This sharing by 71 CA police agencies violates state law and could be used by other states to identify and prosecute abortion seekers and providers.

( Electronic Frontier Foundation ) – SAN FRANCISCO—Seventy-one California police agencies in 22 counties must immediately stop sharing automated license plate reader (ALPR) data with law enforcement agencies in other states because it violates California law and could enable prosecution of abortion seekers and providers elsewhere, three civil liberties groups demanded Thursday in letters to those agencies.

The letters from the Electronic Frontier Foundation (EFF), the American Civil Liberties Union of Northern California (ACLU NorCal), and the American Civil Liberties Union of Southern California (ACLU SoCal) gave the agencies a deadline of June 15 to comply and respond. A months-long EFF investigation involving hundreds of public records requests uncovered that many California police departments share records containing detailed driving profiles of local residents with out-of-state agencies.

ALPR camera systems collect and store location information about drivers, including dates, times, and locations. This sensitive information can reveal where individuals work, live, associate, worship—or seek reproductive health services and other medical care.

“ALPRs invade people’s privacy and violate the rights of entire communities, as they often are deployed in poor and historically overpoliced areas regardless of crime rates,” said EFF Staff Attorney Jennifer Pinsof. “Sharing ALPR data with law enforcement in states that criminalize abortion undermines California’s extensive efforts to protect reproductive health privacy.”

The letters note how the nation’s legal landscape has changed in the past year.

“Particularly since the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, which overturned Roe v. Wade, ALPR technology and the information it collects is vulnerable to exploitation against people seeking, providing, and facilitating access to abortion,” the letters say. “Law enforcement officers in anti-abortion jurisdictions who receive the locations of drivers collected by California-based ALPRs may seek to use that information to monitor abortion clinics and the vehicles seen around them and closely track the movements of abortion seekers and providers. This threatens even those obtaining or providing abortions in California, since several anti-abortion states plan to criminalize and prosecute those who seek or assist in out-of-state abortions.”

Image by Simon from Pixabay

Idaho, for example, has enacted a law that makes helping a pregnant minor get an abortion in another state punishable by two to five years in prison.

The agencies that received the demand letters have shared ALPR data with law enforcement agencies across the country, including agencies in states with abortion restrictions including Alabama, Idaho, Mississippi, Oklahoma, Tennessee, and Texas. Since 2016, sharing any ALPR data with out-of-state or federal law enforcement agencies is a violation of the California Civil Code (SB 34). Nevertheless, many agencies continue to use services such as Vigilant Solutions or Flock Safety to make the ALPR data they capture available to out-of-state and federal agencies.

California law enforcement’s sharing of ALPR data with law enforcement in states that criminalize abortion also undermines California’s extensive efforts to protect reproductive health privacy, specifically a 2022 law (AB 1242) prohibiting state and local agencies from providing abortion-related information to out-of-state agencies.

Via Electronic Frontier Foundation

Published under Creative Commons License 3.0.

( Electronic Frontier Foundation ) – In the wake of this year’s Supreme Court decision in Dobbs overruling Roe v. Wade, sheriffs and bounty hunters in anti-abortion states will try to investigate and punish abortion seekers based on their internet browsing, private messaging, and phone app location data. We can expect similar tactics from officials in states that have prohibited transgender youths from obtaining gender-affirming health care. Indeed, the Texas governor ordered state child welfare officials to investigate such care as child abuse.

Many states are stepping forward to serve as health care sanctuaries for people seeking abortion or gender-affirming care that is not legal at home. These states must also be data sanctuaries. To be the safest refuge, a state that has data about people who sought abortion or gender-affirming health care must lock down that data, and not disclose it to adversaries who would use it to punish them for seeking that health care.

So it is great news that California Gov. Gavin Newsom recently signed three bills that will help meet these data privacy threats: A.B. 1242, authored by Asm. Rebecca Bauer-Kahan; A.B. 2091, authored by Asm. Mia Bonta; and S.B. 107, authored by Sen. Scott Wiener.

EFF supported all three bills. And we encourage other states to pass similar bills. They create new reproductive and trans health data exemptions from old information disclosure mandates. These laws also place new limits on how courts, government agencies, and businesses handle this data. (You can read here a more detailed explanation of these three new California laws; this post is a summary.)

