Institutional Design and Privacy: Giving Everyone Control Leaves Everything Exposed
This post is part of a series covering different studies on antitrust enforcement of digital services released by various academics, think tanks, and regulatory agencies.
Digital platform regulation is often at the center of hotly contested political debates in areas such as antitrust and privacy. The Stigler Report’s “Market Structure and Antitrust” chapter (discussed further here and summarized here) advocates for the creation of a regulatory authority capable of promulgating ex ante regulations and adjudicating issues of antitrust and competitiveness in digital markets. While this may seem like a way to focus on and remedy the perceived competition and antitrust issues, it leaves the door open for a host of new issues.
Specifically, the Stigler Report offers some guidance on how data portability, interoperability, and data sharing should be conducted to reduce barriers to entry and level the playing field so that competition may flourish. This is a noble goal, however, the recommendations paint a troubling picture for consumer privacy, and would require firms to undertake serious changes to the way their data is structured, their privacy policies, and their mechanisms through which data is accessed (e.g. APIs). The promotion of competition is important, but moving too quickly may have unintended consequences for companies and consumers alike.
The Stigler Report calls for the creation of a Digital Authority (DA) to “regularly collect data on market transactions, with an emphasis on data from businesses with bottleneck power.” This could include data such as “a sample of searches at a set of websites, a sample of queries followed by purchases at other sites, a sample of downloads of applications at an app store, or a sample of activity and ads shown on a social media site.” In addition to this vast amount of data, the Report argues that the DA should have the authority to collect information regarding the types of data businesses collect, and how they use that data. The DA is then free to share this data to aid in an investigation or the pursuit of a prosecution by an antitrust agency. The Report reasons this authority will make it easier for the DA to simply turn over the data to an antitrust agency. That agency would then follow proper civil or criminal procedure and subpoena the data directly from the targeted firms, allowing them to fight for the privacy rights of consumers.
In conjunction with the collection of large amounts of consumer data, the Stigler Report argues that the DA should seek to make as much of the data it collects as public as possible. This data would be subject to de-identification and certain needs of business to keep secrets confidential. However, the Report provides no standard by which this data should be deidentified. The United States government also does not speak with one voice when it comes to the deidentification of data, with NIST, HIPAA, and FERPA all having different standards by which collected data should be deidentified, just to name a few.
The report cites the public availability of airline industry data as a model; however, the breadth of online data targeted by the report is simply incomparable for a number of reasons. In the case of online data there is more personally identifiable information, and without proper protections in place there is a great risk to consumer privacy, especially if the consumer does not know that this data is being shared with the government.
The Report states that the DA “has a role to ensure that users can easily transfer their data from one service to another in industries where there is a common business model” and that this will in effect cause competition to increase as it is easier to move from one competitor to another. The DA may be the entity to propose a standard for the exchange of data, but ultimately the authors of the Report note that the DA should be open to allowing the industry itself to determine the standards for data portability, so long as those standards are themselves not barriers to entry. This is a task that some companies have already undertaken; the Data Transfer Project — launched in 2018 with Apple, Facebook, Google, Microsoft, and Twitter as contributors — seeks to create an open-source tool for data portability and interoperability. The Stigler Report does not suggest any hard and fast solutions for data portability, but it notes the possibility that the DA could set up a process through which a consumer can choose to send their data directly from one service to a new entrant without the need for them to download that information first. The DA would be required to authorize this new entrant to offer the ability to its consumers, and promulgate regulations to require the incumbent service provider to transfer the data at an authorized request from the new entrant.
Recently Facebook published a white paper entitled “Data Portability and Privacy.” This white paper explains the basic concepts of data portability, but more importantly it seeks to create discussion regarding the privacy concerns surrounding data portability. Facebook examines five questions as to how data portability and privacy interact such as “whose data should be portable?” “How should we protect privacy while enabling portability?” and “After people’s data is transferred, who is responsible if the data is misused or otherwise improperly protected?” The white paper notes that when data is portable is not necessarily simply an issue of taking one user’s data and moving it somewhere else, instead it is a complex problem of what happens when the data at issue is associated with another person or persons. This gives rise to the question of who should have the ability to control what data is shared. If a person wishes to take their data to another service, but any of the content is associated with another individual should that person need to give consent before the data can be ported to another service? If the individual provides consent to the requesting user then they may do anything they wish with the data, including porting it. Alternatively, absent the individual’s consent a requesting user would not be able to port the data.
