Google Buys Fitbit Even Though U.S. and Australia May Still Oppose

The Google/Fitbit deal could ultimately get blocked.

Even though the European Union (EU) has signed off on Google’s acquisition of Fitbit with some conditions, the United States (U.S.) and Australia are still assessing the deal. Moreover, given that both nations are in the midst of acting against Google and other tech companies, one, if not both, may find the deal violates antitrust or competition laws and seek to force Google to reverse the merger.

In blog posting, Google Senior Vice President, Devices & Services Rick Osterloh stated “Google has completed its acquisition of Fitbit and I want to personally welcome this talented team to Google.” Osterloh asserted “[y]our privacy and security are paramount to achieving this and we are committed to protecting your health information and putting you in control of your data.” Osterloh claimed:

This deal has always been about devices, not data, and we’ve been clear since the beginning that we will protect Fitbit users’ privacy. We worked with global regulators on an approach which safeguards consumers’ privacy expectations, including a series of binding commitments that confirm Fitbit users’ health and wellness data won’t be used for Google ads and this data will be separated from other Google ads data. We’ll also maintain access to Android APIs that enable devices like fitness trackers and smart watches to interoperate with Android smartphones, and we’ll continue to allow Fitbit users to choose to connect to third-party services so you’ll still be able to sync your favorite health and fitness apps to your Fitbit account. These commitments will be implemented globally so that all consumers can benefit from them. We’ll also continue to work with regulators around the world so that they can be assured that we are living up to these commitments. 

Last month, following the completion of its “in-depth” investigation, the European Commission (EC) cleared Google’s acquisition of Fitbit with certain conditions, removing a significant hurdle for the American multinational in buying the wearable fitness tracker company. In its press release, the EC explained that after its investigation, “the Commission had concerns that the transaction, as initially notified, would have harmed competition in several markets.” To address and allay concerns, Google bound itself for ten years to a set of commitments that can be unilaterally extended by the EC and will be enforced, in part, by the appointment of a trustee to oversee compliance. However, a number of these commitments are binding only in the European Economic Area (EEA) (i.e. the EU plus a handful of non-EU European nations).

The EC was particularly concerned about:

  • Advertising: By acquiring Fitbit, Google would acquire (i) the database maintained by Fitbit about its users’ health and fitness; and (ii) the technology to develop a database similar to that of Fitbit. By increasing the already vast amount of data that Google could use for the personalisation of ads, it would be more difficult for rivals to match Google’s services in the markets for online search advertising, online display advertising, and the entire “ad tech” ecosystem. The transaction would therefore raise barriers to entry and expansion for Google’s competitors for these services to the detriment of advertisers, who would ultimately face higher prices and have less choice.
  • Access to Web Application Programming Interface (‘API’) in the market for digital healthcare: A number of players in this market currently access health and fitness data provided by Fitbit through a Web API, in order to provide services to Fitbit users and obtain their data in return. The Commission found that following the transaction, Google might restrict competitors’ access to the Fitbit Web API. Such a strategy would come especially at the detriment of start-ups in the nascent European digital healthcare space.
  • Wrist-worn wearable devices: The Commission is concerned that following the transaction, Google could put competing manufacturers of wrist-worn wearable devices at a disadvantage by degrading their interoperability with Android smartphones.

As noted, Google made a number of commitments to address competition concerns:

  • Ads Commitment:
    • Google will not use for Google Ads the health and wellness data collected from wrist-worn wearable devices and other Fitbit devices of users in the EEA, including search advertising, display advertising, and advertising intermediation products. This refers also to data collected via sensors (including GPS) as well as manually inserted data.
    • Google will maintain a technical separation of the relevant Fitbit’s user data. The data will be stored in a “data silo” which will be separate from any other Google data that is used for advertising.
    • Google will ensure that European Economic Area (‘EEA’) users will have an effective choice to grant or deny the use of health and wellness data stored in their Google Account or Fitbit Account by other Google services (such as Google Search, Google Maps, Google Assistant, and YouTube).
  • Web API Access Commitment:
    • Google will maintain access to users’ health and fitness data to software applications through the Fitbit Web API, without charging for access and subject to user consent.
  • Android APIs Commitment:
    • Google will continue to license for free to Android original equipment manufacturers (OEMs) those public APIs covering all current core functionalities that wrist-worn devices need to interoperate with an Android smartphone. Such core functionalities include but are not limited to, connecting via Bluetooth to an Android smartphone, accessing the smartphone’s camera or its GPS. To ensure that this commitment is future-proof, any improvements of those functionalities and relevant updates are also covered.
    • It is not possible for Google to circumvent the Android API commitment by duplicating the core interoperability APIs outside the Android Open Source Project (AOSP). This is because, according to the commitments, Google has to keep the functionalities afforded by the core interoperability APIs, including any improvements related to the functionalities, in open-source code in the future. Any improvements to the functionalities of these core interoperability APIs (including if ever they were made available to Fitbit via a private API) also need to be developed in AOSP and offered in open-source code to Fitbit’s competitors.
    • To ensure that wearable device OEMs have also access to future functionalities, Google will grant these OEMs access to all Android APIs that it will make available to Android smartphone app developers including those APIs that are part of Google Mobile Services (GMS), a collection of proprietary Google apps that is not a part of the Android Open Source Project.
    • Google also will not circumvent the Android API commitment by degrading users experience with third party wrist-worn devices through the display of warnings, error messages or permission requests in a discriminatory way or by imposing on wrist-worn devices OEMs discriminatory conditions on the access of their companion app to the Google Play Store.

The EC allowed the deal to move ahead despite concerns about harms to users in the EU. Amnesty International (AI) sent EC Executive Vice-President Margrethe Vestager a letter, arguing “[t]he merger risks further extending the dominance of Google and its surveillance-based business model, the nature and scale of which already represent a systemic threat to human rights.” AI asserted “[t]he deal is particularly troubling given the sensitive nature of the health data that Fitbit holds that would be acquired by Google.” AI argued “[t]he Commission must ensure that the merger does not proceed unless the two business enterprises can demonstrate that they have taken adequate account of the human rights risks and implemented strong and meaningful safeguards that prevent and mitigate these risks in the future.”

In late December, the Australian Competition & Consumer Commission (ACCC) “announced that it will not accept a long-term behavioural undertaking offered by Google that sought to address competition concerns about its proposed acquisition of wearables supplier and manufacturer Fitbit.” In light of the ongoing fights between the ACCC and Google, this was hardly a surprising outcome. The agency added it “will therefore continue its investigation into Google’s proposed acquisition of Fitbit and has set a new decision date of 25 March 2021.” The agency said Google had offered a deal similar to the one accepted by the EC, but ACCC Chair Rod Sims remarked “[w]hile we are aware that the EC recently accepted a similar undertaking from Google, we are not satisfied that a long term behavioural undertaking of this type in such a complex and dynamic industry could be effectively monitored and enforced in Australia.”

The ACCC claimed:

  • The proposed acquisition also further consolidates Google’s leading position in relation to the collection of user data, which supports its significant market power in online advertising and is likely to have applications in health markets.
  • Google sought to address the ACCC’s competition concerns by offering a court enforceable undertaking that it would behave in certain ways towards rival wearable manufacturers, not use health data for advertising and, in some circumstances, allow competing businesses access to health and fitness data.
  • The proposed acquisition has received conditional clearance in Europe, but several other competition authorities, including the U.S. Department of Justice, are yet to make a decision.  Both companies are based in the U.S. and Fitbit’s market share is higher in the U.S. than in most other countries. The ACCC will continue to work closely with overseas agencies on these important competition issues. 

In its June 2020 Statement of issues on the proposed merger, the ACCC turned up a reasons why Google’s offer to not use Fitbit data for Google Ads (an offer the EC accepted) will not stop the use and possible abuse of such data:

The health and fitness data collected by Fitbit will provide Google with access to consumer data that is likely to be an important element of services in several markets.

Google will not use these data in Google Ads, but what about Google Maps? Could it find ways to profitably use people’s health data in perhaps selling access to population level health trends to companies aside and apart from Google Ads? I would think the answer is yes even if my example is uninformed or unrealistic.

The ACCC added:

In relation to data-dependent health services, the ACCC is concerned that the acquisition may eliminate potential competition between Fitbit (either under current ownership or under alternative ownership) and Google. Google has a strong focus on new and developing markets and will likely become a strong competitor in the supply of data-dependent health services with or without the proposed acquisition. The health and fitness data collected by Fitbit puts Fitbit in a strong position to enter and compete in data-dependent health markets. The proposed acquisition eliminates this potential competition between Google and Fitbit.

The ACCC’s rejection of the terms accepted by the EU must be seen in light of other regulatory actions. In 2019, the ACCC announced a legal action against Google “alleging they engaged in misleading conduct and made false or misleading representations to consumers about the personal location data Google collects, keeps and uses” according to the agency’s press release. In its initial filing, the ACCC is claiming that Google mislead and deceived the public in contravention of the Australian Competition Law and Android users were harmed because those that switched off Location Services were unaware that their location information was still be collected and used by Google for it was not readily apparent that Web & App Activity also needed to be switched off.

In October 2020, the United States (U.S.) Department of Justice (DOJ) and a number of states finally filed the antitrust suit against Google that has been rumored to be coming since late summer. This anti-trust action centers on Google’s practices of making Google the default search engine on Android devices and paying browsers and other technology entities to make Google the default search engine. Of course, this type of conduct, even if true, does not necessarily bear on the DOJ’s deliberations on whether the U.S. should act against the Google/Fitbit deal. And yet, given the renewed focus on antitrust in Washington, the DOJ under new President Joe Biden might indeed take a look at the deal on the grounds that a massive company is getting much bigger.

In its press release on the October antitrust action, the DOJ claimed

Today, the Department of Justice — along with eleven state Attorneys General — filed a civil antitrust lawsuit in the U.S. District Court for the District of Columbia to stop Google from unlawfully maintaining monopolies through anticompetitive and exclusionary practices in the search and search advertising markets and to remedy the competitive harms. The participating state Attorneys General offices represent Arkansas, Florida, Georgia, Indiana, Kentucky, Louisiana, Mississippi, Missouri, Montana, South Carolina, and Texas.

The DOJ added

As one of the wealthiest companies on the planet with a market value of $1 trillion, Google is the monopoly gatekeeper to the internet for billions of users and countless advertisers worldwide. For years, Google has accounted for almost 90 percent of all search queries in the United States and has used anticompetitive tactics to maintain and extend its monopolies in search and search advertising.  

The DOJ claimed:

As alleged in the Complaint, Google has entered into a series of exclusionary agreements that collectively lock up the primary avenues through which users access search engines, and thus the internet, by requiring that Google be set as the preset default general search engine on billions of mobile devices and computers worldwide and, in many cases, prohibiting preinstallation of a competitor. In particular, the Complaint alleges that Google has unlawfully maintained monopolies in search and search advertising by:

  • Entering into exclusivity agreements that forbid preinstallation of any competing search service.
  • Entering into tying and other arrangements that force preinstallation of its search applications in prime locations on mobile devices and make them undeletable, regardless of consumer preference.
  • Entering into long-term agreements with Apple that require Google to be the default – and de facto exclusive – general search engine on Apple’s popular Safari browser and other Apple search tools.
  • Generally using monopoly profits to buy preferential treatment for its search engine on devices, web browsers, and other search access points, creating a continuous and self-reinforcing cycle of monopolization.

These and other anticompetitive practices harm competition and consumers, reducing the ability of innovative new companies to develop, compete, and discipline Google’s behavior. 

In December, two other suits were filed against Google, arguing that the company’s dominance in the search engine and online advertising markets. One suit is led by Colorado’s attorney general and the other by Texas’ attorney general. The two suits have overlapping but different foci, and it is possible these new suits get folded into the suit against Google filed by the DOJ. There are also media reports that some of the states that brought these suits may be preparing yet another antitrust action against Google over allegedly anti-monopolistic behavior in how it operates its Google Play app store. (see here for more detail.)

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Social Estate on Unsplash

New Google Antitrust Suits Filed

Two new suits filed against Google by state attorneys general. If the content detailed isn’t illegal behavior, get ready for even more shocking conduct from technology companies to stymie competitors and extract the maximum of any and all rents.

Last month, two new suits were filed against Google, arguing that the company’s dominance in the search engine and online advertising markets. One suit is led by Colorado’s attorney general and the other by Texas’ attorney general. The two suits have overlapping but different foci, and it is possible these new suits get folded into the suit against Google filed by the United States (U.S.) Department of Justice (DOJ). There are also media reports that some of the states that brought these suits may be preparing yet another antitrust action against Google over allegedly anti-monopolistic behavior in how it operates its Google Play app store.

Colorado Attorney General Phil Phil Weiser and 38 other state attorneys general[1] filed their antitrust suit in the District Court of the District of Columbia “under Section 2 of the Sherman Act, 15 U.S.C. § 2, to restrain Google from unlawfully restraining trade and maintaining monopolies in markets that include general search services, general search text advertising, and general search advertising in the United States, and to remedy the effects of this conduct.” They are asking the court for a range of relief, including but not limited to permanent injunctions to stop ongoing and future anti-competitive conduct and a ;possible breakup of the company.

Weiser and his counterparts framed their argument this way:

Google, one of the largest companies in the world, has methodically undertaken actions to entrench and reinforce its general search services and search-related advertising monopolies by stifling competition. As the gateway to the internet, Google has systematically degraded the ability of other companies to access consumers. In doing so, just as Microsoft improperly maintained its monopoly through conduct directed at Netscape, Google has improperly maintained and extended its search-related monopolies through exclusionary conduct that has harmed consumers, advertisers, and the competitive process itself. Google, moreover, cannot establish business justifications or procompetitive benefits sufficient to justify its exclusionary conduct in any relevant market.

They summed up their legal argument of three forms of anticompetitive conduct of Google:

  • First, Google uses its massive financial resources to limit the number of consumers who use a Google competitor. For example, according to public estimates Google pays Apple between $8 and $12 billion per year to ensure that Google is enthroned as the default search engine on Apple devices, and it limits general search competition on Android devices with a web of restrictive contracts. Google pursues similar strategies with other devices, such as voice assistants and internet-connected cars.
  • Second, Google’s Search Ads 360 (“SA360”) service, a search advertising marketing tool used by many of the world’s most sophisticated advertisers, has long pledged to offer advertisers a “neutral” means for purchasing and comparing the performance of not only Google’s search advertising, but also that of its closest competitors. But, in reality, Google operates SA360—the single largest such tool used by advertisers—to severely limit the tool’s interoperability with a competitor, thereby disadvantaging SA360 advertisers.
  • Third, Google throttles consumers from bypassing its general search engine and going directly to their chosen destination, especially when those destinations threaten Google’s monopoly power. Google acknowledges its [REDACTED] because of the proliferation of services offered by specialized vertical providers. Specialized vertical providers, like an online travel agency who offer consumers the ability to complete a transaction then and there, do not compete in Google’s search-related markets. Nevertheless, they pose a threat to Google’s monopoly power in those markets because their success would both strengthen general search rivals with whom they partner and lower the artificially high barriers to expansion and entry that protect Google’s monopolies.

In summary, Weiser and his colleagues argued:

  • Google has willfully maintained, abused, and extended its monopoly power in general search services through (a) anticompetitive and exclusionary distribution agreements that lock up the present default positions for search access points on browsers, mobile devices, computers, and other devices as well as emerging device technology; require preinstallation and prominent placement of Google’s apps; and tie Google’s search access points to Google Play and Google APIs; (b) operation of SA360 to limit the tool’s interoperability with a competitor, disadvantaging SA360 advertisers; (c) discriminatory treatment towards specialized vertical providers in certain commercial segments that hinders consumers’ ability to find responsive information; and (d) other restrictions that drive queries to Google at the expense of search rivals.
  • Google has willfully maintained, abused, and extended its monopoly power in general search advertising through (a) anticompetitive and exclusionary distribution agreements that lock up the present default positions for search access points on browsers, mobile devices, computers, and other devices as well as emerging device technology; require preinstallation and prominent placement of Google’s apps; and tie Google’s search access points to Google Play and Google APIs; (b) operation of SA360 to limit the tool’s interoperability with a competitor, disadvantaging SA360 advertisers; (c) discriminatory treatment towards specialized vertical providers in certain commercial segments that hinders consumers’ ability to find responsive information; and (d) other restrictions that drive queries to Google at the expense of search rivals.
  • Google has willfully maintained, abused, and extended its monopoly power in general search text advertising through (a) anticompetitive and exclusionary distribution agreements that lock up the present default positions for search access points on browsers, mobile devices, computers, and other devices as well as emerging device technology; require preinstallation and prominent placement of Google’s apps; and tie Google’s search access points to Google Play and Google APIs; (b) operation of SA360 to limit the tool’s interoperability with a competitor, disadvantaging SA360 advertisers; (c) discriminatory treatment towards specialized vertical providers in certain commercial segments that hinders consumers’ ability to find responsive information; and (d) other restrictions that drive queries to Google at the expense of search rivals.

Texas Attorney General Ken Paxton and nine other attorneys general[2] filed their antitrust action in the Eastern District of Texas and dropped a bomb: they allege Google and Facebook conspired to monopolize the online advertising market after publishers have devised a system to blunt Google’s dominance. However, Paxton and his colleagues argue that Google’s illegal actions have essentially taxed Americans through higher prices and lower quality products and services because companies are forced to pay a premium to Google to advertise online.

