TikTok TikTok: How Should Contractors Respond to the Ban?
If you search the web for TikTok and government contractors, you’ll find a growing number of blog posts about the recently issued interim rule that implements “The No TikTok on Government Devices Act.” (“TikTok Act”). The TikTok Act is found at Division R of the Consolidated Appropriations Act of 2023, Public Law no. 117-328.
The TikTok Act directs the Director of the Office of Management and Budget (“OMB”) in consultation with various executive agencies to “develop standards and guidelines for executive agencies requiring the removal of any covered application from information technology.” TikTok Act § 102(b)(1). A “covered application” is TikTok or any application developed or provided by its parent company, ByteDance, or by any entity owned by ByteDance. According to CNN Business, ByteDance apps include Lemon8, which is a social media app that is being marketed to influencers as an alternative to Instagram.
The complicated part for compliance purposes is the definition of “information technology” used by the Act, which is found at 40 U.S.C. § 11101(6). The definition of “information technology” broadly encompasses a whole slew of particular kinds of equipment. Although smart phones and tablets aren’t expressly named in the clause, I have little doubt that they would be covered along with personal computers and “peripherals.”
If those devices are government-owned , they’re information technology. But devices owned by contractors or by their employees won’t be information technology unless they’re being “used by a contractor under a contract with [an] executive agency that requires the use— (i) of that equipment; or (ii) of that equipment to a significant extent in the performance of a service or the furnishing of a product. . . .” It does not, however, “include any equipment acquired by a Federal contractor incidental to a Federal contract.” Query what equipment is “required” for performance versus equipment “acquired . . . incidental to a Federal contract.”
With that murky definition in mind, here is the operative text:
The Contractor is prohibited from having or using a covered application on any information technology owned or managed by the Government, or on any information technology used or provided by the Contractor under this contract, including equipment provided by the Contractor's employees. . . .
FAR 52.204-27 Prohibition On A Bytedance Covered Application (June 2023) at § (b) (emphasis added).
My take on all this is that, yes, contractors need to be addressing this now; however, it’s also my sense that contractors shouldn’t rush themselves into corporate policies that potentially might go farther than necessary in a manner that will tick off many of their employees (terrible pun intended). While a ban on TikTok for all equipment used to perform a contract sounds simple enough, it’s actually far from simple given the confusing terminology. This complexity defies the adoption of a simple blanket ban if one is concerned about the HR implications of getting into their employees’ technology beeswax.
If you want evidence that this ban is confusing – consider the recent news that Southwest and Delta are implementing TikTok bans. Southwest’s ban (described on the View from the Wing website) applies to its company network, but not the personal devices of its employees. And, notably, Southwest’s social media team will continue to post TikTok videos, but they’ll do so using personal devices. Delta’s policy, as reported by the Points Guy website, apparently bans TikTok not only on company-owned devices but also on employee devices used “to access any Delta system—including e-mail, scheduling, the employee internet and other systems.”
Indeed, the Government’s own internal implementation of the ban has been inconsistent and confused. For example, one agency is telling its contractors that the company has to strip TikTok off all devices including employees’ personal devices even though the use is limited to checking email and regardless of whether the contractor uses software that separates company resources from personal apps. To my mind, simplistic, draconian approaches are Government at its worst.
Nevertheless, there may be some useful technology solutions that are being used by some agencies. For example, the software used by the contractor that’s implementing the Army’s bring-your-own-device program separates Army resources from a servicemember’s personal phone using methods that, frankly, are above my pay grade to describe. The contractor claims this technology complies with the TikTok ban while at the same time allowing the individual employee to retain his or her technological autonomy. This technical solution, according to the contractor, establishes that the individual’s device is not covered equipment. This demonstrates an effort to establish strong security while protecting the employee’s privacy—both of which are laudable goals.
In any event, it’s my view that contractors do not necessarily need to adopt a blanket ban of TikTok on individual employee devices regardless of how they use their devices or whether particular devices were acquired “incidental to a federal contract” whatever that means. While a blanket policy is relatively easy to establish and implement in theory, that doesn’t mean it will go over well. Contractors that wish to take a nuanced approach to find a balance between full compliance with the new contract clause and their employees’ preferences will need to review their contracts, consider what equipment is used in performance of their contracts, assess whether particular pieces of equipment fall in the “incidental” category, and discern how employees’ personal devices are used in performance of the contract work, if at all.
Although it’s nonbinding, the drafters of the interim rule claim that its regulatory burden will be limited based on their assessment of what compliance actions must be taken. While this discussion is not intended as guidance and is certainly nonbinding, it could be useful in considering what good-faith actions are needed at the moment. According to them, contractor should be able to use existing technologies and policies, but that they should review and update their policies to prohibit TikTok/ByteDance apps and to explain to employees “when a covered application is prohibited on a personal device used in performance of a Federal contract.” The Contractor’s duties regarding subcontractors are limited to flowing the clause down and advising the subcontractors that they are required to comply with the new policy. There is no apparent need to police compliance or furnish certifications.
All this said, I get why there are security concerns, particularly when one considers the potential for data mining for intelligence gathering. However, I suspect many rank and file employees will be very unhappy with a blanket ban. Thoughtful contractors will need to carefully balance these competing interests. Good luck y’all.