TikTok Ban: A Seed of Genuine Security Concern Wrapped in a Thick Layer of Censorship

It is ironic that, while purporting to protect America from China’s authoritarian government, President Trump is threatening to ban the TikTok app. Censorship of both speech and social media applications, after all, is one of the hallmarks of the Chinese Internet strategy.  While there is significant cause for concern with TikTok’s security, privacy, and its relationship with the Chinese government, we should resist a governmental power to ban a popular means of communication and expression.  

As is too often the case with government pronouncements, the Trump administration has proposed a ban without specifying what the ban would actually be or what authority allows for it. Rather, the President has said broadly, “we’re banning them from the United States,” or most recently, “it’s going to be out of business in the United States.” This could mean a ban on using the app, or perhaps a ban on distributing TikTok in app stores, or maybe something else. Any way you slice it, an effective ban of the scope suggested cannot be squared with the Constitution. 

Banning Americans From Using TikTok Would Violate the First Amendment

Banning Americans from using the TikTok app would infringe the First Amendment rights of those users to express themselves online. Millions of users post protected speech to TikTok every day, choosing the app over other options for its features or for its audience. Courts will generally not uphold a categorical ban on speech. As the Supreme Court has recognized, to “foreclose access to social media altogether is to prevent the user from engaging in the legitimate exercise of First Amendment rights.”  Noting that the Court had previously struck down a law prohibiting protected speech in just one venue (the Los Angeles International Airport), the Court explained: “the State may not enact this complete bar to the exercise of First Amendment rights on websites integral to the fabric of our modern society and culture.” While some may not consider TikTok integral to their own lives, these good-bye videos show how much TikTok means to its users.

Moreover, if the Trump Administration’s true motives are based on perceived anti-Trump content on TikTok, as some have contended, the ban would be an impermissible restriction based on content and viewpoint, subjecting the ban to more constitutional scrutiny, which it could not survive.

Even if the courts reviewed the ban as just a content-neutral restriction on the manner of speech, a complete TikTok ban is overly broad and not narrowly tailored to achieve the government’s national security purpose.  The vast majority of TikTok videos are not in any way related to national security, nor are their posters in substantially more danger of Chinese government spying than the users of other Chinese-owned technologies.

Banning App Stores From Distributing TikTok Also Raises Serious First Amendment Concerns 

Banning app stores from distributing TikTok would raise the First Amendment rights of the app stores to distribute software. As courts have held, code is speech, and the Supreme Court has recognized that software is a protected means of expression (addressing age warnings for video games). Just as bookstores have a right to sell books protected by the First Amendment, so too do app stores have a right to distribute protected software. Of course, it would be up to Apple and Google to challenge a purported distribution ban on their app store.

As a practical matter, an app store ban would not be particularly effective, as close to 100 million people in the U.S. already have the app. However, an inability to get updates—as a result of a ban—would create a security nightmare. Major vulnerabilities left unpatched would leave TikTok users susceptible to a variety of attackers, up to and including the Chinese government.

Unclear Legal Authority to Ban TikTok

It is also unclear what statutory authority would support any type of TikTok ban. Lawfare’s primer is a good starting point, looking at potential actions against TikTok through requiring its parent company, Bytedance, to divest its acquisition of Musical.ly, via the Committee on Foreign Investment in the United States (CFIUS), under the Defense Production Act, as well as a ban through the International Emergency Economic Powers Act (IEEPA).

While CFIUS may be able to require the Musical.ly divestment, it is unclear whether that would be effective beyond its use as a punitive measure against ByteDance. In 2018, Musical.ly was merged into ByteDance’s prior app to make today’s TikTok, while consolidating the user accounts. TikTok has had quite a bit of growth and software development since then, so it’s unclear whether undoing that acquisition (potentially unwinding the merged user accounts and giving back rights in some technologies) would amount to an effective ban.

