In January 2026, a contingent of investors announced they had agreed to establish a new “U.S.” version of TikTok. The $14 billion deal came more than a year after Congress passed a law that gave the ubiquitous social media platform an ultimatum: divest from Chinese ownership or be banned.
In a recent executive order, the Trump administration certified that the new ownership structure complies with the divestment law and will “appropriately protect Americans’ data and our national security.” But does the recent deal truly resolve the national security risks originally cited by Congress to justify the TikTok ban?
“In my view, no, and, in some ways, it’s made the problem even worse,” says Timothy Edgar ’97, a Harvard Law lecturer and leading expert on cybersecurity. According to Edgar, who previously served as the first-ever privacy and civil liberties official in the White House National Security Staff, creating U.S. TikTok leaves many existing threats unresolved while exposing users to additional privacy risks.
Edgar met with Harvard Law Today on the heels of the new TikTok deal to discuss how U.S. TikTok came to be and what we can learn from the latest crusade to safeguard national security.
Harvard Law Today: Can you walk us through a brief summary of the TikTok ban?
Timothy Edgar: In the spring of 2024, Congress passed a law that said TikTok had to be sold in order to divest the Chinese-owned parent company from ownership or TikTok would be banned. It was a bipartisan law supported by Republicans and Democrats in Congress and signed by President Biden. TikTok challenged that law as a violation of the First Amendment. TikTok creators also challenged the law, and there was an expedited process that the law put in place to hear those challenges. That took place very quickly, which is very unusual — it went straight through the D.C. Circuit, the U.S. Court of Appeals for the D.C. Circuit, and then to the Supreme Court. The Supreme Court issued a ruling upholding the law just two days before it was supposed to take effect. It looked like TikTok was going to shut down, and it actually did, briefly, shut down for about an hour or two.
Then, President Trump took office and announced via executive order that he was not going to enforce the law. That was very controversial because, although the law had a provision allowing the president to delay enforcement, it was a very narrow provision that only could be used if there was already a [divestment] deal in place. That’s not what President Trump did. Instead, he basically just ignored the law and said, “I’m not going to enforce it for 75 days.” That initial extension was extended again until, eventually, the end of last year when it was announced that there was a deal in place. A group of investors were going to be buying TikTok [through a deal] to satisfy the requirements of the law to divest. Once that deal was announced, the Trump administration also announced that the deal satisfied the law. So, TikTok has remained in operation, and the deal was just recently finalized.
HLT: Is it typical for a president to ignore a deadline enacted by Congress, set a new deadline via executive order, and then extend that deadline until a condition has been met?
Edgar: In short, no. There was nothing typical about the way that the law was implemented. In 2024, Congress made it very clear that if TikTok wasn’t sold within a relatively brief period of time, it would be banned. In the United States, the only narrow, limited exception allowed for time to basically write the paperwork if a deal was already in place. That’s not what President Trump did. What he did instead was issue an executive order saying, “I’m not going to enforce the ban,” claiming to be asserting his authority as president to deal with national security. A lot of legal experts felt that claim went well beyond any authority of the president. Also, the companies that relied on that promise by the president were taking some risk in doing that because a future president may then be able to say, “That executive order wasn’t legal and I’m going to enforce penalties against you.”
Many members of Congress objected to President Trump’s decision to essentially ignore the law in order to give more time to negotiate a deal. I think one reason the president was able to get away with it is that the companies decided that it was better to stay in the administration’s good graces. As long as they did, they considered the risk that they would somehow suffer liability because they relied on that promise relatively low. Another reason is that the TikTok ban has always been much more popular on Capitol Hill than it has been among the American people. On Capitol Hill, there’s a fairly broad bipartisan consensus about the risks of Chinese cyber espionage. I think those risks are very real, but the public is much less concerned about that than they are about the possibility that a very popular social media program may just go, “Poof!”
HLT: What prompted the creation of a U.S. version of TikTok? Was that always part of the plan?
Edgar: I don’t know whether the plan was to create a U.S. version or simply that there would be a sale of the entire company to satisfy the law. It’s certainly not a surprise that there would be a U.S. version of TikTok as a result of the way the law is structured. ByteDance, the original parent company of TikTok, is a Chinese company. So, TikTok was never a universal app to begin with because, ironically, it was banned in China. We think of TikTok as being a potential national security risk because it’s owned by a Chinese parent company. But, even in the U.S., TikTok still hasn’t faced as much censorship as the Chinese government applies to its own social media platforms. In China, ByteDance offered a different platform called “Dǒuyīn” which is essentially a Chinese version of TikTok.
