Long before TikTok, the clock Was ticking on standards for foreign-owned apps

If you have kids, or if you can remembe when you were one yourself, you may be familiar with the phrase, “My house, my rules.” It’s a tenet that many parents fall back on when establishing boundaries for their children and their children’s visitors in their home.

Like many lessons from childhood, this one can be applied to a very different situation — rules for foreign-based companies that provide applications and software to users in the U.S. Foreign nations or companies that provide these products or services to U.S. citizens must comply with U.S. standards governing issues, such as data ownership and algorithms. In other words, “Our house, our rules.”

This scenario has been brought to light most recently by the controversy surrounding TikTok and other apps from China, such as DeepSeek. And although the need for such guidelines sounds extremely basic, the U.S. currently has no established standards along these lines.

The ongoing debate and controversy surrounding TikTok illustrates why it is imperative for the U.S. to develop and implement these standards. To protect our national security, we need defined rules guiding who gets to own and who has access to the data collected via these apps, as well as standards for quality control. We also need standards for monitoring whether the algorithms being built or used in these types of technologies are doing harm, including their effects on children and whether they are producing politically polarizing content.

If we don’t have consistent standards around protecting user data, nations can create algorithms and technologies that allow them to advance their own interests to the detriment of the U.S. This could start with a simple requirement like “all applications must provide clear notification up front as to who owns the data on their platform and how users can opt out of sharing their information.” Right now, this information is purposefully buried in user agreements that no one reads before hitting accept.

In addition, the U.S. should develop policies or laws on how to govern the availability of applications and technologies. The guidelines should be based on several factors, such as:

• Where will the app’s user data be stored and will the application permit the sale, storage and transfer of user information to additional entities? 
• Will user information be used to train or in any way aid in the development of machine learning or artificial intelligence models?
• To that point, will foreign governments or other foreign entities have access to user data? If so, we have to assess the laws that govern the data usage of those foreign entities and whether their differing standards conflict with those we have in the U.S.
• If multiple stakeholders own and/or operate the app, who will have a controlling interest, and what are the lines of demarcation in responsibility in ensuring user data is protected?

A comprehensive policy along these lines would help consumers understand how their personal data will be used and by whom. While many organizations and applications might claim that users can determine how their data is collected and used, they make it difficult for end users to understand how to opt out and often end up owning and using information for profit, further exposing individuals to nefarious intentions. A clear policy governing foreign-owned apps would spell this out and provide guardrails on the behavior of the entities that own them. It also ensures every company conforms to the same set of standards.

Finally, it would also provide a baseline framework for protecting U.S. users and avoiding future political arguments similar to the one we are currently experiencing related to TikTok. Without it, we could again find ourselves in the situation we’re in now – with a wildly popular app collecting information on individuals or with potentially dangerous algorithms that could end up in the hands of the government of a foreign nation under its laws.

With the “my house, my rules” adage as a guiding principle, the U.S. is well within its bounds to enforce these types of policies. The clock has been ticking on creating these standards long before the controversy around TikTok. With a policy in place, we will not be chasing the train the next time.

Tom Guarente is vice president of external and government affairs at cybersecurity firm Armis.