
Has TikTok Implemented Project Texas?

Matt Perault
Friday, May 10, 2024, 9:40 AM
Takeaways from a recent on-the-record briefing with the company’s representatives on the progress of Project Texas.
The TikTok app for iPhone (Focal Foto, https://www.flickr.com/photos/192902634@N05/52660596099; CC BY-NC 2.0 DEED; https://creativecommons.org/licenses/by-nc/2.0/)

Published by The Lawfare Institute in Cooperation With Brookings

In January 2023, TikTok unveiled Project Texas, its plan to address the U.S. government’s national security concerns. Roughly 18 months later, the U.S. government passed legislation that will effectively ban TikTok unless ByteDance, TikTok’s parent company, sells the platform to a buyer who is not “controlled by a foreign adversary.” And earlier this week, TikTok filed a suit challenging the law on the grounds that it violates the First Amendment. More specifically, TikTok argued that, “[b]y banning all online platforms and software applications offered by ‘TikTok’ and all ByteDance subsidiaries, Congress has made a law curtailing massive amounts of protected speech.” And it argued that “the government cannot … dictate the ownership of newspapers, websites, online platforms, and other privately created speech forums.” According to TikTok, the government did not provide “any proof of a compelling interest,” including a national security risk, that would justify the law. 

The suit is almost certain to bring Project Texas back to the forefront of discussions about TikTok’s future in the United States. Under traditional First Amendment doctrine, a judge will consider whether the U.S. government had less restrictive alternatives to the path it has chosen for the app: ban TikTok if a sale does not happen within a year. TikTok will claim that Project Texas is that alternative.

Thus, Project Texas will most likely be central to any judge’s decision in the case, and weighing it will require a deep understanding of its specifics. So, what exactly does Project Texas entail?

Back when TikTok first decided to publicly reveal its plans for Project Texas, it briefed reporters, academics, and civil society organizations on the details. Yale Law School fellow Samm Sacks and I attended one of those briefings and published what we learned in an article in Lawfare. In short, Project Texas included several elements designed to address the government’s concerns about data security and content manipulation, as well as auditing measures to try to monitor TikTok’s compliance with the plan.

Since then, TikTok has not said much about its progress implementing the plan. But earlier this week, after it filed its suit, TikTok briefed the Center on Technology Policy at UNC-Chapel Hill, which I direct, on the status of Project Texas (note that our center receives funding from foundations and companies, including TikTok). The briefing was led by Will Farrell, the lead security officer for TikTok’s U.S. entity, and Andy Bonillo, the U.S. entity’s general manager. 

What follows is a description of TikTok’s progress implementing Project Texas since its January 2023 announcement of the plan. The descriptions of TikTok’s progress are based entirely on TikTok’s representations, as the company described it to me. It is possible that in the course of litigation, a judge may find that those representations are inaccurate. 

Governance and Personnel

Project Texas’s key feature is the creation of a new, U.S.-based subsidiary independent from TikTok’s global operations. TikTok established this independent entity, called TikTok U.S. Data Security (USDS), in July 2022.

In the January 2023 briefing, TikTok described its planned staffing and governance structure for the entity. As Sacks and I described in the previous Lawfare piece:

The cornerstone feature of Project Texas is a new subsidiary: TikTok U.S. Data Security Inc. (USDS). TikTok established USDS in July 2022. The new entity houses the functions of TikTok’s business that are most likely to give rise to national security concerns, such as access to U.S. citizen data and decisions on content moderation. It will be governed by an independent board of directors, which TikTok will nominate and CFIUS will review. The board will report to CFIUS and not to ByteDance or to the global TikTok entity. Oracle will oversee data entering the entity and data exiting the entity so as to ensure that the data flows do not pose national security risks.

