Would Proposed Tech Regulations Foster Foreign Information Warfare?
The current geopolitical moment has prompted digital services to confront state-backed information warfare on the Internet as never before. In the wake of the Russian invasion of Ukraine, multinational digital services immediately responded to protect their users in Ukraine, Russia, and beyond. These efforts involved partnering with the U.S., EU, and Ukraine against security and information threats emerging from Russia and Belarus. That response is ongoing, but the evolving regulatory environment in the United States — including legislation being considered in Congress — raises questions about whether those steps could continue.
In response to the ongoing crisis, digital services have taken multiple actions. In addition to compliance with U.S. Government sanctions, digital services have suspended numerous products and services including payment systems operations in Russia, blocked Russian state media from their sites, and suspended advertising in Ukraine and Russia.¹ Many of these actions were proactive; some were carried out in partnership with governments, including the Ukrainian Prime Minister, among other policymakers.
Companies are also working to ensure the safe availability of basic technological tools like apps for secured communications and private browsing, providing avenues for people in Russia, Ukraine, and elsewhere to receive truthful and reliable information about the war. For example, while the Russian government has sought to block access to legitimate Western news websites, press freedom advocates have enabled Russian and Ukrainian citizens to access news reports via VPN, messaging apps, and even creative applications of shortwave radio. As a State Department spokesperson told the Washington Post, “It is critical to maintain the flow of information to the people of Russia to the fullest extent possible”. This underscores how critical it is that digital services remain agile and capable of making timely and nuanced decisions about how to help people in the region learn the truth about the Russian government’s increasingly brutal offensive against its neighbor.
The governments of China and Russia clearly see this as an information war. In response, these governments are doubling down on efforts to detach their populaces from the global Internet, creating national “splinternets.” This reflects an understanding of how effectively American digital services can pierce authoritarians’ reality distortion bubbles. These developments underscore the need for continued American technological leadership, the importance of strengthening technological partnerships with democratic governments, and the imperative of defending the U.S. innovation paradigm through well-crafted and geopolitically informed regulatory measures.
Unfortunately, some legislative proposals being considered in Congress that predate the war in Ukraine — particularly the Klobuchar-Grassley bill (S. 2992) discussed below — threaten this imperative on at least two different levels. At the micro-scale, the Ukraine conflict has established the need for digital services to retain flexibility to react quickly to changed circumstances and protect their users. Core design features of the Klobuchar-Grassley proposal, however, will impair companies from taking voluntary steps to protect users and raise up authoritative and timely information in response to the war. At the macro-scale, these bills stand to render U.S. services less agile, and blunt their strategic capacities in crises such as Russia’s invasion of Ukraine.
These proposals are remarkable in their timing: even while governments appeal to industry to contribute to the defense of the U.S.-led global order, proposed tech regulations would hamstring digital services at a moment when the need to counter hostility and protect users is manifestly obvious.
As previously covered here ([1], [2], [3]), legislation proposed in the Senate (S. 2992) and House (H.R. 3816) targets leading digital services with severe limitations on their discretion to treat business users differently. Even prior to the Russian invasion and associated information warfare campaign, leading national security experts, members of Congress, and other commentators ([1], [2]) had observed that these constraints could undermine U.S. companies’ efforts to fight bad actors operating at home and abroad.
Due to a recent amendment to the Klobuchar-Grassley bill, the bill’s sponsors implicitly acknowledged these critiques. The concession that the proposed regulations could expose American data and infrastructure to exploitation was made by removing the governments of “foreign adversaries,” as defined in 47 U.S.C. § 1607(c), from the definition of protected “business users” in the bill. As a result, the amended version of S. 2992 now excludes from the bill’s broad definition of “business user” persons that are (i) “a clear national security risk” or (ii) “controlled by the Government of the People’s Republic of China or the government of another foreign adversary.”
Unfortunately, this amended language only cosmetically addresses the problem of foreign adversaries carrying out network-based operations targeted at U.S. networks. Bill sponsors have claimed otherwise, however, asserting that S. 2992 would not prevent action against Russian propaganda from RT and Sputnik.
But as AEI’s Klon Kitchen observes,
“it’s not at all clear that RT and Sputnik would be exempted because the United States hasn’t named Russia as a “foreign adversary.” Second, even if such a designation were made after the invasion of Ukraine, it wasn’t in place in the months prior to invasion and so the law would have placed tech companies in jeopardy for downranking and demonetizing propaganda outlets in advance of the conflict.”
And even if Russia were so designated by the U.S. Government, a digital service’s action could nevertheless be subject to challenge and litigation, for example, if there were debate about the extent of state control over the bad actor in question.²
Moreover, by focusing on bad actors controlled by the governments of foreign adversaries, the bill overlooks the fact that shadowy disinformation networks and extremist cells tend not to advertise who holds their leash. Attribution is a challenge in the online information battlefield. As multiple sources told the Post this week, Klobuchar-Grassley would hamstring digital trust and safety efforts against trolls, “sock puppets,” and others believed to be connected to foreign powers, but who remain plausibly deniable.
Violations of Klobuchar-Grassley and its variants entail draconian remedies, state and federal enforcement, civil penalties of up to 15% of total U.S. revenue, injunctions, and forfeiture. And because both the House and Senate bills would place the burden of proof upon digital services to justify their actions, there are many cases where the narrow exceptions focused on identified state actors would be meaningless. While a company might manage to document that the official accounts of foreign state-controlled media are controlled by a designated “foreign adversary”, clearly connecting a “troll” account to a foreign clandestine operation would be far more challenging.
In short, there’s no worse moment to handcuff digital services’ proactive security efforts than amid a geopolitical crisis with an adversary desperate to perpetuate its own distorted narrative. Yet under the House and Senate bills, critical steps that companies are taking in response to the war in Ukraine — and may take in future crises — would be subject to legal challenge. This uncertainty coupled with a minefield of aggressive remedies will drive businesses to assume a fundamentally cautious posture — becoming more hesitant to challenge foreign disinformation, take action against security threats, and surface authoritative content. This would lead to more dangerous actors and malicious content remaining online, with damaging consequences for users and national security.