Paxton and the attorneys general summarized their suit and the relief they think appropriate in light of Google’s conduct:

As a result of Google’s anticompetitive conduct, including its unlawful agreement with Facebook, Google has violated and continues to violate Sections 1 and 2 of the Sherman Act, 15 U.S.C. §§ 1, 2. Plaintiff States bring this action to remove the veil of Google’s secret practices and end Google’s abuse of its monopoly power in online advertising markets. Plaintiff States seek to restore free and fair competition to these markets and to secure structural, behavioral, and monetary relief to prevent Google from ever again engaging in deceptive trade practices and abusing its monopoly power to foreclose competition and harm consumers.

They summed up the harm they think Google has wrought:

Plaintiff States have sustained antitrust injury as a direct and proximate cause of Google’s unlawful conduct, in at least the following ways: (1) substantially foreclosing competition in the market for publisher ad servers, and using market power in the publisher ad server market to harm competition in the exchange market; (2) substantially foreclosing competition in the exchange market by denying rivals’ access to publisher inventory and to advertiser demand; (3) substantially foreclosing competition in the market for demand-side buying tools by creating information asymmetry and unfair auctions by virtue of Google’s market dominance in the publisher ad serving tools and exchange markets; (4) increasing barriers to entry and competition in publisher ad server, exchange, and demand-side buying tools markets; (5) harming innovation, which would otherwise benefit publishers, advertisers and competitors; (6) harming publishers’ ability to effectively monetize their content, reducing publishers’ revenues, and thereby reducing output and harming consumers; (7) reducing advertiser demand and participation in the market by maintaining opacity on margins and selling process, harming rival exchanges and buying tools; (8) increasing advertisers’ costs to advertise and reducing the effectiveness of their advertising, and thereby harming businesses’ return on the investment in delivering their products and services, reducing output, and harming consumers; (9) protecting Google’s products from competitive pressures, thereby allowing it to continue to extract high margins while shielded from significant pressure to innovate.

With regard to another possible antitrust action against Google, the suit Epic Games brought against the tech giant for taking 30% of in-app purchases as a condition of being allowed in the Play Store may shed light on what such a suit may look like.  In August Epic Games filed a suit against Google on substantially the same grounds as it is bringing against Apple. Google acted after Apple did to remove Fortnite from its Play Store once Epic Games started offering users a discounted price to buy directly from them as opposed to through Google. Epic asserted:

  • Epic brings claims under Sections 1 and 2 of the Sherman Act and under California law to end Google’s unlawful monopolization and anti-competitive restraints in two separate markets: (1) the market for the distribution of mobile apps to Android users and (2) the market for processing payments for digital content within Android mobile apps. Epic seeks to end Google’s unfair, monopolistic and anti-competitive actions in each of these markets, which harm device makers, app developers, app distributors, payment processors, and consumers.
  • Epic does not seek monetary compensation from this Court for the injuries it has suffered. Epic likewise does not seek a side deal or favorable treatment from Google for itself. Instead, Epic seeks injunctive relief that would deliver Google’s broken promise: an open, competitive Android ecosystem for all users and industry participants. Such injunctive relief is sorely needed.
  • Google has eliminated competition in the distribution of Android apps using myriad contractual and technical barriers. Google’s actions force app developers and consumers into Google’s own monopolized “app store”—the Google Play Store. Google has thus installed itself as an unavoidable middleman for app developers who wish to reach Android users and vice versa. Google uses this monopoly power to impose a tax that siphons monopoly profits for itself every time an app developer transacts with a consumer for the sale of an app or in-app digital content. And Google further siphons off all user data exchanged in such transactions, to benefit its own app designs and advertising business.
  • If not for Google’s anti-competitive behavior, the Android ecosystem could live up to Google’s promise of open competition, providing Android users and developers with competing app stores that offer more innovation, significantly lower prices and a choice of payment processors. Such an open system is not hard to imagine. Two decades ago, through the actions of courts and regulators, Microsoft was forced to open up the Windows for PC ecosystem. As a result, PC users have multiple options for downloading software unto their computers, either directly from developers’ websites or from several competing stores. No single entity controls the ecosystem or imposes a tax on all transactions. And Google, as the developer of software such as the Chrome browser, is a direct beneficiary of this competitive landscape. Android users and developers likewise deserve free and fair competition.

In late October, the DOJ and a number of states filed a long awaited antitrust suit against Google that has been rumored to be coming since late summer 2020. This anti-trust action centers on Google’s practices of making Google the default search engine on Android devices and paying browsers and other technology entities to make Google the default search engine. The DOJ and eleven state attorneys general are following in the footsteps of the European Union’s (EU) €4.34 billion fine of Google in 2018 for imposing “illegal restrictions on Android device manufacturers and mobile network operators to cement its dominant position in general internet search.” The European Commission (EC or Commission) claimed the offending behavior included:

  • has required manufacturers to pre-install the Google Search app and browser app (Chrome), as a condition for licensing Google’s app store (the Play Store);
  • made payments to certain large manufacturers and mobile network operators on condition that they exclusively pre-installed the Google Search app on their devices; and
  • has prevented manufacturers wishing to pre-install Google apps from selling even a single smart mobile device running on alternative versions of Android that were not approved by Google (so-called “Android forks”).

The EC said its “decision concludes that Google is dominant in the markets for general internet search services, licensable smart mobile operating systems and app stores for the Android mobile operating system.”

And, of course, this is only the latest anti-trust case Google has faced in the EU with the €2.42 billion fine in June 2017 “for abusing its dominance as a search engine by giving an illegal advantage to Google’s own comparison shopping service.”

Google’s antitrust and anticompetitive issues are not confined to the United States and the EU. In 2019, the Australian Competition and Consumer Commission (ACCC) announced a legal action against Google “alleging they engaged in misleading conduct and made false or misleading representations to consumers about the personal location data Google collects, keeps and uses” according to the agency’s press release. In its initial filing, the ACCC is claiming that Google mislead and deceived the public in contravention of the Australian Competition Law and Android users were harmed because those that switched off Location Services were unaware that their location information was still be collected and used by Google for it was not readily apparent that Web & App Activity also needed to be switched off.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Hebi B. from Pixabay


[1] The following states are parties to the suit: Colorado, Nebraska, Arizona, Iowa, New York, North Carolina, Tennessee, Utah, Alaska, Connecticut, Delaware, Hawaii, Idaho, Illinois, Kansas, Maine, Maryland, Minnesota, Nevada, New Hampshire, New Jersey, New Mexico, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, South Dakota, Vermont, Washington, West Virginia, and Wyoming; the Commonwealths of Massachusetts, Pennsylvania, Puerto Rico, and Virginia; the Territory of Guam; and the District of Columbia.

[2] These states sued Google: Texas, Arkansas  Idaho, Indiana, Mississippi,  Missouri,  North Dakota,  South Dakota, Utah, and the Commonwealth of Kentucky.

Further Reading, Other Development, and Coming Events (4 January 2021)

Further Reading

  • Microsoft Says Russian Hackers Viewed Some of Its Source Code” By Nicole Perlroth — The New York Times. The Sluzhba vneshney razvedki Rossiyskoy Federatsii’s (SVR) hack keeps growing and growing with Microsoft admitting its source code was viewed through an employee account. It may be that authorized Microsoft resellers were one of the vectors by which the SVR accessed SolarWinds, FireEye, and ultimately a number of United States (U.S.) government agencies. Expect more revelations to come about the scope and breadth of entities and systems the SVR compromised.
  • In 2020, we reached peak Internet. Here’s what worked — and what flopped.” By Geoffrey Fowler — The Washington Post. The newspaper’s tech columnist reviews the technology used during the pandemic and what is likely to stay with us when life returns to some semblance of normal.
  • Facebook Says It’s Standing Up Against Apple For Small Businesses. Some Of Its Employees Don’t Believe It.” By Craig Silverman and Ryan Mac — BuzzFeed News. Again, two of the best-sourced journalists when it comes to Facebook have exposed employee dissent within the social media and advertising giant, and this time over the company’s advertising blitz positioning it as the champion of small businesses that allegedly stand to be hurt when Apple rolls out iOS 14 that will allow users to block the type of tracking across apps and the internet Facebook thrives on. The company’s PR campaign stands in contrast to the anecdotal stories about errors that harmed and impeded small companies in using Facebook to advertise and sell products and services to cusstomers.
  • SolarWinds hack spotlights a thorny legal problem: Who to blame for espionage?” By Tim Starks — cyberscoop. This piece previews possible and likely inevitable litigation to follow from the SolarWinds hack, including possible securities action on the basis of fishy dumps of stock by executive, breach of contract, and negligence for failing to patch and address vulnerabilities in a timely fashion. Federal and state regulators will probably get on the field, too. But this will probably take years to play out as Home Depot settled claims arising from its 2014 breach with state attorneys general in November 2020.
  • The Tech Policies the Trump Administration Leaves Behind” By Aaron Boyd — Nextgov. A look back at the good, the bad, and the ugly of the Trump Administration’s technology policies, some of which will live on in the Biden Administration.

Other Developments

  • In response to the SolarWinds hack, the Federal Bureau of Investigation (FBI), the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) issued a joint statement indicating that the process established in Pursuant to Presidential Policy Directive (PPD) 41, an Obama Administration policy has been activated and a Cyber Unified Coordination Group (UCG) has been formed “to coordinate a whole-of-government response to this significant cyber incident.” The agencies explained “[t]he UCG is intended to unify the individual efforts of these agencies as they focus on their separate responsibilities.”
    • In PPD-41 it is explained that a UCG “shall serve as the primary method for coordinating between and among Federal agencies in response to a significant cyber incident as well as for integrating private sector partners into incident response efforts, as appropriate.” Moreover, “[t]he Cyber UCG is intended to result in unity of effort and not to alter agency authorities or leadership, oversight, or command responsibilities.”
  • Following the completion of its “in-depth” investigation, the European Commission (EC) cleared Google’s acquisition of Fitbit with certain conditions, removing a significant hurdle for the American multinational in buying the wearable fitness tracker company. In its press release, the EC explained that after its investigation, “the Commission had concerns that the transaction, as initially notified, would have harmed competition in several markets.” To address and allay concerns, Google bound itself for ten years to a set of commitments that can be unilaterally extended by the EC and will be enforced, in part, by the appointment of a trustee to oversee compliance.
    • The EC was particularly concerned about:
      • Advertising: By acquiring Fitbit, Google would acquire (i) the database maintained by Fitbit about its users’ health and fitness; and (ii) the technology to develop a database similar to that of Fitbit. By increasing the already vast amount of data that Google could use for the personalisation of ads, it would be more difficult for rivals to match Google’s services in the markets for online search advertising, online display advertising, and the entire “ad tech” ecosystem. The transaction would therefore raise barriers to entry and expansion for Google’s competitors for these services to the detriment of advertisers, who would ultimately face higher prices and have less choice.
      • Access to Web Application Programming Interface (‘API’) in the market for digital healthcare: A number of players in this market currently access health and fitness data provided by Fitbit through a Web API, in order to provide services to Fitbit users and obtain their data in return. The Commission found that following the transaction, Google might restrict competitors’ access to the Fitbit Web API. Such a strategy would come especially at the detriment of start-ups in the nascent European digital healthcare space.
      • Wrist-worn wearable devices: The Commission is concerned that following the transaction, Google could put competing manufacturers of wrist-worn wearable devices at a disadvantage by degrading their interoperability with Android smartphones.
    • As noted, Google made a number of commitments to address competition concerns:
      • Ads Commitment:
        • Google will not use for Google Ads the health and wellness data collected from wrist-worn wearable devices and other Fitbit devices of users in the EEA, including search advertising, display advertising, and advertising intermediation products. This refers also to data collected via sensors (including GPS) as well as manually inserted data.
        • Google will maintain a technical separation of the relevant Fitbit’s user data. The data will be stored in a “data silo” which will be separate from any other Google data that is used for advertising.
        • Google will ensure that European Economic Area (‘EEA’) users will have an effective choice to grant or deny the use of health and wellness data stored in their Google Account or Fitbit Account by other Google services (such as Google Search, Google Maps, Google Assistant, and YouTube).
      • Web API Access Commitment:
        • Google will maintain access to users’ health and fitness data to software applications through the Fitbit Web API, without charging for access and subject to user consent.
      • Android APIs Commitment:
        • Google will continue to license for free to Android original equipment manufacturers (OEMs) those public APIs covering all current core functionalities that wrist-worn devices need to interoperate with an Android smartphone. Such core functionalities include but are not limited to, connecting via Bluetooth to an Android smartphone, accessing the smartphone’s camera or its GPS. To ensure that this commitment is future-proof, any improvements of those functionalities and relevant updates are also covered.
        • It is not possible for Google to circumvent the Android API commitment by duplicating the core interoperability APIs outside the Android Open Source Project (AOSP). This is because, according to the commitments, Google has to keep the functionalities afforded by the core interoperability APIs, including any improvements related to the functionalities, in open-source code in the future. Any improvements to the functionalities of these core interoperability APIs (including if ever they were made available to Fitbit via a private API) also need to be developed in AOSP and offered in open-source code to Fitbit’s competitors.
        • To ensure that wearable device OEMs have also access to future functionalities, Google will grant these OEMs access to all Android APIs that it will make available to Android smartphone app developers including those APIs that are part of Google Mobile Services (GMS), a collection of proprietary Google apps that is not a part of the Android Open Source Project.
        • Google also will not circumvent the Android API commitment by degrading users experience with third party wrist-worn devices through the display of warnings, error messages or permission requests in a discriminatory way or by imposing on wrist-worn devices OEMs discriminatory conditions on the access of their companion app to the Google Play Store.
  • The United States (U.S.) Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) has proposed a major rewrite of the regulations governing medical privacy in the U.S. As the U.S. lacks a unified privacy regime, the proposed changes would affect on those entities in the medical sector subject to the regime, which is admittedly many such entities. Nevertheless, it is almost certain the Biden Administration will pause this rulemaking and quite possibly withdraw it should it prove crosswise with the new White House’s policy goals.
    • HHS issued a notice of proposed rulemaking “to modify the Standards for the Privacy of Individually Identifiable Health Information (Privacy Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).”
      • HHS continued:
        • The Privacy Rule is one of several rules, collectively known as the HIPAA Rules, that protect the privacy and security of individuals’ medical records and other protected health information (PHI), i.e., individually identifiable health information maintained or transmitted by or on behalf of HIPAA covered entities (i.e., health care providers who conduct covered health care transactions electronically, health plans, and health care clearinghouses).
        • The proposals in this NPRM support the Department’s Regulatory Sprint to Coordinated Care (Regulatory Sprint), described in detail below. Specifically, the proposals in this NPRM would amend provisions of the Privacy Rule that could present barriers to coordinated care and case management –or impose other regulatory burdens without sufficiently compensating for, or offsetting, such burdens through privacy protections. These regulatory barriers may impede the transformation of the health care system from a system that pays for procedures and services to a system of value-based health care that pays for quality care.
    • In a press release, OCR asserted:
      • The proposed changes to the HIPAA Privacy Rule include strengthening individuals’ rights to access their own health information, including electronic information; improving information sharing for care coordination and case management for individuals; facilitating greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises; enhancing flexibilities for disclosures in emergency or threatening circumstances, such as the Opioid and COVID-19 public health emergencies; and reducing administrative burdens on HIPAA covered health care providers and health plans, while continuing to protect individuals’ health information privacy interests.
  • The Federal Trade Commission (FTC) has used its powers to compel selected regulated entities to provide requested information in asking that “nine social media and video streaming companies…provide data on how they collect, use, and present personal information, their advertising and user engagement practices, and how their practices affect children and teens.” The TFTC is using its Section 6(b) authority to compel the information from Amazon.com, Inc., ByteDance Ltd., which operates the short video service TikTok, Discord Inc., Facebook, Inc., Reddit, Inc., Snap Inc., Twitter, Inc., WhatsApp Inc., and YouTube LLC. Failure to respond can result in the FTC fining a non-compliant entity.
    • The FTC claimed in its press release it “is seeking information specifically related to:
      • how social media and video streaming services collect, use, track, estimate, or derive personal and demographic information;
      • how they determine which ads and other content are shown to consumers;
      • whether they apply algorithms or data analytics to personal information;
      • how they measure, promote, and research user engagement; and
      • how their practices affect children and teens.
    • The FTC explained in its sample order:
      • The Commission is seeking information concerning the privacy policies, procedures, and practices of Social Media and Video Streaming Service providers, Including the method and manner in which they collect, use, store, and disclose Personal Information about consumers and their devices. The Special Report will assist the Commission in conducting a study of such policies, practices, and procedures.
  • The United States (U.S.) Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) supplemented its Emergency Directive 21-01 to federal civilian agencies in response to the Sluzhba vneshney razvedki Rossiyskoy Federatsii’s (SVR) hack via SolarWinds. In an 18 December update, CISA explained:
    • This section provides additional guidance on the implementation of CISA Emergency Directive (ED) 21-01, to include an update on affected versions, guidance for agencies using third-party service providers, and additional clarity on required actions.
    •  In a 30 December update, CISA stated:
      • Specifically, all federal agencies operating versions of the SolarWinds Orion platform other than those identified as “affected versions” below are required to use at least SolarWinds Orion Platform version 2020.2.1HF2. The National Security Agency (NSA) has examined this version and verified that it eliminates the previously identified malicious code. Given the number and nature of disclosed and undisclosed vulnerabilities in SolarWinds Orion, all instances that remain connected to federal networks must be updated to 2020.2.1 HF2 by COB December 31, 2020. CISA will follow up with additional supplemental guidance, to include further clarifications and hardening requirements.
  • Australia’s Attorney-General’s Department published an unclassified version of the four volumes of the “Report of the Comprehensive Review of the Legal Framework of the National Intelligence Community,” an “examination of the legislative framework underpinning the National Intelligence Community (NIC)…the first and largest since the Hope Royal Commissions considered the Australian Intelligence Community (AIC) in the 1970s and 1980s.” Ultimately, the authors of the report concluded:
    • We do not consider the introduction of a common legislative framework, in the form of a single Act governing all or some NIC agencies, to be a practical, pragmatic or proportionate reform. It would be unlikely that the intended benefits of streamlining and simplifying NIC legislation could be achieved due to the diversity of NIC agency functions—from intelligence to law enforcement, regulatory and policy—and the need to maintain differences in powers, immunities and authorising frameworks. The Review estimates that reform of this scale would cost over $200million and take up to 10years to complete. This would be an impractical and disproportionate undertaking for no substantial gain. In our view, the significant costs and risks of moving to a single, consolidated Act clearly outweigh the limited potential benefits.
    • While not recommending a common legislative framework for the entire NIC, some areas of NIC legislation would benefit from simplification and modernisation. We recommend the repeal of the TIA Act, Surveillance Devices Act 2004(SD Act) and parts of the Australian Security Intelligence Organisation Act 1979 (ASIO Act), and their replacement with a single new Act governing the use of electronic surveillance powers—telecommunications interception, covert access to stored communications, computers and telecommunications data, and the use of optical, listening and tracking devices—under Commonwealth law.
  • The National Institute of Standards and Technology (NIST) released additional materials to supplement a major rewrite of a foundational security guidance document. NIST explained “[n]ew supplemental materials for NIST Special Publication (SP) 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations, are available for download to support the December 10, 2020 errata release of SP 800-53 and SP 800-53B, Control Baselines for Information Systems and Organizations.” These supplemental materials include:
    • A comparison of the NIST SP 800-53 Revision 5 controls and control enhancements to Revision 4. The spreadsheet describes the changes to each control and control enhancement, provides a brief summary of the changes, and includes an assessment of the significance of the changes.  Note that this comparison was authored by The MITRE Corporation for the Director of National Intelligence (DNI) and is being shared with permission by DNI.
    • Mapping of the Appendix J Privacy Controls (Revision 4) to Revision 5. The spreadsheet supports organizations using the privacy controls in Appendix J of SP 800-53 Revision 4 that are transitioning to the integrated control catalog in Revision 5.
    • Mappings between NIST SP 800-53 and other frameworks and standards. The mappings provide organizations a general indication of SP 800-53 control coverage with respect to other frameworks and standards. When leveraging the mappings, it is important to consider the intended scope of each publication and how each publication is used; organizations should not assume equivalency based solely on the mapping tables because mappings are not always one-to-one and there is a degree of subjectivity in the mapping analysis.
  • Via a final rule, the Department of Defense (DOD) codified “the National Industrial Security Program Operating Manual (NISPOM) in regulation…[that] establishes requirements for the protection of classified information disclosed to or developed by contractors, licensees, grantees, or certificate holders (hereinafter referred to as contractors) to prevent unauthorized disclosure.” The DOD stated “[i]n addition to adding the NISPOM to the Code of Federal Regulations (CFR), this rule incorporates the requirements of Security Executive Agent Directive (SEAD) 3, “Reporting Requirements for Personnel with Access to Classified Information or Who Hold a Sensitive Position.” The DOD stated “SEAD 3 requires reporting by all contractor cleared personnel who have been granted eligibility for access to classified information.”
    • The DOD added “[t]his NISPOM rule provides for a single nation-wide implementation plan which will, with this rule, include SEAD 3 reporting by all contractor cleared personnel to report specific activities that may adversely impact their continued national security eligibility, such as reporting of foreign travel and foreign contacts.”
    • The DOD explained “NISP Cognizant Security Agencies (CSAs) shall conduct an analysis of such reported activities to determine whether they pose a potential threat to national security and take appropriate action.”
    • The DOD added that “the rule also implements the provisions of Section 842 of Public Law 115-232, which removes the requirement for a covered National Technology and Industrial Base (NTIB) entity operating under a special security agreement pursuant to the NISP to obtain a national interest determination as a condition for access to proscribed information.”
  • An advisory committee housed at the United States (U.S.) Department of Homeland Security (DHS) is calling for the White House to quickly “operationalize intelligence in a classified space with senior executives and cyber experts from most critical entities in the energy, financial services, and communications sectors working directly with intelligence analysts and other government staff.” In their report, the President’s National Infrastructure Advisory Council (NIAC) proposed the creation of a Critical Infrastructure Command Center (CICC) to “provid[e] real-time collaboration between government and industry…[and] take direct action and provide tactical solutions to mitigate, remediate,  and deter threats.” NIAC urged the President to “direct relevant federal agencies to support the private sector in executing the concept, including identifying the required government staff…[and] work with Congress to ensure the appropriate authorities are established to allow the CICC to fully realize its operational functionality.” NIAC recommended “near-term actions to implement the CICC concept:
    • 1.The President should direct the relevant federal agencies to support the private sector in rapidly standing up the CICC concept with the energy, financial services, and communications sectors:
      • a. Within 90 days the private sector will identify the executives who will lead execution of the CICC concept and establish governing criteria (including membership, staffing and rotation, and other logistics).
      • b. Within 120 days the CICC sector executives will identify and assign the necessary CICC staff from the private sector.
      • c. Within 90 days an appropriate venue to house the operational component will be identified and the necessary agreements put in place.
    • 2. The President should direct the Intelligence Community and other relevant government agencies to identify and co-locate the required government staff counterparts to enable the direct coordination required by the CICC. This staff should be pulled from the IC, SSAs, and law enforcement.
    • 3. The President, working with Congress, should establish the appropriate authorities and mission for federal agencies to directly share intelligence with critical infrastructure companies, along with any other authorities required for the CICC concept to be fully successful (identified in Appendix A).
    • 4. Once the CICC concept is fully operational (within 180 days), the responsible executives should deliver a report to the NSC and the NIAC demonstrating how the distinct capabilities of the CICC have been achieved and the impact of the capabilities to date. The report should identify remaining gaps in resources, direction, or authorities.

