TikTok’s chief security officer says in new court documents that the US Commerce Department has mischaracterized how the app stores and secures user data, as the company renews its motion for a preliminary injunction against the Trump administration’s looming ban.
Roland Cloutier, global chief security officer for TikTok, says in a new court filing, in advance of an upcoming hearing in the US District Court for the District of Columbia, that the Commerce Department made several incorrect assertions about the company’s data security policies and practices.
Cloutier says a September memo from the Commerce Department outlining specific concerns with the app is inaccurate in stating TikTok is not separate from the Chinese version of the app — called Douyin — or from parent company ByteDance’s systems, and that “functionality including storage, internal management, and algorithms is still partially shared across other ByteDance products.”
He says the software stack comprising TikTok is “entirely separate” from the Douyin software stack, meaning each app’s source code and user data are maintained separately.
The government also mischaracterized how TikTok stores US user data, Cloutier says. The commerce memo states that TikTok leases servers from Alibaba Cloud in Singapore and China Unicom Americas (CUA) in the US, which constitute “significant risks.”
Cloutier says CUA provides data center space — the building and electricity — for TikTok, but doesn’t provide servers. ByteDance owns and operates all servers that are stored within the CUA facility, Cloutier says, and the servers are locked within a cage in the facility.
When TikTok does lease server space from other companies, Cloutier adds, it does not mean that company has access to TikTok’s proprietary information. User data is encrypted in storage, and sharded, meaning it’s broken into several pieces across several servers, he said.
In addition, Cloutier says, obsolete source code with Chinese IP addresses has been eliminated from legacy versions of the TikTok app. He says a bug that accessed content from TikTok users’ clipboards also has been removed, along with an anti-spam program that accessed clipboard data.
And Cloutier says if asked, TikTok would not comply with a request for user data from the Chinese government, another of the commerce department’s concerns.
Back in August, President Donald Trump issued an order saying security concerns about TikTok and WeChat, both China-based apps, constituted a national emergency. He invoked the International Emergency Economic Powers Act (IEEPA), which lets him ban transactions between US and foreign entities. The president then issued an order August 14th giving TikTok parent company ByteDance 90 days to either sell or spin off its TikTok business in the US. That order is set to go into effect on November 12th and would effectively halt the app’s operations.
On September 18th, the Commerce Department issued an order to block transactions with both ByteDance and WeChat, effective September 20th. But on September 19th, a tentative deal was announced to create a new company, TikTok Global, based in the US, that would process and store data for all US-based TikTok users. Oracle would become TikTok’s trusted security partner under the terms of the deal.
Commerce Secretary Wilbur Ross then delayed the ban until September 27th, but US District Judge Carl Nichols issued a preliminary injunction September 27th blocking the ban.
A hearing on the Justice Department’s appeal of the injunction is set for November 4th.