Further Action On TikTok Divestment and Ban But No Changes

TikTok sues to block the CFIUS order that it divest and the Trump Administration files an appeal of an injunction.

Even though the Trump Administration’s efforts to implement its ban of TikTok have gone nowhere as numerous courts have enjoined the enforcement of the orders, TikTok filed suit against the related order that the company divest Musical.ly primarily on the grounds that the technology that supposedly threatens United States (U.S.) national security is unrelated to the acquisition. Moreover, the day after this suit was filed, a key U.S. agency announced a delay of the divestment order. In a related action, the Trump Administration filed to appeal one of the injunctions blocking it from moving forward on banning the People’s Republic of China (PRC) app. Depending on how long it takes for the federal court to resolve this suit, a Biden Administration Department of Justice (DOJ) may take a different tack than the Trump DOJ.

The day before the divestment order was set to take effect, TikTok asked the United States Court of Appeals for the District of Columbia to review “the Presidential Order Regarding the Acquisition of Musical.ly by ByteDance Ltd., 85 Fed. Reg. 51,297 (Aug. 14, 2020) (the “Divestment Order”), and the related action of the Committee on Foreign Investment in the United States (CFIUS), including its determination to reject mitigation, truncate its review and investigation, and refer the matter to the President.” TikTok asserted:

The Divestment Order and the CFIUS Action seek to compel the wholesale divestment of TikTok, a multi-billion-dollar business built on technology developed by Petitioner ByteDance Ltd. (“ByteDance”), based on the government’s purported national security review of a three-year- old transaction that involved a different business. This attempted taking exceeds the authority granted to Respondents under Section 721, which authorizes CFIUS to review and the President to, at most, prohibit a specified “covered transaction” to address risks to national security created by that transaction. Here, that covered transaction was ByteDance’s acquisition of the U.S. business of another Chinese- headquartered company, Musical.ly—a transaction that did not include the core technology or other aspects of the TikTok business that have made it successful and yet which the Divestment Order now seeks to compel ByteDance to divest.

TikTok also made claims that CFIUS violated the Due Process Clause of the Fifth Amendment, violated the Administrative Procedures Act, and is proposing a “taking” illegal under the Fifth Amendment.

And yet, the Department of the Treasury, the lead agency in the CFIUS process, issued a statement, explaining that the deadline for divestiture had been pushed back by 15 days:

The President’s August 14 Order requires ByteDance and TikTok Inc. to undertake specific divestments and other measures to address the national security risk arising from ByteDance’s acquisition of Musical.ly.  Consistent with the Order, the Committee on Foreign Investment in the United States (CFIUS) has granted ByteDance a 15-day extension of the original November 12, 2020 deadline.  This extension will provide the parties and the Committee additional time to resolve this case in a manner that complies with the Order.   

The Trump Administration may successfully argue that a delay of the order means the court cannot rule on TikTok’s suit. Consequently, this suit may well get pushed into a Biden Administration.

TikTok issued this statement along with the filing of its suit:

For a year, TikTok has actively engaged with CFIUS in good faith to address its national security concerns, even as we disagree with its assessment. In the nearly two months since the president gave his preliminary approval to our proposal to satisfy those concerns, we have offered detailed solutions to finalize that agreement—but have received no substantive feedback on our extensive data privacy and security framework.

Of course, because of the CFIUS divestment order, ByteDance seems to have reached an agreement with Oracle and Walmart, but what they exactly agreed to remains an open question.

In mid-September, the Trump Administration paused its notice for implementing the Executive Order (EO) against TikTok because of agreement in principles of a deal that would permit Oracle and Walmart to control a certain percentage of TikTok in the U.S. However, the details of which entity would control what remain murky with ByteDance arguing that U.S. entities will not control TikTok, but assertions to the opposite being made by the company’s U.S. partners. In the weekend before the EO has set to take effect, it appeared Oracle and Walmart would be able to take a collective 20% stake in a new entity TikTok Global that would operate in the U.S. Walmart has been partnering with Microsoft, but when the tech giant failed in its bid, Walmart began talks with Oracle. ByteDance would have a stake in the company but not majority control according to some sources. However, ByteDance began pushing back on that narrative as President Donald Trump declared after word of a deal leaked “if we find that [Oracle and Walmart] don’t have total control, then we’re not going to approve the deal.” Moreover, $5 billion would be used for some sort of educational fund. However, it is hard to tell what exactly would occur and whether this is supposed to be the “finder’s fee” of sorts Trump had said the U.S. would deserve from the deal.

On 19 September, the U.S. Department of Commerce issued a statement pushing back the effective date of the order against TikTik from 20 September to 27 September because of “recent positive developments.” The same day, the U.S. Department of the Treasury released a statement, explaining:

The President has reviewed a deal among Oracle, Walmart, and TikTok Global to address the national security threat posed by TikTok’s operations. Oracle will be responsible for key technology and security responsibilities to protect all U.S. user data. Approval of the transaction is subject to a closing with Oracle and Walmart and necessary documentation and conditions to be approved by Committee on Foreign Investment in the United States (CFIUS). 

TikTok also released a statement, asserting

We’re pleased that today we’ve confirmed a proposal that resolves the Administration’s security concerns and settles questions around TikTok’s future in the US. Our plan is extensive and consistent with previous CFIUS resolutions, including working with Oracle, who will be our trusted cloud and technology provider responsible for fully securing our users’ data. We are committed to protecting our users globally and providing the highest levels of security. Both Oracle and Walmart will take part in a TikTok Global pre-IPO financing round in which they can take up to a 20% cumulative stake in the company. We will also maintain and expand the US as TikTok Global’s headquarters while bringing 25,000 jobs across the country.

Walmart issued its own statement on 19 September:

While there is still work to do on final agreements, we have tentatively agreed to purchase 7.5% of TikTok Global as well as enter into commercial agreements to provide our ecommerce, fulfillment, payments and other omnichannel services to TikTok Global. Our CEO, Doug McMillon, would also serve as one of five board members of the newly created company. In addition, we would work toward an initial public offering of the company in the United States within the next year to bring even more ownership to American citizens. The final transaction will need to be approved by the relevant U.S. government agencies.

The same day, Oracle and Walmart released a joint statement:

  • The President has announced that ByteDance has received tentative approval for an agreement with the U.S. Government to resolve the outstanding issues, which will now include Oracle and Walmart together investing to acquire 20% of the newly formed TikTok Global business.
  • As a part of the deal, TikTok is creating a new company called TikTok Global that will be responsible for providing all TikTok services to users in United States and most of the users in the rest of the world. Today, the administration has conditionally approved a landmark deal where Oracle becomes TikTok’s secure cloud provider.
  • TikTok Global will be majority owned by American investors, including Oracle and Walmart. TikTok Global will be an independent American company, headquartered in the U.S., with four Americans out of the five member Board of Directors.
  • All the TikTok technology will be in possession of TikTok Global, and comply with U.S. laws and privacy regulations. Data privacy for 100 million American TikTok users will be quickly established by moving all American data to Oracle’s Generation 2 Cloud data centers, the most secure cloud data centers in the world.
  • In addition to its equity position, Walmart will bring its omnichannel retail capabilities including its Walmart.com assortment, eCommerce marketplace, fulfillment, payment and measurement-as-a-service advertising service.
  • TikTok Global will create more than 25,000 new jobs in the Unites States and TikTok Global will pay more than $5 billion in new tax dollars to the U.S. Treasury.
  • TikTok Global, together with Oracle, SIG, General Atlantic, Sequoia, Walmart and Coatue will create an educational initiative to develop and deliver an AI-driven online video curriculum to teach children from inner cities to the suburbs, a variety of courses from basic reading and math to science, history and computer engineering.
  • TikTok Global will have an Initial Public Offering (IPO) in less than 12 months and be listed on a U.S. Exchange. After the IPO, U.S. ownership of TikTok Global will increase and continue to grow over time.

A day later, Oracle went further in a statement to the media claiming, “ByteDance will have no ownership in TikTok Global,” which is a different message than the one the company was sending. For example, in a blog post, ByteDance stated “[t]he current plan does not involve the transfer of any algorithms or technology…[but] Oracle has the authority to check the source code of TikTok USA.”

On a related note, the DOJ filed a notice of appeal of an injunction barring the implementation of the TikTok issued in late October. Three TikTok influencers had filed suit and lost their motion for a preliminary injunction. However, after District Court of the District of Columbia granted TikTok’s request to stop the Department of Commerce from enforcing the first part of the order implementing the ban, the three influencers revised their motion and refiled.

Judge Wendy Beetlestone found that the Trump Administration exceeded its powers under the International Emergency Economic Powers Act (IEEPA) in issuing part of its TikTok order effectuating the ban set to take effect on 12 November:

  • Any provision of internet hosting services, occurring on or after 11:59 p.m. eastern standard time on November 12, 2020, enabling the functioning or optimization of the TikTok mobile application[;]
  • Any provision of content delivery network services, occurring on or after 11:59 p.m. eastern standard time on November 12, 2020, enabling the functioning or optimization of the TikTok mobile application[;]
  • Any provision of directly contracted or arranged internet transit or peering services, occurring on or after 11:59 p.m. eastern standard time on November 12, 2020, enabling the functioning or optimization of the TikTok mobile application[;and]
  • Any utilization, occurring on or after 11:59 p.m. eastern standard time on November 12, 2020, of the TikTok mobile application’s constituent code, functions, or services in the functioning of software or services developed and/or accessible within the land and maritime borders of the United States and its territories.

Beetlestone found that the limit on the use of IEEPA powers to regulate information is clearly implicated by Commerce’s order, which proposes to do just that. Consequently, this is not a legal use of IEEPA powers. The judge also found the plaintiffs would be irreparably harmed through a loss of their audiences and brand sponsorships:

Plaintiffs challenge the Commerce Identification on both statutory and constitutional grounds. First, they contend that the Commerce Identification violates both the First and Fifth Amendments to the U.S. Constitution. They then contend that the Commerce Identification violates the Administrative Procedure Act,5 U.S.C. §701 et seq.,as it is both arbitrary and capricious, see id.§706(2)(A), and ultra vires, see id. § 706(2)(C). Plaintiffs’ ultra vires claim consists of three separate arguments: (1) the Commerce Identification contravenes IEEPA’s “informational materials” exception, 50 U.S.C. § 1702(b)(3); (2) the Commerce Identification contravenes IEEPA’s prohibition on the regulation of “personal communication[s] . . . not involv[ing] a transfer of anything of value,” id. § 1702(b)(1), and (3) the Commerce Identification is not responsive to the national emergency declared in the ICTS Executive Order, and therefore requires the declaration of a new national emergency to take effect, see id. §1701(b).

In the first injunction granted against the TikTok ban, the court found that TikTok’s claims on the misuse of IEEPA, 50 U.S.C. §§ 1701–08, the primary authority President Donald Trump relied on in his executive order banning the app, were unpersuasive. The court conceded “IEEPA contains a broad grant of authority to declare national emergencies and to prohibit certain transactions with foreign countries or foreign nationals that pose risks to the national security of the United States.” But, the court noted “IEEPA also contains two express limitations relevant here: the “authority granted to the President . . . does not include the authority to regulate or prohibit, directly or indirectly” either (a) the importation or exportation of “information or informational materials”; or (b) “personal communication[s], which do[] not involve a transfer of anything of value.” The court concluded:

In sum, the TikTok Order and the Secretary’s prohibitions will have the intended effect of stopping U.S. users from communicating (and thus sharing data) on TikTok. To be sure, the ultimate purpose of those prohibitions is to protect the national security by preventing China from accessing that data and skewing content on TikTok. And the government’s actions may not constitute direct regulations or prohibitions of activities carved out by 50 U.S.C. 1702(b). But Plaintiffs have demonstrated that they are likely to succeed on their claim that the prohibitions constitute indirect regulations of “personal communication[s]” or the exchange of “information or informational materials.”

