Further Action On TikTok Divestment and Ban But No Changes

TikTok sues to block the CFIUS order that it divest and the Trump Administration files an appeal of an injunction.

Even though the Trump Administration’s efforts to implement its ban of TikTok have gone nowhere as numerous courts have enjoined the enforcement of the orders, TikTok filed suit against the related order that the company divest Musical.ly primarily on the grounds that the technology that supposedly threatens United States (U.S.) national security is unrelated to the acquisition. Moreover, the day after this suit was filed, a key U.S. agency announced a delay of the divestment order. In a related action, the Trump Administration filed to appeal one of the injunctions blocking it from moving forward on banning the People’s Republic of China (PRC) app. Depending on how long it takes for the federal court to resolve this suit, a Biden Administration Department of Justice (DOJ) may take a different tack than the Trump DOJ.

The day before the divestment order was set to take effect, TikTok asked the United States Court of Appeals for the District of Columbia to review “the Presidential Order Regarding the Acquisition of Musical.ly by ByteDance Ltd., 85 Fed. Reg. 51,297 (Aug. 14, 2020) (the “Divestment Order”), and the related action of the Committee on Foreign Investment in the United States (CFIUS), including its determination to reject mitigation, truncate its review and investigation, and refer the matter to the President.” TikTok asserted:

The Divestment Order and the CFIUS Action seek to compel the wholesale divestment of TikTok, a multi-billion-dollar business built on technology developed by Petitioner ByteDance Ltd. (“ByteDance”), based on the government’s purported national security review of a three-year- old transaction that involved a different business. This attempted taking exceeds the authority granted to Respondents under Section 721, which authorizes CFIUS to review and the President to, at most, prohibit a specified “covered transaction” to address risks to national security created by that transaction. Here, that covered transaction was ByteDance’s acquisition of the U.S. business of another Chinese- headquartered company, Musical.ly—a transaction that did not include the core technology or other aspects of the TikTok business that have made it successful and yet which the Divestment Order now seeks to compel ByteDance to divest.

TikTok also made claims that CFIUS violated the Due Process Clause of the Fifth Amendment, violated the Administrative Procedures Act, and is proposing a “taking” illegal under the Fifth Amendment.

And yet, the Department of the Treasury, the lead agency in the CFIUS process, issued a statement, explaining that the deadline for divestiture had been pushed back by 15 days:

The President’s August 14 Order requires ByteDance and TikTok Inc. to undertake specific divestments and other measures to address the national security risk arising from ByteDance’s acquisition of Musical.ly.  Consistent with the Order, the Committee on Foreign Investment in the United States (CFIUS) has granted ByteDance a 15-day extension of the original November 12, 2020 deadline.  This extension will provide the parties and the Committee additional time to resolve this case in a manner that complies with the Order.   

The Trump Administration may successfully argue that a delay of the order means the court cannot rule on TikTok’s suit. Consequently, this suit may well get pushed into a Biden Administration.

TikTok issued this statement along with the filing of its suit:

For a year, TikTok has actively engaged with CFIUS in good faith to address its national security concerns, even as we disagree with its assessment. In the nearly two months since the president gave his preliminary approval to our proposal to satisfy those concerns, we have offered detailed solutions to finalize that agreement—but have received no substantive feedback on our extensive data privacy and security framework.

Of course, because of the CFIUS divestment order, ByteDance seems to have reached an agreement with Oracle and Walmart, but what they exactly agreed to remains an open question.

In mid-September, the Trump Administration paused its notice for implementing the Executive Order (EO) against TikTok because of agreement in principles of a deal that would permit Oracle and Walmart to control a certain percentage of TikTok in the U.S. However, the details of which entity would control what remain murky with ByteDance arguing that U.S. entities will not control TikTok, but assertions to the opposite being made by the company’s U.S. partners. In the weekend before the EO has set to take effect, it appeared Oracle and Walmart would be able to take a collective 20% stake in a new entity TikTok Global that would operate in the U.S. Walmart has been partnering with Microsoft, but when the tech giant failed in its bid, Walmart began talks with Oracle. ByteDance would have a stake in the company but not majority control according to some sources. However, ByteDance began pushing back on that narrative as President Donald Trump declared after word of a deal leaked “if we find that [Oracle and Walmart] don’t have total control, then we’re not going to approve the deal.” Moreover, $5 billion would be used for some sort of educational fund. However, it is hard to tell what exactly would occur and whether this is supposed to be the “finder’s fee” of sorts Trump had said the U.S. would deserve from the deal.

On 19 September, the U.S. Department of Commerce issued a statement pushing back the effective date of the order against TikTik from 20 September to 27 September because of “recent positive developments.” The same day, the U.S. Department of the Treasury released a statement, explaining:

The President has reviewed a deal among Oracle, Walmart, and TikTok Global to address the national security threat posed by TikTok’s operations. Oracle will be responsible for key technology and security responsibilities to protect all U.S. user data. Approval of the transaction is subject to a closing with Oracle and Walmart and necessary documentation and conditions to be approved by Committee on Foreign Investment in the United States (CFIUS). 

TikTok also released a statement, asserting

We’re pleased that today we’ve confirmed a proposal that resolves the Administration’s security concerns and settles questions around TikTok’s future in the US. Our plan is extensive and consistent with previous CFIUS resolutions, including working with Oracle, who will be our trusted cloud and technology provider responsible for fully securing our users’ data. We are committed to protecting our users globally and providing the highest levels of security. Both Oracle and Walmart will take part in a TikTok Global pre-IPO financing round in which they can take up to a 20% cumulative stake in the company. We will also maintain and expand the US as TikTok Global’s headquarters while bringing 25,000 jobs across the country.

