While confusion still surrounds the planned sale of TikTok Inc., security and foreign policy experts said Beijing Byte Dance Telecommunications Co. Ltd.'s plan to retain a controlling stake in TikTok would leave the national security concerns around the video-sharing app unresolved.
Chinese internet company ByteDance said Sept. 21 that under a deal with the U.S. government, Oracle Corp. and Walmart Inc. will jointly acquire a 20% stake in a newly formed company dubbed TikTok Global, which will be headquartered in the U.S. ByteDance said it will retain a controlling stake, though it also plans to pursue an initial public offering for TikTok Global sometime down the road. Notably, ByteDance does not intend to transfer its algorithms or technologies to Oracle as part of the deal.
Later that same day, Ken Glueck, Oracle's executive vice president, disputed the characterization of the ownership structure. He reportedly said upon the creation of TikTok Global, "Oracle/Walmart will make their investment and the TikTok Global shares will be distributed to their owners, Americans will be the majority and ByteDance will have no ownership in TikTok Global."
The back-and-forth has left many observers confused, questioning whether the deal will in fact resolve the national security concerns that prompted the sale in the first place.
Aynne Kokas, Abe fellow and associate professor of media studies at the University of Virginia who specializes in U.S.-China media and tech relations, noted in an interview that the proposed ownership structure as detailed by ByteDance is short of previous executive branch statements around ownership.
President Donald Trump said on the morning of Sept. 21 that while the TikTok deal has his initial approval, if Oracle and Walmart do not have "total control," then his administration will not grant final approval.
Marcus Fowler, director of strategic threat at cybersecurity firm Darktrace, had questions regarding the access that U.S. companies will have to the source code.
ByteDance said while it will not transfer any algorithms or technologies, Oracle will have the authority to check the source code that TikTok uses in the U.S.
The current phrasing suggests that U.S. companies will be able to see the source code but not control it, Fowler said.
"Whenever you're using an algorithm, there's always a concern around bias or tampering with the outcome in the hopes of influence or bias towards a specific line of thought," he said in an interview.
With TikTok being a social media platform, concerns apply to disinformation in addition to user data, Fowler said.
TikTok has been under pressure to find a deal with U.S. companies that is palatable for the Trump administration following two executive orders in August targeting the company.
Among the concerns laid out by the administration is the company's data collection practices, which it said threatened to allow the Chinese Communist Party access to Americans' personal information. This access could allow the Chinese government to track the locations of federal employees and contractors and conduct corporate espionage.
Roland Cloutier, the global chief security officer for ByteDance, said in an interview with CyberScoop last month that the company has never received a request for a data transfer from the Chinese government and that U.S. user data will not be transferred outside the U.S.
However, Kokas at UVA said questions around data security remain because Oracle and Walmart will not own the algorithm.
"So what happens to this data?" said Kokas. "Is the data no longer going to train the TikTok algorithm? I find that very difficult to believe … at some point, the data would have to be transferred somewhere for it to still work within the TikTok algorithm," she said.
Kokas noted that ByteDance's engineering operations have always been in Beijing.
TikTok has said it stores all TikTok U.S. user data in the United States, with backup redundancy in Singapore.
Negotiations are set to continue, with the U.S. Commerce Department recently giving the companies more time to hammer out a deal.
In the meantime, TikTok is not the only Chinese platform facing regulatory action in the U.S. The U.S. Department of Commerce was prepared to ban U.S. app stores from distributing or maintaining Tencent Holdings Ltd.'s messaging platform WeChat, effective Sept. 20, until a judge halted the ban. The administration is reportedly set to challenge the judge's ruling.
With TikTok preparing for a sale and WeChat fighting a ban, Fowler said it remains unclear which foreign-owned online services might be targeted next. He said ideally, the administration will establish benchmarks and milestones, clarifying potential questions around issues like a company's size or transparency with hosting data — but he does not believe that has happened yet.
"I don't think this shows ... a clear path of success for another foreign-owned app," Fowler said. "I think it is going to be a little hard to tell who gets dragged out into the public square … and made an example of."
Peter Harrell, an adjunct senior fellow at the Center for a New American Security, a Washington, D.C.-based think tank, said in an interview that one lesson learned is that companies with Chinese ownership should look at making U.S. user data "independently verifiable" by third parties to make sure Chinese shareholders do not and cannot access "sensitive U.S. person data."
Kokas believes that the difference between the fates of the two companies could come down to economies of scale.
"I don't think that we could say that TikTok is a lesser security risk than WeChat is. In fact, it's probably a bigger one, because it has more users," she said. "It's much more integrated into the U.S. media landscape — it's much more integrated into the U.S. advertising landscape, so it's harder to completely end the app."