After considering the risks of irreparable harm to TikTok and the equities and public interest, the court decided:

Weighing these interests together with Plaintiffs’ likelihood of succeeding on their IEEPA claim and the irreparable harm that Plaintiffs (and their U.S. users) will suffer absent an injunction, the Court concludes that a preliminary injunction is appropriate.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Olivier Bergeron from Pexels

Court Issues Injunction On First Part of TikTok Ban

The Trump Administration’s efforts to start banning TikTok is blocked by a federal court, its second defeat this month.

A federal court has granted a request made by TikTok to stop the first part of an order that would have required Apple and Google to remove the Chinese app from its stores or providing updates. The court was not persuaded by the President’s use of his emergency powers in ways that are contrary to the text of the law regarding information, information services, and personal communication. It is likely the Trump Administration appeals even though it appears TikTok has a very good chance of winning on the merits. However, this injunction does not effect, at present, the four other provisions in the order, and nor does it have any relevance on the order by the inter-agency group to ByteDance to unwind the deal that brought it musical.ly

The District Court of the District of Columbia granted TikTok’s request to stop the Department of Commerce from enforcing the first part of the order implementing the ban:

Any provision of services, occurring on or after 11:59 p.m. eastern standard time on September 27, 2020, to distribute or maintain the TikTok mobile application, constituent code, or application updates through an online mobile application store

The court found that TikTok’s claims on the misuse of “International Emergency Economic Powers Act” (IEEPA), 50 U.S.C. §§ 1701–08, the primary authority President Donald Trump relied on in his executive order banning the app, were unpersuasive. The court conceded “IEEPA contains a broad grant of authority to declare national emergencies and to prohibit certain transactions with foreign countries or foreign nationals that pose risks to the national security of the United States.” But, the court noted “IEEPA also contains two express limitations relevant here: the “authority granted to the President . . . does not include the authority to regulate or prohibit, directly or indirectly” either (a) the importation or exportation of “information or informational materials”; or (b) “personal communication[s], which do[] not involve a transfer of anything of value.” The court concluded:

In sum, the TikTok Order and the Secretary’s prohibitions will have the intended effect of stopping U.S. users from communicating (and thus sharing data) on TikTok. To be sure, the ultimate purpose of those prohibitions is to protect the national security by preventing China from accessing that data and skewing content on TikTok. And the government’s actions may not constitute direct regulations or prohibitions of activities carved out by 50 U.S.C. 1702(b). But Plaintiffs have demonstrated that they are likely to succeed on their claim that the prohibitions constitute indirect regulations of “personal communication[s]” or the exchange of “information or informational materials.”

After considering the risks of irreparable harm to TikTok and the equities and public interest, the court decided:

Weighing these interests together with Plaintiffs’ likelihood of succeeding on their IEEPA claim and the irreparable harm that Plaintiffs (and their U.S. users) will suffer absent an injunction, the Court concludes that a preliminary injunction is appropriate.

This is the second defeat of the Trump Administration’s efforts to ban companies from the People’s Republic of China (PRC) this month. On 19 September, a magistrate judge in San Francisco granted a preliminary injunction against the Trump Administration’s implementation of the WeChat order. As explained in a footnote, “[t]he plaintiffs are U.S. WeChat Users Alliance, a nonprofit formed to challenge the WeChat Executive Order, and individual and business users.” In short, they contended that the WeChat ban

(1) violates the First Amendment to the U.S. Constitution,

(2) violates the Fifth Amendment,

(3) violates the Religious Freedom Restoration Act, 42 U.S.C. § 2000bb(1)(a),

(4) was not a lawful exercise of the President’s and the Secretary’s authority under IEEPA— which allows the President to prohibit “transactions” in the interest of national security — because the IEEPA, 50 U.S.C. § 1702(b)(1), does not allow them to regulate personal communications, and

(5) violates the Administrative Procedures Act (“APA”) because the Secretary exceeded his authority under the IEEPA and should have promulgated the rule through the notice-and-comment rulemaking procedures in 5 U.S.C. § 553(b).

The judge granted the motion for a preliminary injunction “on the ground that the plaintiffs have shown serious questions going to the merits of the First Amendment claim, the balance of hardships tips in the plaintiffs’ favor, and the plaintiffs establish sufficiently the other elements for preliminary-injunctive relief.” The judge seemed most persuaded by this claim and summarized the plaintiffs’ argument:

  • First, they contend, effectively banning WeChat — which serves as a virtual public square for the Chinese-speaking and Chinese-American community in the United States and is (as a practical matter) their only means of communication — forecloses meaningful access to communication in their community and thereby operates as a prior restraint on their right to free speech that does not survive strict scrutiny.
  • Second, even if the prohibited transactions are content-neutral time-place-or-manner restrictions, they do not survive intermediate scrutiny because the complete ban is not narrowly tailored to address the government’s significant interest in national security.

The Trump Administration will almost certainly appeal these decisions, but it remains to be seen how quickly the case moves through the court system.

As noted, the Committee on Foreign Investment in the United States (CFIUS) recommended that the President order ByteDance to divest musical.ly, and Trump did so in an “Order Regarding the Acquisition of Musical.ly by ByteDance Ltd.” The deadline for selling off this part of the company is mid-November, but this timeline was effectively moved up by Trump’s public comments about the sale and the TikTok executive order set to take effect in mid-September. Oracle, Walmart, and ByteDance are awaiting review of the deal in both Washington and Beijing. At present, the terms proposed seem to indicate Oracle would become a “trusted technology partner,” a term not used before in such transactions, and Walmart would provide “ecommerce, fulfillment, payments and other omnichannel services” to TikTok operations in the U.S. It has been suggested but contested that a majority of these operations would be in the hands of U.S. entities, but ByteDance has disputed that claim. Moreover, it has been separately claimed Oracle and Walmart would get a collective 20% stake in U.S. operations. All of this is unclear and subject to change depending on CFIUS review. Moreover, the PRC will need to approve the deal per its recently implemented export control regulations that would seem to bar the transfer of technology like TikTok’s algorithm.

In terms of background, on 18 September, the Trump Administration issued orders barring TikTok and WeChat pursuant to executive orders issued an “Executive Order on Addressing the Threat Posed by TikTok” and an “Executive Order on Addressing the Threat Posed by WeChat” that bar any transactions with the companies that made, distribute, and operate TikTok and WeChat respectively. The U.S. Department of Commerce (Commerce) issued orders effectuating the executive orders.

In a press release, Commerce explained:

As of September 20, 2020, the following transactions are prohibited:

  1. Any provision of service to distribute or maintain the WeChat or TikTok mobile applications, constituent code, or application updates through an online mobile application store in the U.S.;
  2. Any provision of services through the WeChat mobile application for the purpose of transferring funds or processing payments within the U.S.

As of September 20, 2020, for WeChat and as of November 12, 2020, for TikTokthe following transactions are prohibited:

  1. Any provision of internet hosting services enabling the functioning or optimization of the mobile application in the U.S.;
  2. Any provision of content delivery network services enabling the functioning or optimization of the mobile application in the U.S.;
  3. Any provision directly contracted or arranged internet transit or peering services enabling the function or optimization of the mobile application within the U.S.;
  4. Any utilization of the mobile application’s constituent code, functions, or services in the functioning of software or services developed and/or accessible within the U.S.

Commerce added:

Any other prohibitive transaction relating to WeChat or TikTok may be identified at a future date. Should the U.S. Government determine that WeChat’s or TikTok’s illicit behavior is being replicated by another app somehow outside the scope of these executive orders, the President has the authority to consider whether additional orders may be appropriate to address such activities. The President has provided until November 12 for the national security concerns posed by TikTok to be resolved. If they are, the prohibitions in this order may be lifted.

Commerce has submitted notices to be published this week in the Federal Register identifying the transactions that will be illegal regarding TikTok and WeChat:

Pursuant to Executive Order 13942, the Secretary of Commerce is publishing the list of prohibited transactions by any person, or with respect to any property, subject to the jurisdiction of the United States, with ByteDance Ltd. (a.k.a. Zìjié Tiàodòng), Beijing, China, or its subsidiaries, including TikTok Inc., in which any such company has any interest, to address the national emergency with respect to the information and communications technology and services supply chain declared in Executive Order 13873, May 15, 2019 (Securing the Information and Communications Technology and Services Supply Chain), and particularly to address the threat identified in Executive Order 13942 posed by mobile application TikTok.

On 19 September, the U.S. Department of Commerce issued a statement pushing back the effective date of the order against TikTik from 20 September to 27 September because of “recent positive developments” regarding a possible deal between ByteDance, Oracle, and Walmart that would satisfy U.S. national security concerns about the app.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Solen Feyissa on Unsplash

Further Reading, Other Developments, and Coming Events (29 September)

Coming Events

  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • September 30 the House Veterans’ Affairs Committee’s Technology Modernization Subcommittee will meet for an oversight hearing titled “Examining VA’s Ongoing Efforts in the Electronic Health Record Modernization Program.”
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September and has made available its agenda with these items:
    • Facilitating Shared Use in the 3.1-3.55 GHz Band. The Commission will consider a Report and Order that would remove the existing non-federal allocations from the 3.3-3.55 GHz band as an important step toward making 100 megahertz of spectrum in the 3.45-3.55 GHz band available for commercial use, including 5G, throughout the contiguous United States. The Commission will also consider a Further Notice of Proposed Rulemaking that would propose to add a co-primary, non-federal fixed and mobile (except aeronautical mobile) allocation to the 3.45-3.55 GHz band as well as service, technical, and competitive bidding rules for flexible-use licenses in the band. (WT Docket No. 19-348)
    • Expanding Access to and Investment in the 4.9 GHz Band. The Commission will consider a Sixth Report and Order that would expand access to and investment in the 4.9 GHz (4940-4990 MHz) band by providing states the opportunity to lease this spectrum to commercial entities, electric utilities, and others for both public safety and non-public safety purposes. The Commission also will consider a Seventh Further Notice of Proposed Rulemaking that would propose a new set of licensing rules and seek comment on ways to further facilitate access to and investment in the band. (WP Docket No. 07-100)
    • Improving Transparency and Timeliness of Foreign Ownership Review Process. The Commission will consider a Report and Order that would improve the timeliness and transparency of the process by which it seeks the views of Executive Branch agencies on any national security, law enforcement, foreign policy, and trade policy concerns related to certain applications filed with the Commission. (IB Docket No. 16-155)
    • Promoting Caller ID Authentication to Combat Spoofed Robocalls. The Commission will consider a Report and Order that would continue its work to implement the TRACED Act and promote the deployment of caller ID authentication technology to combat spoofed robocalls. (WC Docket No. 17-97)
    • Combating 911 Fee Diversion. The Commission will consider a Notice of Inquiry that would seek comment on ways to dissuade states and territories from diverting fees collected for 911 to other purposes. (PS Docket Nos. 20-291, 09-14)
    • Modernizing Cable Service Change Notifications. The Commission will consider a Report and Order that would modernize requirements for notices cable operators must provide subscribers and local franchising authorities. (MB Docket Nos. 19-347, 17-105)
    • Eliminating Records Requirements for Cable Operator Interests in Video Programming. The Commission will consider a Report and Order that would eliminate the requirement that cable operators maintain records in their online public inspection files regarding the nature and extent of their attributable interests in video programming services. (MB Docket No. 20-35, 17-105)
    • Reforming IP Captioned Telephone Service Rates and Service Standards. The Commission will consider a Report and Order, Order on Reconsideration, and Further Notice of Proposed Rulemaking that would set compensation rates for Internet Protocol Captioned Telephone Service (IP CTS), deny reconsideration of previously set IP CTS compensation rates, and propose service quality and performance measurement standards for captioned telephone services. (CG Docket Nos. 13-24, 03-123)
    • Enforcement Item. The Commission will consider an enforcement action.
  • On October 1, the House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee will hold a hearing as part of its series on online competition at which it may unveil its proposal on how to reform antitrust enforcement for the digital age. The hearing is titled “Proposals to Strengthen the Antitrust Laws and Restore Competition Online.”
  • On 1 October, the Senate Commerce, Science, and Transportation Committee may hold a markup to authorize subpoenas to compel the attendance of the technology CEOs for a hearing on 47 U.S.C. 230 (aka Section 230). Ranking Member Maria Cantwell (D-WA) has said:
    • Taking the extraordinary step of issuing subpoenas is an attempt to chill the efforts of these companies to remove lies, harassment, and intimidation from their platforms. I will not participate in an attempt to use the committee’s serious subpoena power for a partisan effort 40 days before an election,” indicating a vote, should one occur, may well be along party lines.
    • Nonetheless, the Committee may subpoena the following CEOs:
      • Mr. Jack Dorsey, Chief Executive Officer, Twitter
      • Mr. Sundar Pichai, Chief Executive Officer, Alphabet Inc., Google
      • Mr. Mark Zuckerberg, Chief Executive Officer, Facebook
  • The Senate Judiciary Committee will markup the “Online Content Policy Modernization Act” (S.4632), a bill to reform 47 U.S.C. 230 (aka Section 230) that provides many technology companies with protection from lawsuits for third party content posted on their platforms and for moderating and removing such content.
  • On October 1, the Senate Armed Services Committee’s Readiness and Management Support Subcommittee will hold a hearing on supply chain integrity with Under Secretary of Defense for Acquisition and Sustainment Ellen Lord testifying. Undoubtedly, implementation of the ban on Huawei, ZTE, and other People’s Republic of China (PRC) equipment and services as required by Section 889 of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232) will be discussed. Also, the Cybersecurity Maturity Model Certification (CMMC) program will also likely be discussed.
  • On October 29, the Federal Trade Commission (FTC) will hold a seminar titled “Green Lights & Red Flags: FTC Rules of the Road for Business workshop” that “will bring together Ohio business owners and marketing executives with national and state legal experts to provide practical insights to business and legal professionals about how established consumer protection principles apply in today’s fast-paced marketplace.”

