In his testimony before the U.S. Congress this morning, TikTok CEO Shou Zi Chew said the company plans to delete all U.S. user data from company servers by year-end. The commitment was shared as part of Chew’s opening statements, which detailed the company’s initiative known as Project Texas. The plan involves the relocation of U.S. user data to Oracle servers based in the U.S. where the data would then be overseen by American personnel.
The plan is one part of TikTok’s larger agenda to stop the popular video entertainment app from being banned by the U.S. government over national security concerns. The company also aims to convince Congress that it has a number of protections included in its app designed to keep younger users safe, and is heavily relied on by both U.S.-based creators and small businesses to generate income, among other things.
With Project Texas, however, TikTok’s mission is focused on what Chew referred to as a “firewall” that would seal off protected U.S. user data from unauthorized foreign access — meaning, of course, the CCP. In a bit of good branding, the name “Texas” refers to where Oracle is headquartered.
TikTok’s general plans for Project Texas were already known — the company last June wrote to Republican senators to assure them how it was working on an initiative to bolster data security for U.S.-based users. The letter was written in response to earlier Congressional outreach that had followed a report from BuzzFeed News that claimed some China-based employees had access to TikTok U.S. user data. In TikTok’s response, it explained how it intended to relocate and safeguard the data. However, the letter did not then commit to a timeframe for the data’s relocation.
In the testimony this morning, Chew gave TikTok a deadline for that move, noting the company expected to delete data from its own servers this year.
“Today, U.S. TikTok data is stored by default in Oracle’s service,” Chew said. “Only vetted personnel operating in a new company called TikTok U.S. Data Security can control access to this data. Now additionally, we have plans for this company to report to an independent American board with strong security credentials. Now there’s still some work to do,” he continued. “We have legacy U.S. data sitting in our servers in Virginia and in Singapore. We’re deleting those we expect that to be complete this year,” he said.
“When that is done, all protected U.S. data will be under the protection of U.S. law and under the control of the U.S.-led security team. This eliminates the concern that some of you have shared with me that TikTok user data can be subject to Chinese law,” Chew added.
The exec was later questioned on other aspects of its data security, including whether or not it would commit to not selling U.S. user data to anyone. Here, Chew couldn’t provide a straightforward answer. After initially responding that TikTok wouldn’t sell to data brokers, he said he would have “get back to you” on the details around whether or not it sold data to anyone, after being pushed to answer more directly.
In addition, the CEO couldn’t clarify if Project Texas would completely separate TikTok from its Chinese parent, as there could be technologies that were interconnected.
Plus, when questioned about whether or not any employees in China would have access to U.S. data, the exec responded, “After Project Texas,…the answer is no” — an answer that begs the question as to how many Chinese employees could access the data now.
The exec was also questioned as to whether or not Chinese ByteDance employees were subject to Chinese law, including the 2017 National Intelligence Law which requires any organization or citizen to assist and cooperate with state intelligence work. Chew sidestepped answering at first by noting that, “like many companies, including many American companies, we rely on a global workforce including engineers in China.”
Asked again to respond just yes or no, he then said “in the past, yes, but we are building Project Texas and we’re committed to firewalling off all protected data.”