New exemptions from old mandates. Many states require in-state entities to share data with out-of-state entities. States that respect the rights to abortion and gender-affirming health care must create new exemptions from these old laws, for out-of-state investigations of such health care. The new California bills do this to three old California laws that (1) require certain California digital service providers to treat out-of-state warrants like in-state warrants, (2) require California courts to assist in enforcing out-of-state judicial orders, and (3) require California health care providers to disclose certain kinds of medical information to certain kinds of entities.

New limits on judges. Under the new California laws, state judges cannot authorize wiretaps, pen registers, or search warrants, if they are for the purpose of investigating abortions that are legal in California. Also, state judges now cannot compel someone to identify a person who had an abortion, or issue a subpoena, in connection with an out-of-state investigation of an abortion that is legal in California.

New limits on state agencies. California’s state and local government agencies, including but not limited to law enforcement and prisons, are now barred from disclosing information to an individual or out-of-state agency regarding a person’s abortion or gender-affirming health care.

New limits on communication services. There is a new rule for California corporations, and corporations with principal offices in California, that provide electronic communication services. They shall not, in California, provide information or assistance in response to out-of-state court orders concerning abortions that are legal in California. However, such a corporation is not subject to liability unless it knew or should have known that the court order in question related to such an abortion.

Three cheers for California! These new data sanctuary laws are strong protections for people seeking abortion and transgender health care. Other pro-choice and pro-trans states should enact similar laws.

But more work remains.

Anti-abortion and anti-trans sheriffs will continue to seek information located in the Golden State. California lawmakers must enact new laws as needed. For example, they may need to add new exemptions to an old law that authorizes state courts to command residents to travel out-of-state to testify in criminal proceedings. Eternal vigilance is the price of data sanctuary. States should also be data sanctuaries for immigrants.

Also, Congress and the states must enact comprehensive consumer data privacy legislation that limits how businesses collect, retain, use, and share our data. A great way to stop anti-choice and anti-trans sheriffs from seizing data from businesses is to stop these businesses from collecting and retaining this data in the first place. Legislators should start with Rep. Jacobs’ My Body, My Data bill.

Finally, Congress and the states must limit how law enforcement agencies obtain our data from businesses. For example, police across the country are using “reverse search warrants” to identify all people who used particular keywords in their web searches, and all people who were physically present at a particular geolocation. These schemes violate the Fourth Amendment. Legislators must ban them. New York State legislators tried to do so last year. Anti-abortion sheriffs might use them to identify all people who searched the web for “abortion pill,” or who visited an abortion clinic. Likewise, police across the country are buying detailed location data, often without a warrant, from data brokers who got it from our phone apps. This also violates the Fourth Amendment. Legislators should ban it, too.

Via Electronic Frontier Foundation

( EFF ) – It’s been a tumultuous year for free expression globally. From internet shutdowns, crackdowns on expression and closed-door partnerships to attempts to restrict anonymity and end to end encryption, in many places, digital rights are under threat. And while the European Union has made regulatory strides, elsewhere in the world, efforts to regulate—particularly those undertaken by authoritarian countries—threaten to fracture the global internet. 

EFF is deeply engaged in the global fight for free expression online. In 2022, we worked with the DSA Human Rights Alliance to ensure that EU lawmakers consider the global impacts of European legislation. We also joined the Arab Alliance for Digital Rights, a newly-formed coalition that brings together groups across the MENA region and international partners to protect civic space online. We continued our work as long-term members of the IFEX network. And with (cautious) travel back on the table, we participated in a number of international fora, including the Balkans-based POINT conference, FIFAfrica, Bread and Net in Lebanon, and the OSCE.

Working with international partners, we launched Protect the Stack, an initiative supported by more than 55 organizations worldwide aimed at ensuring infrastructure providers don’t become speech police. We also launched Tracking Global Online Censorship to monitor the impact of content moderation on free expression worldwide.

In addition to these joint efforts, there were quite a few places that warranted extra attention. Here are five ongoing threats that we will be watching in the year to come:

1. Ghana’s Repulsive Anti-LGBTQ Bill

Ghana, a constitutional democracy with a strong commitment to free expression, has become a regional tech hub, making this bill introduced by the Ghanaian parliament all the more atrocious. Ghanian law already criminalizes same-sex sexual activity, but this proposal goes further, threatening up to five years in jail to anyone who publicly identifies as LGBTQI+ or “any sexual or gender identity that is contrary to the binary categories of male and female.” The bill also criminalizes identifying as an LGBTQI+ ally.

