Proton

The RESTRICT Act, which would enable the the US government to ban TikTok from the US market, is currently working its way through Congress and has the backing of the White House. We’ve analyzed the legislation over the recent weeks, and today we’re sharing our analysis.

What’s the problem with TikTok?

TikTok has repeatedly violated the public’s trust, compromised its users’ privacy, and represents a potential entry point for the Chinese government to spy on users around the world. Chinese companies are compelled by China’s 2017 National Security Law(new window) to give the Chinese government whatever data it requests. ByteDance, TikTok’s parent company, must also have Chinese Communist Party committees within the organization. Given TikTok’s rampant data collection, which potentially includes users’ biometric information(new window) and all keystrokes in its in-app browser, many policymakers fear TikTok could siphon sensitive information on US citizens to the Chinese government.

TikTok has repeatedly denied that it hands over data to the Chinese Communist Party, but not only is this unavoidable, it’s written in Chinese law. TikTok has also made previous claims that later proved false, including that it’s building a system that prevents Chinese employees from accessing US citizen information(new window) (they still can(new window)) and denying that the app could be used to track individuals(new window) (TikTok was later caught tracking two journalists(new window)). 

Given TikTok’s aggressive data collection and troubling lack of transparency, nations have legitimate national security and privacy grounds for banning TikTok. And while TikTok is the most famous app, numerous other Chinese apps have raised similar concerns. Security experts discovered that the popular Chinese app Pindoudou contains malware(new window) and that many of the free Chinese VPN apps(new window) collect even more data than TikTok.

Is the RESTRICT Act the right solution?

However, the RESTRICT Act(new window), in its current form, has many shortcomings that make it a suboptimal piece of legislation. In particular, the powers it grants to the US government’s executive branch are far too broad and lack sufficient checks and balances, all of which may have unintended consequences for internet freedom in the long term.

The legitimate privacy and security threats posed by TikTok, Pinduoduo, and other Chinese apps don’t justify giving the US government sweeping control over what US citizens can access on the internet.

Why the current RESTRICT Act is problematic

The RESTRICT Act would grant the US Secretary of Commerce broad powers to “identify, deter, disrupt, prevent, prohibit, investigate, or otherwise mitigate … any risk arising from any covered transaction by any person, or with respect to any property” that the Secretary determines to pose “an undue or unacceptable risk”  to national security, including election interference, sabotage of communications technology, and critical infrastructure, and catastrophic effects to the digital economy. Furthermore, it imposes strict penalties for potentially circumventing restrictions (up to 20 years of jail time in the current text). This combination of factors poses four problems.  

Overly broad executive powers

First, the Secretary of Commerce should not have authority to designate foreign adversaries. The “covered transactions” portion of the law refers to any online service subject to the laws of a foreign government that the US considers an adversary. The definition of foreign adversaries includes China, Cuba, Iran, North Korea, and Venezuela, but the bill gives the Secretary of Commerce authority to designate additional governments and regimes as adversaries. This broad authority should be removed as it could easily be abused.

Ambiguous penalties for VPN usage

Second, the bill should not have any ambiguity about whether criminal or civil penalties could apply to individuals who use a VPN to access banned apps. The bill’s current language is vague and could potentially be interpreted to mean that someone using a VPN to bypass restrictions to access an application classified as a national security threat could be subject to penalties. When we reached out to Senator Warner, the sponsor of this bill, he was able to provide the following reassurance on this topic:

“This bill wouldn’t enable criminal or civil penalties against anybody just for using a VPN to access a banned app. This bill is aimed squarely at corporations, not users. I’m a firm believer in — and federal courts have consistently upheld — the First Amendment’s protection for Americans to send and receive information. The RESTRICT Act doesn’t change those vital protections.”

While Senator Warner’s statement makes clear that individuals aren’t the target of this bill, such ambiguity should still be removed from the legislative text.

Lack of transparency and judicial review

Third, the bill should include transparency and accountability mechanisms to guard against government overreach. The Freedom of Information Act gives Americans the right to request federal government records to let people see how officials make decisions. However, Section 15(f)(new window) of the RESTRICT Act exempts any communications related to covered transactions from this legal right.

