Searching for a Solution — Google in DoJ Crosshairs, Brave Policy Fireside Chat, Facebook Globalcoin — June 3, 2019
Executive Summary
In this note, we explore the current political climate and why it suggests that the recently announced Department of Justice antitrust investigation into Google may be different than the multitude of antitrust violations into Google in the past. We will cover the following conclusions:
1. Privacy as a Priority
In talking to elected officials during our trips to Washington DC, they repeatedly emphasized that privacy remains a “high priority” for lawmakers, regardless of party affiliation. Based on the mass market, even populist, appeal of the issue, we believe that this topic will only grow louder as we head into the 2020 election.
2. Privacy as the Antitrust Trojan Horse
On Friday evening, the WSJ reported that the Department of Justice (DoJ) plans to bring an antitrust case against Google. In our May 1 note, “President Trump, Elizabeth Warren and Tim Cook’s Common Ground: Big Tech Regulation”, we demonstrated that the last three antitrust fines the company faced, all levied by the European Union and totaling $9.4 billion, had no bearing on the stock price. In fact, the stock has outperformed the market in the ensuing to-date period of each. Moreover, it appears likely that the FTC is deferring to the DoJ in this case — the FTC had already brought two cases against Google over the last several years, but the total judgement against Google across both was only $22.5 million, the equivalent of 0.16% of the company’s operating expense last quarter. While antitrust and data privacy are separate issues, we have already seen presidential candidates reference the former as a solution to the latter. This suggests a willingness among lawmakers to depart from the traditional antitrust procedure of the past four decades (i.e. solely economic analysis) to stir up the mainstream base. By citing the two topics in tandem, the issue of competition between tech firms takes on a far more personal angle.
3. GDPR and “Soft Breakups”
Last week, on the one-year anniversary of GDPR, we hosted Johnny Ryan, Chief Policy Officer of Brave Software, after he presented to the US Senate Judiciary Committee. His session in Congress was quickly followed by Ireland’s Data Protection Commission (DPC) announcing a major GDPR probe into “suspected infringement” by Google’s “DoubleClick/Authorized Buyers” advertising business. It is notable that, while we have seen several antitrust fines levied, we have yet to see a GDPR/privacy related judgement. As we started discussing in November of last year, one of Johnny’s complaints with respect to Google and others is their use of Real Time Bidding (RTB), which infringes on GDPR. Johnny is an important voice in this debate — as an example of his expertise, his book “A History of the Internet and the Digital Future” was the most cited source in the European Commission’s impact assessment that decided against pursuing Web censorship across the European Union. A “soft breakup” solution he presented to Congress was “ring fencing” data so that one business would not be allowed to use the data in another business. See herein for all other highlights of the fireside chat with Johnny Ryan.
4. Marketplace (Platform) Reform
We expect Big Tech platforms to continue to see their ability to compete against third parties on platforms they provide, erode. The WSJ article cited the topic of search, which has been an antitrust challenge to Google in the past by others (three challenges specifically spanned Google AdSense, Shopping and Mobile). Amazon, another Big Tech platform cited in Elizabeth Warren’s Medium post, argued similarly that, while the platform provides low prices and a place for mom and pop retailers to sell their products, Amazon inevitably just undercuts the small retailers once it understands their respective markets.
5. Implications for the Ad-Based Revenue — Facebook Fixing with Globalcoin?
Facebook provides a great example of how damaging even just a “soft breakup” could be to a company model reliant on advertising, where user data acts as its lifeblood. Ring fencing data of WhatsApp, Instagram and News Feed would mean that insights gleaned about users would be siloed. This could theoretically impact revenues and at the same time, Facebook loses cost synergies, such as the ability to deploy capex across all three. Facebook announced the roll out of their cryptocurrency, GlobalCoin, which we believe initially at least, will be less about Payments and more about Advertising. Globalcoin could provide a way for users to garner value on the platform and then “spend” it in various ways — directly paying users for their data with GlobalCoin and getting more specific spending behavior patterns will be very valuable and could allow Facebook to retain rights for cross-service data analytics, while acting as a non-arbitrary mechanism by which to onboard users to the new currency.
Fireside Chat with Johnny Ryan
Below are comments and questions posed by Angela Dalton, Signum Global Advisors (in bold) and either direct commentary or excerpts from the writings and Senate Judiciary Committee by Johnny Ryan, Chief Policy and Industry Relations Officer at Brave Software.
The typical analyst or portfolio manager would not cite “Big Tech Regulation” or “Privacy” as #1, 2, 3 or maybe even top ten among issues that take up the most mindshare, likely because the stocks have experienced little more than extremely short-term speed bumps as antitrust fines have been priced into valuations. Talking to elected officials during our trips to Washington DC has uncovered a very different picture — these two topics rank very highly on elected officials’ priorities, regardless of party, and we believe will only grow louder as we head into the 2020 election.