USDS will house TikTok teams that access U.S. user data, access TikTok’s software code and back-end systems, or moderate content on the platform. By design, it will replicate several of the core functions of TikTok’s global business. For instance, it will have a separate human resources team that will be responsible for hiring and managing U.S. personnel. Additional teams housed in USDS will include engineering, user and product operations, privacy operations, trust and safety, legal, threat detection and response, and security risk and compliance. Functions that do not require handling U.S. user data—such as public policy and marketing—won’t be brought into USDS. According to the briefing, about half of TikTok’s U.S. employee base has already been moved into USDS.

USDS will be led by Andy Bonillo and Will Farrell. As part of the security agreement with TikTok, CFIUS will specify requirements for hiring at USDS. Anyone working for USDS must be either a U.S. citizen or hold a green card. USDS will notify the U.S. government of any potential USDS employee, and the government will have the ability to conduct additional background checks on any potential employee and deny USDS the ability to hire the individual.

According to TikTok, many of these elements have been implemented already. Bonillo and Farrell run USDS, and all USDS employees report to them. The entity is physically separate from other TikTok operations. It houses the TikTok teams that access U.S. user data, monitor the security of the platform, and moderate content. What’s more, the team has grown since the January 2023 briefing: In this week’s briefing, TikTok said that USDS employed roughly 700 people in January 2023 and more than 2,000 now. 

However, two elements of the governance structure have not yet been implemented. USDS does not yet have an independent board of directors to oversee it. TikTok says that it has provided its nominees for the directors to the U.S. government, but the government has not yet approved them. In short, to achieve independence, USDS requires action by the U.S. government, and so in the absence of that action, there is not—and cannot be—independent governance. 

In addition, USDS does not yet house the full human resources function. According to TikTok, that transition is in process but not completed.

In its January 2023 briefing, TikTok emphasized a range of employment oversight duties that the U.S. government would perform, such as specifying requirements for hiring and conducting background checks. The U.S. government has not yet assumed those oversight duties because an agreement is not in place. Instead, TikTok is conducting some elements on its own, such as background screenings.

Data Access

One of the primary national security concerns is the possibility that the Chinese government could access TikTok U.S. user data. In the January 2023 briefing, TikTok described its plans to address these concerns:

Oracle Cloud will host the TikTok platform in the United States, including the algorithm and the content moderation functions. It will be responsible for monitoring data flowing into USDS and out of USDS to ensure that no data illicitly transits the USDS boundary. All U.S. data traffic will be routed through Oracle Cloud. In the briefing, TikTok stated that all U.S. user data is already stored in Oracle Cloud.

To enable TikTok users to engage with TikTok users in other countries, some data necessarily must flow outside the country. In the briefing, TikTok stated that it raised this issue with CFIUS, and that CFIUS agreed that the service should continue to operate globally and should continue to offer U.S. users the ability to engage with users outside the country. 

Because TikTok will continue to operate globally, some data will transit the USDS boundary and leave the United States. For instance, user videos often have an audience outside the United States. For a foreign user to like a video that originates in the United States, data will need to leave USDS. Similarly, data will leave USDS if a user decides to message someone outside the United States. Finally, data might leave USDS for safety reasons, such as if a U.S. user deletes a video that has been viewed by users outside of the country. To delete the video outside of the United States, TikTok must send data beyond the boundaries of USDS. TikTok indicated that each of these three data fields—public data, interoperability data, and safety tools—was vetted by CFIUS. 

Oracle will use a combination of automated processes and human review to monitor the data flows for security breaches or improprieties. Among other measures, it will conduct spot checks to review data transiting the USDS border, and will follow up with more detailed reviews if any of the checks reveal data flows that are out of compliance.

According to TikTok, every U.S. user now communicates with a version of TikTok that is run in the Oracle environment. As detailed in the previous Lawfare piece on Project Texas, TikTok continues to send U.S. user data outside of USDS in specific circumstances to maintain global product and security functionality. For U.S. user videos to go viral globally, data must flow outside the United States, for instance. This global functionality was part of the negotiations between TikTok and the Committee on Foreign Investment in the United States (CFIUS), and TikTok stated that CFIUS approved this functionality.