Walmart issued its own statement on 19 September:

While there is still work to do on final agreements, we have tentatively agreed to purchase 7.5% of TikTok Global as well as enter into commercial agreements to provide our ecommerce, fulfillment, payments and other omnichannel services to TikTok Global. Our CEO, Doug McMillon, would also serve as one of five board members of the newly created company. In addition, we would work toward an initial public offering of the company in the United States within the next year to bring even more ownership to American citizens. The final transaction will need to be approved by the relevant U.S. government agencies.

The same day, Oracle and Walmart released a joint statement:

  • The President has announced that ByteDance has received tentative approval for an agreement with the U.S. Government to resolve the outstanding issues, which will now include Oracle and Walmart together investing to acquire 20% of the newly formed TikTok Global business.
  • As a part of the deal, TikTok is creating a new company called TikTok Global that will be responsible for providing all TikTok services to users in United States and most of the users in the rest of the world. Today, the administration has conditionally approved a landmark deal where Oracle becomes TikTok’s secure cloud provider.
  • TikTok Global will be majority owned by American investors, including Oracle and Walmart. TikTok Global will be an independent American company, headquartered in the U.S., with four Americans out of the five member Board of Directors.
  • All the TikTok technology will be in possession of TikTok Global, and comply with U.S. laws and privacy regulations. Data privacy for 100 million American TikTok users will be quickly established by moving all American data to Oracle’s Generation 2 Cloud data centers, the most secure cloud data centers in the world.
  • In addition to its equity position, Walmart will bring its omnichannel retail capabilities including its Walmart.com assortment, eCommerce marketplace, fulfillment, payment and measurement-as-a-service advertising service.
  • TikTok Global will create more than 25,000 new jobs in the Unites States and TikTok Global will pay more than $5 billion in new tax dollars to the U.S. Treasury.
  • TikTok Global, together with Oracle, SIG, General Atlantic, Sequoia, Walmart and Coatue will create an educational initiative to develop and deliver an AI-driven online video curriculum to teach children from inner cities to the suburbs, a variety of courses from basic reading and math to science, history and computer engineering.
  • TikTok Global will have an Initial Public Offering (IPO) in less than 12 months and be listed on a U.S. Exchange. After the IPO, U.S. ownership of TikTok Global will increase and continue to grow over time.

A day later, Oracle went further in a statement to the media claiming, “ByteDance will have no ownership in TikTok Global,” which is a different message than the one the company was sending. For example, in a blog post, ByteDance stated “[t]he current plan does not involve the transfer of any algorithms or technology…[but] Oracle has the authority to check the source code of TikTok USA.”

On a related note, the DOJ filed a notice of appeal of an injunction barring the implementation of the TikTok issued in late October. Three TikTok influencers had filed suit and lost their motion for a preliminary injunction. However, after District Court of the District of Columbia granted TikTok’s request to stop the Department of Commerce from enforcing the first part of the order implementing the ban, the three influencers revised their motion and refiled.

Judge Wendy Beetlestone found that the Trump Administration exceeded its powers under the International Emergency Economic Powers Act (IEEPA) in issuing part of its TikTok order effectuating the ban set to take effect on 12 November:

  • Any provision of internet hosting services, occurring on or after 11:59 p.m. eastern standard time on November 12, 2020, enabling the functioning or optimization of the TikTok mobile application[;]
  • Any provision of content delivery network services, occurring on or after 11:59 p.m. eastern standard time on November 12, 2020, enabling the functioning or optimization of the TikTok mobile application[;]
  • Any provision of directly contracted or arranged internet transit or peering services, occurring on or after 11:59 p.m. eastern standard time on November 12, 2020, enabling the functioning or optimization of the TikTok mobile application[;and]
  • Any utilization, occurring on or after 11:59 p.m. eastern standard time on November 12, 2020, of the TikTok mobile application’s constituent code, functions, or services in the functioning of software or services developed and/or accessible within the land and maritime borders of the United States and its territories.

Beetlestone found that the limit on the use of IEEPA powers to regulate information is clearly implicated by Commerce’s order, which proposes to do just that. Consequently, this is not a legal use of IEEPA powers. The judge also found the plaintiffs would be irreparably harmed through a loss of their audiences and brand sponsorships:

Plaintiffs challenge the Commerce Identification on both statutory and constitutional grounds. First, they contend that the Commerce Identification violates both the First and Fifth Amendments to the U.S. Constitution. They then contend that the Commerce Identification violates the Administrative Procedure Act,5 U.S.C. §701 et seq.,as it is both arbitrary and capricious, see id.§706(2)(A), and ultra vires, see id. § 706(2)(C). Plaintiffs’ ultra vires claim consists of three separate arguments: (1) the Commerce Identification contravenes IEEPA’s “informational materials” exception, 50 U.S.C. § 1702(b)(3); (2) the Commerce Identification contravenes IEEPA’s prohibition on the regulation of “personal communication[s] . . . not involv[ing] a transfer of anything of value,” id. § 1702(b)(1), and (3) the Commerce Identification is not responsive to the national emergency declared in the ICTS Executive Order, and therefore requires the declaration of a new national emergency to take effect, see id. §1701(b).