Other Developments

  • The Senate passed an extension of the “Undertaking Spam, Spyware, And Fraud Enforcement With Enforcers beyond Borders Act of 2006” (U.S.  SAFE  WEB  Act) (H.R.4779), sending the bill to the White House. The Senate did not alter the bill the House sent to it in December. The House Energy and Commerce Committee explained in its committee report:
    • Enacted into law on December 22, 2006, the U.S. SAFE WEB Act amended the Federal Trade Commission Act (FTC Act) to improve the FTC’s ability to combat unfair or deceptive acts or practices that are international in scope. Specifically, U.S. SAFE WEB Act: (1) affirms the FTC’s cross-border enforcement authority; (2) authorizes collaboration with foreign law enforcement in the form of investigative assistance3and information sharing, provided certain statutory factors are met; (3) bolsters the FTC’s ability to receive information from foreign counterparts by allowing confidential treatment of information received; and (4) promotes relation-ship building through staff exchanges with foreign counterparts.
    • H.R. 4779 would ensure that the FTC continues to have the cross-border enforcement authority and international cooperation tools it needs to protect American consumers from unfair or deceptive acts or practices that originate abroad. This program provides a sound foundation for related issues of protecting and preserving cross-border data flows that are essential for Privacy Shield and other such agreements. Such legislation helps promote our leader ship  on  artificial  intelligence,  autonomous  vehicles,  quantum  computing, and other emerging technologies.
  • The Department of Veterans Affairs (VA) revealed it had been breached and “the personal information of approximately 46,000 Veterans” has been compromised. This announcement came the same day as an advisory issued by the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) that Chinese Ministry of State Security (MSS)-affiliated cyber threat actors have been targeting and possibly penetrating United States (U.S.) agency networks. The two events may not be linked, however. And yet, what is linked to the breach is an August VA request for information (RFI) for an entity “provide cyber security audit services support,” as confirmed by an agency spokesperson. The VA has experienced long running problems with information technology (IT) and cybersecurity as evidenced by this Government Accountability Office (GAO) testimony released a few weeks ago. In the notice of the breach, the VA explained:
    • The Financial Services Center (FSC) determined one of its online applications was accessed by unauthorized users to divert payments to community health care providers for the­ medical treatment of Veterans. The FSC took the application offline and reported the breach to VA’s Privacy Office. A preliminary review indicates these unauthorized users gained access to the application to change financial information and divert payments from VA by using social engineering techniques and exploiting authentication protocols. To prevent any future improper access to and modification of information, system access will not be reenabled until a comprehensive security review is completed by the VA Office of Information Technology. 
  • The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued Emergency Directive 20-04, “Mitigate Netlogon Elevation of Privilege Vulnerability from August 2020 Patch Tuesday” that directs United States’ (U.S.) agencies to act with respect to “non-national security systems,” meaning civilian agencies, to “immediately apply the Windows Server August 2020 security update to all domain controllers.” This most recent Emergency Directive follows two earlier ones this year (found here and here.)
  • The United States Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) announced a trio of enforcement actions for violations of HHS regulations on healthcare information these entities failed to properly protect. Specifically, these entities failed to meet their obligations under the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. OCR released these summaries of the actions:
    • Premera Blue Cross (PBC) has agreed to pay $6.85 million to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to a breach affecting over 10.4 million people. This resolution represents the second-largest payment to resolve a HIPAA investigation in OCR history. PBC operates in Washington and Alaska, and is the largest health plan in the Pacific Northwest, serving more than two million people.
      • On March 17, 2015, PBC filed a breach report on behalf of itself and its network of affiliates stating that cyber-attackers had gained unauthorized access to its information technology (IT) system.  The hackers used a phishing email to install malware that gave them access to PBC’s IT system in May 2014, which went undetected for nearly nine months until January 2015.  This undetected cyberattack, otherwise known as an advanced persistent threat, resulted in the disclosure of more than 10.4 million individuals’ protected health information including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, and health plan clinical information. 
      • OCR’s investigation found systemic noncompliance with the HIPAA Rules including failure to conduct an enterprise-wide risk analysis, and failures to implement risk management, and audit controls.
    •  CHSPSC LLC, (“CHSPSC”) has agreed to pay $2,300,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to a breach affecting over six million people.  CHSPSC provides a variety of business associate services, including IT and health information management, to hospitals and physician clinics indirectly owned by Community Health Systems, Inc., in Franklin, Tennessee.
      • In April 2014, the Federal Bureau of Investigation (FBI) notified CHSPSC that it had traced a cyberhacking group’s advanced persistent threat to CHSPSC’s information system. Despite this notice, the hackers continued to access and exfiltrate the protected health information (PHI) of 6,121,158 individuals until August 2014. The hackers used compromised administrative credentials to remotely access CHSPSC’s information system through its virtual private network. 
      • OCR ‘s investigation found longstanding, systemic noncompliance with the HIPAA Security Rule including failure to conduct a risk analysis, and failures to implement information system activity review, security incident procedures, and access controls.
    • Athens Orthopedic Clinic PA (“Athens Orthopedic”) has agreed to pay $1,500,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. Athens Orthopedic is located in Georgia and provides orthopedic services to approximately 138,000 patients annually.
      • On June 26, 2016, a journalist notified Athens Orthopedic that a database of their patient records may have been posted online for sale. On June 28, 2016, a hacker contacted Athens Orthopedic and demanded money in return for a complete copy of the database it stole. Athens Orthopedic subsequently determined that the hacker used a vendor’s credentials on June 14, 2016, to access their electronic medical record system and exfiltrate patient health data. The hacker continued to access protected health information (PHI) for over a month until July 16, 2016.
      • On July 29, 2016, Athens Orthopedic filed a breach report informing OCR that 208,557 individuals were affected by this breach, and that the PHI disclosed included patients’ names, dates of birth, social security numbers, medical procedures, test results, and health insurance information.
      • OCR’s investigation discovered longstanding, systemic noncompliance with the HIPAA Privacy and Security Rules by Athens Orthopedic including failures to conduct a risk analysis, implement risk management and audit controls, maintain HIPAA policies and procedures, secure business associate agreements with multiple business associates, and provide HIPAA Privacy Rule training to workforce members.
  • The Department of the Treasury published a final rule that changes the Committee on Foreign Investment in the United States (CFIUS) regulations with respect to mandatory filings for future deals in which foreign companies are investing in United States (U.S.) firms producing “critical technologies.” Previously, the trigger was if there was a nexus between the U.S. entity and certain industries. But now, the filing requirement will be triggered if “certain U.S. government authorizations would be required to export, reexport, transfer (in-country), or retransfer the critical technology or technologies produced, designed, tested, manufactured, fabricated, or developed by the U.S. business to certain transaction parties and foreign persons in the ownership chain.” The Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) (P.L. 115-232) required the agency to make this, among many other changes, in the CFIUS regime. What constitutes “critical technologies” is defined in FIRRMA and includes all sorts of military, commercial items with military applications, and “emerging and foundational technologies.” The final rule also “makes amendments to the definition of the term “substantial interest” and a related provision, and makes one technical revision.”
  • The Government Accountability Office (GAO) has assessed how well the Department of the Treasury is doing in its role as the overseer of cybersecurity for the United States (U.S.) financial services industry. The GAO found Treasury’s efforts lacking, especially with respect in implementing the recommendations the GAO has previously made. The GAO concluded:
    • Increased access to financial services sector systems, combined with the potential for monetary gains and economic disruptions, poses significant information security risks to the sector’s systems and to the critical operations and infrastructures they support. The financial services sector faces several different types of cyber-related risks, including ensuring adequate security for service providers traditionally considered external to the sector, an increased interconnectivity between sector entities that could result in simpler attack vectors, and the potential introduction of malware such as ransomware through social engineering techniques, such as spear phishing, or insider access. The sector has also faced an increase in attacks from well-organized attackers with significant resources.
    • The financial services industry, including firms and sectorwide groups set up to assist firms in ensuring the cybersecurity and resilience of the sector, have undertaken a series of risk mitigation efforts, in areas such as coordination and information sharing between organizations, development of guidance and training for members, and sectorwide incident response exercises. However, industry firms also pointed to challenge areas for assistance from regulators and policymakers. The most common of these areas were improved information sharing of actionable data after a cyber incident; improved harmonization among regulators, such as minimizing differences in use of state versus national requirements; establishing clearer guidance regarding regulation of the sector’s third-party service providers; and increasing cybersecurity training to firm employees.
    •  Federal agencies are conducting risk mitigation efforts intended to support private industry in improving cybersecurity of the financial services sector. These efforts, including regular outreach by the designated financial sector-specific agency, Treasury, generally meet responsibilities laid out in policy. However, Treasury does not prioritize or track the progress of sectorwide risk mitigation efforts, and does not explicitly link sector efforts to the goals in the sector specific plan, which is the primary sector planning document. Furthermore, the plan is out of date and does not include information on how the sector plans to implement recently required efforts. The plan also does not identify ways to measure sector progress, such as explicit metrics for determining the progress of risk mitigation efforts to enhance the cybersecurity and resilience of the sector. Unless Treasury undertakes tracking and prioritization of efforts based on metrics that reflect sector planning documents, the sector will remain unable to determine the effectiveness of its efforts, which could leave the sector insufficiently prepared to deal with primary sector risks.
    • The GAO made two recommendations to Treasury:
      • Regarding financial sector cyber risk mitigation efforts, we recommend that the Secretary of the Treasury, in coordination with the Department of Homeland Security and other federal and nonfederal sector partners, track the content and progress of sectorwide cyber risk mitigation efforts, and prioritize their completion according to sector goals and priorities in the sector-specific plan. (Recommendation 1)
      • Regarding the financial sector-specific plan, we recommend that the Secretary of the Treasury, in coordination with the Department of Homeland Security and other federal and nonfederal sector partners, update the financial services sector-specific plan to include specific metrics for measuring the progress of risk mitigation efforts and information on how the sector’s ongoing and planned risk mitigation efforts will meet sector goals and requirements, such as requirements for the financial services sector in the National Cyber Strategy Implementation Plan. (Recommendation 2)
  • The Department of Homeland Security’s (DHS) Office of the Inspector General (OIG) published its review of a May 2019 breach of a U.S. Customs and Border Protection (CBP) subcontractor that resulted in “CBP data, including traveler images from CBP’s facial recognition pilot, appear[ing] on the dark web.” The OIG explained that “CBP selected Unisys Corporation to design, develop, and install a biometric entry-exit solution that would verify and confirm the arrival and departures of passengers. In turn, Unisys Corporation hired Perceptics, LLC, as a subcontractor to install its proprietary facial image capture solution.” Perceptics then proceeded to violate DHS security and privacy protocols by transferring these data to its systems, but the agency did not store the personally identifiable information (PII) in an encrypted form. Consequently, when Perceptics was hit with a ransomware attack, “more than 184,000 traveler facial image files, as well as 105,000 license plate images from prior pilot work, were stored on the subcontractor’s network at the time of the ransomware attack.” The hackers also “stole an array of contractual documents, program management documents, emails, system configurations, schematics, and implementation documentation related to CBP license plate reader programs.” Worse still, CBP was notified of the breach through a media article instead of by either the prime or subcontractor even thought Perceptics informed Unisys, which opted against informing CBP in violation of its contractual duties.
  • The OIG summarized the facts of the case:
    • CBP did not adequately safeguard sensitive data on an unencrypted device used during its facial recognition technology pilot (known as the Vehicle Face System). A subcontractor working on this effort, Perceptics, LLC, transferred copies of CBP’s biometric data, such as traveler images, to its own company network. The subcontractor obtained access to this data between August 2018 and January 2019 without CBP’s authorization or knowledge. Later in 2019, the Department of Homeland Security experienced a major privacy incident, as the subcontractor’s network was subjected to a malicious cyber attack.
    • DHS requires subcontractors to protect personally identifiable information (PII) from identity theft or misuse. However, in this case, Perceptics staff directly violated DHS security and privacy protocols when they downloaded CBP’s sensitive PII from an unencrypted device and stored it on their own network. Given Perceptics’ ability to take possession of CBP-owned sensitive data, CBP’s information security practices during the pilot were inadequate to prevent the subcontractor’s actions.
    • This data breach compromised approximately 184,000 traveler images from CBP’s facial recognition pilot; at least 19 of the images were posted to the dark web. This incident may damage the public’s trust in the Government’s ability to safeguard biometric data and may result in travelers’ reluctance to permit DHS to capture and use their biometrics at U.S. ports of entry.
  • The OIG made 3 recommendations to CBP:
    • Recommendation 1: We recommend CBP’s Assistant Commissioner for the Office of Information and Technology implement all mitigation and policy recommendations to resolve the 2019 data breach identified in CBP’s Security Threat Assessments, including implementing USB device restrictions and applying enhanced encryption methods.
    • Recommendation 2: We recommend the Deputy Executive Assistant Commissioner, Office of Field Operations coordinate with the CBP Office of Information and Technology to ensure that all additional security controls are implemented on relevant devices at all existing Biometric Entry-Exit program pilot locations.
    • Recommendation 3: We recommend the Deputy Executive Assistant Commissioner, Office of Field Operations establish a plan for the Biometric Entry-Exit Program to routinely assess third-party equipment supporting biometric data collection to ensure partners’ compliance with Department security and privacy standards.

