A TikTok ‘Deal’?

Yesterday President Trump signed an executive order certifying that ByteDance, TikTok’s Chinese parent company, has initiated a “qualified divestiture” of the popular social media app. This certification comes more than eight months after the Protecting Americans from Foreign Adversary Controlled Applications Act (PAFACAA), which effectively banned TikTok in the United States absent such a divestiture, went into effect. The administration’s sudden move follows a lengthy period of conspicuous non-enforcement, during which it has asserted broad executive authority over foreign relations to justify its inaction. But while the White House may be declaring victory, a closer look at the reported deal raises serious questions about whether it truly satisfies the stringent requirements of the law.

PAFACAA’s Requirements

PAFACAA makes it illegal for U.S. entities like Apple, Google, and internet hosting services such as Oracle to distribute, maintain, or update TikTok and its mobile apps. This prohibition takes effect unless the president certifies to Congress that a “qualified divestiture” has occurred. There are two critical conditions for such a deal.

First, the company must no longer be “controlled by a foreign adversary.” This is primarily a question of TikTok’s ownership structure. Under PAFACAA, foreign adversary control is defined as any Chinese, Russian, Iranian, or North Korean “adversary, person or entity” having a direct or indirect ownership stake of 20 percent or more. The new ownership arrangement, reportedly led by a consortium of U.S. and Emirati investors, appears designed to meet this threshold. Although ByteDance will retain a minority stake, it is said to be under the 20 percent cap.

The second requirement of the law is more  complex because it goes to operation rather than ownership. The law states that any divestiture must “preclude the establishment or maintenance of any operational relationship” between the new U.S. TikTok operations and any formerly affiliated, foreign-adversary-controlled entities. The statute explicitly includes as part of this relationship “cooperation with respect to the operation of a content recommendation algorithm” (emphasis added). This gets at the heart of one of the national security concerns that animated the law: the fear that the Chinese government, through its influence over ByteDance, could manipulate the algorithm to shape the information environment for millions of Americans.

The Algorithm Licensing Problem

This second requirement gets at the crux of the problem around the TikTok divestment: the  algorithm and who will control it. Reporting is unclear on this point. For example, the Wall Street Journal reports that “[u]nder the deal, ByteDance would copy its algorithm, then lease it to the new entity, which would train it on U.S. user data to wall it off from Chinese influence under the supervision of cloud-computing firm Oracle.” But the details of how this will work matter enormously.

As we see it, there are three basic options.

Option 1: ByteDance licenses a one-time complete transfer of the source code. This would allow a clean hand-off that lets the new U.S. entity operate, maintain, and modify the algorithm independently on a (theoretically) now U.S. universe of data. This likely satisfies the law’s demand to sever the operational relationship, and the U.S. company would have full control over the code that shapes user experience.

Option 2: The “license” entails an ongoing relationship with source code from Chinese parent-company Byte Dance. Such an arrangement would almost certainly violate PAFACAA. For example, if ByteDance is required under the terms of the license  to provide updates, bug fixes, or technical support for the algorithm, that would constitute a prohibited operational relationship. Even a requirement for periodic license renewals would create an opening for Chinese influence, as ByteDance could leverage the renewal negotiations to exert pressure on the U.S. company. The core purpose of the law was to eliminate precisely this kind of leverage.

Option 3: The new U.S.-based company continues to use the algorithm created and maintained by ByteDance only for its U.S. operations but “controls and protects” the U.S. data that goes into it and comes out of it. This runs into essentially the same problems as Option 2—and the addition of assurances that the underlying U.S. data going into or coming out of the algorithm would be a fairly meaningless technical distinction. ByteDance could easily capture this information or alter the presentation of this information if it controls the operations that all the information runs through, thus failing under the second requirement of PAFACAA.

Perhaps the most unsettling part of all of this is that we may never actually know which option (if any) the deal has picked. Because the certification of whether the divestiture requirements have been met is done by the president, the public may never see the licensing agreement or even any of the key documents relating to the deal at all. The details are likely to remain confidential, shielded by the private companies involved and both the U.S. and Chinese governments. This opacity creates a significant accountability problem.

The executive order provides scant, and in any case inconsistent, information. On the one hand, it states that “the divestiture puts the operation of the algorithms and code, as well as content-moderation decisions, under the control of the new joint venture,” but without explaining what “control” means.

On the other hand, it states that “the divestiture includes intense monitoring of software updates, algorithms, and data flows by the United States’ trusted security partners, and it requires all recommendation models, including algorithms, that use United States user data to be retrained and monitored by those trusted security partners.” But critically we have to ask: Why would intense monitoring be necessary if there’s no ongoing operational relationship with ByteDance as to the algorithm?

A Presidential Safe Harbor?

For the U.S. tech companies that PAFACAA governs, this ambiguity may not matter. They can plausibly argue that the president’s certification to Congress provides them with a legal safe harbor. Once the executive branch has formally declared that a qualified divestiture is underway, companies like Apple and Google have a strong defense against any potential liability under the statute, regardless of whether the deal’s underlying terms actually meet the legal standard.

In theory, more accountability and information could be sought by Congress, which can either accept the president’s certification or challenge it. But Congress has shown little to no appetite for confronting the Trump administration on matters of executive authority. While PAFACAA passed with overwhelming bipartisan support, the political will to enforce it, particularly among Democrats who grew wary of the law’s implications, seemed to evaporate once it was signed. Republicans, meanwhile, have been consistently unwilling to challenge a president who maintains a firm grip on the party.

Even if the deal does, against the odds, fully comply with PAFACAA, it does not undo the nine months of flagrant illegality in which the president effectively unilaterally erased the existence of the law by instructing the Department of Justice to not enforce it. (Indeed, the executive order includes yet another lawless 120 non-enforcement period.) The administration’s refusal to enforce a duly enacted statute that was upheld unanimously by the Supreme Court, as well as the acquiescence of major U.S. technology companies, set a troubling precedent for executive non-enforcement neutering the democratic will and process of Congress and the courts.

How the deal came about raises its own questions, including how the new investment group was chosen. Most concerning is the question of what concessions the Trump administration may have offered Beijing to secure its approval for the divestiture, which remains unanswered. If the cost for this deal  was merely a relaxation of certain trade restrictions with China, there is less concern, but if it involved compromises on more critical national security interests, such as the defense of Taiwan, the long-term cost of this deal could be far greater than the benefit of resolving the TikTok saga. We may have ended one national security threat only to have quietly invited another.

Disclosure: One of the authors (Rozenshtein) consults for one of the parties reportedly involved in the TikTok divestment on unrelated matters.