Since 2019, TikTok has been negotiating with the U.S. government to address concerns about potential national security risks posed by the platform. Failure to reach an agreement that satisfies the U.S. government’s concerns could have severe consequences for TikTok’s ability to continue operating in the United States: TikTok would likely be banned or required to sell off a majority stake in the company.
In the past several months, rumors have swirled about what the contours of such an agreement might be and when it might be announced. While some details have emerged about Project Texas, the code name for TikTok’s plans to implement that agreement, to date those details have been based on rumors and limited disclosures. Alongside those rumors, debates about TikTok’s risks to U.S. national security have intensified, with many policymakers calling for an outright ban. The federal government and several states have passed new laws to restrict the use of TikTok on government devices. Negotiations between the Committee on Foreign Investment in the United States (CFIUS) and the company over a national security agreement remain ongoing.
As the New York Times reported this morning, senior TikTok officials briefed academics, think tank scholars, and others about the newest details of Project Texas last week. We attended the briefing, which was held in TikTok’s Washington, D.C., offices. Participants were not provided copies of the slides that executives used in their presentation, but they were permitted to take detailed notes during the presentation. They were not required to sign nondisclosure agreements.
Those notes provide the basis for the following description of Project Texas. Note that the Center on Technology Policy at UNC-Chapel Hill, which one of us (Perault) directs, has received funding from TikTok.
What is the purpose of Project Texas?
TikTok developed Project Texas in the wake of executive orders issued by President Trump in the summer of 2020: one banned TikTok, and the other required divestiture. The first order was struck down in federal court and then subsequently withdrawn and replaced by the Biden administration. The second order was put in abeyance while the government and TikTok negotiated a national security agreement to address the risks identified by the government. The Trump administration asserted that the orders were necessary because TikTok’s parent company is ByteDance, a Chinese company.
These negotiations have occurred against the backdrop of a CFIUS investigation of ByteDance’s acquisition of TikTok’s predecessor, Musical.ly. The investigation was initiated during the Trump administration and remains ongoing, though public, official information about its status is limited.
Authorized by Section 721 of the Defense Production Act, CFIUS is a U.S. government agency charged with reviewing and monitoring foreign investments in the United States to protect against national security threats. When CFIUS determines that a transaction may pose a risk to national security, it may enter into a mitigation agreement with the entity, and then conduct ongoing monitoring to ensure that the entity complies. The Biden administration recently issued an executive order enumerating factors CFIUS must consider in its reviews, including whether “foreign investments in United States businesses that have access to or that store United States persons’ sensitive data, including health and biological data, involve a foreign person who might take actions that threaten to impair the national security of the United States.” CFIUS also recently issued enforcement and penalty guidelines, specifying the process it uses to determine penalties for noncompliance.
According to reports and company officials, negotiations between TikTok and CFIUS have focused on addressing three specific risks raised by the government:
According to the company, the discussions with the government provided the basis for the contours of an agreement that would mitigate those concerns. Those contours, filled in by negotiations with CFIUS, are the basis for Project Texas.
What does Project Texas do?
The cornerstone feature of Project Texas is a new subsidiary: TikTok U.S. Data Security Inc. (USDS). TikTok established USDS in July 2022. The new entity houses the functions of TikTok’s business that are most likely to give rise to national security concerns, such as access to U.S. citizen data and decisions on content moderation. It will be governed by an independent board of directors, which TikTok will nominate and CFIUS will review. The board will report to CFIUS and not to ByteDance or to the global TikTok entity. Oracle will oversee data entering the entity and data exiting the entity so as to ensure that the data flows do not pose national security risks.
USDS will house TikTok teams that access U.S. user data, access TikTok’s software code and back-end systems, or moderate content on the platform. By design, it will replicate several of the core functions of TikTok’s global business. For instance, it will have a separate human resources team that will be responsible for hiring and managing U.S. personnel. Additional teams housed in USDS will include engineering, user and product operations, privacy operations, trust and safety, legal, threat detection and response, and security risk and compliance. Functions that do not require handling U.S. user data—such as public policy and marketing—won’t be brought into USDS. According to the briefing, about half of TikTok’s U.S. employee base has already been moved into USDS.
USDS will be led by Andy Bonillo and Will Farrell. As part of the security agreement with TikTok, CFIUS will specify requirements for hiring at USDS. Anyone working for USDS must be either a U.S. citizen or hold a green card. USDS will notify the U.S. government of any potential USDS employee, and the government will have the ability to conduct additional background checks on any potential employee and deny USDS the ability to hire the individual.
What role will Oracle play in monitoring USDS?
Oracle Cloud will host the TikTok platform in the United States, including the algorithm and the content moderation functions. It will be responsible for monitoring data flowing into USDS and out of USDS to ensure that no data illicitly transits the USDS boundary. All U.S. data traffic will be routed through Oracle Cloud. In the briefing, TikTok stated that all U.S. user data is already stored in Oracle Cloud.
To enable TikTok users to engage with TikTok users in other countries, some data necessarily must flow outside the country. In the briefing, TikTok stated that it raised this issue with CFIUS, and that CFIUS agreed that the service should continue to operate globally and should continue to offer U.S. users the ability to engage with users outside the country.
Because TikTok will continue to operate globally, some data will transit the USDS boundary and leave the United States. For instance, user videos often have an audience outside the United States. For a foreign user to like a video that originates in the United States, data will need to leave USDS. Similarly, data will leave USDS if a user decides to message someone outside the United States. Finally, data might leave USDS for safety reasons, such as if a U.S. user deletes a video that has been viewed by users outside of the country. To delete the video outside of the United States, TikTok must send data beyond the boundaries of USDS. TikTok indicated that each of these three data fields—public data, interoperability data, and safety tools—was vetted by CFIUS.