In the first injunction granted against the TikTok ban, the court found that TikTok’s claims on the misuse of IEEPA, 50 U.S.C. §§ 1701–08, the primary authority President Donald Trump relied on in his executive order banning the app, were unpersuasive. The court conceded “IEEPA contains a broad grant of authority to declare national emergencies and to prohibit certain transactions with foreign countries or foreign nationals that pose risks to the national security of the United States.” But, the court noted “IEEPA also contains two express limitations relevant here: the “authority granted to the President . . . does not include the authority to regulate or prohibit, directly or indirectly” either (a) the importation or exportation of “information or informational materials”; or (b) “personal communication[s], which do[] not involve a transfer of anything of value.” The court concluded:

In sum, the TikTok Order and the Secretary’s prohibitions will have the intended effect of stopping U.S. users from communicating (and thus sharing data) on TikTok. To be sure, the ultimate purpose of those prohibitions is to protect the national security by preventing China from accessing that data and skewing content on TikTok. And the government’s actions may not constitute direct regulations or prohibitions of activities carved out by 50 U.S.C. 1702(b). But Plaintiffs have demonstrated that they are likely to succeed on their claim that the prohibitions constitute indirect regulations of “personal communication[s]” or the exchange of “information or informational materials.”

After considering the risks of irreparable harm to TikTok and the equities and public interest, the court decided:

Weighing these interests together with Plaintiffs’ likelihood of succeeding on their IEEPA claim and the irreparable harm that Plaintiffs (and their U.S. users) will suffer absent an injunction, the Court concludes that a preliminary injunction is appropriate.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Olivier Bergeron from Pexels

Courts Further Block TikTok and WeChat Bans

Two Trump Administration measures to strike at the PRC remain unimplemented.

The Trump Administration has suffered more setbacks in its efforts to move forward with its bans on applications from the People’s Republic of China (PRC). United States’ (U.S.) courts continue to block enforcement of orders prohibiting TikTok and WeChat on national security grounds. Courts have been skeptical of the rationale and reasons offered by the Trump Administration and have not allowed a single portion of either order to take effect.

In a decision late last month, a magistrate judge in San Francisco rejected the Trump Administration’s request to essentially reverse the injunction on the ban of WeChat. Magistrate Judge Laurel Beeler explained:

The government moved to stay the preliminary injunction, and it submitted additional information (that it could not have reasonably submitted earlier) that the Secretary of Commerce considered in identifying the prohibited transactions. The plaintiffs submitted additional information too. On this record, the court denies the motion to stay. The government’s additional evidence does not alter the court’s previous holding that the plaintiffs are entitled to a preliminary injunction.

Beeler said the Department of Commerce presented additional evidence on the threats to national security posed by WeChat and Tencent, chiefly because of the PRC’s access to the data amassed and used by PRC companies, and the Department of Homeland Security’s Cybersecurity Infrastructure and Security Agency presented evidence on potential threats the app poses, including as a vehicle for PRC misinformation, a means of introducing malicious code, and the exposure of data of Americans to the PRC.

One of the plaintiff’s experts identified “four targeted measures to address the government’s concerns about WeChat:

  • First, WeChat could partner with a U.S. cloud provider to store data, which would allow a relatively secure place for user data and easy audits to detect unauthorized access to data.
  • Second, regular compliance audits would mitigate data-security risks.
  • Third, it is industry best practice to have stringent corporate or external oversight over management and personnel with access to user data.
  • Fourth, WeChat could use end-to-end encryption. These measures do not eliminate all risks of data leaks to the Chinese government, but they meet the industry’s current standards.

This expert further noted

that the government’s concern about WeChat’s surveillance capabilities could be addressed by an independent third party’s review and audit of WeChat’s source codes. Banning WeChat downloads is dangerous because it increases security risks to users: software needs updates to fix bugs, and if bugs are not fixed, WeChat users’ devices and data are subject to attack. Security concerns about government employees are addressed through narrower bans of those employees’ use of the WeChat app. Otherwise, data protection generally requires best practices such as end-to-end encryption, protecting consumer data and metadata (in the manner of Europe’s General Data Protection Regulation or California’s Consumer Privacy Act), and supporting research into making traffic analysis more difficult. Tech companies such as Facebook and Google, which collect data and sell it to data brokers, also pose surveillance concerns. If China wants U.S. users’ private information, it can buy it from those data brokers. Effectively banning WeChat does not protect U.S. user data from criminals or China.

Beeler found:

The government’s new evidence does not meaningfully alter its earlier submissions. The court’s assessment of the First Amendment analysis and the risks to national security — on this record — are unchanged.

[T]he record does not support the conclusion that the government has “narrowly tailored” the prohibited transactions to protect its national-security interests. Instead, the record, on balance, supports the conclusion that the restrictions “burden substantially more speech than is necessary to further the government’s legitimate interests.”

Consequently, Beeler denied the motion to lift the injunction against the WeChat order.

Moreover, the United States Court of Appeals for the Ninth Circuit declined to stay’s Beeler’s injunction barring implementation of the WeChat ban, as requested by the Trump Administration.

On 19 September, Beeler granted a preliminary injunction against the Trump Administration’s implementation of the WeChat order. As explained in a footnote, “[t]he plaintiffs are U.S. WeChat Users Alliance, a nonprofit formed to challenge the WeChat Executive Order, and individual and business users.” In short, they contended that the WeChat ban

(1) violates the First Amendment to the U.S. Constitution,

(2) violates the Fifth Amendment,

(3) violates the Religious Freedom Restoration Act, 42 U.S.C. § 2000bb(1)(a),

(4) was not a lawful exercise of the President’s and the Secretary’s authority under IEEPA— which allows the President to prohibit “transactions” in the interest of national security — because the IEEPA, 50 U.S.C. § 1702(b)(1), does not allow them to regulate personal communications, and

(5) violates the Administrative Procedures Act (“APA”) because the Secretary exceeded his authority under the IEEPA and should have promulgated the rule through the notice-and-comment rulemaking procedures in 5 U.S.C. § 553(b).

