force a shakeup in big data, but honestly - it SHOULD be shaken up.
Re: (Score:1)
To pretend it's just an issue at TikTok, and not a global issue amongst all social media, is just plain wrong.
Ayup.
We need LAWS to prevent personal data being stored AT ALL.
Some sort of, well, several sorts of, means to not need to store all that, too. That's technical, administrative, bureaucratic, and so on. The mindset behind how our software gets built and our governments run and so on needs to change.
(And yeah, I'm working on something, as are several others. But there's 200-or-so governments that need to learn, then teach their bureaucracies and corporates and so on. That's going to take some doing.)
Re: (Score:2)
Not just TikTok (Score:4, Insightful)
Imagine basically every single corporation that handles data like this. They are all doing this stuff. And there is no federal law or regulation that says they can't.
The only regulations that apply are for PHI (Personal Health Information) due to HIPAA, and credit card information due to SOX. If it's not financial and it's not health-related, companies can do pretty much whatever they want with your information.
The exception is for government vendors, who must comply with regulations that apply to the government itself. For example: https://www.gsa.gov/reference/... [gsa.gov] This page lists 3 vendors (Uber4Business, Non-Federal Lyft, and LexisNexis) that must describe how they keep PII of government workers safe. It's actually kinda interesting, as you can quickly discover how most of your data is just protected by SSH tunnels or the like, and thus one attack (or misconfigured client config) might expose all those users' data.
States have begun passing laws to try to force businesses to not be asshats with your personal data: https://iapp.org/media/pdf/res... [iapp.org] But it's still only a handful of states, and because they all have different laws, it's harder to implement them all, versus one federal law.
Good thing DMV sells driver license data. (Score:1)
It's a well known fact that they have been doing this for years.
E.g. https://www.newsweek.com/dmv-d... [newsweek.com]
the nature of corporate "social media" (Score:4, Insightful)
Driver's license? (Score:3)
Re:Driver's license? (Score:4, Insightful)
It's all freely sold. It's a well known fact.
https://www.newsweek.com/dmv-d... [newsweek.com]
Say what? (Score:2)
The British woman's personal data -- including her photo... were also posted on the platform...
AND
the driver's licenses of American users were also accessible on the platform
Why in the name of all that's sane and sensible are people giving this kind of personal data to ANYONE other than family, possibly friends, and government agencies if required? How thoughtlessly stupid does one have to be to give this info to social media corporations, of all entities?
Yes, it's a rhetorical question. Still, I'm gobsmacked by this kind of behaviour, in a shocked-but-not-surprised way. It continues to boggle my mind that people do this shit. "Here, take all my privacy - would you like me t