The Stigler Report separates data portability into two sections. The first is what the DA should do while the second is how the DA should respond to antitrust violations. The Report notes that in the case where a digital platform has been found guilty of an antitrust violation the proper course of action to help restore lost competition may be to force one digital platform to share the relevant data it has collected. Further, the Report proposes that a company should not just release the historical data that may have given one digital platform an edge over the competition, but also present and future data. This forced data sharing comes with no requirements for consumer consent and does little to imply that any consumer whose data is to be shared would have any input as to whether this data was to be made publicly available. Depending on the type of data to be shared, this kind of forced data transference could be detrimental to consumer privacy.
Data portability is an important innovation that many technology companies have already pledged to finding a solution to implement, however, it is a monumental task and there are a slew of concerns and questions other than consumer privacy that must be addressed and answered before data portability systems can be put in place, much less be ordered to happen by a sectoral regulator.
Digital Identity Standards
The authors of the Stigler Report note that a further task that the DA could undertake is the creation of an open standard so that new entrants can easily offer their own digital identity product that allows user to access goods and services online. The Report lists examples such as Estonia’s e-Estonia initiative, India’s Aadhaar, and Sweden’s BankId. These initiatives allow governments to issue issue identifiers and authenticators for a variety of on and offline services, and in turn allow companies, banks, and government agencies to identify and conclude agreements with individuals over the internet. These types of blockchain based identity solutions, provide an individual with the ability to own their identity credentials and restrict access to their data online. The Stigler report argues that giving an individual more control over their digital identity would promote the porting of identity data from one service to a new entrant, and could help erode switching costs. However, what the Stigler Report does not take into account is that these systems are meant more to protect data from being tampered with rather than being viewed. Data on the blockchain is easily viewable, and may be easily traced back to the individual who provided the data. Furthermore, if a malicious actor is able to determine what an individual’s unique identifier is, under one of these digital identity standards that bad actor is then able to follow the chain and see each transaction that that identifier has participated in, giving a fairly complete picture of their personal life. While the blockchain may secure data, it does nothing to increase user privacy, and in some cases may actually hurt user privacy by centralizing transaction histories.
Interoperability of devices and services is noted in the Stigler Report in two instances: the first being if the DA is charged by Congress to prevent the creation of market power, and the second is if a firm is found to have violated antitrust law or regulation, and the DA seeks to restore lost competition. Interoperability is a spectrum, with user driven data portability on one end, and greater access to shared data at the institutional level on the other (which DisCo covered here). If Congress charges a created DA to devise an interoperability standard, there may be significant privacy concerns in the design of such a standard. These concerns stem from forcing platforms to interoperate, and as a result, consumers lose the ability to provide consent as to which platforms do and do not have access to their data. The Stigler Report mentions that the use of APIs to transfer data between an incumbent bottleneck firm to a new entrant’s users, so that they could not only see their data, but also the data of their friends and family on an incumbent site that was subject to an interoperability standard. For this to be a reasonable response to an antitrust violation there would need to be significant protection in place to keep users’ data away from those who would abuse the API to harvest large amounts of user data.
What makes competition in this industry is new technology, doing something newer and better than ever before. Simply sharing data with anyone and everyone who may be able to make a claim of lock-in or bottlenecking will not solve issues of competition because users crave innovation when making choices about the services they use. The Stigler Report fails to understand that there are serious consumer privacy, competition, and innovation implications when it comes to the creation of data sharing standards, and that these types of rules of the road cannot simply be created overnight, they require industry, government, and individual input to truly understand what the privacy concerns surrounding online data are.