The one thing my students all invariably know about China is that you can’t use Facebook there, or YouTube or Google. For at least a decade, China has maintained strict control over the internet and aggressively blocked foreign tech platforms within its borders.
So when President Trump issued two executive orders Thursday night that all but ban two Chinese social media networks — the video app TikTok and the messaging app WeChat — from operating in the United States, citing national security concerns, the decision seemed straight out of China’s own playbook.
The executive orders and Microsoft’s interest in buying TikTok’s American business echo what happened in 2017, when China’s cybersecurity law went into effect and required foreign companies to store data about Chinese customers within China. Some American companies, including Amazon, had to sell the hardware components of their cloud computing services in China to Chinese companies in order to continue operating there.
The United States government’s approach to cybersecurity is now looking more and more like China’s. If that meant only limiting access to humorous video apps then it would be merely unfortunate. But it’s a deeply misguided and unproductive way to try to secure data and computer networks — one that relies on the profoundly untrue assumption that data stored within a country’s own borders is more secure than data stored in other places.
No one knows better than the United States government that the data kept within its borders is highly vulnerable to Chinese cyberespionage. In 2015, Chinese hackers stole personal information belonging to more than 21 million people from the federal government’s Office of Personnel Management. In 2017, members of the Chinese military managed to steal records belonging to 145 million Americans from the U.S. credit bureau Equifax, according to charges filed by the Department of Justice earlier this year.
Any number of lessons could be drawn from these incidents, including the importance of vetting outside vendors and the need to carefully monitor outbound data. But deciding that information is more secure because it is collected and stored by American companies is precisely the wrong conclusion.
In January, the Department of Defense announced that military personnel would be required to remove TikTok from their government-issued smartphones. Even absent any evidence that ByteDance was sharing data with the Chinese government, that decision made sense for smartphones that were being used by military officers given the sensitive nature of their work. But for the government to expand that ban to the phones of civilians in the United States, it needs to show some clearer indication that the app poses a real risk to its users. Otherwise, this just looks like an anti-competitive decision made to disadvantage a Chinese tech firm in the name of strengthening security.
It’s not clear whether the Trump administration regards either TikTok’s or WeChat’s data, or their parent companies, as particularly pernicious or dangerous, but it has not released any evidence that these companies are distributing compromised software to their users via the apps or sharing any data about their American customers with the Chinese government.
But make no mistake: the president’s executive orders are not about cybersecurity — they are a retaliatory jab in the ongoing tensions between China and the United States. In fact, the ban’s greatest impact will probably not be on the bottom lines of TikTok and WeChat’s parent companies, but instead on promoting a fundamentally Chinese view of internet security.
For years, the American government has championed the idea of an open and global internet, in which the same online content and services are available worldwide, regardless of where users live. Tech companies could operate internationally, moving data freely between their data centers across the globe. But if the government now believes that the only safe data and computer networks are within its own borders — as the animus toward TikTok and WeChat suggests — then, like China, the United States fundamentally does not believe in a global internet. That’s a terrible mistake for a country whose tech industry depends heavily on companies that do business all over the world. It’s also a mistake from a security perspective.
To protect Americans’ data, the federal government needs to set clearer and more rigorous standards for how that data is protected and what the consequences are for failing to meet those standards. By pretending that restricting the use of TikTok and WeChat could possibly serve the same — or even a similar — purpose, the government is failing to engage with the hard questions around liability for cybersecurity breaches. Instead, it is buying into China’s belief that the only way to secure the internet is to keep international influences and services offline.