Edward Longe, American Consumer Institute
Last year, lawmakers in the House of Representatives and Senate introduced the American Innovation and Choice Online Act, which, if enacted, would rewrite America’s antitrust rules by prohibiting specific online tech platforms from self-preferencing their goods and services. The AICOA text also contains requirements that specific tech platforms share data with small businesses, along with mandated interoperability rules.
While mandating data sharing and interoperability might correct a perceived harm, lawmakers must also recognize that their proposals could leave sensitive consumer data vulnerable to cybercriminals. Therefore, Congress must reject any proposals that inadvertently make it easier for consumer data to fall into the wrong hands.
AICOA has been proposed at a time when Americans are deeply concerned about how their data is handled online. A recent poll conducted by the Pearson Institute and the Associated Press found that “9 in 10 Americans are at least somewhat concerned about hacking that involves their personal information, financial institutions, government agencies or certain utilities. About two-thirds stated they are very or extremely concerned.”
Americans’ deep concerns about cybersecurity are not unfounded. For example, it is estimated that between January 1, 2021, and September 30, 2021 — a period of just 272 days — 1,291 data breaches occurred. That amounts to almost five each day and 35 each week.
For businesses and consumers alike, the effects of a data breach can be substantial. For companies, the financial cost of each data breach is estimated to be around $8.64 million, on top of severe reputational damage. For consumers, data breaches result not only in identity theft but also in unquantifiable damage to a victim’s mental health.
Under the provisions of AICOA, big tech platforms would be prohibited from restricting or impeding “a business user from accessing data generated on the platform by the activities of the business user or its customers.” In simple terms, this means companies like Amazon would be forced to hand over consumer data to third-party vendors that use their platform to sell goods and services.
Tech platforms would only be exempted from sharing data with other businesses if they can prove “by a preponderance of the evidence that the conduct” is “narrowly tailored, non-pretextual, and reasonably necessary” to “protect safety, user privacy, the security of nonpublic data, or the security of the covered platform.”
This provision is particularly dangerous because small businesses are especially vulnerable to cyberattacks and data breaches. Verizon found that 43% of all data breaches and cyberattacks target small businesses, with 60% of small businesses going out of business after an attack. Unlike large companies, small businesses are unable to make the significant capital investments required to produce robust cybersecurity protections. If big tech companies are forced to share sensitive financial information with small businesses, lawmakers would be putting it in the hands of those who are least able to protect it.
The result will inevitably be more cyberattacks, more identity theft, and reduced consumer confidence.
AICOA would also impose interoperability requirements on tech platforms. For example, AICOA states that tech platforms cannot “materially restrict, impede, or unreasonably delay the capacity of a business user to access or interoperate with the same platform, operating system.” In simple terms, this language would require tech companies like Amazon to develop software that can exchange information with other businesses.
Congress could inadvertently make consumer data more accessible for cybercriminals by mandating interoperability.
Interoperability also poses cybersecurity concerns that could leave consumers’ data vulnerable. Existing vulnerabilities in interoperable software often allow cybercriminals easier access to sensitive consumer information. In October 2021, for example, cybersecurity experts found that interoperable systems had serious flaws “that enabled unauthorized access to data outside of the authorized users’ scope.”
While lawmakers might be inclined to pass measures, like AICOA, that would reform America’s antitrust laws, they must do so responsibly and with full awareness of the wider consequences of their proposals. In the case of AICOA, lawmakers have not fully considered the ramifications of the bill on cybersecurity and data protection. Their negligence could ultimately jeopardize the robust protections consumers currently enjoy, making data breaches and cyberattacks even more common than they are now.
Edward Longe is a policy manager at the American Consumer Institute, a nonprofit educational and research organization.