29 Comments

Thanks. I think you're right, and I am updating my personal opinion to reflect this new information.

It took 3 days of TikTok use for me to realize what a ridiculous time suck it was and delete it. Amusing for a while, but Why am I doing this? But apparently young people love it so a satisfactory replacement should be provided.

As far as Acts of Congress go I wouldn’t expect anything requiring the consensus of 535 or so individuals to be on the mark.

Even at the level of a medium sized company, decisions that require input from half a dozen individuals are rarely on the mark. If you spend any amount of time in an environment like that you begin to marvel that anything truly effective is ever achieved.

So, from skimming the bill, it seems like the application is fairly limited in that it only applies to technology companies controlled by Russia, Iran, North Korea, China, Venezuela, and Cuba. So I think “Patriot Act for the Internet” goes way too far, because most foreign tech won’t be covered (whereas the Patriot Act gave expansive surveillance powers into all foreign communications, even with our allied nations).

It seems to me like they need two main changes here: (1) stronger procedural protections and public notice around designating new countries, or maybe just take away the executive’s ability to designate new countries and instead require a further act of Congress to designate new ones beyond the six listed, and (2) US citizens should not be subject to prosecution for efforts to circumvent bans for their own personal access (e.g., using a VPN to circumvent the ban should not be criminalized). I assume the intent is that they don’t want Tik Tok to circumvent the law by telling everyone to install a VPN, but that should be enforceable only against Tik Tok and its agents, not random users who decide on their own that they want to circumvent the ban.

I would also favor a narrower bill that just focuses on Tik Tok, but with a few key tweaks, it does not seem to me that this bill would really grant such sweeping powers as are claimed. As a practical matter, any determinations under this law are going to be challenged in court on First Amendment grounds -- and the government will need to be very targeted in how it uses this authority if it wants its actions to withstand judicial scrutiny. The basic problem is that every bill is written like this because Congress is too slow and dysfunctional to do anything. The one set of bills they need to pass each year is appropriation legislation, which they only accomplish by invoking “emergency” procedures -- and even then, they often can’t get it done and appropriations lapse for some period (a/k/a a government shutdown). So whenever Congress encounters a novel problem, it needs to delegate some kind of authority to deal with that problem and problems of a similar class that may crop up in the future when Congress will be tied up with more interesting things like shutting down the government. As these things go, this delegation is relatively narrow -- and with some additional procedural protections built in, I think the practical reality is this power would only be used (for the foreseeable future) to ban Tik Tok.

Seems unlikely this would stand up to a first amendment challenge but I'd really rather not have to find out.

The law is content neutral and thus probably fine under the First Amendment. It's targeting commercial control over data collection, not speech on a specific topic.

TikTok cannot collect your face print, voiceprint, browsing history, or “basically everything you do on your phone”. No app can do that. I know you’re just quoting someone else but still it pains me to think of how badly people misunderstand the privacy issues.

TikTok gets a small amount of data from your phone, basically opaque ids to identify you, plus anything you explicitly give permission for, like if you upload your contacts. This is just how modern mobile operating systems work. Plus TikTok knows what you do in the TikTok app, like what you watch and for how long. Because how would they provide you with the app experience without knowing what experience they’re giving you?

TikTok is dumb but the privacy concerns are pretty overrated here

Digging into this a bit because it seems relevant:

- It plainly can collect "face prints" and "voice prints", from the many millions of users who've given it camera and microphone permissions.

- I can't find any credible evidence that it can see your messages, Noah Smith seems to be bullshitting there.

- It can see (some of) your browser history if you opt in to trackers, as per Facebook etc. Unlike camera, mike, contacts & location, I don't see any reason for users to opt in there.

- It obviously can't see "basically everything you do on your phone", but it's equally misleading to say "a small amount of data". It scrapes a lot of misc data (location, installed apps, network settings, &c &c). Nothing exceptional for a social media app as far as I can tell.

- The various reverse engineers consistently report that it's engineered with a more obfuscatory, extensible, remote-controllable architecture than other social media apps.

