The bipartisan ACCESS Act, introduced in the US Congress back in October 2019, lays the groundwork for fostering greater competition for social media platforms, and indeed across many elements of the Web. [1] As this blog post explains, however, fans of data portability and network interoperability need to make their voices heard, in order to preserve a key operational aspect of that legislation: the right of trustworthy delegation.

Network Interoperability and Data Portability = Transfer Your Data Where You Wish

Interoperability refers to the ability for different computer networks to interact, and to exchange data. Data portability refers to the ability for end users to use interoperable systems to move their data from one online platform to another. Together, these two technical requirements can open up existing online services to greater end user choice, and facilitate new forms of competition.

The ACCESS Act legislation would codify into Federal law the end user’s right to interoperate with online platforms, and the related right to transfer data to other destinations. As co-sponsoring Senator Mark Warner remarked back in October 2019:

“By making it easier for social media users to easily move their data or to continue to communicate with their friends after switching platforms, startups will be able to compete on equal terms with the biggest social media companies.” [2]

Platform data portability and interoperability are two critical ways for people to exercise their autonomy online. Both also have the potential to foster entirely new markets, projects, and companies.

Mozilla Corporation has been a leading advocate for interop and data portability. In the fall of 2019, the company released a working paper arguing that in any pro-competition policy adopted by governments, “standards and interoperability [must] be at the center.” [3] Chris Riley, former head of US policy for Mozilla, wrote a follow-up paper explaining the core role of interop in fostering competition in networked platforms such as the Internet. [4]

Other important voices agree. In March 2020, New America Foundation published a detailed research report citing interoperability as having “a unique ability to promote and incentivize competition—especially competition between platforms,” as well as offering end users “greater privacy and better control over their personal data generally.” Most recently, Cory Doctorow penned a new essay lauding interoperability, and in particular a form he calls “competitive compatibility” where upstart companies build innovative new products on top of preexisting ones. He prefers using such competition-bolstering measures to “fix the Internet, not the tech giants.”

Even the large online platform companies themselves recognize the utility of interop and portability. Beginning in 2007, a group of engineers at Google created a project in their spare time called the Data Liberation Front. This project became a collection of tools to help end users download their data from Google. [5] The DLF project eventually led to a product called Google Takeout. More recently, groups of engineers from various companies created the Data Transfer Project, which claims to be building an open source platform to bridge the technical hurdles involved in moving data between various platforms. Despite its moniker, DTP is intended to address both data portability and platform-to-platform interop. As the DTP sponsors put it:

“The contributors to the Data Transfer Project believe portability and interoperability are central to innovation. Making it easier for individuals to choose among services facilitates competition, empowers individuals to try new services and enables them to choose the offering that best suits their needs.” [6]

A variety of independent organizations, companies, and individuals who recognize the need for this kind of “interop” infrastructure are beginning to tackle building solutions. Of course, giving ordinary end users the ability to direct and control their own interop and data porting decisions -- sometimes known as “open interop” -- would be a further step towards recapturing the original ethos of the Internet itself as the ultimate interconnection platform.

Recognizing a Right to Trustworthy Delegation

An often overlooked new frontier in data rights is the opportunity to empower people to delegate their data rights, including portability and interoperability, to a trusted third party. Importantly, Section 5 of the ACCESS Act bill recognizes this opportunity. That provision would “allow users to delegate trusted custodial services, which are required to act in a user’s best interests through a strong duty of care, with the task of managing their account settings, content, and online interactions.” [7]

Senator Warner’s observation in late 2019 on this crucial provision still rings true:

“Empowering trusted custodial companies to step in on behalf of users to better manage their accounts across different platforms will help balance the playing field between consumers and companies. In other words – by enabling portability, interoperability, and delegatability, this bill will help put consumers in the driver’s seat when it comes to how and where they use social media.” [8]

An important component of that formulation is the “trusted” entity to manage a Web user’s online custodial services. While trust is inherently a subjective experience by two or more parties, trustworthiness is generated using a more outward, objective set of criteria. One can imagine how that single provision of the bill could help engender a new ecosystem of trustworthy third parties, vying to act on behalf of Web users, and in their best interests.

Mozilla Foundation has been exploring the foundations of just such an ecosystem. Its Data Futures Lab is working with small entities to develop governance structures to ensure the safe protection and promotion of sensitive data. Potential models of trustworthiness being explored include the "data trust." Responsibilities for such entities would include the duty of care -- called out expressly in the ACCESS Act language -- as well as the fiduciary duties of loyalty, and of confidentiality.

