Opinion editor's note: Star Tribune Opinion publishes a mix of national and local commentaries online and in print each day. To contribute, click here.
Broad scope of proposed 'TikTok ban' law is trouble
The RESTRICT act, like the Computer Fraud and Abuse Act before it, promises to be a playground for prosecutors.
By J.T. Davies
•••
The RESTRICT Act — introduced to the U.S. Senate by Democrat Mark Warner of Virginia and Republican John Thune of South Dakota — is purported to be an effort to protect the privacy of Americans from "foreign adversaries," naming specifically China, Cuba, Iran, North Korea, Russia and the Maduro government of Venezuela. The bill has been characterized in the popular press as a "TikTok ban," referencing the popular China-based video streaming service (and the associated legitimate privacy concerns), but the actual scope of the law is far broader — and far more dangerous.
While the stated intention of the bill is only to target large, foreign firms that are believed to pose national security risks, it grants the government broad powers to regulate what online services Americans can access, and its language is broad enough to potentially allow for the prosecution of individual users of VPN services, which (while often overhyped by their providers for consumer use) remain a vital tool for journalists and human rights defenders.
The dangers of vague wording in technology law are not a matter of speculation. The Computer Fraud and Abuse Act of 1986 — which was inspired not by expert research but by Hollywood's 1983 Matthew Broderick thriller "War Games" — was originally intended to protect national security and intellectual property, but has instead been used as a blunt instrument to try and force plea deals by federal prosecutors, most infamously in the case of activist Aaron Swartz, who took his own life after being charged with 13 felonies by a prosecutor who wanted — in Swartz's lawyer's words — "juicy looking" cybercrime cases that would get "their name in the newspaper."
Swartz's crime? Violating the terms of service of a website. Swartz's method was more technically sophisticated than something like sharing a Netflix password, but the legal grounds for his prosecution had no distinction between the two. The prosecution proceeded despite the website's owners not wanting to press any criminal charges; advocates likened Swartz's prosecution to charging grand theft after someone checked too many books out of a library.
Tim Wu, former Biden administration adviser on tech issues, called the CFAA "the worst law in technology" in 2006. The key issue is the extremely broad language — it imposes criminal penalties if a user "exceeds authorized access" on a computer, but does not define in technical detail what "authorized access" is — this allowed for the prosecution of Swartz and many others, and was only decisively resolved in the 2021 case Van Buren v. United States, which ruled that "unauthorized access" did not include a user, on a computer they were allowed to access, accessing files that the computer allowed them to access — i.e., users would need to actually circumvent the intended function of the computer to be charged with a CFAA violation.
We don't need a second CFAA — and if the government is concerned with privacy rather than power, we've already seen successful models of laws to protect citizens' rights online. The European Union's General Data Protection Regulation establishes a sort of "digital bill of rights" for users, and has received praise from not only privacy groups and free software advocates but also Big Tech CEOs — Mark Zuckerberg called it "a very positive step for the internet," even as Facebook was taken to court twice by Austrian privacy activist Max Schrems.
The RESTRICT Act's name is telling — it's about restriction. It grants the Department of Commerce the unprecedented power to cut off access to services in the name of national security. Much like the PATRIOT Act before it, it uses fears of foreign influence to justify a substantial an ill-defined expansion of executive power. I do not doubt that the senators only intend to target large companies and perceived direct threats, but with textualism being the rule of the day in the Supreme Court, the intentions of the senators are little more than empty words.
TikTok's access to Americans' data is not some sinister scheme from Beijing, but the natural result of America's lax privacy protections. If we can take one lesson from the last few years, it's that we need to treat the disease, not the symptoms — even if it's more politically convenient to just blame everything on China.
J.T. Davies is an educator whose recent master's degree from the University of Minnesota was concentrated on human rights and technology.
about the writer
J.T. Davies
There are multiple reasons to dispute this debate assertion by JD Vance.