The recently-introduced bipartisan legislature may give users and lawmakers alike a bit more than they bargained for.
The Restricting the Emergence of Security Threats that Risk Information and Communications Technology (RESTRICT) Act would allow the U.S. Department of Commerce the power to review information and communications technology (ICT) products and services used by Americans.
If an ICT product (like TikTok) with millions of U.S. users (150M, specifically) is made by an entity (ByteDance) tied to a country labeled as a foreign adversary (China) – it may fall under this 55-page bill, introduced by Sen. Mark Warner (D-VA).
But What Does The RESTRICT Act Aim To Prevent?
Fundamentally, the Act aims to stop foreign adversaries from sabotaging ICT products or services, damaging critical infrastructure, interfering with Federal elections, steering U.S. policies and regulations for foreign benefit, or posing other risks to national security or the security of U.S. persons.
As for the risks these ICT products and services might pose, the main objective of the RESTRICT Act is to presumably shield critical infrastructures (like telecom and energy, for instance) that support national defense, government, and the economy from sabotage by so-called foreign adversaries.
It could protect the U.S. from risks associated with a foreign adversary having access to the content Americans share publicly and “privately” with technology that processes, stores, retrieves, or communicates information or data electronically.
But those technologies go far and beyond the likes of, say, TikTok.
They could include risks to:
Individuals who use a smartphone (like an iPhone with Chinese components) are secured with Kaspersky (Russian ties) at hospital workstations that store patient medical data.
Individuals may have their smartphone’s microphone and cameras enabled for the Telegram messenger or Badoo dating app (used by millions and developed in Russia) while working at a bank discussing consumer financial and credit information.
Individuals at organizations rely on Lenovo, a company founded in Beijing, for government, healthcare, and large enterprise solutions that process sensitive, personal information.
Individuals who discuss legal cases from a home office using a TP-Link router, founded in China, in a home secured with Blink cameras, assembled in China.
Individuals with businesses hosted on Amazon Web Services or Rackspace services in China.
What Happens To Risky Technology Under The RESTRICT Act?
While millions of U.S. shoppers may fear a ban on their favorite Chinese fashion app, SHEIN, that’s just one potential outcome for technology reviewed under the RESTRICT Act.
It’s worth noting that countries like China, Russia, and Iran block citizens from using Facebook and Twitter based on privacy concerns, what is perceived as misinformation, and national security. India blocks TikTok for similar reasons.
The U.S. Secretary of Commerce could use the Act to pressure entities from certain countries to sell holdings in technology Americans use – much like other areas of the U.S. government trying to get ByteDance, founded in Beijing, to separate TikTok U.S. from its current Chinese parent company.
Or, the Act could put pressure on companies to update data handling processes and create transparent policies.
TikTok’s latest commitments to safety and transparency seem not to affect politicians who want it banned.
Compliance with regional law can become costly for companies with global users. Those who want to succeed must have enough resources to meet all local data laws and regulations.
Bipartisan support for the RESTRICT Act includes 25 cosponsors, the Department of Commerce, and the White House.
It follows other bills recently introduced by the House and Senate to stop China from accessing U.S. citizens’ personal sensitive information, spying via the Internet, censoring American values, influencing American politics, or training algorithmic systems with Americans’ personal data.
While national security and infrastructure stability should be top priorities, the language in the RESTRICT Act leaves Americans with concerns.
What Type Of Technology Could Be Included Under The RESTRICT Act?
Unlike its predecessors, such as the DATA Act and Averting the National Threat of Internet Surveillance, Oppressive Censorship and Influence, and Algorithmic Learning by the Chinese Communist Party Act, the RESTRICT Act’s reach goes beyond a social media app.
It could be any hardware, software, product, service, or app linked to an entity in a foreign country deemed adversarial.
That encompasses various activities: web hosting, content delivery networks, cloud-based storage, artificial intelligence and machine learning, webcams, drones, desktop and mobile applications, gaming, payments, ecommerce, marketplaces, managed services, data transmission, and more.
What Data Could Be Available To The Government During Its Review Of Foreign ICT?
Each company has guidelines concerning the circumstances under which it will offer user data to law enforcement and government agencies.
TikTok outlines guidelines while acknowledging user rights. Apple offers a 20-page document on its process. Blink adheres to Amazon policies. Badoo manages a law enforcement portal.
Given that, data made available to the U.S. during this investigation could include information, documents, and reports related to an activity under investigation. The Secretary could release information unavailable to the public or commercially available if it’s of national interest or authorized by Federal law.
Would the government punish people who try to use an app banned by the RESTRICT Act through virtual private network (VPN) or onion services?
According to a Tweet from Warner:
“This bill wouldn’t enable criminal or civil penalties against anybody – regardless of their age – just for using a VPN to access a banned app. This bill is aimed squarely at corporations, not users.”
This likely means the government would punish the VPN services allowing people to connect to the banned app.
But the wording in the RESTRICT Act’s penalties section uses the word “person” 12 times before listing civil penalties (up to $250,000) and criminal penalties (up to $1,000,000 and/or 20 years in prison)”
“It shall be unlawful for a person to violate, attempt to violate, conspire to violate, or cause a violation of any regulation, order, direction, mitigation measure, prohibition, or other authorization or directive issued under this Act, including any of the unlawful acts described in paragraph (2).”
Persons are defined as citizens or nationals of the U.S. or any foreign country.
The bill has eight unlawful acts (violations), one of which is as follows:
“No person may engage in any transaction or take any other action with intent to evade the provisions of this Act, or any regulation, order, direction, mitigation measure, prohibition, or other authorization or directive issued thereunder.”
In civil and criminal cases, the United States can seize any real or tangible property or proceeds related to the unlawful acts defined in the Act.
Why Does All Of This Matter?
Data privacy and security concerns affect technology companies on a global scale.
Italy’s recent ban on ChatGPT is a reminder that anyone’s favorite product could become harder and more expensive to access if a government agency decides it’s a risk.
The RESTRICT Act is one of the most viewed and tracked bills in the U.S.
Featured image: mark reinstein/Shutterstock