October 3, 2023

Podcast - Navigating the TikTok Ban: Implications for Government Contractors

Regulatory Phishing Podcast Series
In this episode of "Regulatory Phishing," government contracts and cybersecurity attorney Eric Crusius is joined by Jeremy Burkhart, an associate in Holland & Knight's Government Contracts Group. Mr. Crusius and Mr. Burkhart discuss the interim rule issued by the Federal Acquisition Regulatory (FAR) Council implementing the statutory ban on the use of ByteDance's TikTok app on federal information technology systems and contracts. They explore the ambiguities in the rule's language and different approaches contractors may take to ensure compliance.

Eric Crusius: Welcome back to the next episode of Regulatory Phishing. With me today is Jeremy Burkhart, an attorney in our Government Contracts Group. Hey Jeremy.

Jeremy Burkhart: Hey Eric, it's a pleasure to be here. Thanks for having me on.

Eric Crusius: So we're going to talk today about the TikTok ban. Jeremy is a co-author of two blog posts about the government contracting TikTok ban. I had the pleasure of watching a presentation he did just a short while ago on the ban that I thought was very comprehensive, and I thought it'd be great to have him on the podcast to talk about it. Before we get into the nuances of the TikTok ban, I thought it would be really good to provide a background on how we got here. As some of our listeners may know, in the 2018 National Defense Authorization Act (NDAA), Congress passed a partial ban on software and services from Kaspersky Labs, a Russian-based company, or at least a company that had Russian ties to it. It didn't necessarily have ties to the Russian government, but there were certain laws Congress was arguing within Russia that would allow the Russian government to access information collected by Kaspersky. That was the stated basis of the partial ban, which prohibited the provision of Kaspersky to the government or the use of Kaspersky on deliverables that were eventually provided to the government. That had a long-lasting impact on Kaspersky, where their antivirus software was fairly popular within the United States before that time. The popularity has waned a lot since then because of the government intervention and the stated purpose of the ban, which was because there were concerns about the security of the software vis-à-vis the Russian government. Kaspersky did challenge that ban in court, and that challenge and the appeal failed. Seeing that success, Congress followed up the next year with the 2019 National Defense Authorization Act, with the Chinese tech ban led by Huawei, covering four other companies along the way, including ZTE, Hikvision, among others. Again, this ban is not a full-on ban of everything these companies do, but connected with telecommunications services and products.
The stated purpose of this ban was because of their ties to the Chinese government, particularly the Chinese military. The government saw this as a threat, so it implemented this ban through the statute, which eventually made its way to the Federal Acquisition Regulation (FAR), much like the Kaspersky ban. If you're interested in learning more about the Chinese tech ban, you could look at FAR 52.204-24, 52.204-25 and 52.204-26. The 52.204-25 clause is the ban itself, where the 52.204-24 and 52.204-26 clauses are the certification clauses. That has been around now for a few years. We’re operating under a final interim rule, and we expect a final rule to come out sometime in the future. It's been kind of pending for a while now. Congress kind of got tired of these one-off bans in the National Defense Authorization Act, so they created the Federal Acquisition Security Council a year later, at the end of 2020. Their job is to kind of look at sources and products and services for relative security. If there is a lack of security or ties to a government that is seen as a frenemy, so to speak, then to consider banning them. There's a whole process within that council that does that. There's a final interim rule in place with respect to the Federal Acquisition Security Council, and we're awaiting a final rule, and that should come out pretty soon. I expect we'll have a podcast episode on that when that happens. But you didn't come to hear a history of Congress or history of nation-state bans, but I thought it was good background. We're here about the latest version of this, which is the TikTok ban, which is what it's called, but it's an application from ByteDance. And ByteDance is the Chinese-based company that has created and has put TikTok into the app stores for various cell phones. So with that introduction, Jeremy, again, welcome. How are you?

Jeremy Burkhart: Doing well, Eric, and I actually did come here to hear a history of nation-state bans.

