Negotiations over TikTok’s future in the United States are moving forward, but for CISOs and enterprise security teams, the risks tied to the platform remain stubbornly familiar. Even if ownership shifts to a U.S.-controlled entity, TikTok’s appetite for data and influence over user behavior will keep it high on the watchlist.
Why the Deal Matters
TikTok’s parent company, ByteDance, is subject to Chinese national security laws that can compel access to user data—a fact that has fueled years of concern in Washington, Brussels, and Ottawa. The proposed solution is the creation of a new U.S.-based entity where American investors hold an 80% stake. Oracle would manage TikTok’s U.S. data from Texas, joined by backers Andreessen Horowitz and Silver Lake. A majority U.S. board, including a government-appointed director, would oversee the operation.
This arrangement addresses the most obvious issue: the possibility of direct state access from Beijing. But security professionals caution that restructuring on paper is not the same as securing the platform in practice.
What Regulators Already Know
Global regulators have already taken action against TikTok, making clear that concerns about its practices are not confined to the United States. The Irish Data Protection Commission fined the company €530 million for GDPR violations. The European Commission and Council of the EU banned TikTok from government devices, citing security fears. Canada went further, ordering a nationwide ban on government devices and directing the platform’s Canadian subsidiary to be shuttered.
The message is consistent: reshuffling ownership does not erase the risks embedded in TikTok’s design.
Data Controls vs. Reality
For many experts, the question isn’t where TikTok stores its data; it’s how much data the platform continues to collect. Adam Marrè, CISO at Arctic Wolf, notes that while a U.S. ownership structure would reduce the likelihood of direct Chinese government access, it doesn’t change the fact that TikTok is built to harvest massive amounts of user information. “Ownership and geography alone are not enough to make a platform safe,” he says. “Transparency, accountability, and oversight matter just as much.”
That point is echoed by Lily Li, founder of Metaverse Law, who highlights the need for operational safeguards. Storing U.S. data in Oracle facilities may shield it from Chinese security laws, but, she argues, it won’t prevent insider risk unless controls are strict. “To prevent enterprise data leaks or espionage, administrative access and encryption keys must remain in the hands of U.S.-based personnel who are accountable to U.S. management,” Li says.
Together, their perspectives emphasize that even with new ownership, the data TikTok collects, and who can access it, remains a live concern for enterprises.
The Algorithm Problem
Infrastructure is only one layer of the challenge. At the heart of TikTok’s influence is its recommendation engine, which will reportedly remain licensed from ByteDance for the U.S. market. Algorithms determine what users see, how narratives spread, and where public attention shifts. Without visibility into how those algorithms function, experts warn that the risks of hidden data collection and influence operations persist.
Marrè frames this as a behavioral problem as much as a privacy one. “Security isn’t just about where the data sits,” he explains. “It’s about how the platform shapes behavior and influences users.”
Satish Swargam, principal security consultant at Black Duck, takes the concern further. He warns that any non-U.S.-based software artifacts tied to TikTok’s algorithm need to be examined in depth. “There is potential for non-U.S.-based algorithms to extract data and fuel influence campaigns,” he says. “The TikTok deal calls for tighter security controls, comprehensive artifact analysis, and a deep-dive threat model.”
What Enterprises Should Focus On
Whether or not the restructuring closes, CISOs should continue treating TikTok as a high-risk application. At a minimum, that means:
- Policy Enforcement: Restrict or prohibit TikTok use on corporate-owned devices and networks.
- Awareness Training: Educate staff about the risks of oversharing, especially around geolocation and activity tracking.
- Monitoring and Detection: Watch for data leakage through the TikTok pixel or other trackers embedded in business systems.
- Sector-Specific Controls: For defense, healthcare, and government contractors, bans should remain firm given the sensitivity of the data involved.
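The monitoring item above can be made concrete. The following is an added example, not code from the article or from Netizen: it checks web page source for the publicly documented TikTok pixel loader (the analytics.tiktok.com events script and the ttq global) and flags outbound proxy records to TikTok hosts. The log format, the HTML and the pixel ID are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Host that the TikTok pixel reports to, and broader TikTok suffixes
# worth flagging on a corporate egress proxy (extend from your telemetry).
PIXEL_HOSTS = ("analytics.tiktok.com",)
TIKTOK_SUFFIXES = (".tiktok.com", ".tiktokcdn.com")

# Source-level fingerprints of the TikTok pixel base code.
PIXEL_SIGNATURES = {
    "pixel_loader_script": re.compile(r"analytics\.tiktok\.com/i18n/pixel/events\.js"),
    "pixel_init_call": re.compile(r"ttq\.load\(\s*['\"]([A-Za-z0-9]+)['\"]"),
    "pixel_global_object": re.compile(r"TiktokAnalyticsObject"),
}

def scan_html(html: str) -> dict:
    """Return {signature_name: matched text or pixel id} for each fingerprint hit."""
    hits = {}
    for name, pattern in PIXEL_SIGNATURES.items():
        m = pattern.search(html)
        if m:
            hits[name] = m.group(1) if m.groups() else m.group(0)
    return hits

def host_of(url: str) -> str:
    """Hostname of a full URL or of a CONNECT-style host:port target."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower()

def scan_proxy_log(lines) -> list:
    """Flag records in a constructed 'ts client method url' proxy format whose
    destination is a TikTok host; pixel traffic is tagged separately."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, _method, url = parts[:4]
        host = host_of(url)
        if host in PIXEL_HOSTS:
            findings.append((ts, client, host, "tiktok_pixel"))
        elif host == "tiktok.com" or host.endswith(TIKTOK_SUFFIXES):
            findings.append((ts, client, host, "tiktok_other"))
    return findings

# Constructed samples: a marketing page carrying the pixel, and three proxy records.
SAMPLE_HTML = """<script>!function(w,d,t){w.TiktokAnalyticsObject=t;var ttq=w[t]=w[t]||[];
ttq.load('CONSTRUCTEDPIXELID');ttq.page();}(window,document,'ttq');</script>
<script src="https://analytics.tiktok.com/i18n/pixel/events.js?sdkid=X"></script>"""
SAMPLE_LOG = ["1700000000.1 10.0.0.5 CONNECT analytics.tiktok.com:443",
              "1700000001.2 10.0.0.7 GET https://intranet.example.com/home",
              "1700000002.3 10.0.0.9 CONNECT www.tiktok.com:443"]
```

Running scan_html and scan_proxy_log over real page source and egress logs gives a starting point for the pixel and tracker hunting the list calls for.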
The Bottom Line
The TikTok restructuring plan would change who manages U.S. data, but it does little to address the broader enterprise risks of social engineering, insider abuse, and algorithm-driven influence. As Marrè, Li, and Swargam all stress in different ways, the challenge is not just data sovereignty; it’s how TikTok’s infrastructure, code, and design continue to create openings for risk.
For security teams, that means the burden does not disappear with new ownership. TikTok will remain a security concern, no matter whose name is on the servers.
How Can Netizen Help?
Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally.
Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.
Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.
Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.
