The recently introduced RESTRICT Act (S. 686, Sen. Warner and Sen. Thune) rightfully is causing a lot of concern. This bill is being called a “TikTok ban,” but it’s more complicated than that. As we wrote in our initial review of the bill, the RESTRICT Act would authorize the executive branch to block “transactions” and “holdings” of “foreign adversaries” that involve “information and communication technology” and create “undue or unacceptable risk” to national security and more.
We've explained our opposition to the RESTRICT Act and urged everyone who agrees to take action against it. But we've also been asked to address some of the concerns raised by others. We do that here in this post.
At its core, RESTRICT would exempt certain information services from the federal statute, known as the Berman Amendments, which protects the free flow of information in and out of the United States and supports the fundamental freedom of expression and human rights concerns. RESTRICT would give more power to the executive branch and remove many of the commonsense restrictions that exist under the Foreign Intelligence Services Act (FISA) and the aforementioned Berman Amendments.
But S. 686 also would do a lot more.
EFF opposes the bill, and encourages you to reach out to your representatives to ask them not to pass it. Our reasons for opposition are primarily that this bill is being used as a cudgel to protect data from foreign adversaries, but under our current data privacy laws, there are many domestic adversaries engaged in manipulative and invasive data collection as well. Separately, handing relatively unchecked power over to the executive branch to make determinations about what sort of information technologies and technology services are allowed to enter the U.S. is dangerous. If Congress is concerned about foreign powers collecting our data, it should focus on comprehensive consumer data privacy legislation that will have a real impact, and protect our data no matter what platform it’s on—TikTok, Facebook, Twitter, or anywhere else that profits from our private information. That’s why EFF supports such consumer data privacy legislation. Foreign adversaries won't be able to get our data from social media companies if the social media companies aren't allowed to collect, retain, and sell it in the first place.
TELL CONGRESS: DON'T PASS THE RESTRICT ACT
Would the RESTRICT Act result in a “ban” on the personal use of TikTok? It’s unclear.
This bill is not a “ban” on personal use, or even on a technology directly. The bill may result in a ban on TikTok because it grants the Commerce Department such broad authority. That ban may take the form of removing it from app stores or a forced sale, or other mitigation measures imposed against the owners of the technologies. The RESTRICT Act makes use of mitigation measures that have been used under the International Emergency Economic Powers Act and by the Committee on Foreign Investment in the United States. The bill applies to six “foreign adversaries” (China, Cuba, Iran, North Korea, Russia, and Venezuela), and could be expanded to other countries. Though the bill is being referred to as a TikTok ban by many, it can be applied to other companies, like Huawei or Kaspersky, which are headquartered in those countries; indeed, Sen. Warner, the bill’s co-sponsor has identified those companies as the bill’s primary targets.
As of yet, the U.S. government has not shared information that would justify a forced sale or ban of TikTok from app stores, or other possible mitigation measures. As we’ve written, the government will have to demonstrate that any mitigation measure is narrowly tailored to prevent the harm it has identified.
Unfortunately, three provisions of the RESTRICT Act make it less likely that the public would ever learn whether U.S. officials actually have information to justify the mitigation measures authorized by the bill.
First, while Congress can override the designation or de-designation of a “foreign adversary,” it has no other role.
Second, any lawsuit challenging a ban would be constrained in scope and the amount of discovery—again, limiting what the public could learn about how the bill is applied. Discovery can lead to the release of information that helps the public learn how a law is applied and why, but this law would limit what the public could learn, as well as the ways in which a case could proceed.
Third, the executive branch need not publicly explain its application of the law if doing so is not “practicable” and “consistent with … national security and law enforcement interests.” Those “interests” are also not defined, and we have written many times before about the problems with overclassification of national security information. In this case, that means crucial transparency is missing from the process.
Overall, the law authorizes the executive branch to make decisions about which technologies can enter the U.S. with extremely limited oversight by the public or its representatives about the law’s application.
Could a person be punished under the law for using a VPN to access TikTok if its U.S. access is restricted? Potentially.
Recent comments by one of the authors, Sen. Warner, indicate that the bill is meant to be used to punish companies, not users who might access a product like TikTok after it is restricted. But the law does not itself place limits on mitigation measures or bar individual user prohibitions, and the resulting uncertainty is troubling.
The bill authorizes the Department of Commerce to impose “mitigation measures” without any restrictions on what those measures might be. Couple that with a vague enforcement provision that grants the power to broadly punish any person who “evades” these undefined “mitigation measures,” and the result is a law that can be read as criminalizing common practices like using a VPN to get a prohibited app, side-loaded installations, or using an app that was lawfully downloaded somewhere else.
Even if the bills’ sponsors do not intend it, giving the Commerce Department broad authority to impose crushing criminal penalties on any person trying to evade a “mitigation measure” is dangerous. For example, in the case of a mitigation measure that bars the importation of TikTok into the U.S., it authorizes penalties, including 25 years of prison time, for any person who brings TikTok into the U.S., whether by use of a VPN or downloading it while in another country.
Congress absolutely should tighten this penalty language to remove all possibility of prosecution against individuals who use an app.
TELL CONGRESS: DON'T PASS THE RESTRICT ACT
Is the RESTRICT Act a surveillance bill that would allow the government access to your devices? Not exactly. But it is far too broad in the power it gives to investigate potential user data.
Under the bill, the Commerce Secretary can demand information from “any party to a transaction or holding under review or investigation.” In theory, a company designated under the bill, such as TikTok, could be required to cough up user data during these investigations. There are some important confidentiality requirements protecting this data, but it could be shared with other government entities in some specific circumstances.
We find another concern that others have raised to be largely misplaced. Some have read the bill as authorizing investigations into any website that has a foreign entity's pixel embedded in it. These companies would then have to produce user data to the Commerce Department. We don't share this concern because it would require interpreting the law to say that merely using a website pixel means your site is a holding of a foreign adversary. Thankfully, the definition of “holding” under the bill is not this broad.
This misinterpretation and other overly strained readings of the law have been shared widely on both social media and in the news, and are understandable given the broad language in the bill. This is sweeping legislation that would have Congress abdicate much of its responsibility in holding the executive branch accountable, and leaving any room for misinterpretation is a problem. The confusing language here is another failure of the bill.
For those concerned about such sweeping surveillance powers, we encourage you to ask your representative to reform Section 702 of the Foreign Intelligence Surveillance Act. Under Section 702, the FBI conducted up to 3.4 million warrantless searches of Section 702 data to find Americans’ communications in 2021 alone. Join this fight and you will be in good company: we and a large number of civil liberties and civil rights groups have been fighting for FISA reform for a decade.
The RESTRICT Act is absolutely the wrong approach to protecting data privacy. It would open the door to wide-ranging government bans on hardware or software from foreign countries with no explanations needed, little transparency, limited challenges via litigation, and limited congressional oversight.
The law also intentionally removes current checks on executive power, which are necessary even in the realm of foreign relations. RESTRICT skirts these checks by providing only minimal Congressional review. The free flow of information, even if it’s your enemy speaking, is an essential democratic principle. The U.S. government often condemns similar actions that restrict certain communications technologies in other countries. Going around these protocols could weaken our credibility when doing so in the future.
RESTRICT is also vague and broadly written, and could be interpreted (and has) in various troubling ways. Numerous organizations oppose the bill, including ACLU, Fight for the Future, and the Center for Democracy and Technology. As such, we encourage you to reach out to your representative to tell them not to pass the bill.
TELL CONGRESS: DON'T PASS THE RESTRICT ACT