Inside Project Texas, TikTok’s Big Answer To US Lawmakers’ China Fears

TikTok is rebuilding its systems to keep US user data in the US and putting a new US-based team in control. But for now, that team reports to executives in China.

Over the past year, thousands of TikTok employees have scrambled to move the company’s stores of information about its US users to data centers inside the US, and to restrict access to that data abroad. The effort, which is ongoing, is known internally as “Project Texas.” According to seven current and former TikTok employees, it represents the company’s response to concerns from regulators that the Chinese government could use the app, owned by the Chinese corporation ByteDance, to access sensitive information about US citizens.

The heart of Project Texas has been the creation of US-specific clones of TikTok’s internal systems. Some of these systems are tracking and analytics tools, like the ones that employees use to monitor content virality, while others affect what users see, like the recommendation algorithm that powers TikTok’s popular “For You” page. The new US-specific systems, including all US user data, will be hosted in data centers owned by Oracle, TikTok’s “trusted technology partner.” (The project name is a nod to Oracle’s headquarters in Austin.) New controls will restrict access to the systems to a new US-based team, called US Tech Services (USTS). Once Project Texas is complete, TikTok plans to replicate it in Europe.

One critical part of Project Texas has not yet been decided: how much control Beijing will have over the USTS team. Today, USTS employees report to middle managers in the United States, who report to a ByteDance executive in China. But the company is discussing legal models to restrict Chinese managers’ access to USTS information, according to two people familiar with the discussions.

TikTok declined to answer a detailed set of questions from BuzzFeed News about Project Texas. Company spokesperson Maureen Shanahan instead offered a statement: “TikTok is committed to protecting the privacy and security of our community. User data is stored in data centers in the US and Singapore, and we continue to invest in data security as part of our overall work to keep our users and their information safe.”

Shanahan declined to comment on TikTok’s discussions about creating a separate data governance entity, and on the fact that the USTS team reports to a ByteDance employee.

Project Texas comes at a critical time in TikTok’s short history. TikTok was the world’s most-visited website in 2021, overtaking YouTube in US watch time and Facebook in app downloads for the first time. (Disclosure: In a previous life, I held policy positions at Facebook and Spotify.) But ever since TikTok became popular in the US, it has been fighting the perception that its Chinese ownership makes it dangerous. In 2019, the Committee for Foreign Investment in the United States (CFIUS) began investigating whether TikTok posed a risk to national security, and the US Navy and Army banned TikTok from soldiers’ work phones. In August 2020, President Donald Trump announced that he would ban the app if it was not sold to a US company. As US tech giants Oracle and Microsoft explored a deal to buy TikTok from ByteDance, the Chinese government reclassified TikTok’s algorithm as a “sensitive technology” potentially ineligible for sale to a US company.

Despite this complication, a tentative deal was reached between Oracle and ByteDance, but the sale was put on hold in February 2021 after Trump left office. Reuters earlier reported that TikTok and Oracle are nearing a deal for the US tech company to store all American user data, and that access to that data would be limited to a specific team. The Biden administration is currently in the process of developing new regulations for apps that could enable foreign governments to obtain US citizen data.

Senator Marsha Blackburn, however, said she will be concerned as long as "product developers and key decision makers are based out of the PRC. TikTok is saying what they think will help them escape scrutiny from lawmakers, but that won't happen as long as they remain the arm of the CCP."

Fears that China could use TikTok to access US citizens’ data or shape US civic discourse are not unfounded. In 2019, the Guardian reported that TikTok had censored videos on topics of Chinese political importance. TikTok had nearly 40 million US users at the time. In February 2021, the company agreed to pay $92 million to settle a class action lawsuit alleging it had transferred US user data to servers in China.

Since the CFIUS investigation began, ByteDance has separated teams working on TikTok from those working on Douyin, the app’s mainland China equivalent, and considered creating a new “management board” and a US headquarters. In November 2021, TikTok’s CEO Shou Zi Chew stepped down from his role as ByteDance’s CFO (a job he had held while also running TikTok). But to date, no action by the company has changed the core relationship between the companies: ByteDance still owns and controls TikTok today.

Interviews with 19 current and former TikTok employees show that ByteDance’s control over TikTok is not merely structural. Employee accounts portray the companies as sometimes so closely entwined that it is unclear where TikTok stops and ByteDance begins. Some workers described instances where senior leadership decisions were made by unknown actors in Beijing. Others said their managers handed down key product decisions after they had “talked to Beijing.” One employee described hesitation after being asked to enter sensitive information into a .cn domain. Two others said they’d occasionally been tasked with work on other ByteDance products, though their employment agreement was with TikTok. Others noted the opacity of the company’s org chart: 10 employees who spoke to BuzzFeed News did not know the identities of the people that their managers (or their managers’ managers) reported to.

TikTok and ByteDance declined to comment on TikTok employees working on other ByteDance products and receiving direction from ByteDance employees. Instead, Shanahan said in a statement: “TikTok’s CEO has full autonomy for all decisions about TikTok’s operations.”

ByteDance also tightly controls TikTok’s workplace infrastructure — and reserves the right to share internal company communications with governments, including the government of China. TikTok employees’ work email addresses are tied to ByteDance’s domain. They primarily use ByteDance’s workplace toolsuite, Lark, for chat, email, videoconferencing, translation, reimbursement, and other administrative tasks. Lark’s privacy policy says that the company may share data (which is stored in Singapore) “to assist in law enforcement and investigations conducted by any governmental and/or regulatory authority.”

