Tag: data security

TikTok’s Divestment Ouroboros: How the “Sale” Changed the Optics but Not the Leverage

When the TikTok USDS deal was announced under the Protecting Americans from Foreign Adversary Controlled Applications Act, it was framed as a clean resolution to years of national-security concerns expressed by many in the US. TikTok was to be reborn as a U.S. company, with U.S. control, and foreign influence neutralized. But if you look past the press language and focus on incentives, ownership, and law, a different picture emerges.

TikTok’s “forced sale” under the PAFACA (not to be confused with COVFEFE) traces back to years of U.S. national-security concern that TikTok’s owner ByteDance—one of the People’s Republic of China’s biggest tech companies founded by Zhang Yiming among China’s richest men and a self-described member of the ruling Chinese Communist Party—could be compelled under PRC law to share data or to allow the CCP to influence the platform’s operations. TikTok and its lobbyists repeatedly attempted to deflect the attention of regulators through measures like U.S. data localization and third-party oversight (e.g., “Project Texas”). However, lawmakers concluded that aggressive structural separation—not promises which nobody was buying—was needed. Congress then passed, and President Biden signed, legislation requiring either divestiture of “foreign adversary controlled” apps like TikTok or face a total a U.S. ban. Facing app-store and infrastructure cutoff risk, TikTok and ByteDance pursued a restructuring to keep U.S. operations alive and maintain an exit to US financial markets.

Lawmakers’ concerns were real and obvious. By trading on social media addiction, TikTok can compile rich behavioral profiles—especially on minors—by combining what users watch, like, share, search, linger on, and who they interact with, along with device identifiers, network data, and (where permitted) location signals. At scale, that kind of telemetry can be used to infer vulnerabilities and target susceptibility. For the military, the concern is not only “TikTok tracks troop movements,” but also that social media posts, aggregated location and social-graph signals across hundreds of millions of users could reveal patterns around bases, deployments, routines, or sensitive communities—hence warnings that harvested information could “possibly even reveal troop movements,” hence TikTok’s longstanding bans on government-issued devices.

These concerns shot through government circles while the Tok became ubiquitous and carefully engineered social media addiction gripped the US, and indeed the West. (TikTok just this week settled out of the biggest social media litigation in history.) Congress was very concerned and with good reason—Rep. Mike Gallagher demanded that TikTok “Break up with the Chinese Communist Party (CCP) or lose access to your American users.”  Rep. Cathy McMorris Rodgers said the bill would “prevent foreign adversaries, such as China, from surveilling and manipulating the American people.” Sen. Pete Ricketts warned “If the Chinese Communist Party is refusing to let ByteDance sell TikTok… they don’t want [control of] those algorithms coming to America.” 

And of course, who can forget a classic Marsha line from Senator Marsha Blackburn. I don’t know how to say “Bless your heart” in Mandarin, but in English it’s “we heard you were opening a TikTok headquarters in Nashville and what you’re probably going to find is that the welcome mat isn’t going to be rolled out for you in Nashville.”

So there’s that.

TikTok can compile rich behavioral profiles—especially on minors—by combining what users post, watch, like, share, search, linger on, and who they interact with, along with device identifiers, network data, and location signals. At scale, that kind of telemetry can be used to infer vulnerabilities and targeting susceptibility. These exploits have real strategic value. With the CCP’s interest in undermining US interests and especially blunting the military, the concern is not necessarily that “the CCP tracks troop movements” directly (although who really knows), but that aggregated location and social-graph signals could reveal patterns around bases, deployments, routines, or sensitive communities—hence warnings that harvested information could “possibly even reveal troop movements,” and the TikTok’s longstanding bans on government-issued devices.  You know, kind of like if you flew a balloon across the CONUS. military bases.

It must also be said that when you watch TikTok’s poor performance before Congress at hearings, it really came down to a simple question of trust. I think nobody believed a word they said and the TikTok witnesses exuded a kind of arrogance that simply does not work when Congress has a bit in the teeth. Full disclosure, I have never believed a word they said and have always been troubled that artists were unwittingly leading their fans to the social media abattoir.

I’ve been writing about TikTok for years, and not because it was fashionable or politically easy. After a classic MTP-style presentation at the MusicBiz conference in 2020 where I laid out all the issues with TikTok and the CCP, somehow I never got invited back. Back in 2020, I warned that “you don’t need proof of misuse to have a national security problem—you only need legal leverage and opacity.” I also argued that “data localization doesn’t solve a governance problem when the parent company [Bytedance] remains subject to foreign national security law,” and that focusing on the location of data storage missed “the more important question of who controls the system that decides what people see.” The forced sale didn’t vindicate any one prediction so much as confirm the basic point: structure matters more than assurances, and control matters more than rhetoric. I still have that concern after all the sound and fury.

