The Broad, Vague RESTRICT Act is a Dangerous Substitute for Comprehensive Data Privacy Legislation

By Jason Kelley and David Greene

The recently introduced RESTRICT Act (S. 686, Sen. Warner and Sen. Thune) rightfully is causing a lot of concern. This bill is being called a “TikTok ban,” but it’s more complicated than that. As we wrote in our initial review of the bill, the RESTRICT Act would authorize the executive branch to block “transactions” and “holdings” of “foreign adversaries” that involve “information and communication technology” and create “undue or unacceptable risk” to national security and more.

We’ve explained our opposition to the RESTRICT Act and urged everyone who agrees to take action against it. But we’ve also been asked to address some of the concerns raised by others. We do that here in this post.

At its core, RESTRICT would exempt certain information services from the federal statute, known as the Berman Amendments, which protects the free flow of information in and out of the United States and supports the fundamental freedom of expression and human rights concerns. RESTRICT would give more power to the executive branch and remove many of the commonsense restrictions that exist under the Foreign Intelligence Services Act (FISA) and the aforementioned Berman Amendments.

But S. 686 also would do a lot more.

EFF opposes the bill, and encourages you to reach out to your representatives to ask them not to pass it. Our reasons for opposition are primarily that this bill is being used as a cudgel to protect data from foreign adversaries, but under our current data privacy laws, there are many domestic adversaries engaged in manipulative and invasive data collection as well. Separately, handing relatively unchecked power over to the executive branch to make determinations about what sort of information technologies and technology services are allowed to enter the U.S. is dangerous. If Congress is concerned about foreign powers collecting our data, it should focus on comprehensive consumer data privacy legislation that will have a real impact, and protect our data no matter what platform it’s on—TikTok, Facebook, Twitter, or anywhere else that profits from our private information. That’s why EFF supports such consumer data privacy legislation. Foreign adversaries won’t be able to get our data from social media companies if the social media companies aren’t allowed to collect, retain, and sell it in the first place.

TAKE ACTION

TELL CONGRESS: DON’T PASS THE RESTRICT ACT

Would the RESTRICT Act result in a “ban” on the personal use of TikTok? It’s unclear.

This bill is not a “ban” on personal use, or even on a technology directly. The bill may result in a ban on TikTok because it grants the Commerce Department such broad authority. That ban may take the form of removing it from app stores or a forced sale, or other mitigation measures imposed against the owners of the technologies. The RESTRICT Act makes use of mitigation measures that have been used under the International Emergency Economic Powers Act and by the Committee on Foreign Investment in the United States. The bill applies to six “foreign adversaries” (China, Cuba, Iran, North Korea, Russia, and Venezuela), and could be expanded to other countries. Though the bill is being referred to as a TikTok ban by many, it can be applied to other companies, like Huawei or Kaspersky, which are headquartered in those countries; indeed, Sen. Warner, the bill’s co-sponsor has identified those companies as the bill’s primary targets.

As of yet, the U.S. government has not shared information that would justify a forced sale or ban of TikTok from app stores, or other possible mitigation measures. As we’ve written, the government will have to demonstrate that any mitigation measure is narrowly tailored  to prevent the harm it has identified.

Unfortunately, three provisions of the RESTRICT Act make it less likely that the public would ever learn whether U.S. officials actually have information to justify the mitigation measures authorized by the bill.

Privacy Action Plan – Live Your Life Online Again With Zero Fear

(Sign Up Risk-Free Today)

First, while Congress can override the designation or de-designation of a “foreign adversary,” it has no other role.

Second, any lawsuit challenging a ban would be constrained in scope and the amount of discovery—again, limiting what the public could learn about how the bill is applied. Discovery can lead to the release of information that helps the public learn how a law is applied and why, but this law would limit what the public could learn, as well as the ways in which a case could proceed.

Third, the executive branch need not publicly explain its application of the law if doing so is not “practicable” and “consistent with … national security and law enforcement interests.” Those “interests” are also not defined, and we have written many times before about the problems with overclassification of national security information. In this case, that means crucial transparency is missing from the process.

Overall, the law authorizes the executive branch to make decisions about which technologies can enter the U.S. with extremely limited oversight by the public or its representatives about the law’s application.

Could a person be punished under the law for using a VPN to access TikTok if its U.S. access is restricted? Potentially.

Recent comments by one of the authors, Sen. Warner, indicate that the bill is meant to be used to punish companies, not users who might access a product like TikTok after it is restricted. But the law does not itself place limits on mitigation measures or bar individual user prohibitions, and the resulting uncertainty is troubling.

The bill authorizes the Department of Commerce to impose “mitigation measures” without any restrictions on what those measures might be. Couple that with a vague enforcement provision that grants the power to broadly punish any person who “evades” these undefined “mitigation measures,” and the result is a law that can be read as criminalizing common practices like using a VPN to get a prohibited app, side-loaded installations, or using an app that was lawfully downloaded somewhere else.

Even if the bills’ sponsors do not intend it, giving the Commerce Department broad authority to impose crushing criminal penalties on any person trying to evade a “mitigation measure”  is dangerous. For example, in the case of a mitigation measure that bars the importation of TikTok into the U.S., it authorizes penalties, including 25 years of prison time, for any person who brings TikTok into the U.S., whether by use of a VPN or downloading it while in another country.

