Our last explainer focused on the American Choice and Innovation Online Act (H.R.3816) and Augmenting Compatibility and Competition by Enabling Service Switching Act of 2021 (H.R.3849). This explainer analyzes S.2992, the American Innovation and Choice Online Act, the Senate version of H.R.3816. Like the House versions of antitrust legislation, this bill includes provisions which have significant negative cybersecurity ramifications. This analysis is based on the manager’s amendment to the bill from Jan. 18, 2022. It focuses squarely on the cybersecurity and data protection concerns of the identified provisions, and does not address the raging debate on the merits of the antitrust proposals more broadly.

American Innovation and Choice Online Act (SB 2992)

 

Bill authors note, “As dominant digital platforms … increasingly give preference to their own products and services, we must put policies in place to ensure small businesses and entrepreneurs still have the opportunity to succeed in the digital marketplace.” Assuming the bill would actually promote this, the cost would be high: broad cybersecurity and data protection weaknesses. The manager’s amendment to this bill acknowledges some cybersecurity concerns, but fails to address the main concerns outlined here. On the whole, it is difficult for security experts to encourage resilience and diligence for platforms and networks along with the uptake of strong cybersecurity practices. It is even harder to convince businesses that cyber risk is a business risk, or encourage them to develop products with security in mind. While this is not a strict cybersecurity bill, it adds obstacles and restrains the application of security safeguards by platforms, which creates adverse incentives.

This bill would punish companies with a business model that focuses on security. From a policy perspective, we should encourage—not discourage—more companies to include more stringent security for all products, especially software that is sold at scale to millions of users. Forced interoperability, narrow requirements and obstacles for security updates through requirements for affirmative defense, as well as patchy security exclusions, create a recipe for weaker cybersecurity and should be reconsidered, amended or removed before any further movement on this legislation.

In terms of data security and protection, any provisions should be considered separately in a comprehensive bill, not as a portion of an antitrust bill. This is a challenging area with many tradeoffs that need to be carefully considered to achieve a suitable balance between consumer protection and business function, and an anti-trust bill is not the place to debate or determine these tradeoffs.

For more information on the subject, contact:

Tatyana Bolton
Policy Director, Cybersecurity and Emerging Threats
[email protected]

Image credit: joyfotoliakid