We called on Twitter and Meta, both of which had previously opened offices in the Ghanian capital of Accra (Twitter’s office has since been shuttered), to speak out against the bill, and encouraged global allies to support the Ghanaian LGBTQI+ and human rights communities in opposing its passing. We will continue to monitor the situation for future developments.

2. Iran’s Crackdown on Protesters and Technologists

In September, the death of Jina (Mahsa) Amini at the hands of Iran’s morality police sparked protests that have continued for more than two months, despite a brutal crackdown that has included tens of thousands of arrests and several executions of high-profile anti-government protesters.

Amongst those targeted by government forces early on were several technologists and digital rights defenders. In October, we joined our friends at Access Now, Article19, and Front Line Defenders in issuing a statement calling on Iran to stop the persecution of the digital rights community and to release those detained, including technology specialist Aryan Eqbal and blogger and technologist Amiremad (Jadi) Mirmirani.

Eqbal was released in early November, and Mirmirani in mid-December, but Iranians still face serious threats to online free expression. We will continue working with our international partners to call attention to the situation.

3. Turkey’s Latest Attempt to Hinder Free Expression

Turkey, an early adopter of measures to restrict social media, was at it again in 2022 with a new law aimed at curbing disinformation. Following in the footsteps of its 2020 mutant NetzDG copycat law, the Turkish government is now looking to fight disinformation with censorship in the form of a vaguely-worded law prescribing three years’ imprisonment for anyone who publishes “false information” with the intent to “instigate fear or panic” or “endanger the country’s security, public order and general health of society.”

The law was met with condemnation within Turkey and abroad, and we echoed that sentiment. We will be watching to see how the regulation impacts speech in the coming year.

4. Saudi Arabia’s Threats to Rights Online

Saudi Arabia has never offered a space for free expression, online or off, but as the country seeks to improve its international reputation with developments like smart city NEOM—just a few years after its brutal murder of journalist Jamal Khashoggi—its striking measures to restrict free expression have us paying close attention to the Gulf state.

In 2022, Saudi Arabia imposed strikingly harsh prison sentences on two Twitter users, one of whom is an American citizen. The other, Salma al-Shehab, was a student at the University of Leeds in the UK and was arrested upon her return to Saudi Arabia and held for more than a year before being sentenced to a whopping 34 years in prison, to be followed by a 34-year travel ban. Her “crime”? Sharing content in support of prisoners of conscience and women human rights defenders. Her sentence is four years longer than the maximum sentence suggested by the country’s anti-terror laws for activities such as supplying explosives or hijacking an aircraft.

In October, we joined more than a dozen international organizations in calling on the UK government to push for her release, and have continued to monitor her case. In light of both cases, and a number of other rights violations by the Saudi government, we also called on Google to abandon plans to open a data center in the country. And now, with Saudi Arabia one of Twitter’s largest investors, we have more reason to keep a close eye on Silicon Valley’s ventures with the human rights-violating country. 

5. Egypt’s Brutal Repression of Alaa Abd El Fattah 

We had hoped 2022 would be the year that we would see technologist, activist, and writer Alaa Abd El Fattah free and reunited with his family. A friend of EFF, Alaa’s case has been a cornerstone of our international advocacy work for many years. This year, as the COP27 Summit—hosted by Egypt despite international objections—neared, Alaa decided to escalate his ongoing hunger strike, putting his life in grave danger but also drawing eyes to his plight. Ultimately, the protests surrounding the COP27 calling for his freedom and that of other political prisoners in Egypt overshadowed the climate negotiations.

Alaa was one of three winners of the 2022 EFF Awards, and while we are proud to honor his accomplishments, the moment was bittersweet: Despite demands from the UK government, a number of members of U.S. Congress, and a broad swath of the international community, Alaa remains in prison.

But, to put it in his own words, we have not yet been defeated: Alaa ended his hunger strike in mid-November and was finally allowed a visit with his family shortly after. There is still hope, and Alaa’s family, friends, and allies around the world continue the fight for his freedom. The campaign’s latest ask (external link) is for UK and U.S. constituents to write to their members of parliament and Congress, respectively. We hope that Alaa finally gets his freedom back in 2023, and we won’t stop fighting until he does.

This article is part of our Year in Review series. Read other articles about the fight for digital rights in 2022.

