ACCESS Act might improve data privacy through interoperability

ACCESS Act might improve data privacy through interoperability

Data privacy is back in Congressional lawmakers’ sights, as a new, legislative proposal focuses not on data collection, storage, and selling, but on the idea that Americans should be able to more easily pack up their user data and take it to a competing service—perhaps one that better respects their data privacy.

The new bill would also require certain tech companies, including Facebook, Google, and Twitter, to introduce “interoperability” into their products, allowing users to interact across different platforms of direct competitors.

These rules, referred to in the bill as data portability and interoperability, would presumably allow Americans to, for example, download all their data from Facebook and move it to privacy-focused social network Ello. Or talk directly to Twitter users while using the San Francisco-based company’s smaller, decentralized competitor, Mastodon. Or even, perhaps, log into their Vimeo account to comment on YouTube videos.

Data portability and interoperability are nothing new: Mobile phone users can keep their phone number when switching wireless providers; enterprise software can today read the files made on competitor programs, like the various documents made by Apple Pages, Microsoft Word, and Google Docs.

But few, if any, notable examples of data portability and interoperability came at the behest of federal legislation. Whether this new bill will succeed—in passage, in improving data portability and interoperability, and in its stated purpose of improving data security—remains to be seen.

Avery Gardiner, senior fellow of competition, data, and power for the Center for Democracy and Technology, said that the bill has a few good ideas, but in trying to improve data privacy, it strangely does not focus on the issue itself.

“If we have a privacy problem, which we do have in America, let’s fix that with privacy legislation,” Gardiner said.

Cory Doctorow, a writer, activist, and research affiliate with MIT Media Lab, appreciated the bill’s focus on interoperability—a topic that could use smart rule-making and which is getting little attention in Congress, as opposed to the constant, possibly futile attempts to strictly regulate Big Tech offenders, like Facebook.

“This aims to fix the Internet,” Doctorow said, “so that Facebook’s behavior is no longer so standard.”

The ACCESS Act

On October 22, US Senators Mark Warner (D-VA), Josh Hawley (R-MO), and Richard Blumenthal (D-CT) introduced the Augmenting Compatibility and Competition by Enabling Service Switching Act, or, ACCESS Act.

The bill would regulate what it calls “large communications platforms,” which are online products and services that make money from the collection, processing, sale, or sharing of user data, and that have more than 100 million monthly active users in the United States. The bill calls the owners of these products “communications providers.”

Plainly, the bill applies to both Big Tech companies and the platforms they own and operate, including Facebook and its Messenger, WhatsApp, and Instagram platforms, Google and its YouTube platform, and the primary products of LinkedIn and Pinterest.

But rather than placing new rules on these tech giants in an effort to break them up—a rallying cry for some Democratic presidential candidates—the bill instead aims to open up competition against them, potentially creating a level playing field where users can easily leave a platform that betrays their trust, runs afoul of federal agreements, or simply stops providing an enjoyable experience.

“The exclusive dominance of Facebook and Google have crowded out the meaningful competition that is needed to protect online privacy and promote technological innovation,” said Sen. Blumenthal, who helped introduce the bill, in a prepared statement. “The bipartisan ACCESS Act would empower consumers to finally stand up to Big Tech and move their data to services that respect their rights.”

The ACCESS Act has three prongs—data portability, interoperability, and “delegability,” which we’ll discuss below.

First, on data portability, any company that operates a large communications platform would need to develop a way for users to grab their user data and move it over to a competitor in a secure, “structured, commonly used, and machine-readable format.”

While some companies already provide a way for users to download their data—one Verge reporter downloaded 138 GB of their own data following the passage of the European Union’s General Data Protection Regulation—the potential to seamlessly port it over to a competitor could lower barriers to leaving behind Big Tech companies that dominate today’s social media ecosystem.

CDT’s Gardiner said that the bill’s attempt to introduce data portability is good, but whether it will be effective depends on a robust, competitive landscape where upstarts can actually accept a user’s data in a meaningful way. Right now, she said, that landscape does not exist.

“The way that your data would be useful is pretty specific to the way it is already in someone’s platform,” Gardiner said. “You’re not going to port your Facebook data into Twitter because it wouldn’t help you do anything, as a user.”