The judge granted the motion for a preliminary injunction “on the ground that the plaintiffs have shown serious questions going to the merits of the First Amendment claim, the balance of hardships tips in the plaintiffs’ favor, and the plaintiffs establish sufficiently the other elements for preliminary-injunctive relief.” The judge seemed most persuaded by this claim and summarized the plaintiffs’ argument:

  • First, they contend, effectively banning WeChat — which serves as a virtual public square for the Chinese-speaking and Chinese-American community in the United States and is (as a practical matter) their only means of communication — forecloses meaningful access to communication in their community and thereby operates as a prior restraint on their right to free speech that does not survive strict scrutiny.
  • Second, even if the prohibited transactions are content-neutral time-place-or-manner restrictions, they do not survive intermediate scrutiny because the complete ban is not narrowly tailored to address the government’s significant interest in national security.

In a decision from last week, a new federal court has found reason to block the TikTok ban on new grounds. Three TikTok influencers  had filed suit and lost their motion for a preliminary injunction. However, after District Court of the District of Columbia granted TikTok’s request to stop the Department of Commerce from enforcing the first part of the order implementing the ban, the three influencers revised their motion and refiled.

Judge Wendy Beetlestone found that the Trump Administration exceeded its powers under the International Emergency Economic Powers Act (IEEPA) in issuing part of its TikTok order effectuating the ban set to take effect on 12 November:

  • Any provision of internet hosting services, occurring on or after 11:59 p.m. eastern standard time on November 12, 2020, enabling the functioning or optimization of the TikTok mobile application[;]
  • Any provision of content delivery network services, occurring on or after 11:59 p.m. eastern standard time on November 12, 2020, enabling the functioning or optimization of the TikTok mobile application[;]
  • Any provision of directly contracted or arranged internet transit or peering services, occurring on or after 11:59 p.m. eastern standard time on November 12, 2020, enabling the functioning or optimization of the TikTok mobile application[; and]
  • Any utilization, occurring on or after 11:59 p.m. eastern standard time on November 12, 2020, of the TikTok mobile application’s constituent code, functions, or services in the functioning of software or services developed and/or accessible within the land and maritime borders of the United States and its territories.

Beetlestone found that the limit on the use of IEEPA powers to regulate information is clearly implicated by Commerce’s order, which proposes to do just that. Consequently, this is not a legal use of IEEPA powers. The judge also found the plaintiffs would be irreparably harmed through a loss of their audiences and brand sponsorships

Plaintiffs challenge the Commerce Identification on both statutory and constitutional grounds. First, they contend that the Commerce Identification violates both the First and Fifth Amendments to the U.S. Constitution. They then contend that the Commerce Identification violates the Administrative Procedure Act,5 U.S.C. §701 et seq.,as it is both arbitrary and capricious, see id.§706(2)(A), and ultra vires, see id. § 706(2)(C). Plaintiffs’ ultra vires claim consists of three separate arguments: (1) the Commerce Identification contravenes IEEPA’s “informational materials” exception, 50 U.S.C. § 1702(b)(3); (2) the Commerce Identification contravenes IEEPA’s prohibition on the regulation of “personal communication[s] . . . not involv[ing] a transfer of anything of value,” id. § 1702(b)(1), and (3) the Commerce Identification is not responsive to the national emergency declared in the ICTS Executive Order, and therefore requires the declaration of a new national emergency to take effect, see id. §1701(b).

In the first injunction granted against the TikTok ban, the court found that TikTok’s claims on the misuse of IEEPA , 50 U.S.C. §§ 1701–08, the primary authority President Donald Trump relied on in his executive order banning the app, were unpersuasive. The court conceded “IEEPA contains a broad grant of authority to declare national emergencies and to prohibit certain transactions with foreign countries or foreign nationals that pose risks to the national security of the United States.” But, the court noted “IEEPA also contains two express limitations relevant here: the “authority granted to the President . . . does not include the authority to regulate or prohibit, directly or indirectly” either (a) the importation or exportation of “information or informational materials”; or (b) “personal communication[s], which do[] not involve a transfer of anything of value.” The court concluded:

In sum, the TikTok Order and the Secretary’s prohibitions will have the intended effect of stopping U.S. users from communicating (and thus sharing data) on TikTok. To be sure, the ultimate purpose of those prohibitions is to protect the national security by preventing China from accessing that data and skewing content on TikTok. And the government’s actions may not constitute direct regulations or prohibitions of activities carved out by 50 U.S.C. 1702(b). But Plaintiffs have demonstrated that they are likely to succeed on their claim that the prohibitions constitute indirect regulations of “personal communication[s]” or the exchange of “information or informational materials.”

After considering the risks of irreparable harm to TikTok and the equities and public interest, the court decided:

Weighing these interests together with Plaintiffs’ likelihood of succeeding on their IEEPA claim and the irreparable harm that Plaintiffs (and their U.S. users) will suffer absent an injunction, the Court concludes that a preliminary injunction is appropriate.

On 18 September, the Trump Administration issued orders barring TikTok and WeChat pursuant to the “Executive Order on Addressing the Threat Posed by TikTok” and “Executive Order on Addressing the Threat Posed by WeChat” that bar any transactions with the companies that made, distribute, and operate TikTok and WeChat respectively. The U.S. Department of Commerce (Commerce) issued orders effectuating the executive orders.

In a press release, Commerce explained:

As of September 20, 2020, the following transactions are prohibited:

  1. Any provision of service to distribute or maintain the WeChat or TikTok mobile applications, constituent code, or application updates through an online mobile application store in the U.S.;
  2. Any provision of services through the WeChat mobile application for the purpose of transferring funds or processing payments within the U.S.

