The writer is international policy director at Stanford University’s Cyber Policy Center
Three years ago, Donald Trump’s proposal to ban TikTok barely got off the ground, but the tide has turned. Earlier this month, Christopher Wray, the FBI’s director, added his voice to growing US national security concerns about the video sharing app.
Intelligence suggests that the Chinese government could use its access to data held by companies there to collect information on hundreds of millions of people, including Americans. It might then use apps for operations to influence the public and control the algorithms recommending content to users. Bipartisan legislation, recently introduced, seeks to mitigate these concerns by mandating the commerce department to identify and address threats from foreign tech products.
While TikTok may dominate the headlines, the Biden administration is using a rare political consensus to reshape technology regulation more broadly — believing a more comprehensive technology policy is key to national security. Congress made historic investments in the US semiconductor industry last year via the Chips and Science Act to lessen dependence on global supply chains that China can disrupt.
In addition, the administration rolled out a new national cyber security strategy this month. Presenting it, acting national security director Kemba Walden conceded: “We have a challenge in this country. We really do not understand the impact of incidents. We just don’t know what is happening.” The strategy recognises that the over-reliance on tech companies for cyber security is blindsiding government — even eroding its ability to govern.
In trying to escape this painful state, the strategy requires large tech firms to build more secure systems and protect networks. Liability is expected to increase; future legislation will have to spell out the details.
These interventions, targeting both foreign and domestic companies, are nothing short of revolutionary in a US context. For decades, Democrats and Republicans have trusted market forces. As a former lawmaker in Europe, I experienced first-hand that “the r-word”, or regulation, was best avoided if you wanted a welcome in Washington or Silicon Valley. Data protection obligations were seen as a European thing. Blaming the EU for unjustly going after Silicon Valley was a constant refrain. That is now rapidly changing, with data protection rules and liability obligations also part of the new cyber security strategy. The US realises that its hands-off approach has failed.
As someone who has long argued that the US needs to shoulder its responsibility by making sure Big Tech operates within the bounds of the law, you would expect me to cheer this avalanche of measures. But while I back moves to curb the outsized power of technology firms large and small, the lens through which the policies are presented should avoid creating risks to civil liberties and rights online. Government power must not be abused. After 9/11, the obsession with national security led to warrantless wiretapping and mass data collection.
Future administrations may use national security as a pretext for invasive measures. And the US record is bleak when it comes to the relationship between national security interventions and human rights safeguards. There is still no comprehensive data protection law to ensure privacy; the police use facial recognition systems even if they are known to discriminate against minorities. We cannot repeat the mistakes of the 2000s and pursue mass online surveillance programmes, this time under the guise of cyber security.
The US government is right to regulate technology companies. But the proposed measures, devised through the prism of national security policy, must also pass the democracy test. Rigorous safeguards against the abuse of power by government are needed as well.