Jillian C. York is EFF’s Director for International Freedom of Expression and is based in Berlin, Germany. Her work examines state and corporate censorship and its impact on culture and human rights, with a focus on historically marginalized communities. At EFF, she leads the platform censorship working group, and also works on European policy, the impact of sanctions on the use of technology, and occasionally, digital security. Jillian is the author of Silicon Values: The Future of Free Speech Under Surveillance Capitalism (Verso, 2021) and has written for Vice, Buzzfeed, the Guardian, and the New York Times, among others. She teaches at the College of Europe Natolin in Warsaw. She is also a regular speaker at global events.

Via EFF

Attribution 3.0 United States (CC BY 3.0 US)

AlHathloul is among the victims of an illegal spying program created and run by former U.S. intelligence operatives, including the three defendants named in the lawsuit, who worked for a U.S. company hired by United Arab Emirates (UAE) in the wake of the Arab Spring protests to identify and monitor activists, journalists, rival foreign leaders, and perceived political enemies.

Reuters broke the news about the hacking program called Project Raven in 2019, reporting that when UAE transferred the surveillance work to Emirati firm DarkMatter, the U.S. operatives, who learned spycraft working for the National Security Agency and other U.S. intelligence agencies, went along and ran DarkMatter’s hacking program, which targeted human rights activists like AlHathloul, political dissenters, and even Americans residing in the U.S.

DarkMatter executives Marc Baier, Ryan Adams, and Daniel Gericke, working for their client UAE—which was acting on behalf of the Kingdom of Saudi Arabia (KSA)—oversaw the hacking project, which exploited a vulnerability in the iMessage app to locate and monitor targets. Baier, Adams, Gericke, all former members of U.S. intelligence or military agencies, designed and operated the UAE cybersurveillance program, also known as Project DREAD (Development Research Exploitation and Analysis Department), using malicious code purchased from a U.S. company.

What’s Happening: “Loujain al-Hathloul Sues Three Ex-US Intel Operatives Over Hacking For UAE”

Baier, who resides in UAE, Adams, a resident of Oregon, and Gericke, who lives in Singapore, admitted in September to violating the Computer Fraud and Abuse Act (CFAA) and prohibitions on selling sensitive military technology under a non-prosecution agreement with the U.S. Justice Department.

“Companies that peddle their surveillance software and services to oppressive governments must be held accountable for the resulting human rights abuses,” said EFF Civil Liberties Director David Greene. “The harm to Loujain AlHathloul can never be undone. But this lawsuit is a step toward accountability.”

AlHathloul, whose statement on the case is below, is a leader in the movement to advance the rights of women in Saudi Arabia, where females were barred from driving until 2018, are required by law to obtain permission from a male guardian to work or travel, and suffer discrimination and violence. She rose to prominence for her advocacy for women’s right to drive and put herself at great risk in 2014 by publicly announcing her intention to drive across the border from UAE to KSA and filming herself driving. She was stopped at the KSA border and imprisoned for 73 days. Undeterred, AlHathloul continued to speak out for women’s rights and continues to be a target of the kingdom’s efforts to suppress dissent.

DarkMatter intentionally directed the code to Apple servers in the U.S. to reach and place malicious software on AlHathloul’s iPhone, a violation of the CFAA, EFF says in a complaint filed in federal court in Oregon. The phone was initially hacked in 2017, gaining access to her texts, email messages, and real-time location data. Later, AlHathloul was driving on the highway in Abu Dhabi when she was arrested by UAE security services, and forcibly taken by plane to the KSA, where she was imprisoned twice, including at a secret prison where she was subject to electric shocks, flogging, and threats of rape and death.

“Project Raven went beyond even the behavior that we have seen from NSO Group, which has been caught repeatedly having sold software to authoritarian governments who use their tools to spy on journalists, activists, and dissidents,” said EFF Cybersecurity Director Eva Galperin. “Dark Matter didn’t merely provide the tools; they oversaw the surveillance program themselves.”

While EFF has long pressed for the need to reform the CFAA, this case represents a straightforward application of the CFAA to the sort of egregious violation of users’ security that everyone agrees the law was intended to address.

“This is a clear-cut case of device hacking, where DarkMatter operatives broke into AlHathloul’s iPhone without her knowledge to insert malware, with horrific consequences,” said Mukund Rathi, EFF attorney and Stanton Fellow. “This kind of crime is what the CFAA was meant to punish.”