As of September 20, 2020, for WeChat and as of November 12, 2020, for TikTokthe following transactions are prohibited:

  1. Any provision of internet hosting services enabling the functioning or optimization of the mobile application in the U.S.;
  2. Any provision of content delivery network services enabling the functioning or optimization of the mobile application in the U.S.;
  3. Any provision directly contracted or arranged internet transit or peering services enabling the function or optimization of the mobile application within the U.S.;
  4. Any utilization of the mobile application’s constituent code, functions, or services in the functioning of software or services developed and/or accessible within the U.S.

Commerce added:

Any other prohibitive transaction relating to WeChat or TikTok may be identified at a future date. Should the U.S. Government determine that WeChat’s or TikTok’s illicit behavior is being replicated by another app somehow outside the scope of these executive orders, the President has the authority to consider whether additional orders may be appropriate to address such activities. The President has provided until November 12 for the national security concerns posed by TikTok to be resolved. If they are, the prohibitions in this order may be lifted.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by iXimus from Pixabay

Court Issues Injunction On First Part of TikTok Ban

The Trump Administration’s efforts to start banning TikTok is blocked by a federal court, its second defeat this month.

A federal court has granted a request made by TikTok to stop the first part of an order that would have required Apple and Google to remove the Chinese app from its stores or providing updates. The court was not persuaded by the President’s use of his emergency powers in ways that are contrary to the text of the law regarding information, information services, and personal communication. It is likely the Trump Administration appeals even though it appears TikTok has a very good chance of winning on the merits. However, this injunction does not effect, at present, the four other provisions in the order, and nor does it have any relevance on the order by the inter-agency group to ByteDance to unwind the deal that brought it musical.ly

The District Court of the District of Columbia granted TikTok’s request to stop the Department of Commerce from enforcing the first part of the order implementing the ban:

Any provision of services, occurring on or after 11:59 p.m. eastern standard time on September 27, 2020, to distribute or maintain the TikTok mobile application, constituent code, or application updates through an online mobile application store

The court found that TikTok’s claims on the misuse of “International Emergency Economic Powers Act” (IEEPA), 50 U.S.C. §§ 1701–08, the primary authority President Donald Trump relied on in his executive order banning the app, were unpersuasive. The court conceded “IEEPA contains a broad grant of authority to declare national emergencies and to prohibit certain transactions with foreign countries or foreign nationals that pose risks to the national security of the United States.” But, the court noted “IEEPA also contains two express limitations relevant here: the “authority granted to the President . . . does not include the authority to regulate or prohibit, directly or indirectly” either (a) the importation or exportation of “information or informational materials”; or (b) “personal communication[s], which do[] not involve a transfer of anything of value.” The court concluded:

In sum, the TikTok Order and the Secretary’s prohibitions will have the intended effect of stopping U.S. users from communicating (and thus sharing data) on TikTok. To be sure, the ultimate purpose of those prohibitions is to protect the national security by preventing China from accessing that data and skewing content on TikTok. And the government’s actions may not constitute direct regulations or prohibitions of activities carved out by 50 U.S.C. 1702(b). But Plaintiffs have demonstrated that they are likely to succeed on their claim that the prohibitions constitute indirect regulations of “personal communication[s]” or the exchange of “information or informational materials.”

After considering the risks of irreparable harm to TikTok and the equities and public interest, the court decided:

Weighing these interests together with Plaintiffs’ likelihood of succeeding on their IEEPA claim and the irreparable harm that Plaintiffs (and their U.S. users) will suffer absent an injunction, the Court concludes that a preliminary injunction is appropriate.

This is the second defeat of the Trump Administration’s efforts to ban companies from the People’s Republic of China (PRC) this month. On 19 September, a magistrate judge in San Francisco granted a preliminary injunction against the Trump Administration’s implementation of the WeChat order. As explained in a footnote, “[t]he plaintiffs are U.S. WeChat Users Alliance, a nonprofit formed to challenge the WeChat Executive Order, and individual and business users.” In short, they contended that the WeChat ban

(1) violates the First Amendment to the U.S. Constitution,

(2) violates the Fifth Amendment,

(3) violates the Religious Freedom Restoration Act, 42 U.S.C. § 2000bb(1)(a),

(4) was not a lawful exercise of the President’s and the Secretary’s authority under IEEPA— which allows the President to prohibit “transactions” in the interest of national security — because the IEEPA, 50 U.S.C. § 1702(b)(1), does not allow them to regulate personal communications, and

(5) violates the Administrative Procedures Act (“APA”) because the Secretary exceeded his authority under the IEEPA and should have promulgated the rule through the notice-and-comment rulemaking procedures in 5 U.S.C. § 553(b).

The judge granted the motion for a preliminary injunction “on the ground that the plaintiffs have shown serious questions going to the merits of the First Amendment claim, the balance of hardships tips in the plaintiffs’ favor, and the plaintiffs establish sufficiently the other elements for preliminary-injunctive relief.” The judge seemed most persuaded by this claim and summarized the plaintiffs’ argument:

  • First, they contend, effectively banning WeChat — which serves as a virtual public square for the Chinese-speaking and Chinese-American community in the United States and is (as a practical matter) their only means of communication — forecloses meaningful access to communication in their community and thereby operates as a prior restraint on their right to free speech that does not survive strict scrutiny.
  • Second, even if the prohibited transactions are content-neutral time-place-or-manner restrictions, they do not survive intermediate scrutiny because the complete ban is not narrowly tailored to address the government’s significant interest in national security.

The Trump Administration will almost certainly appeal these decisions, but it remains to be seen how quickly the case moves through the court system.

