Firms Must Balance Security and Personal Freedoms in the Age of TikTok
NOV 28, 2023

The following is an audio recording of a post that originally appeared on the Last Word Blog at www.acec.org.


ACEC recently held a webinar on the prohibition against TikTok on any device used to execute federal government contracts. Led by Holland & Knight attorney Jeremy Burkhart – a leading expert on government contracts – the session focused on the legal implications of the ban and what firms may or may not legally do to enforce it. The rule applies to the presence or use of any covered application on any information technology owned or managed by a contractor, including equipment provided by the contractor’s employees, unless an exception is granted.


Burkhart began his presentation with the backstory of TikTok: what it is, how it came to be, and why it has been the cause of such widespread agita among governments across the globe. He joked that those concerns are well beyond the obvious, namely wasting your time or socially stunting your kids. Instead, he continued, the overriding concerns are twofold: spying and propaganda by the Chinese government.


“The spying to me is the larger concern,” Burkhart said. “It’s not just a hypothetical. It’s a very real issue.” He pointed to an incident in which ByteDance, the Chinese company that owns TikTok, tracked three journalists who had previously exposed its links to the Chinese government and who had revealed that the company’s employees had repeatedly accessed American user data. ByteDance tracked these reporters’ IP addresses and user data to determine if they had been in the same locations as its employees in an effort to determine the source of the leaks.


This, Burkhart concluded, was not a rogue operation. Rather, it was sanctioned at the company’s highest levels. ByteDance is currently under investigation by both the FBI and the DOJ.


In December 2022, Congress passed – and President Biden signed – the No TikTok on Government Devices Act, which prohibits the use of the app on government devices. The law passed unanimously, with broad support on both sides of the aisle – a notable moment of agreement in deeply polarized Washington. The law requires the government to “develop standards and guidelines for executive agencies requiring the removal of any covered application.”


There have also been moves toward a more sweeping, outright ban on TikTok (a step some countries and states have taken), but the broad nature of the language stymied its passage. Momentum for such an outright ban has now slowed, and it’s unclear whether any legislation addressing TikTok will pass Congress.


That leaves unsettled questions for firms with government contracts about how to enforce the ban, particularly on the personal devices of employees. Burkhart was asked about personal devices not issued by the company but used by employees to access company email and collaboration tools like Teams. Would such devices be included within the ban? And is that legal?


For firms, Burkhart said, the thornier question is not an outright ban so much as how to enforce compliance. “At the end of the day, there’s considerations that the company has to go through,” he said. “Either way there is some level of risk. [Firms] have to weigh all those risks.”


And in weighing those risks, it’s important that firms also take into account things like their own corporate culture and demographics. What size is your workforce, and are employees of a demographic that will even care about not using TikTok? How much does the company prioritize employee expression and separation of work and personal lives? And, if a company does opt against banning its employees from TikTok, is the company prepared for the potential fallout if there is a move for more expansive enforcement?


Burkhart concluded his presentation with a technical tutorial on what companies can do to mitigate the risks of TikTok for both the firm and its employees. Regardless of whether the government expands its reach on TikTok, Burkhart emphasized that the app does pose a real threat to users’ private data. “It is worth considering policies to address that threat, irrespective of any federal mandate.”


This webinar – and all ACEC education sessions – is available on demand and includes professional development hours (PDH) to all who successfully complete the course requirements. To view this presentation, click here.


 
