How to Make the ACCESS Act a Success

Platform interoperability is a topic many regulators are exploring as a means to promote greater competition amongst online services they believe have grown too large. The European Union has included interoperability requirements in its new Digital Markets Act and Australia’s consumer protection agency is exploring its potential impact. The U.S. Congress is no exception, and the current legislative session has seen a handful of bills put forward that would require interoperability between large platforms in one form or another. One of the more detailed bills on the topic is the Augmenting Compatibility and Competition by Enabling Service Switching Act of 2021 (ACCESS Act).

Interoperability—or the ability of different pieces of software to exchange information—has the potential to increase competition between large platforms in a few related ways. Most importantly, interoperability can lower “switching costs” for users of a platform that want to try out a competitor by allowing those users to preserve connections from the first platform.

Imagine a social media user wants to try out a different service. Typically, this would entail starting from scratch and connecting with friends manually on their new account. If two services were interoperable, however, a user might bring friends or followers directly from one service to another and keep a large portion of their old network intact. This is already similar to how things work when moving between Facebook and Instagram, which are owned by the same parent company. Interoperability requirements would seek to provide similarly low switching costs between a wide variety of services, not just those that share the same corporate umbrella.

Allowing users to migrate more freely between online platforms would be a fundamental shift in the competitive landscape for social media and other types of services. Not only that, this change would give new competitors the ability to advertise access to content or people on other platforms when luring new customers—improving the ability of new services to gain users, compete with existing services, and thrive.

Interoperability is a foundational tenet of the internet, which grew from an early desire of universities and governments to allow their disparate computer systems to communicate with each other. To this day, all of the networks around the globe that make up the internet interoperate using agreed-upon protocols. The websites that we read work in a variety of web browsers because they all implement the HTML standard. Emails travel between companies, schools, governments, and individuals because they all speak the Simple Mail Transfer Protocol first developed in 1980 and 1981. Interoperability is fundamental to how and why the internet is the incredible success it is.

Laws that maintain and strengthen this tradition, particularly aimed at companies that have built closed silos on top of the open internet, therefore have the potential to contribute to the overall health of the internet and increase competition in the marketplace. Because interoperability is so directly tied up with the movement of data, however, regulations must be carefully crafted to achieve the desired positive outcomes while taking care to protect privacy and avoid other negative side effects.

With that in mind, we have taken the opportunity to analyze the ACCESS Act and develop a set of recommendations to better ensure the bill can increase competition and enhance the everyday experience of the internet for all users. While these recommendations are offered in the context of the U.S. House of Representatives version of the ACCESS Act, the issues discussed are often applicable to other interoperability laws and regulations, such as the Senate version of the ACCESS Act, the American Innovation and Choice Online Act (AICOA), and the interoperability portions of the EU’s Digital Markets Act.

Most interoperability mandates in other laws are applicable only to a small subset of companies in the internet platform space. This is often explained as a desire to not inadvertently inhibit competition by burdening smaller companies with the engineering and policy challenges of implementing interoperability. While there is certainly a danger of over-applying an interoperability mandate, there is also a danger of writing a law that is too narrow to have a meaningful effect. Defining what platforms are covered should be done quite carefully.

An important consideration is that one definition may not be appropriate for all the areas of regulation of a given bill. For example, the ACCESS Act contains mandates for both interoperability and data portability (the ability to download your own data and move it to another platform), but applies the same covered entity definition to both. Data portability, however, is a fundamental data right that other jurisdictions, such as Europe and California, already hold all online services responsible for. By using the same definition, the ACCESS Act inappropriately limits the scope of platforms that are subject to the data portability requirements—and, thus, the number of users it could ultimately benefit.

The following suggested change borrows language from OTI’s published Data Portability Act to eliminate the “covered platform” language from the requirement.

