A bill designed to break up America’s largest tech companies could come with an inadvertent side effect, its critics are arguing: weakening Americans’ privacy and data security.
Detractors of the “American Innovation and Choice Online Act,” including Apple and Google, are campaigning against the legislation, contending that it would limit how companies are able to protect users’ privacy and security. “These bills may compel us to share the sensitive data you store with us with unknown companies in ways that could compromise your privacy,” Google’s president of global affairs Kent Walker wrote in a blog post Tuesday.
Allowing users to download apps straight from the internet means “millions of Americans will likely suffer malware attacks on their phones that would otherwise have been stopped,” Apple’s senior director of government affairs Timothy Powderly wrote in a letter to the Senate Judiciary Committee.
The critiques are just a small part of the storm of opposition big tech is bringing against legislation that would fundamentally change the shape of the technology industry in the United States. But they could be enough to sow significant doubt in the bill’s fast-track to becoming law. The concerns were a frequent refrain in a markup of the bill Thursday, which the Judiciary panel approved by a 16-6 vote.
Third-party experts say while some of the critiques are hard to prove, they aren’t unfounded.
In a May report from the nonprofit Center for Cybersecurity Policy and Law, a focus group of 25 experts from across civil society, academia, industry, and the government warned against government policies that could inadvertently damage mobile security. (Two of the participants worked for Apple.)
“I think there is something to the fact of working through the app stores and the reviews that happen to the app stores do make the mobile environment safer,” said Ari Schwartz, coordinator at Center for Cybersecurity Policy and Law. “There was concern from the experts we spoke to that if that changes we could see things get worse on the platform.”
Apple’s primary argument is against sideloading, or allowing users to upload apps directly from the Internet instead of Apple’s trusted app store. Apple has released its own paper to support its stance, citing the higher presence of malware on Android devices, which allow sideloading, as evidence.
Critics have also questioned provisions in the bill that would penalize companies for making it harder for competitors to share and receive consumer data. The requirement could potentially leave data in the hands of third parties with lower security standards or even foreign adversaries, imposing risk on consumers.
“Expanding access to data is a challenge,” said Brandon Pugh, cybersecurity and emerging threats policy counsel at the R Street Institute. “And the reason it’s a challenge is that the person accessing it may not have sufficient safeguards in place. Perhaps they’ve already been compromised, unknowingly.”
Proponents of the bill say that many of these concerns are addressed in the version adavanced Thursday and that tech companies are scrambling for excuses.
“All of Apple’s arguments about ‘sideloading’ really amount to a desperate attempt to preserve their app store monopoly, which they use to charge huge fees from businesses they are competing against,” Jane Meyer, spokesperson for bill sponsor Sen. Amy Klobuchar, D-Minn., wrote to CyberScoop in an email. “Let’s be clear — this multi-trillion dollar company is more than capable of protecting privacy and security while still giving consumers greater choice by allowing competition. And the legislation includes strong provisions for all platforms, not just Apple, to safeguard user privacy and security.”
There are plenty of small and medium-size tech companies that support the legislation. A coalition of more than 40 companies companies including Yelp and web browser DuckDuckGo sent a letter to the Senate Judiciary Committee endorsing the bill.
While European regulators have for years had to balance the intersection of regulating data privacy and governing tech firms’ anti-competitive behavior, interest in the intersection of the two areas of consumer protection is relatively new in the U.S.
“We haven’t thought a lot about the potential tradeoffs between privacy and competition in the U.S.,” said Erika Douglas, an assistant professor at Temple University’s Beasley School of Law. “I don’t think that we’ve really decided if privacy comes at the cost of competition that we’re comfortable with that tradeoff, or vice versa.”
Another factor complicating the debate in the United States is a lack of a federal privacy law that could clarify some of the concepts addressed in the bill, S. 2992.
It’s something that both experts and members of Congress have raised.
“It’s hard to discuss data access and regulating data without a bill that specifically addresses those points,” said Pugh, who co-wrote a critique of the legislation offering a number of suggestions to amend it to prevent potential cybersecurity issues. Pugh joined in a similar critique of antitrust bills introduced by the House this summer.
As written, there is a provision in the bill that exempts actions taken to “protect safety, user privacy, the security of non-public data, or the security of the covered platform” from being deemed unlawful conduct. If a tech company is sued for violating the law that the legislation would establish, the onus to prove it had acted in the interest of user security is on the tech company, however.
The current exemption for privacy and security “puts covered platforms on the defense,” said Pugh. “I think it’s going to do one of two things: It’s either going to force companies not to take proactive measures in the first place in terms of including security, which is probably the more likely outcome, or you’re going to see less compliance with the law.”
The marked-up version of the bill takes steps to address some of the criticisms. For instance, an amended version of the bill clarifies that it does not apply to data transfers to the People’s Republic of China or governments or companies controlled by other adversaries.
But so far critics aren’t impressed.
“In S. 2992’s sponsors’ haste to get the bill out of Committee, a number of critical amendments and suggestions got waived off with promises to ‘work together’ or ‘address their concerns at a later point,” Morgan Reed, president of ACT | The App Association, wrote in a statement. “We urge the full Senate to avoid spending precious time on the legislative calendar on measures that appear to serve the political aim of taking on ‘Big Tech,’ but in reality, diminish opportunities for small app makers and harm consumer privacy and security.” (ACT receives general funding from Apple.)