
Examining a New Bill to Label Apps “Made in China”

Justin Sherman
Tuesday, July 18, 2023, 3:20 PM

A new bill would require app stores to label apps from certain countries. It’s another piece of legislation focused on data, security worries, and country of origin.



Published by The Lawfare Institute in Cooperation With Brookings

On May 30, Sens. Tim Scott (R-S.C.), Roger Wicker (R-Miss.), and James Lankford (R-Okla.) introduced a bill to require mobile app stores to label apps with their “country of origin.” Titled the Know Your App Act, the bill would require covered app stores to provide an additional disclaimer for apps from “countries of concern” (ostensibly to include China) that would be determined by the Treasury and Commerce departments. When introducing the legislation, Scott said that

Americans should be able to make informed decisions about the online services they use in order to protect their data and security. Requiring app stores to display an app’s country of origin is a common-sense solution that can help them do just that.

The bill follows months of congressional concern about TikTok, the popular video-sharing platform owned by Chinese technology company ByteDance. It also has some similarities to a bill introduced in 2020 to “warn” people downloading apps made in certain foreign countries. However, the bill’s authors have scoped the legislation in a way that goes far beyond China—which is clearly their focus—and could implicate any app developed in a country with user data transfer regulations. Unpacking the legislation provides additional perspectives on questions of mobile apps, data collection, and privacy and security risks. It also underscores that many members of Congress remain focused on country of origin as a major determinant of risk in the software and data spaces, when in fact there are many other factors to consider in a comprehensive risk analysis.

What’s in the Bill?

The Know Your App Act opens by describing four sets of concerns:

  • Internet-linked applications collecting data about and posing privacy risks to minors.

  • A lack of transparency, combined with a lack of user understanding about applications’ countries of origin—and the potential risks of “exposure to foreign government surveillance, data breaches, and privacy violations.”

  • Foreign states potentially collecting user data through internet-linked apps, including sensitive data, data for espionage, and data to exert influence over critical infrastructure.

  • Users needing more information to make informed and pro-privacy and pro-security decisions about the apps they use.

Some of these risks are more directly tied to the country in which an app developer is based, such as the laws to which that individual is subject and the risk of foreign espionage. Other risks are not as clearly tied to the country of origin question. For example, it is possible that foreign governments access data on minors in the United States, but many apps originating from many countries collect data about minors. And the national security reasoning—and risk—behind a foreign state using an app to collect data about U.S. minors is not as clear as in the case of, hypothetically, a foreign state gathering data through an app about clearance-holding U.S. government employees.

The bill defines “application stores” as publicly available websites, software applications, electronic services, or platforms that distribute apps from third-party developers to device users and have more than 20 million U.S. users. Therefore, if an app store has fewer than 20 million U.S. users, it is not covered. The Apple and Google app stores would obviously be covered under that threshold. It is possible that other application stores could be covered as well, such as the gaming platform Steam, which has approximately 120 million monthly active users—the number in the U.S. is unclear.

Covered app stores would have to display this origin information for every single application in their stores. Then, if an app was from a designated “country of concern” (discussed next), the app store must provide a “prominent” disclaimer on the app store page that “data from the application could be accessed by a foreign government.” The bill does not fully describe how this should be visualized. App stores would also be required to allow users to filter out apps “whose primary country of origin is a country of concern.” Developers, for their part, would have to inform a covered app store if their country of origin, their owner, or their owner’s country of origin changed and annually certify to covered app stores that the information is up to date.

The bill does not define a “country of concern” in its text. Further, unlike other bills on non-U.S. tech companies, products, and services, it does not point to the definition of “foreign adversary” in the Secure and Trusted Communications Networks Act of 2019 (Public Law No. 116-124), defined as “any foreign government or foreign nongovernment person engaged in a long-term pattern or serious instances of conduct significantly adverse” to U.S. national security or the “security and safety of United States persons.” Instead, the Know Your App Act gives the treasury and commerce secretaries 180 days to jointly develop, submit to Congress, and publicly publish a list of

each foreign country that has in effect a national law that may subject a developer or application to control by the government of the country over content moderation, algorithm design, or user data transfers.

This is an interesting approach. It does not simply default to the list of China, Russia, Iran, and North Korea familiar to any reader of U.S. national security policies. It also does not explicitly or solely target China. Any country with a law for government control of an application’s content moderation, algorithm design, or user data transfer could be placed on the list. This would certainly include China—both legally, in how the bill could encompass China’s national security and intelligence laws, and politically, in how any administration is likely to define a country of concern (in that China’s tech rise is a significant concern to U.S. national security decision-makers). The bill’s authors clearly have this in mind: Lankford said in the press release that “I want the ‘Made in China’ label and labels for any other countries where apps like TikTok originate to be clearly marked when and where they are downloaded.” Theoretically, this scope could also include countries like India, where the Modi government has introduced new surveillance requirements for virtual private networks, raided Twitter’s offices in an effort to get its politicians’ hateful content restored, and, according to former CEO Jack Dorsey, previously threatened to shut down access to Twitter altogether if the company did not comply with politicians’ demands. Politically speaking, though, it is hard to imagine any U.S. administration using such a bill as an opportunity to designate (and therefore highlight) concerning state surveillance and content manipulation practices in countries like India, Turkey, or even in closer U.S. ally or partner countries.

