InsideSources

The Department of Justice plans to open an antitrust investigation into Apple and Google while the Federal Trade Commission plans to investigate Amazon, according to multiple news reports. The House Judiciary committee also announced it will open a bipartisan investigation into whether Big Tech suppresses competition.

“The open internet has delivered enormous benefits to Americans, including a surge of economic opportunity, massive investment, and new pathways for education online,” Judiciary Chairman Jerrold Nadler (D-N.Y.) said in a statement. “But there is growing evidence that a handful of gatekeepers have come to capture control over key arteries of online commerce, content, and communications.”

The FTC investigated Google for antitrust violations in 2013 and, despite releasing a 160-page report finding that Google uses anti-competitive tactics that harm consumers and the internet ecosystem, did not take action against the company.

2020 presidential contender Elizabeth Warren and President Donald Trump both spoke out against Apple, Google and other Big Tech companies over the past year, with Warren calling for breaking up Big Tech and Trump threatening antitrust investigations.

But Big Tech lobbying groups and some economists insist that companies like Amazon, Apple, Google and Facebook don’t violate antitrust law based on the current understanding of consumer welfare.

(Under the current understanding of consumer welfare, economists assume that if monetary prices for goods and services are falling, then that can only be a good thing — even if falling prices are accompanied by market consolidation and fewer choices for consumers. Some economists also say consumers pay for Big Tech services with their personal data, which has led to privacy violations and the current debate over writing a federal privacy law.)

“The Justice Department’s investigation of Google will come to the same conclusion as the FTC’s did in 2013 — that there is no antitrust case,” said Carl Szabo, vice president and general counsel for Big Tech lobbying group NetChoice, of which Google and Facebook are members. “It’s illogical that the DOJ is investigating competitors in the same market for monopoly behavior. Amazon, Apple and Google all compete with each other in a vibrant and competitive marketplace,” he said in a statement to InsideSources.

On Apple’s website, the company recently set up a page listing ways its App Store encourages competition among app developers and benefits consumers.

“We believe competition makes everything better and results in the best apps for our customers,” Apple said, almost as if speaking directly to federal lawmakers and regulators. “We also care about quality over quantity, and trust over transactions. That’s why, even though other stores have more users and more app downloads, the App Store earns more money for developers. Our users trust Apple — and that trust is critical to how we operate a fair, competitive store for developer app distribution.”

Aram Sinnreich, chair of communication studies at American University, said an antitrust investigation could jolt Big Tech into self-regulating and halting anticompetitive practices.

“Antitrust scrutiny on its own if nothing else is a good red flag to encourage companies to act more competitively and divest themselves of businesses that might invite regulatory action,” Sinnreich told InsideSources. “I think antitrust by the FTC is a good idea, that doesn’t necessarily mean the government will decide to break the company up.”

Despite Apple’s protests to the contrary, Sinnreich believes Apple does behave anticompetitively in its App Store because its business model encourages it — Apple works hard to dissuade any Apple customer from switching brands.

“I can’t get a new brand phone unless I find a place to store all the 15,000 photos I’ve taken over the years [with an iPhone],” Sinnreich said. “Their role in streaming distribution, combine that with their role in facial recognition and biometrics, it begins to get really problematic.”

Apple’s not alone in the scrutiny: tech experts and economists say the same about Amazon and Google.

“[Big Tech companies] do behave anticompetitively and are not concerned with maintaining a robust landscape of software providers,” Sinnreich said. “They use that landscape for free market research and then they adopt whatever is popular and undercut the market for the third parties that developed the technology in the first place.”

But not everyone agrees Big Tech should be broken up, even those who criticize Big Tech’s role in the marketplace. At a tech event hosted by the Hoover Institution in May, experts on both the right and the left discussed how we may not have a proper regulatory framework to deal with Big Tech because the internet evolved so rapidly.

At a privacy forum hosted by the American Enterprise Institute on Wednesday, the Department of Justice’s Chief Privacy Officer Peter Winn pushed back on the idea of “individual control” in a federal privacy law.

Winn launched the forum by stating, “Privacy is not about giving individuals complete control over their personal information in all contexts. Some people think we need a privacy law like the one in the EU. I disagree.”