On GDPR — What articles are the most important? And one year later, why hasn’t Europe already fined any companies?
- Article 5 sets out the principle of the entire regulation and everything in the GDPR flows through that. Article 5(1)(b), is the “purpose limitation” principle, [iv] which ring fences personal data held by companies, so they can’t use it outside of consumer expectations. They need a legal basis for each data processing purpose. [v]
- Article 7 (3) requires that an opt-in must be as easy to undo as it was to give in the first place, and that people can do so without detriment.
- As we know, the GDPR calls for a fine of up to 4% of global revenues. While we haven’t seen any fines to date, there is similar policy precedent in the insurance industry and in that case, the first round of judgments against companies took 18 months.
On the topic of consent, we cited Nuala O’Connor, CDT President & CEO, in our last paper (“Consent and choice are no longer a choice”) as we believe the onus of privacy protection should shift from users to the platforms, effectively making the “Accept” button a relic of the past.
Johnny commented that consent has yet to be implemented by the GDPR. If you have consent notices, they are immaterial and unlawful, and the trade body has an illegal cookie wall that is subject to complaint. Something that doesn’t properly inform users in first place simply isn’t good enough. The GDPR says that one is not able to consent to something that is illegal anyway.
According to Johnny, consent messages will become far less annoying in Europe, because if a company insists on harassing you to opt in, and you finally click OK, it will be required to keep reminding you that you can opt back out again.
These two GDPR tools, the “purpose limitation principle”, plus the ease of withdrawal of consent, enable freedom. Freedom for the market of users to defect from and engage with big tech companies, deciding what personal data can be used for.
You have commented extensively about how Real Time Bidding (RTB) infringes on the GDPR. Can you explain this concept?
Every time a person visits a website that uses RTB systems, intimate personal data about them and what they are viewing is broadcast in a “bid request” to tens or hundreds of companies, to solicit bids from potential advertisers’ for the opportunity to show an ad to this specific visitor. The data can include people’s exact locations; inferred religious, sexual, political characteristics; what they are reading, watching, and listening to online; and unique codes that allow long term profiles about each person to aggregate over time. As today’s GDPR complaints show, this occurs hundreds of billions of times every day, and is the most significant source of personal data leakage so far.
Google’s DoubleClick (recently renamed “Authorized Buyers”) is active on 8.4 million websites, and broadcasts personal data about visitors to these sites to over 2,000 companies. The next biggest ad exchange is AppNexus, owned by AT&T, which conducts 131 billion personal data broadcasts every day.
“There is no control over what happens to the data once broadcast, which is like the Facebook data leakage that enabled Cambridge Analytica to profile people, but for the fact that it is far greater in scale.” - Johnny Ryan at the US Senate Judiciary Committee
Our view at Signum has been that we will see a Federal Privacy Law in 2019 and it was explained to us that it has to happen by 12/13/19 to avoid accepting California’s privacy law as the Federal law. While there appears to be some debate over whether such a Federal law would preempt California law, the tech industry has come out vocally in favor of federal preemption, due to the higher costs of a patchwork of state laws and an expectation that a federal law would be less onerous. Is the California law good enough?
Johnny does not believe that California is good enough. The state laws should act as a floor, and US federal law should start with a minimum of what GDPR offers. Johnny pointed out that more than half of the world’s GDP has adopted GDPR. He agrees that no one wants a patchwork of state laws, which will make for a more complicated and expensive system to manage.
Separately, Brave has written to the California Department of Justice to highlight potential loopholes in the California Consumer Protection Act (CCPA). A full transcript of the report is here. Broadly, Brave is concerned about four potential loopholes in the CCPA.
1. The definition of “personal information” appears to be too narrow.
2. Loopholes on deletion of data may undermine the intention of the Act.
3. Exceptions for “business purposes” appear to be too wide.
4. The concept of “sale” of data may be too narrow.
How would you propose regulating these companies? You have proposed “soft break ups”. What does this mean?
The term that Johnny used with Congress was “ring fencing” data. In keeping with the Fair Information Practice Principles (FIPPs) of the 1974 US Privacy Act, a federal law should require that the collection of personal information is subject to purpose specification. This means that personal information shall only be collected for specific and explicit purposes. Personal information should not be used beyond those purposes without consent, unless a further purpose is poses no risk of harm and is compatible with the initial purpose, in which case the data subject should have the opportunity to opt-out.
This allows for a consideration of harms that may be suffered by the data subject, and, for example, should rule out the wide cross-use of personal information by Equifax, Facebook, Google, and other serial data protection offenders.
Simply, one is not allowed to collect data for one purpose and then use it for another purpose. For each purpose, one needs a legal basis.
In January 2019, the FCC put out a call for submissions called “Competition and consumer protection in the 21st Century”. Brave Software’s response made the point that big tech companies who “cross-use” user data from one part of their business to prop up others stifles competition, hurts innovation and reduces consumer choice.
