The Protecting Americans from Foreign Adversary Controlled Applications Act (PAFACA), enacted in April 2024, was sold as a narrow national-security measure. Eighteen months on, it has become something quite different: a recurring exercise in presidential improvisation over which app roughly 170 million Americans are permitted to use, and on what ownership terms. The framework deal announced in late 2025 for ByteDance to transfer TikTok's US operations to a US-led consortium may resolve the immediate standoff, but the precedent it sets — Washington as referee of app ownership — deserves far more scrutiny than it has received.
From statutory deadline to rolling extensions
PAFACA gave ByteDance until January 19, 2025 to divest TikTok's US operations or be banned from US app stores and hosting providers. The Supreme Court unanimously upheld the law in TikTok Inc. v. Garland on January 17, 2025, accepting the government's foreign-adversary-control rationale and rejecting the platform's First Amendment challenge. The next day, the app briefly went dark; the day after, President Trump took office and issued an executive order directing the Attorney General not to enforce the statute for 75 days.
That 75-day pause then became another, and another. By late 2025, the administration had extended the non-enforcement window multiple times — each extension grounded in the same loose claim of presidential discretion over enforcement priorities, with the framework agreement finally announced as the political off-ramp. Whatever one thinks of the eventual deal's terms, the route to get there involved a sitting president repeatedly declining to execute a law Congress had passed and the Supreme Court had upheld. That is not a tidy outcome.
The bigger question PAFACA leaves open
The narrow legal debate around TikTok — is it a First Amendment violation to force divestiture of a foreign-owned app? — has been answered for now. The harder policy question is the one PAFACA largely ducked: when, exactly, should the federal government tell Americans which apps they may install, and on whose corporate ownership terms?
PAFACA's text designates the People's Republic of China, Russia, Iran and North Korea as "foreign adversaries" and authorises the President to designate further covered applications. That is a remarkably open-ended instrument. The same statutory machinery used against TikTok can be turned on any sufficiently large app deemed "controlled" by a covered country — a definition that, in practice, requires very little evidence of actual data exfiltration or content manipulation. The Court in Garland was explicit that it was not requiring such evidence; the foreign-control link was sufficient.
Why proportionality matters here
A pro-innovation regulatory posture is not pro-adversary. There are real concerns about data flows to jurisdictions with extraterritorial intelligence laws, and about recommender systems being tuned by foreign-state actors. But the proportionate response is rarely a forced sale of an entire US business unit under threat of an outright ban. More targeted tools exist and have been tested:
- Project Texas–style data-localisation and third-party auditing of recommender code, of the type CFIUS reportedly negotiated for years before PAFACA was passed.
- Targeted restrictions on government devices, which over 30 US states and the federal workforce already have.
- Sector-specific data-broker rules — the kind contemplated by Executive Order 14117 and bipartisan privacy proposals — that constrain bulk data transfers regardless of which app collects them.
Each of these targets the underlying harm without conscripting the government into the role of deciding which firms may operate consumer-facing platforms. A divestiture mandate, by contrast, treats ownership nationality as a proxy for risk, then leaves the executive branch to negotiate the corporate restructuring it prefers.
The precedent risk
The framework deal, whatever its commercial merits, normalises three things worth flagging:
- Selective enforcement as policy. A statute Congress passed and the Supreme Court upheld was effectively held in abeyance for most of a year by executive order. Future administrations will note the option.
- Government-brokered cap tables. Federal officials shaping the ownership structure and board composition of a consumer app is an unusual posture for the US, more familiar from industrial-policy regimes the US has historically criticised.
- Reciprocity risk. If "foreign-adversary control" justifies forced divestiture, other jurisdictions will reach for the same rationale against US firms operating abroad. The EU's Digital Markets Act and India's IT Rules already gesture in that direction; PAFACA gives them a model with American fingerprints on it.
A better path forward
Congress should revisit PAFACA before the next "covered application" designation. A revised framework should require an evidentiary finding of specific harm — data exfiltration, content manipulation, or platform-level coercion — before divestiture remedies are available, and should sunset designations automatically absent renewed findings. Enforcement extensions should be statutorily bounded rather than left to indefinite executive discretion.
The TikTok saga has been treated as a one-off. It is not. It is the template for how the US government may regulate the consumer internet for the next decade, and the template is, at present, both too broad and too discretionary. A free, open internet that is also secure does not require Washington to pick winners on the app store — it requires laws targeted at the conduct that actually matters.