We are experiencing an unmistakable acceleration in the long creeping global trend toward internet balkanization. Nations around the world are increasingly skeptical of friends and foes alike, from the European Union rethinking international data transfers to data localization mandates in India. Of course, no one tracing President Trump’s rhetoric was surprised to see the United States join the fray with a retaliatory response – the President campaigned on “America first” and never even so much as hinted that he would veer away from that. Yet, it is similarly unmistakable that the “America first” doctrine, when applied to the internet—a globally interconnected network whose smooth running hinges on resource sharing and cooperation—often results in outcomes that actually harm American internet users more than it helps them.
The much discussed TikTok Executive Order is perhaps most emblematic of the President’s counterproductive forays into internet governance. Back in August 2020, President Trump issued an Executive Order prohibiting U.S. businesses or entities subject to U.S. jurisdiction from performing transactions with TikTok, a subsidiary of Chinese company ByteDance, essentially banning the service in the United States at the expiration of a 45-day grace period. The Administration justified this action by claiming that TikTok’s terms of service allow it to collect wide swaths of data about its users that could endanger U.S. national security interests due to ByteDance’s obligations under Chinese law to share data with Chinese government authorities upon request. While a federal judge recently halted the order, writing that the “government’s own descriptions of the national security threat posed by the TikTok app are phrased in the hypothetical,” the harms would have been very real. As many, including the App Association, pointed out at the time, for the three months before the Executive Order was to take full effect, “banning TikTok” really just meant preventing future software updates – the Administration had no authority to delete existing apps from users’ phones. Opposite of its stated intention to protect consumer privacy, the order would restrict access to security updates and patches needed to keep the apps secure and safe.
Some in Congress are seeking to address the security concerns embedded in the Administration’s recent actions, introducing similarly targeted bills. For example, Senator Marco Rubio (R-FL) recently introduced S. 4869, the Adversarial Platform Prevention Act of 2020 (APP Act), which would require “high-risk” software providers (defined as any software provider operating out of, or storing the data of a U.S. person in, a “high-risk” country, such as China, Russia, Cuba, and Venezuela, among others) to provide a series of disclosures and prohibit any data collected on U.S. persons to be stored outside of the United States. Likewise, Republicans on the House Energy and Commerce Committee renewed efforts on their own legislation (H.R. 6969, the Telling Everyone the Location of data Leaving the U.S. Act or TELL Act), that would require websites and apps that maintain or store “information,” a term left undefined in the bill, in China to disclose whether that information can be accessed by the Chinese Communist Party. And in an bipartisan effort, Senators Rick Scott (R-FL) and Catherine Cortez Masto (D-NV) joined forces to introduce a bill (S. 4669, also called the APP Act – only this time APP Act stands for the American Privacy Protection Act) that would also require disclosures as to the storage location of data collected by an app.
Like the President’s Executive Order, these measures are intended to address real security issues associated with foreign adversaries accessing data on U.S. persons. But the compliance exercise would be deceptively complicated for app makers and the potential benefits of the disclosures these bills would require are diminished by the complexity of real-time, cloud-driven data storage. Many developers cobble together their product from open source software and lines of code created around the world. How useful would a consumer find a disclosure indicating that a developer in Venezuela wrote a single line of code in their app, for instance? On the other hand, ephemeral data storage in locations around the world are directly in the user’s interest. For instance, developers often rely on cloud providers that in turn rely on local caching to ensure a copy of the user’s data is proximate to them, so the user has convenient recall of the data. Similarly, cloud providers need to be able to move data around quickly for load balancing purposes and to create failover capacity. Without this capability, there likely would be widespread service interruptions to teleconferencing products, including at the outset of the COVID-19 pandemic. Disclosures around ephemeral data locations would be exceedingly difficult to arrange and of marginal value to consumers.
In the broader scope, the Trump administration and Congress’ efforts signal a disconcerting willingness to erect the foundations of a “domestic firewall” to counter China’s own firewall. That’s quite an about-face to the long-standing U.S. strategy to win over hearts and minds abroad by projecting liberal values of openness and freedom. Moreover, this posture also ignores a common-sense policy lever easily within reach that could help the United States lead by example, instead of drawing it into a tit-for-tat internet balkanization arms-race with China: comprehensive federal privacy legislation.
Such legislation, as has been introduced by members of both parties and that the App Association supports, would put guardrails around the type of sensitive information that large entities like TikTok can collect from users and share with third parties, naturally reducing the ability for foreign authorities to leverage such information against U.S.-based users and the country writ-large. Simply shutting off access to foreign-owned services and outlawing foreign data transfers, by contrast, fails to reckon with the underlying fact that such large troves of social media data exist to begin with – data that is not, in fact, exclusive to TikTok or particularly inaccessible to the Chinese government even if it does not reside on Chinese servers. The United States ought to combat China and compete in the global marketplace by setting a higher standard for data protection, transparency, and a commitment to the open internet, rather than taking cues from an authoritarian regime we are seeking to best.
Despite the unfortunate developments detailed above, the good news is that future policymaking is by no means path-dependent. The incoming Biden administration can and will likely overturn the TikTok Executive Order and spare us the tedium of any future appeals. It can be convinced to prioritize comprehensive privacy legislation over short-term fixes and wishful thinking of the APP Act(s) or the TELL Act. Such decisive action will take courage – after all, nationalist internet policies are a global phenomenon, and reprisal glows with bipartisan appeal. For the App Association, revealing how much of that glow is an illusion and explaining how the free and open internet protects both app developers and end users will be a key priority of the next four years.