"Limited Exceptions" Clause Casts Doubt on TikTok's Project Texas

TikTok's data security plan contains ambiguous exceptions for third-party access and ByteDance job postings describe extensive collaboration with TikTok — Oracle should clarify its data guarding plans
Nick Russo

Under Project Texas, TikTok’s proposed data security plan, the company’s sensitive U.S. user data will be stored in a cloud operated by Oracle, accessible only by vetted TikTok employees housed in a subsidiary overseen by the federal government — that is, aside from a few ambiguous “limited exceptions” for third-party access. It’s not clear what kinds of third-party access will qualify for these exceptions, which is concerning, as a review of active ByteDance job postings shows employees of the Chinese parent company still interact extensively with TikTok, and may have ample reason to request cloud access from Oracle.

According to TikTok, Oracle will allow for flexibility in its data access restrictions under “emergency situations” when TikTok needs to act quickly to “protect public safety,” as well as for routine business operations necessary for TikTok to “maintain global interoperability and continue to run [its] business.” Active ByteDance job postings describe extensive cross-collaboration between the company’s US-based employees and TikTok, as well as network infrastructure and corporate processes that span all ByteDance products — interactions that would seem to necessitate access to TikTok data, and may therefore be eligible for Oracle’s exceptions.

Job listings on ByteDance’s website suggest the Chinese-owned company has:

  • a global payments team that provides “cross-border payment solutions for all ByteDance products,” including TikTok, with US-based ByteDance engineers working on “transaction monitoring” and “payment risk and compliance backend development”;
  • a network infrastructure team that provides “data-center networking solutions” for multiple ByteDance products, including TikTok, being worked on by US-based engineers;
  • a “unified authorization service” used “by all ByteDance employees daily” — including TikTok employees — that’s being worked on by US-based software engineers; and
  • an internal audit team, open to US-based ByteDance employees, that reports directly to the Chinese Board of Directors on the efficacy of company activities “across the globe.”

Other job postings hinted at further cross-collaboration between TikTok and ByteDance’s other product teams. A posting for “Overseas Strategy Lead” describes a ByteDance “music team” designed to “address the growing importance of independent musical creators on TikTok and ByteDance platforms across [the] Americas.” The employee is expected to “formulate strateg[ies] for working with musical creators across ByteDance services and platforms.” A senior software engineer with responsibilities including “database scaleout, backup/restore, [and] database monitoring,” would collaborate with “product managers and engineers from different teams” across ByteDance on “backend support for cloud database service products.”

The job postings raise questions about the sufficiency of Project Texas, TikTok’s plan to address US national security concerns and thereby avoid a nationwide ban. Project Texas is designed to alleviate US concerns about Chinese Communist Party access to American user data and influence over content on the platform. It stipulates that all TikTok employees with access to sensitive user data will be housed in a new subsidiary, U.S. Data Security, Inc (USDS), subject to oversight by the federal government through the Committee on Foreign Investment in the United States (CFIUS). All USDS data will be stored in a cloud managed by Oracle, an American company. Oracle will monitor all data flowing into or out of the cloud, flag any improprieties, and report them to the CFIUS.

The question is what counts as a data impropriety. Brooke Oberwetter, speaking on behalf of TikTok, told me that only vetted USDS employees will have access to TikTok data on Oracle’s cloud — not TikTok employees housed outside of USDS, nor any other ByteDance-affiliated employees, on U.S. soil or overseas. However, TikTok’s own description of Project Texas notes two major exceptions to that rule: limited exceptions will be granted by Oracle for third party access in emergency situations, and for business operations essential to the continued viability and global interoperability of TikTok as a company. If — under the guise of these exceptions — a USDS employee shares data with a member of ByteDance’s internal audit team, cross-product network infrastructure team, unified authorization team, or global payments team, will Oracle flag the data flow as an impropriety? 

Oracle did not respond to a request for comment, but if TikTok wants America to accept Project Texas, its data partner must address the ambiguities of the proposal’s “limited exceptions” stipulations. Oracle’s third-party cloud access protocols are essential to Project Texas, and the company should face a level of scrutiny comparable to that faced by TikTok. For now, we’re left with a $1.5 billion unanswered question: exactly what circumstances will warrant exceptions to Oracle’s third-party cloud access restrictions?

— Nick Russo