Gardiner said she understood what the bill is trying to accomplish, but she questioned whether it was the most effective route.

“When I read the press statements, I think part of what they’re saying is that privacy failures by some of the Big Tech companies are, in part, due to the lack of competition, so we should facilitate competition for communications platforms,” Gardiner said. “I have a simpler approach to solve that problem, and that’s to pass privacy legislation.”

On the bill’s demands of interoperability, companies must develop an “interoperability interface” for every large communications platform they own. For a company like Facebook, that would mean allowing interoperability with its Messenger, WhatsApp, and Instagram platforms, as CEO Mark Zuckerberg promised earlier this year, as well as with outside competitors that want to enter the field.

Finally, on “delegability,” the bill asks that Americans be given the opportunity to select a third party to manage their privacy and account setting across the various platforms they use. Those third parties, which the bill calls “custodial third-party agents,” must register with the US Federal Trade Commission and abide by rules that the Commission would need to issue after the bill’s passage.

Custodial third-party agents could charge a fee for their services, the bill says, and must protect the privacy and security of their users’ data.  

Interoperability’s importance

The ACCESS Act seeks a type of interoperability in which competitors can attract new users to their platforms by making their services compatible with a dominant player in the market. If users don’t need to use Facebook’s Messenger to stay in touch with their friends, for instance, they may find it easier to leave Messenger behind altogether, loosening Facebook’s hold on users today.

This type of interoperability has already helped dislodge the near-monopolies of Microsoft and IBM out of their respective markets—the enterprise software applications Word, Excel, and Powerpoint; and the PC itself.

But interoperability could do more than put large tech companies on watch. It could actually lead to a safer Internet for users, Doctorow said.

Doctorow told an anecdote about his friend, a comic book writer who receives targeted harassment from a group of predominantly male Twitter users. The users, angered by the writer’s feminist views, send threatening direct messages to her. But, after she reads the direct messages, they delete them.

This is for two reasons, Doctorow said. One, users cannot report a direct message to Twitter unless that direct message is still available and not deleted. Twitter does not accept screenshots in harassment reports because of the potential for faked claims.

Two, once the direct message has been deleted, the same harassers will comment publicly on the comic writer’s Twitter feed, and to several other women in her online community. These public comments, Doctorow said, reference the same content of the threatening direct messages, re-traumatizing the writer.

This is a cycle of harassment in which direct threats skirt consequences, only to reappear in similar content, increasing the feeling of powerlessness for the victim.

Interestingly, Doctorow said, there might be an opportunity for interoperability to help.

The comic writer and her small community of friends could use an outside competitor (or develop one themselves) to continue their discussions—which typically take place on Twitter—while setting up rules that would prevent the harassers’ direct messages and Tweets from showing up in their feeds and inboxes.

It’s more than a blocklist, Doctorow said. It’s giving power to users to engage with meaningful, online communities that already exist in a way that supports and protects them.

Interoperability, then, might offer a potential solution for users to avoid online harassment—until aggressors find them on a new platform. But will interoperability actually serve the ACCESS Act’s stated goal of improving data privacy?

How to regulate data privacy

The ACCESS Act is at least the sixth federal bill proposed in the past year that aims to improve Americans’ data privacy.

As Malwarebytes Labs has reported, each federal bill seeks to improve data privacy through various means. One Senator’s bill would enforce a “Do Not Track” list, another would create a “duty to care” for user data, and another would require clear and concise terms of service agreements.

The ACCESS Act, on the other hand, is the first data privacy bill to focus on data portability and interoperability. Both concepts have provided proven, better experiences for technology users across multiple sectors. College students can take their transcripts to a new university when they wish to transfer schools. Healthcare patients can take their records to a new provider.

But with Congress taking a winter recess in just six weeks, there is essentially zero chance that any of these data privacy bills will pass in 2019.

Maybe 2020 will be better for users and their data privacy.

ABOUT THE AUTHOR

David Ruiz

Pro-privacy, pro-security writer. Former journalist turned advocate turned cybersecurity defender. Still a little bit of each. Failing book club member.