Mr. Harrell was a senior director on the National Security Council from 2021 to 2022. Mr. Wu was a special assistant to the president on the National Economic Council from 2021 to 2023.
Sign up for the Opinion Today newsletter Get expert analysis of the news and a guide to the big ideas shaping the world every weekday morning.
There’s growing momentum in Congress to ban TikTok, the social media app owned by the Chinese company ByteDance, for reasons of national security. Last week, the White House expressed support for a bipartisan bill in the Senate that would give President Biden the power to ban the app, and the White House is also reportedly pressing ByteDance to sell the company.
The security concern is not that we’ll be corrupted by goofy videos but rather that the Chinese government could use the TikTok apps installed on millions of American phones as a form of spyware — collecting sensitive data and personal information, including where we go and what we do. (On Friday, The Times reported that the Justice Department is investigating the surveillance of Americans by ByteDance.)
Congress is focused on TikTok for an obvious reason: It’s wildly popular and everyone’s heard of it. Banning it or forcing it to be sold off wouldn’t be a bad idea; the app does present serious privacy and security threats. But focusing just on TikTok would be a showy, inadequate response that would do far too little to protect Americans from the broad range of data security risks that China poses. Instead, Congress should pass a law to comprehensively protect American data and security.
TikTok accounts for just a small part of the Chinese technological surveillance threat, much of which is hiding in plain sight. China can (and probably does) buy data from the many commercial companies that effectively spy on Americans through our phones; an entire industry of little-known data brokers like Kochava and Acxiom legally collects and sells information in just this way. Moreover, despite bans on some Chinese security equipment and routers, Americans still rely on Chinese software in a wide range of tools and devices, such as the software for Chinese-made cranes in shipping ports and countless small drones Americans have bought for personal and commercial use. The Chinese government has also repeatedly hacked its way into the servers of American companies and the U.S. government. And then there are the surveillance balloons.
Given China’s history of hacking and its ability to easily purchase data on the open market, the best way to protect Americans’ data is through legislation that would reduce the collection of data in the first place and force companies to increase their cybersecurity protections — to shift the burden of protecting data from the individuals who produce it to the companies and other entities that process it. Congress should target data brokers to restrict the type and volume of data they can sell and to require them to know to whom they are selling it to avoid compromising national security.
What we’re envisioning is along the lines of the American Data Privacy and Protection Act that Congress considered last year. Beyond protecting national security, it responds to strong public demand for privacy: Americans across the political spectrum say they want better protection and less collection of their sensitive data.
But despite the support of the public, as well as the backing of both political parties, the White House and much of the business community, the act wasn’t passed. It ran into opposition from California officials who sought to protect their state’s privacy laws from federal pre-emption — even though mostexperts consider the federal law to be stronger. Alas, there was a time when states were proud to see the laws they pioneered inspire national protections. Regardless, Congress should not let state resistance stand in the way of passing a strong national law.
To better control apps and software from Chinese-owned companies, the government needs new tools, such as the ability to ban TikTok provided in the bipartisan Senate bill that the White House expressed support for last week. It is important, however, that such tools include the authority not only to ban or sanction such apps, but also to mandate security measures and transparency, and when necessary to force apps to be sold.
TikTok and other Chinese-owned companies have tried to address security concerns voluntary, offering to store American data in servers in the United States and to provide source-code transparency. TikTok, for example, has been touting a plan called Protect Texas, in which the Texas-based software company Oracle would store TikTok’s U.S. data and audit TikTok’s source code to help ensure that Beijing can’t manipulate it for propaganda purposes.
But neither current nor proposed laws offer an effective way to enforce these voluntary commitments or to impose them on companies that resist. Congress should empower the government to impose such measures and issue fines and bans for companies that fail to comply.
Opponents of an aggressive data security law will argue that the United States, as an open and democratic country, ought to refrain from limiting the access of foreign-owned companies to its markets. Others worry that such a law would encourage countries like France and India, already skeptical of U.S. tech companies, to use the American example as a reason to impose increased restrictions on American companies.
These criticisms are misplaced. Being an open and democratic country does not mean being a sucker. Accepting unequal treatment is not a badge of honor. The United States would be justified in responding to China’s limits on U.S. companies by imposing its own limits.
And when it comes to our allies in Europe, Asia and Latin America, this is what diplomacy is for. The United States should be building a coalition of nations that agree to take privacy and security seriously, guaranteeing access to one another’s markets on that basis — building on the Declaration for the Future of the Internet that the Biden administration introduced last year.
Passing a comprehensive data security law would require more work for Congress than targeting a single company. But privacy protection and the need to compete effectively with Beijing happen to be among the small number of issues with broad popular appeal and bipartisan support on Capitol Hill. Congress has a rare opportunity to serve national security and also meet public demand. It shouldn’t waste it.