Back

By lowering the switching cost of walking away from Big Tech, Congress could create space for co-ops, tinkerers, nonprofits, startups and public services to create small, user-centered communities built on giving people technological self-determination.

This week, the ACCESS Act will likely go before the House Judiciary Committee for markup, and there's going to be a fierce battle for the future of this bill (predictably, Big Tech hates it and wants it dead).

2/

We (EFF) just published our list of things that should be fixed ACCESS during markup, a collection of six areas where the law could be improved:

https://www.eff.org/deeplinks/2021/06/new-access-act-good-start-heres-how-make-sure-it-delivers

3/

I. Strong Consent and Purpose Limitation Requirements

The ACCESS Act is already pretty good on ensuring that when you take your data from a platform, but the language is a little fuzzy at the edges.

We'd like crisply defined limits on data requires consent - for example, do your friends have to consent to you exporting their replies to your messages? Does it matter if they're private messages or public? We've published some deep dives on this:

https://www.eff.org/wp/interoperability-and-privacy

4/

II. Define “Interoperability”

This is the second version of the ACCESS Act (the first was introduced in the Senate during the 2019/2020 session). The Senate version actually defined "interop" (too narrowly!), while the current version fails to do so.

The risk of underdefining interop is that ad-tech companies and other human-rights abusers have called for interop to "fix the competition problem" in surveillance-based advertising.

5/

Unless Congress specifies what kind of interop ACCESS is supposed to support, it might create a race to see who can most efficiently gut your foundational right to privacy while giving you the least benefit in return.

6/

III. Let the people sue

ACCESS has incredibly stiff penalties for companies that violate it - but these can only be invoked by the FTC. To be fair, the FTC is enjoying a renaissance, with the amazing Lina Khan at its helm, but what about the *next* FTC?

We think this bill needs a "private right of action" - that is, the right of regular internet users to sue tech companies that break the law, whether on their own, in class action suits, or through public-interest law-firms like EFF.

7/

IV. Bring back delegability

The 2019 version of ACCESS had a wonderful section on "delegatability," in which users could hand over the right to manage big services to other entities whom they trusted.

Like, you could ask a privacy org to manage your privacy settings on Facebook, or authorize a co-op platform to provide an alternative interface (say, one with a tracker-blocker) to the services you use.

Delegatability was dropped from the 2020 ACCESS Act and we'd like it back, please.

8/

V. Government standards as safe harbors, not mandates

Under the ACCESS Act, a technical committee is charged with standardizing a way for a big platform to create interoperability with other systems. We think this is too constraining.

Rather than mandate that big platforms *must* use this standard interface, we argue that using the standard would give you a "safe harbor" (if you used it, you'd be sure you were following the law).

9/

But big platforms would have the option of creating *other* interfaces that were technically equivalent to the standard, with strict penalties and a private right action if the alternative wasn't as good as the standard.

That way, tech companies could offer *more* interop (including interop for features that don't even exist yet) without having to wait for revisions to emerge from the standardization process.

10/

VI. About that standardization process

ACCESS creates a new standards committee for each Big Tech platform, separate from existing standards bodies (which have a deserved rep for being hostage to the tech giants). The structure of this standardization process needs work.

First, the law specifies a minimum number of reps from Big Tech, independent privacy experts, and smaller companies (as well as a rep from NIST), but it doesn't set *maximum* numbers for these.

11/

So it would be fine under the ACCESS Act for Facebook's "independent" technical committee to consist of a NIST rep, two academics, two startup people, and 500 Facebook lawyers and engineers. That's obviously not right and it should be fixed in markup.

The current ACCESS draft doesn't provide for public scrutiny of the standards development process.

12/

The tech committee's work should all be public, with opportunities for public comment and a requirement to answer substantive issues raised during comment periods.

Finally, the Act doesn't guarantee public access to the final standard (only "competing businesses or potential competing businesses" get to see it). That's absurd. It's the law, the law should be public, and we should all be able to see it and implement it. I mean, duh.

13/

None of this stuff is insurmountable; a lot of it appears to be oversights, and other parts are probably good faith disagreements that can be hashed out during markup. We're so glad to see this bill introduced and can't wait for the committee meeting!

eof/