Unclear enforcement

Fourth, the bill is ambiguous on how a ban on TikTok would be enforced. Would it require internet service providers (ISPs) to simply block access to TikTok IP addresses? What obligations would be imposed on ISPs if TikTok were to deploy countermeasures against IP address blocks? Would ISPs be required to create a more sophisticated firewall similar to China’s Great Firewall(new window)? This would be a massive blow to the free and open internet.

How the RESTRICT Act should be amended

There is a broad bipartisan consensus in the US that malicious Chinese apps like TikTok should be banned, but we believe Congress should strive to pass good legislation. Lawmakers should make two sets of changes to the core of the RESTRICT Act to help it strike the right balance between protecting against malicious Chinese applications while still defending online freedom.

Restrict the scope of RESTRICT

Instead of permitting the Secretary of Commerce the authority to designate additional adversaries, the scope should be limited to the list currently envisioned by Congress, namely China, Cuba, Iran, North Korea, and Venezuela. Any future expansion of this list should require the approval of Congress via the passage of amended legislation.

Prescribe effective but targeted measures

To avoid enforcement overreach and subsequent unintended consequences, the RESTRICT should specifically define what enforcement actions would be required. We believe there are specific actions that the RESTRICT Act can mandate that will diminish the risks posed by Chinese apps without compromising the future of the free and open internet. Even without resorting to overly broad censorship powers, making it difficult and costly for malicious apps to reach the US market is already possible. Examples of restrictions the US government could impose upon banned apps include:

  • Prohibiting app stores that serve US customers from featuring them
  • Prevent US advertisers from doing business with them
  • Prevent US payment processors from handling payments with them
  • Prevent US-based cloud providers from hosting them
  • Prevent US social media sites from linking to them
  • Ban US financial institutions from servicing them

These actions would mean that TikTok would likely still be available within the US for anyone determined to find it. However, ByteDance (TikTok’s owner) would not be able to make any revenue from the US market and, thus, would not have an incentive to serve the US market. The prohibition from app stores that serve US customers would also make it difficult (if not impossible) for all but the most dedicated US consumers to get the app (and those customers would be able to get the app anyways, under the current language of the RESTRICT Act).

This would achieve the legislative intent with far less risk of unintended consequences to internet freedom.

Final thoughts

Given TikTok’s repeated privacy abuses, Pinduoduo’s malicious capabilities, and their close ties to the Chinese government, we understand the need for a faster response. We simply believe that any response must be measured, proportional, applicable to future threats, and acknowledge the unique threats posed by apps and services from China. The RESTRICT Act, as it’s currently written, fails this test.

If you’re a US voter, we invite you to make your voice heard. Contact your senator and urge them to find a responsible way to mitigate TikTok’s influence and amend the RESTRICT Act.

Proton’s mission is to build a better internet where privacy is the default. Keep control of your data and stay safe online with Proton Mail, Proton VPN, and Proton Drive.

Related articles

The cover image for a Proton Pass blog comparing SAML and OAuth as protocols for business protection
en
SAML and OAuth help your workers access your network securely, but what's the difference? Here's what you need to know.
Proton Lifetime Fundraiser 7th edition
en
Learn how to join our 2024 Lifetime Account Charity Fundraiser, your chance to win our most exclusive plan and fight for a better internet.
The cover image for a Proton Pass blog about zero trust security showing a dial marked 'zero trust' turned all the way to the right
en
Cybersecurity for businesses is harder than ever: find out how zero trust security can prevent data breaches within your business.
How to protect your inbox from an email extractor
en
Learn how an email extractor works, why your email address is valuable, how to protect your inbox, and what to do if your email address is exposed.
How to whitelist an email address and keep important messages in your inbox
en
Find out what email whitelisting is, why it’s useful, how to whitelist email addresses on different platforms, and how Proton Mail can help.
The cover image for Proton blog about cyberthreats businesses will face in 2025, showing a webpage, a mask, and an error message hanging on a fishing hook
en
Thousands of businesses of all sizes were impacted by cybercrime in 2024. Here are the top cybersecurity threats we expect companies to face in 2025—and how Proton Pass can protect your business.