Coming Events

  • On 13 January, the Federal Communications Commission (FCC) will hold its monthly open meeting, and the agency has placed the following items on its tentative agenda “Bureau, Office, and Task Force leaders will summarize the work their teams have done over the last four years in a series of presentations:
    • Panel One. The Commission will hear presentations from the Wireless Telecommunications Bureau, International Bureau, Office of Engineering and Technology, and Office of Economics and Analytics.
    • Panel Two. The Commission will hear presentations from the Wireline Competition Bureau and the Rural Broadband Auctions Task Force.
    • Panel Three. The Commission will hear presentations from the Media Bureau and the Incentive Auction Task Force.
    • Panel Four. The Commission will hear presentations from the Consumer and Governmental Affairs Bureau, Enforcement Bureau, and Public Safety and Homeland Security Bureau.
    • Panel Five. The Commission will hear presentations from the Office of Communications Business Opportunities, Office of Managing Director, and Office of General Counsel.
  • On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by opsa from Pixabay

Further Reading, Other Developments, and Coming Events (15 December)

Further Reading

  • DHS, State and NIH join list of federal agencies — now five — hacked in major Russian cyberespionage campaign” By Ellen Nakashima and Craig Timberg — The Washington Post; “Scope of Russian Hack Becomes Clear: Multiple U.S. Agencies Were Hit” By David E. Sanger, Nicole Perlroth and Eric Schmitt — The New York Times; The list of United States (U.S.) government agencies breached by Sluzhba vneshney razvedki Rossiyskoy Federatsii (SVR), the Russian Federation’s Foreign Intelligence Service, has grown. Now the Department of Homeland Security, Defense, and State and the National Institutes of Health are reporting they have been breached. It is unclear if Fortune 500 companies in the U.S. and elsewhere and U.S. nuclear laboratories were also breached in this huge, sophisticated espionage exploit. It appears the Russians were selective and careful, and these hackers may have only accessed information held on U.S. government systems. And yet, the Trump Administration continues to issue equivocal statements neither denying nor acknowledging the hack, leaving the public to depend on quotes from anonymous officials. Perhaps admitting the Russians hacked U.S. government systems would throw light on Russian interference four years ago, and the President is loath to even contemplate that attack. In contrast, President Donald Trump has made all sorts of wild, untrue claims about vote totals being hacked despite no evidence supporting his assertions. It appears that the declaration of mission accomplished by some agencies of the Trump Administration over no Russian hacking of or interference with the 2020 election will be overshadowed by what may prove the most damaging hack of U.S. government systems ever.
  • Revealed: China suspected of spying on Americans via Caribbean phone networks” By Stephanie Kirchgaessner — The Guardian. This story depends on one source, so take it for what it is worth, but allegedly the People’s Republic of China (PRC) is using vulnerabilities in mobile communications networks to hack into the phones of Americans travelling in the Caribbean. If so, the PRC may be exploiting the same Signaling System 7 (SS7) weaknesses an Israeli firm, Circles, is using to sell access to phones, at least according to a report published recently by the University of Toronto’s Citizen Lab.
  • The Cartel Project | Revealed: The Israelis Making Millions Selling Cyberweapons to Latin America” By Amitai Ziv — Haaretz. Speaking of Israeli companies, the NSO Group among others are actively selling offensive cyber and surveillance capabilities to Central American nations often through practices that may be corrupt.
  • U.S. Schools Are Buying Phone-Hacking Tech That the FBI Uses to Investigate Terrorists” By Tom McKay and Dhruv Mehrotra — Gizmodo. Israeli firm Cellebrite and competitors are being used in school systems across the United States (U.S.) to access communications on students’ phones. The U.S. Supreme Court caselaw gives schools very wide discretion for searches, and the Fourth Amendment is largely null and void on school grounds.
  • ‘It’s Hard to Prove’: Why Antitrust Suits Against Facebook Face Hurdles” By Mike Issac and Cecilia Kang — The New York Times. The development of antitrust law over the last few decades may have laid an uphill path for the Federal Trade Commission (FTC) and state attorneys general in securing a breakup of Facebook, something that has not happened on a large scale since the historic splintering of AT&T in the early 1980’s.
  • Exclusive: Israeli Surveillance Companies Are Siphoning Masses Of Location Data From Smartphone Apps” By Thomas Brewster — Forbes. Turns out Israeli firms are using a feature (or what many would call a bug) in the online advertising system that allows those looking to buy ads to get close to real-time location data from application developers looking to sell advertising space. By putting out a shingle as a Demand Side Platform, it is possible to access reaps of location data, and two Israeli companies are doing just that and offering the service of locating and tracking people using this quirk in online advertising. And this is not just companies in Israel. There is a company under scrutiny in the United States (U.S.) that may have used these practices and then provided location data to federal agencies.