Replace section 3(a) with the following:

Policymakers must also decide whether they want to extend the interoperability obligations (or some subset of them) to any non-covered entities that make use of a covered entity’s interoperable system. This is sometimes referred to as obligating “reciprocity.” Take, for example, a small social media service not large enough to be covered by interoperability regulations—if they offer users the ability to message their friends on larger, covered competing services, they would need to be covered by the same regulations.

There are benefits and drawbacks to requiring reciprocity in an interoperability regulation. Extending the law’s obligations to smaller companies that are seeking to make use of the interoperability offered by a covered platform may place a burden on the company that could make it harder for them to compete, or even dissuade them from taking advantage of the interoperability in the first place. In addition, there is the concern that smaller companies may not be equipped to formulate appropriate policies for dealing with interoperability as it relates to privacy and security.

On the other hand, not requiring reciprocity runs the risk of creating an ecosystem that, instead of embodying an interconnecting web of communication, reflects a hub-and-spoke archetype in which the larger covered platforms all have interactions with many smaller competitors, but the competitors do not interact with one another. While this situation may (or may not) address policymakers’ competition concerns, it does not serve the interests of an open and healthy internet.

The House version of the ACCESS Act provides for reciprocity in section 6(f), while both the Senate version and the EU’s DMA do not appear to contain any such requirements.

Example text to require reciprocity:

The overall benefits to the internet that interoperability provides suggest that taking additional steps to encourage the practice would be good policy and a sensible inclusion in a competition-focused bill. Promoting interoperability beyond the mandates applied to covered entities could take a number of forms.

Governments could offer incentives, such as tax breaks or grants, to companies in exchange for enabling interfaces or implementing standard protocols in their platforms. They could also have a definite impact by giving grants for the development of software libraries (pieces of code that can be used by others to perform some function) that implement common interoperable protocols, or for performing security audits on existing libraries.

Any interoperability regulation must determine what types of services or data its rules apply to. For example, the EU’s DMA will, at least at first, apply its interoperability mandate only to one-to-one instant messaging services (such as Facebook Messenger or Apple’s iMessage). The ACCESS Act, on the other hand, does not specify a particular type of service or data, but leaves that work to the Federal Trade Commission (FTC) as part of the bill’s implementation.

Under the proposed law, the FTC is instructed to develop “standards” for the implementation of the obligations that are particular to each covered entity, after the covered entity designation is made for each company. This process, while giving the regulator flexibility in choosing what services and types of data must be made interoperable, runs the risk of creating disparate requirements across the industry. While it seems probable that a regulator will tend to treat similar platforms alike, changes in staff over time and therefore the loss of institutional memory make it worthwhile for the law to be specific on this point. The regulator should be instructed to treat platforms with similar services and data with similar rules.

Append to Section 6(c)(1):

Additionally, interoperability is most impactful when it operates in a network with many participants. Obviously, a single service operating alone may offer all the interoperability in the world, but such an offering is useless without any other services to interact with. The value of interoperability grows as more and more services, platforms, and people are reachable through the network. Therefore, in determining which services of a covered platform should be subject to requirements and what standards to require, the regulator should also look to the existing ecosystem of communities and protocols and prefer solutions that make use of established standards or where there is existing demonstrated interoperability.

Append to Section 6(c)(1):

Privacy in interoperability is a fundamental requirement, and mandating interoperability in a legal setting where there are little to no fundamental privacy protections is a dangerous proposition. That is why when it comes to interoperability in the context of the US Congress’ legislation, the fundamental suggestion is to legislate in conjunction with, or after the passage of, a baseline privacy law. Doing otherwise risks bad actors taking advantage of lax restrictions, even if the interoperability law itself attempts to make some rules.

There is a temptation to include some subset of privacy regulation within an interoperability law in an effort to cover the potential privacy harms that interoperability can cause. Accomplishing this task is, however, impossible. Upon examination, the possible privacy concerns implicated by interoperability expand to include every case that one would wish to include in a comprehensive baseline privacy law. Such effort would be better spent on simply creating the overall privacy law itself.

