Effective June 3, Contracting Officers have been required to include a new contract clause in federal contracts banning the use of TikTok. The clause—which does not mention cellular phones, TikTok’s primary hardware—introduces a confusing set of requirements not seen in other information technology clauses. This article looks at the basis for the prohibition and then clarifies the scope of the prohibition, including what devices it covers.

The clause arises out of a December 2022 law called the “No TikTok on Government Devices Act” (“No TikTok Act”).[1] In general, the No TikTok Act prohibited the use of TikTok on government devices and required the Director of the Office of Management and Budget (“OMB”) to promulgate “standards and guidelines” for agencies to carry out the law.[2] In the backdrop of the prohibition on TikTok are several other U.S. laws since 2018 that have prohibited the use of Chinese information technology (“IT”) hardware from use in government facilities or by contractors.  Why has the U.S. suddenly taken a tough stance on Chinese technology? Is the clause just another product of the ongoing geopolitical drama between two superpowers?  Not quite. These rules are the U.S. government’s response to an intrusive intelligence law passed by China in 2017 that clearly puts the private data of users of Chinese software at risk.

I. The Source of the U.S. Government’s Prohibitions on Chinese IT Hardware and Software: China’s 2017 National Intelligence Law (国家情报法) and an Overly Broad Concept of “National Security” Threats

The U.S.’s restrictions on IT hardware and software in federal procurements are a response to recent political and legal developments in China.  On June 27, 2017, the Standing Committee of the Twelfth National People’s Congress passed the National Intelligence Law of the People’s Republic of China with the purpose of “strengthen[ing] and safeguard[ing] national intelligence work and safeguard[ing] national security and interests.”[3]  Among other things, the law requires “organizations and citizens” to “support, assist, and cooperate with national intelligence work in accordance with the law” with assurances of state protection.[4] The law includes provisions that ensure the protection of the rights of individuals and organizations; however, the U.S. was particularly concerned with provisions that grant “staff members of national intelligence agencies” access to “relevant files, materials, and articles” from “relevant agencies, organizations, and individuals.”[5] When considered alongside the Chinese Government’s prohibitions on comedy and musical performances for reasons of national security,[6] there are clear concerns about the safeguarding of personal identifiable information (“PII”), sensitive procurement information, Controlled Classified Information (“CUI”) and other categories of sensitive data in the hands of such companies. 

II. OMB Memorandum M-23-13

Pursuant to the No TikTok Act, the Director of the OMB issued a Memorandum for the heads of Executive Departments and Agencies (“OMB Memo”) on February 27, 2023.[7] The OMB Memo draws on established definitions of “Information Technology” from a 2002 law, now codified at 40 U.S.C. § 11101.[8] That definition encompasses information technology equipment “used by a contractor under a contract with the executive agency that requires the use—(i) of that equipment; or (ii) of that equipment to a significant extent in the performance of a service or the furnishing of a product.”[9] As the OMB Memo notes, the definition of IT Equipment “does not . . . ‘include any equipment acquired by a federal contractor incidental to a federal contract.”[10] Presumably this would include IT equipment purchased under a contract for services not related to the function and operation of those systems.

Among other things, the OMB Memo required Agencies do the following within 90 days:

1. Ensure any new contracts issued do not contain requirements that include the use of a covered application in the performance of the contract, except in cases of approved exceptions; and,
2. Cease use of contracts that contain requirements that may include use of a covered application in performance of the contract or modify those contracts to conform with the prohibition on covered applications, except in cases of approved exceptions.[11]

Within 120 days, agencies were required to “[e]nsure that each agency solicitation requires conformance with the prohibition on covered applications.”[12]

III. Requirements Under the FAR Clause

The new clause, effective June 3, requires contracting officers to insert 52.204-27, Prohibition on a ByteDance Covered Application (Jun 2023) in all contracts and requires the clause to be flowed down to all subcontracts. The clause applies to TikTok “or any successor application or service developed or provided by ByteDance Limited or an entity owned by ByteDance Limited.”[13] The law draws on the same statutory definition of IT hardware systems as the OMB Memo:

Computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including support services), and related resources.

The prohibition oddly does not make explicit mention of cell phones but includes installation on “peripheral equipment”[14] where TikTok would never appear. However, since cell phones almost always include “computers,” they fall under the definition.

Under the clause, contractors are prohibited from the following:

…from having or using a covered application on any information technology owned or managed by the Government, or on any information technology used or provided by the Contractor under this contract, including equipment provided by the Contractor’s employees. . .[15]

To clarify, this prohibition applies to two categories of technology:

1. IT owned/managed by the Government
2. IT “used or provided by the Contractor under this contract, including equipment provided by the Contractor’s employees.”