Further Reading

  • Revealed: Trump campaign strategy to deter millions of Black Americans from voting in 2016” — Channel 4 News. The same British news organization that broke the Cambridge Analytica story is back with another article on the mining and use of personal data in microtargeting voters in the 2016 presidential election. Despite repeated denials, it appears the Trump Campaign in concert with Cambridge Analytica and the Republican National Committee targeted African Americans with messages on Facebook to keep them home on election day, possibly swinging a few keys states Trump could not have won the Electoral College without.
  • Why the right wing has a massive advantage on Facebook” By Alex Thompson — Politico. This piece lays the responsibility for the advantage in popularity conservative political posts and content on human nature, arguing that right-wing populism will always be more viscerally appealing to people than left-wing populism. The company also seems to be laying what many are calling its malign effects on human nature, too.  
  • Foreign Hackers Cripple Texas County’s Email System, Raising Election Security Concerns” By Jack Gillum, Jessica Huseman, Jeff Kao and Derek Willis — ProPublica. In an article based on information provided on a small Texas County’s breach, light is shined on how unprepared many localities and jurisdictions against common cyber threats. In this case, a common ransomware malware was placed successfully on the county’s system rending it unusable. It appears this, and other counties, have disregarded the cybersecurity advice furnished by the Department of Homeland Security in the hopes that the United States’ (U.S.) systems will be secure against election day hacks. With minimal effort, a sophisticated entity can wreak havoc in contested states this election.
  • TikTok was just the beginning: Trump administration is stepping up scrutiny of past Chinese tech investments” By Jeanne Whalen — The Washington Post. To no great surprise, the Trump Administration is looking to use the Committee on Foreign Investment in the United States (CFIUS) process. The Department of the Treasury’s Office of Investment Security Monitoring & Enforcement has been sending letters to technology companies since the early spring inquiring about foreign investment. The companies being targeted tend to collect, process, and store a lot of personal data or are pioneering or producing cutting edge technology considered vital for national security like electric batteries. This new office is reportedly looking back at transactions completed more than ten years ago. Already the scrutiny is having its intended effect as entities from the People’s Republic of China (PRC) have invested less this year in Silicon Valley than they have in six years.
  • China chip giant SMIC shares sink on US export controls” By Jerome Taylor — AFP; “U.S. sanctions on chipmaker SMIC hit at the very heart of China’s tech ambitions” By Arjun Kharpal — CNBC. The United States (U.S.) Department of Commerce has reportedly informed U.S. chipmakers and others that they must stop selling equipment to the People’s Republic of China’s (PRC) Semiconductor Manufacturing International Corp (SMIC) unless they get an export license. This latest move tightens further the chokehold the U.S. has placed on Huawei and other PRC firms that require U.S. technology to make their products. While SMIC has made strides in developing chips, it is still dependent on foreign technology. SMIC told western media outlets we “no relationship with the Chinese military and does not manufacture for any military end-users or end-uses.”
  • Activists slam Palantir for its work with ICE ahead of market debut” By Tonya Riley and Cat Zakrzewski — The Washington Post. Ahead of tomorrow’s initial public offering, human rights advocates are pressing investors to forego Palantir or to buy the stock and demand changes. These activists are arguing that the Peter Thiel launched company has worked with the United States government and others in violation of human rights.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Daniel Falcao on Unsplash

TikTok Deal Struck And WeChat Wins Injunction

A TikTok deal may be taking shape even though there are indications the details have not been hammered out entirely. A federal court blocked implementation of the WeChat ban.

Over the weekend with the 20 September effective dates looming on the TikTok and WeChat notices, there were separate developments that delayed implementation of the bans on the two apps from the People’s Republic of China (PRC). It appeared the Trump Administration, ByteDance, and potential United States (U.S.) partners were closing in on a deal even as there continued to be disputes as to the composition and nature of the new entity that would house TikTok in the U.S. The ban against WeChat was blocked by a U.S. court, a decision sure to be appealed.

On 19 September, a magistrate judge in San Francisco granted a preliminary injunction against the Trump Administration’s implementation of the WeChat order. As explained in a footnote, “[t]he plaintiffs are U.S. WeChat Users Alliance, a nonprofit formed to challenge the WeChat Executive Order, and individual and business users.” In short, they contended that the WeChat ban

(1) violates the First Amendment to the U.S. Constitution,

(2) violates the Fifth Amendment,

(3) violates the Religious Freedom Restoration Act, 42 U.S.C. § 2000bb(1)(a),

(4) was not a lawful exercise of the President’s and the Secretary’s authority under the International Economic Emergency Powers Act (“IEEPA”) — which allows the President to prohibit “transactions” in the interest of national security — because the IEEPA, 50 U.S.C. § 1702(b)(1), does not allow them to regulate personal communications, and

(5) violates the Administrative Procedures Act (“APA”) because the Secretary exceeded his authority under the IEEPA and should have promulgated the rule through the notice-and-comment rulemaking procedures in 5 U.S.C. § 553(b).

The judge granted the motion for a preliminary injunction “on the ground that the plaintiffs have shown serious questions going to the merits of the First Amendment claim, the balance of hardships tips in the plaintiffs’ favor, and the plaintiffs establish sufficiently the other elements for preliminary-injunctive relief.” The judge seemed most persuaded by this claim and summarized the plaintiffs’ argument:

  • First, they contend, effectively banning WeChat — which serves as a virtual public square for the Chinese-speaking and Chinese-American community in the United States and is (as a practical matter) their only means of communication — forecloses meaningful access to communication in their community and thereby operates as a prior restraint on their right to free speech that does not survive strict scrutiny.
  • Second, even if the prohibited transactions are content-neutral time-place-or-manner restrictions, they do not survive intermediate scrutiny because the complete ban is not narrowly tailored to address the government’s significant interest in national security.

The Trump Administration will almost certainly appeal this decision, but it remains to be seen how quickly the case moves through the court system.

Also, over the weekend, the Trump Administration paused its notice for implementing the EO against TikTok because of agreement in principles of a deal that would permit Oracle and Walmart to control a certain percentage of TikTok in the U.S. However, the details of which entity would control what remain murky with ByteDance arguing that U.S. entities will not control TikTok, but assertions to the opposite being made by the company’s U.S. partners. Over the weekend, it appeared Oracle and Walmart would be able to take a collective 20% stake in a new entity TikTok Global that would operate in the U.S. Walmart has been partnering with Microsoft, but when the tech giant failed in its bid, Walmart began talks with Oracle. ByteDance would have a stake in the company but not majority control according to some sources. However, ByteDance began pushing back on that narrative as President Donald Trump declared this morning “if we find that [Oracle and Walmart] don’t have total control, then we’re not going to approve the deal.” Moreover, $5 billion would be used for some sort of educational fund. However, it is hard to tell what exactly would occur and whether this is supposed to be the “finder’s fee” of sorts Trump had said the U.S. would deserve from the deal.

On 19 September, the U.S. Department of Commerce issued a statement pushing back the effective date of the order against TikTik from 20 September to 27 September because of “recent positive developments.” The same day, the U.S. Department of the Treasury released a statement, explaining:

The President has reviewed a deal among Oracle, Walmart, and TikTok Global to address the national security threat posed by TikTok’s operations. Oracle will be responsible for key technology and security responsibilities to protect all U.S. user data. Approval of the transaction is subject to a closing with Oracle and Walmart and necessary documentation and conditions to be approved by Committee on Foreign Investment in the United States (CFIUS). 

TikTok also released a statement, asserting

We’re pleased that today we’ve confirmed a proposal that resolves the Administration’s security concerns and settles questions around TikTok’s future in the US. Our plan is extensive and consistent with previous CFIUS resolutions, including working with Oracle, who will be our trusted cloud and technology provider responsible for fully securing our users’ data. We are committed to protecting our users globally and providing the highest levels of security. Both Oracle and Walmart will take part in a TikTok Global pre-IPO financing round in which they can take up to a 20% cumulative stake in the company. We will also maintain and expand the US as TikTok Global’s headquarters while bringing 25,000 jobs across the country.

Walmart issued its own statement on 19 September:

While there is still work to do on final agreements, we have tentatively agreed to purchase 7.5% of TikTok Global as well as enter into commercial agreements to provide our ecommerce, fulfillment, payments and other omnichannel services to TikTok Global. Our CEO, Doug McMillon, would also serve as one of five board members of the newly created company. In addition, we would work toward an initial public offering of the company in the United States within the next year to bring even more ownership to American citizens. The final transaction will need to be approved by the relevant U.S. government agencies.

