New Bill Wants "Made in China" App Labels
A new bill in Congress would require app stores to label applications with "country of origin." Here's what to know.
US technology policy is increasingly centered on China. Now, a new bill in Congress would require app stores to add a “country of origin” label to apps, based on such factors as where the developers are based and the company that owns the application. Apps from “countries of concern” would receive an additional disclaimer. Here’s what to know — including about the bill’s clear focus on Chinese-made apps. Brought to you by Global Cyber Strategies, a Washington, DC-based research and advisory firm.
The One-Liner
The “Know Your App Act” would require app stores to label apps with “country of origin” and, based on that country, possibly show an additional warning to users — removing apps that fail to properly and accurately disclose the information.
“Made in China” and Other App Labels
Three Republican senators introduced the “Know Your App Act” on May 30. I recently unpacked and analyzed the bill in an article for Lawfare.
The bill describes four sets of risks, as I paraphrased in the article:
Internet-linked applications collecting data about and posing privacy risks to minors.
A lack of transparency, combined with a lack of user understanding about applications’ countries of origin — and the potential risks of “exposure to foreign government surveillance, data breaches, and privacy violations.”
Foreign states potentially collecting user data through internet-linked apps, including sensitive data, data for espionage, and data to exert influence over critical infrastructure.
Users needing more information to make informed and pro-privacy and pro-security decisions about the apps they use.
While some of these risks are more directly tied to an app’s “country of origin,” such as espionage risks, others are less so — such as collection of data on minors.
Covered app stores would have to display this origin information for every single application in their stores. Then, if an app was from a designated “country of concern” (discussed next), the app store must provide a “prominent” disclaimer on the app store page that “data from the application could be accessed by a foreign government.” The bill did not fully describe how this should be visualized. App stores would also be required to allow users to filter out apps “whose primary country of origin is a country of concern.” Developers, for their part, would have to inform a covered app store if their country of origin, their owner, or their owner’s country of origin changed and annually certify to covered app stores that the information is up to date.
As I elaborate, the bill does not define a “country of concern” itself and instead directs the Secretary of Commerce and Secretary of the Treasury to jointly develop a list.
This is an interesting approach. It does not simply default to the list of China, Russia, Iran, and North Korea familiar to any reader of US national security policies. It also does not explicitly or solely target China. Any country with a law for government control of an application’s content moderation, algorithm design, or user data transfer could be placed on the list. This would certainly include China — both legally, in how the bill could encompass China’s national security and intelligence laws, and politically, in how any administration is likely to define a country of concern (in that China’s tech rise is a significant concern to U.S. national security decision-makers). The bill’s authors clearly have this in mind: Lankford said in the press release that “I want the ‘Made in China’ label and labels for any other countries where apps like TikTok originate to be clearly marked when and where they are downloaded.”
It could theoretically include countries like India as well, but it is politically unlikely for an administration to take that approach. This leads into two issues with the bill.
The bill’s sponsors clearly intend it to focus on China and what they would likely describe as authoritarian technology practices. But if one way to qualify as a country of concern is merely having state control over user data transfers, virtually any country with a consumer privacy regime could make the list. If interpreted literally, dozens and dozens of countries could have their privacy laws and regulations about the collection, transfer, storage, and processing of data fit under the definition laid out in the bill’s text — from the EU bloc with its General Data Protection Regulation and EU-US data transfer controls to Brazil’s privacy law with controls for data transfers to foreign countries, Nigeria’s new Data Protection Act, and many more. The Information Technology and Innovation Foundation found that data localization measures jumped from 35 countries with 67 barriers in 2017 to 62 countries with 144 barriers in 2021; in 2022, McKinsey estimated that 75 percent of all countries had “some level of data localization rules.”
As I continue:
…the counterargument might be that the US government would not be “concerned” about many of those countries, like France or Germany. This is likely correct, but it’s still significant that the bill could make most countries with privacy laws qualify for the list. That seems to be a strange potential outcome from a piece of legislation that (while written broadly) is clearly focused on China. It also raises a point of potential contradiction within the bill itself. Government control over user data transfers in a country is a way to become a country of concern. Simultaneously, the label required in app stores for countries of concern does not say that a government has control over user data transfers but that, as described above, “data from the application could be accessed by a foreign government.” These are two distinct things. Countries don’t need a regulation over user data transfers per se to access data from apps; all they might need is a court order to compel the company to hand over data. Or, in countries like Russia, the state can simply use brute force to make companies comply. Control over user data transfers is one way in which increased state surveillance could potentially occur, but it is not the only way for it to occur.
Significantly, the bill would require app stores to “remove” applications from their stores that do not comply with transparency requirements, if they do not correct any known errors within 90 days of a warning. That provision raises larger questions, most immediately about speech.
Now What?
There is little indication that other members of Congress have great interest in the bill. Nonetheless, it serves as another interesting window into how some members of Congress are thinking about technology, data, privacy issues, and security risks. The focus on transparency makes it stand out from other pieces of legislation, such as the RESTRICT Act, which has far more expansive powers for the executive branch; this legislation would emphasize disclosing “origin” information, rather than pursuing immediate restrictions. But it still underscores a continued focus on “country of origin” as a primary determinant of risk — when many other factors matter, too.
Subscribe for more public insights, and reach out on Global Cyber Strategies’ website for a range of custom-tailored research and advisory services.
—
© 2023 Global Cyber Strategies LLC.