TikTok’s response to USG concerns about the imaginary threat to national security it poses was heard again at State of the Net 2023. It is hard to conceive of a more iron-clad technical solution than “Project Texas,” given the $1.5 billion that was sunk into it. Like the state it is named after, Project Texas is an enormous undertaking, but also a disturbing one.
We can’t really begrudge TikTok for pioneering a new institutional arrangement that (they think) might keep them in the U.S. market. That said, the arrangement sets a terrible precedent for digital media regulation and the global digital economy writ large. The dangers posed by this approach were quickly illustrated on the same day as TikTok’s SOTN presentation when two Senators unveiled the appropriately-named RESTRICT Act, which proposes to generalize the power to ban any apps, services, or software from foreign countries.
Let’s consider some of the potential long-term implications of Project Texas and what the enduring consequences for users and businesses could be. The relevance of Project Texas goes far beyond the fate of one company.
Summary of Project Texas
In a nutshell, Project Texas is a data localization arrangement involving the forcible intermediation of Tiktok’s American operations by a US-based cloud vendor (Oracle) and a new U.S. government-controlled corporation, U.S. Data Security (USDS). USDS will be independent of TikTok; its board members will be approved by the U.S. government and be subject to layers upon layers of red tape and private audits. Tiktok’s presenter repeatedly said USDS would be like a “government contractor.”
As a result of its negotiations with the secretive and unaccountable Committee on Foreign Investment in the U.S. (CFIUS), TikTok incorporated United States Data Security back in July 2022 as a new entity to subsume all TikTok operations involving US user data. The entire purpose of USDS is to put the U.S. government in charge of Tiktok’s social media data to handle all aspects of data governance. TikTok US was left in charge of functions like public policy and marketing as a separate corporate entity but all of the actual engineering, operations, privacy, legal, human resources, compliance, and so on, are now under the USDS bureaucratic web. This bureaucracy is set up to coordinate data reviews and software audits with Oracle and other third parties under the auspices of the Committee on Foreign Investment in the US (CFIUS).
Oracle, the “trusted technology provider,” is now TikTok’s exclusive cloud services provider. Practically, when the TikTok app is launched on a phone, it is compiled and loaded on a secure enclave that Oracle then sends to the App stores. This technical feat is unprecedented for an App of this scale and it’s amazing how it was pulled off technically without much impact on the user experience.
So why should we even care? Because in response to a security threat that really does not exist, this policy is…
Straight out of the Communist Party playbook
China and its allied governments in the Shanghai Cooperation Organization consider the free flow of information across national borders to be a cybersecurity and national security threat. They have invoked that principle repeatedly to justify their blocking and censorship of American and Western information sources.
Doesn’t it sound familiar to the attacks on TikTok, and Project Texas?
The Chinese Communist Party’s 2017 Cybersecurity Law and its 2021 Data Security Law require all cloud service providers to run on locally owned facilities and all incoming and outgoing data to be approved by the state. Similarly, Project Texas puts the U.S. government in direct control of a media outlet’s data and asserts a blanket right to review and censor its algorithms and content. It gives the government the power to harass a publisher if it releases content that is deemed politically controversial.
With Project Texas, should USDS fail to censor the alleged CCP propaganda on the TikTok App, is Oracle supposed to step in and perform content moderation? In a world of thorny content issues, how would they adjudicate, what are their incentives and where do they draw the line? Given how lucrative this arrangement is for them, it is natural to expect Oracle to be heavily influenced by US political pressures lest they become a more convenient target for takedown requests.
The use of “national security” claims to institute trade protectionism is increasingly common. Project Texas is just the latest example of it. A new market entrant, TikTok threatened the dominance of Facebook, Instagram, and YouTube. While American lawmakers and politicians pay lip service to “competition,” they are (in response to heavy lobbying and spending by Meta) greeting a successful new competitor by threatening to ban them or force them to use specific American companies, simply because the entrepreneurs and parent companies are foreign. The nondiscriminatory “national treatment” principle, which the U.S. fought hard for when setting up the WTO, is being thrown out the window.
What Project Texas means is that foreign platforms operating in the US will be unable to react to shifting consumer preferences. That demand signal will be obscured by the deadweight loss of forcible intermediation (or worse) and increasing self-censorship. Welcome to the new software value chain. What our militant Senators don’t seem to realize is that the big losers in a world of digital trade protectionism will be American firms. As other countries follow this model, we will validate entry barriers and the exposure and regulation of source code and algorithms. US platforms should brace for equivalent treatment overseas.
Encouraging digital sovereignty
Last year, the United States announced the Declaration for the Future of the Internet (DFI), a commitment signed by 61 like-minded nations to reclaim the promise of the early internet i.e., keeping it open, free, and global in the face of 21st-century challenges. If we read between the lines of the DFI, this diplomatic exercise was a line in the sand between liberal democracies and authoritarian states. The United States articulated a values-based commitment to an open digital economy.
But the TikTok agreement contradicts that vision. And the world will not fail to notice this. Non-aligned BRICS nations are already prone to techno-nationalist and data-protectionist policies. Many have refused to ratify the principles, citing either procedural or substantive misgivings. Some BRICS countries like India, Brazil, and South Africa typically play on strategic ambiguity, paying lip service to multistakeholder principles steered in one direction or the other as a result of political bargaining and negotiations. They are increasingly abiding by digital nationalism.
It should come as no surprise to anyone that the global world order is increasingly shifting to a more fractured rival pro-US and pro-China blocks. But what is often missed by state department officials due to a lack of high-level coherence in national strategy is that digital sovereignty – the insistence on national ownership and control of information flows – contributes to digital authoritarianism globally, including in the US and Canada. Maintaining the Internet as a bastion of free expression and open e-commerce markets cannot succeed if the U.S. tries to play by a double standard.
Sets the template for the new US data governance regime
Project Texas is a security theater with a $1.5 billion price tag. It imposes enormous costs and restrictive policies to address a threat that does not exist. We have in another report fully debunked the claims that TikTok is a national security threat. Absent comprehensive data privacy legislation, the US is creating an ad hoc data governance regime. Worse, Project Texas as a solution reaffirms how since the Trump administration, the USG is tortuously amalgamating the relationship between national interest, national security, economic security, and innovation without a coherent strategy guiding the process.