The Problem the US TikTok Crackdown and Kaspersky Ban Have in Common

On July 20, the United States Commerce Department will ban new sales of popular antivirus software made by Moscow-based Kaspersky Labs. The move comes just two months after US president Joe Biden signed a law that will effectively ban the social media app TikTok in the US if its Chinese parent company doesn’t sell it off. The US government banned federal use of Kaspersky antivirus software in 2017, but as the US-Russia relationship has further deteriorated and the Kremlin has exerted more stringent control over the Russian tech sector, US officials have remained concerned about the potential for the Russian government to weaponize Kaspersky software.

In its campaigns to ban these pieces of foreign software as a matter of national security, though, the US government is setting a precedent that undermines tenets of a free and open internet in which users can access any information and software they choose.

“The risks to US national security addressed in this Final Determination stem not from whether Kaspersky’s products are effective at identifying viruses and other malware, but whether they can be used strategically to cause harm to the United States,” the Department of Commerce wrote last week. Commerce Secretary Gina Raimondo told reporters on Tuesday that this is the first time the US Commerce Department has banned the sale of a cybersecurity product.

Kaspersky, naturally, countered that it believes the Commerce Department “made its decision based on the present geopolitical climate and theoretical concerns, rather than on a comprehensive evaluation of the integrity of Kaspersky’s products and services.” The company added that “Kaspersky does not engage in activities which threaten US national security and, in fact, has made significant contributions with its reporting and protection from a variety of threat actors that targeted U.S. interests and allies.”

TikTok, meanwhile, has sued the US government, claiming that the potential ban of its app violates the First Amendment. The lawsuit points out that US lawmakers are forcing TikTok’s China-based parent company, ByteDance, to sell TikTok to a company headquartered in the US based on “the hypothetical possibility that TikTok could be misused in the future, without citing specific evidence.”

Unlike TikTok, a social media app that is built as a forum for discourse and can be downloaded for free, Kaspersky’s antivirus product is paid software that is granted deep system access to monitor customers’ devices and networks. Where TikTok’s software is contained by the mobile operating systems it runs in, scanners like Kaspersky are given free rein by design, adding to cybersecurity concerns.

“The apps are fundamentally different,” says Patrick Wardle, a longtime Mac security researcher. “If a person of interest had Kaspersky antivirus and TikTok on their device, Kaspersky is probably the bigger problem, because it can give its developer unfettered access to the device. A mobile app like TikTok runs in an app sandbox and really can’t do much beyond you granting it access to specific data like your contacts.”

For that reason, Riana Pfefferkorn, a policy researcher at Stanford University, argues that the US government needs to share more specific and compelling information with the general public about why they should not do business with Kaspersky, rather than paternalistically banning the app. Similarly, throughout multiple administrations and terms, the White House and Congress have never released evidence or even made specific allegations about the threat TikTok may pose to US national security.

“After the TikTok law passed, it just feels like it’s open season on any tech company the government doesn’t like—so long as it’s not a domestic firm—and like the government has excused itself from giving the public the ample and damning evidence we should expect it to provide if it is to justify such drastic decisions,” Pfefferkorn tells WIRED.

Unlike a social media platform such as TikTok, where a US adversary like China might exert control to disseminate misinformation or influence public perception of key issues over time, antivirus software like Kaspersky could be directly exploited to steal data or even take control of targeted devices. And Kaspersky has been the target of multiple sophisticated hacking campaigns over the years, indicating that foreign intelligence agencies may be keen to determine what information the company has access to. But the slippery slope created by software bans is not inconsequential.

“The federal government rightfully has leeway to decide what software not to allow on its own networks on the basis of security and privacy concerns,” Pfefferkorn says. “But when it comes to the general public, the better approach is to set basic privacy and cybersecurity requirements for all software, not just foreign-owned apps. That’s particularly true so long as data brokers remain free to sell Americans’ data to foreign governments.”

As the constant threat of software supply-chain attacks shows, strong security defenses and privacy guarantees are ultimately more durable and broadly protective than specific bans anyway. Meanwhile, Reuters reported on Tuesday that the Biden administration and the Commerce Department are investigating the access that China Mobile, China Telecom, and China Unicom have to US data through their cloud and internet routing services. The TikTok and Kaspersky crackdowns may be a glimpse of the US’s growing digital isolationism.