If Bytedance wasn't so subject to Chinese state control, I wouldn't really see anything notable here. As it is, it seems quite likely that Tiktok is serving as a platform for targeted spook exploits - why wouldn't it be?

The correct compromise would be for the US government to lean on Apple to force Tiktok to reengineer their client code for transparency - a nuisance for all involved, but plainly doable.

Not a lawyer and I'm not gonna find this precedent if it exists, but I was under the impression there is some kind of court precedent saying Congress can't pass a law targeting a single company. Thus, it has to be rules-based. Of course, the rules don't need to be this broad.

They can't pass a "bill of attainder," which is legislation that punishes a specific person or company. But this wouldn't likely qualify even if it named Tik Tok specifically.

No, it is a real risk and fear of legal challenges as a bill of attainder was a specific factor for how the Senate drafted this bill. See https://www.axios.com/2023/03/07/senate-tiktok-legislation-warner-thune-biden. There is a much better chance for the bill to hold up if it's generally applicable. Being able to Ctrl+F and not seeing TikTok is the point.

I think you're responding to a different point. My point, re Adam's question, is that it's not unlawful to have a law targeting single companies. There are all kinds of laws and regs that apply only to a handful of companies or even just one when first adopted.

I agree with you that it is *helpful* to have the law drafted as more general legislation rather than literally naming the one specific company it applies to, but I can envision scenarios (e.g., just removing the IEEPA exemption Byte Dance would otherwise benefit from) that would probably pass muster even if Tik Tok were named specifically. In that scenario Byte Dance would still have a process before it's subject to any change in its legal rights.

We're used to most laws today being public laws (with a public law number and codification in US Code etc), but historically Congress passed tons of private laws, literally legislation that named a specific person or company and effectuated some change in their legal rights. Bill of attainder is a narrow category where Congress imposes a forfeiture to punish a specific person. It's good that they're trying to avoid that challenge, but naming ByteDance in the bill doesn't automatically cross some constitutional line.

One example of this is that Washington state has many laws that were crafted to apply only to Boeing.

One such law applies special tax rates to manufacture of “super efficient airplanes,” defined as “a twin aisle airplane that carries between two hundred and three hundred fifty passengers, with a range of more than seven thousand two hundred nautical miles, a cruising speed of approximately mach .85, and that uses fifteen to twenty percent less fuel than other similar airplanes on the market.”

That’s just a tax on 787s.

tfw things are a little too orwellian

A potentially higher-EV solution: implement a GDPR-like regulation in the US, that grants users control of their data. Then TikTok and the US-based companies must all abide.

Things like data locality (US data must live in the US), data sovereignty, code/system audits, and so on, would be beneficial when applied equally to all big companies.

The risk would be that TikTok funnels data out of its system even when tracking is disabled (much like the NSA installed monitoring into AT&T exchanges in the US). I think you could get a system of audits and controls strong enough that this would be difficult for TikTok to pull off undetected, but of course it’s always possible to secretly siphon data out, as the NSA knows intimately. But now you are in the game of a major corporation committing serious crimes on US soil, and you can do all the standard counter-intel stuff targeted at TikTok to detect it.

Just to clarify, GDPR does not require any data sovereignty. However, it requires companies which transfer data to have a legal basis, and to own the risk of transferring the data to other countries and run an analysis of things like law enforcement access without redress.

It's easy to understand why Apple wouldn't do anything about this: All those slave labor factories in China, they're not in a position to piss off Xi. Not so sure about Google, they're certainly willing enough to kick you out of their app store for not censoring enough, so it's not as though they have some principled objection to doing it.

Agree! Bad bill! And further: shouldn’t we try and avoid *all apps* that do spooky data collection, not just Chinese ones? I’m looking at you, Twitter, and recollecting a Tweet from an insider about how they were selling all sorts of location data. As you say, would be nice if Apple and Google (hah) would legislate against such apps.

> What I do not understand is why Apple and Google haven’t taken care of this for us.