Two planned elements of Project Texas’s data storage design are not yet complete. First, TikTok planned for Oracle to build a “wrapper” around its app, called the Oracle Sandbox. The purpose of this wrapper is to provide an additional layer of security and monitoring capability.

Second, TikTok planned to delete all U.S. user data from foreign servers. For users who joined the service prior to the implementation of Project Texas, some data of theirs was stored in data centers outside the United States—TikTok has not yet deleted all of this data. It has retained a U.S. auditing firm to review its data deletion process to ensure that no U.S. user data is stored outside the United States, but this audit has not yet been completed. 

Content Moderation and Interference

The U.S. government’s second significant national security concern is the possibility that the Chinese government could manipulate content on TikTok to serve its own objectives. For example, members of Congress have contended that content sensitive to the Chinese government is less visible on TikTok than on other platforms. Here’s how TikTok previously described the Project Texas features designed to address this risk:

USDS will house TikTok’s content moderation functions in the United States. Currently, TikTok moderates content in three primary ways: It enforces its community guidelines, it recommends videos based on user behavior, and it promotes videos based on its editorial policies. For U.S. users, each of these processes will move to USDS.

Oracle will conduct oversight of the moderation system, the recommendation engine, and promoted content. If it identifies a potential risk, it will flag that risk for the government, which will then have the authority to inspect the issue in more detail.

Today, USDS and third parties conduct a review of all updates to the TikTok app that are initiated outside the United States. According to TikTok, all software updates are deployed by USDS personnel. It described “multiple gates and checks on quality,” including a process where USDS and third parties approve any editorial decision on algorithmic promotion and filtering, such as increasing visibility of content related to Taylor Swift or the World Cup. 

TikTok emphasized that Oracle reviews these moderation decisions as well, and that it plans to work with three additional firms—which have not yet been publicly identified—to monitor source code for foreign interference. Oracle reviews the code in dedicated transparency centers, which are located in Columbia, Maryland; Denver, Colorado; the United Kingdom; and Australia. The locations outside the United States were selected at Oracle’s request, since the company has existing personnel in those locations. 

For human moderation of TikTok’s Community Guidelines, any moderation that involves “Protected Data” (non-public data, like a direct message) is conducted by USDS employees. If the moderation involves only public data, such as a public video that is visible globally, then both USDS employees and global employees may moderate the content.

A feature of Project Texas that was not described in the previous briefing is the artificial intelligence (AI) training process, which involves using user data to train TikTok’s algorithms. TikTok stated that all algorithm training involving protected U.S. user data is performed in the United States by USDS personnel operating inside the Oracle environment. According to TikTok, U.S. user data is not used outside the United States for training purposes.

One key feature has not yet been established, however: U.S. government review of risks identified by Oracle. USDS cannot establish a process for reporting risk to the U.S. government because the U.S. government has not agreed to serve in that role.

Auditing and Oversight

The final component of Project Texas is oversight to ensure that it is operating in accordance with TikTok’s representations. In our prior article, Sacks and I described the oversight plan for Project Texas as follows:

If TikTok and CFIUS reach an agreement to mitigate security risk, then CFIUS will play an ongoing role in monitoring TikTok’s compliance with the agreement. CFIUS currently monitors dozens of mitigation agreements and provides regular reports to Congress on its efforts to ensure that companies comply with its agreements.

In the presentation, TikTok listed six additional entities that will monitor Project Texas to ensure compliance with its public representations and the national security agreement:

  • Oracle, the trusted technology provider
  • A source code inspector nominated by Oracle and approved by CFIUS to conduct an independent inspection of the source code
  • A data deletion auditor to verify that all U.S. person data held on TikTok servers in Singapore and Virginia prior to the creation of USDS has been successfully deleted 
  • A cybersecurity auditor to perform a one-time cybersecurity audit of the U.S. TikTok platform
  • A third-party monitor to ensure compliance with the deal
  • A third-party auditor to conduct annual compliance assessments, at CFIUS’s request

According to TikTok, all third-party auditors and monitors will be required to provide reports to CFIUS. CFIUS will have the right to appoint additional monitors as necessary.

