TikTok Slows Security Implementation

FILE: TikTok app logo is seen in this illustration taken August 22, 2022.

TikTok has put on hold a hiring process for consultants that would help it implement a potential security agreement with the United States, two people familiar with the matter said, as opposition to such a deal among U.S. officials grows.

The program involves hiring a third-party monitor, a source-code inspector, and three auditors, including one dedicated to cyber security and one to ensure that U.S. user data on existing TikTok servers will be deleted following migration to Oracle Corp, the two people familiar with the matter said.

These positions would be paid for by TikTok, but report to U.S. government officials.

TikTok informed the consultants vying for one of the roles late last month that the hiring process was on hold and that it would update them by the end of January on whether it will restart, the sources said.

In its explanation to consultants, TikTok cited "recent developments", without elaborating, one of the sources said.

A spokeswoman for TikTok confirmed it had paused the hiring process for the third-party security vendors and said this was because CFIUS has not yet approved the security agreement. TikTok had hoped it would have reached a deal by now, she added.

The spokeswoman also said that TikTok was hiring "rapidly" for data security roles that do not require security approval.

TikTok sent out requests for proposals for some of these roles in early December with an aim to put forward potential candidates for approval to the Committee on Foreign Investment in the United States (CFIUS), the security panel that has been scrutinizing ByteDance's ownership of the popular app.

TikTok's decision to freeze the hiring came after its admission in December that some of its employees improperly accessed TikTok user data of two journalists in a bid to identify the source of information leaks to the media.

This unsettled some U.S. officials who were supportive of a security deal with TikTok and strengthened the hand of China hawks in the U.S. government calling for Biden to order ByteDance to divest the app, according to people familiar with the deliberations.

It remains unclear when the U.S. government will make a decision about TikTok's future.

President Joe Biden revoked an executive order in 2021 by his predecessor Donald Trump to ban TikTok in the United States, but talks between his administration and the social media company have continued over a potential deal that would spare ByteDance from being forced to divest TikTok.

Biden signed a spending bill into law last month banning federal employees - about 4 million - from using TikTok on government-issued devices, following similar bans by some states and local authorities.

U.S. lawmakers seeking to crack down on China as part of a broader set of disputes over trade, intellectual property and human rights have seized on the security concerns over TikTok to pressure the White House to take a hard line against Beijing.

TikTok has already unveiled several measures aimed at appeasing the U.S. government, including an agreement for Oracle to store user data in the United States and a U.S. security division (USDS) to oversee data protection and content moderation. It has spent $1.5 billion on hiring and reorganization to build that unit.

The headcount in the USDS division is expected to reach 2,500 for roles including engineering, security and trust and safety, more than double current levels, the spokeswoman said.

Chris Griner, a Stroock & Stroock & Lavan LLP security lawyer who is not involved in the TikTok negotiations, said TikTok's misuse of journalists' data undermined previous assurances to protect user information.

"We have done many reviews before CFIUS over decades – and trust is a critical component in successful reviews," Griner told Reuters. "Once gone, it is exceedingly hard to get it back."

TikTok CEO Shou Zi Chew will meet European Union antitrust chief Margrethe Vestager in Brussels this coming week to discuss issues such as the protection of personal data by online platforms and the implementation of the EU's Digital Services Act.