Other Developments

  • The Government Accountability Office (GAO) evaluated the United States’ (U.S.) Department of Defense’s electromagnetic spectrum (EMS) operations found that the DOD’s efforts to maintain EMS superiority over the Russian Federation and the People’s Republic of China (PRC). The GAO concluded:
    • Studies have shown that adversaries of the United States, such as China and Russia, are developing capabilities and strategies that could affect DOD superiority in the information environment, including the EMS. DOD has also reported that loss of EMS superiority could result in the department losing control of the battlefield, as its Electromagnetic Spectrum Operations (EMSO) supports many warfighting functions across all domains. DOD recognizes the importance of EMSO to military operations in actual conflicts and in operations short of open conflict that involve the broad information environment. However, gaps we identified in DOD’s ability to develop and implement EMS-related strategies have impeded progress in meeting DOD’s goals. By addressing gaps we found in five areas—(1) the processes and procedures to integrate EMSO throughout the department, (2) governance reforms to correct diffuse organization, (3) responsibility by an official with appropriate authority, (4) a strategy implementation plan, and (5) activities that monitor and assess the department’s progress in implementing the strategy—DOD can capitalize on progress that it has already made and better support ensuring EMS superiority.
    • The GAO recommended:
      • The Secretary of Defense should ensure that the Vice Chairman of the Joint Chiefs of Staff, as Senior Designated Official of the Electromagnetic Spectrum Operations Cross-Functional Team (CFT), identifies the procedures and processes necessary to provide for integrated defense-wide strategy, planning, and budgeting with respect to joint electromagnetic spectrum operations, as required by the FY19 NDAA. (Recommendation 1)
      • The Secretary of Defense should ensure that the Vice Chairman of the Joint Chiefs of Staff as Senior Designated Official of the CFT proposes EMS governance, management, organizational, and operational reforms to the Secretary. (Recommendation 2)
      • The Secretary of Defense should assign clear responsibility to a senior official with authority and resources necessary to compel action for the long-term implementation of the 2020 strategy in time to oversee the execution of the 2020 strategy implementation plan. (Recommendation 3)
      • The Secretary of Defense should ensure that the designated senior official for long-term strategy implementation issues an actionable implementation plan within 180 days following issuance of the 2020 strategy. (Recommendation 4)
      • The Secretary of Defense should ensure that the designated senior official for long-term strategy implementation creates oversight processes that would facilitate the department’s implementation of the 2020 strategy. (Recommendation 5)
  • A forerunner to Apple’s App Store has sued the company, claiming it has monopolized applications on its operating system to the detriment of other parties and done the same with respect to its payment system. The company behind Cydia is arguing that it conceived of and created the first application store for the iPhone, offering a range of programs Apple did not. Cydia is claiming that once Apple understood how lucrative an app store would be, it blocked Cydia and established its own store, the exclusive means through which programs can be installed and used on the iOS. Furthermore, this has enabled Apple to levy 30% of all in-application purchases made, which is allegedly a $50 billion market annually. This is the second high-profile suit this year against Apple. Epic Games, the maker of the popular game, Fortnite, sued Apple earlier this year on many of the same grounds because the company started allowing users to buy directly from it for a 30% discount. Apple responded by removing the game from the App Store, which has blocked players from downloading updated versions. That litigation has just begun. In its complaint, Cydia asserts:
    • Historically, distribution of apps for a specific operating system (“OS”) occurred in a separate and robustly competitive market. Apple, however, began coercing users to utilize no other iOS app distribution service but the App Store, coupling it closer and closer to the iPhone itself in order to crowd out all competition. But Apple did not come up with this idea initially—it only saw the economic promise that iOS app distribution represented after others, like [Cydia], demonstrated that value with their own iOS app distribution products/services. Faced with this realization, Apple then decided to take that separate market (as well as the additional iOS app payment processing market described herein) for itself.
    • Cydia became hugely popular by offering a marketplace to find and obtain third party iOS applications that greatly expanded the capabilities of the stock iPhone, including games, productivity applications, and audio/visual applications such as a video recorder (whereas the original iPhone only allowed still cameraphotos). Apple subsequently took many of these early third party applications’ innovations, incorporating them into the iPhone directly or through apps.
    • But far worse than simply copying others’ innovations, Apple also recognized that it could reap enormous profits if it cornered this fledgling market for iOS app distribution, because that would give Apple complete power over iOS apps, regardless of the developer. Apple therefore initiated a campaign to eliminate competition for iOS app distribution altogether. That campaign has been successful and continues to this day. Apple did (and continues to do) so by, inter alia, tying the App Store app to iPhone purchases by preinstalling it on all iOS devices and then requiring it as the default method to obtain iOS apps, regardless of user preference for other alternatives; technologically locking down the iPhone to prevent App Store competitors like Cydia from even operating on the device; and imposing contractual terms on users that coerce and prevent them from using App Store competitors. Apple has also mandated that iOS app developers use it as their sole option for app payment processing (such as in-app purchases), thus preventing other competitors, such as Cydia, from offering the same service to those developers.
    • Through these and other anticompetitive acts, Apple has wrongfully acquired and maintained monopoly power in the market (or aftermarket) for iOS app distribution, and in the market (or aftermarket) for iOS app payment processing. Apple has frozen Cydia and all other competitors out of both markets, depriving them of the ability to compete with the App Store and to offer developers and consumers better prices, better service, and more choice. This anticompetitive conduct has unsurprisingly generated massive profits and unprecedented market capitalization for Apple, as well as incredible market power.
  • California is asking to join antitrust suit against Google filed by the United States Department of Justice (DOJ) and eleven state attorneys general. This antitrust action centers on Google’s practices of making Google the default search engine on Android devices and paying browsers and other technology entities to make Google the default search engine. However, a number of states that had initially joined the joint state investigation of Google have opted not to join this action and will instead be continuing to investigate, signaling a much broader case than the one filed in the United States District Court for the District of Columbia. In any event, if the suit does proceed, and a change in Administration could result in a swift change in course, it may take years to be resolved. Of course, given the legion leaks from the DOJ and state attorneys general offices about the pressure U.S. Attorney General William Barr placed on staff and attorneys to bring a case before the election, there is criticism that rushing the case may result in a weaker, less comprehensive action that Google may ultimately fend off.
    • And, there is likely to be another lawsuit against Google filed by other state attorneys general. A number of attorneys general who had orginally joined the effort led by Texas Attorney General Ken Paxton in investigating Google released a statement at the time the DOJ suit was filed, indicating their investigation would continue, presaging a different, possibly broader lawsuit that might also address Google’s role in other markets. The attorneys general of New York, Colorado, Iowa, Nebraska, North Carolina, Tennessee, and Utah did not join the case that was filed but may soon file a related but parallel case. They stated:
      • Over the last year, both the U.S. DOJ and state attorneys general have conducted separate but parallel investigations into Google’s anticompetitive market behavior. We appreciate the strong bipartisan cooperation among the states and the good working relationship with the DOJ on these serious issues. This is a historic time for both federal and state antitrust authorities, as we work to protect competition and innovation in our technology markets. We plan to conclude parts of our investigation of Google in the coming weeks. If we decide to file a complaint, we would file a motion to consolidate our case with the DOJ’s. We would then litigate the consolidated case cooperatively, much as we did in the Microsoft case.
  • France’s Commission nationale de l’informatique et des libertés (CNIL) handed down multi-million Euro fines on Google and Amazon for putting cookies on users’ devices. CNIL fined Google a total of €100 million and Amazon €35 million because its investigation of both entities determined “when a user visited [their] website, cookies were automatically placed on his or her computer, without any action required on his or her part…[and] [s]everal of these cookies were used for advertising purposes.”
    • CNIL explained the decision against Google:
      • [CNIL] noticed three breaches of Article 82 of the French Data Protection Act:
      • Deposit of cookies without obtaining the prior consent of the user
        • When a user visited the website google.fr, several cookies used for advertising purposes were automatically placed on his or her computer, without any action required on his or her part.
        • Since this type of cookies can only be placed after the user has expressed his or her consent, the restricted committee considered that the companies had not complied with the requirement provided for in Article 82 of the French Data Protection Act regarding the collection of prior consent before placing cookies that are not essential to the service.
      • Lack of information provided to the users of the search engine google.fr
        • When a user visited the page google.fr, an information banner displayed at the bottom of the page, with the following note “Privacy reminder from Google”, in front of which were two buttons: “Remind me later” and “Access now”.
        • This banner did not provide the user with any information regarding cookies that had however already been placed on his or her computer when arriving on the site. The information was also not provided when he or she clicked on the button “Access now”.
        • Therefore, the restricted committee considered that the information provided by the companies did not enable the users living in France either to be previously and clearly informed regarding the deposit of cookies on their computer or, therefore, to be informed of the purposes of these cookies and the available means enabling to refuse them.
      • Partial failure of the « opposition » mechanism
        • When a user deactivated the ad personalization on the Google search by using the available mechanism from the button “Access now”, one of the advertising cookies was still stored on his or her computer and kept reading information aimed at the server to which it is attached.
        • Therefore, the restricted committee considered that the “opposition” mechanism set up by the companies was partially defective, breaching Article 82 of the French Data Protection Act.
    • CNIL explained the case against Amazon:
      • [CNIL] noticed two breaches of Article 82 of the French Data Protection Act:
      • Deposit of cookies without obtaining the prior consent of the user
        • The restricted committee noted that when a user visited one of the pages of the website amazon.fr, a large number of cookies used for advertising purposes was automatically placed on his or her computer, before any action required on his or her part. Yet, the restricted committee recalled that this type of cookies, which are not essential to the service, can only be placed after the user has expressed his or her consent. It considered that the deposit of cookies at the same time as arriving on the site was a practice which, by its nature, was incompatible with a prior consent.
      • Lack of information provided to the users of the website amazon.fr
        • First, the restricted committee noted that, in the case of a user visiting the website amazon.fr, the information provided was neither clear, nor complete.
        • It considered that the information banner displayed by the company, which was “By using this website, you accept our use of cookies allowing to offer and improve our services. Read More.”, only contained a general and approximate information regarding the purposes of all the cookies placed. In particular, it considered that, by reading the banner, the user could not understand that cookies placed on his or her computer were mainly used to display personalized ads. It also noted that the banner did not explain to the user that it could refuse these cookies and how to do it.
        • Then, the restricted committee noticed that the company’s failure to comply with its obligation was even more obvious regarding the case of users that visited the website amazon.fr after they had clicked on an advertisement published on another website. It underlined that in this case, the same cookies were placed but no information was provided to the users about that.
  • Senator Amy Klobuchar (D-MN) wrote the Secretary of Health and Human Services (HHS), to express “serious concerns regarding recent reports on the data collection practices of Amazon’s health-tracking bracelet (Halo) and to request information on the actions [HHS] is taking to ensure users’ health data is secure.” Klobuchar stated:
    • The Halo is a fitness tracker that users wear on their wrists. The tracker’s smartphone application (app) provides users with a wide-ranging analysis of their health by tracking a range of biological metrics including heartbeat patterns, exercise habits, sleep patterns, and skin temperature. The fitness tracker also enters into uncharted territory by collecting body photos and voice recordings and transmitting this data for analysis. To calculate the user’s body fat percentage, the Halo requires users to take scans of their body using a smartphone app. These photos are then temporarily sent to Amazon’s servers for analysis while the app returns a three-dimensional image of the user’s body, allowing the user to adjust the image to see what they would look like with different percentages of body fat. The Halo also offers a tone analysis feature that examines the nuances of a user’s voice to indicate how the user sounds to others. To accomplish this task, the device has built-in microphones that listen and records a user’s voice by taking periodic samples of speech throughout the day if users opt-in to the feature.
    • Recent reports have raised concerns about the Halo’s access to this extensive personal and private health information. Among publicly available consumer health devices, the Halo appears to collect an unprecedented level of personal information. This raises questions about the extent to which the tracker’s transmission of biological data may reveal private information regarding the user’s health conditions and how this information can be used. Last year, a study by BMJ (formerly the British Medical Journal) found that 79 percent of health apps studied by researchers were found to share user data in a manner that failed to provide transparency about the data being shared. The study concluded that health app developers routinely share consumer data with third-parties and that little transparency exists around such data sharing.
    • Klobuchar asked the Secretary of Health and Human Services Alex Azar II to “respond to the following questions:
      • What actions is HHS taking to ensure that fitness trackers like Halo safeguard users’ private health information?
      • What authority does HHS have to ensure the security and privacy of consumer data collected and analyzed by health tracking devices like Amazon’s Halo?
      • Are additional regulations required to help strengthen privacy and security protections for consumers’ personal health data given the rise of health tracking devices? Why or why not?
      • Please describe in detail what additional authority or resources that the HHS could use to help ensure the security and protection of consumer health data obtained through health tracking devices like the Halo.

Coming Events

  • On 15 December, the Senate Judiciary Committee’s Intellectual Property Subcommittee will hold a hearing titled “The Role of Private Agreements and Existing Technology in Curbing Online Piracy” with these witnesses:
    • Panel I
      • Ms. Ruth Vitale, Chief Executive Officer, CreativeFuture
      • Mr. Probir Mehta, Head of Global Intellectual Property and Trade Policy, Facebook, Inc.
      • Mr. Mitch Glazier, Chairman and CEO, Recording Industry Association of America
      • Mr. Joshua Lamel, Executive Director, Re:Create
    • Panel II
      • Ms. Katherine Oyama, Global Director of Business Public Policy, YouTube
      • Mr. Keith Kupferschmid, Chief Executive Officer, Copyright Alliance
      • Mr. Noah Becker, President and Co-Founder, AdRev
      • Mr. Dean S. Marks, Executive Director and Legal Counsel, Coalition for Online Accountability
  • The Senate Armed Services Committee’s Cybersecurity Subcommittee will hold a closed briefing on Department of Defense Cyber Operations on 15 December with these witnesses:
    • Mr. Thomas C. Wingfield, Deputy Assistant Secretary of Defense for Cyber Policy, Office of the Under Secretary of Defense for Policy
    • Mr. Jeffrey R. Jones, Vice Director, Command, Control, Communications and Computers/Cyber, Joint Staff, J-6
    • Ms. Katherine E. Arrington, Chief Information Security Officer for the Assistant Secretary of Defense for Acquisition, Office of the Under Secretary of Defense for Acquisition and Sustainment
    • Rear Admiral Jeffrey Czerewko, United States Navy, Deputy Director, Global Operations, J39, J3, Joint Staff
  • The Senate Banking, Housing, and Urban Affairs Committee’s Economic Policy Subcommittee will conduct a hearing titled “US-China: Winning the Economic Competition, Part II” on 16 December with these witnesses:
    • The Honorable Will Hurd, Member, United States House of Representatives;
    • Derek Scissors, Resident Scholar, American Enterprise Institute;
    • Melanie M. Hart, Ph.D., Senior Fellow and Director for China Policy, Center for American Progress; and
    • Roy Houseman, Legislative Director, United Steelworkers (USW).
  • On 17 December the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency’s (CISA) Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force will convene for a virtual event, “Partnership in Action: Driving Supply Chain Security.”

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Naya Shaw from Pexels

Further Reading, Other Developments, and Coming Events (14 December)

Further Reading

  • Russian Hackers Broke Into Federal Agencies, U.S. Officials Suspect” By David Sanger — The New York Times.; “Russian government hackers are behind a broad espionage campaign that has compromised U.S. agencies, including Treasury and Commerce” By Ellen Nakashima and Craig Timberg — The Washington Post; “Suspected Russian hackers spied on U.S. Treasury emails – sources” By Chris Bing — Reuters. Apparently, Sluzhba vneshney razvedki Rossiyskoy Federatsii (SVR), the Russian Federation’s Foreign Intelligence Service, has exploited a vulnerability in SolarWinds’ update system used by many United States (U.S.) government systems, Fortune 500 companies, and the U.S.’ top ten largest telecommunications companies. Reportedly, APT29 (aka Cozy Bear) has had free reign in the email systems of the Departments of the Treasury and Commerce among other possible victims. The hackers may have also accessed a range of other entities around the world using the same SolarWind system. Moreover, these penetrations may be related to the recently announced theft of hacking tools a private firm, FireEye, used to test clients’ systems.
  • Hackers steal Pfizer/BioNTech COVID-19 vaccine data in Europe, companies say” By Jack Stubbs — Reuters. The European Union’s (EU) agency that oversees and approve medications has been hacked, and documents related to one of the new COVID-19 vaccines may have been stolen. The European Medicines Agency (EMA) was apparently penetrated, and materials related to Pfizer and BioNTech’s vaccine were exfiltrated. The scope of the theft is not yet known, but this is the latest in many attempts to hack into the entities conducting research on the virus and potential vaccines.
  • The AI Girlfriend Seducing China’s Lonely Men” By Zhang Wanqing — Sixth Tone. A chat bot powered by artificial intelligence that some men in the People’s Republic of China (PRC) are using extensively raises all sorts of ethical and privacy issues. Lonely people have turned to this AI technology and have confided their deepest feelings, which are stored by the company. It seems like a matter of time until these data are mined for commercial value or hacked. Also, the chatbot has run afoul of PRC’s censorship policies. Finally, is this a preview of the world to come, much like the 2013 film, Her, in which humans have relationships with AI beings?
  • YouTube will now remove videos disputing Joe Biden’s election victory” By Makena Kelly — The Verge. The Google subsidiary announced that because the safe harbor deadline has been reached and a sufficient number of states have certified President-elect Joe Biden, the platform will begin taking down misleading election videos. This change in policy may have come about, in part, because of pressure from Democrats in Congress about what they see as Google’s lackluster efforts to find and remove lies, misinformation, and disinformation about the 2020 election.
  • Lots of people are gunning for Google. Meet the man who might have the best shot.” By Emily Birnbaum — Protocol. Colorado Attorney General Phil Weiser may be uniquely qualified to lead state attorneys general on a second antitrust and anti-competition action against Google given his background as a law professor steeped in antitrust and his background in the Department of Justice and White House during the Obama Administration.

Other Developments

  • Cybersecurity firm, FireEye, revealed it was “attacked by a highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack” according to CEO Kevin Mandia. This hacking may be related to vast penetration of United States (U.S.) government systems revealed over the weekend. Mandia stated FireEye has “found that the attacker targeted and accessed certain Red Team assessment tools that we use to test our customers’ security…[that] mimic the behavior of many cyber threat actors and enable FireEye to provide essential diagnostic security services to our customers.” Mandia claimed none of these tools were zero-day exploits. FireEye is “proactively releasing methods and means to detect the use of our stolen Red Team tools…[and] out of an abundance of caution, we have developed more than 300 countermeasures for our customers, and the community at large, to use in order to minimize the potential impact of the theft of these tools.
    • Mandia added:
      • Consistent with a nation-state cyber-espionage effort, the attacker primarily sought information related to certain government customers. While the attacker was able to access some of our internal systems, at this point in our investigation, we have seen no evidence that the attacker exfiltrated data from our primary systems that store customer information from our incident response or consulting engagements, or the metadata collected by our products in our dynamic threat intelligence systems. If we discover that customer information was taken, we will contact them directly.
      • Based on my 25 years in cyber security and responding to incidents, I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities. This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.
      • We are actively investigating in coordination with the Federal Bureau of Investigation and other key partners, including Microsoft. Their initial analysis supports our conclusion that this was the work of a highly sophisticated state-sponsored attacker utilizing novel techniques.    
  • The United States’ (U.S.) Department of Justice filed suit against Facebook for “tactics that discriminated against U.S. workers and routinely preferred temporary visa holders (including H-1B visa holders) for jobs in connection with the permanent labor certification (PERM) process.” The DOJ is asking for injunction to stop Facebook from engaging in the alleged conduct, civil penalties, and damages for workers harmed by this conduct.
    • The DOJ contended:
      • The department’s lawsuit alleges that beginning no later than Jan. 1, 2018 and lasting until at least Sept. 18, 2019, Facebook employed tactics that discriminated against U.S. workers and routinely preferred temporary visa holders (including H-1B visa holders) for jobs in connection with the PERM process. Rather than conducting a genuine search for qualified and available U.S. workers for permanent positions sought by these temporary visa holders, Facebook reserved the positions for temporary visa holders because of their immigration status, according to the complaint. The complaint also alleges that Facebook sought to channel jobs to temporary visa holders at the expense of U.S. workers by failing to advertise those vacancies on its careers website, requiring applicants to apply by physical mail only, and refusing to consider any U.S. workers who applied for those positions. In contrast, Facebook’s usual hiring process relies on recruitment methods designed to encourage applications by advertising positions on its careers website, accepting electronic applications, and not pre-selecting candidates to be hired based on a candidate’s immigration status, according to the lawsuit.
      • In its investigation, the department determined that Facebook’s ineffective recruitment methods dissuaded U.S. workers from applying to its PERM positions. The department concluded that, during the relevant period, Facebook received zero or one U.S. worker applicants for 99.7 percent of its PERM positions, while comparable positions at Facebook that were advertised on its careers website during a similar time period typically attracted 100 or more applicants each. These U.S. workers were denied an opportunity to be considered for the jobs Facebook sought to channel to temporary visa holders, according to the lawsuit. 
      • Not only do Facebook’s alleged practices discriminate against U.S. workers, they have adverse consequences on temporary visa holders by creating an employment relationship that is not on equal terms. An employer that engages in the practices alleged in the lawsuit against Facebook can expect more temporary visa holders to apply for positions and increased retention post-hire. Such temporary visa holders often have limited job mobility and thus are likely to remain with their company until they can adjust status, which for some can be decades.
      • The United States’ complaint seeks civil penalties, back pay on behalf of U.S. workers denied employment at Facebook due to the alleged discrimination in favor of temporary visa holders, and other relief to ensure Facebook stops the alleged violations in the future. According to the lawsuit, and based on the department’s nearly two-year investigation, Facebook’s discrimination against U.S. workers was intentional, widespread, and in violation of a provision of the Immigration and Nationality Act (INA), 8 U.S.C. § 1324b(a)(1), that the Department of Justice’s Civil Rights Division enforces. 
  • A trio of consumer authority regulators took the lead in coming into agreement with Apple to add “a new section to each app’s product page in its App Store, containing key information about the data the app collects and an accessible summary of the most important information from the privacy policy.” The United Kingdom’s UK’s Competition and Markets Authority (CMA), the Netherlands Authority for Consumers and Markets and the Norwegian Consumer Authority led the effort that “ongoing work from the International Consumer Protection and Enforcement Network (ICPEN), involving 27 of its consumer authority members across the world.” The three agencies explained:
    • Consumer protection authorities, including the CMA, became concerned that people were not being given clear information on how their personal data would be used before choosing an app, including on whether the app developer would share their personal data with a third party. Without this information, consumers are unable to compare and choose apps based on how they use personal data.
  • Australia’s Council of Financial Regulators (CFR) has released a Cyber Operational Resilience Intelligence-led Exercises (CORIE) framework “to test and demonstrate the cyber maturity and resilience of institutions within the Australian financial services industry.”

