29 Comments

Thanks. I think you're right, and I am updating my personal opinion to reflect this new information.

It took 3 days of TikTok use for me to realize what a ridiculous time suck it was and delete it. Amusing for a while, but Why am I doing this? But apparently young people love it so a satisfactory replacement should be provided.

As far as Acts of Congress go I wouldn’t expect anything requiring the consensus of 535 or so individuals to be on the mark.

Even at the level of a medium sized company, decisions that require input from half a dozen individuals are rarely on the mark. If you spend any amount of time in an environment like that you begin to marvel that anything truly effective is ever achieved.

So, from skimming the bill, it seems like the application is fairly limited in that it only applies to technology companies controlled by Russia, Iran, North Korea, China, Venezuela, and Cuba. So I think “Patriot Act for the Internet” goes way too far, because most foreign tech won’t be covered (whereas the Patriot Act gave expansive surveillance powers into all foreign communications, even with our allied nations).

It seems to me like they need two main changes here: (1) stronger procedural protections and public notice around designating new countries, or maybe just take away the executive’s ability to designate new countries and instead require a further act of Congress to designate new ones beyond the six listed, and (2) US citizens should not be subject to prosecution for efforts to circumvent bans for their own personal access (e.g., using a VPN to circumvent the ban should not be criminalized). I assume the intent is that they don’t want TikTok to circumvent the law by telling everyone to install a VPN, but that should be enforceable only against TikTok and its agents, not random users who decide on their own that they want to circumvent the ban.

I would also favor a narrower bill that just focuses on TikTok, but with a few key tweaks, it does not seem to me that this bill would really grant such sweeping powers as are claimed. As a practical matter, any determinations under this law are going to be challenged in court on First Amendment grounds -- and the government will need to be very targeted in how it uses this authority if it wants its actions to withstand judicial scrutiny. The basic problem is that every bill is written like this because Congress is too slow and dysfunctional to do anything. The one set of bills they need to pass each year is appropriation legislation, which they only accomplish by invoking “emergency” procedures -- and even then, they often can’t get it done and appropriations lapse for some period (a/k/a a government shutdown). So whenever Congress encounters a novel problem, it needs to delegate some kind of authority to deal with that problem and problems of a similar class that may crop up in the future when Congress will be tied up with more interesting things like shutting down the government. As these things go, this delegation is relatively narrow -- and with some additional procedural protections built in, I think the practical reality is this power would only be used (for the foreseeable future) to ban TikTok.

Seems unlikely this would stand up to a first amendment challenge but I'd really rather not have to find out.

TikTok cannot collect your face print, voiceprint, browsing history, or “basically everything you do on your phone”. No app can do that. I know you’re just quoting someone else but still it pains me to think of how badly people misunderstand the privacy issues.

TikTok gets a small amount of data from your phone, basically opaque ids to identify you, plus anything you explicitly give permission for, like if you upload your contacts. This is just how modern mobile operating systems work. Plus TikTok knows what you do in the TikTok app, like what you watch and for how long. Because how would they provide you with the app experience without knowing what experience they’re giving you?

TikTok is dumb but the privacy concerns are pretty overrated here.

Not a lawyer and I'm not gonna find this precedent if it exists, but I was under the impression there is some kind of court precedent saying Congress can't pass a law targeting a single company. Thus, it has to be rules-based. Of course, the rules don't need to be this broad.

tfw things are a little too orwellian

A potentially higher-EV solution: implement a GDPR-like regulation in the US, that grants users control of their data. Then TikTok and the US-based companies must all abide.

Things like data locality (US data must live in the US), data sovereignty, code/system audits, and so on, would be beneficial when applied equally to all big companies.

The risk would be that TikTok funnels data out of its system even when tracking is disabled (much like the NSA installed monitoring into AT&T exchanges in the US). I think you could get a system of audits and controls strong enough that this would be difficult for TikTok to pull off undetected, but of course it’s always possible to secretly siphon data out, as the NSA knows intimately. But now you are in the game of a major corporation committing serious crimes on US soil, and you can do all the standard counter-intel stuff targeted at TikTok to detect it.