The same day, Oracle and Walmart released a joint statement:

  • The President has announced that ByteDance has received tentative approval for an agreement with the U.S. Government to resolve the outstanding issues, which will now include Oracle and Walmart together investing to acquire 20% of the newly formed TikTok Global business.
  • As a part of the deal, TikTok is creating a new company called TikTok Global that will be responsible for providing all TikTok services to users in United States and most of the users in the rest of the world. Today, the administration has conditionally approved a landmark deal where Oracle becomes TikTok’s secure cloud provider.
  • TikTok Global will be majority owned by American investors, including Oracle and Walmart. TikTok Global will be an independent American company, headquartered in the U.S., with four Americans out of the five member Board of Directors.
  • All the TikTok technology will be in possession of TikTok Global, and comply with U.S. laws and privacy regulations. Data privacy for 100 million American TikTok users will be quickly established by moving all American data to Oracle’s Generation 2 Cloud data centers, the most secure cloud data centers in the world.
  • In addition to its equity position, Walmart will bring its omnichannel retail capabilities including its Walmart.com assortment, eCommerce marketplace, fulfillment, payment and measurement-as-a-service advertising service.
  • TikTok Global will create more than 25,000 new jobs in the Unites States and TikTok Global will pay more than $5 billion in new tax dollars to the U.S. Treasury.
  • TikTok Global, together with Oracle, SIG, General Atlantic, Sequoia, Walmart and Coatue will create an educational initiative to develop and deliver an AI-driven online video curriculum to teach children from inner cities to the suburbs, a variety of courses from basic reading and math to science, history and computer engineering.
  • TikTok Global will have an Initial Public Offering (IPO) in less than 12 months and be listed on a U.S. Exchange. After the IPO, U.S. ownership of TikTok Global will increase and continue to grow over time.

Today, Oracle went further in a statement to the media claiming, “ByteDance will have no ownership in TikTok Global,” which is a different message than the one the company was sending. For example, in a blog post, ByteDance stated “[t]he current plan does not involve the transfer of any algorithms or technology…[but] Oracle has the authority to check the source code of TikTok USA.”

Late last week, the Trump Administration issued orders barring TikTok and WeChat pursuant to executive orders issued an “Executive Order on Addressing the Threat Posed by TikTok” and an “Executive Order on Addressing the Threat Posed by WeChat” that bar any transactions with the companies that made, distribute, and operate TikTok and WeChat respectively. The U.S. Department of Commerce (Commerce) issued orders effectuating the executive orders, which were set to take effect this past weekend. In a press release, Commerce explained:

As of September 20, 2020, the following transactions are prohibited:

  1. Any provision of service to distribute or maintain the WeChat or TikTok mobile applications, constituent code, or application updates through an online mobile application store in the U.S.;
  2. Any provision of services through the WeChat mobile application for the purpose of transferring funds or processing payments within the U.S.

As of September 20, 2020, for WeChat and as of November 12, 2020, for TikTokthe following transactions are prohibited:

  1. Any provision of internet hosting services enabling the functioning or optimization of the mobile application in the U.S.;
  2. Any provision of content delivery network services enabling the functioning or optimization of the mobile application in the U.S.;
  3. Any provision directly contracted or arranged internet transit or peering services enabling the function or optimization of the mobile application within the U.S.;
  4. Any utilization of the mobile application’s constituent code, functions, or services in the functioning of software or services developed and/or accessible within the U.S.

Commerce added:

Any other prohibitive transaction relating to WeChat or TikTok may be identified at a future date. Should the U.S. Government determine that WeChat’s or TikTok’s illicit behavior is being replicated by another app somehow outside the scope of these executive orders, the President has the authority to consider whether additional orders may be appropriate to address such activities. The President has provided until November 12 for the national security concerns posed by TikTok to be resolved. If they are, the prohibitions in this order may be lifted.

Commerce has submitted notices to be published this week in the Federal Register identifying the transactions that will be illegal regarding TikTok and WeChat:

  • Pursuant to Executive Order 13942, the Secretary of Commerce is publishing the list of prohibited transactions by any person, or with respect to any property, subject to the jurisdiction of the United States, with ByteDance Ltd. (a.k.a. Zìjié Tiàodòng), Beijing, China, or its subsidiaries, including TikTok Inc., in which any such company has any interest, to address the national emergency with respect to the information and communications technology and services supply chain declared in Executive Order 13873, May 15, 2019 (Securing the Information and Communications Technology and Services Supply Chain), and particularly to address the threat identified in Executive Order 13942 posed by mobile application TikTok.
  • Pursuant to Executive Order 13943, the Secretary of Commerce is publishing this Identification of Prohibited Transactions related to WeChat by any person, or with respect to any property, subject to the jurisdiction of the United States, with Tencent Holdings Ltd. (a.k.a. Téngxùn Kònggŭ Yŏuxiàn Gōngsī), Shenzhen, China, or any subsidiary of that entity, to address the national emergency with respect to the information and communications technology and services supply chain declared in Executive Order 13873, May 15, 2019 (Securing the Information and Communications Technology and Services Supply Chain), and particularly to address the threat identified in Executive Order 13943 posed by mobile application WeChat.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by chuttersnap on Unsplash

Uncertainty As Deadlines Approach On TikTok and WeChat EOs

It is still not clear how matters will play out with a proposed Oracle/TikTok deal and the ban on WeChat (and possibly TikTok if an acceptable deal cannot be made.)

Today, the Trump Administration issued orders barring TikTok and WeChat pursuant to executive orders issued an “Executive Order on Addressing the Threat Posed by TikTok” and an “Executive Order on Addressing the Threat Posed by WeChat” that bar any transactions with the companies that made, distribute, and operate TikTok and WeChat respectively, the former being much more popular in the United States (U.S.) than the latter. Working in the background is a potential deal between United States’ (U.S.) company Oracle and ByteDance that may address U.S. concerns about TikTok. On this front, there have been multiple stories from the Trump Administration about the positions of stakeholders on whether Oracle’s proposed role as a “trusted technology partner” will satisfy the national security concerns articulated in the executive order banning the app and the order from the United States government to ByteDance to divest a key part of their platform. Moreover, there is growing pressure from Republicans in Congress to reject the Oracle/TikTok arrangement as it stands.

In his public remarks this week, President Donald Trump seemed underwhelmed about the proposed Oracle/TikTok deal. He said that “[c]onceptually, I can tell you I don’t like [ByteDance maintaining a stake].” Trump stated “[i]f that’s the case, I’m not going to be happy with that.” He added any acceptable deal “has to be 100 percent as far as national security is concerned, and no, I’m not prepared to sign off on anything…[and] I have to see the deal.” On the other hand, Secretary of the Treasury and chair of Committee on Foreign Investment in the United States (CFIUS) Steven Mnuchin seemed to be taking a different view. He stated “I will just say from our standpoint, we’ll need to make sure that the code is, one, secure, Americans’ data is secure, that the phones are secure and we’ll be looking to have discussions with Oracle over the next few days with our technical teams.” And to this end, the New York Times is reporting that ByteDance has accepted some unspecified changes to the deal in order to address national security concerns, and Reuters is claiming ByteDance has agreed to an initial public offering within a year.

As noted, the U.S. Department of Commerce (Commerce) issued orders effectuating the executive orders, which are set to take effect this weekend. In a press release, Commerce explained:

As of September 20, 2020, the following transactions are prohibited:

  1. Any provision of service to distribute or maintain the WeChat or TikTok mobile applications, constituent code, or application updates through an online mobile application store in the U.S.;
  2. Any provision of services through the WeChat mobile application for the purpose of transferring funds or processing payments within the U.S.

As of September 20, 2020, for WeChat and as of November 12, 2020, for TikTokthe following transactions are prohibited:

  1. Any provision of internet hosting services enabling the functioning or optimization of the mobile application in the U.S.;
  2. Any provision of content delivery network services enabling the functioning or optimization of the mobile application in the U.S.;
  3. Any provision directly contracted or arranged internet transit or peering services enabling the function or optimization of the mobile application within the U.S.;
  4. Any utilization of the mobile application’s constituent code, functions, or services in the functioning of software or services developed and/or accessible within the U.S.

Commerce added:

Any other prohibitive transaction relating to WeChat or TikTok may be identified at a future date. Should the U.S. Government determine that WeChat’s or TikTok’s illicit behavior is being replicated by another app somehow outside the scope of these executive orders, the President has the authority to consider whether additional orders may be appropriate to address such activities. The President has provided until November 12 for the national security concerns posed by TikTok to be resolved. If they are, the prohibitions in this order may be lifted.

Commerce has submitted notices to be published next week in the Federal Register identifying the transactions that will be illegal regarding TikTok and WeChat:

  • Pursuant to Executive Order 13942, the Secretary of Commerce is publishing the list of prohibited transactions by any person, or with respect to any property, subject to the jurisdiction of the United States, with ByteDance Ltd. (a.k.a. Zìjié Tiàodòng), Beijing, China, or its subsidiaries, including TikTok Inc., in which any such company has any interest, to address the national emergency with respect to the information and communications technology and services supply chain declared in Executive Order 13873, May 15, 2019 (Securing the Information and Communications Technology and Services Supply Chain), and particularly to address the threat identified in Executive Order 13942 posed by mobile application TikTok.
  • Pursuant to Executive Order 13943, the Secretary of Commerce is publishing this Identification of Prohibited Transactions related to WeChat by any person, or with respect to any property, subject to the jurisdiction of the United States, with Tencent Holdings Ltd. (a.k.a. Téngxùn Kònggŭ Yŏuxiàn Gōngsī), Shenzhen, China, or any subsidiary of that entity, to address the national emergency with respect to the information and communications technology and services supply chain declared in Executive Order 13873, May 15, 2019 (Securing the Information and Communications Technology and Services Supply Chain), and particularly to address the threat identified in Executive Order 13943 posed by mobile application WeChat.

While the TikTok order could be rescinded if a deal with Oracle is approved by the U.S. government, it seems unlikely that the WeChat order will be undone, at least in the short term. Moreover, these orders will undoubtedly be challenged further in court. Last month, TikTok filed suit in United States federal court in Northern California, asking for an injunction to stop enforcement of the EO and a declaration that it is illegal. It is possible the company, along with Tencent, WeChat’s parent, ask a federal court to stop the Trump Administration from proceeding.

Moreover, there are questions about enforcement, for the Administration cannot reasonably expect people in the U.S. to stop using and delete TikTok and WeChat. There may also be a case to be made on First Amendment grounds that the orders violate rights of free speech and association.

As mentioned, a number of Republicans have come out against the Oracle/TikTok deal. At the beginning of the week, Senator Josh Hawley (R-MO) wrote Mnuchin “calling on CFIUS to reject Oracle’s proposed partnership with ByteDance to obtain control of TikTok’s U.S. operations…[because]…the proposed partnership allows for continued Chinese Communist Party (CCP) control of TikTok, putting American data at risk and violating President Trump’s executive order.” Hawley added:

CFIUS should promptly reject any Oracle-ByteDance collaboration and send the ball back to ByteDance’s court so that the company can come up with a more acceptable solution. ByteDance can still pursue a full sale of TikTok, its code, and its algorithm to a U.S. company, so that the app can be rebuilt from the ground up to remove any trace of CCP influence.

Acting Senate Intelligence Committee Chair Marco Rubio (R-FL), Senate Commerce, Science, and Transportation Committee Chair Roger Wicker (R-MS), and Thom Tillis (R-NC), Rick Scott (R-FL), Dan Sullivan (R-AK), and John Cornyn (R-TX) sent a letter to the President “outlining significant concerns regarding reports that Oracle Corp. confirmed a deal with ByteDance to become a “trusted technology provider” for TikTok’s U.S. operations, including that the “arrangement could violate the requirements set about in the August 6, 2020 Executive Order on Addressing the Threat Posed by TikTok and would do little to satisfy the range of concerns expressed in that order.”