Coming Events

  • On 15 December, the Senate Judiciary Committee’s Intellectual Property Subcommittee will hold a hearing titled “The Role of Private Agreements and Existing Technology in Curbing Online Piracy” with these witnesses:
    • Panel I
      • Ms. Ruth Vitale, Chief Executive Officer, CreativeFuture
      • Mr. Probir Mehta, Head of Global Intellectual Property and Trade Policy, Facebook, Inc.
      • Mr. Mitch Glazier, Chairman and CEO, Recording Industry Association of America
      • Mr. Joshua Lamel, Executive Director, Re:Create
    • Panel II
      • Ms. Katherine Oyama, Global Director of Business Public Policy, YouTube
      • Mr. Keith Kupferschmid, Chief Executive Officer, Copyright Alliance
      • Mr. Noah Becker, President and Co-Founder, AdRev
      • Mr. Dean S. Marks, Executive Director and Legal Counsel, Coalition for Online Accountability
  • The Senate Armed Services Committee’s Cybersecurity Subcommittee will hold a closed briefing on Department of Defense Cyber Operations on 15 December with these witnesses:
    • Mr. Thomas C. Wingfield, Deputy Assistant Secretary of Defense for Cyber Policy, Office of the Under Secretary of Defense for Policy
    • Mr. Jeffrey R. Jones, Vice Director, Command, Control, Communications and Computers/Cyber, Joint Staff, J-6
    • Ms. Katherine E. Arrington, Chief Information Security Officer for the Assistant Secretary of Defense for Acquisition, Office of the Under Secretary of Defense for Acquisition and Sustainment
    • Rear Admiral Jeffrey Czerewko, United States Navy, Deputy Director, Global Operations, J39, J3, Joint Staff
  • The Senate Banking, Housing, and Urban Affairs Committee’s Economic Policy Subcommittee will conduct a hearing titled “US-China: Winning the Economic Competition, Part II” on 16 December with these witnesses:
    • The Honorable Will Hurd, Member, United States House of Representatives;
    • Derek Scissors, Resident Scholar, American Enterprise Institute;
    • Melanie M. Hart, Ph.D., Senior Fellow and Director for China Policy, Center for American Progress; and
    • Roy Houseman, Legislative Director, United Steelworkers (USW).
  • On 17 December the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency’s (CISA) Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force will convene for a virtual event, “Partnership in Action: Driving Supply Chain Security.”

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by stein egil liland from Pexels

Task Force Calls For Enhanced Digital Regulation in UK

The UK may soon reform its competition and consumer laws visa vis digital markets.

A United Kingdom (UK) entity has recommended that Prime Minister Boris Johnson and his Conservative government remake digital regulation in the UK, especially with respect to competition policy. A task force has returned an extensive set of recommendations requiring legislation and increased coordination and a new focus for existing regulators. The timeline for such action is not clear, and Downing Street would have to agree before anything happens. However, the UK’s new regulatory scheme and the European Union’s ongoing efforts to revamp its regulatory approach to large technology firms will both likely affect United States (U.S.) multinationals such as Facebook and Google. It may also serve as a template for the U.S. to remake its regulation of digital competition.

The United Kingdom’s Competition & Markets Authority (CMA) led an effort consisting of the Office of Communications (Ofcom) and the Information Commissioner’s Office (ICO) in the form of the Digital Markets Taskforce. The Task Force follows the 2019 “Unlocking digital competition, Report of the Digital Competition Expert Panel”, an effort led by Obama Administration Council of Economic Advisers Chair Jason Furman and the more recent July 2020 “Online platforms and digital advertising market study.” In 2019, the Task Force issued its “Digital Markets Strategy” that “sets out five strategic aims, and seven priority focus areas.”

The Task Force acknowledged its efforts in the UK were not unique. It referenced similar inquiries and plans to reform other nations’ regulation of digital markets in the U.S., the EU, Germany, Japan, and Australia.

The Task Force summarized its findings:

The accumulation and strengthening of market power by a small number of digital firms has the potential to cause significant harm to consumers and businesses that rely on them, to innovative competitors and to the economy and society more widely:

  • A poor deal for consumers and businesses who rely on them. These firms can exploit their powerful positions. For consumers this can mean they get a worse deal than they would in a more competitive market, for example having less protection or control of their data. For businesses this can mean they are, for example, charged higher listing fees or higher prices for advertising online. These higher prices for businesses can then feed through into higher prices for consumers for a wide range of products and services across the economy.
  • Innovative competitors face an unfair disadvantage. A powerful digital firm can extend its strong position in one market into other markets, ultimately giving itself an unfair advantage over its rivals. This means innovative competitors, even if they have a good idea, are likely to find it much harder to compete and grow their businesses. This can result in long-term harmful effects on innovation and the dynamism of UK markets.
  • A less vibrant digital economy. If powerful digital firms act to unfairly disadvantage their innovative competitors, these innovative firms will find it harder to enter and expand in new markets, meaning the ‘unicorns’ of tomorrow that will support jobs and the future digital economy will not emerge.

The Task Force calls for the establishment of a new Digital Markets Unit (DMU) that would be particularly focused on policing potential harm before it occurs. Thus, the Task Force is calling for a regulator that is proactive and nimble enough to address risks to competition and consumers any harm happens. The DMU would oversee a new “Strategic Market Status” regime, and the Task Force is recommending that the government and Parliament revisit and refresh consumer and competition laws. The Task Force stated that the “government should put in place a regulatory framework for the most powerful digital firms, alongside strengthening existing competition and consumer laws…[and] [i]n considering the design of this regulatory framework we have sought to strike the right balance between the following key principles:

  • Evidence driven and effective – regulation must be effective, and that means ensuring it is evidence based, but also that it can react swiftly enough to prevent and address harms. The activities undertaken by the most powerful digital firms are diverse and a ‘one size fits all’ approach could have damaging results.
  • Proportionate and targeted – regulation must be proportionate and targeted at addressing a particular problem, minimising the risk of any possible unintended consequences.
  • Open, transparent and accountable – across all its work the DMU should operate in an open and transparent manner. In reaching decisions it should consult a wide range of parties. It should clearly articulate why it has reached decisions and be held accountable for them.
  • Proactive and forward-looking – the DMU should be focused on preventing harm from occurring, rather than enforcing ex post. It should seek to understand how digital markets might evolve, the risks this poses to competition and innovation, and act proactively to assess and manage those risks.
  • Coherent – the DMU should seek to promote coherence with other regulatory regimes both domestically and internationally, in particular by working through the Digital Regulation Cooperation Forum which is already working to deliver a step change in coordination and cooperation between regulators in digital markets.

The Task Force provided more detail on the new SMS scheme:

The entry point to the SMS regime is an assessment of whether a firm has ‘strategic market status’. This should be an evidence-based economic assessment as to whether a firm has substantial, entrenched market power in at least one digital activity, providing the firm with a strategic position (meaning the effects of its market power are likely to be particularly widespread and/or significant). It is focused on assessing the very factors which may give rise to harm, and which motivate the need for regulatory intervention.

Those firms that are designated with SMS should be subject to the following three pillars of the regime:

  • An enforceable code of conduct that sets out clearly how an SMS firm is expected to behave in relation to the activity motivating its SMS designation. The aim of the code is to manage the effects of market power, for example by preventing practices which exploit consumers and businesses or exclude innovative competitors.
  • Pro-competitive interventions like personal data mobility, interoperability and data access which can be used to address the factors which are the source of an SMS firm’s market power in a particular activity. These interventions seek to drive longer-term dynamic changes in these activities, opening up opportunities for greater competition and innovation.
  • SMS merger rules to ensure closer scrutiny of transactions involving SMS firms, given the particular risks and potential consumer harm arising from these transactions.

The SMS regime should be an ex ante regime, focused on proactively preventing harm. Fostering a compliance culture within SMS firms will be crucial to its overall success. However, a key part of fostering compliance is credible deterrence and the DMU will need to be able to take tough action where harm does occur, requiring firms to change their behaviour, and with the ability to impose substantial penalties. The ability to take tough action sits alongside enabling resolution through a participative approach, whereby the DMU seeks to engage constructively with all affected parties to achieve fast and effective results.

The Task Force sketched its ideal timeline during which Parliament would enact its recommendations, which would be next year at the earliest:

We believe the case for an ex ante regime in digital markets has been made. We therefore welcome the government’s response to the CMA’s online platforms and digital advertising market study, and its commitment to establishing a DMU from April 2021 within the CMA. We also welcome government’s commitment to consult on proposals for a new pro-competition regime in early 2021 and to legislate to put the DMU on a statutory footing when parliamentary time allows. We urge government to move quickly in taking this legislation forward. As government rightly acknowledges, similar action is being pursued across the globe and there is a clear opportunity for the UK to lead the way in championing a modern pro-competition, pro-innovation regime.

The Task Force summarized its recommendations to the government:

A Digital Markets Unit

Recommendation 1: The government should set up a DMU which should seek to further the interests of consumers and citizens in digital markets, by promoting competition and innovation.

  • Recommendation 1a: The DMU should be a centre of expertise and knowledge in relation to competition in digital markets.
  • Recommendation 1b: The DMU should be proactive, seeking to foster compliance with regulatory requirements and taking swift action to prevent harm from occurring.

A pro-competition regime for the most powerful digital firms

Recommendation 2: The government should establish a pro-competition framework, to be overseen by the DMU, to pursue measures in relation to SMS firms which further the interests of consumers and citizens, by promoting competition and innovation.

Recommendation 3: The government should provide the DMU with the power to designate a firm with SMS.

  • Recommendation 3a: SMS should require a finding that the firm has substantial, entrenched market power in at least one digital activity, providing the firm with a strategic position.
  • Recommendation 3b: The DMU should set out in formal guidance its prioritisation rules for designation assessments. These should include the firm’s revenue (globally and within the UK), the activity undertaken by the firm and a consideration of whether a sector regulator is better placed to address the issues of concern.
  • Recommendation 3c: The designation process should be open and transparent with a consultation on the provisional decision and the assessment completed within a statutory deadline.
  • Recommendation 3d: A firm’s SMS designation should be set for a fixed period before being reviewed.
  • Recommendation 3e: When a firm meets the SMS test, the associated remedies should apply only to a subset of the firm’s activities, whilst the status should apply to the firm as a whole.

Recommendation 4: The government should establish the SMS regime such that when the SMS test is met, the DMU can establish an enforceable code of conduct for the firm in relation to its designated activities to prevent it from taking advantage of its power and position.

  • Recommendation 4a: A code should comprise high-level objectives supported by principles and guidance.
  • Recommendation 4b: The objectives of the code should be set out in legislation, with the remainder of the content of each code to be determined by the DMU, tailored to the activity, conduct and harms it is intended to address.
  • Recommendation 4c: The DMU should ensure the code addresses the concerns about the effect of the power and position of SMS firms when dealing with publishers, as identified by the Cairncross Review.
  • Recommendation 4d: The code of conduct should always apply to the activity or activities which are the focus of the SMS designation.
  • Recommendation 4e: The DMU should consult on and establish a code as part of the designation assessment. The DMU should be able to vary the code outside the designation review cycle.

Recommendation 5: SMS firms should have a legal obligation to ensure their conduct is compliant with the requirements of the code at all times and put in place measures to foster compliance.

Recommendation 6: The government should establish the SMS regime such that the DMU can impose pro-competitive interventions on an SMS firm to drive dynamic change as well as to address harms related to the designated activities.

  • Recommendation 6a: With the exception of ownership separation, the DMU should not be limited in the types of remedies it is able to apply.
  • Recommendation 6b: The DMU should be able to implement PCIs anywhere within an SMS firm in order to address a concern related to its substantial entrenched market power and strategic position in a designated activity.
  • Recommendation 6c: In implementing a PCI the DMU should demonstrate that it is an effective and proportionate remedy to an adverse effect on competition or consumers. A PCI investigation should be completed within a fixed statutory deadline.
  • Recommendation 6d: PCIs should be implemented for a limited duration and should be regularly reviewed.

Recommendation 7: The government should establish the SMS regime such that the DMU can undertake monitoring in relation to the conduct of SMS firms and has a range of tools available to resolve concerns.

  • Recommendation 7a: Where appropriate, the DMU should seek to resolve concerns using a participative approach, engaging with parties to deliver fast and effective resolution.
  • Recommendation 7b: The DMU should be able to open formal investigations into breaches of the code and where a breach is found, require an SMS firm to change its behaviour. These investigations should be completed within a fixed statutory deadline.
  • Recommendation 7c: The DMU should be able to impose substantial penalties for breaches of the code and for breaches of code and PCI orders.
  • Recommendation 7d: The DMU should be able to take action quickly on an interim basis where it suspects the code has been breached.
  • Recommendation 7e: The DMU should be able to undertake scoping assessments where it is concerned there is an adverse effect on competition or consumers in relation to a designated activity. The outcome of such assessments could include a code breach investigation, a pro-competitive intervention investigation, or variation to a code principle or guidance.

Recommendation 8: The government should establish the SMS regime such that the DMU can draw information from a wide range of sources, including by using formal information gathering powers, to gather the evidence it needs to inform its work.

Recommendation 9: The government should ensure the DMU’s decisions are made in an open and transparent manner and that it is held accountable for them.

  • Recommendation 9a: The DMU’s decisions should allow for appropriate internal scrutiny.
  • Recommendation 9b: The DMU should consult on its decisions.
  • Recommendation 9c: The DMU’s decisions should be timely, with statutory deadlines used to set expectations and deliver speedy outcomes.
  • Recommendation 9d: The DMU’s decisions should be judicially reviewable on ordinary judicial review principles and the appeals process should deliver robust outcomes at pace.

Recommendation 10: The government should establish the SMS regime such that SMS firms are subject to additional merger control requirements.

Recommendation 11: The government should establish the SMS merger control regime such that SMS firms are required to report all transactions to the CMA. In addition, transactions that meet clear-cut thresholds should be subject to mandatory notification, with completion prohibited prior to clearance. Competition concerns should be assessed using the existing substantive test but a lower and more cautious standard of proof.

A modern competition and consumer regime for digital markets

Recommendation 12: The government should provide the DMU with a duty to monitor digital markets to enable it to build a detailed understanding of how digital businesses operate, and to provide the basis for swifter action to drive competition and innovation and prevent harm.

Recommendation 13: The government should strengthen competition and consumer protection laws and processes to ensure they are better adapted for the digital age.

  • Recommendation 13a: The government should pursue significant reforms to the markets regime to ensure it can be most effectively utilised to promote competition and innovation across digital markets, for example by pursuing measures like data mobility and interoperability.
  • Recommendation 13b: The government should strengthen powers to tackle unlawful or illegal activity or content on digital platforms which could result in economic detriment to consumers and businesses.
  • Recommendation 13c: The government should take action to strengthen powers to enable effective consumer choice in digital markets, including by addressing instances where choice architecture leads to consumer harm.
  • Recommendation 13d: The government should provide for stronger enforcement of the Platform to Business Regulation.

A coherent regulatory landscape

Recommendation 14: The government should ensure the DMU is able to work closely with other regulators with responsibility for digital markets, in particular Ofcom, the ICO and the FCA.

  • Recommendation 14a: The DMU should be able to share information with other regulators and seek reciprocal arrangements.
  • Recommendation 14b: The government should consider, in consultation with Ofcom and the FCA, empowering these agencies with joint powers with the DMU in relation to the SMS regime, with the DMU being the primary authority.

Recommendation 15: The government should enable the DMU to work closely with regulators in other jurisdictions to promote a coherent regulatory landscape.

  • Recommendation 15a: The DMU should be able to share information with regulators in other jurisdictions and should seek reciprocal arrangements.
  • Recommendation 15b: The DMU should explore establishing a network of international competition and consumer agencies to facilitate better monitoring and action in relation to the conduct of SMS firms.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Free-Photos from Pixabay

U.S. Federal Government and States Ask Court To Break Up Facebook

Antitrust suits finally filed against Facebook. The U.S. and state governments want to spin off WhatsApp and Instagram.

As has been long rumored, the Federal Trade Commission (FTC) and state attorneys general have filed lawsuits against Facebook, claiming the social media giant has pursued anti-competitive practices in violation of federal and state laws. This is the second major lawsuit filed this fall against a tech giant and may not be the last. The lawsuits make the case that the appropriate way to rectify the pattern of abuse is to spin off WhatsApp and Instagram among other requested legal relief. Probably not by accident, but both suits were filed in the same federal court, and consequently the suits will likely be consolidated with the FTC and the states working together in litigating against Facebook. This case may not be resolved until well into the Biden Administration.

The FTC voted to proceed with the antitrust and anti-competition action on a 3-2 vote with Chair Joseph Simons siding with the two Democratic Commissioners. The other two Republicans voted no but did so without issuing a dissent or statement, explaining their views or arguing the majority’s approach is wrong or misguided.

In the suit filed in the District Court of the District of Columbia, the FTC claims that Facebook has violated Section 2 of the Sherman Antitrust Act and by extension Section 5 of the FTC Act through buying potential rivals WhatsApp and Instagram and forcing any companies that want to use Facebook’s application programming interfaces not to compete with Facebook or Facebook Messenger. As a result, the FCT claims, people have no functional options for social messaging and personal networking and the online advertising market hurts advertisers and ultimately consumers given Facebook’s dominance of the market.