Oracle will use a combination of automated processes and human review to monitor the data flows for security breaches or improprieties. Among other measures, it will conduct spot checks to review data transmitting the USDS border, and will follow up with more detailed reviews if any of the checks review data flows that are out of compliance.
Oracle will also lead a security review process that will examine all TikTok software. Oracle will conduct its own assessment of all TikTok code, alongside a third-party inspector who must be approved by CFIUS. Once the code passes this inspection, it is digitally signed by Oracle. After that, the software is permitted to run. If Oracle does not provide a digital signature, the software cannot run. Oracle will also be responsible for delivering updates to the Google and Apple app stores.
This vetting process will occur inside transparency centers, physical locations where outside auditors can review TikTok’s source code. The presence of these centers will allow Oracle to review the code without TikTok needing to transfer it to them. The transparency centers will also be accessible to the U.S. government, so that it can conduct its own reviews of the code. According to TikTok’s presentation, Oracle has been conducting an initial review of the source code since August 2022.
At a minimum, Oracle will be responsible for identifying malicious code, security vulnerabilities, and any issues concerning TikTok’s content recommendation system. If it finds indications of a critical security threat, it must notify USDS, CFIUS, and the third-party monitor (see below) within one day.
What role will USDS play in content moderation?
USDS will house TikTok’s content moderation functions in the United States. Currently, TikTok moderates content in three primary ways: It enforces its community guidelines, it recommends videos based on user behavior, and it promotes videos based on its editorial policies. For U.S. users, each of these processes will move to USDS.
Oracle will conduct oversight of the moderation system, the recommendation engine, and promoted content. If it identifies a potential risk, it will flag that risk for the government, which will then have the authority to inspect the issue in more detail.
Who will conduct oversight over Project Texas?
If TikTok and CFIUS reach an agreement to mitigate security risk, then CFIUS will play an ongoing role in monitoring TikTok’s compliance with the agreement. CFIUS currently monitors dozens of mitigation agreements and provides regular reports to Congress on its efforts to ensure that companies comply with its agreements.
In the presentation, TikTok listed six additional entities that will monitor Project Texas to ensure compliance with its public representations and the national security agreement:
According to TikTok, all third-party auditors and monitors will be required to provide reports to CFIUS. CFIUS will have the right to appoint additional monitors as necessary.
What will USDS cost TikTok?
TikTok estimates that it will cost $1.5 billion to stand up USDS, and that its annual operating costs will be between $700 million and $1 billion. In addition, if TikTok grows, it will often need to make duplicate hires when USDS houses a duplicate function: one new employee in the global company and one in USDS.
TikTok did not provide specific estimates of the impact of Project Texas on the app’s performance, though they did acknowledge that the complexity of the USDS data storage model would likely have some impact on app performance and stability. In general, app performance lags when there is a greater distance between the location where data is stored and the user trying to access that data. Creating USDS will require some user data to transit significantly longer distances. In addition, because most data held outside the U.S. will not be able to flow into USDS, USDS will not be able to use large portions of TikTok’s global data set to train its algorithm in the United States.
What comes next?
Our intent here is to summarize TikTok’s plans for Project Texas, not to evaluate whether those plans are sufficient to address the national security concerns that have been raised about the platform. We have also deliberately not tackled a discussion of the long-term implications of Project Texas for the internet sector as a whole, including whether it will fuel data localization proposals in other countries that will have enduring consequences for technology users and businesses.
But at the very minimum, the establishment of USDS and the controls on data flows will have legal and policy implications for TikTok’s ability to transfer data outside of the United States, even absent any additional requirements imposed as part of an agreement with CFIUS.
First, TikTok will need to revise its privacy policy. Because the new policy will specify that data will be permitted to flow out of USDS only in specific, limited circumstances, TikTok indicated that the new privacy policy will not include the broad “affiliate sharing” provision that has existed in TikTok’s privacy policy to date. Many commentators have pointed to this provision as a vehicle for the Chinese government to access data: It enables TikTok to legally transfer data to its parent, ByteDance, and because ByteDance is a Chinese company, it would be required to provide data in response to any request from the Chinese government. The narrowing of the “affiliate sharing” provision will cut off that route for data transfer.
Second, because TikTok’s privacy policy will limit affiliate data sharing between USDS and the Chinese parent, it will be liable under Section 5 of the Federal Trade Commission Act if it makes data transfers in violation of its policy. The Federal Trade Commission has used this provision to pursue enforcement action against technology platforms when it believes their public commitments to their users are out of step with their actual practices.
Third, in most cases, the Stored Communications Act bars technology companies from disclosing account content to foreign governments. If the Chinese government were to request content data from USDS, U.S. law would prohibit USDS from providing that data. If USDS provided that data in violation of U.S. law, it would be subject to prosecution.
The debate about the risks posed by TikTok’s operations in the United States should be grounded in the realities of its current and planned operations, rather than in speculation about what those operations might be. Our hope is that with a more concrete understanding of the details of Project Texas, experts and policymakers will be able to debate whether TikTok’s plans adequately mitigate the risks. If not, we hope that they will offer alternatives that will enable both TikTok and CFIUS to consider specific modifications that will protect Americans’ safety and security, protect users’ ability to use tech products they enjoy, and protect platforms’ ability to innovate.
© 2023 The Lawfare Institute