New Limits on TikTok User Data Access by Chinese Workers

In a letter meant to address privacy concerns from Republican lawmakers, TikTok CEO Shou Zi Chew says the company will soon be introducing new limits on access to private American user data by workers in China. Under the proposed plan, access to "protected" U.S. user data by workers outside of the U.S. "will be limited by, and subject to, robust data access protocols."

"As we recently reported, we now store 100% of U.S. user data by default in the Oracle (NYSE: ORCL) cloud environment," the announcement reads, "and we are working with Oracle on new, advanced data security controls that we hope to finalize in the near future."

Oracle is a California-based cloud infrastructure provider. Chew writes that, once all U.S. data is rerouted entirely through Oracle, it will be deleted from TikTok's company servers. Non-sensitive information, like public videos and comments, will still be accessible by non-U.S. workers.

Chew's announcement was sent in response to a letter he received from nine Republican senators regarding their concerns about how American TikTok user data is stored and accessed. On June 27, Senators Marsha Blackburn, Roger Wicker, John Thune, Roy Blunt, Ted Cruz, Jerry Moran, Shelley Moore Capito, Cynthia Lummis, and Steve Daines wrote to CEO Chew with 11 questions about how the platform functions.

In their letter to the Chew, the Republican Senators alleged that TikTok had lied in its testimony to Congress regarding Chinese access to U.S. data. The lawmakers also asked multiple questions regarding the amount of control parent-company ByteDance has over TikTok's operations, as well as questions about the relationship between TikTok and another ByteDance platform, Douyin.

"We are confident that when you review our responses, you will see that TikTok has not, at any point, misled Congress about our data and security controls and practices," Chew wrote.

Chew said that China-based ByteDance plays a role in TikTok's operations, "as would be expected of any global company with subsidiaries." According to Chew's response, TikTok and ByteDance app Douyin utilize "the same underlying basic technology building blocks." The Chinese government owns a 1% stake in Douyin, something Chew says the company had to support in order to access certain licenses. Still, Chew denied that the Chinese Communist Party (CCP) has any influence over TikTok itself.

"The Chinese government does not directly or indirectly have the right to appoint board members or otherwise have specific rights with respect to any ByteDance entity within the chain of ownership or control over the TikTok entity," Chew wrote.

One question that Chew doesn't seem to answer is what exactly the company could do to resist requests for U.S. user data from the CCP.

"If the Chinese Communist Party asked you for U.S. user data, what is to stop you from providing it? Can the CCP compel you to provide this data, regardless of response? Can they access it, regardless of response?" the Senators asked.

Chew's answer fails to respond to these questions and instead simply states that the company hasn't received a request for U.S. user data from the CCP.

"We have not been asked for such data from the CCP," Chew said. "We have not provided U.S. user data to the CCP, nor would we if asked."

At least one of the Republican Senators mentioned in Chew's letter was unsatisfied with his response.

"TikTok's response confirms that our fears regarding CCP influence within the company are well-founded," Senator Marsha Blackburn said in a statement. "They should have come clean from the start but instead tried to shroud their work in secrecy. Americans need to know that if they are on TikTok, Communist China has their information."

TikTok first came under serious fire from the U.S. government in 2020 when then-President Donald Trump threatened to ban the platform. Trump alleged that TikTok could be used by the Chinese government to collect private information about American citizens. TikTok's parent company, ByteDance, has repeatedly denied these claims, but privacy concerns persist.

The Senator's questions to Chew were sent following a June 17 report in which BuzzFeed News claimed to have recordings showing that TikTok workers in China had accessed American data. BuzzFeed notes that the workers who accessed the American data in China were doing so as a part of so-called Project Texas, the company's internal name for its efforts to make it impossible for certain "protected" data from the U.S. to be accessed by workers in China.

"The broad goal for Project Texas is to help build trust with users and key stakeholders by improving our systems and controls, but it is also to make substantive progress toward compliance with a final agreement with the U.S. Government that will fully safeguard user data and U.S. national security interests," the TikTok CEO wrote.

In other words, the China-based workers mentioned in BuzzFeed's report that triggered the Senator's letter were accessing the private data as a part of their project to stop workers from having that same sort of access.