Illustration by Alex Castro / The Verge
On Friday, TikTok announced that it had started routing American users’ data to US-based servers owned by Oracle. But a timely report from BuzzFeed News calls into question what TikTok’s promise really delivers, claiming TikTok employees based in China have “repeatedly” accessed US users’ data over the course of at least several months.
In recordings of internal staff meetings and presentations obtained by BuzzFeed News, TikTok employees reportedly mentioned having to ask their colleagues in China to access US user data, as they weren’t able to access this data themselves. One member of TikTok’s trust and safety department team allegedly stated that “Everything is seen in China,” while another employee said a China-based engineer “had access to everything.”
These events reportedly occurred from at least September 2021 and January 2022, and follow similar allegations detailed by CNBC last year.
TikTok has faced years of criticism for potentially exposing the data of US users to China, where TikTok’s parent company, ByteDance, is based. In 2020, former President Donald Trump threatened TikTok with a nationwide ban and attempted to force the company into separating its US-based assets from ByteDance, calling it a threat to national security.
While TikTok never really did sell its US-based assets, it discussed making American software company Oracle its “trusted technology partner.” The deal seemed like it was on its last leg after President Joe Biden took office, but ended up reemerging in March with reports of something called Project Texas.
This initiative, which refers to the Texas-based headquarters of Oracle, is supposed to guard US users’ data in Oracles servers, barring access from the China-based ByteDance. It looks like some form of this deal is underway now, as TikTok has announced its transition to Oracle’s servers.
“For more than a year, we’ve been working with Oracle on several measures as part of our commercial relationship to better safeguard our app, systems, and the security of US user data,” Albert Calamug, the head of TikTok’s US security and public policy writes. “Today, 100% of US user traffic is being routed to Oracle Cloud Infrastructure.”
The company adds that it will use its Virginia and Singapore-based servers for backups, but it aims to delete users’ private data from these servers in order to “fully pivot to Oracle cloud servers located in the US.” It’s unclear when TikTok plans on making a complete shift to Oracle’s servers, and the company didn’t immediately respond to The Verge’s request for comment.
“These are critical steps, but there is more we can do,” Calamug continues. “We know we are among the most scrutinized platforms from a security standpoint, and we aim to remove any doubt about the security of US user data.”