Essential Insights
- New Ownership Structure: A consortium of US companies, including Oracle and venture capital firms, aims to gain 80% control of TikTok’s US operations, addressing cybersecurity concerns over data privacy and management.
- Majority US-Based Entity: The deal proposes a new US entity with a predominantly US board, including a government-designated member, to enhance oversight and reduce foreign access to user data.
- Ongoing Risks: Despite the proposed changes, TikTok remains a high-risk platform for organizations due to its data-intensive nature, requiring continued vigilance against potential data leaks and social engineering risks.
- Algorithm Transparency Needed: Concerns over TikTok’s recommendation algorithms persist, as licensing technology from ByteDance may still pose risks for data leaks and influence operations, making transparency essential.
With a deal about the future of TikTok in the US beginning to take shape, the question for cybersecurity professionals now is how and to what extent changes to the company’s structure will alter its risk profile.
The Wall Street Journal and other media outlets this week reported on US and Chinese negotiators working on a plan that would give a consortium of US technology companies, venture capital firms, and private equity investors ownership of around 80% of TikTok’s US operations. The consortium will include Oracle, which already hosts and manages TikTok’s US user data, venture capital firm Andreessen Horowitz, and private equity firm Silver Lake.
New US-Based Entity
The deal calls for a new US-based entity with a majority US board — which will include one government-designated member — to operate TikTok in the country. It is largely similar to a deal presented to the Trump Administration in April just before the tariff war with China started.
The goal is to find a way to allow TikTok to operate in the US in a manner that addresses deep and widespread concern over the social media giant’s data management practices and its potential for spreading misinformation.
China-based ByteDance, which owns TikTok, is obligated, like all Chinese companies, to provide data to the Chinese government when ordered under the country’s national security laws. Many perceive this as presenting a major data privacy and security risk for the 170 million or so US users of the social media platform, and to organizations where employees might be using TikTok on work devices.
In April 2024, then President Joe Biden signed a law that required ByteDance to sell its ownership in TikTok to a US company within a year or face a total ban in the country. When the US Supreme Court upheld the ban in January 2025, TikTok briefly went dark in the US before restoring service after President Trump signed an executive order that offered a temporary reprieve.
Wide Concerns
Concerns over TikTok’s data handling practices and its obligations to the Chinese government are not unique to the US. Earlier this year, the Irish Data Protection Commission (DPC) slapped a €530 million fine on TikTok over alleged violations of the EU’s General Data Protection Regulation (GDPR) in relation to the company’s handling of protected data. In 2023, the European Commission and Council of the EU banned government employees and contractors from using TikTok over data security fears. Canada too has banned TikTok from government devices and last November ordered TikTok’s Canadian subsidiary to be shuttered.
The question now is how far the proposed deal for TikTok’s US operations will go in alleviating these concerns. If the proposal goes through as presently structured, it would address the major issue of where TikTok stores its US data and who controls it, says Adam Marrè, chief information security officer (CISO) at Arctic Wolf. “Moving US operations under majority US ownership, with Oracle managing data in Texas, would reduce the risk of direct foreign state access,” Marrè says. “But ownership and geography alone are not enough to make a platform safe. Transparency, accountability, and ongoing oversight matter just as much.”
A Step in the Right Direction
From a cybersecurity and data privacy standpoint, the proposed deal could give consumers more confidence that their personal data isn’t flowing directly overseas. For businesses, though, the risk profile doesn’t change much, Marrè says. “TikTok is still a highly data-intensive application, and that means any employee using it on a company device or network could introduce risk.”
Organizations cannot afford to assume that TikTok is safe once any restructuring is complete. The app will still collect a significant amount of device and behavioral data, Marrè says. “That information can be misused, and the biggest enterprise risk continues to be social engineering and data leakage through employee activity.”
Lily Li, founder of Metaverse Law, points out that storing TikTok data in Oracle-owned facilities in Texas would immunize it against China’s cybersecurity laws. The Chinese government would not be able to ask Oracle to decrypt and provide data from these facilities. “The ultimate structure and organization of this US entity is still up in the air,” Li says.
However, there’s a need for transparency about the people who will have administrative access to Oracle’s production systems and data. “To prevent enterprise data leaks abroad or espionage by foreign actors, the individuals who maintain the administrative access, controls, and encryption keys should be US individuals who report to management in the US,” Li says.
It’s important to keep in mind also that additional controls by themselves are not enough, because TikTok still will be a publicly available social media platform. “Organizations that maintain sensitive information, including the identity and location of military and government assets, should still have policies in place prohibiting the disclosure of such information on social media,” Li says. In addition, if individuals are not careful about how or when they post, they could still inadvertently share sensitive geolocation or device data based on their interactions with TikTok, the TikTok pixel, and other trackers, she warns.
The Recommendation Algorithm Issue
There’s also the issue of TikTok’s content recommendation algorithms. According to The Wall Street Journal, TikTok engineers are recreating a set of such algorithms for the US version of the app, using technology licensed from ByteDance. “This is the part that’s hardest to solve,” Marrè says. Algorithms shape what people see and believe, and if the code is still licensed from ByteDance without full transparency, it’s likely that concerns about hidden data collection or influence operations will remain unaddressed. “The influence angle may be as important as the privacy one. We need to recognize that security isn’t just about where the data sits — it’s also about how the platform shapes behavior and discourse.”
Satish Swargam, principal security consultant at Black Duck, says the TikTok recommendation algorithms that the US operation will license from ByteDance need to be carefully evaluated for data leaks and the potential for influence operations. “Oracle and other US-based companies are not new to such deals,” he says, pointing to Oracle’s $28.3 billion purchase of healthcare giant Cerner as an example. Even so, caution is warranted with the TikTok deal.
“There is potential for non-US-based algorithms to extract user data and influence campaigns in the US,” Swargam says. “The TikTok deal calls for tighter security controls, comprehensive security analysis of all software artifacts involved and a deep dive threat model.”