Senator Ted Cruz (R-TX) also wrote Mnuchin arguing:

The Chinese Communist Party and its expansionist actions represent a threat the United States, its interests, and its allies. This Administration has correctly recognized this threat and has taken substantial counter-measures in response to protect our national security. I urge you to do the same when reviewing the newly submitted plan of a transaction between the Chinese company ByteDance and Oracle.

So far, Democrats in Congress, and the Biden campaign, have remained silent, apparently willing to let Republicans criticize the proposed deal from the right. The White House may ultimately prove susceptible to criticism and seek a modified deal to allay these concerns. However, these Republican Senators seem to be laying out a case for a much more dramatic transaction, but one that would likely run afoul of new regulations issued by the People’s Republic of China on export controls. Late last month, two PRC agencies changed the PRC’s export control rules for the first time since 2008 to likely have leverage over TikTok’s sale to a U.S. entity. Ostensibly, the changes are “to regulate technology exports, promote scientific and technological progress and economic and technological cooperation, and maintain national economic security,” but the inclusion of “personalised information recommendation service technology based on data analysis” and “artificial intelligence interactive interfaces” likely point to ByteDance’s app, TikTok. In fact, a researcher with the PRC Ministry of Commerce was quoted as asserting “[t]he time to publish the new update of the export control list has been expedited due to the TikTok sale.”

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by 雪飞 王 from Pixabay

U.S. Orders ByteDance To Unwind Deal That Created TikTok

The Trump Administration ups the ante with TikTok and orders its parent to divest the app that formed the core of the popular short video sharing platform.

In an order issued late last week, the Trump Administration completed its retrospective review of ByteDance’s acquisition of the app Musical.ly that became TikTok. The decision on whether ByteDance’s acquisition threatened the national security of the United States (U.S.) is separate from the executive order released earlier in the week banning the app. The Trump Administration is giving ByteDance 90 days to sell Musical.ly, a move that may well impair TikTok in nations other than the U.S. It is not immediately clear how this order affects the executive order issued a week earlier barring all transactions with TikTok.

The Committee on Foreign Investment in the United States (CFIUS) has been reviewing ByteDance’s acquisition on national security grounds, but the fact that the CFIUS process wrapped up the same week the Trump Administration issued an order banning TikTok in the U.S. is curious to say the least. There have been media accounts for some time that the CFIUS agencies were looking at the ByteDance deal because of increasing tensions with the People’s Republic of China (PRC).  While it is not a frequent occurrence, there is precedent for a retrospective use of the CFIUS process. For example, in March 2019, the Trump Administration ordered Kunlun, a PRC gaming firm, to spin off Grindr, a LGBTQ dating app, for similar national security reasons.

In the order, the Trump Administration makes the case that “[t]here is credible evidence that leads me to believe that ByteDance Ltd., an exempted company with limited liability incorporated under the laws of the Cayman Islands (“ByteDance”), through acquiring all interests in musical.​ly, an exempted company with limited liability incorporated under the laws of the Cayman Islands (“Musical.​ly”), might take action that threatens to impair the national security of the United States.” The Trump Administration has been expressing concern that PRC companies have been sharing the personal data of users, many of whom are Americans, with the PRC government because of recent changes in law that require information sharing with authorities in Beijing.

In the “Order Regarding the Acquisition of Musical.ly by ByteDance Ltd,” President Donald Trump stated

The transaction resulting in the acquisition by ByteDance of Musical.​ly, to the extent that Musical.​ly or any of its assets is used in furtherance or support of, or relating to, Musical.​ly’s activities in interstate commerce in the United States (“Musical.​ly in the United States”), is hereby prohibited, and ownership by ByteDance of any interest in Musical.​ly in the United States, whether effected directly or indirectly through ByteDance, or through ByteDance’s subsidiaries, affiliates, or Chinese shareholders, is also prohibited.

Moreover, ByteDance is under an obligation to destroy user data before selling. Specifically, the order directs

Immediately upon divestment, ByteDance shall certify in writing to CFIUS that it has destroyed all data that it is required to divest…as well as all copies of such data wherever located, and CFIUS is authorized to require auditing of ByteDance on terms it deems appropriate in order to ensure that such destruction of data is complete.

Moreover, during the 90 day period preceding the sale, CFIUS is authorized to take necessary steps to ensure ByteDance’s compliance.

The week before, the White House acted against two popular applications from the PRC on account of purported national security issues created by Americans downloading and using them. The White House issued an “Executive Order on Addressing the Threat Posed by TikTok” and an “Executive Order on Addressing the Threat Posed by WeChat” that bar any transactions with the companies that made, distribute, and operate TikTok and WeChat respectively, the former being much more popular in the United States (U.S.) than the latter. These bans are also of a piece with the Trump Administration’s narrative that the PRC is responsible for COVID-19 and poses an existential threat to western democracy. In response, the PRC is likely to increase pressure on U.S. and foreign firms operating in that nation or with supply chains rooted in the PRC. In any event, it is not clear how effective these directives will be and the companies being targeted are almost certain to sue to stop enforcement.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

US Indictments Handed Down Against PRC Hackers

Two PRC nationals were indicted for hacking to help their country’s security services and for financial gain in a wide-ranging complaint. The charges come during a time when the DOJ and other US agencies are accusing the PRC of a range of actions that threaten the US and its allies.

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

The United States (US) Department of Justice (DOJ) made public two grand jury indictments of nationals of the People’s Republic of China (PRC) who allegedly led long term penetrations and hacking of a range of US public and private sector entities. The DOJ is claiming these hackers both worked closely with PRC government agencies in executing the hacks and sought to benefit financially from these activities. The indictments are the most recent development in the US-PRC dispute that continues to grow seemingly by the day. While it is very unlikely the US will ever succeed in extraditing or apprehending these hackers, many cybersecurity and national security experts see value in “naming and shaming” and filing charges as a means of shaping public opinion and rallying allies and like-minded nations against nations engaged in cyber attacks and hacking.

According to the materials released by the DOJ, these two PRC hackers were detected in trying to on the networks of Department of Energy’s Hanford Site which is engaged in cleanup from the production of plutonium during the Cold War. This suggests the hackers succeeded in penetrated these networks and possibly others at the Department of Energy. However, the DOJ stressed these hackers’ work in trying to access and exfiltrate information related to COVID-19 research, which echoes the claim made in a May unclassified public service announcement issued by the Federal Bureau of Investigation (FBI) and CISA that named the PRC as a nation waging a cyber campaign against U.S. COVID-19 researchers. It is possible these indictments and that claim are related. Moreover, the DOJ stressed the information these hackers stole from defense contractors and possibly universities involved with defense activities. Incidentally, if the claims are true, it would lend more weight to the Trump Administration’s previously made claims that the PRC is again violating the 2015 agreement struck to stop the “cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”

In the indictment against LI Xiaoyu (李啸宇) and DONG Jiazhi (董家志), the DOJ claimed:

LI and DONG, former classmates at an electrical engineering college in Chengdu, China, used their technical training to hack the computer networks of a wide range of victims, such as companies engaged in high tech manufacturing; civil, industrial, and medical device engineering; business, educational, and gaming software development; solar energy; and pharmaceuticals. More recently, they researched vulnerabilities in the networks of biotech and other firms publicly known for work on COVID-19 vaccines, treatments, and testing technology. Their victim companies were located all over the world, including among other places the United States, Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, South Korea, Spain, Sweden, and the United Kingdom.

The DOJ further claimed

  • The Defendants stole hundreds of millions of dollars’ worth of trade secrets, intellectual property, and other valuable business information. At least once, they returned to a victim from which they had stolen valuable source code to attempt an extortion –threatening to publish on the internet, and thereby destroy the value of, the victim’s intellectual property unless a ransom was paid.
  • LI and DONG did not just hack for themselves. While in some instances they were stealing business and other information for their own profit, in others they were stealing information of obvious interest to the PRC’s Government’s Ministry of State Security (MSS). LI and DONG worked with, and were assisted by, and operated with the acquiescence of the MSS, including MSS Officer 1, known to the Grand Jury, who was assigned to the Guangdong regional division of the MSS (the Guangdong State Security Department GSSD).
  • When stealing information of interest to the MSS, LI and DONG in most instances obtained data through computer fraud against corporations and research institutions. For example, from victims including defense contractors in the U.S. and abroad, LI and DONG stole information regarding military satellite programs; military wireless networks and communications systems; high powered microwave and laser systems; a counter-chemical weapons system; and ship-to-helicopter integration systems.

The DOJ added in its statement on the case:

According to the indictment, to gain initial access to victim networks, the defendants primarily exploited publicly known software vulnerabilities in popular web server software, web application development suites, and software collaboration programs.  In some cases, those vulnerabilities were newly announced, meaning that many users would not have installed patches to correct the vulnerability.  The defendants also targeted insecure default configurations in common applications.  The defendants used their initial unauthorized access to place malicious web shell programs (e.g., the “China Chopper” web shell) and credential-stealing software on victim networks, which allowed them to remotely execute commands on victim computers.

The DOJ has filed the following charges and will seek these penalties per the agency’s press release:

  • The indictment charges the defendants with conspiring to steal trade secrets from at least eight known victims, which consisted of technology designs, manufacturing processes, test mechanisms and results, source code, and pharmaceutical chemical structures.  Such information would give competitors with a market edge by providing insight into proprietary business plans and savings on research and development costs in creating competing products.
  • The defendants are each charged with one count of conspiracy to commit computer fraud, which carries a maximum sentence of five years in prison; one count of conspiracy to commit theft of trade secrets, which carries a maximum sentence of ten years in prison; one count of conspiracy to commit wire fraud, which carries a maximum sentence of 20 years in prison; one count of unauthorized access of a computer, which carries a maximum sentence of five years in prison; and seven counts of aggravated identity theft, which each carries a mandatory sentence of two non-consecutive years in prison.

The indictments come a few days after US Attorney General William Barr and Assistant Attorney General for National Security John Demers made remarks at separate events that cast the activities of the PRC as existential threats to the US and western democracy. Their remarks continued the Trump Administration’s rhetoric, echoed by many Republicans in Congress, warning of the dangers posed by the PRC and sometimes explicitly or implicitly blaming the nation for the COVID-19 virus as a means of shifting the focus from the Trump Administration’s response that has left the US with higher infection and death rates per capita than any comparable nation. For example, earlier today, in London, in describing his talks with British Foreign Secretary Dominic Raab, Secretary of State Mike Pompeo contended

We of course began with the challenge presented by the Chinese Communist Party and the COVID-19 virus that originated in Wuhan, China.  On behalf of the American people I want to extend my condolences to the British people from your losses from this preventable pandemic.  The CCP’s exploitation of this disaster to further its own interests has been disgraceful.

Earlier this month, Federal Bureau of Investigation (FBI) Director Christopher Wray delivered a speech at a conservative think tank that continued the Trump Administration’s focus on the PRC that followed the late June speech by National Security Advisor Robert O’Brien at the occasion of the announcement that Taiwan Semiconductor Manufacturing Corporation (TSMC) would build a plant in Arizona. In mid-June at the Copenhagen Democracy Summit Pompeo urged European leaders to work together to address the malign intentions and actions of the PRC that also threaten Europe. And, tomorrow Pompeo will “deliver a speech on Communist China and the future of the free world” at the Richard Nixon Presidential Library in Yorba Linda, California.