They probably don't take anything the media or intelligence agencies say at face value. Media constantly shits on them with distortions and lies. The intelligence agencies break their crypto, man-in-the-middle everyone's data, and make PowerPoint slides about it with little smiley faces.

If I was Apple or Google I'd do my own verification of these reports. They probably did, and they probably found nothing there. As far as I can tell the danger is almost all hypotheticals, and even in the article you linked they fired the employees that were found to be improperly accessing data.

There's not much more TikTok can do than enforce policies and build systems with limited access. At some point employees do have to have access to this data in order to do their jobs. At Facebook we had ways to detect if you were accessing data from someone close to you on the social graph, but not even that would help in this situation. You could flag sensitive accounts, but that would probably also result in negative press: "TikTok internally identifies 521 journalist accounts."

The principle you're establishing seems to be that you can't be a Chinese company and operate a product with targeted advertising in America.

Also, is TikTok Chinese spyware any more than any other app is spyware for whatever country it hosts its data in? There's not a country on the planet that lacks legal authority to subpoena whatever data it wants. Sure, maybe some countries have more rules, but if they think it's important enough, they'll just ignore the rules. I think you've written about them doing this. And of course, they can just have their intelligence agencies make unknowing cooperators of tech companies, regardless of geographic boundaries.

I'm a little raw about this because I've seen many times the press and the government go nuts about things that are non-issues. Remember the negative emotion social contagion experiment at Facebook? This was written to cast Facebook as definitely evil, we were flooding people's feeds with downer content just to see what happens.

I saw the code for this, I read explainers from the folks who worked on it. It was regexes for like a dozen negative words. If your user id ended up hashing out to be in the experiment group, you'd have like a 1% greater chance of seeing one of those regex matches than people in the control group.

The whole point of the experiment was to know if we ought to downrank such content so that we weren't bumming people out.

See also the news cycle about evil tech companies offering egg freezing benefits because they're heartless taskmasters that just want to wring as much value as they can out of employees and don't want them disrupting their work with babies. Nonsense. This benefit was introduced when an employee needed cancer treatment and asked for it. This framing also made no sense in the context of our generous parental leave, a five thousand dollar baby cash bonus for every baby born to employees, IVF coverage, emergency daycare coverage, and a bunch more things that I'm forgetting.

Or we can just take the same approach China does and not let these apps be the ones built by foreigners. Literally nobody is talking about how bad China is for having these policies, and yet suggesting we follow suit is inconceivably bad.

There's simply no good reason that China has to be the ones supplying these stupid apps.

That appears to not be the case, there are businesses that will assist you in complying with the many regulations, but being Chinese is not a requirement. Here's an example: https://www.appinchina.co

I'm aware that the Great Firewall makes for an unfair playing field, with Chinese companies able to reach the U.S. market but lots of American companies unable to do the same. But I don't think tit-for-tat here is worth sacrificing our principles of free speech and free association.

I am very much NOT a lawyer, much less a CFIUS _and_ data protection law lawyer (which is what you'd want for this). I know some of them. They are smarter than me, and they sleep less, too.

But after rereading the bill text several times, and doing several Ctrl+F's to check key terms, I just don't see the "Little Timmy installs a VPN to watch his TikToks, gets a $1M fine and jail time" scenario as being within the scope of the bill. The bill seems focused on _companies_ and the nation-states that might have ownership or jurisdiction over them, and imposes a CFIUS-like mechanism to take a look at their transactions and ownership, and require mitigation measures.

The fine and jail time, as far as I can tell, is for trying to get around the mitigation measures, where "The term 'mitigation measure' means a measure agreed to in an agreement between any relevant party and the Federal Government, or ordered by the Federal Government and of which any relevant party has been notified, in any matter addressed under this Act to address any risk arising from a covered transaction or associated with a covered holding."

In other words, the mitigation measures are things like, "you agree to divest this asset, no fooling, and to ensure that no folks with Russian passports have GitHub commit rights."