In addition to CFAA violations, the complaint alleges that Baier, Adams, and Gericke aided and abetted in crimes against humanity because the hacking of AlHathloul’s phone was part of the UAE’s widespread and systematic attack against human rights defenders, activists, and other perceived critics of the UAE and KSA.

The law firms of Foley Hoag LLP and Boise Matthews LLP are co-counsel with EFF in this matter.

Loujain Alhathloul Lawsuit Statement

“Never have I envisioned myself being recognized for standing up for what I believed was right. My early realization of my privilege to speak up and out for women and myself drove me to engage in the sphere of human rights defenders.

“In a 2018 article titled Kidnapped Freedoms, I expressed my understanding of freedom to be safety and peace:

‘safety to express, to feel protected, to live and to love.
[And] peace to reveal the purest and most sincere humanity implanted deep within our souls and minds without experiencing unforgivable consequences.
Deprived of safety and peace, I have lost my freedom. Forever?’

“Previously, I had limited consideration of all aspects of harm a human rights defender, or any individual for that matter, could face, especially in the online world. Today, I incorporate online safety as well as protection from misuse of power by cyber companies to my understanding of safety. The latter should be considered a basic and natural right in our digital reality.

“No government or individual should tolerate the misuse of spy malware to deter human rights or endanger the voice of the human conscious. This is why I have chosen to stand up for our collective right to remain safe online and limit government-backed cyber abuses of power. I continue to realize my privilege to possibly act upon my beliefs.

“I hope this case inspires others to confront all sorts of cybercrimes while creating a safer space for all of us to grow, share, and learn from one another without the threat of power abuses.”

For the complaint:
https://www.eff.org/document/alhathloul-v-darkmatter

Mukund Rathi at EFF adds

When governments or private companies target someone with malware and facilitate the abuse of their human rights, the victim must be able to hold the bad actors accountable. That’s why, in October, EFF requested that a federal court consider its amicus brief in support of journalist Ghada Oueiss in her lawsuit against DarkMatter, a notorious cyber-mercenary company based in the United Arab Emirates. Oueiss is suing the company and high-level Saudi government officials for allegedly hacking her phone and leaking her private information as part of a smear campaign.

EFF’s brief argues that private companies should not be protected by foreign sovereign immunity, which limits when foreign governments can be sued in U.S. courts. Hundreds of technology companies sell surveillance and hacking as a product and service to governments around the world. Some companies sell surveillance tools to governments—in 45 of the 70 countries that are home to 88% of the world’s internet users—and others, like DarkMatter, do the surveillance and hacking themselves.

DarkMatter’s hacking has serious consequences. In her lawsuit, Oueiss recounts being targeted by thousands of tweets attacking her, with accounts posting stolen personal photos and videos, some of which were doctored to further humiliate her. And earlier this month, EFF filed a lawsuit against DarkMatter because the company hacked Saudi human rights activist Loujain AlHathloul, leading to her kidnapping by the UAE and extradition to Saudi Arabia, where she was imprisoned and tortured.

U.S. companies are on both ends of DarkMatter’s misconduct—some are targets, like Apple and iPhone users, and other companies are vendors. Two U.S. companies sold zero-click iMessage exploits to DarkMatter, which it used to create a hacking system that could infiltrate iPhones around the world without the targets knowing a thing.

Human rights principles must be enforced, and voluntary mechanisms have failed these victims. U.S. courts should be open to journalists and activists to vindicate their rights, especially when there is a connection to this country—the smear campaign against Oueiss occurred here in part. EFF welcomed the Ninth Circuit Court of Appeals’ recent ruling that spyware vendor NSO Group, as a private company, did not have foreign sovereign immunity from WhatsApp’s lawsuit alleging hacking of the app’s users. Courts should similarly deny immunity to DarkMatter and other surveillance and hacking companies who directly harm Internet users around the world.

For more on state-sponsored malware:
https://www.eff.org/issues/state-sponsored-malware

Via EFF

Everyone in the tech world claims to love interoperability—the technical ability to plug one product or service into another product or service—but interoperability covers a lot of territory, and depending on what’s meant by interoperability, it can do a lot, a little, or nothing at all to protect users, innovation and fairness.