As noted, the Committee on Foreign Investment in the United States (CFIUS) recommended that the President order ByteDance to divest musical.ly, and Trump did so in an “Order Regarding the Acquisition of Musical.ly by ByteDance Ltd.” The deadline for selling off this part of the company is mid-November, but this timeline was effectively moved up by Trump’s public comments about the sale and the TikTok executive order set to take effect in mid-September. Oracle, Walmart, and ByteDance are awaiting review of the deal in both Washington and Beijing. At present, the terms proposed seem to indicate Oracle would become a “trusted technology partner,” a term not used before in such transactions, and Walmart would provide “ecommerce, fulfillment, payments and other omnichannel services” to TikTok operations in the U.S. It has been suggested but contested that a majority of these operations would be in the hands of U.S. entities, but ByteDance has disputed that claim. Moreover, it has been separately claimed Oracle and Walmart would get a collective 20% stake in U.S. operations. All of this is unclear and subject to change depending on CFIUS review. Moreover, the PRC will need to approve the deal per its recently implemented export control regulations that would seem to bar the transfer of technology like TikTok’s algorithm.

In terms of background, on 18 September, the Trump Administration issued orders barring TikTok and WeChat pursuant to executive orders issued an “Executive Order on Addressing the Threat Posed by TikTok” and an “Executive Order on Addressing the Threat Posed by WeChat” that bar any transactions with the companies that made, distribute, and operate TikTok and WeChat respectively. The U.S. Department of Commerce (Commerce) issued orders effectuating the executive orders.

In a press release, Commerce explained:

As of September 20, 2020, the following transactions are prohibited:

  1. Any provision of service to distribute or maintain the WeChat or TikTok mobile applications, constituent code, or application updates through an online mobile application store in the U.S.;
  2. Any provision of services through the WeChat mobile application for the purpose of transferring funds or processing payments within the U.S.

As of September 20, 2020, for WeChat and as of November 12, 2020, for TikTokthe following transactions are prohibited:

  1. Any provision of internet hosting services enabling the functioning or optimization of the mobile application in the U.S.;
  2. Any provision of content delivery network services enabling the functioning or optimization of the mobile application in the U.S.;
  3. Any provision directly contracted or arranged internet transit or peering services enabling the function or optimization of the mobile application within the U.S.;
  4. Any utilization of the mobile application’s constituent code, functions, or services in the functioning of software or services developed and/or accessible within the U.S.

Commerce added:

Any other prohibitive transaction relating to WeChat or TikTok may be identified at a future date. Should the U.S. Government determine that WeChat’s or TikTok’s illicit behavior is being replicated by another app somehow outside the scope of these executive orders, the President has the authority to consider whether additional orders may be appropriate to address such activities. The President has provided until November 12 for the national security concerns posed by TikTok to be resolved. If they are, the prohibitions in this order may be lifted.

Commerce has submitted notices to be published this week in the Federal Register identifying the transactions that will be illegal regarding TikTok and WeChat:

Pursuant to Executive Order 13942, the Secretary of Commerce is publishing the list of prohibited transactions by any person, or with respect to any property, subject to the jurisdiction of the United States, with ByteDance Ltd. (a.k.a. Zìjié Tiàodòng), Beijing, China, or its subsidiaries, including TikTok Inc., in which any such company has any interest, to address the national emergency with respect to the information and communications technology and services supply chain declared in Executive Order 13873, May 15, 2019 (Securing the Information and Communications Technology and Services Supply Chain), and particularly to address the threat identified in Executive Order 13942 posed by mobile application TikTok.

On 19 September, the U.S. Department of Commerce issued a statement pushing back the effective date of the order against TikTik from 20 September to 27 September because of “recent positive developments” regarding a possible deal between ByteDance, Oracle, and Walmart that would satisfy U.S. national security concerns about the app.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Solen Feyissa on Unsplash

TikTok Sues Trump Administration

TikTok files a longshot lawsuit that may soon be moot if the company’s operations in the U.S. are sold.     

No one in the White House or Administration should be terribly surprised that TikTok decided to sue over the 6 August “Executive Order on Addressing the Threat Posed by TikTok.” The company is alleging the President and his Administration exceeded the bounds of authority granted by Congress and violated the company’s rights under the United States (U.S.) Constitution. The company wants a court to stop the Trump Administration from moving forward with implementing the executive order (EO) and for the court to deem the EO unconstitutional and illegal. It is possible the court rules on whether it will enjoin the Trump Administration in the short term, but it will likely take much more time to decide on the substance of the case. In any event, this suit could soon be moot if ByteDance sells off its U.S. operations of TikTok to a U.S. company, for the EO would likely be rescinded in such a case.

The EO bars all transactions between U.S. entities and people, starting 45 days after issuance of the EO, with TikTok and their subsidiaries. Specifically, “to the extent permitted under applicable law: any transaction [is prohibited] by any person, or with respect to any property, subject to the jurisdiction of the United States, with [ByteDance], or its subsidiaries, in which any such company has any interest…” The Trump Administration claimed:

TikTok, a video-sharing mobile application owned by the Chinese company ByteDance Ltd., has reportedly been downloaded over 175 million times in the United States and over one billion times globally.  TikTok automatically captures vast swaths of information from its users, including Internet and other network activity information such as location data and browsing and search histories.  This data collection threatens to allow the Chinese Communist Party access to Americans’ personal and proprietary information — potentially allowing China to track the locations of Federal employees and contractors, build dossiers of personal information for blackmail, and conduct corporate espionage.