Today, Oracle serves as the trusted technology partner for Project Texas. It hosts data, monitors data flows in and out of USDS, and monitors source code for cybersecurity threats and foreign manipulation. As noted above, TikTok also plans to use three additional firms to serve as the source code inspectors and to assess security threats and vulnerabilities. An audit firm has been selected as the data deletion monitor, though as noted above, it has not yet completed its work. A separate audit firm has been retained as the cybersecurity monitor. According to TikTok, that firm has completed an initial cybersecurity maturity assessment.

Two of the six planned monitors are not yet in place: a third-party monitor that USDS planned to use to ensure compliance with a CFIUS agreement, and a third-party auditor to conduct annual assessments of compliance with the agreement. Because no agreement is in place, USDS cannot set up these monitoring processes.

In this week’s briefing, I asked TikTok whether it would consider additional third-party monitors, such as Citizen Lab at the University of Toronto, which published a review of TikTok’s source code in 2021, or the Krebs Stamos Group—both of which are well-respected independent cybersecurity assessors. TikTok said it is looking into options for retaining additional auditors but has not yet decided whether to do so.

In the lawsuit, TikTok stated that in the course of trying to negotiate an agreement with CFIUS, it agreed to establish a “shut-down option,” which would allow the government to “suspend TikTok in the United States in response to specified acts of noncompliance” with the agreement. That shutdown functionality is now operational: Oracle has the ability to stop all data flows, rendering the app inoperable for U.S. users.

One additional source of oversight is TikTok’s public representations about Project Texas. If TikTok acts contrary to its public commitments or its privacy policy, it could be liable for engaging in an unfair and deceptive trade practice, in violation of Section 5 of the Federal Trade Commission Act. TikTok has provided some public representations about Project Texas’s operations on a dedicated website. If evidence surfaces that it misrepresented how it stores and secures data, or how it attempts to protect its content moderation function from foreign interference, it could be held liable in court.

The Future of Project Texas

What lies ahead for Project Texas is uncertain. TikTok indicated that it is continuing to implement its plan and stated that several of the outstanding elements of Project Texas are moving toward completion. In the litigation—first in the district court and then on appeal, potentially including Supreme Court review—judges will assess the merits of Project Texas in addressing the U.S. government’s national security concerns and will examine how much it burdens speech relative to the U.S. government’s “divest or ban” legislation. As Alan Rozenshtein convincingly argued in Lawfare a few weeks ago, observers should expect judges to make determinations based on “their own open-ended balancing of the interests at stake.”

One question worth considering is whether Project Texas would survive a sale. Project Texas is expensive—in its lawsuit, TikTok maintains that it has spent more than $2 billion on Project Texas. And because of the complex and burdensome data storage design it requires, the project degrades the quality and performance of the app. In the January 2023 briefing and again in the briefing this week, TikTok conceded that Project Texas likely degrades app performance. 

A potential purchaser would most likely seek to use other means—most likely, the U.S.-based location of the acquiring entity and the U.S. citizenship of the leadership of that entity—to assuage the U.S. government’s national security concerns. If it can do so, then it would almost certainly prefer to toss Project Texas to the side and instead employ a data storage and cybersecurity model more focused on reducing costs and increasing performance. 

Will the United States be safer in that scenario? Depending on the outcome of the case TikTok filed this week, the answer may soon become clear. 


Matt Perault is a contributing editor at Lawfare, the director of the Center on Technology Policy at the University of North Carolina at Chapel Hill, and a consultant on technology policy issues.
