By Katharine Trendacosta, Bennett Cyphers, Cory Doctorow, and Cindy Cohn
June 11, 2021
When it comes to online services, there are a few very large companies whose gravitational effects can alter the entire tech universe. Their size, power, and diverse levers of control mean that there is no single solution that will put right that which they’ve thrown out of balance. One thing is clear—having such large companies with control over so much of our data is not working for users, not working for privacy or freedom of expression, and it’s blocking the normal flow of competition. These giants need to be prevented from using their tremendous power to just buy up competitors, so that they have to actually compete, and so that new competitors are not incentivized to just be be acquired. Above all, these giants need to be pushed to make it easy for users to leave, or to use other tools to interact with their data without leaving entirely.
In recognition of this reality, the House Judiciary Committee has released a number of proposed laws which would reign in the largest players in the tech space in order to make a healthier, more competitive internet ecosystem. We’ll have more in-depth analysis of all of them in the coming weeks, but our initial thoughts focus on the proposal which would make using a service on your own terms, or moving between services, much easier: the ACCESS Act.
The “Augmenting Compatibility and Competition by Enabling Service Switching Act”—or ACCESS Act—helps accomplish a goal we’ve long promoted as central to breaking the hold large tech companies have on our data and our business: interoperability.
Today too many tech companies are “roach motels” where our data enters but can never leave, or be back under our control. They run services where we only get the features that serve their shareholders’ interests, not our needs. This stymies other innovators, especially those who could move beyond today’s surveillance business models. The ACCESS Act creates a solid framework for change.
Privacy and Agency: Making Interoperability Work for Users
These services have vast troves of information about our lives. The ACCESS Act checks abuse of that data by enforcing transparency and consent. The bill mandates that platforms of a certain size and type make it possible for a user to leave that service and go to a new one, taking some or even all their data with them, while still maintaining the ability to socialize with the friends, customers, colleagues and communities who are still using the service. Under the bill, a user can request the data for themselves or, with affirmative consent, have it moved for them.
Interoperability means more data sharing, which can create new risks: we don’t want more companies competing to exploit our data. But as we’ve written, careful safeguards on new data flows can ensure that users have the first and final word on what happens to their information. The guiding principle should be knowing and clear consent.
First, sensitive data should only be moved at the direction of the users it pertains to, and companies shouldn’t be able to use interoperability to expand their nonconsensual surveillance. That’s why the bill includes a requirement for affirmative consent before a user’s data can be ported. It also forbids any secondary use or sharing of the data that does get shared—a crucial corollary that will ensure data can’t be collected for one purpose, then sold or used for something else.
Furthermore, the bill requires covered platforms to not make changes to their interoperability interfaces without approval from the Federal Trade Commission (FTC), except in emergencies. That’s designed to prevent Facebook or other large platforms from making sudden changes that pull the rug out from under competitors. But there are times that the FTC cannot act quickly enough to approve changes. In the event of a security vulnerability or similar privacy or security emergency, the ACCESS act would allow platforms to address the problem without prior FTC approval.
We Need Multiple Possible Consequences for Platforms, Not Just Those Levied by the FTC
The bill is not perfect. It lacks some clarity about how much control users will have over ongoing data flows between platforms and their competitors, and it should make it 100% clear that “interoperability” can’t be construed to mean “surveillance advertising.” It also depends on an FTC that has enough staff to promote, rather than stymie, innovation in interoperable interfaces. To make sure the bill’s text turns into action, it should also have a private right of action. Private rights of action allow users themselves to sue a company that fails to abide by the law. This means that users themselves can hold companies accountable in the courts, instead of relying on the often overstretched, under-resourced FTC. It’s not that the FTC should not have oversight power, but that the bill would be strengthened by adding another form of oversight.
Put simply: the ACCESS Act needs a private right of action so that those of us stuck inside dominant platforms, or pounding on the door to innovate alongside or in competition with them, are empowered to protect ourselves.
The bill introduced today is a huge step in bringing much-needed competition to online services. While we believe there are things missing, we are glad to see so many problems being addressed.
Source: Electronic Frontier Foundation