Under a draft agreement between ByteDance and CFIUS, Oracle would be TikTok’s partner — and a government proctor. But stuck in limbo, the companies’ relationship has soured.
By Emily Baker-White, Forbes Staff
There is an area within TikTok’s “dedicated transparency center” built for Oracle employees to review the app’s source code for influence operations, covert changes and other manipulation. It looks like a regular office: there’s a front desk where guests can check in, TikTok logos on the walls and a safe by the door where the employees of the database giant secure their phones before entering. Once they do so, they sit at desks beneath overhead cameras controlled by TikTok — a requirement that, according to two sources, came directly from the Chinese government.
The number and position of these cameras has been a source of contention between TikTok’s parent company ByteDance and Oracle in recent months, according to four sources in position to know and internal documents reviewed by Forbes. ByteDance had planned to place a camera above each Oracle employee as they worked, but Oracle pushed back, saying the cameras would enable ByteDance to see their passwords and other proprietary information.
The relationship between ByteDance and Oracle has become deeply untrusting and adversarial, according to five sources. One source with knowledge of the companies’ actions characterized Oracle’s stance toward ByteDance as a “counterintelligence operation,” rather than a normal customer relationship. Meanwhile, some ByteDance employees wonder if Oracle just wants to run up their bill. The TikTok contract, known internally at Oracle as Project Telesis, has made ByteDance one of Oracle’s most lucrative customers.
Details from a Summer 2022 draft of the agreement between ByteDance and the Biden Administration, reviewed by Forbes and reported here for the first time, show that if the parties were able to reach an agreement, TikTok’s relationship with Oracle would go beyond that of a typical service provider. The draft agreement, as it was being negotiated at the time, appeared to give Oracle the power to determine whether TikTok’s source code matched ByteDance’s representations to the U.S. government — and, if it found they didn’t — to suspend TikTok’s functionality in the United States, withholding the app from its 150 million U.S. users.
The draft agreement would also have given the government the right to require ByteDance to temporarily stop TikTok from functioning in the U.S. in certain circumstances — including if Oracle claimed that TikTok and ByteDance had not provided the necessary funds for it to carry out its responsibilities.
TikTok spokesperson Alex Haurek initially did not comment on the relationship between TikTok and Oracle or the draft agreement, nor did he answer a detailed list of questions. Instead, he provided this statement: “Cameras are part of standard physical security protocols throughout the industry to protect valuable enterprise assets and their purpose here is simply to protect the company’s intellectual property. Importantly, these cameras would be controlled and operated by USDS personnel. We have reached a working-level agreement with Oracle on camera placement and usage and, importantly, Oracle will have complete freedom to conduct its code review and its other work confidentially.” Haurek added that the video feed from the cameras does not leave the Dedicated Transparency Center.
Oracle and the U.S. government declined to comment.
In September 2020, just weeks before an executive order signed by President Donald Trump would have effectively banned TikTok, the app’s parent company, ByteDance, submitted a proposal to the Trump Administration that named Oracle as its “trusted technology provider.” Over the next two years — and a shift in presidential administrations — that proposal would evolve to spell out how Oracle, or another TikTok “trusted technology provider,” might help save the app from a ban in the United States by becoming both the company’s primary service provider, and an informant to the government should it misbehave.
ByteDance had planned to place a camera above each Oracle employee as they worked, but Oracle pushed back, saying the cameras would enable ByteDance to see their passwords.
TikTok has been open about the portion of the draft agreement that would’ve put Oracle in charge of monitoring TikTok’s recommendations algorithms for irregularities. But it appears the contract would also have made TikTok and ByteDance the ones responsible for ensuring that Oracle actually carries out its duties, even when those duties involved monitoring communication between TikTok and ByteDance, and, if necessary, notifying the government that they were failing to comply with the national security agreement.
After publication of this story, Haurek provided additional statements noting that Oracle would be responsible to Executive Branch agencies and that it would work with independent third-party monitors.
Before Oracle agreed to partner with TikTok, it tried to buy it. In Summer 2020, President Donald Trump announced that he would ban the app in the U.S. unless ByteDance sold it to a U.S. company. The threat set off a bidding war between Oracle, Microsoft, and Wal-Mart — and Trump threw his support behind Oracle, which was founded by then-Trump donor Larry Ellison. Trump’s endorsement, though, made little difference. Just before the sale was finalized, the Chinese government changed its export rules to scuttle it, requiring ByteDance to obtain a government license in order to sell TikTok’s famous recommendations algorithm. (Disclosure: in a past life, I held policy positions at Facebook and Spotify.)
So Oracle accepted a consolation prize: a hosting contract for TikTok’s U.S. business that could net it as much as $1 billion a year in revenue. And, after President Trump lost reelection, the company began working with TikTok and ByteDance to continue negotiating the CFIUS agreement, under which its role would expand beyond data host to encompass cybersecurity, auditing and code review functions.
Do you have information about TikTok, Oracle, or CFIUS that the public should know? Reach out securely to Emily Baker-White at firstname.lastname@example.org.
One thing that Oracle couldn’t do under the draft agreement is actually change the source code of the TikTok algorithm. At the time it was being negotiated, that technical right would be reserved for ByteDance only, which would continue to own and develop parts of the code. (After publication of this story, Haurek added that Oracle, along with the government, would be able to demand that ByteDance change the code or face a potential suspension of the app under the draft agreement.)
This may be because the recommendations algorithm is subject to the same Chinese export laws that tanked Oracle’s first attempt to buy TikTok. The draft agreement, though, appeared to have planned for that limitation. Twice, it warned that ByteDance and TikTok would be responsible for getting all foreign legal and regulatory authorizations necessary, including those in China, for them to carry out their responsibilities under the contract.
That could put ByteDance in a difficult position, committing to obtain licenses in a country where licensing rules could change at any time. And it’s already in a tough spot. In March, TikTok told reporters that CFIUS had issued an ultimatum to ByteDance: sell the app, or face a ban in the U.S. The company at first did not answer questions about when it last met with CFIUS for negotiations, or when the government last updated the draft agreement. After this story was published, Haurek said: “Conversations are ongoing.”
Alexandra Levine contributed reporting.
This story has been updated with additional comment from TikTok.