Eric Crusius: Well, grab a cup of coffee and have a seat. Here we go now. I appreciate that. I really am fascinated by this. First of all, I think it's the first time we've seen a ban in government contracting on a particular app. In fact, I could feel fairly confident saying that because I don't know if we have any FAR clauses that deal with apps. It's kind of just the latest in this push and pull between the United States and Chinese governments. We had word that the Chinese government was banning iPhones for certain uses in China. I would not be surprised if that was a reaction to this TikTok ban. I'm fascinated by that aspect, and I'm fascinated by the push and pull of the language within the FAR clause itself. It doesn't seem to be written as clearly as it could be. I think that's caused confusion in the marketplace also. Kind of a fascinating look at the geopolitical place we are right now that has been really forced into the FAR. So, Jeremy, I wonder if you kind of give an overview of what this TikTok ban is.

Jeremy Burkhart: This whole thing kind of got started because there was this concern about TikTok and how it was being used. Of course, TikTok is owned by ByteDance, and, as you said, ByteDance is a Chinese corporation. There's basically two major concerns that politicians had with it. Number one, is the concern that it's being used for propaganda and very selective censoring. It's been confirmed that TikTok will censor stuff related to Tibet or Tiananmen Square or anything that really could make it look bad, like Chinese human rights abuses. Politicians are also very concerned about basically the Chinese government weaponizing TikTok in order to do spying or influencing operations. That kind of came about fairly recently. I think a large part of it was due to ByteDance actually confirming recently that it had used the app to monitor the physical location of a few U.S. journalists. These journalists worked for Forbes, previously worked for BuzzFeed, but they were reporting on the close links between the Chinese government and TikTok and asserting that the Chinese government was controlling TikTok. Part of the reason that their stories were profound was because they actually had internal dialogue audio recordings from meetings of TikTok and ByteDance. They were given those by a TikTok employee like a whistleblower. So ByteDance did this internal investigation to try to identify the source of the leak. In order to do that, they used the app to detect the physical location of these journalists to try to figure out if they were ever near TikTok or ByteDance employees. That investigation wasn't something done just by a few rogue employees at ByteDance. It was actually sanctioned by the highest levels of the company, including the legal compliance officers. So there are some very real concerns that the Chinese government could use the app to basically spy on American users.

Eric Crusius: Very interesting, and it leads to this FAR clause here, which has been the source of consternation for many.

Jeremy Burkhart: So the FAR clause comes from late 2022. Congress passed the No TikTok on Government Devices Act. It was part of the 2023 NDAA, and that basically said that you couldn't have a ByteDance app or anything owned by ByteDance. In this case, TikTok is generally the app that's being talked about, but you couldn't have that app on any information technology (IT). The definition of information technology was pulled from a statute, 40 U.S.C. 11101, subparagraph six, and that meant any equipment used by an executive agency directly or used by a contractor under a contract with the agency that either required the use of that equipment or required the use of that equipment to a significant extent in the performance of a service or furnishing of a product. So Congress passed this law that you couldn't have TikTok on any federal information technology. The law was unanimously passed. In the Senate, there was no opposition to it, it was literally unanimous. The law said that the Office of Management and Budget (OMB) had 60 days to issue a rule that affected that statute. In February, the OMB came out with a memo directing all agencies to identify the use or presence of TikTok on federal IT, remove and disallow installations of it and prohibit Internet traffic from federal IT to TikTok. Again, it didn't specifically use the term TikTok, but it defined a covered application as TikTok or anything owned by ByteDance.

Eric Crusius: It's kind of amazing that it happened this quickly, too. I mean, we just had the statute late last year, and we are already operating under our FAR clause essentially. Is this a final interim rule or proposed rule or final rule? Which status is it at right now?

Jeremy Burkhart: The OMB memo came out on February 27, 2023, and then the FAR Council issued an interim rule on June 2, 2023, and so that FAR clause was FAR 52.204-27, Prohibition on a ByteDance Covered Application. So it's an interim rule. They took comments on it. The comment period ended on August 1, 2023, so we'll see what the final rule looks like because there's definitely some ambiguities and some language in the FAR clause that could be clarified.