The FTC asserted:

  • Facebook has maintained its monopoly position by buying up companies that present competitive threats and by imposing restrictive policies that unjustifiably hinder actual or potential rivals that Facebook does not or cannot acquire.
  • Facebook holds monopoly power in the market for personal social networking services (“personal social networking” or “personal social networking services”) in the United States, which it enjoys primarily through its control of the largest and most profitable social network in the world, known internally at Facebook as “Facebook Blue,” and to much of the world simply as “Facebook.”
  • Facebook’s unmatched position has provided it with staggering profits. Facebook monetizes its personal social networking monopoly principally by selling advertising, which exploits a rich set of data about users’ activities, interests, and affiliations to target advertisements to users. Last year alone, Facebook generated revenues of more than $70 billion and profits of more than $18.5 billion.
  • Since toppling early rival Myspace and achieving monopoly power, Facebook has turned to playing defense through anticompetitive means. After identifying two significant competitive threats to its dominant position—Instagram and WhatsApp—Facebook moved to squelch those threats by buying the companies, reflecting CEO Mark Zuckerberg’s view, expressed in a 2008 email, that “it is better to buy than compete.” To further entrench its position, Facebook has also imposed anticompetitive conditions that restricted access to its valuable platform—conditions that Facebook personnel recognized as “anti user[,]” “hypocritical” in light of Facebook’s purported mission of enabling sharing, and a signal that “we’re scared that we can’t compete on our own merits.”
  • As Facebook has long recognized, its personal social networking monopoly is protected by high barriers to entry, including strong network effects. In particular, because a personal social network is generally more valuable to a user when more of that user’s friends and family are already members, a new entrant faces significant difficulties in attracting a sufficient user base to compete with Facebook. Facebook’s internal documents confirm that it is very difficult to win users with a social networking product built around a particular social “mechanic” (i.e., a particular way to connect and interact with others, such as photo-sharing) that is already being used by an incumbent with dominant scale. Even an entrant with a “better” product often cannot succeed against the overwhelming network effects enjoyed by a dominant personal social network.
  • In an effort to preserve its monopoly in the provision of personal social networking, Facebook has, for many years, continued to engage in a course of anticompetitive conduct with the aim of suppressing, neutralizing, and deterring serious competitive threats to Facebook Blue. This course of conduct has had three main elements: acquiring Instagram, acquiring WhatsApp, and the anticompetitive conditioning of access to its platform to suppress competition.

The FTC detailed the harm to people and to competition:

  • Through at least the foregoing conduct, Facebook suppresses, deters, hinders, and eliminates personal social networking competition, and maintains its monopoly power in the U.S. personal social networking market, through means other than merits competition. In doing so, Facebook deprives users of personal social networking in the United States of the benefits of competition, including increased choice, quality, and innovation. Facebook cannot justify this substantial harm to competition with claimed efficiencies, procompetitive benefits, or business justifications that could not be achieved through other means.
  • By suppressing, neutralizing, and deterring the emergence and growth of personal social networking rivals, Facebook also suppresses meaningful competition for the sale of advertising. Personal social networking providers typically monetize through the sale of advertising; thus, more competition in personal social networking is also likely to mean more competition in the provision of advertising. By monopolizing personal social networking, Facebook thereby also deprives advertisers of the benefits of competition, such as lower advertising prices and increased choice, quality, and innovation related to advertising.

The FTC asked the court for a ruling that:

  1. that Facebook’s course of conduct, as alleged herein, violates Section 2 of the Sherman Act and thus constitutes an unfair method of competition in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a);
  2. divestiture of assets, divestiture or reconstruction of businesses (including, but not limited to, Instagram and/or WhatsApp), and such other relief sufficient to restore the competition that would exist absent the conduct alleged in the Complaint, including, to the extent reasonably necessary, the provision of ongoing support or services from Facebook to one or more viable and independent business(es);
  3. any other equitable relief necessary to restore competition and remedy the harm to competition caused by Facebook’s anticompetitive conduct described above;
  4. a prior notice and prior approval obligation for future mergers and acquisitions;
  5. that Facebook is permanently enjoined from imposing anticompetitive conditions on access to APIs and data;
  6. that Facebook is permanently enjoined from engaging in the unlawful conduct described herein;
  7. that Facebook is permanently enjoined from engaging in similar or related conduct in the future;
  8. a requirement to file periodic compliance reports with the FTC, and to submit to such reporting and monitoring obligations as may be reasonable and appropriate; and
  9. any other equitable relief, including, but not limited to, divestiture or restructuring, as the Court finds necessary to redress and prevent recurrence of Facebook’s violations of law, as alleged herein.

46 states, the District of Columbia, and the territory of Guam filed suit the same day against Facebook, alleging violations of Sections 16 and 7 of the Clayton Act and Section 2 of the Sherman Act. The suit was also filed in the District Court of the District of Columbia. The state attorneys general who filed suit against Facebook represent the following jurisdictions: Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, District of Columbia, Florida, the territory of Guam, Hawaii, Idaho, Illinois, Iowa, Indiana, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin, and Wyoming.

The states made their case that Facebook has violated federal antitrust and anti-competition laws:

  • Every day, more than half of the United States population over the age of 13 turns to a Facebook service to keep them in touch with the people, organizations, and interests that matter most to them. For them, Facebook provides an important forum for sharing personal milestones and other intimate details about their lives to friends and family: for example, announcing the birth of a child or grieving the loss of a close relative; sharing photos and videos of children and grandchildren; and debating politics and public events.
  • Users do not pay a cash price to use Facebook. Instead, users exchange their time, attention, and personal data for access to Facebook’s services.
  • Facebook makes its money by selling ads. Facebook sells advertising to firms that attach immense value to the user engagement and highly targeted advertising that Facebook can uniquely deliver due to its massive network of users and the vast trove of data it has collected on users, their friends, and their interests. The more data Facebook accumulates by surveilling the activities of its users and the more time the company convinces users to spend engaging on Facebook services, the more money the company makes through its advertising business.
  • For almost a decade, Facebook has had monopoly power in the personal social networking market in the United States. As set forth in detail below, Facebook illegally maintains that monopoly power by deploying a buy-or-bury strategy that thwarts competition and harms both users and advertisers.
  • Facebook’s illegal course of conduct has been driven, in part, by fear that the company has fallen behind in important new segments and that emerging firms were “building networks that were competitive with” Facebook’s and could be “very disruptive to” the company’s dominance. As Facebook’s founder and CEO, Mark Zuckerberg observed, “[o]ne thing about startups . . . is you can often acquire them,” indicating at other times that such acquisitions would enable Facebook to “build a competitive moat” or “neutralize a competitor.”
  • Zuckerberg recognized early that even when these companies were not inclined to sell, if Facebook offered a “high enough price . . . they’d have to consider it.” Facebook has coupled its acquisition strategy with exclusionary tactics that snuffed out competitive threats and sent the message to technology firms that, in the words of one participant, if you stepped into Facebook’s turf or resisted pressure to sell, Zuckerberg would go into “destroy mode” subjecting your business to the “wrath of Mark.” As a result, Facebook has chilled innovation, deterred investment, and forestalled competition in the markets in which it operates, and it continues to do so.
  • Facebook’s unlawfully maintained monopoly power gives it wide latitude to set the terms for how its users’ private information is collected, used, and protected. In addition, because Facebook decides how and whether the content shared by users is displayed to other users, Facebook’s monopoly gives it significant control over how users engage with their closest connections and what content users see when they do. Because Facebook users have nowhere else to go for this important service, the company is able to make decisions about how and whether to display content on the platform and can use the personal information it collects from users solely to further its business interests, free from competitive constraints, even where those choices conflict with the interests and preferences of Facebook users.
  • choice in personal social networks, suppressed innovation, and reduced investment in potentially competing services. Facebook’s conduct deprives users of product improvements and, as a result, users have suffered, and continue to suffer, reductions in the quality and variety of privacy options and content available to them.
  • By eliminating, suppressing, and deterring the emergence and growth of personal social networking rivals, Facebook also harms advertisers in a number of ways, including less transparency to assess the value they receive from advertisements, and harm to their brand due to offensive content on Facebook services.
  • Facebook’s anticompetitive campaign to forestall competing services that might threaten its dominance in personal social networking services includes a variety of tactics.

The states are asking the court for the following relief:

  1. That Facebook be adjudged to have violated Section 2 of the Sherman Act, 15 U.S.C. § 2;
  2. That Facebook be enjoined and restrained from continuing to engage in any anticompetitive conduct and from adopting in the future any practice, plan, program, or device having a similar purpose or effect to the anticompetitive actions set forth above;
  3. That Facebook be enjoined and restrained from making further acquisitions valued at or in excess of $10 million without advance notification to Plaintiff States;
  4. That Facebook be enjoined and restrained from making further acquisitions without such disclosures to Plaintiff States as would be required to the federal government under the Hart-Scott-Rodino Act for transactions falling within the scope of such Act;
  5. That Facebook’s acquisition of Instagram be adjudged to be in violation of Section 7 of the Clayton Act, 15 U.S.C. § 18;
  6. That Facebook’s acquisition of WhatsApp be adjudged to be in violation of Section 7 of the Clayton Act, 15 U.S.C. § 18;
  7. That each Plaintiff State be awarded its costs, including reasonable attorneys’ fees pursuant to 15 U.S.C. § 15(c); and
  8. That the Court order such other and further equitable relief as this Court may deem appropriate to restore competitive conditions and lost competition and to prevent future violations, including divestiture or reconstruction of illegally acquired businesses and/or divestiture of Facebook assets or business lines.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Further Reading, Other Developments, and Coming Events (18 November)

Further Reading

  • Trump fires top DHS official who refuted his claims that the election was rigged” By Ellen Nakashima and Nick Miroff — The Washington Post. As rumored, President Donald Trump has decapitated the United States’ (U.S.) Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). Director Christopher Krebs was fired via Twitter, after he had endorsed a letter by 59 experts on election security who said there was no fraud in the election. Trump tweeted: “The recent statement by Chris Krebs on the security of the 2020 Election was highly inaccurate, in that there were massive improprieties and fraud — including dead people voting, Poll Watchers not allowed into polling locations, ‘glitches’ in the voting machines which changed votes from Trump to Biden, late voting, and many more. Therefore, effective immediately, Chris Krebs has been terminated as Director of the Cybersecurity and Infrastructure Security Agency.” Of course, the statement CISA cosigned and issued last week asserting there was no evidence of fraud or wrongdoing in the election probably did not help his prospects. Additionally, CISA Deputy Director Matthew Travis was essentially forced out when he was informed the normal succession plan would be ignored and he would not become the acting head of CISA. A CISA senior civil servant, Brandon Wales, will helm the agency in an acting basis. Last week, CISA’s Assistant Director for Cybersecurity Bryan Ware was forced out.
  • NSA Spied On Denmark As It Chose Its Future Fighter Aircraft: Report” By Thomas Newdick — The Drive. A Danish media outlet is claiming the United States U.S. National Security Agency (NSA) spied Denmark’s Ministry of Finance, the Ministry of Foreign Affairs, and the defense firm Terma in order to help Lockheed Martin’s bid to sell F-35 Joint Strike Fighters to Denmark. Eurofighter GmbH and Saab were offering their Typhoon and Gripen fighters to replace Denmark’s F-16s. Reportedly, the NSA used an existing arrangement with Denmark to obtain information from a program allowing the NSA access to fiber optics cables in the country. It is likely Denmark did not have such surveillance in mind when it struck this agreement with the U.S. Two whistleblowers reports have been filed with the Forsvarets Efterretningstjeneste (FE), Denmark’s Defense Intelligence Service, and there are allegations that the U.S. surveillance was illegal. However, the surveillance appears not to have influenced the Danish government, which opted for the F-35. Earlier this year, there were allegations the FE was improperly sharing Danish cables containing information on Danish citizens improperly.
  • Facebook Knows That Adding Labels To Trump’s False Claims Does Little To Stop Their Spread” By Craig Silverman and Ryan Mac — BuzzFeed News. These reporters must know half of Facebook’s staff because they always see what is going on internally with the company. In this latest scoop, they say they have seen internal numbers showing that labeling President Donald Trump’s false tweets have done little to slow their spread. In fact, labelling may only slow their spread by 8%. This outcome is contrary to a practice Facebook employed in 2017 under which fact checkers would label untrue posts as false. This reduced their virality by 80%.
  • Apple Halves Its App Store Fee for the Smaller Companies” By Jack Nicas — The New York Times. The holiday spirit must already be afoot in Cupertino, California, for small app developers will now only pay Apple 15% of in-app purchases for the privilege of being in the App Store. Of course, this decision has nothing to do with the antitrust pressure the company is facing in the European Union and United States (U.S.) and will have very little impact on their bottom line since app developers with less than $1 million in revenue (i.e., those entitled to a reduction) account for 2% of App Store revenue. It does give Apple leadership and executive some great talking points when pressed by antitrust investigators, legislators, and the media.
  • Inside the behind-the-scenes fight to convince Joe Biden about Silicon Valley” By Theodore Schleifer — recode. The jockeying among factions in the Democratic party and other stakeholders is fierce and will only grow fiercer when it comes to who will serve where in a Biden Administration. Silicon Valley and those who would reform tech are fighting to get people amenable to their policy goals placed in the new Administration. President-elect Joe Biden and his campaign were ambiguous on many tech policy issues and have flexibility which has been further helped by appointing people respected in both camps like new White House Chief of Staff Ron Klain.
  • Group of 165 Google critics calls for swift EU antitrust action – letter” By Foo Yun Chee — Reuters. A wide-ranging group of companies and industry associations are urging the European Union to investigate and punish what they see as Google’s anti-competitive dominance of online search engines, especially the One Box that now appears at the top of search results that points people to Google sites and products.

