On April 14th, 2023, the Montana legislature voted to ban TikTok within the borders of the state of Montana. TikTok, a popular short video sharing website and mobile application, is owned by ByteDance, a Chinese-controlled company. I and other prominent information security and technical experts called this ban “technically stupid” and “technically incompetent” based on its profound and proudly-proclaimed ignorance of how the internet works, but that’s not the whole story. There may have been good reasons the Montana legislature would want to ban TikTok, including concerns over global privacy, Chinese surveillance, and children’s safety. That nuance has been lost.
Over the last few weeks, I’ve spent a lot of time on phones and radio with journalists explaining the technical implications of the recent Montana legislature’s ban on TikTok. Rather than letting my most pithy two-word observations and some boiled-down simplifications of the underlying Internet architecture stand as my full comments, let’s dig a bit more into why Montana is pushing this ban, the technical limitations on its current implementation, how it could be feasibly put into place, and what the implications for U.S. and global cyber policy will be.
Montana is a wonderful place that I’m proud to have in my history; I lived there for three years and my B.A. in international relations is from Carroll College in Helena (Go Saints!). I’m not here to bash on Big Sky Country, and it’s important to note that the Montana legislature’s actions come in the wake of absolutely no action whatsoever on meaningful federal U.S. data privacy legislation. This is a reaction to the parlous lack of real protections on U.S. consumers and children online, and is absolutely understandable. In that absence, why shouldn’t Montana try to protect its children from Chinese surveillance? I can’t think of a good reason not to try—but the problem here is that instead of engaging with technical experts, policymakers with experience, and the companies providing these apps (basically, Google and Apple’s app stores), the Montana legislature wrote a bill that demands that the sky be plaid, river trout can fly, and that the sun rise in the West.
The simple idea of banning a phone or internet app inside the borders of one U.S. state is technically meaningless with the current physical makeup of the internet. Have you ever been near any U.S. border (but not outside it) and seen your phone pop up a text message that says “Bienvenidos a Mexico” or “Bienvenue à Canada!” That happens because the internet does not understand physical geography, only the locations that cell towers are placed. If a phone connects to the closest cell tower which happens to be across a border, your phone thinks it’s in the country of that cell tower. There’s no triangulation or other police-procedural television magic that can tell your phone precisely where it is, or the app ecosystem you belong to where you are.
The only way to enforce Montana’s ban is to build this system and begin massive surveillance of all U.S. internet-connected devices, reporting precise location and the contents of all phones to any law enforcement at will. Sound familiar? That’s because that is the surveillance state in China. There’s a profound irony in the fact that to enforce a ban on TikTok in Montana while still connected to the rest of the internet, the Montana state legislature would have to have broken/bypassed/backdoored encryption on all phones inside the state to prevent any downloads of the app and monitor for its use. That’s the exact same technical implementation China uses to monitor use of apps. It’s also incredibly expensive.
To be totally honest, if quite extreme, you could also implement this ban by physically cutting off Montana from the rest of the internet - as if you had bulldozed a cut across every road and highway leading into and out of the state of Montana, and knocked down all cell towers that are near enough to the border to have their signals reach outside it. Then, Montana would have its own internet which would be hosted on servers actually inside the state, with no ability to electronically reach TikTok–or Google, Facebook, Amazon, Microsoft, or any other company which have servers physically located anywhere but Montana. Also, then no one outside Montana could get to the websites for the University of Montana or Montana State–or the Legislature. This is as if Montana chose to have its own post office as well, rather than being connected to all the other U.S. states; basically, you could send and have a letter delivered inside Montana, but not outside it. Governor Gianforte would have to give up his website, however—the endpoint for gregformontana.com (IP: 22.214.171.124) is currently in San Francisco and controlled by internet utility CloudFlare. The Missoulian newspaper (IP: 126.96.36.199) which currently is hosted on servers in Davenport, Iowa would have to change its hosting provider. The largest employer in Montana, Schneider Electric (IP: 188.8.131.52) would need to stop hosting its online presence out of a datacenter in Virginia. This is what the physical and technical implementation of a real Great Firewall of Montana would look like.
So, why can’t the Apple and Google app stores turn off access to TikTok in the state of Montana? Well, first of all, there’s no such thing as “Montana” in those app stores; only countries and regions. There’s the possibility that to reach the barest minimum of legal compliance, app stores could turn off the ability to download TikTok for anyone with a billing address inside Montana. It would mean that someone outside the state of Montana but whose bills are being paid by someone inside the state would not be able to download the app, like many college students attending school out of state. Still, credit card billing addresses can be changed quite easily, and there are many tools online, like virtual private network (VPN) apps (a bit like a postal mail forwarding address for your computer that makes it look like you’re logging on from South Dakota or elsewhere), which can defeat any attempt to pinpoint someone’s physical location from their perceived internet logon point.
Regardless of all this, the idea that Montana alone can determine whether someone can reach a cultural and news hub to read and learn is clearly a First Amendment issue. Every lawyer to whom I’ve spoken about this says that the lawsuits filed by both TikTok itself as well as five Montana content creators two days ago are likely to succeed–and are going to be expensive for Montana to defend against. It’s disturbing to think of Montana using taxpayer dollars to attempt to curtail the constitutional rights of those same taxpayers. There’s also a fundamental difference between the common act of banning TikTok on devices being used by government officials or choices by private organizations to not permit corporate devices to have this entertainment app installed. It is reasonable and quite common to limit entertainment or foreign-owned apps on devices being used by government officials or children or corporate employees—but those are not choices with First Amendment implications.
Should Montana follow through on the ban (intended to come into effect January 1st, 2024), it’s nearly inconceivable that there would not be judicial intervention to prevent the First Amendment from being trampled in this fashion. There are constitutional options, like the extreme case I’ve shown above involving severing Montana from the remainder of the Internet which would be more legal than what they’re currently trying to do. And as far as holding encryption keys or backdooring all phones to enforce a ban: Montana would then find itself on the other side of a Fourth Amendment challenge against unreasonable search and seizure for warrantless surveillance of innocent American citizens.
The Montana Legislature has voted itself into quite a constitutional pickle, and they’ll either have to back down, cut off Montana from the Internet, or face constitutional challenges. I do not envy the crow-eating about to commence in the Last Best Place, but I do look forward to my next backpacking trip out there. I’ll pack in some wifi endpoints if anyone wants to break the law just a little bit. Illegally downloading online content? It’ll be just like college, all over again.