TikTok has responded to a letter from Republican senators, sharing new details about its plans to protect American user data from ByteDance, its China-based parent company. The letter was prompted by a BuzzFeed News investigation published last month that showed how ByteDance employees based in China repeatedly accessed American users’ data via TikTok, despite repeated avowals they had not.
In the response to the nine lawmakers, obtained by the New York Times, TikTok CEO Shou Zi Chew said that the video-sharing platform will be run from servers in Texas owned by Oracle, a Silicon Valley database giant whose headquarters are in Austin. Its operations and algorithms, the letter says, will also be vetted by a third party.
“We know we are among the most scrutinized platforms from a security standpoint, and we aim to remove any doubt about the security of U.S. user data,” Chew wrote.
Over the years, American policymakers and lawmakers have scrutinized TikTok’s data-sharing and privacy practices thanks to its links to ByteDance. Questions about the level of ByteDance’s involvement in the day-to-day operations and decision making of TikTok have persisted. In 2020, then-president Donald Trump threatened to ban the app over concerns that the Chinese Communist Party could use it to surveil millions of Americans. Trump later proposed a deal that would have compelled ByteDance to sell a part of TikTok to Oracle in order to function in the US, although that plan never materialized. Last month, BuzzFeed News published a report based on leaked audio from more than 80 internal TikTok meetings that contained 14 statements from nine different TikTok employees showing that the company’s engineers in Beijing had accessed data of American TikTok users as recently as this year.
BuzzFeed News’ report sparked fresh backlash against the company, prompting an FCC commissioner to write to the CEOs of Apple and Google asking them to remove TikTok from their app stores.
In the letter, Chew acknowledges that ByteDance employees in China can access US users’ sensitive information, noting, however, that the management of that access is via a security team that is based in the US. Chew does not go into detail as to how decisions are made about access.
TikTok is currently negotiating with the Committee on Foreign Investment in the United States on what data should be considered “protected.” Under the agreement, private information, such as phone numbers and birthdays, would need to be stored on servers in Texas owned by Oracle. But BuzzFeed News’ investigation showed that public data, which includes people’s profiles, comments, and what they post, will not be included, potentially providing China-based ByteDance employees with massive insights into what TikTok’s American users care about and their media consumption habits, based on the enormous amount of information that could be included in the “unprotected” bucket of data.
TikTok employees around the world, including those in China, would still have access to this “narrow set of non-sensitive TikTok U.S. user data, such as public videos and comments,” Chew’s response to the senators states. “This access will be very limited, it will not include private TikTok U.S. user information, and it will only occur pursuant to protocols being developed with the U.S. Government.”
The letter does not give insight into the management structure of US-based TikTok employees reporting to China-based ByteDance higher-ups, one of the key points of BuzzFeed News’ previous reporting.