Eric Crusius: Have you had any clients or have heard of folks seeing this rule pop up in existing contracts or new contracts yet?

Jeremy Burkhart: Yeah. In fact, this clause is sweeping. It's in every single federal contract that there is. The language doesn't have any limitation on if this should only be in contracts above the simplified acquisition threshold. Even in contracts that are below the micro purchase threshold, the government purchase clause, those conceivably based on the language the clause would include FAR 52.204-27. Then you have other agencies like the General Services Administration (GSA), right? They handle all the federal leases. Normally FAR clauses don't apply to GSA leases. The only FAR clauses that apply to GSA leases are those that GSA itself decides to apply. In this case, GSA actually published a lease alert saying this FAR clause now applies to all federal leases. So, yeah, this clause is everywhere.

Eric Crusius: So it has broad application. One thing I know we've talked about internally is the difference between how broad it should be interpreted or how broad Congress wants it interpreted versus how broad the clause is interpreted or could be interpreted. I was wondering if you could walk through the dichotomy there as far as where the government probably wants folks to do versus what the clause allows for folks to do.

Jeremy Burkhart: Unfortunately some of it's ambiguous, and it's ambiguous as it relates to contractors. There's no dispute that information technology is going to cover any equipment that's used or owned by a federal agency. For example, computers, phones and fax machines. Any type of IT that federal agency uses or owns is covered by this clause. So agencies have already taken steps to make sure that none of their IT can access TikTok, whether it's the app or the website. The reach of information technology also includes contractors' equipment. So even if it's not equipment that's owned or used by agency personnel, the definition of information technology, again, going back as it's defined in 40 U.S.C. 11101, and that same definition is now in the FAR clause itself. Just looking at 52.204-27, it defines information technology to include equipment used by a contractor under a contract with the executive agency that either requires the use of that equipment or requires the use of that equipment to a significant extent in the performance of a service or the furnishing of a product. The definition of information technology is only supposed to be items that the contractor has that are either specifically required by the contract, like it's explicitly stated in the contract, or implicitly it’s required to a significant extent in order to perform the service or furnish the product. So the definition is kind of supposed to be limited based off what Congress said in the No TikTok on Government Devices Act and then as affected by the OMB memo. When the FAR Council issued the FAR clause, it unfortunately added some language that is kind of strange. I think it’s language that’s going to lead to potential misinterpretations by some contracting officers. First time in the FAR clause, there’s a reference to equipment that’s provided by the contractor's employees. 
That really doesn't make a whole lot of sense because you never have a contract with the federal government where the federal government is saying, "hey, contractor, you're required to have your employees bring equipment," if there’s going to be equipment that’s required to perform the contract. Yeah, the contractor might need to have certain equipment, but there’s no reason that the contractor's employees would need to have that equipment. So that language was added to the prohibition in the FAR clause. The specific sentence says, "The contractor is prohibited from having or using a covered application on any information technology owned or managed by the government, on any information technology used or provided by the contractor under this contract, including equipment provided by the contractor's employees." It's essentially surplusage because if it just said that you can't have a covered application on any information technology, that's all it said. Just like that's all that was said in the OMB memo and in the No TikTok on Government Devices Act. This reference to equipment provided by the contractor employees has caused a lot of clients to question exactly what they need to do to comply with this clause.

Eric Crusius: What are some examples of different ways that this could be interpreted kind of more specifically as far as bring your own devices, things like that?

