Skip to main content

The Flawed ACCESS Act Creates More Problems Than It Solves

 

Of the bills being advanced by House Antitrust Subcommittee Chairman David Cicilline (D-R.I.) this year, perhaps the least understood and yet potentially one of the most consequential is the “Augmenting Compatibility and Competition by Enabling Service Switching Act of 2021 (ACCESS) Act,” H.R. 3849, sponsored by Rep. Mary Gay Scanlon (D-PA). The ACCESS Act would mandate that the largest online platforms make their data not only portable for their users but also interoperable with the platforms’ competitors, and would make the failure to do so a violation of antitrust laws. 

Like the other bills being advanced as a part of this major push to regulate “Big Tech” companies via antitrust, the ACCESS Act only applies to “covered platforms,” which are defined in a way that presently would apply to a handful of companies, principally Amazon, Google, Facebook, Apple, and Microsoft. However, more companies are bound to qualify as covered platforms as the digital economy continues to grow, and even now the consequences of these regulations would affect far more than just the companies being directly impacted. Even in revised form, the ACCESS Act raises concerns that legislators ought to understand and explore before advancing such a consequential new law.

Defining Terms

Data portability is simply allowing users to access the data associated with them on an online platform on which they have a profile and to download or transfer that data elsewhere. 

Interoperability, in the context of these online platforms, is the requirement that the platform owners design application programming interfaces (APIs) that would allow not only individual users but third-party sellers or services who use the platform to access and make use of the platform’s data.  

Simple Concepts, Complicated Solutions

Closely related but separate, data portability and interoperability both have merit and have frequently been touted as important components to facilitating real competition with the largest internet platforms. Indeed, the development of protocols for interoperability were the backbone upon which the internet as we know it was built. A top-down federal mandate, however, has great potential to cause major collateral damage to privacy and innovation, and to run into complicated technological compliance issues. 

For example, how does one define what data “belongs” to a user for the purpose of data portability on a social media platform? Does it only apply to a user’s own posted content, or even photos they’re tagged in or comments they’ve made? Or does it also apply to data that’s produced about a user by the platform in question, like inferences about what content they’ll be most interested in based on what they’ve viewed?

The interconnectedness that social media platforms facilitate in particular causes this definition of ownership to be crucial when talking about allowing users to download their data in bulk and use it elsewhere. Making such a definition too broad could actually facilitate the massive overproduction of data from users and their connections. The ACCESS Act punts this crucial definition to the Federal Trade Commission (FTC).

Meanwhile, proponents of interoperability often cite the benefits of government intervention in requiring that phone numbers be transferable between carriers as an example for why a similar approach would work for online platforms. Economist Gus Hurwitz has pointed out that phone numbers are about as simple a piece of information to make interoperable as possible, and that “portability and interoperability work best when dealing with highly standardized data used in highly standardized ways.” In contrast, attempts to force complex systems to interoperate have proven costly and difficult, and have failed to produce the desired competitive benefits.

Privacy and Security: Who’s Responsible?

The problems raised with who is allowed to access what data are essentially punted by the ACCESS Act, which leaves it to the regulated platforms to “set privacy and security standards for access by business users to the extent reasonably necessary to address a threat to the covered platform or user data.” This leaves open major problems with defining user data privacy standards that have long been neglected by Congress, as well as leaving covered platforms with the troubling question of where their liability ends for the misuse of data that they are required to make portable and interoperable.

Similarly, opening the large platforms up to requests by any competitor to make their API interoperable with them creates both costly technical difficulties and also an increased number of potential security hazards. Essentially, the more different ways that platforms are forced to open their systems to interoperate with competitors, the more avenues they create for possible malicious use of such access.

It’s also important to acknowledge that there are some security and privacy benefits to closed, less-interoperable systems that consumers might benefit from, Apple being the most prominent example. To foreclose consumer choice between highly-controlled, less interoperable systems like Apple and more interoperable systems like Google’s is to pick winners and losers in an incredibly dynamic digital marketplace.

Delegation of Power to FTC

Aside from these significant technical questions, perhaps the most alarming aspect of the ACCESS Act is the tremendous power it grants to FTC and the new technical committee that the bill orders the commission to create. To begin with, as previously mentioned, the single most important definition for the purposes of its mandates is what exactly constitutes “data” and who owns it. This is left for the FTC to define, even though this definition has a tremendous impact on the rest of the scope and function of the law.  

The FTC’s technical advisory committee would consist of representatives from: competitors of the covered platforms, independent experts “that the Commission may deem useful,” someone from the National Institute for Standards and Technology (NIST), and a token (non-voting) representative from a covered platform. The FTC commissioners have sole jurisdiction over who is chosen for the committee and how many people are on it. In practice, this gives the majority in the FTC, which stands to be led by the fervently progressive Lina Khan, the ability to choose an advisory committee likely to give the advice they would prefer to advance their own agenda. 

As of the proposed committee substitute amendment to the bill, any changes that the covered platforms make “that may affect its interoperability interface” must be submitted to this technical committee for approval, unless “to address a security vulnerability or other exigent circumstance.” This gives the committee the ability to veto a wide range of changes to the regulated platforms, without regard for how new innovations might benefit consumers, while giving competitors a vote in what they think is “unreasonably denying access or undermining interoperability.”

Forcing the large platforms to ask “mother may I” for every single change to their platform that might affect their APIs could dramatically slow down innovation by the platform owners themselves, to the detriment of everyone who uses them. 

Conclusion

While data portability and interoperability have some superficial appeal, Congress should take a step back and ask if wielding the blunt instrument of antitrust enforcement to mandate them for just the largest platforms is likely to benefit competition and consumers. Just as importantly, they should assess the drawbacks of such an approach to privacy and innovation, and consider whether it is wise to give such massive authority to the FTC to regulate it.