Congress absolutely should tighten this penalty language to remove all possibility of prosecution against individuals who use an app.

TAKE ACTION

TELL CONGRESS: DON’T PASS THE RESTRICT ACT

Is the RESTRICT Act a surveillance bill that would allow the government access to your devices? Not exactly. But it is far too broad in the power it gives to investigate potential user data.

Under the bill, the Commerce Secretary can demand information from “any party to a transaction or holding under review or investigation.” In theory, a company designated under the bill, such as TikTok, could be required to cough up user data during these investigations. There are some important confidentiality requirements protecting this data, but it could be shared with other government entities in some specific circumstances.

We find another concern that others have raised to be largely misplaced. Some have read the bill as authorizing investigations into any website that has a foreign entity’s pixel embedded in it. These companies would then have to produce user data to the Commerce Department. We don’t share this concern because it would require interpreting the law to say that merely using a website pixel means your site is a holding of a foreign adversary. Thankfully, the definition of “holding” under the bill is not this broad.

This misinterpretation and other overly strained readings of the law have been shared widely on both social media and in the news, and are understandable given the broad language in the bill. This is sweeping legislation that would have Congress abdicate much of its responsibility in holding the executive branch accountable, and leaving any room for misinterpretation is a problem. The confusing language here is another failure of the bill.

For those concerned about such sweeping surveillance powers, we encourage you to ask your representative to reform Section 702 of the Foreign Intelligence Surveillance Act. Under Section 702, the FBI conducted up to 3.4 million warrantless searches of Section 702 data to find Americans’ communications in 2021 alone. Join this fight and you will be in good company: we and a large number of civil liberties and civil rights groups have been fighting for FISA reform for a decade.

Take Action

The RESTRICT Act is absolutely the wrong approach to protecting data privacy. It would open the door to wide-ranging government bans on hardware or software from foreign countries with no explanations needed, little transparency, limited challenges via litigation, and limited congressional oversight.

The law also intentionally removes current checks on executive power, which are necessary even in the realm of foreign relations. RESTRICT skirts these checks by providing only minimal Congressional review. The free flow of information, even if it’s your enemy speaking, is an essential democratic principle. The U.S. government often condemns similar actions that restrict certain communications technologies in other countries. Going around these protocols could weaken our credibility when doing so in the future.

RESTRICT is also vague and broadly written, and could be interpreted (and has) in various troubling ways. Numerous organizations oppose the bill, including ACLU, Fight for the Future, and the Center for Democracy and Technology. As such, we encourage you to reach out to your representative to tell them not to pass the bill.

TAKE ACTION

TELL CONGRESS: DON’T PASS THE RESTRICT ACT

Source: EFF

Jason Kelley – In addition to focusing on student privacy, surveillance, and free speech issues, Jason ensures that EFF’s campaigns are seen by as many people as possible. Before joining EFF, Jason managed marketing strategy and content for a software company that helps non-programmers learn to code, and advertising and marketing analytics for a student loan startup. Jason received his BA in English and Philosophy from Kent State University and an M.F.A. in creative writing from The University of the South. He tries daily to apply advice from his professor Sam Pickering, the inspiration for Robin Williams’ character in Dead Poets Society: “Take out the extra words. Make it go quicker.”

David Greene – David Greene, Senior Staff Attorney and Civil Liberties Director, has significant experience litigating First Amendment issues in state and federal trial and appellate courts. David currently serves on the steering committee of the Free Expression Network, the governing committee of the ABA Forum on Communications Law, and on advisory boards for several arts and free speech organizations across the country. David is also an adjunct professor at the University of San Francisco School of Law, where he teaches classes in First Amendment and media law and was formerly an instructor in the journalism department at San Francisco State University. He has written and lectured extensively on many areas of First Amendment Law, including as a contributor to the International Encyclopedia of Censorship. Before joining EFF, David was for twelve years the Executive Director and Lead Staff Counsel for First Amendment Project, where he worked with EFF on numerous cases including Bunner v. DVDCCA. David also previously served as program director of the National Campaign for Freedom of Expression where he was the principal contributor and general editor of the NCFE Quarterly and the principal author of the NCFE Handbook to Understanding, Preparing for and Responding to Challenges to your Freedom of Artistic Expression. He also practiced with the firms Bryan Cave LLP and Hancock, Rothert & Bunshoft. Way back in 1998, he was a founding member, with David Sobel and Shari Steele, of the Internet Free Expression Alliance. He is a 1991 graduate of Duke University School of Law.

Become a Patron!
Or support us at SubscribeStar
Donate cryptocurrency HERE

Subscribe to Activist Post for truth, peace, and freedom news. Follow us on SoMee, Telegram, HIVE, Flote, Minds, MeWe, Twitter, Gab, What Really Happened and GETTR.

Provide, Protect and Profit from what’s coming! Get a free issue of Counter Markets today.


Activist Post Daily Newsletter

Subscription is FREE and CONFIDENTIAL
Free Report: How To Survive The Job Automation Apocalypse with subscription

Be the first to comment on "The Broad, Vague RESTRICT Act is a Dangerous Substitute for Comprehensive Data Privacy Legislation"

Leave a comment