“Anti-competitive practices may be inevitable when companies with Google’s degree of market dominance update their privacy policies to include the cross-use of personal information.”
“The cross-use of data between different lines of business is analogous to the tying of two products. Indeed, tying and cross-use of data can occur at the same time, as Google Chrome’s latest ‘auto sign in to everything’ controversy illustrates.”
In keeping with the fair information practice principles (FIPPs) of the 1974 US Privacy Act, Brave recommends that a federal law should require that the collection of personal information is subject to purpose specification. This means that personal information shall only be collected for specific and explicit purposes. Personal information should not be used beyond those purposes without consent, unless a further purpose posed no risk of harm and was compatible with the initial purpose, in which case the data subject should still have the opportunity to opt-out.
This allows for a consideration of harms that may be suffered by the data subject, and, for example, should rule out the wide cross-use of personal information by Equifax, Facebook, Google, and other serial data protection offenders. Note also that where sensitive personal information is concerned, opt-in consent is required for all purposes, compatible or not, unless the data have been made “manifestly public” by the person that they concern.
Brave also recommends that a federal law should include a definition of what a “processing purpose” is. The term “processing purpose” means an adequately specific and granular reason for which a covered entity processes personal information. A purpose is adequately granular if there is no more granular processing purpose that can be communicated to an individual.
Microsoft’s focus on privacy goes back to 2013 when they ran an ad campaign promoting its privacy and anti-tracking tools. “Your privacy is our priority,” the ads said. Also, Microsoft’s CEO Satya Nadella told a crowd that privacy is a “human right.”
Two weeks ago, Microsoft made an announcement that they will allow users to own their own identity using decentralization and they will build this on the Bitcoin network. This was a big announcement because it is the first big tech company to roll out something like this and it was the first time we have seen an Enterprise rely on the security of the Bitcoin network. What did you think of this announcement?
Johnny commented that Microsoft hired Julia Brill former Commissioner of the U.S. Federal Trade Commission (FTC) but he didn’t see any real response from the FTC in terms of enforcement. Microsoft also owns LinkedIn, which Johnny believes is in the same bucket in terms of GDPR infringement. Having said that, on the topic of Self Sovereign Identity (SSI), in a situation of KYC, this could be an interesting solution.
There was news last week that Amazon has filed a new patent application with the United States Patent and Trademark Office (USPTO) titled “Pre-Wakeword Speech Processing,” which will capture and process the words spoken by an Alexa owner before the wakeword (or hotword) is spoken. In other words, Alexa will record what you are saying prior to saying “Alexa.”
Johnny pointed out that Amazon has a big trust bridge to build for that very reason. However, for Virtual Assistants in general, a device builds up a profile and then shows ads to you based on this. Theoretically, advertising at the device level is preferred. With Brave’s solution, one is shown an ad as an operating system notification. A user clicking on an ad would trigger a payment by the advertiser. For example, if an advertiser spends $100, $70 would go to the user, which would then be paid to publishers’ sites that the user visits. This seems like an interesting way to allow users to garner value just at the time that subscriptions and paywalls are increasing. In the next iteration of the product, publishers will receive 85% of the ad revenues.
Note: The Irish Data Protection Commission (DPC) opened an inquiry into Google’s AdTech, citing section 110 of Ireland’s Data Protection Act 2018. The DPC wrote that the inquiry is “to establish whether processing of personal data carried out at each stage of an advertising transaction is in compliance with the relevant provisions of the General Data Protection Regulation, including the lawful basis for processing, the principles of transparency and data minimization, as well as Google’s retention practices”.
Dr. Johnny Ryan
Johnny is the Chief Policy & Industry Relations Officer at Brave. Before joining Brave, Dr. Ryan was responsible for PageFair’s research and analysis, as well as industry relations. Previous roles include being Chief Innovation Officer of The Irish Times, Senior Researcher at the Institute of International & European Affairs (IIEA). He is a Fellow of the Royal Historical Society, and a member of the World Economic Forum’s expert network on media, entertainment and information. Dr Ryan is the author of two books (read about “A History of the Internet and the Digital Future” here). His first book was based on his work at the IIEA and was the most cited source in the European Commission’s impact assessment that decided against pursuing Web censorship across the European Union. His expert commentary has appeared in The New York Times, The Economist, The Financial Times, Bloomberg, Wired, Le Monde, NPR, TechCrunch, Advertising Age, Fortune, Business Week, the BBC, Sky News, and many others. As an O’Reilly Foundation PhD scholar at the University of Cambridge he studied the spread of militant memes on the Web. He started his career as a designer and returned to design thinking later as Executive Director of The Innovation Academy at University College Dublin. He was an associate on the emerging digital environment at the Judge Business School of the University of Cambridge. Twitter: @johnnyryan
Author: Angela Dalton Managing Partner, Technology Angela@signumglobal.com
