TikTok is working on a plan to better safeguard the data of its U.S. users, the company said in an open letter to several U.S. Senators who have expressed concern that the China-based app is a national security risk.
Shared by The New York Times, the letter outlines a multi-pronged undertaking called "Project Texas," aimed at strengthening data security. TikTok says that 100 percent of U.S. user data is stored in an Oracle cloud environment located in the U.S., and it is working with Oracle on more advanced data security controls that will be finalized "in the near future."
TikTok is planning to delete U.S. data from its servers and store information with Oracle exclusively. The company says all data sharing outside of the United States will be pursuant to "protocols and terms approved by the U.S. government."
Concerns over TikTok have heightened over the last two weeks following a BuzzFeed News report that suggested TikTok engineers in China had access to the data of U.S. users between September 2021 and January 2022. "Everything is seen in China," said one TikTok employee in recordings reviewed by BuzzFeed, with the recordings also referencing a "Master Admin" engineer in China who "has access to everything."
"The broad goal for Project Texas is to help build trust with users and key stakeholders by improving our systems and controls, but it is also to make substantive progress toward compliance with a final agreement with the U.S. Government that will fully safeguard user data and U.S. national security interests. We have not spoken publicly about these plans out of respect for the confidentiality of the engagement with the U.S. Government, but circumstances now require that we share some of that information publicly to clear up the errors and misconceptions in the article and some ongoing concerns related to other aspects of our business."
Given the concerns over U.S. data access, the United States Federal Communications Commission earlier this week asked Apple and Google to remove TikTok from their app stores because of a "pattern of surreptitious data practices."
TikTok in its letter confirmed that some China-based employees are indeed able to access data from U.S. TikTok users, "subject to a series of robust cybersecurity controls" overseen by a U.S.-based security team. TikTok says that it has an internal data classification system and approval process in place that assign levels of access based on the sensitivity of the data. It will work with the Biden Administration going forward to continue to limit data access.
In response to a question on why TikTok does not plan to block all U.S. user data from the view of employees in China, TikTok said that "certain China-based employees will have access to a narrow, non-sensitive set of TikTok U.S. user data" in order to ensure global interoperability. Employees will also be able to develop the TikTok video recommendation algorithm using U.S. data, though training of the algorithm will be limited to Oracle's servers.
TikTok promises that access will be "very limited" and will not include "private TikTok U.S. user information." TikTok says that it has not been asked to provide data to the Chinese government, and would not provide data if the CCP requested information.
Apple and Google have not yet responded to the FCC's request to remove the TikTok app from their app stores.