Jim Banks, the Republican Party’s Indiana representative, is pushing forward a piece of legislation that would see consumers being slapped with warning labels before downloading apps that originate from countries considered to be U.S. national security risks.
If passed, the bill would mandate that app developers and app stores go to new lengths in their warning labels to lay out which companies own the app, as well as to which country’s laws the app is subject.
According to Banks, the waning labels are proposed to read:
‘Warning: [Name of Covered Foreign Software] is developed by [Name of Developer of Covered Foreign Software], which [is controlled by a company that] [is organized under the laws of]/[conducts its principal operations in]/[is organized under the laws of and conducts its principal operations in] [Name of Covered Country]. Please acknowledge by selecting the “accept” or “decline” button below if you wish to proceed.
The move comes as suspicion mounts concerning where the personal data of app users ultimately ends up being processed—prompting questions around who has access to the information behind some of the world’s most popular mobile apps.
TikTok and FaceApp in the crosshairs
On the grounds of national security, the issuance of such warning labels would stand to affect some of the most popular apps among U.S. consumers. Most notably, it would affect the short-form video platform TikTok—which has over 80 million downloads in the U.S. alone—due to the fact that it belongs to the Beijing-based ByteDance.
Another popular app to be affected by the warning labels would be FaceApp, an app which uses AI to transform human faces in photographs to make them appear younger, older, smiling, or of another gender. FaceApp is owned by Wireless Lab, a Russian tech company.
“Parents and consumers have a right to a warning that by downloading some apps like Russia’s FaceApp or China’s TikTok, their data may be used against the United States by an adversarial or enemy regime,” Rep. Banks said in a statement, referring to both TikTok and FaceApp directly.
“Some phone apps are fun and useful, others are counterintelligence threats. Americans should know which is which before they hit the download button.”
Stoking national security fears
Banks’s proposal to make use of warning labels comes after increasing state and public suspicion grows around the use of data by certain apps, most notably TikTok.
The Chinese-linked app is known to collect masses of personal information from U.S. consumers that is, in turn, processed on servers hosted in China. The fear among some American policymakers is that China’s authorities may be able to gain unfettered access to the information, thereby potentially posing a national security risk to the U.S.
“One data sleuth discovered TikTok stored user data within China as recently as late 2018,” Banks wrote in a column in November last year. “Here why that’s frightening – data localization laws grant the Chinese government unrestrained access to data stored in its territory.”
It was this fear exactly that prompted the U.S. Army to block its soldiers from using the video platform back in January, citing a potential national security threat posed by China having access to military-related information. This followed less than a month after the Pentagon made a similar decision to ban TikTok on government-owned devices late last year.
Aside from issuing warning labels, Banks’s proposed new bill would inflict some of the strongest measures to mitigate the perceived national security threat posed by apps like TikTok to date. For example, app developers and software marketplace operators who do not enforce the new warning labels could be slapped with fines of up to and including $50,000.
Furthermore, the bill also leaves the door open for criminal punishment, including prison time, to be inflicted on anyone who contravenes the law in a flagrant and extreme manner.
The trouble with warning labels
According to research by VPNpro.com, many developers tend to hide the true location of their apps, making the process of issuing warning labels, in theory, a difficult one. Much of the time, according to the research, the true location of the app servers rest in China.
According to Jan Youngren, a cybersecurity and consumer protection specialist at VPNpro.com, Banks’s proposed legislation spells out the fact that many companies already provide “unfettered access” of their data to the Chinese government—going so far as to include keys for encrypted data.
“For that reason, it’s usually a national security risk to house large amounts of American citizens’ data in countries such as China and Russia that are historically unfriendly to the U.S.,” Youngren explains.
Youngren also points out that, because many app developers tend to hide the location of their servers, app stores are unable to effectively monitor the potential origin of app servers—and by extension the national security threat they may pose.
“This specific law, if passed, might be hard to enact for Google, however, as the Play store likely has hundreds of thousands of apps that conceal their true locations, or mislead users about where they truly are located,” he says.
This predicament is laid out in recent research by VPNpro.com. By analysing a network of apps under the control of a single company based in Shenzhen the researchers were able to show that many apps had listed their locations as being in California, rather than in China.
According to Youngren, this clearly suggests that app stores ought to be clearer in defining whether a company’s servers or whether its headquarters constitute the “true location” of the company. “Google Play will have to find a way to define and determine the true location of an app developer or its controlling company,” he asserts, pointing out that there are many Russian or Chinese app developers that house their data in US servers.
“There are also many international companies that have branches in the US, but that are ultimately Chinese or Russian,” Youngren continues. “The same holds true for other countries deemed ‘national security risks’.”
“Whatever the outcome, users would benefit greatly from having app developers’ true locations shown by default.”