Furthermore, he added, sweeping privacy laws like the EU’s GDPR “often have consequences they go far beyond their intended purposes and end up impacting core public safety initiatives,” specifically referencing concerns regarding the Internet Corporation for Assigned Names and Numbers (ICANN).

ICANN now allows cookies, internet domain names and IP addresses, to be obscured in order to comply with GDPR because these data points can be used to identify an individual and are now classified as “personal information.” Opponents of GDPR argue this hinders law enforcement from tracking down cybercriminals.

From Winn’s perspective, a privacy law that grants the consumer total control over his or her data conflicts with the needs of law enforcement officials trying to ensure public safety.

He’s not the only one to draw attention to this point. Last fall, a group of cybersecurity firms filed comments with the National Technology and Information Administration (NTIA) stating that sometimes companies compromise their customers’ privacy for the sake of security, by sharing data with other companies after a cyberattack to better mitigate future cyberattacks.

“This is consistent with consensus best practices for comprehensive security programs, such as the NIST Cybersecurity Framework,” the Cybersecurity Coalition wrote in the filing. “By necessity, some of this data can be linked to individuals or specific devices, thereby potentially falling under common definitions of ‘personal information.’ For example, phishing, a highly prevalent and effective attack vector used to steal sensitive data, is based on spoofed emails and identities. To detect and avoid suspected phishing attempts, cybersecurity service providers may process such personal information including the email address, purported identity, and the IP address associated with the origination of the phishing email.”

Winn also said stakeholders should play a central role in any privacy law discussion, but did not mention consumer advocates or consumer protection.

“Understanding the democratic process in the U.S. is also important to understanding how privacy policies work — all the major stakeholders have weighed in, and there at least needs to be a substantial consensus among them and at least a clear understanding of why the privacy standards are needed before a bill can become law,” he said.

If stakeholders can agree on privacy standards, he argued, then they’re more likely to comply. Consumer advocates frequently point out that Congress should consider consumer perspectives when discussing privacy legislation, as any privacy law will directly impact consumers as well as stakeholders.

“Some bemoan the fact that the American democratic process requires greater buy-in from the people who will actually have to comply with the laws we enact, but a requirement of more buy-in for a proposed law upfront results in a greater level of compliance when it becomes law,” he said. “Compliance has a lot to do with trust.”

The Electronic Frontier Foundation (EFF) points out in a blog post that listening to stakeholders alone enables them to push ideas and legislative efforts that benefit them, but may not be good for consumers.

“The testimony and responses from industry representatives [are] predictable: lip service to the idea of strong federal consumer privacy legislation, but few specifics on what those protections should actually look like,” the EFF’s Legislative Analyst India McKinney and Research Associate Gennie Gebhart wrote. “These witnesses also continue to advocate for unwritten, vague federal preemption of existing state laws like California’s Consumer Privacy Act (CCPA) or Illinois’s Biometric Information Privacy Act (BIPA).”

Instead of an aggressive legislative crackdown, Winn thinks companies should try to regain consumers’ trust by treating their data well.

“We can only earn this trust by making sure we handle their information appropriately and lawfully,” Winn said, despite constant news reports detailing how companies abused consumers’ trust in the past, from Equifax to Facebook to Google.

Follow Kate on Twitter

The Federal Communications Commission’s (FCC) recent “cyberattack” fiasco doesn’t surprise experts, given how terribly prepared they think smaller federal agencies are for most cyberattacks.

Large private sector companies routinely grapple with cybersecurity and fending off cybercrime, so for smaller federal agencies that may not have the resources to outsource cybersecurity to federal contractors — especially independent agencies like the FCC, the Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC), the Federal Election Commission (FEC), the Social Security Administration (SSA) and the Environmental Protection Agency (EPA) — cybersecurity is a major, constant struggle.

A recent Tenable survey of 2,100 organizations found that only 48 percent have semi-adequate to adequate cybersecurity measures in place, while 33 percent do the bare minimum.

On Tuesday, the House passed bipartisan legislation that would establish the Continuous Diagnostics Mitigation division within the Department of Homeland Security, which would endeavor to protect federal agencies from cyberattacks.

