Hey, I'm Cory Doctorow and I work with the Electronic Frontier Foundation. I'm a special advisor there, and this talk, it's based on a paper that I co-wrote with my colleague at EFF, Bennett Cyphers. That is his real name. And that paper is also called Privacy Without Monopoly, same title as this talk. You can download it at EFF.org slash DC29, that's down there in the URL, DEF CON 29.

Now look, anytime someone talks about big tech and the internet's monopolization, someone will bring up the term network effects. Now, network effects are what economists call a product or service that gets better the more people there are who are using it, and tech companies do in fact enjoy network effects. The fact that the people you want to talk to are on Facebook is a reason for you to join Facebook. And once you join Facebook, that's a reason for people who want to talk to you to join Facebook. Or, you know, every time someone makes an iPhone app, that makes the iPhone itself a more valuable thing to have, because there's more apps for it. And every time someone goes out and buys an iPhone because there's more apps for it, that's a reason to make more apps, because there's more customers for those apps.

But network effects, they're only half of the story. Network effects are why companies get big, but they're not why companies stay big. Network effects get critical mass, give critical mass to big companies, right?
So once they get to a certain size, they just keep growing because they have so many users that people keep joining them, because they want the benefits of those network effects, and they keep adding users. But if you want to understand why these companies stay big, why users don't leave, you have to look at switching costs. That's another term from economics jargon. Switching costs are whatever you have to give up to leave a product or a service. Like if you quit Facebook, you leave behind the friends and family members and the communities and the customers that you found there, right, or that you join there to be with. If you leave behind Google, you'll lose search, sure, but you lose your apps and maybe you lose your mobile platform. And if you want to quit iOS, you have to say goodbye to the apps and the proprietary files that those apps created, that you bought for iOS.

Now, these switching costs aren't an accident. They don't come naturally. They're actually engineered into the system. After all, you can switch mobile carriers without losing contact with your friends. You don't even have to change your phone number.
You don't have to tell them you've changed from, like, Verizon to Sprint. There's no technical reason Facebook couldn't be designed to let you keep talking to your Facebook friends even after you leave Facebook. After all, Facebook has spent millions of dollars and they've conducted endless research to figure out how to let you stay with your friends when you join Facebook. You know, think of all that technical expertise in UX that goes into cajoling you into uploading your address book to Facebook, so that once you get there they can automatically hook you up with all the friends who are already there, and when new friends join, they can figure out that they know you. But not only has Facebook failed to produce tools to help you stay in touch with your Facebook friends when you leave Facebook, they've actually devoted substantial engineering to make it harder for you to maintain your relationships if you have the temerity to stop using their service. In other words, Facebook, just like every tech monopolist, does everything it can to raise the switching costs for users who leave for a rival's service.

Now, why did tech companies want high switching costs? Companies need to balance their interests and your interests as their customer or user. Now, sometimes customers and companies, they have the same interest. Like if you make an app and I buy that app from you, neither of us wants that app to crash. We want it to be good. But sometimes those interests diverge, and when they diverge, when what's best for the customer isn't what's best for the company, the company wants to resolve those issues in their favor. But when a company does something that redounds to their benefit and your cost, say, like gouging you on the price or sucking up a bunch of your personal identifying information, they run the risk that you'll be so upset that you will quit the service.
And so that's where switching costs come in. The higher a switching cost is, the more a company gets to abuse you before they lose you as a customer. That is, if the cost of preserving your privacy is less than the cost of losing touch with your Facebook friends, the communities and the customers that you have there, then Facebook gets to abuse your privacy, and they don't have to worry about losing you as a customer. The more you stand to lose by quitting a product or a service, the more value the company behind that product or service can shift from your side of the balance sheet to their side of the balance sheet without losing your business.

Now, fortunately for the internet connected world, general purpose computers connected to general purpose networks, they eat switching costs for breakfast. All the stuff that we talk about at this con, reverse engineering, scraping, encapsulation, compatibility layers, quirks modes, virtualization, they all boil down to the same thing. They're ways to connect something new to something that already exists.
In other words, they're tools for interoperability. Interop is a profound and crucial part of the design of a networked technological society. All other things being equal, interop puts a limit on how badly a company gets to abuse its customers.