However, several US-based employees also said they used Feishu, ByteDance’s Lark equivalent for mainland China. Feishu’s privacy policy says that the company may share users’ data (which is stored in China) when it is “directly related to” national security, public safety, or other “major public interests.”

ByteDance’s access to internal TikTok communications raises the possibility that governments could require ByteDance to turn over sensitive company communications, like those between TikTok and other governments, or internal investigations into disinformation campaigns.

According to Jennifer Banks, a spokesperson for ByteDance, the Chinese government has never requested TikTok employee communications from Feishu or Lark. (She did not answer a follow-up question about whether other governments have done so and if ByteDance has complied with such requests.) But James Lewis, director of the Strategic Technologies Program at the Center for Strategic and International Studies, told BuzzFeed News that it would not be able to prevent such a request in the future. He said: “There are no legal protections for a company in China. If the party leadership decides they want everyone to dye themselves blue with woad, then they have to do it.”

So far, Project Texas appears to be primarily an exercise in geography, one that seems well-positioned to address concerns about the Chinese government accessing Americans' personal information. But it does not address other ways that China could weaponize the platform, like tweaking TikTok algorithms to increase exposure to divisive content, or adjusting the platform to seed or encourage disinformation campaigns.

Adam Segal, director of the Digital and Cyberspace Policy program at the Council on Foreign Relations, told BuzzFeed News that the Chinese government's influence on TikTok’s algorithms is a more pressing concern than data exfiltration. “I’ve never seen a particularly good argument about what the Chinese could get from TikTok data that they can’t get from hundreds of other sources,” he said. But he did point to examples of the Chinese Communist Party using technology to warp digital discourse, including TikTok’s previous censorship of speech harmful to China’s “national honor,” and a 2020 attempt by a China-based Zoom employee to disrupt video meetings commemorating the Tiananmen Square massacre.

TikTok vehemently denies accusations that it censors speech critical of China today. And members of TikTok’s Trust & Safety team, which makes and enforces content policies for the company, portrayed it as comparatively well insulated from ByteDance influence. Employees described Trust & Safety workers as having less frequent contact with Beijing, and clearer lines of reporting, than other employees that BuzzFeed News spoke to — and described TikTok’s Trust & Safety practices as similar to those adopted by US-based tech giants. Nonetheless, the question of reporting structure looms large: Like other senior TikTok officials, its head of Trust & Safety reports to TikTok’s CEO, who reports to ByteDance as TikTok’s corporate owner. And as long as the buck stops with ByteDance, “there is a ceiling” to how much TikTok can distance itself from the Chinese government, Lewis said.

US lawmakers have made clear that their concerns about TikTok go beyond where data is stored. In a 2019 tweet, Sen. Chuck Schumer said that under Chinese law, TikTok and ByteDance “can be compelled to cooperate with intelligence work controlled by China’s Communist Party.” At an October 2021 Senate hearing, TikTok’s Head of Public Policy for the Americas Michael Beckerman testified that TikTok’s privacy policy allows it to share the information it collects (including US user data) with ByteDance. He declined to answer questions from Sen. Ted Cruz about whether the policy allows TikTok to share that data with Beijing ByteDance Technology, another ByteDance subsidiary that is partially owned by the Chinese Communist Party.

At the same hearing, Sen. Marsha Blackburn asked Beckerman whether ByteDance employees had access to TikTok’s algorithm. Beckerman, not directly answering the question, said that US user data is kept in the US. Blackburn also asked whether there are programmers, product developers, and data teams in China working on TikTok. Beckerman confirmed that there are.

Lawmakers beyond the US have also raised concerns about TikTok’s relationship with China. In June 2020, the Indian government banned TikTok, WeChat, and more than 50 other Chinese apps after a clash on the India–China border that killed 20 Indian soldiers. India’s regulatory body, the Ministry of Electronics and Information Technology, alleged that the apps were “stealing and surreptitiously transmitting” Indian user data to data centers outside of India. In August 2020, intelligence agencies in Australia began investigating whether TikTok poses a security threat to the country. In September 2021, Ireland’s Data Protection Commission opened an investigation into how TikTok transfers user data to countries outside the EU.

The similarities between different countries’ regulatory concerns about TikTok and China emphasize the potential importance of Project Texas. If it succeeds in the US, the project may serve as a roadmap for TikTok in other jurisdictions (perhaps even in India, where it has been banned). It may also serve as a model for other large companies, like Amazon, Facebook, and Google, which face similar concerns from overseas regulators about collecting their citizens’ personal information.

Graham Webster, editor-in-chief of the Stanford–New America DigiChina Project at the Stanford University Cyber Policy Center, sees TikTok as “a guinea pig” for lawmakers’ inherent skepticism about foreign companies collecting their citizens’ data. Still, Webster says he’s optimistic, because ByteDance has a heavy incentive to get regulators fully comfortable with TikTok.

“This is a company that is looking for a way for this to actually work,” he said. “They’re going to keep trying until there’s an obvious defeat, because the amount of money on the table is enormous.”

UPDATE

This story has been updated to include comment from Senator Marsha Blackburn.