Part of the problem according to Stuart Madnick, a professor of information technology and engineering systems at MIT’s Sloan School of Management, is that organizations tend to have the wrong focus in cybersecurity.

“Most organizations are focused on trying to prevent cybercrime, but resistance is futile,” he told InsideSources. “You can try to prevent as hard as you can, and that will make you less of a low-hanging fruit, but anyone who is diligently trying will find a way to work around. Most organizations private or public are pouring 90 percent of their energy into the prevention side.”

Trying to prevent cyberattacks, Madnick says, is a waste of time, because you’ll be attacked regardless.

“My sense is people are not very well prepared for a variety of reasons, because people think of being prepared in terms of what they’ve experienced in the past,” he said. “The problem with cyberattacks is they’re always something you’ve never seen before. Both private and public tend to be very poorly prepared. Most people, when a problem occurs, they kind of scurry to try to deal with it.”

The deck is stacked against most organizations: according to an August Malwarebytes study, 10 percent of cybersecurity professionals are engaged in “Black Hat” activity and 50 percent know or have known someone engaged in “Black Hat” activity.

This is especially alarming for federal agencies handling sensitive information. Because cybercrime is such a lucrative business for many cybersecurity professionals, it is now harder to trust whoever is handling your cybersecurity.

Furthermore, Madnick said 50 percent of organizations who have experienced a cyberattack don’t know they’ve been attacked, which adds to the confusion and explains why some — like the FCC and DNC — jumped to conclusions as soon as they noticed anything remotely off.

Madnick has experience with state government and local government information technology (IT) systems, and said most government entities’ resources and funding for cybersecurity is “relatively minimal,” which is especially concerning ahead of midterms.

Despite the mad dash to improve elections security this year, Madnick doubts federal, state and local governments have done enough, based on how outdated their IT systems are.

“That’s a very scary system because it involves local authorities, state authorities, federal authorities, and I suspect none of them have put in the time and energy needed,” he said, despite the news coverage.

Large federal agencies suffer cyberattacks but have more resources and better cybersecurity measures in place to handle them. Smaller federal agencies, on the other hand, are “ripe to be pilfered with.” Some may regularly experience attacks without even realizing it.

“There was a report that the Department of Energy had been attacked 20-some times in the past year,” Madnick said. “Not all the attacks were successful, but they were information-gathering attacks, a lot of their internal documents were being stolen.”

The Center for Strategic and International Studies’ (CSIS) Vice President James Lewis — an expert in cybersecurity who previously worked for the Commerce and State Departments — said cybersecurity has “been a struggle since the first computer was installed” in federal agencies.

“The intelligence agencies and the military do an 80 percent job, anybody else is catch as catch can,” he told InsideSources. “Agencies don’t want to give up their independence, so we have a lot of agencies that just don’t have the resources or the people, and that’s a guaranteed vulnerability. Bigger agencies do better, like the Treasury, Department of Justice (DOJ, Department of Defense (DOD, but not all of them.”

Lewis thinks the biggest problem for the smaller, independent agencies is their size and the fact that they tend to handle cybersecurity in-house.

“They really need to outsource a lot of these functions either to another agency or the private sector,” he said. “That’s kind of a budget thing but also a strategy thing.”

Some agencies may need bigger budgets, but Lewis also said some agencies may not be able to outsource simply because of the nature of their authorization. Many agencies aren’t permitted to outsource much of their data simply because it is so sensitive.

“The ways the laws were written 30 years ago require an agency to maintain some control of data storage,” Lewis said. “The federal government’s guidelines for agencies to move data into the clou is 1400 pages long, and that’s a problem right there, you have a rulebook that’s so complicated no one can figure it out.”

FedRAMP, which helps an agency transfer its data to the cloud, requires a lengthy authorization process that may be burdensome for small, independent agencies.

For some agencies, then, amending existing regulations regarding how they handle their data could allow them to pursue better cybersecurity measures.

“If you’re posed to safeguard people’s data, you have to think about when you move it to a cloud service provider. It’s not impossible, but it does take money and thought,” Lewis said. “You have to have someone to manage these contracts. You have privacy concerns. The old thing was, I’m an agency, I have data, I put it in a file and it’s safe. When they moved that over to the digital mindset, it becomes, do I want to move that outside of my own agency boundaries.”