In his remarks, Barr compared the US’s situation to the challenges the “free enterprise system” faced at the end of the 1960’s within the US and from the former Soviet Union and called on private sector companies to stand together against the economic hegemony Beijing is seeking to enforce in part by coopting these companies and their technology. He lauded the refusal of some large tech companies to cooperate with the PRC’s change in national security law in Hong Kong and urged US firms doing business in the PRC to diversify supply chains and rare earth supplies in order to blunt growing Chinese dominance. Barr called for greater cooperation between the public and private sectors in the name of protecting the US and fending off the PRC.

Barr claimed

  • The PRC is now engaged in an economic blitzkrieg—an aggressive, orchestrated, whole-of-government (indeed, whole-of-society) campaign to seize the commanding heights of the global economy and to surpass the United States as the world’s preeminent superpower.  A centerpiece of this effort is the Communist Party’s “Made in China 2025” initiative, a plan for PRC domination of high-tech industries like robotics, advanced information technology, aviation, and electric vehicles.  Backed by hundreds of billions of dollars in subsidies, this initiative poses a real threat to U.S. technological leadership.  Despite World Trade Organization rules prohibiting quotas for domestic output, “Made in China 2025” sets targets for domestic market share (sometimes as high as 70 percent) in core components and basic materials for industries such as robotics and telecommunications.  It is clear that the PRC seeks not merely to join the ranks of other advanced industrial economies, but to replace them altogether.
  • “Made in China 2025” is the latest iteration of the PRC’s state-led, mercantilist economic model.  For American companies in the global marketplace, free and fair competition with China has long been a fantasy.  To tilt the playing field to its advantage, China’s communist government has perfected a wide array of predatory and often unlawful tactics: currency manipulation, tariffs, quotas, state-led strategic investment and acquisitions, theft and forced transfer of intellectual property, state subsidies, dumping, cyberattacks, and espionage.  About 80% of all federal economic espionage prosecutions have alleged conduct that would benefit the Chinese state, and about 60% of all trade secret theft cases have had a nexus to China.

Barr added

Just as consequential, however, are the PRC’s plans to dominate the world’s digital infrastructure through its “Digital Silk Road” initiative.  I have previously spoken at length about the grave risks of allowing the world’s most powerful dictatorship to build the next generation of global telecommunications networks, known as 5G.  Perhaps less widely known are the PRC’s efforts to surpass the United States in other cutting-edge fields like artificial intelligence.  Through innovations such as machine learning and big data, artificial intelligence allows machines to mimic human functions, such as recognizing faces, interpreting spoken words, driving vehicles, and playing games of skill such as chess or the even more complex Chinese strategy game Go.  AI long ago outmatched the world’s chess grandmasters.  But the PRC’s interest in AI accelerated in 2016, when AlphaGo, a program developed by a subsidiary of Google, beat the world champion Go player at a match in South Korea.  The following year, Beijing unveiled its “Next Generation Artificial Intelligence Plan,” a blueprint for leading the world in AI by 2030.  Whichever nation emerges as the global leader in AI will be best positioned to unlock not only its considerable economic potential, but a range of military applications, such as the use of computer vision to gather intelligence.

The PRC’s drive for technological supremacy is complemented by its plan to monopolize rare earth materials, which play a vital role in industries such as consumer electronics, electric vehicles, medical devices, and military hardware.  According to the Congressional Research Service, from the 1960s to the 1980s, the United States led the world in rare earth production. “Since then, production has shifted almost entirely to China,” in large part due to lower labor costs and lighter environmental regulation.

The United States is now dangerously dependent on the PRC for these materials.  Overall, China is America’s top supplier, accounting for about 80 percent of our imports.  The risks of dependence are real.  In 2010, for example, Beijing cut exports of rare earth materials to Japan after an incident involving disputed islands in the East China Sea.  The PRC could do the same to us.

As China’s progress in these critical sectors illustrates, the PRC’s predatory economic policies are succeeding.  For a hundred years, America was the world’s largest manufacturer — allowing us to serve as the world’s “arsenal of democracy.”  China overtook the United States in manufacturing output in 2010.  The PRC is now the world’s “arsenal of dictatorship.”

American companies must understand the stakes.  The Chinese Communist Party thinks in terms of decades and centuries, while we tend to focus on the next quarterly earnings report.  But if Disney and other American corporations continue to bow to Beijing, they risk undermining both their own future competitiveness and prosperity, as well as the classical liberal order that has allowed them to thrive.

Barr asserted

  • During the Cold War, Lewis Powell — later Justice Powell — sent an important memorandum to the U.S. Chamber of Commerce.  He noted that the free enterprise system was under unprecedented attack, and urged American companies to do more to preserve it.  “[T]he time has come,” he said, “indeed, it is long overdue—for the wisdom, ingenuity and resources of American business to be marshaled against those who would destroy it.”
  • So too today.  The American people are more attuned than ever to the threat that the Chinese Communist Party poses not only to our way of life, but to our very lives and livelihoods.  And they will increasingly call out corporate appeasement.
  • If individual companies are afraid to make a stand, there is strength in numbers.  As Justice Powell wrote: “Strength lies in organization, in careful long-range planning and implementation, in consistency of action over an indefinite period of years, in the scale of financing available only through joint effort, and in the political power available only through united action and national organizations.” 
  • Despite years of acquiescence to communist authorities in China, American tech companies may finally be finding their courage through collective action.  Following the recent imposition of the PRC’s draconian national security law in Hong Kong, many big tech companies, including Facebook, Google, Twitter, Zoom, and LinkedIn, reportedly announced that they would temporarily suspend compliance with governmental requests for user data.  True to form, communist officials have threatened imprisonment for noncompliant company employees.  We will see if these companies hold firm.  I hope they do.  If they stand together, they will provide a worthy example for other American companies in resisting the Chinese Communist Party’s corrupt and dictatorial rule.
  • The CCP has launched an orchestrated campaign, across all of its many tentacles in Chinese government and society, to exploit the openness of our institutions in order to destroy them.  To secure a world of freedom and prosperity for our children and grandchildren, the free world will need its own version of the whole-of-society approach, in which the public and private sectors maintain their essential separation but work together collaboratively to resist domination and to win the contest for the commanding heights of the global economy.  America has done that before.  If we rekindle our love and devotion for our country and each other, I am confident that we—the American people, American government, and American business together—can do it again.  Our freedom depends on it. 

In his speech, Assistant Attorney General for National Security John Demers walked through the DOJ’s efforts in “working with our interagency partners to protect against adversaries that would exploit our country’s open investment climate to harm our national security interests,” most likely a reference to the PRC that echoes Barr’s claim Beijing is taking advantage of the US. Demers discussed recent statutory and regulatory changes in the Committee on Foreign Investment in the United States process, the newly established Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector (aka Team Telecom), and the DOJ’s National Security Division’s recently restructured and expanded Foreign Investment Review Section (FIRS) that is charged with crafting and overseeing agreements with companies seeking US government assent to deals involving significant foreign investment. Demers talked in generalities in explaining the Trump Administration’s approach as it pertains to the DOJ except when he referenced a Team Telecom recommendation to revoke the licenses to operate in the US of a PRC telecommunications company.

Demers explained

  • Looking at the numbers, only very few of the transactions we review are blocked.  That does not necessarily mean the others pose no national security risk; rather, for most transactions that involve national security risk, we are successful in working with companies to craft mitigation measures that enable us to resolve the risk without resort to barring the transaction.  Our ability to negotiate mitigation agreements with parties and then monitor compliance is often overlooked in public discussions of foreign investment review, but that part of our program is absolutely crucial.  For that reason, today I would like to focus on the “back end” or “compliance tail” of our reviewed transactions, and to provide what I hope are some helpful insights into our compliance priorities and how those priorities can inform your own approach to mitigation and compliance.
  • One of the major activities of DOJ’s National Security Division is working with our interagency partners to protect against adversaries that would exploit our country’s open investment climate to harm our national security interests.  This conference is devoted to that aspect of our work, and offers an opportunity to engage with the private sector about the threats we face, the steps taken to address those threats.
  • What I would like to discuss with you today is one specific element of our Division’s foreign investment review work, which is our increasing focus on compliance and enforcement.

Demers stated

the Department of Justice’s mitigation activities related to foreign investment arise chiefly in the context of two interagency groups: (1) the Committee on Foreign Investment in the United States; and (2) the newly minted Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector.  This new committee was established this past spring by Executive Order, and formalized the process known for years as Team Telecom, but unfortunately burdened it with the nearly unpronounceable acronym of CAFPUSTSS (pronounced caf-PUSS-tiss).  Here, for ease of our conversation, I will set aside this tongue twisting acronym and instead continue to refer to the committee as Team Telecom.

Demers added

  • In both of these interagency groups, the Department of Justice and our interagency partners can usually resolve national security and law enforcement risks by negotiating mitigation measures with the transaction parties.  Those measures can range from the relatively straightforward, such as routine notice requirements to the very complex – for example, imposing certain governance restrictions.  Once memorialized in a written agreement, we monitor compliance to ensure our identified concerns remain mitigated.
  • Since 2012, the number of mitigation agreements monitored by the Department of Justice has nearly doubled, and this upward trend shows no signs of abating.  Without effective mitigation monitoring by both the government and the parties themselves, the number of reviewed transactions able to clear CFIUS and Team Telecom would be far fewer.  For this reason, robust and effective compliance programs are in the mutual interest of both government and industry.

Finally, Demers remarked

I would like to make brief mention of recent enforcement activities regarding the U.S. subsidiary of China Telecom, which is a Chinese state-owned entity.  As you may be aware from our April 2020 recommendation to the FCC, the Executive Branch agencies identified substantial and unacceptable national security and law enforcement risks associated with China Telecom’s operations, which is why we recommended that the FCC revoke its licenses.  That recommendation was based on several factors, but many of them relate to the company’s failure to comply with a 2007 mitigation agreement.  Other factors include the company’s inaccurate statements concerning the storage of U.S. records and its cybersecurity policies.  The company’s operations also provided opportunities for P.R.C. state actors to engage in malicious cyber activity enabling economic espionage and disruption and misrouting of U.S. communications.  And, it followed logically that additional mitigation terms would give us no comfort with a party we cannot not trust to follow them.  The Foreign Investment Review Section identified those compliance issues through its mitigation monitoring program.  As a result, the Executive Branch agencies concluded that the national security and law enforcement risks associated with China Telecom’s international Section 214 authorizations could not be mitigated by additional mitigation terms.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Senate Subcommittee Faults US Government On PRC Telecom

“It is this constant evolution that highlights a major flaw with the FCC’s Section 214 authorizations: once authorized, a company can operate indefinitely without any oversight. Without proper oversight, foreign carriers operating in the United States can expose the United States to potential economic, national security, and law enforcement risks. The federal government has highlighted the potential risks associated with Chinese telecommunications carriers operating in the United States.”  

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

On June 9, the chair and ranking member of the Senate Homeland Security & Governmental Affairs Committee’s Permanent Investigations Subcommittee released a “bipartisan” report alleging that the United States’ (US) government was lax in allowing telecommunications companies from the People’s Republic of China (PRC) to enter the US market. Specifically, Chair Rob Portman (R-OH) and Ranking Member Tom Carper (D-DE) took issue with how well the Federal Communications Commission (FCC) and “Team Telecom,” an inter-agency review process, oversaw the entrance and operation of three PRC telecommunications in the US, especially from the perspective of national security: China Mobile, China Telecom, and China Unicom. The Subcommittee launched its inquiry after the FCC rejected China Mobile International (USA) Inc.’s application to operate in the US. In May 2019. Since that time, the FCC has undertaken a review of the three aforementioned PRC entities, and the Trump Administration issued an executive order (EO) to revamp and formalize the Team Telecom review process (See here for more detail.) The Subcommittee found a number of ongoing problems with the review and oversight process and recommended a number of changes.