The first category is straightforward and prohibits ByteDance apps on covered IT systems provided by the government to a contractor. The second category contemplates IT systems used “under” a contract. Read broadly, the application to contractor-provided IT equipment is legally demanding and would cover the use of any cell phone used for work attributable to a contract. However, again, the definition of “Information Technology” excludes equipment only “incidental to a Federal contract.”  The prohibition, therefore, does not consider all cell phones used by contractor employees “under” a contract as covered “IT Equipment.”  That is because the definition only applies to equipment on a contract “that requires the use of the equipment” and to equipment used “to a significant extent in the performance of a service or the furnishing of a product.”

IV. Guidance

The clause applies to all contracts, but it may be arguable whether IT Equipment used by a contractor falls under the prohibition. The prohibition clearly applies to all government-provided IT equipment.  It also clearly applies to any IT Equipment specifically required for performance under the contract; this would include contracts for front-end technical support, software development, service contracts requiring extensive word processing or telecommunications such as acquisition support and consulting services. In general, the prohibition applies to any IT equipment utilized regularly in the performance of a contractor’s duties under the contract, while it would not apply to contracts for products that do not require the use of a cell phone or IT hardware “to a significant extent.”

In borderline cases, contractors without existing IT policies or a reasonable method of controlling the installation of third-party applications on employee cell phones should assure the contracting officer (if true) that works under the contract would not require the “significant use” of employees’ cell phones or IT equipment. However, to provide Agencies with the strongest assurance of compliance, contractors should either prohibit or block the installation of ByteDance applications on all IT equipment or prohibit all but approved third-party applications. For small businesses without centralized IT departments, they should include explicit restrictions on ByteDance on all but approved third-party applications in company handbooks. Such policies should include penalties for employees who download ByteDance applications onto covered devices. Lastly, contractors should remember to flow down the clause to all contracts, including for commercial products and services.

As always, for additional guidance, do not hesitate to contact government contracts attorneys at Peckar & Abramson PC.

________________________________

[1] 117 P.L. 328, 136 Stat. 4459, div. R, §§ 101-02, available at https://www.congress.gov/bill/117th-congress/senate-bill/1143

[2] The Director of OMB is charged with overseeing “best practices in [the] acquisition” of information technology.  See 40 U.S.C. § 11302(b) – Capital planning and investment control.

[3] National Intelligence Law of the People’s Republic of China, 2017 China Law LEXIS 1415, available at http://www.npc.gov.cn/npc/c30834/201806/483221713dac4f31bda7f9d951108912.shtml

[4] 2017 China Law LEXIS 1415, *4 (Article 7).

[5] 2017 China Law LEXIS 1415, *7 (Article 16).

[6] Vivian Wang, Cultural crackdown in China shuts comedy and music shows.  The New York Times (2023), https://www.nytimes.com/2023/05/24/world/asia/china-comedy-music-crackdown.html (last visited Jun 30, 2023).

[7] Shalanda  D. Young, Memorandum for the Heads of Executive Departments and Agencies (2023). Available at https://www.whitehouse.gov/wp-content/uploads/2023/02/M-23-13-No-TikTok-on-Government-Devices-Implementation-Guidance_final.pdf

[8] Public Buildings, Property, and Works Amendments Act, 148 Cong Rec H 3316, et seq.

[9] 40 U.S.C. 40 U.S.C. 11101(6)(A)(i) & (ii).

[10] Shalanda  D. Young, Memorandum for the Heads of Executive Departments and Agencies (2023) Section II.

[11] Id., Section III.

[12] Id. 

[13] As of the writing of this article, these applications include Douyin, Toutiao, TikTok, Xigua Video, Helo, Lark, and BytePlus.

[14] From 47 CFR § 15.3:

Peripheral device. An input/output unit of a system that feeds data into and/or receives data from the central processing unit of a digital device. Peripherals to a digital device include any device that is connected external to the digital device, any device internal to the digital device that connects the digital device to an external device by wire or cable, and any circuit board designed for interchangeable mounting, internally or externally, that increases the operating or processing speed of a digital device, e.g., turbo cards and enhancement boards. Examples of peripheral devices include terminals, printers, external floppy disk drives and other data storage devices, video monitors, keyboards, interface boards, external memory expansion cards, and other input/output devices that may or may not contain digital circuitry.

[15] FAR 52.204-27