It's easy to understand why Apple wouldn't do anything about this: All those slave labor factories in China, they're not in a position to piss off Xi. Not so sure about Google, they're certainly willing enough to kick you out of their app store for not censoring enough, so it's not as though they have some principled objection to doing it.

Agree! Bad bill! And further: shouldn’t we try and avoid *all apps* that do spooky data collection, not just Chinese ones? I’m looking at you, Twitter, and recollecting a Tweet from an insider about how they were selling all sorts of location data. As you say, would be nice if Apple and Google (hah) would legislate against such apps.

> What I do not understand is why Apple and Google haven’t taken care of this for us.

They probably don't take anything the media or intelligence agencies say at face value. Media constantly shits on them with distortions and lies. The intelligence agencies break their crypto, man-in-the-middle everyone's data, and make PowerPoint slides about it with little smiley faces.

If I was Apple or Google I'd do my own verification of these reports. They probably did, and they probably found nothing there. As far as I can tell the danger is almost all hypotheticals, and even in the article you linked they fired the employees that were found to be improperly accessing data.

There's not much more TikTok can do than enforce policies and build systems with limited access. At some point employees do have to have access to this data in order to do their jobs. At Facebook we had ways to detect if you were accessing data from someone close to you on the social graph, but not even that would help in this situation. You could flag sensitive accounts, but that would probably also result in negative press: "TikTok internally identifies 521 journalist accounts."

The principle you're establishing seems to be that you can't be a Chinese company and operate a product with targeted advertising in America.

Also, is TikTok Chinese spyware any more than any other app is spyware for whatever country it hosts its data in? There's not a country on the planet that lacks legal authority to subpoena whatever data it wants. Sure, maybe some countries have more rules, but if they think it's important enough, they'll just ignore the rules. I think you've written about them doing this. And of course, they can just have their intelligence agencies make unknowing cooperators of tech companies, regardless of geographic boundaries.

I'm a little raw about this because I've seen many times the press and the government go nuts about things that are non-issues. Remember the negative emotion social contagion experiment at Facebook? This was written to cast Facebook as definitely evil, we were flooding people's feeds with downer content just to see what happens.

I saw the code for this, I read explainers from the folks who worked on it. It was regexes for like a dozen negative words. If your user id ended up hashing out to be in the experiment group, you'd have like a 1% greater chance of seeing one of those regex matches than people in the control group.

The whole point of the experiment was to know if we ought to downrank such content so that we weren't bumming people out.

See also the news cycle about evil tech companies offering egg freezing benefits because they're heartless taskmasters that just want to wring as much value as they can out of employees and don't want them disrupting their work with babies. Nonsense. This benefit was introduced when an employee needed cancer treatment and asked for it. This framing also made no sense in the context of our generous parental leave, a five thousand dollar baby cash bonus for every baby born to employees, IVF coverage, emergency daycare coverage, and a bunch more things that I'm forgetting.

I am very much NOT a lawyer, much less a CFIUS _and_ data protection law lawyer (which is what you'd want for this). I know some of them. They are smarter than me, and they sleep less, too.

But after rereading the bill text several times, and doing several Ctrl+F's to check key terms, I just don't see the "Little Timmy installs a VPN to watch his TikToks, gets a $1M fine and jail time" scenario as being within the scope of the bill. The bill seems focused on _companies_ and the nation-states that might have ownership or jurisdiction over them, and imposes a CFIUS-like mechanism to take a look at their transactions and ownership, and require mitigation measures.

The fine and jail time, as far as I can tell, is for trying to get around the mitigation measures, where "The term 'mitigation measure' means a measure agreed to in an agreement between any relevant party and the Federal Government, or ordered by the Federal Government and of which any relevant party has been notified, in any matter addressed under this Act to address any risk arising from a covered transaction or associated with a covered holding."

In other words, the mitigation measures are things like, "you agree to divest this asset, no fooling, and to ensure that no folks with Russian passports have GitHub commit rights."

