In July, the Knight Institute, where I work, filed a lawsuit on behalf of the Coalition for Independent Technology Research challenging the application of Texas’s TikTok ban to public university faculty. Texas’s ban requires state agencies, including public universities, to bar their employees from using or downloading TikTok on state-owned devices or networks, as well as on personal devices used to conduct state business. We explained in the complaint that the ban “severely compromises the ability of public university faculty to teach with and about TikTok, as well as to undertake research relating to TikTok,” implicating the First Amendment interests of students, researchers, and the public at large.
In a declaration filed in support of the Knight Institute’s request for preliminary relief in that case, Bruce Schneier—one of the nation’s leading experts on privacy and computer security—addressed the other side of the equation, Texas’s possible interests in enacting the ban. He concluded that the ban is ineffective, unnecessary, and even counterproductive. Although it centers on the circumstances in Texas, Schneier’s declaration should be read widely. It has obvious relevance to the ongoing public discussion over banning TikTok—not just in Texas but around the country, including in the litigation unfolding in Montana over that state’s broad public ban; the legislative deliberations in states like Massachusetts, Illinois, and California that are considering their own bans; and the very live debate about a possible ban at the federal level.
In his declaration, Schneier evaluated Texas’s purported justifications for the ban, which he sees as general concerns about data collection, the spread of disinformation, and network security, as well as specific concerns relating to TikTok’s connections to China. But if these are Texas’s reasons for the ban, Schneier explained, they are poor ones; a ban is entirely ineffective in addressing any of these interests. He observed that while data collection, disinformation, and network security may be “serious concerns,” they are issues that “are not unique to TikTok” but “present on all popular online platforms”—including American ones.
Texas’s Ban Won’t Effectively Address Concerns about Data Collection
With respect to social media platforms’ data collection practices, Schneier acknowledged that governments “are right to be concerned about the ability of private companies—including TikTok—to collect, aggregate, and use sensitive user data.” But, he explained, Texas’s ban cannot hope to ameliorate these problems “because it does nothing to address the root of the issue: the intrusive data collection practices themselves.” As Schneier noted, many other major online platforms, including Google, Facebook, and a host of other popular services, “collect as much data from their users as TikTok does from its users.”
Even focusing on TikTok alone, Schneier explained that a ban on TikTok for public employees would not prevent the platform from collecting personal information about those users anyway. TikTok, for instance, can use tracking pixels embedded in third-party websites to collect data about a person’s IP address and browsing activity, even if that person does not have a TikTok account. Schneier concluded that a ban simply cannot “protect the data privacy of Texans because it does not restrict TikTok, or any other company, from collecting sensitive information.”
Schneier’s declaration also explained that, even as to any distinct concerns Texas may have about TikTok’s connections with China, banning TikTok will not prevent the Chinese government from collecting sensitive data from Americans if it wishes to do so. As he underscored, “[i]t would be trivial for the Chinese government to buy enormously detailed datasets about Americans.” And it could do so “without ever accessing the data collected by TikTok.” He wrote:
Even assuming that there is a significant likelihood that the Chinese government will acquire access to TikTok’s American-user data and that Texas’s TikTok ban will cut off that direct access (both questionable premises), the Chinese government can acquire Americans’ data from commercial data brokers, advertising aggregators, and other apps and devices that send or sell data directly to China.
To support this point, Schneier cited a recent report from the Office of the Director of National Intelligence, which explained that the wide range of commercially available information sold by data brokers is already readily available to foreign governments. Thus, “[b]anning TikTok does not meaningfully limit the Chinese government’s ability to acquire data about Texans.”
Texas’ Ban Won’t Prevent the Spread of Disinformation or Threats to Cybersecurity
Schneier also explained why a ban on TikTok cannot effectively address the spread of disinformation. He noted that “all social media platforms, including American ones, can be exploited by foreign powers interested in influencing Americans.” Schneier highlighted several notable examples of recent disinformation campaigns originating from foreign governments—including attempts by Iranian nationals to influence voters during the 2020 election and by Russian operatives to interfere with the 2016 election—all of which were launched on US-based platforms. Governments like China’s “do not need to own or be closely associated with a platform” to disseminate disinformation to the United States.
A ban on TikTok likewise does little to address device and network security concerns. As Schneier explained, “[o]ther apps and devices, including American ones, can be used as vectors for malware or used to gain unauthorized access to networks and devices.” Banning TikTok would not, for instance, have done anything to prevent or mitigate the 2019 SolarWinds breach, which left the networks of over 14,000 clients exposed, including those belonging to prominent government offices like the National Institutes of Health, parts of the Pentagon, and the Cybersecurity and Infrastructure Security Agency.
Texas Can Address Its Concerns Without Banning TikTok
Schneier’s declaration also made clear that a ban is wholly unnecessary. He pointed to a number of policy alternatives that Texas could adopt to more directly address its concerns. For instance, regarding data collection, Schneier explained that “strong privacy legislation” that includes “better controls on data collection, sale, and aggregation by private companies” would “help secure data privacy” and “protect Americans in the long term” without requiring a broad ban on access to TikTok. This approach would be consistent with the “broad consensus among technology policy experts and the general public about the necessity of comprehensive data privacy regulation.”
Schneier similarly explained how concerns relating to device and network security could be addressed with a much narrower policy than an outright ban. Public universities, for instance, could “address security concerns by issuing dedicated devices to faculty engaged in TikTok-related research and by establishing dedicated networks for use of TikTok in research and teaching.” Such measures would be “trivial for public universities to implement” and would advance an interest in protecting device and network security without necessitating a broad ban.
Blocking Research Relating to TikTok Undermines Texas’ Goals
Finally, Schneier’s declaration stressed that banning TikTok is not only ineffective and unnecessary, it is counterproductive. A ban that prohibits public university faculty from accessing TikTok inhibits important research about the platform, “including work relating to data privacy, the spread of disinformation, and security”—the very interests Texas purports to advance. This research is necessary to better understand the potential risks TikTok might pose to those interests. For instance, Schneier pointed to a study conducted by the University of Toronto’s Citizen Lab, which performed a comprehensive security and privacy analysis of the TikTok app. As Schneier noted, “[u]nderstanding what sensitive information TikTok collects, how TikTok uses and secures this information, and who TikTok shares this information with is crucial to assessing the impact of those practices on user privacy and security.” These critical inquiries are precisely the kind of research that Texas’s ban hinders. (A separate declaration from Dr. Jacqueline Vickery explained how Texas’s ban specifically impairs her efforts to research and teach about TikTok, including its implications for youth privacy.)
Although Schneier’s declaration speaks directly to Texas’s TikTok ban and its effect on public university faculty in that state, his insights on why the ban is ineffective, unnecessary, and counterproductive are important to the broader discourse on the wisdom of such bans. To the extent that government officials believe that a ban on TikTok could address concerns about data collection, the spread of disinformation, device and network security, and even TikTok’s connections to China, Schneier’s declaration shows why a broad, categorical ban on the platform simply does not serve those interests. Policymakers and the public should pay attention.