TikTok, owned by Chinese outfit ByteDance, last month said it was making an effort to minimize the amount of data from US users that gets transferred outside of America, following reports that company engineers in the Middle Kingdom had access to US customer data.

“100 percent of US user traffic is being routed to Oracle Cloud Infrastructure,” TikTok said in a June 17, 2022 post, while acknowledging that customer information still got backed up to its data center in Singapore. The biz promised to delete US users’ private data from its own servers and to “fully pivot to Oracle cloud servers located in the US.”

That pivot has not yet been completed. According to a June 30, 2022 letter [PDF] from TikTok CEO Shou Zi Chew, obtained by the New York Times on Friday, some China-based employees with sufficient security clearance can still access data from US TikTok users, including public videos and comments.

“Employees outside the US, including China-based employees, can have access to TikTok US user data subject to a series of robust cybersecurity controls and authorization approval protocols overseen by our US-based security team,” the letter states.

It goes on to describe “Project Texas,” an initiative to strengthen the company’s data security practices in conjunction with Oracle and consultancy Booz Allen.

“The broad goal for Project Texas is to help build trust with users and key stakeholders by improving our systems and controls, but it is also to make substantive progress toward compliance with a final agreement with the US government that will fully safeguard user data and US national security interests,” Chew’s letter explained.

The letter stated TikTok’s data handling is being reviewed by the Committee on Foreign Investment in the United States (CFIUS), “to help ensure compliance and enhance protection of US user data defined as ‘protected.'”

Not all data will be defined as “protected.” Employees based outside the US, including those in China, “will have access to a narrow set of non-sensitive TikTok US user data, such as public videos and comments” for the sake of global interoperability, the letter explained.

One has to wonder if Beijing’s intelligence agencies ordering ByteDance to hand over Americans’ information counts as global interoperability or a narrow set of data access.

A TikTok spokesperson said the company does not share correspondence with Congress but confirmed the authenticity of the letter published by the newspaper.

TikTok’s letter represents a response to several Republican senators who penned a letter on June 27, 2022 to TikTok’s CEO demanding answers within three weeks to eleven questions about how the company handles US users’ data.

The lawmakers’ missive notes that at a Senate subcommittee hearing in October, 2021, Michael Beckerman, TikTok’s Head of Public Policy for the Americas, had indicated that TikTok is not transmitting data to Beijing and that the data associated with US TikTok users is stored in the US. The senators questioned whether the company made false statements in light of reports that contradict its claims.

In his response, Chew claims that TikTok did not, at any point, mislead Congress about company data and security controls and practices.

TikTok has been under fire since the Trump administration two years ago tried to have the app banned from the US in an effort to force its China-based parent company to sell to a US-based owner. A year ago, President Biden revoked the Trump-era executive orders that would have banned TikTok and other apps operated by Chinese companies. But he did so in executive orders promoting the protection of Americans’ data and directing the Commerce Department to look into the issue.

The change of administrations has not really diminished concerns about data privacy, data sovereignty, and supply chain security. Nor has it diminished political grandstanding. On Thursday, Brendan Carr, a Republican FCC Commissioner, asked Apple CEO Tim Cook and Google CEO Sundar Pichai to remove the TikTok app from the iOS App Store and Google Play. Carr’s letter to the two CEOs cites past reports about TikTok as evidence that the TikTok app presently violates App Store and Google Play policies.

“TikTok doesn’t just see its users’ dance videos,” said Carr via Twitter. “It collects search and browsing histories, keystroke patterns, biometric identifiers, draft messages and metadata, plus it has collected the text, images, and videos that are stored on a device’s clipboard.”

TikTok, which discloses extensive data collection that isn’t significantly different from American social media apps, continues to be available through the iOS App Store and Google Play. ®