In the suit filed in United States federal court in Northern California, TikTok is asking for an injunction to stop enforcement of the EO and a declaration that it is illegal. The company specifically asserts:

The executive order and, necessarily, any implementing regulations are unlawful and unconstitutional for a number of independent reasons:

  • By banning TikTok with no notice or opportunity to be heard (whether before or after the fact), the executive order violates the due process protections of the Fifth Amendment.
  • The order is ultra vires because it is not based on a bona fide national emergency and authorizes the prohibition of activities that have not been found to pose “an unusual and extraordinary threat.”
  • The order is ultra vires because its prohibitions sweep broadly to prohibit any transactions with ByteDance, although the purported threat justifying the order is limited to TikTok, just one of ByteDance’s businesses.
  • The order is ultra vires because it restricts personal communications and the transmission of informational materials, in direct violation of International Emergency Economic Powers Act (IEEPA).
  • IEEPA lacks any intelligible principle to guide or constrain the President’s action and thereby violates the non-delegation doctrine, as the President’s overbroad and unjustified claim of authority in this matter confirms.
  • By demanding that Plaintiffs make a payment to the U.S. Treasury as a condition for the sale of TikTok, the President has taken Plaintiffs’ property without compensation in violation of the Fifth Amendment.
  • By preventing TikTok Inc. from operating in the United States the executive order violates TikTok Inc.’s First Amendment rights in its code, an expressive means of communication.

In a press release, TikTok contended

To be clear, we far prefer constructive dialogue over litigation. But with the [EO] threatening to bring a ban on our US operations – eliminating the creation of 10,000 American jobs and irreparably harming the millions of Americans who turn to this app for entertainment, connection, and legitimate livelihoods that are vital especially during the pandemic – we simply have no choice.

It bears note that rarely have suits against the use of a President’s use of IEEPA succeeded, notably on many of the same grounds TikTok is using. Courts have rejected claims that a President’s use of these powers violate the Fifth and First Amendments and the non-delegation doctrine.

Additionally, a TikTok employee has filed suit against the Trump Administration, making some of the same arguments against the EO, but contending further

Given the severe civil and criminal penalties in place for violating the Executive Order, and the overbroad nature of its language, it is obvious that TikTok and its employees, as well as other companies involved in the process of distributing wages and salaries to U.S. employees, such as ADP, banks, and credit companies, would not dare to engage in any activity that might be construed as a violation. The broad language of the order necessarily will create a chilling effect for any person or entity that has contracted with or that does business with TikTok.

Of course, there is litigation pending against TikTok for alleged violations, including one case before the same court in Northern California. A college student filed suit, arguing:

Unknown to its users, however, is that TikTok also includes Chinese surveillance software. TikTok clandestinely has vacuumed up and transferred to servers in China vast quantities of private and personally-identifiable user data that can be employed to identify, profile and track the location and activities of users in the United States now and in the future. TikTok also has surreptitiously taken user content, such as draft videos never intended for publication, without user knowledge or consent. In short, TikTok’s lighthearted fun comes at a heavy cost. Meanwhile, TikTok unjustly profits from its secret harvesting of private and personally-identifiable user data by, among other things, using such data to derive vast targeted-advertising revenues and profits. Its conduct violates statutory, Constitutional, and common law privacy, data, and consumer protections.

The plaintiff asserted TikTok violated the following U.S. and California laws and common law legal doctrines:

  • Computer Fraud and Abuse Act, 18 U.S.C. § 1030
  • California Comprehensive Data Access and Fraud Act, Cal. Pen. C. § 502
  • Right to Privacy – California Constitution
  • Intrusion upon Seclusion
  • California Unfair Competition Law, Bus. & Prof. C. §§ 17200 et seq.
  • California False Advertising Law, Bus. & Prof. C. §§ 17500 et seq.
  • Negligence
  • Restitution / Unjust Enrichment

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Executive Order on Securing the United States Bulk-Power System

A new EO will result in the systems and equipment from certain nations, most likely including China, being barred from the U.S. electric grid on account of the risk they pose to national security.  

Late last week, President Donald Trump signed an executive order (EO) that would direct the Secretary of Energy and other officials to take steps to ensure the United States’ bulk power sector is protected from the threats posed by the manufacture of components by foreign adversaries, most likely the People’s Republic of China (PRC). This EO is of a piece with two Administration priorities: desired changes in trade policies with the PRC and defending the United States from vulnerabilities arising from an information and communications technology (ICT) supply chain that largely originates in the PRC. Trump declared a national emergency with respect to the bulk power system, triggering a range of powers to address this situation. The EO would establish a blanket ban on bulk power utilities from buying systems and equipment from yet to be named foreign adversaries except if allowed by the Department of Energy along with required mitigations.

Even though the EO and related materials released by the Trump Administration do not spell out the predicate for this action, the likely policy background was informed by broader concerns about possibly compromised ICT coming from the PRC and possibly more specific information about such equipment, hardware, software, and systems.The EO is also of a piece with the Trump Administration’s aggressive policy initiatives to protect the U.S. and rebuff alleged Chinese efforts to lace U.S. supply chains and critical systems with compromised technology that could later be used for espionage or cyber-attack.

Over the last few years, the Trump Administration reported of intrusions and penetrations of the U.S. electric system by hackers sponsored by or related to the Russian government. In 2018, the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) released an advisory in which they “characterize[d] this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks.” DHS and the FBI stated, “[a]fter obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).” At about the same time, the Department of the Treasury announced sanctions against five Russian entities and 19 Russian nationals for “Russia’s continuing destabilizing activities” including “U.S. government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors” as detailed in “the recent technical alert issued by the Department of Homeland Security and Federal Bureau of Investigation.”

The year before, DHS and the FBI advised critical infrastructure operators of a penetration of a nuclear energy operator in Kansas and others throughout the U.S. The agencies jointly claimed, “[t]here is no indication of a threat to public safety, as any potential impact appears to be limited to administrative and business networks.”