Jeremy Burkhart: The FAR Council only has the power to regulate what Congress has said, right? So if you go back to the No TikTok on Government Devices Act, all that the federal government should be able to do here is police TikTok that's on information technology, which is either equipment expressly required by the contract or required to a significant extent in performing the contract. But because there has been this reference to equipment provided by the contractor's employees, then it gets into this question of, is the government going to be enforcing this by saying that if employees have a cell phone and it's like a bring your own device program where they're accessing email on their cell phone, are they now subject to this TikTok prohibition because they're using their personal equipment to help them perform a contract? When you look at the Federal Register notice, when the interim rule was announced, the FAR Council published it, and as part of that process, there's a Federal Register notice that comes along with the FAR clause saying, hey we're putting this out. So there's a discussion and analysis section in there. Again, there's some troubling language in there where they say this prohibition applies to devices regardless of whether the device is owned by the government, the contractor or the contractor employees. Then it gives an example that says each employee-owned devices that are used as part of an employer bring your own device program. It goes on to say that a personal use cell phone that is not used in the performance of the contract is not subject to the prohibition. The way that you frame that, a personal cell phone not used in the performance of a contract is not subject to the prohibition. Well, what's the converse of that? A personal cell phone that is used in the performance of a contract is subject to the prohibition? So that language is confusing, right? 
Because, number one, personal devices are never going to be required to perform the contract. It's never going to be in the contract that a contractor has to have their employees bring their own devices. It's really never going to be implicitly required, either, because the contractor could perform without using employee equipment. The contractor could issue their employees their own equipment. So it really doesn't make any sense that there would be all these references to personally owned devices. It's giving an example of a personal cell phone that would not be covered, but is saying it's not used in performance of the contract. If a personal device is used to any extent, is that now going to be covered by this ban? It's very unclear. There's basically two ways to interpret this. Number one, you go strictly with the definition of information technology and basically the power that Congress gave the FAR Council to regulate it. It really wouldn't involve employee devices unless there was a reference to employee devices in the contract. You wouldn't need to worry about employee devices having access to TikTok. The second way to look at this is a more conservative approach. Basically, you're saying there's two concerns that we have. Number one, that is the concern that the government wants to regulate TikTok broadly and they don't really care about the power that Congress gave. I think that's a legitimate concern. I mean, you have to look at the background of all this. Congress and the Biden Administration have actually tried to ban TikTok for everybody, not just for contractors, but for all Americans. There was this bipartisan proposal called The RESTRICT Act that would essentially allow the Biden Administration to ban TikTok. That was proposed in the early part of 2023. They called the ByteDance CEO to a subcommittee to testify. The Biden Administration came out and said that they supported this act.
It was actually expected that there was going to be a broad ban on TikTok nationwide. However, the effort stalled because the language in The RESTRICT Act doesn't even mention ByteDance or TikTok by name. It's extremely broad, and that brought along concerns that essentially the government could use it to criminalize any type of information technology or apps or Internet activity that it just didn't agree with. I say all that just to kind of give the listener the background here, that because the Biden Administration hasn't been able to regulate TikTok as broadly as it would like to, the language of this FAR clause might be an attempt to sort of basically acquire some of that power through FAR rather than through legislation as it had hoped. That's one concern. Then the other concern is just because you have all this extra language in the FAR clause that doesn't need to be there, like these references to employees' personal devices is the language in the Federal Register notice. That's all stuff that is either conflicting with the definition of information technology or it's just unnecessary surplusage. But because it's there, individual contracting officers that are attempting to enforce this clause may innocently believe that all this equipment is supposed to be regulated, in which case they will assert that any personal devices of employees that are being used on the federal contract can't have access to TikTok. Those are the two ways to basically approach compliance with the clause. Number one, going in with a strict interpretation of what the FAR Council actually has the power to regulate, or, number two, going with a risk averse approach where you just want to make sure that you're never going to run afoul of anything the government does, even if it's mistaken in their enforcement approach.

Eric Crusius: It's very well said, Jeremy. We're not giving out advice here in this podcast, but I imagine the direction of the advice that you would give or I would give is it would just be dependent on the contractor or their risk proposition for this aversion to risk and other geopolitical things that they're facing at the time. Do you think that's right?

