One of the core concerns ACT | The App Association had about the original text of the American Innovation and Choice Online Act (AICOA) is that it effectively prohibits platforms from addressing and responding to security and privacy threats. Senators Amy Klobuchar and Chuck Grassley circulated a Manager’s Amendment yesterday, altering several of the bill’s provisions. Typically, this type of amendment streamlines the legislative process by offering multiple changes under one amendment, but of course Manager’s Amendments only include changes the original authors approve. One of the provisions of the AICOA Manager’s Amendment seeks to deal with privacy and security concerns, but in reality, it would do nothing to exempt meaningful protections from liability.

The provision, a rule of construction, clarifies that the bill’s prohibitions on restricting access to personal data do not apply to removal of certain software. Specifically, the new rule of construction states that the bill’s prohibitions “may [not] be construed” to:

  • “Require a covered platform operator to interoperate or share data with persons or business users that are on any list maintained by the Federal Government by which entities” are either “identified as limited or prohibited from engaging in economic transactions as part of United States sanctions or export-control regimes” or “have been identified as national security, intelligence, or law enforcement risks.”
  • “Prohibit a covered platform operator from promptly requesting and obtaining the consent of a covered platform user prior to providing access to the non-public, personally identifiable information of the user to a covered platform user under that subsection.”

Limiting the universe of bad actors subject to removal to those that appear on lists “maintained by the Federal Government” is laughably inadequate and irresponsible cybersecurity policy. The new language only protects token cybersecurity activity, shielding platforms if they rely on the lists of prohibited persons and businesses from the federal government. Cybercriminals adapt quickly and take a variety of measures to prevent detection. Requiring platforms to wait for threat identification and addition to a federal government list gives criminals an enviable new advantage and would expose consumers to a fresh wave of new threats that mobile devices can easily avoid at present.

The privacy language also fails to allow platform users to apply their data sharing preferences to every service and app they use, essentially maintaining the bill’s prohibition on platforms facilitating privacy preferences across apps.

Companies like Facebook are already trying to use antitrust laws to prevent other platforms from protecting the privacy of their users, and this language does nothing to protect platforms from that kind of abusive antitrust action. With the threat of antitrust litigation and a penalty of 15 percent of revenue, it raises the risk for companies of continuing their expensive programs to proactively address security and privacy.

The Manager’s Amendment maintains the base bill’s strong disincentive for platforms to continue proactively protecting their marketplaces from threats to consumer privacy and security. It is unlikely the Senate Judiciary Committee can amend its way out of the security and privacy problems S. 2992 presents. The bill’s prohibitions are fundamentally in tension with privacy and security measures. The better bet is for Congress to focus its tech efforts on enacting a set of strong federal privacy requirements and avoid a potentially disastrous scenario for small business and consumers alike.