In that light, the $1M fine + jail time for circumventions of that oversight is more in line with analogous white-collar law -- you'd certainly want to prohibit things like, "Company X is sold to a PE firm that is secretly Russian-owned," or "Company X leaves a backdoor in their system for Russia to SSH into the servers even after the sale."

I _suppose_ you could say that the mitigation measures could in theory include something like, "TikTok just promises to prevent US IPs from access, and to take reasonable steps to block Timmies from VPN'ing in," and certainly TikTok could get in trouble if they didn't take the steps they committed to -- but I still don't see how that would lead to Timmy himself getting fined or arrested one day in 4th Period.

Worth noting that there is a different bill, S.85, which is precisely the narrowly scoped TikTok ban - short title "No TikTok on United States Devices Act". It's maybe two pages of text, it explicitly names ByteDance, and it does nothing else (except direct some agencies to submit a report on national security implications of TikTok, which, whatever).

The Restrict act is a completely different thing. I guess they've successfully gotten people to refer to it as the "TikTok ban" bill, unfortunately, but there is a much more reasonable extant bill which is much more suited to be called that.

Well, that's frustrating. The Usual Suspects doing the usual thing, more sad than surprised, and yet...to see any action proposed at all, it's so tempting to say fuck it, let's take that plunge anyway. This of course right on the heels of the FLI letter. The counterargument "regulation is never the answer" looks a lot stronger now. One could imagine much the same setup, a Patriot Act to identify and address novel tech that could threaten national security. At some probability of doom, maybe that's still an adequate tradeoff, but for all those possible worlds where there's more profit than pain...there are less costly ways to halt things.

I think the easiest answer for why the FAANGs don't do anything here is the same for why the NBA punishes players for speaking out against the CCP, or anything remotely in that ideaspace. Losing access to that sweet, sweet Chinese consumer market is just too lucrative an opportunity cost. Or if not the end users, then the manufacturing...what would happen without Foxconn? Not exactly decking ourselves in reshoring glory via CHIPS Act or whatever.

(And let's be real, Google and Facebox in particular give no shits about privacy and free expression. Totally orthogonal to going concerns.)

A disturbing amount of US internet regulation is "enacted" by arm-twisting and threatening the oligopolists (Google, Apple, Facebook...); see also election interference hearings, Twitter files. The fact that someone actually proposed a bill makes me wonder why that negotiation didn't succeed (or didn't take place) here. Surveillance-state power play is one possible explanation but I wouldn't rule out it being either a) an escalation tactic by the government to get the oligopolists to cooperate, or b) a false-flag tactic by pro-tiktok forces to destroy political consensus in favor of the ban before the oligopolists can act.

I was worried this was a trojan horse for content control and maybe antipiracy after your post. First skim of the bill's text was reassuring, this just looks like cfius expansion, not policing VPN use.

Transaction is really a term of art in this area, they mean businesses buying businesses, the other provisions allow the president to compel divestment. You can tell by the way the penalties are structured. (250k + 2*value of transaction? What if I just watch an ad, do I have to watch two ads? It's not about those transactions.)

That's how it's targeted at the bytedance case, ownership and holdings were clearly on the policy wishlist. Tencent and a few others should worry, maybe bytedance lawyers/accountants/lobbyists, insofar as they advise on sanctions evasion, but not users.

The inducement and conspiracy bits are boilerplate. Doesn't mean there's zero risk but this is really poorly drafted to sweep up secondary players, especially users.

The DNI unreviewably advising on adversaries sounds bad in the abstract but has close to zero significance in practice. It's a domain knowledge test. What do you imagine the DNI currently does. What should it do.

I'll do a more thorough read tomorrow. Maybe I missed some key parts. I consider VPNs close to sacred for democracy, if they are under threat I will full throatedly join your opposition here. I deeply want to know if you are right.

But "Congress plans to destroy internet" is classic nerdbait (it works because it is sadly so plausible), so I try to be somewhat epistemically cautious in these areas.

If you know any lawyers who work on national security law or m&a ask their view after just giving them the raw text. Would also be interesting to get Orin Kerr's take.
