ProtonBlog(new window)

Ban TikTok – But we need a better version of the RESTRICT Act

The RESTRICT Act, which would enable the the US government to ban TikTok from the US market, is currently working its way through Congress and has the backing of the White House. We’ve analyzed the legislation over the recent weeks, and today we’re sharing our analysis.

What’s the problem with TikTok?

TikTok has repeatedly violated the public’s trust, compromised its users’ privacy(new window), and represents a potential entry point for the Chinese government to spy on users around the world. Chinese companies are compelled by China’s 2017 National Security Law(new window) to give the Chinese government whatever data it requests. ByteDance, TikTok’s parent company, must also have Chinese Communist Party committees within the organization. Given TikTok’s rampant data collection, which potentially includes users’ biometric information(new window) and all keystrokes in its in-app browser(new window), many policymakers fear TikTok could siphon sensitive information on US citizens to the Chinese government.

TikTok has repeatedly denied that it hands over data to the Chinese Communist Party, but not only is this unavoidable, it’s written in Chinese law. TikTok has also made previous claims that later proved false, including that it’s building a system that prevents Chinese employees from accessing US citizen information(new window) (they still can(new window)) and denying that the app could be used to track individuals(new window) (TikTok was later caught tracking two journalists(new window)). 

Given TikTok’s aggressive data collection and troubling lack of transparency, nations have legitimate national security and privacy grounds for banning TikTok. And while TikTok is the most famous app, numerous other Chinese apps have raised similar concerns. Security experts discovered that the popular Chinese app Pindoudou contains malware(new window) and that many of the free Chinese VPN apps(new window) collect even more data than TikTok.

Is the RESTRICT Act the right solution?

However, the RESTRICT Act(new window), in its current form, has many shortcomings that make it a suboptimal piece of legislation. In particular, the powers it grants to the US government’s executive branch are far too broad and lack sufficient checks and balances, all of which may have unintended consequences for internet freedom in the long term.

The legitimate privacy and security threats posed by TikTok, Pinduoduo, and other Chinese apps don’t justify giving the US government sweeping control over what US citizens can access on the internet.

Why the current RESTRICT Act is problematic

The RESTRICT Act would grant the US Secretary of Commerce broad powers to “identify, deter, disrupt, prevent, prohibit, investigate, or otherwise mitigate … any risk arising from any covered transaction by any person, or with respect to any property” that the Secretary determines to pose “an undue or unacceptable risk”  to national security, including election interference, sabotage of communications technology, and critical infrastructure, and catastrophic effects to the digital economy. Furthermore, it imposes strict penalties for potentially circumventing restrictions (up to 20 years of jail time in the current text). This combination of factors poses four problems.  

Overly broad executive powers

First, the Secretary of Commerce should not have authority to designate foreign adversaries. The “covered transactions” portion of the law refers to any online service subject to the laws of a foreign government that the US considers an adversary. The definition of foreign adversaries includes China, Cuba, Iran, North Korea, and Venezuela, but the bill gives the Secretary of Commerce authority to designate additional governments and regimes as adversaries. This broad authority should be removed as it could easily be abused.

Ambiguous penalties for VPN usage

Second, the bill should not have any ambiguity about whether criminal or civil penalties could apply to individuals who use a VPN to access banned apps. The bill’s current language is vague and could potentially be interpreted to mean that someone using a VPN to bypass restrictions to access an application classified as a national security threat could be subject to penalties. When we reached out to Senator Warner, the sponsor of this bill, he was able to provide the following reassurance on this topic:

“This bill wouldn’t enable criminal or civil penalties against anybody just for using a VPN to access a banned app. This bill is aimed squarely at corporations, not users. I’m a firm believer in — and federal courts have consistently upheld — the First Amendment’s protection for Americans to send and receive information. The RESTRICT Act doesn’t change those vital protections.”

While Senator Warner’s statement makes clear that individuals aren’t the target of this bill, such ambiguity should still be removed from the legislative text.

Lack of transparency and judicial review

Third, the bill should include transparency and accountability mechanisms to guard against government overreach. The Freedom of Information Act gives Americans the right to request federal government records to let people see how officials make decisions. However, Section 15(f)(new window) of the RESTRICT Act exempts any communications related to covered transactions from this legal right.