So think for a minute about how Apple managed to kick Microsoft's ass at the start of this millennium. The Office programs that Microsoft made for the Mac were really terrible, so much so that workplaces transitioned everyone, even their graphic designers, to Windows, because that was the only way they could share documents with the rest of the team. Every Microsoft Office document that anyone created using Windows made Windows more valuable. That's what we call the network effect. But not using Windows meant that you were cut off from every Microsoft Office user, and that is the switching cost. Apple undid the network effect by annihilating the switching cost. The way they did that was by making a program called the iWork suite, which decomposed into three smaller programs called Pages, Numbers and Keynote, that they made by reverse engineering the Microsoft file formats and making interoperable products. After that, the switching cost fell to basically zero.

Network effects are how companies get big, but high switching costs are why they stay big, and that's why companies do everything they can to raise switching costs. They use a lot of technological countermeasures, the kind of stuff we talk about here: DRM, obfuscation, tamper resistance, boot lockers, all kinds of stuff. But they also use legal countermeasures, and those are a little more insidious. It's the kind of thing EFF spends a lot of time on: laws like section 1201 of the Digital Millennium Copyright Act, that bans bypassing DRM even if you're not doing anything nefarious, or the Computer Fraud and Abuse Act, this Ronald Reagan era cybersecurity law that has been stretched to cover all kinds of legitimate activity, especially the kind of thing that security researchers do, as well as things like
software patents and weird and obscure legal theories like tortious interference with contract and more. All of those countermeasures, the technological ones and the legal ones, that's how big tech stays big, and the higher the switching costs, the more big tech gets to abuse us, because the higher the switching costs, the worse that abuse has to be before it makes sense to switch.

And that brings me to privacy. Remember, the talk is called Privacy Without Monopoly. Companies don't invade your privacy because they're nosy. They spy on you because spying on you makes them more profitable. Google and Facebook, they invade your privacy because it makes their ad targeting service more valuable. It's not why Apple does it. Apple invades Chinese users' privacy, like by backdooring its cloud service and blocking working VPNs from the iOS App Store in China. They do that to preserve its access to Chinese customers and, far more importantly, Chinese manufacturing.

Interoperability lowers switching costs, and that makes it easier to switch away from a company whose products invade your privacy. And that means that companies are less likely to want to invade your privacy in the first place, because they understand that if they do, they might lose you, they might lose your business. But if they go ahead and do it anyway, you get to switch.

And that is something that lawmakers have figured out. We have seen legal interoperability mandates. These are laws or regulations that require companies to interoperate with smaller new market entrants, proposed in the United Kingdom, the US, the European Union and elsewhere all over the world, and these bills and regulations, they propose one or more of three kinds of interoperability.

The first kind is one that you're really familiar with, I'm sure: data portability. That's when a company has to produce a standards-defined blob of your data, a snapshot that you can either use for your own reference or maybe upload to a rival so that you can start there with
everything configured the way you like it and your social graph intact.

The second kind is a little more exotic. It's called back-end interoperability. That's when a company is required by law to expose an API so that third parties can use it to exchange data with dominant platforms.

And the third kind is called delegatability. That's interoperability for the front-end. So it would be a requirement that companies have some kind of standardized way to script their user interfaces, so that you as a user might nominate someone else to autopilot parts of the service on your behalf, maybe to moderate content, or, like, imagine if you wanted to finally turn on location privacy in Google. This is something that's notoriously hard to do. Google engineers who work on location privacy can't figure out where all the checkboxes are that you have to tick off in order to have good location privacy with Google, and if you miss just one, you get no privacy. So maybe Privacy International would just throw some resources at that, figure out what the recipe was for getting you good privacy for your location on Google, and then you could delegate the ability to navigate all of Google's nefarious and baroque settings pages on your behalf to PI, and they'd go ahead and they would give you location privacy.

