The new E.O. resets the U.S. government’s approach to ICTS by ordering a review of the national security threats posed by software applications that collect Americans’ sensitive personal and business data and by foreign adversaries’ access to large repositories of U.S. person data. New restrictions are likely following that review, and companies that rely on software applications owned or managed by companies linked to China or other potential foreign adversaries, should closely watch developments in this space.

New reports on “unacceptable or undue risks” posed by foreign adversary-connected applications

The E.O. directs the Directors of National Intelligence and Homeland Security to provide threat and vulnerability assessments to the Secretary of Commerce. In turn, the Commerce Department will draft two reports on foreign adversary-connected software, defined as software that has the ability to collect, process, or transmit data over the internet. The reports will recommend actions to protect against harm from the sale of, transfer of, or access to U.S. persons’ sensitive data, including personally identifiable information, personal health information, and genetic information. In addition, the Commerce Department will recommend additional actions to address risks associated with software applications that are designed, developed, manufactured, or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary.

Several criteria indicate national security risk of ICTS applications

Building on the criteria to assess national security threats listed in E.O. 13873, the new E.O. lists several factors that will be considered when evaluating the risks posed by foreign adversary-connected software, including:

• ownership, control, or management by persons that support a foreign adversary’s military, intelligence, or proliferation activities;
• use of the connected software applications to conduct surveillance that enables espionage, including through a foreign adversary’s access to sensitive or confidential government or business information, or sensitive personal data;
• ownership, control, or management of connected software applications by persons subject to coercion or cooption by a foreign adversary;
• ownership, control, or management of connected software applications by persons involved in malicious cyber activities;
• a lack of thorough and reliable third-party auditing of connected software applications;
• the scope and sensitivity of the data collected; the number and sensitivity of the users of the connected software application; and
• the extent to which identified risks have been or can be addressed by independently verifiable measures.

These criteria will inform the U.S. government’s decision-making framework to adopt a “rigorous, evidence-based” analysis to address risks posed by ICTS transactions involving foreign adversary-connected software.

Further action on ICTS applications likely

Although yesterday’s E.O. rescinds the previous E.O.s dealing with Chinese mobile applications, new restrictions on Chinese and other software that collect large amounts of sensitive U.S. person data are likely to flow from the Commerce Department’s forthcoming report and recommendations, which are expected within 180 days. Furthermore, the E.O. provides the Commerce Department with authority to restrict transactions and business activities that may:

• Pose a risk of sabotage or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of ICTS in the United States;
• Pose a risk of catastrophic effects on the security or resiliency of the critical infrastructure or digital economy of the United States; or
• Otherwise pose an unacceptable risk to the national security of the United States or the security and safety of United States persons.

Post Update:

Original Post:

As a result, beginning on September 20, users in the United States will likely be unable to download the applications from app stores and application updates will be unavailable. Importantly, the new restrictions do not apply to the use of the mobile applications outside of the United States, which should be a relief to the many U.S. companies whose overseas operations use WeChat to process payments and connect with customers in China and elsewhere. In addition, the new rules generally do not prohibit the continued use of the apps by individual users in the United States who have already installed the programs on their mobile devices.

The following types of “business to business” transactions,[1] spelled out in the WeChat notice, are prohibited under the new rules:[2]

“1. Any provision of services to distribute or maintain the WeChat mobile application, constituent code, or mobile application updates through an online mobile application store, or any online marketplace where mobile users within the land or maritime borders of the United States and its territories may download or update applications for use on their mobile devices;

2. Any provision of internet hosting services enabling the functioning or optimization of the WeChat mobile application, within the land and maritime borders of the United States and its territories;
3. Any provision of content delivery services enabling the functioning or optimization of the WeChat mobile application, within the land and maritime borders of the United States and its territories;
4. Any provision of directly contracted or arranged internet transit or peering services enabling the functioning or optimization of the WeChat mobile application, within the land and maritime borders of the United States and its territories;
5. Any provision of services through the WeChat mobile application for the purpose of transferring funds or processing payments to or from parties within the land or maritime borders of the United States and its territories;
6. Any utilization of the WeChat mobile application’s constituent code, functions, or services in the functioning of software or services developed and/or accessible within the land and maritime borders of the United States and its territories.”

Pursuant to a series of exceptions, Commerce indicated that the following activities are not prohibited by the new rules:

1. Payment of wages, salaries, and benefit packages to employees or contractors;
2. The exchange between or among WeChat/TikTok mobile application users of personal or business information using the mobile applications (to include the transferring and receiving of funds via WeChat);
3. Activities related to mobile applications intended for distribution, installation or use outside of the United States by any person, including but not limited to any person subject to U.S. jurisdiction, and all ancillary activities, including activities performed by any U.S. person, which are ordinarily incident to, and necessary for, the distribution, installation, and use of mobile applications outside of the United States; or
4. The storing of WeChat/Tiktok mobile application user data in the United States.

[1] “Transaction” is defined broadly to include any “acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service.”

[2] The prohibitions applicable to TikTok are very similar, but exclude paragraph 5, which is specific to WeChat’s payment functionality.