Privacy advocates have been calling for the United States to adopt strong consumer privacy protection laws along the lines of the EU’s GDPR for a long time now, but the proposed Restricting the Emergence of Security Threats that Risk Information and Communications Technology (RESTRICT) Act isn’t the answer we’re looking for.
Terrible acronym aside, the RESTRICT Act claims to…
empower the United States government to prevent certain foreign governments from exploiting technology services operating in the United States in a way that poses risks to Americans’ sensitive data and our national security.whitehouse.gov
In reality, this act would grant the government broad powers to restrict access to any site or service they claim could pose a threat to national security, akin to China’s “great firewall.”
Currently, if you go on the internet and try and find out what the RESTRICT Act actually does, you’ll find a lot of confusing and conflicting information. This is by design, not from a lack of analysis. Simply put, the RESTRICT Act has been interpreted in so many different ways because the wording is so broad that it can be interpreted in so many different ways. This is obviously a problematic form of government overreach.
So what does it actually do? Well, nothing! For now anyway: Like many bills lately, this bill has no immediate effects, but it does grant the White House power to create rules and regulations which will have the power of law. Section 8 grants the Secretary of Commerce the power to “establish such rules, regulations, and procedures as the Secretary considers appropriate.” These rules can include almost anything as long as they are targeting an entity covered by the bill.
To give it a little credit, the specific activities this bill targets are relatively narrow. Section 2 of the bill mainly defines the affected entities in terms of corporate ownership and funding in relation to specific “foreign adversaries.” It would be difficult for a company to violate this bill without actually being a front for a foreign government. However, once a targeted company is identified, the powers the White House then gains to prevent their operation and access within the United States are wildly expansive.
How might this affect VPN providers?
This is the question on a lot of people’s mind, and the answer is of course a bit complicated.
Right now, this bill is mainly focused on TikTok, despite them not being mentioned specifically within the bill text, so let’s focus on them. If the White House determines that TikTok is covered by this act, they could implement “mitigation measures” including ordering Internet Service Providers to block access to TikTok entirely. At this point, the Act grants very broad power to block circumvention of those mitigation measures as well. Now, any service “which is designed or intended to evade or circumvent the application of this Act” falls under the scope of this regulation.
No person may cause or aid, abet, counsel, command, induce, procure, permit, or approve the doing of any act prohibited by, or the omission of any act required by any regulation, order, direction, mitigation measure, prohibition, or other authorization or directive issued under, this Act. (Section 11(a)(2))
A reading of this could certainly include VPN providers. Even if the White House does not declare VPN companies to be directly violating this act, they could certainly deem their services to be aiding and abetting violators, and the end result is the same: Regulations which ban the operation of VPNs entirely.
Even more worryingly—especially for myself at Privacy Guides—a stricter reading of the quoted section above could make it illegal to even share advice (i.e. “counsel”) on how to run a VPN or sideload TikTok! And all of these violations can be punished with criminal charges including up to 20 years in jail or up to $1,000,000 in fines.
So what do we actually know?
- Does this bill ban VPNs? No.
- Does this bill give the White House executive power to ban VPNs? Yes!
Ultimately, the provisions in this bill are so broad that it is inconceivable that they will not be eventually abused by the White House, it would only be a matter of time. Any law like this which gives the government broad authority to ban all sorts of tools if they are even tangentially related to a foreign country they deem a threat is simply unacceptable in a purportedly free country, and we need to make sure it does not pass.
Is this good privacy regulation?
Absolutely not. Fundamentally, the RESTRICT Act does nothing to address the actual privacy concerns of American citizens, it only ensures that the digital data of Americans is exploited exclusively by America-friendly companies. If Congress was legitimately concerned about data collection in America, they could implement strong consumer protections that enhance individuals’ control and rights over their personal data on every platform instead of playing whac-a-mole with every foreign technology entity.
You may still be thinking that this bill would only really impact large, foreign entities like China/TikTok, but we’ve seen time and time again how bills like this that are sold as attacks on huge, nebulous entities like “terrorists” and “foreign state adversaries” wind up mainly used to attack the little guy with minor infractions.
Just like with the post-9/11 Patriot Act, the government is trying to whip people up into a panic to pass a bill under false pretexts that only serves to expand their police powers over us. Call your legislators and demand that they vote against the RESTRICT Act, don’t let them take away even more freedoms.