At the Congressional hearing, TikTok pledges to remove US user data from its servers “this year.”

In his testimony before the US Congress this morning, TikTok CEO Shou Zi Chew said the company plans to remove all US user data from company servers by the end of the year. The commitment was shared as part of Chew’s opening statements, which detailed the company’s initiative known as Project Texas. The plan involves moving US user data to Oracle servers in the US, where the data is then verified by US personnel.

The plan is part of TikTok’s larger agenda to prevent the popular video entertainment app from being banned by the US government over national security concerns. The company is also trying to convince Congress that its app, which both US-based creators and small businesses rely heavily on to generate revenue, includes a number of safeguards designed to keep younger users safe, among other things.

However, with Project Texas, TikTok’s mission focuses on what Chew called a “firewall” that would shield protected U.S. user data from unauthorized foreign access — meaning, of course, the CCP. In some good branding, the name “Texas” refers to where Oracle’s headquarters are located.

TikTok’s overall plans for Project Texas were already known: the company wrote to Republican senators last June to assure them that it was working on an initiative to strengthen data security for US-based users. The letter was written in response to previous outreach from Congress that followed a BuzzFeed News report alleging that some China-based employees had access to TikTok user data in the US. In its response, TikTok explained how it plans to move and secure the data. However, the letter did not specify a time frame for the data to be moved.

In testimony this morning, Chew gave a deadline for that move, noting that the company expects to remove the data from its own servers this year.

“Today, US TikTok data is stored on Oracle’s service by default,” Chew said. “Only vetted personnel working at a new company called TikTok US Data Security can control access to this data. In addition, we now have plans to report this company to an independent US board with strong security credentials. Now there is still some work to be done,” he continued. “We have outdated US data on our servers in Virginia and Singapore. We are removing the ones we expect to be completed this year,” he said.

“Once that’s done, all U.S. protected data will be protected by U.S. law and overseen by the U.S.-led security team. This allays the concerns some of you have shared with me that TikTok user data may be subject to Chinese law,” Chew added.

The exec was later questioned about other aspects of TikTok’s data security, including whether he would commit not to sell US user data to anyone. Chew couldn’t give an unequivocal answer to this. After initially replying that TikTok would not sell to data brokers, he was pushed to answer more directly and said he would “get back to you” on the details of whether the company would sell data to anyone.

In addition, the CEO could not clarify whether Project Texas would completely separate TikTok from its Chinese parent company, as there could be technologies that are interrelated.

And when asked whether or not workers in China would have access to U.S. data, the exec replied, “After Project Texas, … the answer is no” — an answer that begs the question of how many Chinese workers could have access to the data now.

The exec was also questioned on whether or not Chinese ByteDance employees were subject to Chinese law, including the 2017 National Intelligence Act, which requires any organization or citizen to assist and cooperate with state intelligence. Chew initially sidestepped the answer by noting that “like many companies, including many U.S. companies, we rely on a global workforce, including engineers in China.”

Asked again to answer only yes or no, he then said “in the past, yes, but we are building Project Texas and we are committed to firewalling all protected data.”