In the meantime, Madnick said all organizations need to rethink cybersecurity and be more proactive about regular screenings, because getting attacked is inevitable. The severity of an attack, however, can be mitigated.

“You need to start backwards, and say what it is that you don’t want to go wrong,” Madnick said. “And what mechanism can you put in place to make sure that doesn’t happen or minimize how much damage it can do. I don’t think most organizations are doing that, because it’s not normal. I think we have this naive assumption that if we prevent enough we won’t have to prepare. I do think we can do a heck of a lot better job in preparations.”

Follow Kate on Twitter

The Department of Justice (DOJ) released court documents Monday detailing its challenge to the District of Columbia’s District Court Judge Richard Leon’s ruling that approved the AT&T – Time Warner Cable merger.

The appeal is likely to go to court, but it is unclear whether the move will result in an overturn of Leon’s ruling.

The DOJ claims the district court “erroneously ignor[ed] fundamental principles of economics and common sense. These errors distorted its view of the evidence and rendered its factual findings clearly erroneous, and they are the subject of this appeal.”

In the DOJ’s view, it doesn’t matter that Leon found no evidence that the merger would weaken competition in the video distribution-programmer market — what matters it that the merger could weaken competition and “lead to hundreds of millions of dollars of net harm passed through to consumers annually.”

The DOJ cites Section 7 of the Clayton Antitrust Act of 1914 as the grounds for its appeal, which “prohibits any merger the effect of which ‘may be’ to lessen competition substantially. 15 U.S.C. § 18. The legal standard under Section 7, therefore, is ‘reasonable probability.’ To establish a Section 7 violation, a plaintiff need not show that the merger will have an anticompetitive effect, such as increased prices. ‘All that is necessary is that the merger create an appreciable danger of [higher prices] in the future. A predictive judgment, necessarily probabilistic and judgmental rather than demonstrable, is called for.'”

Because there is a danger AT&T could raise prices and use its ownership of Time Warner to gain more leverage over negotiations with programmers, the DOJ argues, the merger never should have been approved in district court.

“Important evidence that the government proffered — but the district court refused to admit — included, among other things, AT&T’s own analyses of the potential competitive effects of vertical integration,” the brief reads.

The brief also calls out AT&T for backtracking on its original belief that vertically integrated mergers are harmful to consumers.

“The merger will empower AT&T to use Time Warner’s valuable programming to raise its rival distributors’ costs for obtaining programming, while also enabling AT&T to protect its high-margin satellite-television business from competition by upstart rivals — all to the detriment of American consumers,” the brief reads. “AT&T endorsed this theory of harm six years ago when it warned federal regulators that such a vertically integrated firm would use its ownership of programming to raise fees to rival distributors and limit competition in the distribution market. AT&T changed its tune once its own merger was under scrutiny.”

Andrew Jay Schwartzman, the Benton Senior Counselor at Georgetown University’s Institute for Public Representation, told InsideSources that “the odds are against reversal,” the DOJ’s challenge is not purely politically motivated.

“The judge in this case wrote a very backed, laden decision, clearly with an eye towards protecting it from reversal because review in courts defers to trial judges on their facts finding,” Schwartzman said. “I think the DOJ brief demonstrates this is a nonfrivolous appeal, meaning that it’s not off the wall. They have a prospect of getting a reversal.”

The DOJ is likely to push for a reversal of Leon’s ruling based on legal analysis rather than facts, as Leon’s ruling was very meticulous in using the evidence to refute the DOJ’s antitrust fears.

Schwartzman thinks it is a “good brief with a good case for reversal,” but said if he had to bet money, the D.C. Court of Appeals will likely affirm the original ruling. At the same time, he said, the outcome of the appeal really depends on which appellate judge hears it.

“Anybody’s assessment of the likelihood of the success of an appeal adjusts it once you find out who’s going to hear the case,” Schwartzman said.

The current ideological split is between seven more liberal judges and three more conservative ones.