There are a few privacy questions that are particular to interoperability, however, that policymakers should be aware of:

First, an interoperability mandate should not be taken as an obligation for any service to enumerate their users for a competitor. Obviously, if a competitor attempts to send a message to a platform’s user via a protocol or API interface, the platform can respond by saying that no such user exists (as email servers do), but they should not have to provide a list of all available users.

Secondly, there is an obvious simple solution to the question of interoperability and privacy, which is to simply prohibit companies from doing anything with any data that they receive via an interoperable interface from another platform other than what is necessary to enable the interoperability itself. For example, a platform offering messaging interoperability would be able to process incoming data for the purposes of delivering a message to one of its users, but not for feeding into a hypothetical spell checking machine learning algorithm or an advertising model. This rule seems elegant and straightforward, but like most simple rules it has many edge cases that get complicated quickly.

Nevertheless, if policymakers must include privacy protections in an interoperability bill and do not have a comprehensive privacy law to fall back on, this type of rule could work, particularly if combined with a fair process for making determinations about the complicated issues around the edges.

Finally, it is worth pointing out that many (if not most) of the privacy concerns related to interoperability are obviated where the communication in question is end-to-end encrypted. If neither platform can read the content of the messages passing through the interoperable interface, then the privacy harms are considerably reduced. Policymakers should therefore strongly consider including incentives and encouragement to implement end-to-end encryption in the context of interoperability.

While a general requirement to interoperate is a good policy position, there are situations where exceptions are necessary and should be allowed or even encouraged. The greatest of these is for the purposes of content moderation and battling spam and harassment. If a covered platform in good faith prevents a user from another platform from interacting with its own users because of a history of abusive behavior, that should not be considered a violation of its obligations.

Policymakers should also consider the situation in which a covered platform may seek, again in good faith, to block an entire competitor’s service from interoperating if that other service has policies that lend it toward being a safe haven for abusive people, illegal uses, or simple spam. Such a block should still be examinable by enforcers of the law, and penalties be available for situations in which a block was implemented in bad faith. Generally speaking, however, interoperability should not be taken as a commitment by a platform to subject its users to the worst the internet has to offer.

Finally, the ACCESS Act requires the Federal Trade Commission to convene a body tasked with developing proposed standards for implementation by covered entities. While existing bodies tasked with creating internet protocols, such as the Internet Engineering Task Force, move slowly and may have their problems, the development of standards by a new group convened by the U.S. government is unlikely to yield better results.

To begin with, it is relatively unlikely that a covered entity is going to present such a novel service or product that there is no existing or in-development standard that could be applied to its interoperability. The value of using such an existing standard, including ease of implementation by all parties, pre-existing analyses of impacts to cybersecurity, and simply not reinventing the wheel, greatly outweigh any benefit that the Commission might glean from creating a new standard out of whole cloth.

Secondly, even in cases where a covered entity truly presents a service for which there is no relevant standard, a small, closed advisory committee convened by the U.S. government is not an appropriate venue for developing a new one. These new standards should instead be taken to existing standards bodies.

While the ACCESS Act is only one of several interoperability bills before the Congress, it goes into the most detail and deserves serious consideration as a solution to competition woes among online platforms. Incorporating the above recommendations would ensure the bill is better able to address the challenges it aims at. Many of these principles hold true for other forms of interoperability and data portability legislation, but we continue to believe a comprehensive approach like that of the ACCESS Act is best.

The “walled gardens” maintained by large tech platforms are built on top of an open internet that prized interoperability from its earliest days—indeed, “the internet” itself is simply a set of protocols allowing different computers to interact and form networks.

Bringing the current tech giants back in line with this original vision would be a boon to consumers, offering a more seamless online experience that doesn’t require dependence on a limited set of platforms and services that happen to be the largest. And it would help reignite the spirit of innovation and competition that helped make the internet such a success, making room for new platforms and new ideas to flourish.