Don’t Blame Privacy for Big Tech’s Monopoly on Information

Two years ago, in a Congressional hearing before the Senate Judiciary and Commerce Committees, Facebook CEO Mark Zuckerberg was stumped by a simple question: “Who is your biggest competitor?”

As if he was contemplating this matter for the first time, Zuckerberg stammered about the different categories of services Facebook offers, and how they overlap with Google, Apple, Amazon, and Microsoft. This answer did not satisfy Senator Lindsey Graham (R – S.C.), who pushed back: “If I buy a Ford, and it doesn’t work well, and I don’t like it, I can buy a Chevy. If I’m upset with Facebook, what’s the equivalent product I can go sign up for?”

There was no need for another winding response. The answer was simple: none.

Facebook rose to power by maximizing the commoditization of data. The platform has since jealously guarded its dominance by absorbing burgeoning competitors and consolidating more user data.

Through the acquisition of Instagram and WhatsApp, Facebook gained data that unlocked access to new communities, their interests, networks, and personal information. This generated profitable insights on targeting ads to a greater population, and created valuable feedback data for Facebook’s services and technologies. Basically, more data created more possibilities for monetization. Deals made by Google, Amazon, and Apple all share this common motivation. When regulators failed to block these acquisitions for over a decade, the tech market divided into the haves and the have-nots: incumbents with an exclusive, far-reaching vantage point built on data, and the outsiders that lack the information capital to enter the arena.

Graham’s intuitive query, direct enough to warrant a one-word answer, unraveled an ugly truth: Big Tech faces no meaningful competition. And they never will, unless their access to data is democratized to enliven competition and collective innovation.

The unrelenting market dominance of a few giants has generated overlapping regulatory concerns on competition and privacy. With default opt-in settings and unnegotiable privacy policies, user data is acquired at virtually no cost to tech companies but is widely capitalized as a commodity. Powerful incumbents and regulators alike are incorrectly pitting privacy and competition as dichotomous goals, arguing that expanding access to Big Tech’s data would violate user privacy. An overview of privacy-preserving data-sharing mechanisms proves this view is outdated—and ready to be questioned.

As the prospect of antitrust charges against Facebook by the Federal Trade Commission (FTC) looms larger, regulators should champion the remedy that upholds competition and privacy as intricately connected values in the marketplace of information. It is time to challenge the proprietary concentration of data that has too long been weaponized as absolute bargaining power. Balancing this goal with privacy will require both legal and technological solutions. The two interests – privacy and competition – are not as contradictory as industry leaders would like them to seem. Smart regulation can advance both.

Data Portability vs. Data-Sharing Mandates

Following Facebook’s testimony to the FTC last month, policy discussions have focused on data portability as a potential remedy for anticompetitive platforms. Data portability offers users the choice to migrate their photos and information to a different platform. The idea is to let consumers take their user-generated data to other platforms to try out new products and services. Companies like Facebook and Google proudly tout their “Download Your Information” tools as proof that they can remain competitive without regulatory intervention.

This proposal is but a necessary baseline. Data portability alone cannot address the root of Big Tech’s power—which derives not only from the individual user’s messages, photos, and ad preferences, but also the exclusive market insights and third-party data that can be analyzed to edge out the competition. Data portability only makes accessible the first category of user-generated information.

An alternative proposal for a “data-sharing mandate” takes a more comprehensive approach, requiring technology companies above a certain market cap to share a representative subset of their data with their competitors. This more systematic approach is necessary to achieve genuine competition. Tech giants that emerged from an unregulated era continue to benefit from the data they freely collected before policymakers began to question the monopolistic consequences. Revisiting this issue in 2020, regulators should understand that telling consumers “you have a choice to leave” is meaningless in the status quo. This sense of agency is illusory if a few tech giants can keep dominating with an abundance of competitive intelligence to undercut their rivals and leverage exclusivity.

Even with data portability, Facebook can track your web activity on apps that use Facebook’s services and technologies. Amazon sets the rulebook for online retailers but violates its own policies to gather seller data to price-cut competing shops. And Google restricts customer data interoperability to maintain negotiating power over AdTech competitors. Nothing will change until we challenge Big Tech’s monopolistic control of information.

A key difference between the regulatory models of data portability and data-sharing mandates is whether the consumers or businesses should carry the burden of opening up the market to more players. Data portability puts the burden on consumers to shop around for a service that offers the best options for both privacy and performance, while data-sharing mandates rightfully place the onus on Big Tech companies to open-source insights that competitors can use to offer a comparable service to consumers.

Data-sharing mandates advance a compelling mission. To combat monopolistic power derived from data, Big Tech should share what they know—and make this information widely usable for current and potential competitors. This pragmatic approach is supported by the European Commission, which has proposed a ‘fair and equal data-sharing’ mandate to remedy market distortions introduced by information monopolies. This idea has been openly supported by both political and academic communities.

The competition commissioner of the European Union (EU), Margrethe Vestager, has stated that data “can foreclose the market” and “give the parties that have them immense business opportunities that are not available to others.” Oxford Internet governance professor Viktor Mayer-Schönberger has called for a progressive mandate for technology companies to make more data available to the public as their market share increases: “[the mandate] would kick in once a company’s market share reaches an initial threshold – say, 10 percent. It would then have to share a randomly chosen portion of its feedback data with every other player in the market that requests it. How much data it must make available would depend on the market share captured by the company. The closer a company is to domination, the more data it would have to share with its competitors.”

Data-sharing presents a direct path to correcting a heavily top-concentrated market. Additionally, this approach can widen economic activity on data without unduly constraining incumbents and impacting consumers, as breaking up Big Tech would.

As regulators navigate how to put the idea into practice, they should think outside the box of doctrinal law. Anticompetitive data concentration is an interdisciplinary issue that requires a technical solution supported by policy principles. Advanced privacy-enhancing technologies are rapidly scaling to enable progressive data-sharing without compromising consumer privacy. Adopted with technical safeguards to anonymize personal information, data-sharing mandates can be achieved without a privacy tradeoff.

Privacy or Competition: A False Choice

It threatens both competition and privacy that information asymmetries insulate big platforms from transparency in their dealings with consumers, advertisers, and third-party sellers. Yet, legislative discussions continue to contrast the goals of competition against privacy. The companies seeking to avoid regulation encourage this false dilemma.

During the July 29, 2020 House antitrust hearing, Rep. Kelly Armstrong (R – N.D.) asked Google CEO Sundar Pichai about the company’s decision to require third parties to purchase Google’s ad-buying tools to advertise on YouTube. Pichai cited user privacy as a justification, and Armstrong questioned whether privacy is serving as a shield for anticompetitive behavior.

Armstrong’s serious bipartisan investigation of Big Tech’s harmful practices is commendable, but his misguided conclusion is alarming. Describing the EU General Data Protection Regulation (GDPR)—the most advanced data protection regime in the world—he said, “the consequences of [the] GDPR have been to further entrench large established actors like Google, leading to regulatory capture that exacerbates competition concerns.” This statement dangerously misrepresents the intent, impact, and opportunities created by global privacy laws.

It should raise concerns that a legislator is suggesting that privacy law is an enabler of monopolies.

The GDPR systematizes accountability in the processing of personal data. The intent is to keep companies vigilant about what data they are collecting, how the data is being processed and held, and why. This means minimizing the collection of personal data, and finding ways to engineer for better privacy. It was in the absence of these rules that Big Tech grew unsustainably powerful.

Despite political narratives that pit privacy and competition as conflicting ideas, privacy regulations are built on fair information principles that reject monopolistic data-hoarding practices.

The policy objective of the GDPR is not to enable companies to gatekeep data with privacy policies and contractual clauses. It is to disrupt the “business as usual” complacency by requiring companies to review and update their business models—both operationally and technologically—to comport with the letter and the spirit of data protection laws. This protects consumers by challenging organizations to mindfully invest in privacy safeguards (such as anonymization techniques) for essential data processing needs, while eliminating superfluous and risky data practices.

Data-sharing mandates have become an essential prerequisite for competition and innovation to thrive. They can be securely enforced through privacy-enhancing technologies, so that competition policies can be achieved within the framework of consumer protection and privacy regulations.

Democratizing Data with Privacy-Enhancing Technologies

A key provision of the GDPR is privacy-by-design, which encourages innovative technical safeguards to limit the transfer of personally identifying information. If there is a privacy risk to sharing personal information with outsiders, the GDPR requires companies to develop and design processes that can facilitate this collaboration with regard to the ‘state of the art’ technology in de-identifying the data.

As a result, privacy-enhancing technologies have become widely available as tools to internalize the principles of ‘data protection by default’—namely, minimizing the collection, transmission, and disclosure of personal information. Responding to the wave of substantive reforms on international privacy laws, these techniques have quickly scaled from academic research to commercial deployment, emerging as a pragmatic solution to deriving utility from data without creating a central repository of personal information.

In particular, stricter privacy requirements around the world created the need for decentralized computing—or privacy-preserving cryptography—to enable multiple parties to collaborate and perform analytics without sharing or revealing the underlying personal data they individually hold. These cryptographic techniques are based on homomorphic encryption (or encryption in-use), and secure multi-party computation.

Even though these techniques sound complex, the underlying concept is simple.

Current mainstream encryption methods are encryption at-rest (protecting information stored in your phone), and encryption in-transit (protecting emails and texts while they are being sent). Privacy-preserving cryptography builds on the third pillar of encryption: encryption in-use. This is the ability to perform analytics on someone else’s data in encrypted format, so that you can extract the insight you need without seeing the private data inputs. In the data-sharing context, this capacity would enable Big Tech to allow competitors to compute on its data without exposing any personal user information in the process. (Full disclosure: My company, Inpher, provides secure multi-party computation services, including products that perform the functions recommended herein.)

Data, when securely shared, becomes more accurate, usable, and diverse. Techniques like secure multi-party computation have been applied by private companies to overcome competitive and confidential barriers to data collaboration: facilitating bank-to-bank information sharing on anti-money laundering investigations, pooling training data to improve machine-learning systems, and even supporting the public interest of identifying gender wage gaps. Cryptographic privacy safeguards have established proof of concept in these critical sectors, and are being further developed in healthcare to preserve privacy in data-sharing programs for COVID-19 tracing efforts.
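As an illustration of the secure multi-party computation idea described above, the following added example (not code from the author or from Inpher) uses additive secret sharing so that three employers can compute a joint average wage without any of them revealing its own payroll. The employer names, figures and function names are constructed for the example, and it assumes parties that follow the protocol honestly.

```python
import secrets

# Public modulus agreed by all parties; must exceed any possible total.
P = 2**61 - 1

def share(value, n):
    """Split value into n random-looking shares that sum to value mod P."""
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % P)
    return shares

def secure_sum(private_inputs):
    """Return (total, published partial sums) without pooling raw inputs.

    Any n-1 shares of a value are uniformly random, so no single party
    (and no observer of the partial sums) learns another party's input.
    """
    n = len(private_inputs)
    # dealt[i][j] is the share that party i sends privately to party j
    dealt = [share(v, n) for v in private_inputs]
    # party j publishes only the sum of the shares it received
    partials = [sum(dealt[i][j] for i in range(n)) % P for j in range(n)]
    return sum(partials) % P, partials

# Constructed sample data: (total payroll, headcount) held by each employer
EMPLOYERS = {
    "employer_a": (5_400_000, 60),
    "employer_b": (3_150_000, 42),
    "employer_c": (8_820_000, 98),
}

def average_wage(data):
    """Joint average computed from two secure sums; only totals are revealed."""
    payroll_total, _ = secure_sum([p for p, _ in data.values()])
    head_total, _ = secure_sum([h for _, h in data.values()])
    return payroll_total / head_total

if __name__ == "__main__":
    print("joint average wage:", average_wage(EMPLOYERS))
```

The output reveals the combined average only; each employer's payroll and headcount stay with that employer, which is the property contractual safeguards alone cannot enforce.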

When deployed to actualize data-sharing mandates, privacy-enhancing technologies have the power to lift the veil on companies that have hoarded data for their own gain.

This extra technical layer of privacy and security will be necessary to protect consumers in data-sharing programs. Without the push for technical firewalls, companies would rely solely on complex legal agreements to share data with competitors.

This is dangerous, because contractual clauses and privacy policies are mere legal instruments which cannot actively protect data from malicious third parties or negligent actors. These ‘paper safeguards’ can assign liability to the foreseeable recipients who may misuse the data. But the scope of these data-sharing programs will require a technical failsafe to prevent these risks ex ante by cryptographically securing the data from leaking into the wrong hands.

Policy Recommendations

Policymakers thus need to take the next step in adopting privacy-enhancing technologies that make data widely usable for collaborators without multiplying privacy risks. Notable intergovernmental bodies including the United Nations (UN), Organization for Economic Co-operation and Development (OECD), World Economic Forum (WEF), and the European Union Agency for Cybersecurity (ENISA) have all promoted the implementation of privacy-enhancing technologies to protect data against preventable risks. Industry and academic groups, including the Multi-Party Computation (MPC) Alliance (of which my company is a member), have also formed to develop applied research for privacy-preserving techniques and to collectively advocate for their adoption.

Regulatory efforts in the United States should follow suit in examining the viability of privacy-enhancing technologies to resolve the anticompetitive effects of Big Tech’s proprietary hold on data. It is manifestly unfair that Big Tech is using privacy as an excuse to wall off vital information to engineer an imbalance of market power—when they have the resources to explore technical solutions to democratize access to their data.

We do not need any more well-manicured CEO testimonies in discordant Congressional hearings.

To move forward, we need privacy and competition authorities to work together on a coherent policy to regulate Big Tech and its control of data. We need regulators to engage diverse stakeholders to discuss technological and policy solutions for information monopolies—which have imposed an insurmountable barrier to entry for competitors and insulated systemic privacy issues from consumers.

Opening up Big Tech’s exclusive troves of data can level the playing field in a very skewed market, and also provide competitors with incredible tools for innovation. Regulators just need to know that these alternative solutions exist, beyond the current legal and political gridlocks.

Image: HANOVER, GERMANY – MARCH 16: Visitors look at Windows-enabled smartphones at the Microsoft stand at the 2015 CeBIT technology trade fair on March 16, 2015 in Hanover, Germany. (Photo by Sean Gallup/Getty Images)

About the Author(s)

Sunny Seon Kang

Sunny Seon Kang is Senior Privacy Counsel and Head of Policy at Inpher. She advises on U.S. and international data privacy laws, FinTech regulations, and AI policy. Follow her on Twitter at (@GDPRgirl).