FTC Rightly Warns That Tech Companies Can’t Hide Behind Questionable Claims Of ‘Security’ To Block Interoperability
One of the things we talk about quite a lot on Techdirt is how the "easy" policy ideas that many people have aren't quite so easy, because everything has tradeoffs. You want strict privacy laws? Well, that might create issues for free speech and competition. You want stronger liability on social media services? Well, that's going to limit competition.
Lately there have been some debates regarding interoperability and privacy/security. One of many examples of this is Apple blocking Beeper from reverse engineering iMessage, to allow iPhone users to more securely communicate with Android users. In that case, Apple claimed it had to do this for security reasons. This was Apple's statement at the time:
At Apple, we build our products and services with industry-leading privacy and security technologies designed to give users control of their data and keep personal information safe. We took steps to protect our users by blocking techniques that exploit fake credentials in order to gain access to iMessage. These techniques posed significant risks to user security and privacy, including the potential for metadata exposure and enabling unwanted messages, spam, and phishing attacks.
Except that didn't pass the sniff test. As noted, Beeper was actually increasing the security of iMessage users by making sure that their messages to Android users were end-to-end encrypted, as opposed to currently, where they are much less secure.
There are similar examples of this as well throughout the years. Right to repair laws are often lobbied against by big tech companies claiming they'll create security and privacy problems. Companies like Facebook and LinkedIn have sued third parties for building new interfaces, claiming they were security risks.
Right before the holidays last year, however, the FTC (which I often criticize, but which sometimes does the right thing) came out with a very interesting note, warning tech companies that it would be more carefully scrutinizing claims that they need to block interoperability in the name of security and privacy.
As the announcement points out, interoperability is important:
The FTC has highlighted these benefits to interoperability. Indeed, there are aspects of technology that people may take for granted while navigating their daily routines that turn on interoperability. Web pages can display regardless of web browser. Emails can be sent and received regardless of email provider. Computer accessories, including keyboards, mice, and monitors, can be plugged into most computers regardless of manufacturer. Interoperability can also enhance consumer choice and facilitate switching between products, and thereby enhance competition.
And then it notes that, obviously, security and privacy are also super important. But, the important part is that the FTC says it's not just going to accept the claims of tech companies that they need to block interoperability for security and privacy reasons without at least something more to substantiate those claims.
As the FTC staff observed in the 2021 Nixing the Fix Report, manufacturers may assert that restrictions on competition in aftermarkets are necessary for "privacy [and] data security," but such justifications need to be scrutinized on a case-by-case basis and should be rejected "if found to be a mere pretext for anticompetitive conduct." Similarly, during the FTC's 2020 workshop, Data to Go: An FTC Workshop on Data Portability, several expert panelists discussed the importance of identifying when companies raise security concerns as a pretext for anticompetitive conduct.
The FTC is no stranger to considering privacy and security and anticompetitive conduct. Through vigorous law enforcement, the FTC strives to support a vibrant marketplace where new businesses can emerge, new products can compete, and where consumers' digital privacy and security are protected. The agency will continue to use our full range of tools to identify anticompetitive behavior and closely scrutinize claims that restrictions or bars on interoperability are the appropriate way to protect privacy or security.
Where dominant market participants use privacy and security as a justification to disallow interoperability and foreclose competition, the FTC will scrutinize those claims carefully to determine whether they are well-founded and not pretextual, and whether the chosen approach is tailored to minimize anticompetitive impact.
This sounds like a smart, thoughtful, balanced, and nuanced approach. Obviously, there may be some cases where privacy and security are legitimately put at risk through reverse engineering or other kinds of 'adversarial' interoperability. But, historically, those risks have been way more limited than companies would have you believe.
The FTC taking a nuanced approach, making it clear that it won't just accept such claims from companies on blind faith, seems like the correct approach. We should live in a world where the default expectation is for interoperability, right to repair, etc. If there are real security and privacy concerns, companies should raise them, but we shouldn't take those claims as accurate, because the companies have billions of reasons to exaggerate those risks.
It's good that the FTC is making it clear that it's going to scrutinize such claims more closely.