Let’s start with a taxonomy of interoperability:

Indifferent Interoperability

This is the most common form of interoperability. Company A makes a product and Company B makes a thing that works with that product, but doesn’t talk to Company A about it. Company A doesn’t know or care to know about Company B’s add-on.

Think of a car’s cigarette lighter: these started in the 1920s as aftermarket accessories that car owners could have installed at a garage; over time they became popular enough that they came standard in every car. Eventually, third-party companies began to manufacture DC power adapters that plugged into the lighter receptacle, drawing power from the car engine’s alternator. This became widespread enough that it was eventually standardized as ANSI/SAE J563.

Standardization paved the way for a variety of innovative new products that could be made by third-party manufacturers who did not have to coordinate with (or seek permission from) automotive companies before bringing them to market. These are now ubiquitous, and you can find fishbowls full of USB chargers that fit your car-lighter receptacle at most gas stations for $0.50-$1.00. Some cars now come with standard USB ports (though for complicated reasons, these tend not to be very good chargers), but your auto manufacturer doesn’t care if you buy one of those $0.50 chargers and use it with your phone. It’s your car, it’s your car-lighter, it’s your business.

Cooperative Interoperability

Sometimes, companies are eager to have others create add-ons for their products and services. One of the easiest ways to do this is to adopt a standard: a car manufacturer that installs an ANSI/SAE J563-compliant car-lighter receptacle in its cars enables its customers to use any compatible accessory with their cars; any phone manufacturer that installs a 3.5mm headphone jack allows anyone who buys that phone to plug in anything that has a matching plug, even exotic devices like Stripe’s card-readers, which convert your credit-card number to a set of tones that are played into a vendor’s phone’s headphone jack, to be recognized and re-encoded as numbers by Stripe’s app.

Digital standards also allow for a high degree of interoperability: a phone vendor or car-maker who installs a Bluetooth chip in your device lets you connect any Bluetooth accessory with it—provided that they support that device, or at least that they make no steps to prevent that device from being connected.

This is where things get tricky: manufacturers and service providers who adopt digital standards can use computer programs to discriminate against accessories, even those that comply with the standard. This can be extremely beneficial to customers: you might get a Bluetooth “firewall” that warns you when you’re connecting to a Bluetooth device that’s known to have security defects, or that appears on a blacklist of malicious devices that siphon away your data and send it to identity thieves.

But as with all technological questions, the relevant question isn’t merely “What does this technology do?” It’s “Who does this technology do it to and who does it do it for?”

Because the same tool that lets a manufacturer help you discriminate against Bluetooth accessories that harm your well-being allows the manufacturer to discriminate against devices that harm its well-being (say, a rival’s lower-cost headphones or keyboard) even if these accessories enhance your well-being.

In the digital era, cooperative interoperability is always subject to corporate boundaries. Even if a manufacturer is bound by law to adhere to a certain standard—say, to provide a certain electronic interface, or to allow access via a software interface like an API—those interfaces are still subject to limits that can be embodied in software.

A digitally enabled car-lighter receptacle could be made to support only a limited range of applications—charging via USB but not USB-C or Lightning, or only charging phones but not tablets—and software could be written to enforce those limits. Even a very permissive “smart lighter-receptacle” that accepted every known device as of today could be designed to reject any devices invented later on, unless the manufacturer chose to permit their use. A manufacturer of such a device could truthfully claim to support “every device you can currently plug into your car lighter,” but still maintain a pocket veto over future devices as a hedge against new developments that it decides are bad for the manufacturer and its interests.

What’s more, connected devices and services can adjust the degree of interoperability their digital interfaces permit from moment to moment, without notice or appeal, meaning that the browser plugin or social media tool you rely on might just stop working.

Which brings us to…

Adversarial Interoperability

Sometimes an add-on comes along that connects to a product whose manufacturer is outright hostile to it: third-party ink for your inkjet printer, or an unauthorized app for your iPhone, or a homebrew game for your console, or a DVR that lets you record anything available through your cable package, and that lets you store your recordings indefinitely.

Many products actually have countermeasures to resist this kind of interoperability: checks to ensure that you’re not buying car parts from third parties, or fixing your own tractor.

When a manufacturer builds a new product that plugs into an existing one despite the latter’s manufacturer’s hostility, that’s called “adversarial interoperability” and it has been around for about as long as the tech industry itself, from the mainframe days to the PC revolution to the operating system wars to the browser wars.

