ByteDance employees in China have repeatedly accessed non-public data about American TikTok users, behavior that inspired former President Donald Trump to threaten to ban the app in the United States.
Engineers in China had access to US data between September 2021 and January 2022, at the very least.
In many instances, US employees have had to turn to colleagues in China to determine how user data flows in the US. The US employees did not have permission or knowledge of how to access the data themselves.
The company has misled lawmakers, users and the public by downplaying the importance of data stored in the US that employees in China can still access.
ByteDance is currently trying to redirect data so that some protected data cannot flow from the United States to China, an effort known internally as Project Texas.
The vast majority of situations in which employees based in China gained access to US user data were in service of Project Texas' goal of stopping access to that data.
Project Texas is key to a contract that TikTok is currently negotiating with cloud service provider Oracle and the US Committee for Foreign Investment.
Under the US Foreign Investment Commission agreement, TikTok maintains protected private information of US users, such as phone numbers and birthdays, exclusively in a data center operated by Oracle in Texas.
This data can only be accessed by TikTok employees residing in the United States. However, which data is considered protected is still being negotiated.
It seems that all public data, including users' public profiles and everything they post, will not be protected.
Lawmakers' concerns stem from the Chinese government's ability to obtain US data through ByteDance.
These fears are rooted because Chinese companies are subject to the whims of the Chinese Communist Party, which cracked down on local tech giants last year.
Frequent access from China to Americans' data
The risk is that the government may force ByteDance to collect and deliver information as a form of data espionage.
Another concern is that the Chinese government's soft power could influence how ByteDance executives direct their American counterparts to fine-tune the TikTok For You algorithm, which recommends videos to more than a billion users.
Senator Ted Cruz described TikTok as a Trojan horse that the Chinese Communist Party can use to influence what Americans see, hear and think.
Project Texas' narrow focus on the security of a particular slice of user data in the United States, much of which the Chinese government can buy from data brokers if it chooses, does not address concerns that China, through ByteDance, could use TikTok to influence trade behaviour. or cultural or political for Americans.
TikTok said in public statements and statements that it stores all data about its American users in the United States, with backups in Singapore. This mitigates some of the risks. The company says this data is not subject to Chinese law. But this does not address the fact that employees based in China have access to the data.
And it doesn't matter the actual location of the data storage if it can still be accessed from China. The concern may be that the data may remain in the hands of Chinese intelligence if people in China are still accessing it.
TikTok itself acknowledged the access issue in 2020. She wrote: Our goal is to reduce data access across regions so that, for example, employees in the Asia Pacific region, including China, have very little access to user data from the European Union and the States United.
Project Texas, once completed, should fill this gap with a limited amount of data. But there are many challenges employees face in finding and closing the channels that allow data to flow from America to China.
The danger is still there
Tik Tok has many internal tools that allow data to flow. This includes tools used for data visualization, content modification, and monetization, which are backdoors to accessing user data.
In addition, there are many situations in which the personnel responsible for some internal tools have not been able to know the parts of those tools. There are items inside the tools that no one knows their purpose.
The complexity of the company's internal systems and how they enable data flows between the United States and China underscores the challenges facing the United States Technical Services Team, a new engineering team assigned as part of Project Texas.
To prove the independence of the US Technical Services team from China-owned ByteDance, not everyone can join the team. Chinese citizens are not allowed to join.
This team is dedicated to controlling and managing access to sensitive US data. But he reports to the ByteDance leadership in China. He also gets his instructions from the main office in Beijing.
TikTok, through Project Texas, aims to make the data stored within the Oracle server secure. Besides, it cannot be accessed from China or anywhere else in the world.
However, this only includes data that is not publicly available through the app, such as content that is in draft form or is set as private, or information such as users' phone numbers and birthdays, that is collected but does not appear in their profiles.
Also, the UID will not be considered protected information. It is currently unclear what is meant by a UID. But it may refer to an identifier for a specific TikTok account, or for a device.
Usually, advertising technology companies like Google and Facebook use a UID to associate your behavior across apps.
Tik Tok signs an agreement with Oracle
TikTok continues to negotiate which data is considered protected. But not much US user data will be stored exclusively in the Oracle server. Including public videos, bios and comments.
Instead, this data is stored in the company's data center in Virginia. This center may still be accessible from the ByteDance offices in Beijing even after the completion of Project Texas.
This means that employees in China can continue to gain insights into what American users care about.
It also appears that Oracle is giving TikTok significant flexibility in how it operates its data center. While Oracle provides the physical data storage space for Project Texas, TikTok controls the software layer.
Details of the agreement between the Committee on Foreign Investment in the United States, TikTok and Oracle were under discussion as of January 2022.
Although Project Texas' goal is to cordon off access to the most sensitive details about Americans found on TikTok's servers. But there are still doubts about preventing ByteDance employees in China from accessing this data.