There is also a legitimate constitutional concern with PAFACA: a government-mandated divestiture risks resembling a Fifth Amendment taking if structured to coerce a sale without just compensation. PAFACA deserved serious scrutiny even given the legitimate national security concerns. Had the dust settled with the CCP suing the U.S. government under a takings theory, it would have been both too cute by half and entirely on-brand—an example of the CCP’s “unrestricted warfareapproach to lawfare, exploiting Western legal norms strategically. (The CCP’s leading military strategy doctrine, Unrestricted Warfare poses terrorism (and “terror-like” economic and information attacks such as TikTok’s potential use) as part of a spectrum of asymmetric methods that can weaken a technologically superior power like the US.)

Indeed, TikTok did challenge the divest-or-ban statute in the Supreme Court and mounted a SOPA-style campaign that largely failed. TikTok argued that a government-mandated forced sale violated the First Amendment rights of its users and exceeded Congress’s national-security authority. The Supreme Court upheld (unanimously) the PAFACA law, concluding that Congress permissibly targeted foreign-adversary control for national-security reasons rather than suppressing speech, and that the resulting burden on expression did not violate the First Amendment. The case ultimately underscored how far national-security rationales can narrow judicial appetite to second-guess political branches in foreign-adversary disputes no matter how many high-priced lawyers, lobbyists and spin doctors line up at your table. And, boy, did they have them. I think at one point close to half the shilleries in DC were on the PRC payroll.

In that sense, the TikTok deal itself may prove to be another illustration of Master Sun’s maxim about winning without fighting, i.e., achieving strategic advantage not through open confrontation, but by shaping the terrain, the rules, and the opponent’s choices in advance—and perhaps most importantly in this case…deception.

But the deal we got is the deal we have so let’s see what we actually have achieved (or how bad we got hosed this time). As I often say, it’s a damn good thing we never let another MTV build a business on our backs.

The Three Pillars of TikTok

TikTok USDS is the U.S.-domiciled parent holding company for TikTok’s American operations, created to comply with the divest-or-ban law. It is majority owned by U.S. investors, with ByteDance retaining a non-controlling minority stake (reported around 19.9%) and licensing core recommendation technology to the U.S. business. (Under U.S. GAAP, 20%+ ownership is a common rebuttable presumption of “significant influence,” which can trigger less favorable accounting and more scrutiny of the relationship. Staying below 20% helps keep the stake looking purely passive which is kind of a joke considering Byte still owns the key asset. And we still have to ask if BD (or CCP) has any special voting rights (“golden share”), board control, dual-class stock, etc.)

The deal appears to rest on three pillars—and taken together, they point to something closer to an ouroboros than a divestment: the structure consumes itself, leaving ByteDance, and by extension the PRC, in a position that is materially different on paper but strikingly similar in practice.

Pillar One: ByteDance Keeps the Crown Jewel

The first and most important point is the simplest: ByteDance retains ownership of TikTok’s recommendation algorithm.

That algorithm is not an ancillary asset. It is TikTok’s product. Engagement, ad pricing, cultural reach, and political concern all flow from it. Selling TikTok without selling the algorithm is like selling a car without the engine and calling it a divestiture because the buyer controls the steering wheel.

Public reporting strongly suggests the solution was not a sale of the algorithm, but a license or controlled use arrangement. TikTok USDS may own U.S.-specific “tweaks”—content moderation parameters, weighting adjustments, compliance filters—but those sit on top of a core system ByteDance still owns and controls.

That distinction matters, because ownership determines who ultimately controls:

  • architectural changes,
  • major updates,
  • retraining methodology,
  • and long-term evolution of the system.

In other words, the cap table changed, but the switch did not necessarily move.

Pillar Two: IPO Optionality Without Immediate Disclosure

The second pillar is liquidity. ByteDance did not fight this battle simply to keep operating TikTok in the U.S.; it fought to preserve access to an exit in US financial markets.

The TikTok USDS structure clearly keeps open a path to an eventual IPO. Waiting a year or two is not a downside. There is a crowded IPO pipeline already—AI platforms, infrastructure plays, defense-adjacent tech—and time helps normalize the structure politically and operationally.

But here’s the catch: an IPO collapses ambiguity.

A public S-1 would have to disclose, in plain English:

  • who owns the algorithm,
  • whether TikTok USDS owns it or licenses it,
  • the material terms of any license,
  • and the risks associated with dependence on a foreign related party.

