The Federal Acquisition Regulation Council earlier this month issued something the procurement community had been expecting. An interim rule that bans the TikTok app from certain contractor devices. Joining the Federal Drive with Tom Temin to explain the implications, Haynes and Boone partner Zach Prince.
Tom Temin So this rule is interim, which means it’s in effect, but not final. What does it do exactly?
Zach Prince So that’s right. So the rule is implementing a requirement that was mandated by Congress and then with some implementing guidance from OMB back in February. It bans any application put out by Bytedance Ltd, which is the company that owns TikTok or any affiliate from being present on any IT-owned or managed by the government or any IT user provided by a contractor under a contract.
Tom Temin Right. So that leads to some fuzziness because are people that religious, let’s say, about keeping one device for personal and one device for business because millions of people are affected here. Correct.
Zach Prince That’s right. So I’ve been getting questions from clients with just that issue. Do we now need to say anybody who’s using our email system on their phone, for example, can’t have TikTok? And we need to impose real restrictions to ensure that is the case. The rules are not totally clear on what contractor employees are going to be covered. So if you’re doing back office support, doing HR, accounting, etc. that, incidentally is covering a government contracts. Are you one of those covered employees? A lot of open questions.
Tom Temin And a lot of companies just as even in some cases agencies have a so-called BYOD, bring your own device policy. Well, how many “Ds” are people supposed to “B” of their own? Because no one has an unlimited budget for devices.
Zach Prince That’s right. So it’s always made me a little wary to have my employer have access and total control of my phone. And I think a lot of employees likely think the same. It would be better if you just used your company technology and then you can keep your personal and work life separate. But the reality is these days it’s hard to do that in general.
Tom Temin All right. So this rule then, what does it impose with respect to bids, solicitations, the communications that go back and forth between the government and contractors?
Zach Prince So this rule is essentially the same impact as the telecommunications ban or the Huawei ban. It’s a new clause. It requires you to be representing that you’re in compliance with it. Failing to comply with it is likely a material breach of your contract. So companies have to be doing some due diligence and should have been doing it already for a while to be sure that they’re really implementing this and I think they ought to be going further anyway. There have been concerns about TikTok for years from the cybersecurity community. It is a good policy, I think, to prohibit TikTok anyway on company devices or anything that can touch your networks.
Tom Temin You know, notwithstanding the question of why anyone would spend more than 4 minutes looking at TikTok in the first place, I’m showing my age, I guess, but it seems like a river of ridiculousness. But notwithstanding that, what do we really know about the security implications? I mean, the hearings that took place a couple of months back in the Senate were sensational, but didn’t really shed a lot of light on the relationship between TikTok, who has a president from Singapore, I think. I mean, it’s an international operation, so it’s kind of hard to gauge what’s really going on, isn’t it?
Zach Prince It is. And I’ve spoken with friends who I trust in the cybersecurity space who tell me they actually do have a lot of faith in TikTok U.S. as being really separated from the broader TikTok and being able to maintain data security. But the reality is commercial companies in China are treated as an arm of the state and any data that they have available to them as a company is going to be given to the Chinese government. So the firewalling might look good on paper, it might even be real. But the concerns are significant enough that that firewall can be breached. I think it poses a real security risk.
Tom Temin We know China has police stations, at least we found one in the United States. And now they got that listening post in Cuba, which is practically Florida. But there’s another analogy here. Companies from nations with which the United States government can buy from Canada, Great Britain, France and so forth. Even those companies are required to establish air gapped boards of directors and operations in the United States. And that’s how they’re able to sell here to the government. Nothing like that, really, for TikTok, it’s not firewalled in that manner. And even if it was, could you trust it because it is China after all.
Zach Prince Yeah. And that the U.S. entity requirement is really if you’re doing work in the classified space to mitigate any foreign ownership or control issues. But there was talk last year of trying to get TikTok to sell off its U.S. entity and really be entirely separate. There is, for obvious reasons, I think, strong resistance to doing that from TikTok. But the response when they refused was to start implementing a ban, at least on anything touching government contracts.
Tom Temin And you bring up a good point with respect to people operating in the classified space or in the high security space, the national security space, intelligence, there’s already probably a lot of restrictions on what people can do on government devices and what contractors can do. A priori of the new rule on TikTok. Fair to say?
Zach Prince It’s certainly fair to say. The problem is that there’s always a gap between the rules and then what your people do, and that’s why we see security breaches. The human factor is always the weakest in any of these cases. We’ve got fairly, should be fairly sophisticated members of the military releasing intelligence information out on social media. And we certainly have that in the contractor space. So it’s really difficult to get your people to be falling in line with the requirements.
Tom Temin And TikTok probably shares with most social media and most I mean, for that matter, shopping platforms. So many platforms do track your whereabouts and use location based information to feed you stuff. And plus their algorithms have this ecosystem of connection to advertisers. And so when you think about it, almost every social media app probably has the potential to give up secrets just because of the plumbing that is so complex. For the purposes of data gathering and ad serving.
Zach Prince They definitely do. You have to hope that it’s mostly anonymized, but the algorithms are very sophisticated and are absolutely aggregating a ton of data. You could be talking in a room about your interest in an item and suddenly your social media stream has all these links to that item.
Tom Temin So getting back to the TikTok ban, then, what are the practical implications? What are you advising contractors to do now?
Zach Prince So I’m telling clients that while I think that you could fairly interpret this rule as applying only to direct employees that are clearly servicing a government contract, it is prudent to impose a broader ban, including on a phone that’s part of a BYOD policy. It’s an employee’s phone that they’re using to access company tech. Any time you’ve got an employee that has their technology or any technology touching your systems, it is just safe to have a TikTok ban.