So, at this stage, there’s Dǒuyīn, the Chinese version of TikTok, the U.S. version of TikTok, and the TikTok for the rest of the world. Each of those platforms has a different ownership structure, but they’re all very similar in terms of how they actually operate. Over the past several years, governments across the world have come to recognize just how powerful and important these platforms are in terms of shaping public opinion. So, it’s not a surprise that TikTok U.S. is going to be split off from the others. Even before the law was passed, we were already moving in that direction by the decisions TikTok was making to try to avoid any potential ban in the U.S. and alleviate the concerns of Congress.
HLT: What sort of things was TikTok already doing to avoid the ban?
Edgar: They had, for example, already agreed to partner with Oracle to locate their data and their algorithm in the U.S. as part of what they called “Project Texas.” So, the fact that Oracle then becomes a big investor in the TikTok U.S. deal is also not terribly surprising. The oversight TikTok basically imposed on themselves through Project Texas in order to try to alleviate concerns in the U.S. had to do with both the security of the data as well as the integrity of the algorithm to make sure it was not being influenced or manipulated by pressure from the Chinese government. This had all already happened a long time ago, though — before Congress passed the law, and before the sale took place. So, [creating U.S. TikTok] is just kind of the logical next step now that the sale has taken place. We’d been seeing this general trend towards localization of the data and oversight of how the algorithm is written to make sure it’s not manipulated by pressure from foreign adversaries. That’s been part of their plan all along, and this new U.S. version is just the next step in satisfying the law that Congress passed in 2024.
HLT: Has the recent deal mitigated the national security risks originally cited by Congress to justify the TikTok ban?
Edgar: In my view, no, and, in some ways, it’s made the problem even worse. As with any major social media platform, there are data privacy risks simply from the business model of collecting massive amounts of user data. We don’t have comprehensive privacy regulations in the U.S. So, it’s pretty much fair game for all these big [social media] platforms using that same business model. On top of that, there’s the national security risks of foreign adversaries gaining access to that data, and they could gain access in many different ways. They can gain access through hacking or insider threats. If they have an insider they’ve subverted, they can gain access by buying the information either openly through advertising networks or clandestinely through the dark web. None of those risks have changed by changing the ownership structure of TikTok. You have the same risks of the data that TikTok is still collecting on Americans. You have the same risks of espionage by Chinese or other adversary hackers.
“We don’t have comprehensive privacy regulations in the U.S. So, it’s pretty much fair game for all these big [social media] platforms using that same business model.”
HLT: So, it sounds like the risks are mostly the same. Why do you think they’ve gotten worse?
Edgar: When TikTok was owned by a Chinese parent company, there was a lot of scrutiny because of those Chinese owners. There was legal scrutiny from the Committee on Foreign Investment in the United States, established by the Defense Production Act, which caused TikTok to voluntarily create a variety of safeguards through Project Texas. Those included technical safeguards in terms of data storage and ensuring that the algorithm had integrity and wasn’t being manipulated. That was all done in a very detailed, more than 100-page, national security agreement with the United States that was being negotiated up until the time that Congress stuck its nose in and decided to terminate that process by coming up with a special law just for TikTok. During that time, TikTok continued to observe many of those safeguards voluntarily to deal with the political ramifications of this delicate situation.
Now that it’s been sold, that pressure comes off, and TikTok is now in the same position as other social media companies. So, I would see very little reason why a major social media platform is going to put itself under that level of scrutiny when its competitors don’t have to comply with those kinds of safeguards. In a very real sense, the privacy and security safeguards that were being applied to TikTok prior to the sale now don’t apply anymore, so those risks actually go up. Now, to be fair, the risk posed by ByteDance being subject to legal pressure from the Chinese government has been mitigated — although ByteDance retains a nearly 20% sake in TikTok US, and MGX, an Emerati investor, reportedly has a 15% stake. When you add up all the other risks that I mentioned — you’ve mitigated the risk of TikTok being controlled by a Chinese parent company to some extent, but there is still considerable foreign influence in the new ownership structure and you’ve made the other risks worse.
HLT: If TikTok were to violate its own privacy terms and treat user data in unauthorized ways, would there be recourse or cause of action on the part of the users?
Edgar: So, there are many barriers for users to engage in civil causes of action over terms of service. One of them can often be the terms of service themselves. Many social media companies have arbitration clauses in their terms of service, for example, or other limitations that courts generally enforce. So, there may be civil recourse, but there are often legal barriers.