This is where old Obama-era China-listing tricks no longer work. Based on what I’ve read, TikTok USDS would likely be a U.S. issuer with a U.S.-inspectable auditor. ByteDance can’t lean on the old HFCAA/PCAOB opacity playbook, because HFCAA is about audit access—not about shielding a related-party licensor from scrutiny.

ByteDance surely knows this. Which is why the structure buys time, not relief from transparency. The IPO is possible—but only when the market is ready to price the risk that the politics are currently papering over.

Pillar Three: PRC Law as the Ultimate Escape Hatch

The third pillar is the quiet one, but it may be the most consequential: PRC law as an external constraint. As long as ByteDance owns the algorithm, PRC law is always waiting in the wings. Those laws include:

Export-control rules on recommendation algorithms.
Data security and cross-border transfer regimes.
National security and intelligence laws that impose duties on PRC companies and citizens.

Together, they form a universal answer to every hard question:

  • Why can’t the algorithm be sold? PRC export controls.
  • Why can’t certain technical details be disclosed? PRC data laws.
  • Why can’t ByteDance fully disengage? PRC legal obligations.

This is not hypothetical. It’s the same concern that animated the original TikTok controversy, just reframed through contracts instead of ownership.

So while TikTok USDS may be auditable, governed by a U.S. board, and compliant with U.S. operational rules, the moment oversight turns upstream—toward the algorithm, updates, or technical dependencies—PRC law reenters the picture.

The result is a U.S. company that is transparent at the edges and opaque at the core. My hunch is that this sovereign control risk is clearly spelled out in any license document and will get disclosed in an IPO.

Putting It Together: Divestment of Optics, Not Control

Taken together, the three pillars tell a consistent story:

  • ByteDance keeps the algorithm.
  • ByteDance gets paid and retains an exit.
  • PRC law remains available to constrain transfer, disclosure, or cooperation.
  • U.S. regulators oversee the wrapper, not the engine.

That does not mean ByteDance is in exactly the same legal position as before. Governance and ownership optics have changed. Some forms of U.S. oversight are real. But in terms of practical control leverage, ByteDance—and by extension Beijing—may be uncomfortably close to where they started.

The foreign control problem that launched the TikTok saga was never just about equity. It was about who controls the system that shapes attention, culture, and information flow. If that system remains owned upstream, the rest is scaffolding.

The Ouroboros Moment

This is why Congress is likely to be furious once the implications sink in.

The story began with concerns about PRC control.
It moved through years of negotiation and political theater.
It ends with an “approved structure” that may leave PRC leverage intact—just expressed through licenses, contracts, and sovereign law rather than a majority stake.

The divestment eats its own tail.

Or put more bluntly: the sale may have changed the paperwork, but it did not necessarily change who can say no when it matters most. And that’s control.

As we watch the People’s Liberation Army practicing its invasion of Taiwan, it’s not rocket science to ask how all this will look if the PRC invades Taiwan tomorrow and America comes to Taiwan’s defense. In a U.S.–PRC shooting war, TikTok USDS would likely face either a rapid U.S. distribution ban on national-security grounds (already blessed by SCOTUS), a forced clean-room severance from ByteDance’s algorithm and services, or an operational breakdown if PRC law or wartime measures disrupt the licensed technology the platform depends on.

The TikTok “sale” looks less like a divestiture of control than a divestiture of optics. ByteDance may have reduced its equity stake and ceded governance formalities, but if it retained ownership of the recommendation algorithm and the U.S. company remains dependent on ByteDance by license, then ByteDance’s—and by extension the CCP’s—legal leverage over ByteDance—can remain in a largely similar control position in practice.

TikTok USDS may change the cap table, but it doesn’t necessarily change the sovereign. As long as ByteDance owns the algorithm and PRC law can be invoked to restrict transfer, disclosure, or cooperation without CCP approval, the end state risks looking eerily familiar: a U.S.-branded wrapper around a system Beijing can still influence at the critical junctions. The whole saga starts with bitter complaints in Congress about “foreign control,” ends with “approved structure,” but largely lands right back where it began—an ouroboros of governance optics swallowing itself.

Surely I’m missing something.

TikTok After Xi’s Qiushi Article: Why China’s Security Laws Are the Whole Ballgame

Xi Jinping’s new article in Qiushi (the Chinese Communist Party Central Committee’s flagship theoretical public policy journal) repackages a familiar message: China will promote the “healthy and high-quality development” of the private economy, but under the leadership of the Chinese Communist Party. This is expressed in China’s statutory law as the “Private Economy Promotion Law.”  And of course we have to always remember that under the PRC “constitution,” statutes are primarily designed to safeguard the authority and interests of the Chinese Communist Party (CCP) rather than to protect the rights and privileges of individuals—because individuals don’t really have any protections against the CCP.  