Other Developments

  • The European Union (EU) announced a revision of its export control process for allowing the export of dual use items, including cyber surveillance tools. The European Commission (EC) asserted “[t]hanks to the new Regulation, the EU can now effectively protect its interests and values and, in particular, address the risk of violations of human rights associated with trade in cyber-surveillance technologies without prior agreement at multilateral level…[and] also enhances the EU’s capacity to control trade flows in sensitive new and emerging technologies. The EC explained “[t]he new Regulation includes many of the Commission proposals for a comprehensive “system upgrade”, and will make the existing EU Export control system more effective by:
    • introducing a novel ‘human security’ dimension so the EU can respond to the challenges posed by emerging dual-use technologies – especially cyber-surveillance technologies – that pose a risk to national and international security, including protecting human rights;
    • updating key notions and definitions (e.g. definition of an “exporter” to apply to natural persons and researchers involved in dual-use technology transfers);
    • simplifying and harmonising licensing procedures and allowing the Commission to amend – by ‘simplified’ procedure, i.e. delegated act – the list of items or destinations subject to specific forms of control, thereby making the export control system more agile and able to evolve and adjust to circumstances;
    • enhancing information-exchange between licensing authorities and the Commission with a view to increasing transparency of licensing decisions;
    • coordination of, and support for, robust enforcement of controls, including enhancing secure electronic information-exchange between licensing and enforcement agencies;
    • developing an EU capacity-building and training programme for Member States’ licensing and enforcement authorities;
    • outreach to industry and transparency with stakeholders, developing a structured relationship with the private sector through specific consultations of stakeholders by the relevant Commission group of Member-State experts, and;
    • setting up a dialogue with third countries and seeking a level playing field at global level.
    • The European Parliament contended:
      • The reviewed rules, agreed by Parliament and Council negotiators, govern the export of so-called dual use goods, software and technology – for example, high-performance computers, drones and certain chemicals – with civilian applications that might be repurposed to be used in ways which violate human rights.
      • The current update, made necessary by technological developments and growing security risks, includes new criteria to grant or reject export licenses for certain items.
      • The Parliament added its negotiators
        • got agreement on setting up an EU-wide regime to control cyber-surveillance items that are not listed as dual-use items in international regimes, in the interest of protecting human rights and political freedoms;
        • strengthened member states’ public reporting obligations on export controls, so far patchy, to make the cyber-surveillance sector in particular more transparent;
        • increased the importance of human rights as licensing criterion; and
        • agreed on rules to swiftly include emerging technologies in the regulation.
  • The United States House of Representatives passed three technology bills by voice vote yesterday. Two of these bills would address in different ways the United States’ (U.S.) efforts to make up ground on the People’s Republic of China in the race to roll out 5G networks. It is possible but not foreseeable whether the Senate will take up these bills before year’s end and send them to the White House. It is possible given how discrete the bills are in scope. The House Energy and Commerce Committee provided these summaries:
    • The “Utilizing Strategic Allied (USA) Telecommunications Act of 2020” (H.R.6624) creates a new grant program through the National Telecommunications and Information Administration (NTIA) to promote technology that enhances supply chain security and market competitiveness in wireless communications networks.
      • One of the bill’s sponsors, House Energy and Commerce Committee Chair Frank Pallone Jr (D-NJ) stated:
        • Earlier this year, the House passed, and the President signed, my Secure and Trusted Communications Networks Act to create a program to fund the replacement of suspect network equipment. Suspect equipment, including that produced by Huawei and ZTE, could allow foreign adversaries to surveil Americans at home or, worse, disrupt our communications systems.
        • While we are still pushing for Congress to appropriate funds to that end, it is important to recognize that my legislation was only half the battle, even when it is funded. We also need to create and foster competition for trusted network equipment that uses open interfaces so that the United States is not beholden to a market for network equipment that is becoming less competitive. This bill before us today, the Utilizing Strategic Allied Telecommunications Act, or the USA Telecommunications Act, does just that.
        • The bipartisan legislation creates a grant program and authorizes $750 million in funding for the National Telecommunications and Information Administration to help promote and deploy Open Radio Access Network technologies that can spur that type of competition. We must support alternatives to companies like Huawei and ZTE…
    • The “Spectrum IT Modernization Act of 2020” (H.R.7310) requires NTIA – in consultation with the Policy and Plans Steering Group – to submit to Congress a report on its plans to modernize agency information technology systems relating to managing the use of federal spectrum. 
      • A sponsor of the bill, House Energy and Commerce Committee Ranking Member Greg Walden (R-OR) explained:
      • H.R. 7310 would require NTIA to establish a process to upgrade their spectrum management infrastructure for the 21st century. The bill would direct the policy coordination arm of NTIA to submit a plan to Congress as to how they will standardize the data collection across agencies and then directs agencies with Federal spectrum assignments from NTIA to issue an implementation plan to interoperate with NTIA’s plan.
      • This is a good-government bill–it really is–and with continued support and oversight from Congress, we can continue the United States’ leadership in making Federal spectrum available for flexible use by the private sector.
    • The “Reliable Emergency Alert Distribution Improvement (READI) Act of 2020” (H.R.6096) amends the Warning, Alert, and Response Network Act to classify emergency alerts from the Federal Emergency Management Agency as a type of alert that commercial mobile service providers may not allow subscribers to block from their devices. The bill also directs the Federal Communications Commission (FCC) to adopt regulations to facilitate coordination with State Emergency Communications Committees in developing and modernizing State Emergency Alert System plans. Finally, the READI Act directs the FCC to examine the feasibility of modernizing the Emergency Alert System by expanding alert distribution to the internet and streaming services.  
  • The same privacy activists that brought the suits that resulted in the striking down of the Safe Harbor and Privacy Shield agreements have filed complaints in Spain and Germany that Apple has violated the European Union’s (EU) e-Privacy Directive and laws in each nation through its use of IDFA (Apple’s Identifier for Advertisers). Because the General Data Protection Regulation (GDPR) is not the grounds for the complaints, each nation could act without needing to consult other EU nations. Moreover, a similar system used by Google is also being investigated for possible violations. The group none of your business (noyb) asserted:
    • IDFA – the cookie in every iPhone user’s pocket. Each iPhone runs on Apple’s iOS operating system. By default, iOS automatically generates a unique “IDFA” (short for Identifier for Advertisers) for each iPhone. Just like a license plate this unique string of numbers and characters allows Apple and other third parties to identify users across applications and even connect online and mobile behaviour (“cross device tracking”).
    • Tracking without user consent. Apple’s operating system creates the IDFA without user’s knowledge or consent. After its creation, Apple and third parties (e.g. applications providers and advertisers) can access the IDFA to track users’ behaviour, elaborate consumption preferences and provide personalised advertising. Such tracking is strictly regulated by the EU “Cookie Law” (Article 5(3) of the e-Privacy Directive) and requires the users’ informed and unambiguous consent.
    • Insufficient “improvement” on third-party access. Recently Apple announced plans for future changes to the IDFA system. These changes seem to restrict the use of the IDFA for third parties (but not for Apple itself). Just like when an app requests access to the camera or microphone, the plans foresee a new dialog that asks the user if an app should be able to access the IDFA. However, the initial storage of the IDFA and Apple’s use of it will still be done without the users’ consent and therefore in breach of EU law. It is unclear when and if these changes will be implemented by the company.
    • No need for EU cooperation. As the complaint is based on Article 5(3) of the e-Privacy Directive and not the GDPR, the Spanish and German authorities can directly fine Apple, without the need for cooperation among EU Data Protection Authorities as under GDPR.
  • The Federal Trade Commission (FTC) Chair made remarks at antitrust conference on how antitrust law should view “an acquisition of a nascent competitive threat by a monopolist when there is reason to think that the state of competition today may not tell the whole story.” Chair Joseph Simons views are timely for a number of reasons, particularly the extent to which large technology firms have sought and bought smaller, newer companies. Obviously, the acquisitions of WhatsApp and Instagram by Facebook and YouTube and AdSense by Google come to mind as the sorts of acquisitions United States (U.S.) regulators approved, possibly without much thought given to what a future market may look like for competition if the larger, dominant company is allowed to proceed. Simons suggested regulators and courts would be wise to give this aspect of antitrust mush more thought, which could theoretically inform the approach the Biden Department of Justice and FTC take. Simons stated:
    • And if firms are looking to the future, then antitrust enforcers should too. We must be willing and able to recognize that harm to competition might not be obvious from looking at the marketplace as it stands. If we confine ourselves to examining a static picture of the market at the moment we investigate a practice or transaction, without regard to the dynamic business realities at work, then we risk forfeiting the benefits of competition that could arise in the future to challenge the dominant firm, even when this future competition is to some extent uncertain.
    • Simons asserted:
      • A merger or acquisition can of course constitute anticompetitive conduct for purposes of Section 2 [of the Sherman Act]
      • From a competition perspective, a monopolist can “squash” a nascent competitor by buying it, not just by targeting it with anticompetitive actions as Microsoft did. In fact, from the monopolist’s perspective, it may be easier and more effective to buy the nascent threat (even if only to keep it out of the hands of others) than to target it with other types of anticompetitive conduct.
      • A central issue in potential competition cases is the nature and strength of evidence that the parties will become actual competitors in the future. Some cases have applied Section 7 [of the Clayton Act] narrowly in this context: too narrowly, I think, given that the purpose of Section 7 is to prohibit acquisitions that “may” substantially lessen competition or “tend” to create a monopoly.
    • Simons concluded:
      • But uncertainty has always been a feature of the competitive process, even in markets that appear to be simple or traditional, and dealing with uncertainty is all in a day’s work for an antitrust enforcer. I have referred to the Microsoft case repeatedly today, so, in closing, let me remind everyone that there was some uncertainty about the future in Microsoft as well. The court, in holding that the plaintiff does not and should not bear the burden of “reconstruct[ing] a product’s hypothetical development,” observed that the defendant should appropriately be “made to suffer the uncertain consequences of its own undesirable conduct.” The same holds when the monopolist has simply chosen to acquire the threat.
  • The National Institute of Standards and Technology’s (NIST) National Initiative for Cybersecurity Education (NICE) revised the Workforce Framework for Cybersecurity (NICE Framework) that “improves communications about how to identify, recruit, develop, and retain cybersecurity talent ­ – offering a common, consistent lexicon that categorizes and describes cybersecurity work.” NIST explained:
    • The NICE Framework assists organizations with managing cybersecurity risks by providing a way to discuss the work and learners associated with cybersecurity. These cybersecurity risks are an important input into enterprise risk decisions as described in NIST Interagency Report 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM).
    • NIST stated “[r]evisions to the NICE Framework (NIST Special Publication 800-181) provide:
      • A streamlined set of “building blocks” comprised of Task, Knowledge, and Skill Statements;
      • The introduction of Competencies as a mechanism for organizations to assess learners; and
      • A reference to artifacts, such as Work Roles and Knowledge Skills and Abilities statements, that will live outside of the publication to enable a more fluid update process.
  • A left center think tank published a report on how the United States (U.S.) and likeminded nations can better fight cybercrime. In the report addressed to President-elect Joe Biden and Vice President-elect Kamala Harris, the Third Way presented the results of a “multiyear effort to define concrete steps to improve the government’s ability to tackle the scourge of cybercrime by better identifying unlawful perpetrators and imposing meaningful consequences on them and those behind their actions.” In “A Roadmap to Strengthen US Cyber Enforcement: Where Do We Go From Here?,” the Third Way made a list of detailed recommendations on how the Biden Administration could better fight cybercrime, but in the cover letter to the report, there was a high level summary of these recommendations:
    • In this roadmap, we identify the challenges the US government faces in investigating and prosecuting these crimes and advancing the level of international cooperation necessary to do so. Cyberattackers take great pains to hide their identity, using sophisticated tools that require technical investigative and forensic expertise to attribute the attacks. The attacks are often done at scale, where perpetrators prey on multiple victims across many jurisdictions and countries, requiring coordination across criminal justice agencies. The skills necessary to investigate these crimes are in high demand in the private sector, making it difficult to retain qualified personnel. A number of diplomatic barriers make cross-border cooperation difficult, a challenge exacerbated often by blurred lines line between state and non-state actors in perpetrating these crimes.
    • This roadmap recommends actions that your administration can take to develop a comprehensive strategy to reduce cybercrime and minimize its impact on the American people by identifying the perpetrators and imposing meaningful consequences on them. We propose you make clear at the outset to the American public and global partners that cyber enforcement will be a top priority for your administration. In reinstating a White House cybersecurity position, we have extensive recommendations on how that position should address cybercrime. And, to make policy from an intelligence baseline, we believe you should request a National Intelligence Estimate on the linkages between cybercrime and nation-state cyber actors to understand the scope of the problem.
    • Our law enforcement working group has detailed recommendations to improve and modernize law enforcement’s ability to track and respond to cybercrime. And our global cooperation working group has detailed recommendations on creating a cohesive international cyber engagement strategy; assessing and improving the capacity of foreign partners on cybercrime; and improving the process for cross-border data requests that are critical to solving these crimes. We believe that with these recommendations, you can make substantial strides in bringing cybercriminals to justice and deterring future cybercriminals from victimizing Americans.

Coming Events

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

EU Announces One Antitrust Action Against A Big Tech Firm and Previews Another

The EU commences with one antitrust action against Amazon while investigating other possible violations.

The European Commission (EC) released a summary of its findings in one antitrust investigation against Amazon, finding enough evidence to proceed while also starting the process to investigate another alleged violation by the United States (U.S.) multinational. The EC started its investigation of Amazon in July 2019, and this action follows an announced investigation of Apple earlier this year. Also, the European Union (EU) has fined Google €8.2 billion cumulatively for three separate antitrust violations over the last five or six years. Moreover, the EC is readying a “Digital Markets Act” to update the EU’s competition laws.

Article 102 of the Treaty on the Functioning of the European Union (TFEU) bars a company from abusing its dominant market position. The EC is asserting that Amazon has a dominant market position regarding its use of sales data from selling the items of third parties that the company sometimes uses to undercut the third parties. According to the EC, this is abuse in violation of Article 102, and it has issued a Statement of Objections. However, the process by which an antitrust action in the EU is brought is not finished at this stage. Amazon will have the opportunity to respond and any final decision, particularly fines, must be approved by the Advisory Committee which consists of the EU’s competition authorities.

In its press statement, the EC explained:

  • The European Commission has informed Amazon of its preliminary view that it has breached EU antitrust rules by distorting competition in online retail markets. The Commission takes issue with Amazon systematically relying on non-public business data of independent sellers who sell on its marketplace, to the benefit of Amazon’s own retail business, which directly competes with those third party sellers.
  • The Commission also opened a second formal antitrust investigation into the possible preferential treatment of Amazon’s own retail offers and those of marketplace sellers that use Amazon’s logistics and delivery services.

In its Statement of Objections, the EC further detailed its case that Amazon’s access to and use of private business data of third-party sellers for Amazon’s benefit distorts competition contrary to EU law:

  • Amazon has a dual role as a platform: (i) it provides a marketplace where independent sellers can sell products directly to consumers; and (ii) it sells products as a retailer on the same marketplace, in competition with those sellers.
  • As a marketplace service provider, Amazon has access to non-public business data of third party sellers such as the number of ordered and shipped units of products, the sellers’ revenues on the marketplace, the number of visits to sellers’ offers, data relating to shipping, to sellers’ past performance, and other consumer claims on products, including the activated guarantees.
  • The Commission’s preliminary findings show that very large quantities of non-public seller data are available to employees of Amazon’s retail business and flow directly into the automated systems of that business, which aggregate these data and use them to calibrate Amazon’s retail offers and strategic business decisions to the detriment of the other marketplace sellers. For example, it allows Amazon to focus its offers in the best-selling products across product categories and to adjust its offers in view of non-public data of competing sellers.
  • The Commission’s preliminary view, outlined in its Statement of Objections, is that the use of non-public marketplace seller data allows Amazon to avoid the normal risks of retail competition and to leverage its dominance in the market for the provision of marketplace services in France and Germany- the biggest markets for Amazon in the EU. If confirmed, this would infringe Article 102 of the TFEU that prohibits the abuse of a dominant market position.

The EC also launched another inquiry into the platform’s practices that allegedly favor the company’s items as compared to third-party sellers and also those items offered by third-parties that use Amazon’s logistics and delivery services. The EC explained it “opened a second antitrust investigation into Amazon’s business practices that might artificially favour its own retail offers and offers of marketplace sellers that use Amazon’s logistics and delivery services (the so-called “fulfilment by Amazon or FBA sellers”).” The EC continued:

  • In particular, the Commission will investigate whether the criteria that Amazon sets to select the winner of the “Buy Box” and to enable sellers to offer products to Prime users, under Amazon’s Prime loyalty programme, lead to preferential treatment of Amazon’s retail business or of the sellers that use Amazon’s logistics and delivery services.
  • The “Buy Box” is displayed prominently on Amazon’s websites and allows customers to add items from a specific retailer directly into their shopping carts. Winning the “Buy Box” (i.e. being chosen as the offer that features in this box) is crucial to marketplace sellers as the Buy Box prominently shows the offer of one single seller for a chosen product on Amazon’s marketplaces, and generates the vast majority of all sales. The other aspect of the investigation focusses on the possibility for marketplace sellers to effectively reach Prime users. Reaching these consumers is important to sellers because the number of Prime users is continuously growing and because they tend to generate more sales on Amazon’s marketplaces than non-Prime users.
  • If proven, the practice under investigation may breach Article 102 of the TFEU that prohibits the abuse of a dominant market position.

The EC’s antitrust action may be followed by an action by the United States (U.S.) government. It has been reported in the media that the Federal Trade Commission (FTC) is also investigating Amazon’s conduct visa vis third-party sellers on its platform and could also bring suit. However, there may be a lack of bandwidth and resources at the agency if it proceeds with an antitrust action against Facebook as is rumored to be filed by year’s end.

Moreover, the U.S. House of Representatives’ Judiciary Committee’s Antitrust, Commercial and Administrative Law Subcommittee’s “Investigation into Competition in Online Markets” detailed the same conduct the EU is alleging violates antitrust law:

One of the widely reported ways in which Amazon treats third-party sellers unfairly centers on Amazon’s asymmetric access to and use of third-party seller data. During the investigation, the Subcommittee heard repeated concerns that Amazon leverages its access to third-party sellers’ data to identify and replicate popular and profitable products from among the hundreds of millions of listings on its marketplace. Armed with this information, it appears that Amazon would: (1) copy the product to create a competing private-label product; or (2) identify and source the product directly from the manufacturer to free ride off the seller’s efforts, and then cut that seller out of the equation.

Amazon claims that it has no incentive to abuse sellers’ trust because third-party sales make up nearly 60% of its sales, and that Amazon’s first-party sales are relatively small. Amazon has similarly pointed out that third-party listings far outnumber Amazon’s first-party listings. In a recent shareholder letter, CEO Jeff Bezos wrote, “Third-party sellers are kicking our first-party butt. Badly.” In response to a question from the Subcommittee, however, Amazon admitted that by percentage of sales—a more telling measure—Amazon’s first-party sales are significant and growing in a number of categories. For example, in books, Amazon owns 74% of sales, whereas third-party sellers only account for 26% of sales. At the category level, it does not appear that third-party sellers are kicking Amazon’s first-party butt. Amazon may, in fact, be positioned to overtake its thirdparty sellers in several categories as its first-party business continues to grow.

As noted, earlier this year, the EC announced two antitrust investigations of Apple regarding allegations of unfair and anticompetitive practices with its App Store and Apple Pay.

In a press release, the EC announced it “has opened a formal antitrust investigation to assess whether Apple’s conduct in connection with Apple Pay violates EU competition rules…[that] concerns Apple’s terms, conditions and other measures for integrating Apple Pay in merchant apps and websites on iPhones and iPads, Apple’s limitation of access to the Near Field Communication (NFC) functionality (“tap and go”) on iPhones for payments in stores, and alleged refusals of access to Apple Pay.” The EC noted that “[f]ollowing a preliminary investigation, the Commission has concerns that Apple’s terms, conditions, and other measures related to the integration of Apple Pay for the purchase of goods and services on merchant apps and websites on iOS/iPadOS devices may distort competition and reduce choice and innovation.” The EC contended “Apple Pay is the only mobile payment solution that may access the NFC “tap and go” technology embedded on iOS mobile devices for payments in stores.” The EC revealed “[t]he investigation will also focus on alleged restrictions of access to Apple Pay for specific products of rivals on iOS and iPadOS smart mobile devices” and “will investigate the possible impact of Apple’s practices on competition in providing mobile payments solutions.”

In a press release issued the same day, the EC explained it had also “opened formal antitrust investigations to assess whether Apple’s rules for app developers on the distribution of apps via the App Store violate EU competition rules.” The EC said “[t]he investigations concern in particular the mandatory use of Apple’s own proprietary in-app purchase system and restrictions on the ability of developers to inform iPhone and iPad users of alternative cheaper purchasing possibilities outside of apps.” The EC added “[t]he investigations concern the application of these rules to all apps, which compete with Apple’s own apps and services in the European Economic Area (EEA)…[and] [t]he investigations follow-up on separate complaints by Spotify and by an e-book/audiobook distributor on the impact of the App Store rules on competition in music streaming and e-books/audiobooks.”

