Understanding How the U.S. TikTok Ban Would Be Implemented

A new law categorizes the distribution, maintenance, and updating of certain applications, including their source code, as “unlawful.” The law aims to restrict entities from enabling the continued operation of applications like TikTok within the United States. Specific provisions bar app stores accessible from within the country from distributing or updating these applications, and prevent internet hosting services from providing the infrastructure needed to support them.

According to Milton Mueller, a professor at the Georgia Institute of Technology and cofounder of the Internet Governance Project, the legislation does not explicitly render it unlawful for individual users to retain the app on their devices. Rather, it strategically focuses on cutting off new downloads from major platforms like Apple’s App Store and Google’s Play Store, as well as updates for existing users through these channels. Notably, the law makes no mention of a requirement for TikTok to actively block U.S. users, which adds an interesting dynamic to the ongoing discourse about app regulation.

Should TikTok be removed from these app stores, maintaining its functionality would become significantly harder. Without direct access to updates that optimize performance, address bugs, or patch security vulnerabilities, TikTok’s operational efficacy would likely deteriorate over time. Major technology companies like Apple and Google have remained silent on how they would enforce this law, leaving business owners and users alike uncertain about what the future holds.

The legal framework also casts a wide net regarding “hosting” services. Defined broadly, this could encompass various types of hosting, including file storage, cloud services, and virtual private servers. Since 2022, amid scrutiny of its Chinese ownership, TikTok has housed user data within Oracle’s cloud infrastructure. However, the impact of this law extends to other critical components of TikTok’s ecosystem, like content delivery networks and advertising services. The ambiguous language surrounding these services potentially places them into a gray area where they must assess their role in either maintaining or distributing TikTok’s operational capacity.

Recent evaluations of TikTok’s website revealed a substantial use of embedded domains from third-party providers, underscoring its dependence on external services for functionality. As certain services may cease to operate due to legal uncertainties or risks posed by the law’s vague language, TikTok could face severe performance issues, leading to a degraded user experience over time.

One curious aspect of the legislation is its omission of internet service providers (ISPs) from its enforcement scope. Unlike censorship mechanisms seen in countries such as Russia and China, which utilize ISP blocking to restrict access to entire websites, the current U.S. law appears to steer clear of implementing such a system, likely to avoid infringing upon First Amendment rights. Mueller suggests this decision reflects a conscious effort to maintain an open internet free from the stringent controls characteristic of other nations.

Although it is anticipated that TikTok’s service in the United States would diminish over time under these restrictions, there are potential workarounds that users and possibly the company could explore. The effectiveness of these alternatives is still in question and hinges heavily on user inclination to continue utilizing TikTok amidst the legal landscape and the strategic decisions made by the company itself.

With TikTok boasting a user base of around 170 million in the U.S., compliance with the law doesn’t necessarily equate to total user disengagement. Experts agree that while the goal of the legislation is to complicate access to TikTok, it is implausible that it will eliminate user access entirely. Such complexities highlight the interplay between regulation and user behavior in the evolving landscape of cybersecurity and data governance, prompting business owners to remain vigilant about their digital engagements and the implications of regulatory measures on their operational toolbox.

In examining the potential impact of this legislative action, one can consider relevant adversary tactics from the MITRE ATT&CK framework. Techniques associated with initial access, such as exploitation of vulnerabilities in application services, along with potential persistence challenges, could become significant concerns under these constraints, as stakeholders navigate a security landscape shaped by emerging regulatory environments.