An IEEPA-based ban would run into more trouble. In 1994, Congress amended IEEPA to create an exception for information and communications. The President does not have the authority “to regulate or prohibit, directly or indirectly—(1) any … personal communication, which does not involve a transfer of anything of value; [or the import or export of] any information or informational materials.” The word ‘Indirectly’ here is important, because many possible bans would not speak of the TikTok messages, but the app or the company. Jarred Taylor’s 2012 law review article Information Wants to be Free (of Sanctions) cogently explains why this amendment means the President cannot prohibit foreign access to social media under U.S. export regulations. Likewise, the President cannot prohibit American access to foreign social media.

While it remains unclear which legal authorities the Administration would rely upon, ByteDance may well have grounds to challenge the President’s statutory authority to invoke a ban.

Ban Aside, Security Concerns About TikTok Persist

Just because the President does not have the power to ban TikTok does not mean there are not important security concerns with the app. Any time we talk about security, the first question is “security from what?” and “security for whom?”  For some users, installing TikTok on their phone is a potentially dangerous move.

There are people who may have concerns about China having access to their data who have not had the same concerns about the US or EU countries: student protesters in Hong Kong, Uighurs, Covid 19 researchers, executives at Fortune 500 companies concerned about theft of IP, journalists with sources in China that they want to protect, US government employees, military personnel stationed abroad. Citing security concerns, both the RNC and DNC have warned their campaign not to use TikTok, and Wells Fargo has banned the app internally. But you can acknowledge that there are genuine security concerns for certain populations while opposing efforts to unilaterally ban an app used by millions of Americans. It’s possible, even in this day and age, to have multiple thoughts about a complex issue.

TikTok is not notably less secure than equivalent social media apps, though it has had its share of vulnerabilities, privacy violations, and dubious practices. But it is different from apps such as Facebook or Twitter in that its data is stored in China and it has employees in China.  Your data is vulnerable to pressure by the government of the country where it is physically located or where employees are located. Governments have a disturbing history of arresting employees to add pressure to their data demands.

TikTok has said that they haven’t handed over any data to the Chinese government, but it’s reasonable to be skeptical of that claim. TikTok may be under a gag order that prevents the company from being honest about its data demands. More recently, TikTok withdrew the app from Hong Kong after Hong Kong enacted new powers to punish Internet companies that failed to comply with data demands. This may stop, at least for now, obtaining data from communications within Hong Kong, but it’s not a complete protection against pressure from the Chinese government.

It’s of no import that China blocks some U.S. based companies from operating in China. Nor should we be swayed that India has blocked TikTok, along with 58 other Chinese apps. The United States should not be taking its human rights tips from the Chinese government or the authoritarian Modi administration in India, which has banned apps as part of a broader effort by India to respond to a border conflict and stoke nationalist sentiment against China.

Moving Forward, Any TikTok Buyer Must Adopt Best Practices

Of course, we may never get to a formal ban or divestment order.  ByteDance is considering selling TikTok, and sale to a U.S. company would help alleviate the stated concern for data leaking to a foreign power. Right now, the likely purchaser appears to be Microsoft.

But even if TikTok is acquired by a U.S. company, there would remain legitimate security and privacy concerns, which need to be addressed regardless of whether ByteDance is the owner. 

Like Microsoft has, any new TikTok company must commit to publishing a transparency report and law enforcement guidelines. They must require a warrant before giving user content to law enforcement, provide advance notice to users about government data demands whenever possible, and promise delayed notice after a gag order expires. To stop workarounds for access to user data, they should adopt a policy to prohibit third parties from allowing TikTok user data to be used for surveillance purposes. And it’s going to need to address the concerns of TikTok users outside the U.S. that American law provides too little protection for their data. Beyond the policies to protect privacy, the new TikTok should be sure to follow best practices in transparency and accountability content moderation.  

They must also conduct a thorough code review, to give users confidence that there are no backdoors in the app and to find bugs that may compromise security. TikTok’s direct messages would be more private and secure with end-to-end encryption. That TikTok is disturbingly far from alone in its need to address these shortcomings is no excuse for inaction. User privacy and security, however, will not come through a bill of sale alone.

Go to Source
Author: Eva Galperin

Comments