My own organization, GLIA Foundation, has fostered the GLIAnet project, which seeks to build a more trustworthy and agential overlay to the existing World Wide Web. That project is promoting a new option that could take ready advantage of an express right of delegation: a fiduciary agent, operating under strong duties of care and loyalty. What we call a "digital fiduciary" has the potential to operate on behalf of its clients and customers, in ways that promote their best interests, rather than undermining them. Coupled with “edgetech” such as Personal AIs, local data pods, open algorithms, and identity layers, the resulting layered overlays promise a new Web ecosystem founded on trustworthy and supportive entities, elevating human autonomy and agency.

Traditional fiduciary obligations extend from the duty of care (reasonable practices and prudent conduct), to variations on a duty of loyalty (no conflicts of interest with other stakeholders, and promoting the best interests of the customer). While the ACCESS Act invokes a “strong duty of care” for “trusted custodial companies,” an obligation of care alone may not be sufficient to create the appropriate environment for trustworthiness. Instead, an optimal requirement for an entity claiming to be “standing in the shoes” of its customers would be some form of a duty of loyalty. These duties also foster an environment of trustworthiness, which in turn leads to the formation of trusted commercial relationships.

A Nascent Right -- in Jeopardy

Nonetheless, the fine work of the 2019 Senate version of the ACCESS Act may end up falling well short of its potential. This is because a House bill, recently introduced as a companion measure to the Senate bill, fails to include the express “right to trusted delegation” language.

On June 24, 2021, H.R. 3849 was amended by the House Judiciary Committee, and reported to the full House of Representatives. [9] Notably, while H.R. 3849 tracks many key elements of the Senate version of the ACCESS Act, the legislation fails to include a provision granting to an end user an express right to delegate all her online custodial services to a trusted entity operating under a strong duty of care. Instead, Section 3(a) of the bill directs that only “covered platforms” need transfer an end user’s data to any “business user,” based on the end user’s “affirmative consent.” [10] That less robust language amounts to an oversight that can and should be addressed.

In brief, while data portability and related rights are important, they will mean little if they are not provided in a way that lets ordinary people actually utilize them, for all their online interactions and all across the Web.


This is not theoretical; there are real world implications. We have seen for example how the GDPR -- with all good intentions -- gave European citizens more choice online regarding protecting their data. [11] But when they seek to implement it, many people find this kind of expanded agency overwhelming. [12]

In particular, “consent fatigue” is an actual problem for ordinary human beings, when it comes to accepting or rejecting Web browser cookies. [13] When one recognizes how challenging it can be to help people just to manage browser cookies, and then considers important decisions about extracting, porting, and sharing one’s personal data, and managing other online interactions, it’s important to find ways to make implementation sustainable.

And that is where introducing an express legal right to trustworthy delegation becomes so crucial.

Codifying Trustworthy Delegation Creates Meaningful End User Agency, and Sustainable Competition

Allowing a trusted company or non-profit to help its patrons exercise their interop and portability rights, and all the numerous follow-on decisions, can make those rights that much more meaningful. Adding a duty of loyalty would make that pledge all the more meaningful and enforceable. Conversely, the lack of any express right of delegation may make it all but impossible for digital fiduciaries and other trusted third parties to interact with all kinds of online entities in support of their customers or clients.

Indeed, as Nobel prize winning economist Paul Romer observed in his statement supporting the original 2019 version of the bill:

“By giving consumers the ability to delegate decisions to organizations working on their behalf, the ACCESS Act gives consumers some hope that they can understand what they are giving up and getting in the opaque world that the tech firms have created.” [14]

Without such express delegation rights, it is difficult to disagree with Professor Romer that end users largely will be left stranded and vulnerable to the worst practices of predatory entities on the Web. Even where an end user decides to have a trusted entity act on her behalf, the lack of a legal requirement means that even “covered” platform companies can simply ignore that delegation, or impose onerous and irrelevant requirements that render the delegation useless. Months and years of delays, and frustrated outcomes, may be all but inevitable.

A Window of Opportunity

With the 2019 Senate version of the ACCESS Act, for the first time we have Federal legislation that meaningfully codifies three rights for Web end users: network interop, data portability, and delegatability of these and related rights to a trusted entity. With the addition of fiduciary duties of loyalty, the bill would provide appropriate incentives for truly trustworthy entities, and optimal accountability protections for end users.

We now have an opportunity before us to support promising initiatives like the original ACCESS Act. Part of that work could entail building fiduciary technology -- a “digital trust layer” -- to provide a sustainable way for ordinary people to fully exercise their rights on the Web. By embedding duties of loyalty and care into data-handling technology, we can help create a new kind of Web ecosystem, one where trusted entities treat each of us with the respect that we deserve. A robust version of the ACCESS Act can be an important stepping stone to that promising future.