Cyber & Technology

Protecting National Security, Cybersecurity and Privacy While Ensuring Competition

By Bill Baer, Stephanie Pell
Wednesday, January 26, 2022, 8:01 AM

Editor’s Note: This article originally appeared on TechTank

Are the tech platforms—Facebook, Apple, Amazon and Google—that play such a central role in our everyday lives too big and powerful? Do they adequately protect our personal data? Do they use their power unfairly to restrict rivals and extend their reach into other markets? These questions are being debated within society, at the antitrust agencies, in the courts, and in Congress. Many argue that we need to use our current antitrust laws or enact new legislation to break up these firms, limit their ability to make new acquisitions, and more carefully scrutinize how they deal with those who rely on their platforms to advertise or sell.

Others, including the platforms themselves and their defenders, see it differently. They contend that intervention—by the antitrust agencies or Congress—threatens to kill the goose that laid the golden egg. At a time when many think we need stronger privacy protections and cybersecurity practices, certain companies argue that they are successful because they protect our privacy and cybersecurity better than any outcome resulting from antitrust litigation, regulation, or congressional action. They also contend that restricting certain allegedly anticompetitive practices or breaking up these companies would cede the field to our adversaries like China, which champions its own tech platforms, and could thus significantly weaken our national security.

The Brookings Roundtable

To explore these seemingly stark differences in view, we recently brought together a diverse group of stakeholders from academia, civil society, industry and government in the fields of antitrust, privacy, cybersecurity and national security for a Chatham House Rule roundtable. The question we posed was whether there are irreconcilable tensions between antitrust enforcement and promoting competition on the one hand, and protecting our privacy, guarding against threats to our cybersecurity and defending our country against hostile foreign actors on the other.

Our Takeaways

After a respectful and informative discussion, the two of us—one with a background in cybersecurity and the other a former competition enforcer—came away convinced that the tension is real but not irreconcilable. Here are our takeaways:

First, competition enforcement—especially when directed at monopoly power—has historically served U.S. interests well, including in technology fields. In 1956, AT&T settled an antitrust case with the U.S. Department of Justice resulting in AT&T’s release of its transistor patents and exclusion from entering the computer industry, which allowed other companies to innovate on these technologies and ushered in major advances in semiconductors. Twenty-six years later, the court-ordered breakup of AT&T enhanced competition in the long-distance telephone market and facilitated competition in the nascent wireless industry.

We note too that antitrust enforcement is not the only tool for ensuring competitive markets. The benefits of competition can be achieved outside of the courthouse through targeted congressional legislation and agency rulemaking, which, at times, may follow earlier antitrust litigation or settlements. As explained by Professor Randy Picker, in the years following the breakup of AT&T into the regional Bell operating companies (often called the RBOCs or Baby Bells), the FCC auctioned off spectrum licenses that resulted in “roughly 400 million US wireless connections” by the end of 2016. While AT&T would otherwise have been the “leading potential buyer of the spectrum,” the breakup created an environment where the RBOCs were competitors of AT&T for those licenses. Similarly, the FCC’s 2004 rules allowing consumers to easily transfer their landline and cell phone numbers when switching carriers triggered unprecedented competition among long-distance and mobile carriers. In short, regulation, whether ex-post or ex-ante, can serve as a complement to antitrust enforcement and needs to be part of the solution to problems associated with tech platform dominance.

Moreover, the lack of a comprehensive federal privacy law, as our colleague Cam Kerry has written, contributes to the persistent market power of the technology platforms. In the absence of federal regulation, each company has, with few limits, created its own policies on collecting, sharing and transferring personal information about their users. But network effects tilt the playing field in favor of the large platforms, meaning that they can collect immense amounts of data, reinforcing their dominant status over less-established and newly formed platforms. These firms frequently require sellers on their platforms to adhere to their privacy and access rules, even where such rules have the effect, whether intended or not, of limiting competition and reinforcing platform dominance. In the absence of government requirements, company-imposed standards may make sense, as they can prevent certain privacy abuses in the app ecosystem. But comprehensive federal privacy legislation—setting legal guardrails for all companies on the collection, sale and sharing of data—would mitigate the competition concerns that arise when dominant platforms act as sole gatekeepers to impose their own privacy requirements on other companies. Moreover, comprehensive federal privacy legislation, in addition to preventing companies from collecting data irrelevant to the service or information provided, could address those circumstances where there are legitimate reasons for a third-party app provider to access user data that would otherwise be prohibited by a dominant platform. A dating app, for example, may wish to obtain information to facilitate its ability to run sex-offender checks and verify the age of its customers.