In that light, the $1M fine + jail time for circumventions of that oversight is more in line with analogous white-collar law -- you'd certainly want to prohibit things like, "Company X is sold to a PE firm that is secretly Russian-owned," or "Company X leaves a backdoor in their system for Russia to SSH into the servers even after the sale."

I _suppose_ you could say that the mitigation measures could in theory include something like, "TikTok just promises to prevent US IPs from access, and to take reasonable steps to block Timmies from VPN'ing in," and certainly TikTok could get in trouble if they didn't take the steps they committed to -- but I still don't see how that would lead to Timmy himself getting fined or arrested one day in 4th Period.

Worth noting that there is a different bill, S.85, which is precisely the narrowly scoped TikTok ban - short title "No TikTok on United States Devices Act". It's maybe two pages of text, it explicitly names ByteDance, and it does nothing else (except direct some agencies to submit a report on national security implications of TikTok, which, whatever).

The RESTRICT Act is a completely different thing. I guess they've successfully gotten people to refer to it as the "TikTok ban" bill, unfortunately, but there is a much more reasonable extant bill which is much more suited to be called that.

Well, that's frustrating. The Usual Suspects doing the usual thing, more sad than surprised, and yet...to see any action proposed at all, it's so tempting to say fuck it, let's take that plunge anyway. This of course right on the heels of the FLI letter. The counterargument "regulation is never the answer" looks a lot stronger now. One could imagine much the same setup, a Patriot Act to identify and address novel tech that could threaten national security. At some probability of doom, maybe that's still an adequate tradeoff, but for all those possible worlds where there's more profit than pain...there are less costly ways to halt things.

I think the easiest answer for why the FAANGs don't do anything here is the same for why the NBA punishes players for speaking out against the CCP, or anything remotely in that ideaspace. Losing access to that sweet, sweet Chinese consumer market is just too lucrative an opportunity cost. Or if not the end users, then the manufacturing...what would happen without Foxconn? Not exactly decking ourselves in reshoring glory via CHIPS Act or whatever.

(And let's be real, Google and Facebox in particular give no shits about privacy and free expression. Totally orthogonal to going concerns.)

A disturbing amount of US internet regulation is "enacted" by arm-twisting and threatening the oligopolists (Google, Apple, Facebook...); see also election interference hearings, Twitter files. The fact that someone actually proposed a bill makes me wonder why that negotiation didn't succeed (or didn't take place) here. Surveillance-state power play is one possible explanation but I wouldn't rule out it being either a) an escalation tactic by the government to get the oligopolists to cooperate, or b) a false-flag tactic by pro-TikTok forces to destroy political consensus in favor of the ban before the oligopolists can act.

I was worried this was a trojan horse for content control and maybe antipiracy after your post. First skim of the bill's text was reassuring, this just looks like CFIUS expansion, not policing VPN use.

Transaction is really a term of art in this area, they mean businesses buying businesses, the other provisions allow the president to compel divestment. You can tell by the way the penalties are structured. (250k + 2*value of transaction? What if I just watch an ad, do I have to watch two ads? It's not about those transactions.)

That's how it's targeted at the ByteDance case, ownership and holdings were clearly on the policy wishlist. Tencent and a few others should worry, maybe ByteDance lawyers/accountants/lobbyists, insofar as they advise on sanctions evasion, but not users.

The inducement and conspiracy bits are boilerplate. Doesn't mean there's zero risk but this is really poorly drafted to sweep up secondary players, especially users.

The DNI unreviewably advising on adversaries sounds bad in the abstract but has close to zero significance in practice. It's a domain knowledge test. What do you imagine the DNI currently does? What should it do?

I'll do a more thorough read tomorrow. Maybe I missed some key parts. I consider VPNs close to sacred for democracy, if they are under threat I will full-throatedly join your opposition here. I deeply want to know if you are right.

But "Congress plans to destroy internet" is classic nerdbait (it works because it is sadly so plausible), so I try to be somewhat epistemically cautious in these areas.

If you know any lawyers who work on national security law or M&A, ask their view after just giving them the raw text. Would also be interesting to get Orin Kerr's take.