But as technology markets have grown more concentrated and less competitive, what was once business-as-usual has become almost unthinkable, not to mention legally dangerous, thanks to abuses of cybersecurity law, copyright law, and patent law.

Taking adversarial interoperability off the table breaks the tech cycle in which a new company enters the market, rudely shoulders aside its rivals, grows to dominance, and is dethroned in turn by a new upstart. Instead, today’s tech giants show every sign of establishing a permanent, dominant position over the internet.

“Punishing” Big Tech by Granting It Perpetual Dominance

As states grapple with the worst aspects of the Internet—harassment, identity theft, authoritarian and racist organizing, disinformation—there is a real temptation to “solve” these problems by making Big Tech companies legally responsible for their users’ conduct. This is a cure that’s worse than the disease: the big platforms can’t subject every user’s every post to human review, so they use filters, with catastrophic results. At the same time, these filters are so expensive to operate that they make it impossible for would-be competitors to enter the market. YouTube has its $100 million Content ID copyright filter now, but if it had been forced to find an extra $100,000,000 to get started in 2005, it would have died a-borning.

But assigning these expensive, state-like duties to tech companies also has the perverse effect of making it much harder to spark competition through careful regulation or break-ups. Once we decide that providing a forum for online activity is something that only giant companies with enough money to pay for filters can do, we also commit to keeping the big companies big enough to perform those duties.

Interoperability to the Rescue?

It’s possible to create regulation that enhances competition. For example, we could introduce laws that force companies to follow interoperability standards and oversee the companies to make sure that they’re not sneakily limiting their rivals behind the scenes. This is already a feature of good telecommunications laws, and there’s lots to like about it.

But a mandate to let users take their data from one company to another—or to send messages from one service to another—should be the opener, not the end-game. Any kind of interoperability mandate has the risk of becoming the ceiling on innovation, not the floor.

For example, as countries around the world broke up their national phone company monopolies, they made rules forcing them to allow new companies to use their lines, connect to their users and share their facilities, and this enabled competition in things like long distance service.

But these interoperability rules were not the last word: the telcos weren’t just barred from discriminating against competitors who wanted to use their long-haul lines; thanks to earlier precedent, they were also not able to control who could make devices that plugged into those lines. This allowed companies to make modems that could connect to phone lines. As the Internet crept (and then raced) into Americans’ households, the carriers had ample incentive to control how their customers made use of the net, especially as messaging and voice-over-IP eroded the massive profits from long-distance and SMS tariffs. But they couldn’t, and that helplessness to steer the market let new companies and their customers create a networked revolution.

The communications revolution owes at least as much to the ability of third parties to do things that the carriers hated—but couldn’t prevent—as it does to the rules that forced them to interconnect with their rivals.

Fix the Internet, Not the Tech Companies

The problems of Big Tech are undeniable: using the dominant services can be terrible, and now that they’ve broken the cycle of dominance and dethroning, the Big Tech companies have fortified their summits such that others dare not besiege them.

Today, much of the emphasis is on making Big Tech better by charging the companies to filter and monitor their users.

The biggest Internet companies need more legal limits on their use and handling of personal data. That’s why we support smart, thorough new Internet privacy laws. But laws that require filtering and monitoring user content make the Internet worse: more hostile to new market entrants (who can’t afford the costs of compliance) and worse for Internet users’ technological self-determination.

If we’re worried that shadowy influence brokers are using Facebook to launch sneaky persuasion campaigns, we can either force Facebook to make it harder for anyone to access your data without Facebook’s explicit approval (this assumes that you trust Facebook to be the guardian of your best interests)—or we can bar Facebook from using technical and legal countermeasures to shut out new companies, co-ops, and projects that offer to let you talk to your Facebook friends without using Facebook’s tools, so you can configure your access to minimize Facebook’s surveillance and maximize your own freedom.

The second way is the better way. Instead of enshrining Google, Facebook, Amazon, Apple, and Microsoft as the Internet’s permanent overlords and then striving to make them as benign as possible, we can fix the Internet by making Big Tech less central to its future.

It’s possible that people will connect tools to their Big Tech accounts that do ill-advised things they come to regret. That’s kind of the point, really. After all, people can plug weird things into their car’s lighter receptacles, but the world is a better place when you get to decide how to use that useful, versatile ANSI/SAE J56-compliant plug—not GM or Toyota.