Jeremy Burkhart: Yeah, absolutely. It is a completely situational-dependent issue. For companies that are very large or companies that have a workforce where it involves a lot of younger employees, people who actually care about using TikTok on their personal device, those companies definitely would probably resist applying this clause broadly to all of their personal devices that are being used in contract performance. On the other hand, a smaller contractor, one that has employees who don't care about using TikTok, it really doesn't harm them at all to just issue a broad policy in order to protect themselves from the possibility of any issues. There's other considerations too, like a company's ability to handle risk. It kind of comes down to, can a contractor afford to deal with government regulation in this manner. If the government thinks that a company is violating this clause, there'll be an investigation. There could be potential administrative sanctions, maybe a poor performance evaluation, potentially a termination due to a breach of contract, suspension and debarment, a government claim against the contractor if there's alleged damages for violation of this clause. At the far end, if the government believes the contractor basically intentionally or recklessly disregarded this clause, there could be a False Claims Act (FCA). If the contractor basically complied with this clause according to the strict definition of information technology, then at the end of the day, they will prevail on whatever investigation or administrative sanction they're facing because there's always the path to litigation to remedy that government overreach. But it goes back to Ben Franklin saying, "An ounce of prevention is worth a pound of cure." So does the client want to have to spend the time and money to get to that place to vindicate themselves, or do they just want to make sure that they're not going to have any issues and never put themselves in that position?
When clients are deciding on the particular type of approach, the consideration is how will we be able to handle if the government tries to enforce this broadly.

Eric Crusius: I should mention that there’s no separate certification requirement for this provision like there is for example, the Chinese tech ban. There’s no disclosure requirement either. If the Chinese tech ban FAR clause requires notice to the government, if the contractor is found to use those products or services or provided them to the government, in contrary to the clause, there’s not that here. Would you argue that contractors still have a responsibility to tell the government, or is it really circumstantial and dependent on the use and how it's discovered, etc.?

Jeremy Burkhart: I think if they discovered a violation of it, or if it actually impacted contract performance, I think they would have a duty to disclose it to the government. If it's something that there was no tangible impact, I don't think they would need to disclose it to the government. But that brings up a good issue of, how is the government ever going to discover a violation? I think it would largely be happenstance. Somehow somebody within the government witnesses a contractor accessing TikTok. I can also see a scenario where there is some type of data breach or hack, and in the investigation into that, the government learns that there was access to TikTok permitted. The other thing too potentially, I think, is a False Claims Act. You know, a whistleblower or a qui tam suit where an employee basically thinks that for whatever reason their employer isn't following this clause. I think that it can come to light that way as well. Outside of those circumstances, I'm not sure this is really going to be something that's going to be easily detected by the government. However, contractors still have to comply with the rule. They still need to make sure that they have some type of policy that they can point to that saying we're doing our part to follow the law.

Eric Crusius: Makes a lot of sense. It certainly puts the contractor in an interesting position to try to figure out what the best course is, because there's not a best course necessarily in the implementation or living within clause if there is an incident or an issue or they discover that there is something happening that is contrary to the language of the clause. Before we wrap up, is there anything else that you are seeing out there with respect to this clause or anything else that you'd want to mention?

Jeremy Burkhart: I think companies need to immediately make sure they are in compliance with the clause for all of their company information technology. Whether they want to apply this to personal devices, I think, again, it depends on some of the things we talked about, like risk tolerance, culture of the company and their ability to handle any government overreach that might occur. I think at the end of the day, there definitely needs to be a policy that's put forth to comply with the clause. I think employees need to be required to acknowledge that they're complying with that clause. I don't recommend intrusive things like actual inspections of phones and things of that nature. I think as most employers know at this point, there is technology out there that helps with protecting data. They have these, this thing called container management features where you can basically separate work apps from personal apps. I think that’s a great way to try to comply with this clause where on any work apps like Microsoft Teams messaging or Outlook or email or anything like that, when you're in those work apps, you can't use personal apps like a TikTok. That's a good practice regardless of this clause, because you're just protecting your data, making it less likely to be at risk. Also, I think companies need to have a written policy, and they need to have employees acknowledge that policy.

Eric Crusius: Well, I really appreciate you joining us for this, and it's really great to hear from you today.

Jeremy Burkhart: Yeah, thanks for having me, Eric.

Eric Crusius: Thanks, Jeremy.