Portman and Carper called for legislation to codify and reform the Team Telecom review process along the same lines as the recent reform of the Committee on Foreign Investment in the United States. Given that these authorities and the thrust of the legislation are focused on the PRC, there is likely significant support on Capitol Hill for a measure that would lead to further scrutiny of PRC telecommunications carriers. Should such legislation be paired with other measures aimed at PRC technology entities, it may face resistance from some stakeholders, including the White House, that may bar enactment this year. Another possibility is that legislation such as this is developed this Congress and support is built for passage in a future year, possibly via inclusion in the National Defense Authorization Act.

The Subcommittee claimed the report “details how the U.S. federal government—particularly the FCC, Department of Justice (DOJ), and Department of Homeland Security (DHS)— historically exercised minimal oversight to safeguard U.S. telecommunications networks against risks posed by Chinese state-owned carriers.” The Subcommittee noted “[t]hree Chinese state-owned carriers have been operating in the United States since the early 2000s, but only in recent years have the FCC, DOJ, and DHS focused on potential risks associated with these carriers. DOJ and DHS did enter into security agreements with two of the Chinese state-owned carriers prior to 2010, but they conducted only two site visits to each carrier since that time (or four total).” The Subcommittee claimed “[t]hree of those visits occurred between 2017 and 2018” and concluded “[t]his lack of oversight undermined the safety of American communications and endangered our national security.”

The Subcommittee stated

Since the Subcommittee launched its investigation, the agencies have increased their oversight of the Chinese state-owned carriers. The administration also recently issued an executive order establishing a formal committee to review the national security and law enforcement risks posed by foreign carriers operating in the United States. Still, the new committee’s authorities remain limited, and as a result, our country, our privacy, and our information remain at risk.

The Subcommittee concluded

It is well understood that the national security environment evolves over time. It is this constant evolution that highlights a major flaw with the FCC’s Section 214 authorizations: once authorized, a company can operate indefinitely without any oversight. Without proper oversight, foreign carriers operating in the United States can expose the United States to potential economic, national security, and law enforcement risks. The federal government has highlighted the potential risks associated with Chinese telecommunications carriers operating in the United States. Three particular carriers have been operating in the United States for approximately 20 years, without sufficient oversight from the FCC and the Executive Branch. Especially when dealing with state-owned telecommunications carriers, greater controls are needed, and the Administration and Congress must work together to ensure sufficient safeguards and oversight mechanisms are in place.

The Subcommittee made the following recommendations:

  • (1)  The FCC should complete its review of China Telecom Americas, China Unicom Americas, and ComNet in a timely manner. Team Telecom has recommended that China Telecom Americas’ authorizations be revoked because of “substantial and unacceptable” national security concerns. The FCC should expeditiously review the authorizations of China Telecom Americas and the other Chinese state-owned carriers to ensure our national security and communications networks are not unnecessarily put at risk. As part of its review of China Unicom Americas’ and ComNet’s authorizations, the FCC should seek the recommendation of the newly established EO Telecom Committee as to national security and law enforcement concerns associated with the carriers’ authorizations. The analysis should also include a decision as to whether risks can be mitigated—through the existing security agreements or new agreements.
  • (2)  The FCC should establish a clear standard and process for revoking a foreign carrier’s existing authorizations. Currently, there is no clear standard or process for revoking a foreign carrier’s existing authorizations. Telecommunications companies must understand the circumstances under which authorizations could be revoked and be afforded due process to challenge potential revocation. Team Telecom officials indicated that they do not know what the FCC considers a “sufficient” basis for a revocation. Thus, while government officials may believe revocation is warranted, they may not recommend revocation without additional guidance. A formal standard and revocation process would provide clear guidance to both the government and industry as to when revocation of an existing authorization is warranted.
  • (3)  Congress should require the periodic review and renewal of foreign carriers’ authorizations to provide international telecommunications services. Currently, these authorizations can exist in perpetuity. Although the recent Executive Order allows the EO Telecom Committee to review existing authorizations, it does not mandate periodic review or renewal. Considering the limited resources DOJ and DHS dedicated to Team Telecom’s review of foreign carriers’ applications, it is unlikely that they will review many existing authorizations. National security and law enforcement concerns, as well as trade, and foreign policy concerns, however, are ever evolving, meaning that an authorization granted in one year may not continue to serve the public interest years later. Requiring a periodic review and renewal of authorizations would ensure that the FCC and the Executive Branch continually account for evolving national security, law enforcement, policy, and trade risks.
  • (4)  Congress should statutorily authorize the EO Telecom Committee. The Administration established the EO Telecom Committee, which formalizes Team Telecom, but the EO Telecom Committee still has no governing statutory authority. Team Telecom’s historical lack of statutory authority led to a review process criticized by many as “opaque” and “broken.” The recent Executive Order is a positive step, but formal legislative authority will provide for greater oversight over foreign carriers.
  • (5)  Congress should preserve the role of other relevant Executive Branch agencies. Team Telecom was comprised of DOJ, DHS, and DOD officials. These agencies are also the primary components of the newly established EO Telecom Committee. Historically, the FCC has sought input on a foreign carrier’s application from other Executive Branch agencies, including the Department of State, Department of Commerce, and the U.S. Trade Representative. The recent Executive Order makes these agencies, and others, advisors to the EO Telecom Committee. These agencies provide invaluable input and their role in the review process must be accounted for in any formal legislation.
  • (6)  Congress should set deadlines by which decisions on FCC- related application reviews must be made. Team Telecom had no set deadlines by which it needed to complete its review of a foreign carrier’s application pursuant to the FCC’s request. Further, Team Telecom’s already limited resources were often focused on actions related to the Committee on Foreign Investment in the United States (“CFIUS”). This resulted in protracted reviews and business uncertainty. Setting deadlines will imbue trust back into the review process. The recent Executive Order imposed certain timelines, but it allows for the EO Telecom Committee to seek extensions, which could draw out the review process, especially if resources remain limited.
  • (7)  Congress should provide sustained resources necessary for the EO Telecom Committee to effectively assess foreign carriers’ applications and to monitor foreign carriers operating in the United States. The Foreign Investment Risk Review Modernization Act of 2018 provided CFIUS agencies specialized authority to hire staff to ensure agencies can manage CFIUS filings. EO Telecom Committee agencies should be provided a similar authority to ensure it is able to effectively and efficiently review foreign carriers’ applications and monitor foreign carriers’ operations.
  • (8)  Congress should require the EO Telecom Committee to formally coordinate reviews of foreign carrier applications with CFIUS. The EO Telecom Committee’s component agencies are members of CFIUS. CFIUS’s and the EO Telecom Committee’s processes overlap when a foreign investor seeks to acquire control of a U.S. telecommunications operator or infrastructure owner. These applications already undergo extensive review by CFIUS. Requiring formal coordination between CFIUS and the EO Telecom Committee will streamline the regulatory clearance process while meeting national security, law enforcement, trade policy, and foreign policy objectives.
  • (9)  Congress should provide the EO Telecom Committee with authority to recommend revocation of a carrier’s authorization, even where no security agreement exists between it and the carrier. Where no security agreement existed, Team Telecom did not interact with the foreign carrier. Although certain government officials believed that Team Telecom could review an existing authorization, even where no agreement existed, there is no formal, legal basis for such review. Combined with a requirement to periodically renew authorizations, affording the EO Telecom Committee the authority to review and recommend revocation of existing authorizations, even without a security agreement in place, allows the EO Telecom Committee to better respond to the evolving nature of national security risks.
  • (10)  Congress should require the periodic review and renewal of security agreements between the EO Telecom Committee and foreign carriers. Team Telecom officials told the Subcommittee that, even if it believed that a security agreement was not comprehensive to address all risks associated with a foreign carrier’s operations, it had little leverage to update the agreement. This means that certain risks, which could otherwise be mitigated, may go unaddressed. Requiring a periodic review and renewal of security agreements provides the EO Telecom Committee yet another tool to ensure that national security and other risks are regularly assessed and addressed.
  • (11)  The EO Telecom Committee should establish formal, written policies and procedures governing its monitoring of compliance with security agreements. Team Telecom had no formal, written processes governing its monitoring of a foreign carrier’s compliance with a security agreement. It relied on written correspondence and site visits, but there was no clear method as to when these mechanisms were used or why. The EO Telecom Committee should document and formalize Team Telecom’s processes, which will provide for more streamlined and consistent review of foreign carriers’ operations in the United States.
  • (12) Congress and the Administration should take steps to ensure reciprocal access to the Chinese telecommunications market for U.S. companies. In those aspects of telecommunications in which China officially permits foreign participation, China requires forced technology transfers and imposes discriminatory regulatory processes and burdensome licensing and operating requirements. This results in a highly asymmetric playing field in which U.S. companies face immensely restrictive policies in China, while Chinese companies are not equally restricted in the United States.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Executive Order Formalizes Review of Foreign Investment in Telecommunications

President Donald Trump has issued an executive order creating an inter-agency review body to determine whether foreign investment in U.S. telecommunications companies presents national security issues. However, the executive order merely formalizes and change the longstanding “Team Telecom” process through which proposed foreign investment in the U.S. telecommunications industry have been evaluated. Like the previous body, the new body will consist of representatives from the Departments of Defense, Homeland Security, and Justice and other agencies in an advisory role. Notably, a time limit will be set on how long these reviews should take. Moreover, a number of the changes will align this review process with the reforms enacted in 2018 to the Committee for Foreign Investment in the United States (CFIUS) process, and like the recent reforms to CFIUS, many of these reforms are aimed at countering Chinese companies’ growing investment in or purchase of U.S. companies in key industries.

The Executive Order (EO) “Establishing the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector” creates the new “Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector” (Committee) chaired by the Attorney General. The EO explained “the primary objective of which shall be to assist the Federal Communications Commission (FCC) in its public interest review of national security and law enforcement concerns that may be raised by foreign participation in the United States telecommunications services sector.” Moreover, the “The function of the Committee shall be:

(i) to review applications and licenses for risks to national security and law enforcement interests posed by such applications or licenses; and

(ii) to respond to any risks presented by applications or licenses by recommending to the FCC, as appropriate and consistent with the provisions of this order, that it dismiss an application, deny an application, condition the grant of an application upon compliance with mitigation measures, modify a license with a condition of compliance with mitigation measures, or revoke a license.”

The Committee “shall review and assess applications to determine whether granting a license or the transfer of a license poses a risk to national security or law enforcement interests of the United States” and must render its assessment within 120 days. If a secondary assessment is required “is warranted because risk to national security or law enforcement interests cannot be mitigated by standard mitigation measures,” then an additional 90 day review period may commence.

In a statement, Federal Communications Commission Chairman Ajit Pai said, “I applaud the President for formalizing Team Telecom review and establishing a process that will allow the Executive Branch to provide its expert input to the FCC in a timely manner.” He claimed that “[n]ow that this Executive Order has been issued, the FCC will move forward to conclude our own pending rulemaking on reform of the foreign ownership review process.” Pai stated that “[a]s we demonstrated last year in rejecting the China Mobile application, this FCC will not hesitate to act to protect our networks from foreign threats…[but] [a]t the same time, we welcome beneficial investment in our networks and believe that this Executive Order will allow us to process such applications more quickly.”

The pending rulemaking to which Pai referred was started under his predecessor former chair Tom Wheeler and would change the FCC’s review of foreign applications in these ways:

In this Notice of Proposed Rulemaking, we propose changes to our rules and procedures related to certain applications and petitions for declaratory ruling involving foreign ownership(together, “applications”). As discussed below, the Commission refers certain applications to the relevant Executive Branch agencies for their input on any national security, law enforcement, foreign policy, and trade policy concerns that may arise from the foreign ownership interests held in the applicants and petitioners (together, “applicants”). As part of our effort to reform the Commission’s processes, we seek to improve the timeliness and transparency of this referral process. More specifically, our goals here are to identify ways in which both the Commission and the agencies might streamline and facilitate the process for obtaining information necessary for Executive Branch review and identify expected time frames, while ensuring that we continue to take Executive Branch concerns into consideration as part of our public interest review.