The world’s most popular app, Chinese-owned TikTok, is turning to Texas in its latest effort to gain acceptance from the U.S. government.
The short-form video platform, whose parent company ByteDance is based in Beijing, became the most downloaded app worldwide in the first quarter of 2022, according to Sensor Tower, an analytics firm. But successive administrations have been wary of TikTok amid concerns over its data security and potential to influence the U.S.’s information environment. President Trump attempted to ban the app, while Commerce Department officials are currently responsible for drawing up rules that could affect its operations in the U.S..
TikTok’s attempts to address these issues include a new plan to sequester data from its users in the U.S. in servers run by Texas-based tech giant Oracle, according to Reuters reporting — theoretically putting the information beyond the reach of the Chinese authorities.
Whether or not such a move will be enough to placate regulators is a major test for the future of Chinese social media firms continuing to operate in the U.S., experts say. If TikTok can prove its data is secure, it could serve as a model for other cross-border platforms in an age when such data is an increasingly sensitive commodity.
“It is a major experiment for platforms across the world,” says Graham Webster, a research scholar and editor-in-chief of the DigiChina Project at the Stanford Cyber Policy Center. “How can a platform under suspicion for being from a foreign country credibly commit that they are obeying local rules or addressing national security concerns? To me it will be a sign as to whether various types of things across the China divide will be possible in the future.”
TikTok — which, along with Oracle, declined several requests for comment — has in the past consistently denied claims that it shares user data with the Chinese government or that it censors content at the behest of Beijing. Analysts, in turn, are divided on the level of threat the platform poses. Despite reports of politically motivated censorship on the platform, a recent study conducted by Citizen Lab at the University of Toronto did not find any conclusive evidence. The study also concluded that TikTok does not exhibit any “overtly malicious behavior similar to those exhibited by malware,” such as collecting photos or contact lists without user consent, and behaves comparably, in terms of privacy and security, to American social media platforms, like Facebook.
Even so, TikTok is headed for increased scrutiny, after President Biden issued an executive order last summer entitled Protecting Americans’ Sensitive Data from Foreign Adversaries, which empowers the Commerce Department with drawing up rules for foreign apps. The final regulations, which concluded a public comment period in December but have yet to be announced, could include requiring apps like TikTok to submit to third-party verification and an independent examination of source code. The U.S. military already banned its members from using TikTok in 2020, while the Committee on Foreign Investment in the United States (CFIUS) is reportedly carrying on an investigation into TikTok, which was originally opened in 2019 into TikTok’s acquisition and subsequent merger with Musical.ly, an American social media app. The Commerce Department and Treasury Department did not respond to requests for comment.
“Data can trade a million times after it is collected. It doesn’t matter if TikTok collects it first or Facebook. It can be weaponized by an adversary. The issue here is over collection of data.”
Patrick Jackson, the chief technology officer at Disconnect, a digital privacy firm
The U.S. is not the only country to take action against TikTok. India banned TikTok, along with many other Chinese apps, in 2020 due to national security concerns. Stanford’s Webster says TikTok needs to formulate a convincing and lasting response to the government’s issues.
“They need to come up with a solution that really makes it hard to argue that the risk hasn’t been dealt with,” he says. “The way to do that is to employ transparency and hand over operations to companies trusted in the U.S..”
The lack of detail around TikTok’s deal with Oracle so far makes it hard to know whether or not it will quell worries about user data. The plan, known internally as “Project Texas” according to BuzzFeed News, would not be the first time the U.S. company has been linked with the app. During the Trump administration, a group of U.S. companies, including Oracle and Walmart, were in discussions with TikTok to take a majority stake in a new global company that would have control over U.S. user data. The deal was put on hold after Trump’s executive order banning TikTok encountered legal challenges and Biden came into office.
Pellaeon Lin, author of the Citizen Lab study, says that even if TikTok relinquished full control of U.S. data to Oracle servers and put in place an auditing system, there would still be a risk that engineers based in China could easily slip code into the TikTok app that would enable it to gather data from American users.
Because of technical challenges like that, Patrick Jackson, the chief technology officer at Disconnect, a digital privacy firm, says that it will always be difficult to convince skeptics that TikTok’s systems are foolproof.
“I used to work in government, and we used to say, ‘the safest computer is the one you never turn on,’” he says. “There can always be backdoors.” Jackson adds that even if TikTok thoroughly anonymized the U.S. user data it would be relatively easy to de-anonymize it if Chinese executives asked for engagement statistics from the U.S. subsidiary, for example.
To Jackson, the issue at the heart of the TikTok debacle is the amount of data that platforms are allowed to access in the first place. “Data can trade a million times after it is collected,” Jackson says. “It doesn’t matter if TikTok collects it first or Facebook. It can be weaponized by an adversary. The issue here is over collection of data.”
But in the increasingly polarized U.S.-China tech landscape, a Chinese-owned app immediately raises alarm bells. Samm Sacks, a cyber policy fellow at New America, a Washington, D.C.-based think tank, says that only focusing on TikTok is a “red herring.”
“If we are concerned about data privacy and data security,” she says, “but only focusing on Chinese companies, we are not solving the issue. We are creating a protectionist environment.”
Katrina Northrop is a journalist based in Washington D.C. Her work has been published in The New York Times, The Atlantic, The Providence Journal, and SupChina. @NorthropKatrina