Inside TikTok’s U.S. Data Security Operation: A Rare Look at the Battle Over User Data

The controversy surrounding TikTok has dominated political discussions for years. Critics claim the app is a national security risk, a data funnel to the Chinese Communist Party, and a vehicle for foreign propaganda. TikTok, on the other hand, insists that its U.S. user data is safeguarded under some of the most stringent security measures in the industry. In an exclusive report, journalist Lisa Remillard was granted unprecedented access to TikTok’s U.S. Data Security (USDS) operation, where she was given a tour by Andy Bonillo, the general manager of USDS, at the Washington, D.C., location. As part of her reporting, she also interviewed Matt Miller, senior vice president of HaystackID, an independent security firm auditing TikTok’s infrastructure.

Inside the high-security USDS office in Washington, D.C., Bonillo walked Remillard through the measures to protect the data of the 170 million Americans using the platform. A former Secret Service agent, Bonillo described his transition to TikTok as an extension of his previous work in national security. “I’m committed to protecting Americans. It’s my business to do it,” he said. “If Americans are going to be on a platform, I want to be there to help protect them.”

Bonillo explained that in 2022, TikTok restructured its operations to create USDS, a separate American subsidiary designed to safeguard U.S. user data and firewall it from any external influence, including its parent company, ByteDance. Data from American users, he said, is stored exclusively on Oracle Cloud servers located on U.S. soil. “As of January 2023, USDS was fully operational and only USDS personnel have access to that Oracle cloud and your data,” he told Remillard.

To further prove its security commitment, TikTok brought in third-party auditors to inspect its systems. One of those firms, HaystackID, has been conducting an independent security review of TikTok’s U.S. operations. In her reporting, Remillard interviewed Matt Miller about the firm’s findings. After more than six months of forensic investigation, he stated, “We have not uncovered any evidence of, we haven’t found anything that indicates unauthorized access to the network or compromise of U.S. citizens’ data or personal information.” He also noted, “We have not found yet any evidence indicating that there’s been code manipulation or anything passed from China into the United States in order to promote or disperse propaganda from the CCP.”

When asked whether HaystackID’s conclusions could be trusted, given that TikTok’s USDS division hired the firm, Miller acknowledged the financial relationship but emphasized that such an arrangement is standard in the industry. “USDS does pay HaystackID, which is, by the way, standard in the industry,” he said. He added that professional integrity was paramount for firms like his, especially when working on matters scrutinized by the U.S. government. “Absolutely in our best interest to tell the truth,” he said. “It promotes goodwill, and that’s what we need, is that integrity and trust with both the client and the government.”

Despite TikTok’s efforts, the U.S. government has remained unconvinced. In 2024, Congress passed legislation requiring ByteDance to sell TikTok or face a national ban. When TikTok fought the law in court, the Supreme Court declined to block it, siding with lawmakers who argued that security measures put in place were not sufficient.

Bonillo strongly rejected the allegations that TikTok was transferring data to China. “Those are egregious allegations,” he said. “The facts are that that’s not the case.” He pointed to Oracle’s oversight as proof. “We’ve given Oracle the full keys,” he said. “They can look at every bit of source code, 100% of it.”

A major U.S. concern is that ByteDance could manipulate TikTok’s recommendation algorithm to spread propaganda. Bonillo insisted that such interference was not possible. “The algorithm sits inside of Oracle, it’s trained by my team inside of US Data Security, and it’s trained and reviewed with U.S. user data here in the United States by my team,” he said. “We have full confidence that the algorithm in the United States is free of influence.” He also emphasized that TikTok’s independence applied to all governments, not just China. “We don’t want any government manipulating the platform. This is meant to be free of influence across the board.”

Bonillo acknowledged that past incidents, such as when TikTok employees—including some in China—accessed the location data of U.S. journalists in 2022, had fueled distrust. However, he insisted that TikTok’s security framework had evolved to prevent such incidents from happening again. “All those would’ve been mitigated in what we built today,” he said. “That cannot happen again.”

As TikTok fights for its survival in the U.S., the question remains whether its efforts to prove its security measures will be enough. Miller suggested that some skepticism may stem from outdated concerns. “There may be some legacy information out there of, prior to TikTok U.S. Data Security getting involved, when there was information spread out or dispersed into data centers in Singapore,” he explained. “But that’s no longer the case. Ever since they stood up U.S. Data Security, they’ve taken control over all U.S. personal data.”

Bonillo, despite the legal and political battles ahead, remains steadfast. “I respect the Supreme Court, and I respect all our lawmakers, and we’re here to follow the law,” he said. “What I do know is that we’re protecting against sophisticated adversaries and adversaries all over the world that want to have access to TikTok’s data to manipulate the platform, and we do that at scale all the time.” His final words reflected his confidence in the security measures TikTok had put in place. “I’m here because I believe Americans are safe, that my family is safe, and that, again, I can sleep very well at night knowing that we’re doing all the right things.”

The debate over TikTok’s future in the U.S. is far from over. Lawmakers, courts, and users are left to decide whether TikTok’s security measures are enough—or whether the risk remains too great.


Assisted by GAI and LLM Technologies

Source: HaystackID published with permission from ComplexDiscovery OÜ