For U.S. policymakers weighing what to do about TikTok, this is not reassuring rhetoric in my view. It is instead a reminder that, in China, private platforms ultimately operate within a legal-and-political framework that gives state-security organs binding powers over companies, the Chinese people, and their data.

According to the South China Morning Post:

In another show of support for China’s private sector, Beijing has released the details of a speech from President Xi Jinping which included vows the country would guarantee a level playing field for private firms, safeguard entrepreneurs’ lawful rights and interests, and step up efforts to solve their long-standing challenges, including overdue payments.

The full address, delivered in February to a group of China’s leading entrepreneurs, had not been made available to the public before Friday, when Qiushi – the ruling Communist Party’s theoretical journal – posted a transcript on its website.

“The policies and measures to promote the development of the private economy must be implemented in a solid and thorough manner,” Xi said in February. “Whatever the party Central Committee has decided must be resolutely carried out – without ambiguity, delay, or compromise

I will try to explain why the emphasis of Xi’s policy speech matters, and why the divest-or-ban logic for TikTok under US law (and it is a law) remains intact regardless of what may seem like “friendly” language about private enterprise.  It’s also worth remembering that whatever the result of the TikTok divestment may be, it’s just another stop along the way in the Sino-American struggle­—or something more kinetic.  As Clausewitz wrote in his other famous quotation, the outcomes produced by war are never final. (See Book I Chapter 1 aka the good stuff.)  Even the most decisive battlefield victory may have no lasting political achievement.  As we have seen time and again, the termination of one conflict often produces the necessary conditions for future conflict.

What Xi’s piece actually signals

Xi’s article combines pro-private-sector language (property-rights protection, market access, financing support) with an explicit call for Party leadership and ideological guidance in the private economy. In other words, the promise is growth within control, and not just any control but the control of the Party. There is no carve‑out from national-security statutes, no “TikTok exemption,” and no suggestion that private firms can decline cooperation when state-security laws apply consistent with China’s “unrestricted warfare” doctrine.

Recall that the CCP has designated the TikTok algorithm as a strategic national asset, and “national” in this context and the context of Xi’s article means the Chinese Communist Party of which Xi is President-for-Life.  This brother is not playing.

The laws that define the TikTok Divestment risk (not the press releases)

The core concern about TikTok is jurisdiction, or the CCP’s extra-territorial jurisdiction, a concept we don’t fully comprehend. Xi’s Qiushi article promises support for private firms under Party leadership. That means that the National Intelligence Law, Cybersecurity Law, Counter‑Espionage Law, and China’s data‑export regime remain in force and are controlling authority over companies like TikTok. For U.S. reviewers like CIFIUS, that means ByteDance‑controlled TikTok is, by design, subject to compelled, confidential cooperation with state‑security organs. 

As long as the TikTok platform and algorithm is ultimately controlled by a company subject to the CCP’s security laws, U.S. reviewers correctly assume those laws can reach the service, even if operations are partly localized abroad. MTP readers will recall the four pillars of China’s statutory security regime that matter most in this context, being:

National Intelligence Law (2017). Requires all organizations and citizens to support, assist, and cooperate with state intelligence work, and to keep that cooperation secret. Corporate policies and NDAs do not trump statutory duties, especially in the PRC.

Cybersecurity Law (2017). Obligates “network operators” to provide technical support and assistance to public‑security and state‑security organs, and sets the baseline for security reviews and Multi‑Level Protection (MLPS) obligations.

Counter‑Espionage Law (2023 amendment). Broadens the scope of what counts as “espionage” to include data, documents, and materials related to national security or the “national interest,” increasing the zone where requests can be justified.

Data regime (Data Security Law (DSL)Personal Information Protection Law (PIPL), and the Cyberspace Administration of China (CAC) regulatory measures). Controls cross‑border transfers through security assessments or standard contracts and allows denials on national‑security grounds. Practically, many datasets can’t leave China without approval—and keys/cryptography used onshore must follow onshore rules.

None of the above is changed by the Private Economy Promotion Law or by Xi’s supportive tone toward entrepreneurs. The laws remain superior in any conflict such as the TikTok divest-or-ban law.

