TikTok had better hope this overview is correct.
The platform has provided an update on its “Project Clover” data separation project, which aims to ensure that European user data is not being accessed by China-based employees and officials.
Which it says is now largely in effect.
As per TikTok:
“As part of our industry-leading initiative Project Clover, TikTok has been building additional protections around our European user data that incorporate security gateways to further restrict access. We can now announce that the gateways that relate to employee access to data and data transmission have been launched and are functioning. These gateways are designed to enforce technical protocols so that only approved employees can access certain data types. Since last summer, for example, new security protocols have been in place designed to ensure that restricted data stored in our new European data enclave, such as private videos and phone numbers, cannot be accessed by employees based in China.”
So on the content front, that covers private videos, which are the minority of TikTok uploads. But what about public posts?
“We are also applying technologies such as pseudonymisation to de-identify allowable data types before they can be accessed by China-based employees. This is data, such as public videos or a user’s privacy settings, that needs to flow internationally for our app to function and for our 150 million European users to participate in the global TikTok community.”
As such, China-based TikTok staff, or staff from parent company ByteDance, are still able to access European TikTok user data, and it seems like a lot of it, but that info will be obscured by new processes to ensure that individual user data is not re-shared back to China.
Which is seemingly in line with EU data regulations, but it also potentially misses a key point, in that TikTok may not necessarily be used as a data gathering tool, but more a propaganda platform, where pro-China messaging can be seeded to Western users.
Which is still a contentious element, and there’s no definitive evidence to suggest that ByteDance is manipulating user feeds in any way to promote or quash certain narratives. But given that ongoing China-based influence operations are attempting to do this in other big social apps, it seems likely that TikTok could be a vector for the same, and Project Clover won’t necessarily protect against such, based on this overview.
Nevertheless, it’s in line with the expectations of EU officials, while TikTok also notes that cybersecurity firm NCC Group has inspected its code, and will continue to re-examine future code updates over time.
TikTok also says that it’s building three new data centers in Europe to house EU user data, two of which (Ireland and Norway) are already active, with the remaining center to come online next year.
So, in a broader sense, TikTok is creating a more secure environment for managing EU user data, in isolation from its Chinese parent company, in order to meet EU requirements, and avoid a potential sell-off push in the region, similar to the U.S.
But there is an argument to be made that the speculative threat of TikTok remains, particularly when you also consider that EU cybersecurity officials specifically raised concerns about Chinese influence activity in the lead-up to their polls earlier this year.
So while Project Clover may seek to address the key data sharing elements, I doubt it will quell all the concerns linked to the app.
And if TikTok is eventually removed from the U.S., I suspect that there will be enhanced pressure for other regions to follow suit.