The 'Insanely Broad' RESTRICT Act Could Ban Much More Than Just TikTok

The RESTRICT Act, a proposed piece of legislation which provides one way the government might ban TikTok, contains “insanely broad” language and could lead to other apps or communications services with connections to foreign countries being banned in the U.S., multiple digital rights experts told Motherboard.

The bill could have implications not just for social networks, but potentially security tools such as virtual private networks (VPNs) that consumers use to encrypt and route their traffic, one said. Although the intention of the bill is to target apps or services that pose a threat to national security, these critics worry it may have much wider implications for the First Amendment.

“The RESTRICT Act is a concerning distraction with insanely broad language that raises serious human and civil rights concerns," Willmary Escoto, U.S. policy analyst for digital rights organization Access Now told Motherboard in an emailed statement. 

Riana Pfefferkorn, researcher scholar at the Stanford Internet Observatory, told Motherboard in an email “This bill certainly is troubling in that it would grant a great amount of power to the executive branch. That should be unsettling in any context: recent examples around the world, from Israel to China, are showing us the risks that arise from upsetting checks and balances to favor executive power.”

“It absolutely does implicate those free speech rights for Congress to give the President the power to take ‘appropriate’ action—up to and including banning—against a particular ICTS in the name of national security or Americans’ security and safety. (Even if you trust Joe Biden with this power, would you trust Donald Trump — who tried to ban TikTok as well as WeChat while in office — with it?),” she added.

The Restricting the Emergence of Security Threats that Risk Information and Communications Technology (RESTRICT) Act is led by Senators Mark Warner (D-VA) and John Thune (R-SD). The pair introduced the bill earlier this month, which is deliberately not limited to just TikTok. 

Under the RESTRICT Act, the Department of Commerce would identify information and communications technology products that a foreign adversary has any interest in, or poses an unacceptable risk to national security, the announcement reads. The bill only applies to technology linked to a “foreign adversary.” Those countries include China (as well as Hong Kong); Cuba; Iran; North Korea; Russia, and Venezuela.

The bill’s language includes vague terms such as “desktop applications,” “mobile applications,” “gaming applications,” “payment applications,” and “web-based applications.” It also targets applicable software that has more than 1 million users in the U.S.

“The RESTRICT Act could lead to apps and other ICT services with connections to certain foreign countries being banned in the United States. Any bill that would allow the US government to ban an online service that facilitates Americans' speech raises serious First Amendment concerns,” Caitlin Vogus, deputy director of the Center for Democracy & Technology’s Free Expression Project, told Motherboard in an emailed statement. “In addition, while bills like the RESTRICT Act may be motivated by legitimate privacy concerns, banning ICT services with connections to foreign countries would not necessarily help protect Americans' privacy. Those countries may still obtain data through other means, like by purchasing it from private data brokers.”

Escoto from Access Now added, “As written, the broad language in the RESTRICT Act could criminalize the use of a VPN, significantly impacting access to security tools and other applications that vulnerable people rely on for privacy and security.”

“Many individuals and organizations, including journalists, activists, and human rights defenders, use VPNs to protect their online activity from surveillance and censorship. The RESTRICT Act would expose these groups to monitoring and repression, which could have a chilling effect on free speech and expression,” Escoto wrote.

(Many VPN companies engage in misleading marketing practices which exaggerate their importance and alleged security benefits. Used correctly, and with a provider that does not introduce its own issues such as logging users’ traffic, VPNs can be a useful tool for digital security). 

Rachel Cohen, communications director for Senator Warner, responded by telling Motherboard in an email “This legislation is aimed squarely at companies like Kaspersky, Huawei and TikTok that create systemic risks to the United States’ national security—not at individual users.” She added “The threshold for criminal penalty in this bill is incredibly high—too high to ever be concerned with the actions of someone an individual user of TikTok or a VPN.”

With the bill’s introduction, Warner and Thune instead pointed to other foreign-linked companies that may pose their own security and privacy issues.

“Before TikTok, however, it was Huawei and ZTE, which threatened our nation’s telecommunications networks. And before that, it was Russia’s Kaspersky Lab, which threatened the security of government and corporate devices,” Warner said in a statement at the time. “We need a comprehensive, risk-based approach that proactively tackles sources of potentially dangerous technology before they gain a foothold in America, so we aren’t playing Whac-A-Mole and scrambling to catch up once they’re already ubiquitous.” 

Sens. Tammy Baldwin (D-WI), Deb Fischer (R-NE), Joe Manchin (D-WV), Jerry Moran (R-KS), Michael Bennet (D-CO), Dan Sullivan (R-AK), Kirsten Gillibrand (D-NY), Susan Collins (R-ME), Martin Heinrich (D-NM), and Mitt Romney (R-UT) are co-sponsors of the proposed legislation

Both Vogus and Escoto pointed to another potential solution: the U.S. passing a more fundamental privacy law.

“If Congress is serious about addressing risks to Americans’ privacy, it could accomplish far more by focusing its efforts on passing comprehensive privacy legislation like the American Data Privacy and Protection Act,” Vogus said.

Update: This piece has been updated to include comment from Senator Warner’s office and Riana Pfefferkorn.

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.