I tap open TikTok. The For You feed scrolls on, unchanged. Somewhere between a press release and a joint-venture claim, you can feel the quiet—too quiet.
I’ve been watching this space closely, and you should be asking the same hard questions Senator Ed Markey just put in writing.
Reporters still see the same app on their phones; the public record is thin.
Four months after ByteDance handed over TikTok’s U.S. operations to a new joint venture, the visible change to users is minimal. TikTok USDS announced a plan to “secure U.S. user data, apps and the algorithm,” but the company has released few specifics. I’ll walk you through what Markey is asking for, what Oracle’s role looks like, and why these gaps matter to anyone who scrolls the app every day.
How does TikTok protect U.S. user data?
Markey wants details. His letter asks TikTok USDS to produce the precise terms of its license agreement with ByteDance and to spell out how source-code reviews will work. The new joint venture says user data and algorithmic training will be housed on Oracle servers, but “saying” and “proving” are different things.
The files on paper promise data controls; the public hasn’t seen the files themselves.
In January, TikTok USDS outlined a mandate that includes retraining the recommendation algorithm on U.S. data and storing relevant assets on Oracle infrastructure. But none of those promises are backed by a public audit or documented workflow the way national security agreements normally are.
Markey pressed TikTok USDS for specifics: which portions of the source code will be reviewed, who will perform the review, and whether ByteDance engineers maintained any access to user-related data after the handover. Those are the exact checkpoints that would signal whether safeguards are operational or performative.
Who controls TikTok USDS?
The joint venture is run by three managing investors—Oracle, Silver Lake, and Abu Dhabi’s MGX—each holding a 15% stake. Other investors, including affiliates connected to ByteDance backers, own the rest, and ByteDance itself retained a 19.9% stake. That ownership map raises straightforward governance questions about decision-making and influence.
Senator Markey sent letters; those letters name documents and actions he wants to see.
He didn’t ask for a marketing deck—he asked for contracts and logs. To TikTok USDS he requested the specific license terms with ByteDance and a clear account of any ByteDance access to U.S. user data. To Oracle he demanded the contractual terms that define its “trusted security partner” role and the scope of algorithm retraining under its oversight.
I think of this as a legal checklist for trust: permissions, audit rights, and hands-on control of the code base. Without those items public or shared with independent auditors, trust is on paper more than in practice.
Oracle’s name sits at the center of the story; the public wants to know the fine print.
Oracle’s servers were billed as the safe harbor for U.S. data and algorithm training, but Markey’s letter singles the company out for clarification on how many algorithms will be retrained and what contractual powers Oracle holds. If Oracle is the gatekeeper, that gate needs visible hinges.
This is not just corporate PR; it’s about whether the algorithm that decides what shows up on your screen has been fenced off from foreign influence. The promise of protection without published methods is a paper shield.
Capitol Hill remembers the politics that pushed this deal into being.
Lawmakers from both parties have spent years pressing ByteDance to sell TikTok or change its structure over national security concerns tied to China. Some critics, including former Sen. Mitt Romney, have argued the pressure also reflected discomfort with political content on the platform. That political context colors questions about motive and oversight.
Markey’s move is procedural and pointed: he’s not only asking what was done, but who can verify it. That demand for verification is a wedge between spin and substance.
What happens next depends on documents, audits, and public accountability.
If TikTok USDS and Oracle hand over contracts and evidence of independent code review, that would reduce suspicion. If they do not, legislators will likely escalate oversight or push for more expansive remedies.
Has ByteDance accessed U.S. user data?
Markey asked that directly. He wants a clear accounting of any ByteDance access after the joint-venture formation. The answer will shape whether this arrangement is a firewall—or a paper promise that keeps the old pathways open.
I don’t know what those private agreements say, and neither do you yet—and that gap is the problem. You and I scroll through a platform that can influence attention and ideas; when governance is opaque, the risk is not just technical but civic. Are American users getting real protections, or just reassurances designed for headlines?