The U.S. has several federal policy activities underway that could place new restrictions on TikTok, the popular social media platform owned by Chinese technology company ByteDance. These developments follow former President Trump’s August 2020 executive orders to ban TikTok and WeChat in the United States — which were overturned in the courts and subsequently revoked by President Biden in June 2021.

There are a number of concerns about TikTok’s impact on people in the United States. Debates continue about the degree to which TikTok – and the Chinese government – can use the application to learn sensitive information about its users and their families. There are also many people who are worried about data security, content manipulation, disinformation, and the addictiveness of the platform for children. Alongside these debates, several government actions or proposals to restrict TikTok in the U.S. are advancing.

These federal policy developments vary in their key supporters, and they also vary in their proposed outcome: some propose a complete ban on TikTok, some propose a partial ban on TikTok, and some propose to mitigate risks through security assurances rather than bans. Perhaps most importantly, these proposed restrictions effectively take different stances on the degree to which running software from Chinese companies creates risk for the U.S. Some proposals suggest that a middle-ground policy response is possible, such as a ban on the use of TikTok by certain groups like government employees. Other proposals call for a complete ban on the use of the platform, similar to what India has done. 

Policy Development 1: Reported CFIUS-TikTok Negotiations

  • Development: The Committee on Foreign Investment in the United States (CFIUS), an interagency committee that reviews foreign investments in the U.S. for national security risks, is reportedly negotiating a security agreement with TikTok. CFIUS has jurisdiction here because ByteDance, TikTok’s parent company based in China, bought the U.S. app Musical.ly in 2017 and integrated it into TikTok. Reportedly, CFIUS is pursuing an agreement that would permit TikTok to keep operating in the U.S., while addressing the government’s security concerns.
  • Lead: CFIUS
  • Risk Population: U.S. writ large (public and government)
  • Proposed Outcome: Mitigation agreement between TikTok and CFIUS
  • Implication: There is a middle ground between a complete ban and no ban at all.

Policy Development 2: Senate Bill to Ban TikTok on U.S. Government Devices

  • Development: The Senate passed Sen. Josh Hawley (R-MO)’s No TikTok on Government Devices Act on December 15, 2022. It would require the Office of Management and Budget (OMB) to develop standards for government device-holders to remove TikTok, with exceptions in place for those conducting law enforcement, security research, and other activities on U.S. government devices. The bill was included in the Senate’s Omnibus Appropriations bill, which passed last month.
  • Lead: Sen. Josh Hawley (R-MO)
  • Risk Population: U.S. government
  • Proposed Outcome: Complete ban on TikTok use on U.S. government devices
  • Implication: There is no middle ground when it comes to mitigating the security risks posed to the U.S. government.

Policy Development 3: Bipartisan Congressional Bill to Ban TikTok Completely

  • Development: Representatives Marco Rubio (R-FL), along with Representative Mike Gallagher (R-WI) and Raja Krishnamoorthi (D-IL), introduced the Averting the National Threat of Internet Surveillance, Oppressive Censorship and Influence, and Algorithmic Learning by the Chinese Communist Party Act on December 13, 2022. They called it the ANTI-SOCIAL CCP Act for short. The bill would essentially reattempt former President Trump’s executive order banning TikTok in August 2020 by calling on the president to invoke the International Emergency Economic Powers Act (IEEPA) to prohibit U.S. transactions with TikTok and ByteDance. Additionally, the bill makes it possible for policymakers to expand the list of prohibited foreign social media companies in the future, based on a set of security criteria.
  • Lead: Rep. Marco Rubio (R-FL), Rep. Mike Gallagher (R-WI), and Rep. Raja Krishnamoorthi (D-IL)
  • Risk Population: U.S. writ large (public and government)
  • Proposed Outcome: Complete ban on TikTok use in the United States
  • Implication: There is no middle ground when it comes to mitigating the security risks posed to the U.S. public.

Policy Development 4: Commerce Department Rulemaking on Software Supply Chain Security

  • Development: Former President Trump signed Executive Order 13873 in May 2019, which called on the Commerce Department to develop criteria for the executive branch to review information and communications technology (ICT) transactions in the U.S. seeking to identify undue risks to national security. The Commerce Department released a notice of proposed rulemaking in November 2021 laying out proposed criteria for these reviews, including a lack of reliable third-party auditing, the scope and sensitivity of data collected, and ownership of the technology by someone supporting foreign military or intelligence activities. Its rulemaking process is still underway and would apply to transactions initiated, pending, or completed after E.O. 13873 was signed in May 2019.
  • Lead: Department of Commerce
  • Risk Population: U.S. writ large (public and government)
  • Proposed Outcome: Potential undoing of ICT transactions, on a case-by-case basis, under the President’s IEEPA authorities
  • Implication: ICT supply chain transactions can pose national security risks, even when there is no foreign investment involved (which is already covered by     CFIUS).

These proposals are not all compatible. For example, a ban on TikTok use on government devices could be followed by a ban on TikTok use in the U.S. writ large. However, a complete ban on TikTok use in the U.S. would contradict CFIUS’ negotiations to establish a risk mitigation agreement, under which TikTok could keep its U.S. operations intact.

Clearly, there are U.S. policymakers with continued interest in restricting TikTok use in the U.S. There is also executive branch policy developing on supply chain security that could impact TikTok, although its focus goes far beyond the one platform. As these policy actions and proposals evolve, these decisions will have broader implications for American law, policy, and regulation on the risks associated with foreign technology companies, products, and services.

— 

David Hoffman is Steed Family Professor of the Practice of Cybersecurity Policy at Duke University’s Sanford School of Public Policy.

Justin Sherman is a Senior Fellow at Duke University’s Sanford School of Public Policy and the Founder and CEO of Global Cyber Strategies, a Washington, DC-based research and advisory firm.

David Hoffman & Justin Sherman

Read Next

Changing the Cybersecurity Mindset

Here are some recommendations to start the new year on how organizations can think differently about cybersecurity.

State Policy Blueprint Puts States at the Center of Digital Identity

State governments are perfectly positioned to lead the way in solving many of the digital identity problems. The Better Identity Coalition has six key initiatives focused on making identity systems work better.

K-12 Institutions at Risk of Cyber Attack

A new report shows that K-12 schools are at a higher risk of cyberattack from ransomware operators and hacktivists.