Finally, recently, EU Executive Vice-President Margrethe Vestager gave a speech titled “Building trust in technology,” in which she previewed one long awaited draft EU law on technology and another to address antitrust and anti-competitive practices of large technology companies. Vestager stated “in just a few weeks, we plan to publish two draft laws that will help to create a more trustworthy digital world.” Both drafts are expected on 2 December and represent key pieces of the new EU leadership’s Digital Strategy, the bloc’s initiative to update EU laws to account for changes in technology since the beginning of the century. The Digital Services Act will address and reform the legal treatment of both online commerce and online content. The draft Digital Markets Act would give the EC more tools to combat the same competition and market dominance issues posed by companies like Apple, Amazon, Facebook, and Google. Vestager stated:

  • So, to keep our markets fair and open to competition, it’s vital that we have the right toolkit in place. And that’s what the second set of rules we’re proposing – what we call the Digital Markets Act – is for. 
  • That proposal will have two pillars. The first of those pillars will be a clear list of dos and don’ts for big digital gatekeepers, based on our experience with the sorts of behaviour that can stop markets working well. 
  • For instance, the decisions that gatekeepers take, about how to rank different companies in search results, can make or break businesses in dozens of markets that depend on the platform. And if platforms also compete in those markets themselves, they can use their position as player and referee to help their own services succeed, at the expense of their rivals. For instance, gatekeepers might manipulate the way that they rank different businesses, to show their own services more visibly than their rivals’. So, the proposal that we’ll put forward in a few weeks’ time will aim to ban this particular type of unfair self-preferencing. 
  • We also know that these companies can collect a lot of data about companies that rely on their platform – data which they can then use, to compete against those very same companies in other markets. That can seriously damage fairness in these markets – which is why our proposal aims to ban big gatekeepers from misusing their business users’ data in that way. 
  • These clear dos and don’ts will allow us to act much faster and more effectively, to tackle behaviour that we know can stop markets working well. But we also need to be ready for new situations, where digitisation creates deep, structural failures in the way our markets work.  
  • Once a digital company gets to a certain size, with the big network of users and the huge collections of data that brings, it can be very hard for anyone else to compete – even if they develop a much better service. So, we face a constant risk that big companies will succeed in pushing markets to a tipping point, sending them on a rapid, unstoppable slide towards monopoly – and creating yet another powerful gatekeeper. 
  • One way to deal with risks like this would be to stop those emerging gatekeepers from locking users into their platform. That could mean, for instance, that those gatekeepers would have to make it easier for users to switch platform, or to use more than one service. That would keep the market open for competition, by making it easier for innovative rivals to compete. But right now, we don’t have the power to take this sort of action when we see these risks arising. 
  • It can also be difficult to deal with large companies which use the power of their platforms again and again, to take over one related market after another. We can deal with that issue with a series of cases – but the risk is that we’ll always find ourselves playing catch-up, while platforms move from market to market, using the same strategies to drive out their rivals. 
  • The risk, though, is that we’ll have a fragmented system, with different rules in different EU countries. That would make it hard to tackle huge platforms that operate throughout Europe, and to deal with other problems that you find in digital markets in many EU countries. And it would mean that businesses and consumers across Europe can’t all rely on the same protection. 
  • That’s why the second pillar of the Digital Markets Act would put a harmonised market investigation framework in place across the single market, giving us the power to tackle market failures like this in digital markets, and stop new ones from emerging. That would give us a harmonised set of rules that would allow us to investigate certain structural problems in digital markets. And if necessary, we could take action to make these markets contestable and competitive.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by stein egil liland from Pexels

Biden Administration Tech Policy: Federal Trade Commission (FTC)

Under President Joe Biden, the FTC will face most of the same issues presently before the agency.

In a Biden Administration, the FTC may tip from three Republican Commissioners, including the chair, to a majority of Democrats if Chair Joseph Simons steps down as has been rumored for some months now, in part because of political pressure and displeasure from the Trump White House. However, it is not uncommon for chairs to stay on even if a President of a different party comes to power, and, in fact, it rarely occurs that a sitting chair resigns at the beginning of a new presidency as occurred when then Chair Edith Ramirez resigned at the beginning of the Trump Administration in 2017. However, by law, the President may not remove the FTC chair or any commissioner except for “inefficiency, neglect of duty, or malfeasance in office.”

However, the President may, and almost always does in the event the White House changes hands, designate a new chair, and either of the sitting Commissioners could become the new chair: Rebecca Kelly Slaughter or Rohit Chopra. However, the latter’s term actually ended in September 2019 and can serve until he is re-confirmed or a successor is confirmed. It is not clear whether Chopra would be re-nominated given his view on regulating is to the left of Biden’s historical position on such issues. However, Chopra has support from Senator Elizabeth Warren (D-MA), a key stakeholder a Biden White House may try to keep happy. However, Chopra’s name was floated for the head of the Consumer Financial Protection Bureau (CFPB), the agency where he served as the Deputy Director. So, it may come to pass that President-elect Joe Biden gets to appoint two Democrats to the FTC if Simons steps down and Chopra moves on to the CFPB.

Of course, the FTC will almost certainly continue as the de facto federal data protection authority (DPA) for the United States and will use its Section 5 powers to investigate and punish privacy, data security, and cybersecurity violations. The agency is one of the two federal antitrust enforcers, a recently revived area of federal law that has bipartisan interest and support, and is on the verge of filing an antitrust action against Facebook, alleging violations of antitrust law in the social messaging market, especially on account of its WhatsApp and Instagram acquisitions. Conceivably, the FTC under Democratic leadership may have a more aggressive posture towards technology companies and other swaths of the economy that have undergone increased consolidation.

Moreover, most of the privacy bills in Congress would assign the responsibility of enforcing the regime at the federal level to the FTC, a power it would share with state attorneys general as is the current case with respect to antitrust and data security enforcement. The crucial question will be whether the agency receives the resources necessary to maintain its current responsibilities while taking on new responsibilities. At present, the House is proposing a $10 million increase to the agency’s budget from $331 million to $341 million.

Another aspect of the FTC that bears watching is how federal courts construe the agency’s power because a significant portion of the FTC’s ability to use its enforcement powers will hinge on court cases and possible Congressional tweaks to the FTC Act.

A few weeks ago, the FTC recently wrote the House and Senate committees with jurisdiction over the agency, asking for language restoring the power to seek and obtain restitution for victims of those who have violated Section 5 of the FTC Act and disgorgement of ill-gotten gains. The FTC is also asking that Congress clarify that the agency may act against violators even if their conduct has stopped as it has for more than four decades. Two federal appeals courts have ruled in ways that have limited the FTC’s long used powers, and now the Supreme Court of the United States is set to rule on these issues sometime next year. The FTC is claiming, however, that defendants are playing for time in the hopes that the FTC’s authority to seek and receive monetary penalties will ultimately be limited by the United States (U.S.) highest court. Judging by language tucked into a privacy bill introduced by the chair of one of the committees, Congress may be willing to act soon.

The FTC asked the House Energy and Commerce and Senate Commerce, Science, and Transportation Committees “to take quick action to amend Section 13(b) [of the FTC Act i.e. 15 U.S.C. § 53(b)] to make clear that the Commission can bring actions in federal court under Section 13(b) even if conduct is no longer ongoing or impending when the suit is filed and can obtain monetary relief, including restitution and disgorgement, if successful.” The agency asserted “[w]ithout congressional action, the Commission’s ability to use Section 13(b) to provide refunds to consumer victims and to enjoin illegal activity is severely threatened.” All five FTC Commissioners signed the letter.

The FTC explained that adverse rulings by two federal appeals courts are constraining the agency from seeking relief for victims and punishment for violators of the FTC Act in federal courts below those two specific courts, but elsewhere defendants are either asking courts for a similar ruling or using delaying tactics in the hopes the Supreme Court upholds the two federal appeals courts:

  • …[C]ourts of appeals in the Third and Seventh Circuits have recently ruled that the agency cannot obtain any monetary relief under Section 13(b). Although review in the Supreme Court is pending, these lower court decisions are already inhibiting our ability to obtain monetary relief under 13(b). Not only do these decisions already prevent us from obtaining redress for consumers in the circuits where they issued, prospective defendants are routinely invoking them in refusing to settle cases with agreed-upon redress payments.
  • Moreover, defendants in our law enforcement actions pending in other circuits are seeking to expand the rulings to those circuits and taking steps to delay litigation in anticipation of a potential Supreme Court ruling that would allow them to escape liability for any monetary relief caused by their unlawful conduct. This is a significant impediment to the agency’s effectiveness, its ability to provide redress to consumer victims, and its ability to prevent entities who violate the law from profiting from their wrongdoing.

Earlier in the year, by a split vote across party lines, the Federal Trade Commission (FTC) asked a United States (U.S.) appeals court to reconsider a ruling that overturned a lower court’s ruling that Qualcomm has violated antitrust laws in the licensing of its technology and patents vital to smartphones. Republican Commissioners Noah Joshua Phillips and Christine Wilson voted against filing the brief asking for a rehearing with Chair Joseph Simons joining the two Democratic Commissioners Rohit Chopra and Rebecca Kelly Slaughter in voting to move forward with the brief. This case could have major ramifications for antitrust law and the technology sector in the U.S. and for the 5G market as Qualcomm is a major player in the development and deployment of the technology necessary for this coming upgrade in wireless communications expected to bring a host of intended and unintended improvements in communications.

In the brief, the FTC argued the (U.S.) Court Of Appeals for The Ninth Circuit (Ninth Circuit) did not disagree with the District Court’s factual findings of anticompetitive conduct and rather took issue with the lack of “a cogent theory of anticompetitive harm.” The FTC argued the case should be reconsidered on three grounds:

  • The Ninth Circuit ruled on the basis of formal labels and not economic substance contrary to established Supreme Court law
  • Facially neutral surcharges by one market participant to its rivals is, in fact, an unequal and exclusionary burden on rivals, conduct the Supreme Court has ruled violates antitrust law; and
  • Harm to customers is indeed a central focus and concern of antitrust cases and ruling that this harm is outside relevant antitrust markets is also a misreading of established law.

As noted, the Ninth Circuit reversed a U.S. District Court’s decision that Qualcomm’s licensing practices violated the Sherman Antitrust Act. Specifically, the lower court held these practices “have strangled competition in the Code Division Multiple Access (CDMA) and premium Long-Term Evolution (LTE) modem chip markets for years, and harmed rivals, original equipment manufacturers (OEMs), and end consumers in the process.” Consequently, the court found “an unreasonable restraint of trade under § 1 of the Sherman Act and exclusionary conduct under § 2 of the Sherman Act….and that Qualcomm is liable under the FTC Act, as “unfair methods of competition” under the FTC Act include “violations of the Sherman Act.”

However, the Ninth Circuit disagreed, overturned the district court and summarized its decision:

  • [We] began by examining the district court’s conclusion that Qualcomm had an antitrust duty to license its standard essential patents (SEPs) to its direct competitors in the modern chip markets pursuant to the exception outlined in Aspen Skiing Co. v. Aspen Highlands Skiing Corp., 472 U.S. 585 (1985). [We] held that none of the required elements for the Aspen Skiing exception were present, and the district court erred in holding that Qualcomm was under an antitrust duty to license rival chip manufacturers. [We] held that Qualcomm’s OEM-level licensing policy, however novel, was not an anticompetitive violation of the Sherman Act.
  • [We] rejected the FTC’s contention that even though Qualcomm was not subject to an antitrust duty to deal under Aspen Skiing, Qualcomm nevertheless engaged in anticompetitive conduct in violation of § 2 of the Sherman Act. [We] held that the FTC did not satisfactorily explain how Qualcomm’s alleged breach of its contractual commitment itself impaired the opportunities of rivals. Because the FTC did not meet its initial burden under the rule of reason framework, [We were] less critical of Qualcomm’s procompetitive justifications for its OEM-level licensing policy—which, in any case, appeared to be reasonable and consistent with current industry practice. [We] concluded that to the extent Qualcomm breached any of its fair, reasonable, and nondiscriminatory (FRAND) commitments, the remedy for such a breach was in contract or tort law.

The FTC has a number of significant outstanding rulemakings.

In early 2019, the FTC released notices of proposed rulemaking (NPRM) for two of the data security regulations with which some financial services companies must comply:

The reassessment of the Safeguards Rule began in 2016 when the FTC asked for comments. The proposed Safeguards Rule demonstrates the agency’s thinking on what data security regulations should look like, which is important because the FTC is the agency most likely to become the enforcer and writer of any new data security or privacy regulations. Notably, the new Safeguards regulation would require the use of certain best practices such as encrypting data in transit or at rest or requiring the use of multi-factor authentication “for any individual accessing customer information.” Moreover, the other financial services agencies charged with implementing the section of Gramm-Leach-Bliley (GLB) that requires financial services companies to safeguard customers’ information may follow suit (e.g. the Federal Reserve Board or the Comptroller of the Currency.)

In the proposed rule, the FTC noted that its changes to the Safeguards Rule would “include more detailed requirements for the development and establishment of the information security program required under the Rule…[and] [t]hese amendments are based primarily on the cybersecurity regulations issued by the New York Department of Financial Services, 23 NYCRR 500 (“Cybersecurity Regulations”), and the insurance data security model law issued by the National Association of Insurance Commissioners (“Model Law”).”

In the Safeguards Rule proposal, the FTC explained “[t]he proposal contains five main modifications to the existing Rule.”

  • First, it adds provisions designed to provide covered financial institutions with more guidance on how to develop and implement specific aspects of an overall information security program, such as access controls, authentication, and encryption.
  • Second, it adds provisions designed to improve the accountability of financial institutions’ information security programs, such as by requiring periodic reports to boards of directors or governing bodies.
  • Third, it exempts small businesses from certain requirements.
  • Fourth, it expands the definition of “financial institution” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities. Such a change would add “finders”–companies that bring together buyers and sellers of a product or service–within the scope of the Rule.
  • Finally, the Commission proposes to include the definition of “financial institution” and related examples in the Rule itself rather than incorporate them by reference from a related FTC rule, the Privacy of Consumer Financial Information Rule.

The FTC’s Safeguards Rule applies to the following and other entities:

[M]ortgage lenders, “pay day” lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, travel agencies operated in connection with financial services, collection agencies, credit counselors and other financial advisors, tax preparation firms, non- federally insured credit unions, investment advisors that are not required to register with the Securities and Exchange Commission, and entities acting as finders.

The FTC explained that it “is proposing to expand the definition of “financial institution” in both the Privacy Rule and the Safeguards Rule to specifically include so-called “finders,” those who charge a fee to connect consumers who are looking for a loan to a lender…[because] [t]his proposed change would bring the Commission’s Rule in line with other agencies’ interpretation of the Gramm Leach Bliley Act.”

As part of its regular review of its regulations, the FTC released asked for input on its Health Breach Notification Rule (HBN Rule) promulgated in 2010 per direction in the “American Recovery and Reinvestment Act” (ARRA) (P.L. 111-5). When enacted, Congress expected this regulation to be temporary as policymakers thought a national breach notification statute would shortly be enacted that would make the FTC’s regulations superfluous, but that has obviously not happened. And, hence the FTC continues to have regulations governing breach notification and security of some health information for entities not subject to the “Health Insurance Portability and Accountability Act” (HIPAA)/“Health Information Technology for Economic and Clinical Health Act” (HITECH Act) regulations, which are generally healthcare providers and their business associates. Incidentally, it is possible the FTC’s HBN Rule would govern breaches arising from breaches of vendors involved with COVID-19 contact tracing.

As explained in the current regulation, the HBN Rule “applies to foreign and domestic vendors of personal health records (PHR), PHR related entities, and third party service providers, irrespective of any jurisdictional tests in the Federal Trade Commission (FTC) Act, that maintain information of U.S. citizens or residents.” This rule, however, “does not apply to HIPAA-covered entities, or to any other entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity.”

And yet, the FTC conceded it “has not had occasion to enforce its Rule because, as the PHR market has developed over the past decade, most PHR vendors, related entities, and service providers have been HIPAA-covered entities or “business associates” subject to the Department of Health and Human Services’ (HHS) rule.” The FTC foresees utility and need for the HBN Rule “as consumers turn towards direct-to-consumer technologies for health information and services (such as mobile health applications, virtual assistants, and platforms’ health tools), more companies may be covered by the FTC’s Rule.” Accordingly, the FTC “now requests comment on the HBN Rule, including the costs and benefits of the Rule, and whether particular sections should be retained, eliminated, or modified.”

In terms of how the HBN Rule functions, the FTC explained:

  • The Recovery Act directed the FTC to issue a rule requiring these entities, and their third-party service providers, to provide notification of any breach of unsecured individually identifiable health information.
  • Accordingly, the HBN Rule requires vendors of PHRs and PHR related entities to provide: (1) Notice to consumers whose unsecured individually identifiable health information has been breached; (2) notice to the media, in many cases; and (3) notice to the Commission.
  • The Rule also requires third party service providers (i.e., those companies that provide services such as billing or data storage) to vendors of PHRs and PHR related entities to provide notification to such vendors and entities following the discovery of a breach.
  • The Rule requires notice “without unreasonable delay and in no case later than 60 calendar days” after discovery of a data breach. If the breach affects 500 or more individuals, notice to the FTC must be provided “as soon as possible and in no case later than ten business days” after discovery of the breach. The FTC makes available a standard form for companies to use to notify the Commission of a breach. The FTC posts a list of breaches involving 500 or more individuals on its website. This list only includes two breaches, because the Commission has predominantly received notices about breaches affecting fewer than 500 individuals.

Moreover, per the current regulations, the FTC may treat breaches as violations of regulation on unfair or deceptive practices, permitting the FTC to seek and possibly levy civil fines of up to $43,000 per violation.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Gerd Altmann from Pixabay