Regulatory action is usually undertaken by the Federal Trade Commission or FTC, which has the authority to bring an enforcement action against companies that violate their own terms or their own privacy policies or other promises that they make because they say it’s an unfair or deceptive act or practice in commerce. The FTC has brought cases for more than two decades against companies for that and most major social media companies have at times fallen afoul of the FTC. Now that TikTok has been sold, that doesn’t change at all. The basic rules about what social media companies can do are set by Congress. There’s a regulatory structure that includes the FTC, but there are real weaknesses in that whole structure and it’s difficult to bring civil causes of action. We don’t have a comprehensive privacy law in the United States. We do have this consumer protection model for privacy, which the FTC has done a pretty good job of pioneering over the past couple of decades. But that would still be the same today as it was two years ago, when this all started with TikTok.
HLT: If the people in control of TikTok wanted to suppress or promote certain kinds of content in users’ feeds, are there laws or regulations around the selection of content?
Edgar: That issue brings up a lot of difficult questions involving the First Amendment and the right of platforms to decide how they want to moderate their content. Platforms have different approaches to moderating content and whether the government has a role here is a contested issue. Platforms will say that they have a First Amendment right to exercise some degree of editorial discretion over the content that they have and how they display it. Many members of Congress and elected officials have argued that’s not correct and platforms are somehow distinct from traditional publishers. Platforms have certain immunity under federal law for user-generated content, which makes them legally distinct from the way traditional publishers are treated, but that’s a matter of liability and not of constitutional law. So, there’s been a big debate over whether the government should have more of a role in overseeing social media and their content moderation decisions. But, as of now, we basically have a laissez-faire environment in which platforms are free to design their algorithms and their content moderation policies as they wish. I would say that they have a lot of valid First Amendment arguments in saying that they should be given a good deal of freedom in making those decisions. As a practical matter, it would be Congress and whoever’s elected president who would be enforcing those policies. Of course, they may have views that we don’t like or disagree with. That’s why we have the First Amendment in the first place.
“I am worried about the threat of foreign adversaries too, but if that’s all you’re focused on, you’re not going to actually effectively deal with the foreign adversaries.”
HLT: Would it be illegal for TikTok to take a payout from, for instance, a political action committee or super PAC to promote or suppress a particular viewpoint?
Edgar: It might cause a scandal, but it’s not at all clear that a payout like this would be illegal. Looking at just the history of traditional publishers, those kinds of side deals certainly have existed in the past. If we’re talking about a campaign for federal office, it might run afoul of Federal Election Campaign law if it were considered an in-kind contribution to a campaign. So, there could be reasons why it would be a legally risky thing to do, but there’s no rule that says that a publisher can’t have a business arrangement with someone to promote particular content. It certainly illustrates how these are the kinds of questions I think Congress should be looking at and thinking about.
Underlying all of this is the general principle of the First Amendment, where businesses in the business of speech have a great deal of independence and discretion under our system. And they should because, if they don’t, then those who are in power can use their power to manipulate and lean on those businesses to suppress speech they don’t like and to promote speech they do like. That’s not always very satisfying, because, of course, we are in a capitalist society and that puts a lot of power in the hands of media barons. So, we want to make sure we have antitrust regulation to ensure there are a variety of different viewpoints in the marketplace of ideas. Sometimes, if there are issues of scarcity, like there are in the case of traditional broadcasters, we have regulations to ensure that ownership isn’t too concentrated. There are things Congress can do here, but the general notion is that if I have a platform and I want to be a platform for conservatives, for example, I have a right to do that and if you don’t like that, then you can create your platform for progressives.
HLT: Are there any restrictions on TikTok selling data to certain buyers?
Edgar: Congress passed a law that basically limits the ability of data brokers to sell American data to foreign adversary countries. So, TikTok isn’t allowed to sell to certain countries that aren’t allowed to participate in that market — China, Russia, North Korea, Iran, Venezuela, and Cuba, for example, are on that list. That being said, it’s difficult to enforce that law because the data broker market is still very largely unregulated. What stops TikTok from selling its data to a German company that then sells that data to a company in Dubai that then sells that data to China? If TikTok is aware of this arrangement, then it would be in violation of that law that Congress passed. If it’s not aware, it’s very hard to control. Congress has passed this very limited law and has been very fixated on the threat of foreign adversaries. I am worried about the threat of foreign adversaries too, but if that’s all you’re focused on, you’re not going to actually effectively deal with the foreign adversaries. That’s because the bigger problem is the completely laissez faire way in which personal data is treated. In the U.S., we don’t have comprehensive privacy rules and regulation. Without that, we’re never going to be able to protect against those bad actors just by focusing only on them.
Want to stay up to date with Harvard Law Today? Sign up for our weekly newsletter.