It is these laws that are at the bottom of U.S. concerns about TikTok’s data scraping–it is, after all, spyware with a soundtrack.  There’s a strong case to be made that U.S. artists, songwriters, creators and fans are all dupes of TikTok as a data collection tool  in a country that requires its companies to hand over to the Ministry of State Security all it needs to support the intelligence mission (MSS is like the FBI and CIA in one agency with a heavy ration of FSB).

Zhang Yiming, founder of ByteDance and former public face of TikTok, stepped down as CEO in 2021 but remains Chairman and key shareholder. He controls more than half of the company’s voting rights and retains about a 21% stake. That also makes him China’s richest man. Though low-profile publicly, he is actively guiding ByteDance’s AI strategy and long-term direction. Mr. Zhang does not discuss this part.  It should come as no surprise–according to his Wikipedia page, Mr. Zhang understands what happens when you don’t toe the Party line:

ByteDance’s first app, Neihan Duanzi, was shut down in 2018 by the National Radio and Television Administration. In response, Zhang issued an apology stating that the app was “incommensurate with socialist core values“, that it had a “weak” implementation of Xi Jinping Thought, and promised that ByteDance would “further deepen cooperation” with the ruling Chinese Communist Party to better promote its policies.

ByteDance’s AI strategy is built on aggressive large-scale data scraping including from TikTok. Its proprietary crawler, ByteSpider, dominates global web-scraping traffic, collecting vast amounts of content at speeds far beyond rivals like OpenAI. This raw data fuels TikTok’s recommendation engine and broader generative AI development, giving ByteDance rapid adaptability and massive training inputs. Unlike OpenAI, which emphasizes curated datasets, ByteDance prioritizes scale, velocity, and real-time responsiveness, integrating insights from TikTok user behavior and the wider internet. This approach positions ByteDance as a formidable AI competitor, leveraging its enormous data advantage to strengthen consumer products, expand generative AI capabilities, and consolidate global influence.

I would find it very, very hard to believe that Mr. Zhang is not a member of the Chinese Communist Party, but in any event he understands very clearly what his role is under the National Intelligence Law and related statutes.  Do you think that standing up to the MSS to protect the data privacy of American teenagers is consistent with “Xi Jinping Thought”?

Why this makes TikTok’s case harder, not easier

For Washington, the TikTok problem is not market access or entrepreneurship. It’s the data governance chain. Xi’s article underscores that private firms are expected to align with the Party Center’s decisions and to embed Party structures. Combine that political expectation with the statutory duties described above, and you get a simple inference: if China’s security services want something—from data access to algorithmic levers—ByteDance and its affiliates are obliged to give it to them or at least help, and are often barred from disclosing that help.

That’s why divestiture has become the U.S. default: the only durable mitigation against TikTok is to place ownership and effective control outside PRC legal reach, with clean technical and organizational separation (code, data, keys, staffing, and change control). Anything short of that leaves the fundamental risk untouched.

Where the U.S. law and process fit

Congress’s divest‑or‑ban statute requires TikTok to be controlled by an entity not subject to PRC direction, on terms approved by U.S. authorities. Beijing’s export‑control rules on recommendation algorithms make a full transfer difficult if not impossible; that’s why proposals have floated a U.S. “fork” with separate code, ops, and data. But Xi’s article doesn’t move the ball: it simply reinforces that CCP jurisdiction over private platforms is a feature, not a bug, of the system.

Practical implications (policy and product)

For policymakers: Treat Xi’s article as confirmation that political control and security statutes are baked in. Negotiated “promises” won’t outweigh legal duties to assist intelligence work. Any compliance plan that assumes voluntary transparency or a “hands‑off” approach is fragile by design.

For platforms: If you operate in China, assume compelled and confidential cooperation is possible and in this case almost a certainty if it hasn’t already happened. Architect China operations as least‑privilege, least‑data environments; segregate code and keys; plan for outbound data barrrers as a normal business condition.

For users and advertisers: The risk discussion is about governance and jurisdiction, not whether a particular management team “would never do that.” They would.  Corporate intent can’t override state legal authority particularly when the Party’s Ministry of State Security is doing the asking.

Now What?

Xi’s article does not soften TikTok’s regulatory problem in the United States. If anything, it sharpens it by reiterating that the private economy advances under the Party’s direction, never apart from it. When you combine Mr. Zhang’s role with Bytedance in China’s AI national champions, it’s pretty obvious whose side TikTok is on.

Wherever the divest-or-ban legislation ends up, it will inevitably set the stage for the next conflict.  If I had to bet today, my bet is that Xi has no intention of making a deal with the US that involves giving up the TikTok algorithm in violation of the Party’s export-control rules and access to US user data for AI training.