And yet, these forays could easily be precursors to the sorts of attacks Russia has waged against its neighbors. For example, in 2015, Russian hackers were identified as the culprits who compromised part of Ukraine’s electric grid, but it appears access was gained and havoc was wreaked through the acquisition of employees’ credentials and not likely through exploitation of weaknesses or backdoors in the utility’s systems. In the Director of National Intelligence’s public 2019 Worldwide Threat Assessment, it was claimed

Russia has the ability to execute cyber attacks in the United States that generate localized, temporary disruptive effects on critical infrastructure—such as disrupting an electrical distribution network for at least a few hours—similar to those demonstrated in Ukraine in 2015 and 2016.Moscow is mapping our critical infrastructure with the long-term goal of being able to cause substantial damage.

Moreover, risks to the energy sector have long been recognized. In a 2017 report prepared by the Idaho National Laboratory, “ICS   attacks   are   becoming   increasingly   more   targeted   and   sophisticated, with trusted communications  networks,  remote  access,  mobile  devices,  vendors,  and  supply  chains  are  the most likely routes of ingress.” In 2014, a U.S. think tank claimed

Vulnerabilities arise when utilities procure hardware and software from third-party vendors, including hardware or software that is intended to support smart grid and cybersecurity initiatives. New products and software may not be sufficiently secure in their design or implementation; they may be subject to malicious manipulation or be compromised by the use of counterfeit parts. Suppliers may not face market pressures or requirements to incorporate cybersecurity features in the design of their systems and devices. In some cases, products sold to the power sector may be insecure by design or insufficiently supported as new risks are identified. These issues are further complicated by the global nature of supply chains, which offer multiple possible entry points for cyber attacks. For example, numerous SCADA (supervisory control and data acquisition) devices are manufactured overseas, including in China, where external cyber threats have originated in the past.

In the EO, Trump found “that the unrestricted acquisition or use in the United States of bulk-power system electric equipment designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries augments the ability of foreign adversaries to create and exploit vulnerabilities in bulk-power system electric equipment, with potentially catastrophic effects.” He added that “I therefore determine that the unrestricted foreign supply of bulk-power system electric equipment constitutes an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States, which has its source in whole or in substantial part outside the United States.” Trump wrote, “[t]o address this threat, additional steps are required to protect the security, integrity, and reliability of bulk-power system electric equipment used in the United States.” He declared that “[i]n light of these findings, I hereby declare a national emergency with respect to the threat to the United States bulk-power system.”

The EO would bar the purchase of “any bulk-power system electric equipment” from unspecified foreign nations if the transaction poses unacceptable risks to the U.S. electric grid specifically and the U.S. generally. The EO defines foreign adversary as a “foreign government or foreign non-government person engaged in a long‑term pattern or serious instances of conduct significantly adverse to the national security of the United States or its allies or the security and safety of United States persons.” Presumably countries that have well-developed offensive cyber capabilities like the PRC, Russia, Iran, and North Korea would be designated foreign adversaries.

However, the Secretary of Energy could identify and require the use of mitigation measures that could render otherwise banned equipment to be bought and used. The Department of Energy “may establish and publish criteria for recognizing particular equipment and particular vendors in the bulk-power system electric equipment market as pre-qualified for future transactions; and may apply these criteria to establish and publish a list of pre-qualified equipment and vendors.”

More broadly, the Secretary of Energy is directed to use the full authority conferred on his department by Congress and all the powers available under the International Emergency Economic Powers Act (IEEPA), the basis for Presidents to impose sanctions and other economic measures in peace time. Pursuant to the use of these powers, the Department of Energy will likely identify countries as foreign adversaries for purposes of the EO and the companies they own, control, or have a stake in. Furthermore, the Department should also identify those foreign adversaries or companies that deserve additional scrutiny and a licensing process for those transactions that would otherwise be banned under the EO but are allowed to proceed with mitigation measures.  The Department of Energy must also identify any existing bulk power system electric equipment that poses a threat to national or economic security and determine the means by which this equipment could be monitored, isolated, or replaced. The EO would also create a Task Force on Federal Energy Infrastructure Procurement Policies Related to National Security (Task Force) that “shall work to protect the Nation from national security threats through the coordination of Federal Government procurement of energy infrastructure and the sharing of risk information and risk management practices to inform such procurement.”

Finally, regarding the thrust of the EO, it bears mention that the Federal Energy Regulatory Commission (FERC) granted a petition to “defer the implementation of several Commission-approved Reliability Standards that have effective dates or phased-in implementation dates that fall in the second half of 2020,” including CIP-013-1 (Cyber Security – Supply Chain Risk Management), which was designed “to help ensure that responsible entities establish organizationally-defined processes that integrate a cybersecurity risk management framework into the system development lifecycle.” The deferral of this and related standards was on account of the COVID-19 pandemic’s effect on the energy sector. When the rule was adopted, FERC explained “Reliability Standard CIP-013-1 addresses information system planning and vendor risk management and procurement controls by requiring that responsible entities develop and implement one or more documented supply chain cybersecurity risk management plan(s) for high and medium impact Bulk Electric System (BES) Cyber Systems. The required plans must address, as applicable, a baseline set of six security concepts: (1) Vendor security event notification; (2) coordinated incident response; (3) vendor personnel termination notification; (4) product/services vulnerability disclosures; (5) verification of software integrity and authenticity; and (6) coordination of vendor remote access controls.”

This EO could serve as a template for future actions to more tightly regulate other critical sectors. It is not hard to imagine Trump or a future president deciding that the threats posed by the PRC or other adversaries justifies a heavier role in the regulation of supply chains and even cybersecurity.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.