To be clear, we recognize that foreign actors such as China do not share our commitment to competition as a fundamental rule of law principle and may well try to take advantage of any antitrust outcomes that limit what U.S. tech platforms can do. Even though China has recently taken enforcement and other actions against its own dominant platforms, its intentions and overall direction are not yet clear. As such, it is important to guard against any foreign actors who may take advantage of code sharing or interoperability requirements to facilitate malware attacks, data breaches, surveillance, or economic espionage. But it is still possible to legislate—and litigate—outcomes that both facilitate competition and set up guardrails against national security threats. Safeguards can be put in place without sacrificing competition principles. President Biden, for example, recently signed the Secure Equipment Act, which prevents the FCC from authorizing “radio frequency devices that pose a national security risk.” The law’s effect is to prevent U.S. technology platforms from being forced to interoperate with or transfer data to suppliers like Huawei or ZTE that may have ties to the Chinese government. We’ve also recently seen the FCC prohibit China Telecom, via its U.S. subsidiary China Telecom Americas, from providing telecommunications services in the U.S. by revoking its Section 214 license. While the Section 214 licensing process was designed to protect the U.S. market from anticompetitive behavior by a carrier with market power in a foreign country, the FCC’s revocation is partially grounded in national security, rule-of-law and cybersecurity concerns involving the Chinese government.

Our roundtable discussion also convinced us that it is possible to protect national security and cybersecurity interests on technology platforms without sacrificing competition between consumer-facing products and services. We can and should distinguish those elements of system and app store design, access requirements and prohibitions that protect consumers from fraud, malware and other kinds of cybersecurity threats from those that unduly inhibit consumer knowledge and choice.  Judge Yvonne Gonzalez Rogers, for example, recently ruled in the Epic v. Apple case that, under California law, Apple cannot block developers from offering or informing users about third-party payment options existing outside of the in-app payment system in the Apple app store. While Judge Rogers’ ruling is currently on appeal, she did not credit or find legitimate security concerns in support of Apple’s anti-steering requirements and conduct, as she did when she evaluated and rejected other antitrust claims made by Epic pertaining to other app store requirements imposed by Apple.

We should also not assume that we face a binary choice between a “Wild West” environment where consumers freely load any app onto their phones without the governance and protection provided by app stores or an environment where only one app store on a device provides that governance and protection. We acknowledge that app stores play a very important role in protecting consumers from fraud, privacy violations and a range of cybersecurity threats, some of which can only be accomplished by human review of third-party apps. We also recognize that there are differences in privacy and security among existing app stores and that consumers, for the most part, benefit or suffer from the varying privacy and security practices that come with the app store on the phone they buy.

All of that said, perhaps it is possible for competing app stores to exist on devices and provide consumers with needed cybersecurity protections and the benefits of increased competition on the dominant platforms. As a starting point, we need to look at establishing baseline standards for app stores focused on addressing a broad array of threats and harms, which include malware; fraud or scams where users mistakenly download a clone app; and content that may technically be “safe,” but users may find objectionable in the context of what they expect a particular app to do. While the display of nude images may be appropriate in a medical app setting, it would be improper or unwelcome in other contexts—like apps marketed for children. In conjunction with industry, civil society and the academic community, two components of the Commerce Department, the National Institute of Standards and Technology (NIST), due to its particular expertise in privacy and cybersecurity, and the National Telecommunications and Information Administration (NTIA), with its considerable experience in running multi-stakeholder processes, could take the lead in developing a framework for standards. We imagine that such a framework would incorporate a fulsome human review process that, as previously referenced, is necessary to address various threats and harms. We also recognize that the threat environment is constantly evolving and that security is not a static property. Platforms must respond to new cyber threats, which could include making changes to app review. We therefore need to explore how to ensure that all app stores are both maintaining established security standards and practices and addressing new threats.

Finally, we share the view of our colleague Tom Wheeler, that those arguing that competition principles are fundamentally at odds with other legitimate national interests have not made their case. A recent letter signed by prominent national security experts states that “Congress risks undermining America’s key advantage vis-à-vis China by pursuing domestic legislation that threatens to impede U.S. companies and their ability to pursue such innovation,” and argues for more study before Congress considers any legislation that would regulate or limit the behaviors of successful U.S. tech platforms. But those advocates ignore the extensive hearings on these issues held in the last 18 months by both chambers, and they do not offer constructive suggestions on an appropriate path forward to address legitimate concerns with the consequences for consumers and competition from tech platform dominance.

As we previously noted, the U.S. government has in the past been able to address concerns with monopoly power, including breaking up firms that have abused their dominant positions, without sacrificing other values we hold dear. There is no reason, none, that we cannot do that here. A constructive path forward does, however, require tech platforms to provide, in good faith, their cybersecurity expertise to policymakers while simultaneously being open to regulation that, in the interests of promoting competition and protecting consumer privacy, may weaken their market power. The alternative may result in legislative and judicial outcomes that are not to their liking.