Privacy Experts Alarmed at Oracle’s Role in Proposed TikTok Deal
By Charles McDermid
The impact of the White House’s decision to ban TikTok and WeChat that began Sunday remained unclear, but global privacy experts were alarmed that Oracle Corp. could still become the “trusted technology partner” of the Chinese owner of the two widely popular apps.
They told Digital Privacy News that the possible deal marked the start of a global era of data localization, as nations scrambled to keep citizens’ personal data within their own borders.
“It’s easier for a government to request data stored on its territory, provided that its laws authorize it,” said Emmanuel Pernot-Leplay, a researcher in data-protection law at Tilburg University in the Netherlands. “It’s much more difficult when it has to make a request for such data when they are stored abroad.
“The TikTok case symbolizes the beginning of a new trend, in which personal data is a national-security issue and governments can step in to ensure the data remains in trusted hands.”
“It’s yet another example of personal data being weaponized and used for geopolitical purposes.”Emmanuel Pernot-Leplay, Tilburg University, Netherlands.
Commerce Secretary Wilbur Ross said Friday that the agency was carrying out an Aug. 6 executive order by President Donald Trump banning the apps, which are owned by Beijing-based ByteDance Ltd., from app stores in the United States.
The federal government also will bar U.S. companies from processing transactions for WeChat or hosting its internet traffic.
But the TikTok restrictions take effect Nov. 12 unless the company convinces the White House that the social media app does not threaten national security.
More than 100 million people in the United States use the apps, according to news reports.
Proposed Deal Confirmed
Treasury Secretary Steven Mnuchin confirmed last Monday that Oracle, a Silicon Valley software titan with close ties to the White House, had agreed to take over TikTok’s U.S. operations.
Under the planned deal, Oracle would become the technology partner of TikTok in the U.S., but ByteDance would retain a majority ownership stake in the new venture.
Weeks before Mnuchin confirmed the Oracle deal, TikTok was described as a cyberespionage risk by senior U.S. officials. President Trump had promised to shut down TikTok in the U.S if its operations were not sold to an American company.
“From our standpoint, we’ll need to make sure that the code is, one, secure, (that) Americans’ data is secure, that the phones are secure — and we’ll be looking to have discussions with Oracle over the next few days with our technical teams,” Mnuchin told CNBC last week.
“We’ll need to make sure that the code is, one, secure, (that) Americans’ data is secure, that the phones are secure.”Treasury Secretary Steven Mnuchin.
Emerging details of the deal indicate that ByteDance will create a company called TikTok Global, which Oracle and Walmart described in a joint statement Monday as “majority owned by American investors.”
But ByteDance also said Monday, in a Chinese-language statement, that it would retain an 80% ownership stake in TikTok Global.
ByteDance added that it would pay for the stake through a small round of pre-IPO (initial public offering) financing.
The proposed deal remains under review by the Committee on Foreign Investment in the U.S. (CFIUS), which includes Mnuchin, and will need final approval from Trump, who is known to have a good relationship with Oracle’s chairman, Larry Ellison.
“The CFIUS national-security review has often been accused of being politically charged,” Pernot-Leplay told Digital Privacy News. “It’s also accused of being an example of trade protectionism.
“It’s interesting to see that the definitions of ‘national security’ and ‘strategic sectors’ have really expanded over the years,” he added. “Up to the point that companies collecting personal data can now be in that (national security) category.
“It’s yet another example of personal data being weaponized and used for geopolitical purposes.”
Lawmakers from both parties have denounced the proposed deal. Republican Sen. Josh Hawley, Mo., told Mnuchin in an open letter that “an ongoing ‘partnership’ that allows for anything other than the full emancipation of the TikTok software from potential Chinese Communist Party control is completely unacceptable.”
But Democratic Sen. Ron Wyden, Ore., went further: “Making Oracle a middleman won’t protect Americans against Chinese government influence — and to make matters worse, Oracle has an awful record of harvesting and selling Americans’ private data to anyone with a credit card.”
‘Trusted Tech Partner’ Examined
Oracle’s responsibilities as a “trusted tech partner” continue to remain unclear.
The Financial Times quoted sources involved in the deal saying that Oracle would be charged with protecting the private data of American users “by building a clear firewall between them and ByteDance.”
“Oracle should adopt a policy to prohibit third parties from allowing TikTok user data to be used for surveillance purposes.”Kurt Opsahl, Electronic Frontier Foundation.
Other reports said Oracle, which has never managed a social media platform, would use its cloud technology to run TikTok’s operations in the U.S.
Kurt Opsahl, the deputy executive director of the Electronic Frontier Foundation, said Oracle must move fast to establish transparent policies to protect the privacy of TikTok users.
“Oracle must commit to publishing a transparency report and law-enforcement guidelines, including requiring a warrant before giving user content to law enforcement, provide advance notice to users about government data demands when possible and promise delayed notice after a gag order expires,” Opsahl told Digital Privacy News.
“To stop workarounds for access to user data, Oracle should adopt a policy to prohibit third parties from allowing TikTok user data to be used for surveillance purposes.
“And Oracle is going to need to address the concerns of TikTok users outside the U.S. that American law provides too little protection for their data.”