“The more left-oriented judges, in very broad general terms, are more sympathetic to reversal and would include Cornelia Pillard and Patricia Millet,” Schwartzman said. “Of the judges who likely would be leaning toward affirmance, it would include David Sentelle and Douglas Ginsburg, who used to be Assistant Attorney General of the Antitrust Division during the Reagan administration, and it would have also been Judge Brett Kavanaugh but he won’t be hearing the case.”

Regardless the appeal’s likelihood to garner a reversal, the DOJ is convinced that the original ruling did not evaluate its evidence fairly, insisting that “the district court substantially constrained the government’s presentation of evidence showing that the merged entity would have greater bargaining leverage.”

But depending on who hears the case, the DOJ still may not get the fair hearing it thinks it deserves.

Follow Kate on Twitter

A federal court on Thursday limited a Department of Justice search warrant for data on visitors to an anti-Trump website, described by the domain name registrar of the site, DreamHost, as violations of the First and Fourth Amendments.

Domain name registrar DreamHost will only have to comply with part of the warrant for data on visitors to disruptj20.org, a website that organized political protests against the Trump administration, after a judge on the Washington, D.C. Superior Court ordered the government to enact a “minimization plan.”

“This plan is to include the names of all government investigators who will have access to this data and a list of all methods that will be used to comb through it in search of evidence,” DreamHost said in a Thursday blog post describing the ruling as a win. “The production of evidence from this trove of data will be overseen by the court. The DOJ is not permitted to perform this search in a bubble.”

The department must now justify to the court why it believes the data requested is within the scope of its warrant. The court will seal any information it deems falling outside the warrant, and DOJ will be forbidden from sharing that data with any other agency.

“This is an uncommon step for the court to take, but it speaks to the sensitive content of this site and the First Amendment issues raised,” DreamHost said. “The de-scoping of the original warrant, combined with the court’s additional restrictions on the use of, and access to, that data, is a clear victory for user privacy.”

DreamHost revealed last week it’s been battling the DOJ search warrant for “1.3 million visitor IP addresses — in addition to contact information, email content, and photos of thousands of people — in an effort to determine who simply visited the website.”

“That information could be used to identify any individuals who used this site to exercise and express political speech protected under the Constitution’s First Amendment,” DreamHost said in a blog post. “That should be enough to set alarm bells off in anyone’s mind.”

DreamHost described the warrant as “investigatory overreach” and “a clear abuse of government authority,” and challenged DOJ over its request. The department responded with a motion to the Washington, D.C. Superior Court asking for an order compelling DreamHost to hand over the data.

The domain registrar took its argument public and the wave of criticism forced DOJ to step back, and narrow the scope of its search warrant by excluding all HTTP access and error logs “meaning visitors’ IP addresses are largely safe,” according to DreamHost. Unpublished media, including text and photographs in blog posts that were drafted but never published, were also excluded.

Tech groups on the right and left universally opposed the warrant.

“U.S. tech companies are often compelled to resist sweeping dragnets aimed at political dissent from foreign regimes,” said Ed Black, president of the non-profit Computer and Communications Industry Association, which represents companies in the internet industry.

Black said the U.S. often criticizes other countries with strict internet censorship regimes for similar requests, and suggested DOJ “consider the consequences of such requests both in terms of emboldening countries like China and in the message this sends to democratic allies.”

Berin Szoka, president of center-right policy think tank TechFreedom, said this was precisely what the founders had in mind when they adopted the First and Fourth Amendments.

“If the DOJ can unmask over a million internet users simply for visiting a website, without any further alleged connection to criminal activity, then no American is safe to use the internet to access dissident speech,” Szoka said. “The fear of being unmasked — and subjected to harassment, or far worse — will chill the speech of millions more.”

General warrants like the one issued to DreamHost were a “tyrannical practice” and “among the chief sparks of the American Revolution,” according to Szoka.

“DreamHost is now fighting that same battle in the digital realm,” he added.

Following its day in court the company said it will comply with the narrowed request, but still plans to appeal the ruling, with the hope of indefinitely limiting the government’s access to the data.

“While we’ve been compelled by the court to share this (still) large cache of data (and will do so in the next few days), the DOJ will not gain access to it immediately,” the company said. “We are considering an appeal which would deny the government the ability to access that data temporarily and potentially forever if our appeal is found to have merit.”

Follow Giuseppe on Twitter