Last month, legislation was proposed in the United States that could affect the software ecosystem.
Sponsored by Sens. Mark Warner (D-Va.) and John Thune (R-S.D.), the RESTRICT Act is a bipartisan piece of legislation with the goal of “Restricting the Emergence of Security Threats that Risk Information and Communications Technology,” thus the name.
The general public may be familiar with it as the act aiming to ban TikTok, but it’s broader in scope than that.
According to Min Hwan Ahn, lawyer and founder of EZ485, the law would give the U.S. Commerce secretary the ability to “review transactions involving information and communications technologies products or services (ICTS) connected to foreign adversaries.” The bill in its current state labels six countries as foreign adversaries: China, Cuba, Iran, North Korea, Russia, and Venezuela.
“Today, the threat that everyone is talking about is TikTok, and how it could enable surveillance by the Chinese Communist Party, or facilitate the spread of malign influence campaigns in the U.S.,” Warner said in a statement. “Before TikTok, however, it was Huawei and ZTE [that] threatened our nation’s telecommunications networks. And before that, it was Russia’s Kaspersky Lab, which threatened the security of government and corporate devices,” Warner said. “We need a comprehensive, risk-based approach that proactively tackles sources of potentially dangerous technology before they gain a foothold in America, so we aren’t playing Whac-A-Mole and scrambling to catch up once they’re already ubiquitous.”
According to Warner, in a document announcing the act, individual agencies have tried to step in to address those threats over the years, but efforts were disjointed and under-suited to the complexity and interconnectedness of the global technology supply chain. Therefore, he set out to create a new approach with this RESTRICT Act.
The bill obtained bipartisan support in Congress, but within the tech industry there is a lot of debate on whether or not this would be a good thing.
“Some argue that it is necessary to protect national security interests and prevent adversaries from exploiting vulnerabilities in our digital infrastructure,” said Ahn. “They believe that increased oversight is crucial for safeguarding sensitive data and maintaining the integrity of our democratic processes. On the other hand, critics argue that the Act may have unintended consequences, such as stifling innovation and hindering collaboration between developers across borders.”
According to Ahn, another concern technologists have expressed is whether the act would violate First Amendment rights if entire services are being blocked. There are also other concerns around transparency and oversight for those enforcing the law.
Andrew Pickett, lead trial attorney at Andrew Pickett Law, opposes the bill, stating that it's just too broad in scope. “Before taking such drastic measures, the government should provide specific evidence showing a real problem and a narrowly tailored solution. It’s important to remember that the internet is a global network that enables people to exchange ideas and access information freely,” he said.
He also said he is concerned that the law provides criminal penalties of up to 20 years in prison for those trying to evade the ban. Though not explicitly mentioned in the bill, many have taken this to mean that using a VPN might land you in trouble.
A spokesperson for Warner has said: “The bill is squarely aimed at companies like Kaspersky, Huawei and TikTok that create systemic risks to the United States’ national security, not individual users.”
Will LaSala, field CTO of security company OneSpan, believes the ability of TikTok to “collect any and all data from a device is dangerous,” but that this law banning it is just a Band-Aid and not a real solution.
According to LaSala, app developers have the ability to better protect user data, but may not have implemented the technology to do so, which opens up the possibility of data leakage and bad actors misusing user data.
Instead of a ban, app developers should be making use of the security tools that are available, security vendors should make sure their tools aren’t causing negative user experiences, and operating systems manufacturers should implement controls that mitigate risks.
“Users should be able to quickly see what data is being collected, when it is being collected and for what purpose, and should be able to shut off the stream of a specific type of data in real time at any time,” said LaSala.
Ahn believes that it will be important for lawmakers to strike the right balance to ensure the law meets its objectives without causing unnecessary harm. Doing so might require refining some of the provisions of the bill, increasing transparency of enforcement mechanisms, and including safeguards for protecting individual rights and promoting innovation.
“As an experienced lawyer who has dealt with numerous technology-related cases, I understand both sides of this debate. While it’s essential to take measures to protect national security interests, it’s also important not to hinder technological progress or infringe upon individual rights,” said Ahn.
There has already been a congressional hearing with the CEO of TikTok, but as of this writing there has been no indication about when, or if, the RESTRICT Act will be brought to a vote.