This relates to a broader issue with the bill’s scope. The bill’s sponsors clearly intend it to focus on China and what they would likely describe as authoritarian technology practices. But if one way to qualify as a country of concern is merely having state control over user data transfers, virtually any country with a consumer privacy regime could make the list. If interpreted literally, dozens and dozens of countries could have their privacy laws and regulations about the collection, transfer, storage, and processing of data fit under the definition laid out in the bill’s text—from the EU bloc with its General Data Protection Regulation and EU-U.S. data transfer controls to Brazil’s privacy law with controls for data transfers to foreign countries, Nigeria’s new Data Protection Act, and many more. The Information Technology and Innovation Foundation found that data localization measures jumped from 35 countries with 67 barriers in 2017 to 62 countries with 144 barriers in 2021; in 2022, McKinsey estimated that 75 percent of all countries had “some level of data localization rules.”

Of course, the counterargument might be that the U.S. government would not be “concerned” about many of those countries, like France or Germany. This is likely correct, but it’s still significant that the bill could make most countries with privacy laws qualify for the list. That seems to be a strange potential outcome from a piece of legislation that (while written broadly) is clearly focused on China. It also raises a point of potential contradiction within the bill itself. Government control over user data transfers in a country is a way to become a country of concern. Simultaneously, the label required in app stores for countries of concern does not say that a government has control over user data transfers but that, as described above, “data from the application could be accessed by a foreign government.” These are two distinct things. Countries don’t need a regulation over user data transfers per se to access data from apps; all they might need is a court order to compel the company to hand over data. Or, in countries like Russia, the state can simply use brute force to make companies comply. Control over user data transfers is one way in which increased state surveillance could potentially occur, but it is not the only way for it to occur.

Significantly, the bill stipulates that companies would have to notify developers in violation of these rules no fewer than three times over 90 days. If the developer does not remedy the issue by 90 days after its first warning from the app store, the app store, under the bill, “shall remove the application of the developer from the application store.” Of course, this immediately raises larger questions, especially about speech: The sponsoring legislators would like to attempt to force private companies to make software effectively unavailable to the U.S. public because the software is not, in their view, sufficiently transparent about its country of origin. It somewhat echoes calls to have Google and Apple remove TikTok from their U.S. app stores. It also raises unanswered questions about what would constitute a violation of the country of origin provisions. Because a “beneficial owner” of an app, under the bill, can include a company with only 25 percent ownership, there could be scenarios in which developers are based in one country, a part owner of an app is based in a second country, and a majority owner of an app is based in a third country. It’s not exactly clear how that would be handled—perhaps by the app having to list all three countries.

App stores would also be required to establish a process for users to report apps violating these rules, anonymously if they so choose, and for apps to contest removal from the app store. For app stores in violation of these rules, the bill states that the attorney general for the appropriate district court can bring a civil suit against those companies.

What’s the Takeaway?

Lankford has positioned the Know Your App Act in contrast to proposals like the RESTRICT Act, the latter of which would establish a formal process for the Commerce Department to review and potentially restrict or block transactions with a wide range of non-U.S. tech companies, products, and services. In the press release on the Know Your App Act, Lankford said that

Americans should remain free to buy items from wherever they want, but the least Big Tech can do is label where Americans’ money is going when they download in the app store.

Section 2(a)(2) of the bill that describes the risks of concern also states that

Users have a right to know baseline information on the country of origin so that they can personally make decisions to mitigate the threat to their personal and biometric information.

Indeed, this bill is very different from the RESTRICT Act. It does not formally establish a technology security review process in the government, and it does not call for the government itself to directly restrict access to an application. Instead, the Know Your App Act focuses just on apps and app stores, and would require that apps provide information about their country of origin. Theoretically, apps owned by Chinese firms would all remain in the app store, so long as they were transparent to the app store that their owners were based in China. The RESTRICT Act, in turn, could have these apps’ activity in the U.S. (such as their availability in app stores) limited. Also unlike the RESTRICT Act, this bill does not attempt to supersede an important limit on executive power that says the president cannot restrict the import or export of information.

Again, the bill’s authors are worried about apps from China but have written the legislation more broadly. It’s not clear, though, whether they realize just how many countries have laws and regulations for user data transfers, which if interpreted literally would make dozens and dozens of countries around the world qualify as countries of concern. Again, this is not a bad thing—disclosing, for example, that an app has a Swiss developer is another piece of information for the consumer. But it rings somewhat strange in a bill that is clearly motivated by concerns about apps with Chinese corporate owners.


Justin Sherman is a contributing editor at Lawfare. He is also the founder and CEO of Global Cyber Strategies, a Washington, DC-based research and advisory firm; a senior fellow at Duke University’s Sanford School of Public Policy, where he runs its research project on data brokerage; and a nonresident fellow at the Atlantic Council.