Unclear enforcement

Fourth, the bill is ambiguous on how a ban on TikTok would be enforced. Would it require internet service providers (ISPs) to simply block access to TikTok IP addresses? What obligations would be imposed on ISPs if TikTok were to deploy countermeasures against IP address blocks? Would ISPs be required to create a more sophisticated firewall similar to China’s Great Firewall(new window)? This would be a massive blow to the free and open internet.

How the RESTRICT Act should be amended

There is a broad bipartisan consensus in the US that malicious Chinese apps like TikTok should be banned, but we believe Congress should strive to pass good legislation. Lawmakers should make two sets of changes to the core of the RESTRICT Act to help it strike the right balance between protecting against malicious Chinese applications while still defending online freedom.

Restrict the scope of RESTRICT

Instead of permitting the Secretary of Commerce the authority to designate additional adversaries, the scope should be limited to the list currently envisioned by Congress, namely China, Cuba, Iran, North Korea, and Venezuela. Any future expansion of this list should require the approval of Congress via the passage of amended legislation.

Prescribe effective but targeted measures

To avoid enforcement overreach and subsequent unintended consequences, the RESTRICT should specifically define what enforcement actions would be required. We believe there are specific actions that the RESTRICT Act can mandate that will diminish the risks posed by Chinese apps without compromising the future of the free and open internet. Even without resorting to overly broad censorship powers, making it difficult and costly for malicious apps to reach the US market is already possible. Examples of restrictions the US government could impose upon banned apps include:

  • Prohibiting app stores that serve US customers from featuring them
  • Prevent US advertisers from doing business with them
  • Prevent US payment processors from handling payments with them
  • Prevent US-based cloud providers from hosting them
  • Prevent US social media sites from linking to them
  • Ban US financial institutions from servicing them

These actions would mean that TikTok would likely still be available within the US for anyone determined to find it. However, ByteDance (TikTok’s owner) would not be able to make any revenue from the US market and, thus, would not have an incentive to serve the US market. The prohibition from app stores that serve US customers would also make it difficult (if not impossible) for all but the most dedicated US consumers to get the app (and those customers would be able to get the app anyways, under the current language of the RESTRICT Act).

This would achieve the legislative intent with far less risk of unintended consequences to internet freedom.

Final thoughts

Given TikTok’s repeated privacy abuses, Pinduoduo’s malicious capabilities, and their close ties to the Chinese government, we understand the need for a faster response. We simply believe that any response must be measured, proportional, applicable to future threats, and acknowledge the unique threats posed by apps and services from China. The RESTRICT Act, as it’s currently written, fails this test.

If you’re a US voter, we invite you to make your voice heard. Contact your senator and urge them to find a responsible way to mitigate TikTok’s influence and amend the RESTRICT Act.

Proton’s mission is to build a better internet where privacy is the default. Keep control of your data and stay safe online with Proton Mail, Proton VPN, and Proton Drive.

Protect your privacy with Proton
Create a free account

Related articles

passwordless future
With the advent of passkeys, plenty of people are predicting the end of passwords. Is the future passwordless, though? Or is there room for both types of authentication to exist side-by-side?  At Proton, we are optimistic about passkeys and have int
At Proton, we have always been highly disciplined, focusing on how to best sustain our mission over time. This job is incredibly difficult. Everything we create always takes longer and is more complex than it would be if we did it without focusing on
is icloud keychain safe
If you’re on any Apple device, you’re familiar with the iCloud Keychain, the Apple password manager. It’s a handy tool that stores passwords for you and helps you manage your logins.  For a program that stores all your most sensitive data in one pla
We recently announced that Proton Pass now supports passkeys for everyone across all devices. Universal compatibility is a unique approach to implementing passkeys, unfortunately. Even though passkeys were developed by the FIDO Alliance and the Worl
How to upload and share private video
Your private videos are for your eyes only. However, not all cloud storage services are good at storing videos securely, let alone privately. In this article we explain what you can do to keep file sharing companies from having access to the videos y
Many email services, citing security reasons, require a phone number for identity verification. This creates an unfortunate paradox in which you must give up a highly sensitive piece of personal data to Big Tech. But there are simple ways to create
Can you password-protect a folder in Google Drive?
Protecting a folder with a password is a simple yet effective way of securing files. You may wonder whether you can password-protect a folder in Google Drive. We explain what access controls Google Drive offers and what you can do to improve your sec