The Biden administration is moving to revise federal rules to address potential security risks from TikTok and other foreign-owned apps, eight months after opting not to pursue a forced shutdown of the Chinese-owned video-sharing platform.
The Commerce Department recently concluded a public-comment period on the proposed rule change, which would expand federal oversight to explicitly include apps that could be used by "foreign adversaries to steal or otherwise obtain data," according to a filing in the Federal Register.
Under the rule, the commerce secretary could effectively bar foreign apps deemed unacceptable security risks. That could force social-media platforms such as TikTok and other software applications connected to the internet to submit to third-party auditing, source-code examination and monitoring of the logs that show user data, according to the proposed rule.
"That rule is going to be significant, and will be a tool in the way that we deal with the threat," Commerce Secretary Gina Raimondo said in an interview.
The U.S. military has already banned its members from using the app on government-issued devices. Some lawmakers including Sen. Marco Rubio (R., Fla.) say the White House is moving too slowly to come up with a comprehensive plan.
"TikTok remains a serious threat to U.S. national security and Americans’—especially children’s—personal privacy," Mr. Rubio said. "The Biden administration undid critical measures that President Trump took against the app, and the timid steps it has taken on data security are not nearly enough."
Biden administration officials say a Trump executive order that sought to block TikTok in the U.S., as part of an administration effort to put it under control of U.S. owners, was effectively unenforceable. Executive actions implementing the Trump order were ultimately blocked by two separate federal court rulings, and the Biden administration decided not to pursue appeals.
Now, U.S. officials say they are moving carefully to ensure that their actions withstand legal challenges. In addition to the proposed rule change, the Commerce Department has submitted recommendations to the White House to further address the risk that data collected on American users by Chinese apps could be shared with Beijing.
"We take incredibly seriously the national-security risks presented by these connected software applications," Ms. Raimondo said. "These are complex issues we take very seriously."
TikTok, which is owned by Beijing-based ByteDance Ltd., declined to comment.
In a statement, the Chinese Embassy in Washington said the U.S. shouldn’t "overstretch the concept of national security and politicize economic issues."
"Efforts should be made to provide an open, fair, just and nondiscriminatory business environment for market players from other countries to invest and operate in the U.S.," the embassy said.
TikTok has said repeatedly that it doesn’t share information on American users with the Chinese government, and that its data are held on servers in the U.S. with backup servers in Singapore.
National-security officials say that TikTok would have no choice but to comply with a demand by China’s Communist government for data. They say TikTok’s user data could be used to track federal employees and contractors, conduct corporate espionage and compile dossiers for blackmail purposes.
In his final months in office, former President Donald Trump issued the executive orders on TikTok’s ownership and blessed a plan for Oracle Corp. and Walmart Inc. to be major investors in the new company.
That deal would have required Chinese approval, however, which was far from ensured.
Rather than pursue appeals of the blocked Trump executive orders, President Biden ordered a broad review of apps controlled by foreign adversaries to determine whether they pose a security threat to the U.S.
In addition to the Commerce Department’s actions, the Committee on Foreign Investment in the U.S. has restarted negotiations with TikTok, seeking changes in TikTok’s systems to address Washington’s concerns about the Chinese government’s ability to obtain American users’ personal data, administration officials say.
Cfius, which seeks to ensure that foreign-owned business interests don’t jeopardize national security, could potentially demand that TikTok locate its data exclusively in the U.S. and that the data be subject to oversight by trusted U.S. national-security officials, according to people familiar with its dealings.
Given TikTok’s popularity, however, any attempt to outright block the social-media platform carries political risk for the Biden administration, according to analysts following developments.
"There’s a bit of a third rail—people like TikTok," said James Lewis, director of the technology and public-policy program at the Center for Strategic and International Studies, a Washington think tank.
An added hurdle is that most Americans don’t see TikTok as a security risk, said Patrick Jackson, chief technology officer for the security firm Disconnect Inc.
"There would be outrage," Mr. Jackson said. "Regular Americans don’t recognize the harm the U.S. government is alleging. They may see it similar to Instagram or Snapchat. The onus is on the government to connect the dots."
The proposed Commerce Department rule change is aimed at including certain foreign-owned apps in a broader program that allows the department to oversee and even ban various online transactions that present unacceptable security risks.
Some business groups contend the proposed rule threatens to make an already difficult situation worse.
In a Jan. 11 comment letter, the U.S. Chamber of Commerce said the proposal "complicates the U.S. business community’s efforts to identify problematic [information-technology] transactions while navigating a potentially uncertain regulatory environment where the Department may apply multiple standards in reviewing [information-technology] transactions."
CTIA, a trade group representing the wireless-communications industry, warned in its comment that requiring trusted third-party audits could lead to unintended consequences, and urged flexibility in compliance.
"Mandating auditing that includes third-party access to the logs and data the connected software application collects could create privacy and data-protection issues," the group said.
The proposed rule won’t become effective until the Commerce Department reviews the comments and issues a final rule, according to a recent regulatory alert from law firm Akin Gump Strauss Hauer & Feld LLP. The firm noted that the Commerce Department is expected to issue new proposed rules to implement its broader technology-security regime and could undertake enforcement actions.
While his administration considers what to do about TikTok, Mr. Biden himself has appeared on the popular app. In December, he made a cameo in a TikTok video by the Jonas Brothers to promote vaccination against Covid-19.
Mr. Biden’s aides said he was aware the appearance would be for social media, but let the Jonas Brothers determine on which platform it would be used. The video, which was shot at the White House, has been played more than 16 million times on the app.