Opsahl warned that user privacy and security would not come solely through a bill of sale.
“Oracle must also conduct a thorough code review, to give users confidence that there are no backdoors in the app and to find bugs that may compromise security,” he said.
The company, Opsahl added, “should re-think its approach to computer security and be more open to outside security researchers investigating its products, including TikTok.”
Fall of a Chinese Tech Star
The optics of the proposed partnership are in contrast with the current U.S.-China power struggle over technology.
“U.S. national security is improved, but not in a sustainable or sensible way.”Tom Uren, International Cyber Policy Centre, Australia.
ByteDance, for example, reportedly refused to hand over the algorithms behind TikTok in accordance with a new Chinese trade rule.
“I think referring to Oracle as a ‘trusted tech partner’ is probably meant to contrast with TikTok, the implication being that the U.S. cannot trust any Chinese company,” said Tom Uren, senior analyst at the International Cyber Policy Centre of the Australian Strategic Policy Institute.
“The concern with TikTok or WeChat is that they could be forced by the (People’s Republic of China) to take actions that would be contrary to U.S. national security interests,” he told Digital Privacy News.
“The administration wouldn’t have that concern about Oracle, so it is not really about what a trusted tech partner would do so much as what it wouldn’t do.”
No Winner in Deal
Uren said he saw only losers in the proposed deal, including data-privacy advocates. He cited ByteDance’s possible loss of the lucrative U.S. market and American TikTok fans now faced with disruptions of the app.
He added that one of China’s true global tech success stories had been diminished and tarnished.
“U.S. national security is improved,” Uren said, “but not in a sustainable or sensible way — but rather in a way that takes the superficially appealing easy choice, rather than a more effective, far-more-difficult approach of increased regulation and transparency.”
Koustubh “K.J.” Bagchi, senior policy counsel at the Open Technology Institute in Washington, observed: “The question of safeguards for Americans’ personal data goes far beyond TikTok, or any one company.
“We sorely need comprehensive privacy legislation.”Koustubh “K.J.” Bagchi, Open Technology Institute, Washington.
“There aren’t enough legal privacy safeguards for anyone’s data, to protect us from any company — and we sorely need comprehensive privacy legislation.”
The potential partnership between TikTok and Oracle strikes a deep concern among privacy activists: What happens to the data of U.S. users who are using an app controlled by the Chinese government?
Without global laws and regulations, experts say, the answer is unknowable.
“Unlike the E.U., the U.S. does not forbid personal data from being sent abroad,” Tilburg University’s Pernot-Leplay told Digital Privacy News. “It can be sent out freely.
“Blocking a foreign investor from acquiring a U.S. company that handles personal data is the main way to ensure a certain foreign actor won’t hold that data.
“To this, CFIUS will review the deal to spot any issue related to national security,” he added. “This is an indirect way to prevent U.S. personal data from being controlled by a Chinese actor.”
Pernot-Leplay said an essential part of today’s techno-political battleground is controlling the location of the host servers on which personal data is stored.
It is believed that TikTok’s data on American users will stay in the U.S., presumably under Oracle’s watchful eye.
Kyung-Sin Park, director of the American Law Center at Korea University and head of Open Net Korea, said the TikTok-Oracle proposal was not so much about winners and losers, but the principles of privacy being abandoned.
“China does violate human rights domestically, but is data localizing a measured response (from Washington)?” he posed to Digital Privacy News. “Is it really for the protection of privacy or for economic supremacy?”
Park added that the European Union’s General Data Protection Regulation (GDPR) has specific rules for data localization, which broadly means that the personal data of a nation’s citizens is stored inside the country.
“This is weaponizing privacy for an economic war with China.”Kyung-Sin Park, Open Net Korea.
In one GDPR application, the United Kingdom forced Facebook to set up servers there.
“The TikTok deal is a different case, because the GDPR does not require data localization but rates countries by level of privacy protection and prevents data from going ‘downhill,’” Park said.
“What the U.S. is requiring TikTok to do is data localization specifically within the U.S., and only singling out Chinese companies,” he added. “This is weaponizing privacy for an economic war with China.”
The push for data localization is not lost on Beijing.
Facebook and Google are banned in China in part because they refused to set up host servers that would give the government access.
The shadowy role of the White House in the TikTok-Oracle proposal also could be compared to Beijing’s involvement in certain tech-industry deals, Park said.
“China has used these tactics for a long time — and I’m afraid we will see more of this, because the U.S. just stooped so low,” he told Digital Privacy News.
“One thing is clear: China will never undo its digital walls now that the U.S. has started doing the same.”
Charles McDermid is a writer in Asia.
Sources (external links):
- Reuters: U.S. lawmakers raise questions about proposed Bytedance-Oracle deal
- Wall Street Journal: Oracle Wins Bid for TikTok in U.S., Beating Microsoft
- Business Insider: Major US tech companies blocked from operating in China
- CNN: TikTok is a national security threat, US politicians say. Here’s what experts think
- The Associated Press: US bans WeChat, TikTok from app stores, threatens shutdowns
- CNBC: ByteDance says it’ll own 80% of US-based TikTok Global, refutes $5 billion taxes claim