Now, notwithstanding that last example, interop has a complicated relationship to privacy. On the one hand, interop promises to allow users to reclaim their privacy, you know, by switching from high surveillance services to privacy respecting rivals, whether those are like co-ops or nonprofits or public services or startups. And they get to do so without sacrificing their relationships and the benefits that they used to get from interacting with those big dominant services. And interop therefore puts pressure on the dominant services to be better on privacy, because the low switching costs mean that the choices that put shareholders' interests ahead of users' interests will result in the
immediate loss of users and revenue.

But on the other hand, interoperability could be a privacy nightmare. Like, what if a privacy abusing company, a company that's even worse on privacy than, say, Google or Facebook, wants to plug into one of those services? After all, Google and Facebook, yeah, they invade the hell out of your privacy, but they're playing an iterated game. They're not gonna be so bad that you leave the service straight away. They're trying to keep that in balance. But what if it's a new company that doesn't care about keeping your business? They just want to steal your data.

You know, earlier this summer the House Judiciary Committee held markup hearings on six antitrust bills, including the ACCESS Act, which is one of these interoperability mandates. It's a law that would force big companies to expose their APIs to rivals, and some of the lawmakers there, they asked a good question. They said, like, what if a Chinese state-owned enterprise used one of these APIs and just sucked up a bunch of sensitive data? Or what if it was just a company, a company like Cambridge Analytica, that could get an API key and use the API to just harvest all kinds of data under false pretenses?

Now, those are really excellent questions. Unfortunately, the answers that tech companies give to them are really stupid. Companies like Facebook and Google and Apple, they say that they have already attained the optimum level of interoperability, just the right trade-off between user privacy and user freedom. And they say that they know that they've done this because they have the same interests as their users, and the best way to make sure that no one nefarious ever gets to plug into their system is to give them free rein to block interoperability whenever they think it makes sense to do so.

Now, whenever the fox starts telling us about how good it is at guarding our hen house, we should be suspicious. So like when Facebook tells us that we can trust it not to let Cambridge
Analytica plug into its service and get all of our data, we should be pretty skeptical of that claim, because Facebook already did let Cambridge Analytica plug into its service and get all of our data. Every platform, from Google to Apple to LinkedIn to Microsoft, and yeah, I know that's the same company. One of the things that's happened over the last 40 years, as we've allowed companies to monopolize, is that the web has turned into, like, five giant websites filled with screenshots of text from the other four. And all of those big companies have either intentionally allowed someone to suck up all of our private data because it redounded to their profit, or they screwed up their security so badly that someone was able to do it without their permission. Monopolists can't be trusted to decide who gets to compete with them and how and when, obviously.

But of course interop does come with serious privacy risks, and proposals to fix interop should address this risk, and, you know, they do. But in an ideal world, the way that we'd fix most of this risk is by America adopting a strong federal privacy law, a law that specified when consent needed to be obtained in order to gain access to your information and to process it, and that would describe what consent was, right? Consent can't just be, I've shown you a dialogue box with 30,000 words of, like, garbage legalese that no one is ever going to read, and then an I agree button underneath it. A law like that would clarify some hard problems, like: do you need your friend's permission to export the private messages that they sent you when you quit one service and go to another one?

Now, there is a version of this in the European Union. There's the GDPR, the General Data Protection Regulation. GDPR, it's a mixed bag.
It sometimes gets a bad rap, but even with all of its flaws, it is still a democratically arrived upon set of rules for data processing. If those rules have flaws, there's a democratic process for amending them. And that's a lot better than having no privacy laws at all, the way America does, and it's also a lot better than having whatever privacy rules we have unilaterally set behind closed doors in corporate monopolist boardrooms with no recourse.

Now, a good federal privacy law shouldn't just spell out the rules for obtaining consent. It should also have a private right of action. That's a lawyer's term for when you get to sue to defend your rights, instead of having to get the Federal Trade Commission or your local district attorney or the attorney general or some other authority to take up your cause and spend their blood and treasure to make sure you get justice.

With a federal privacy law that had a private right of action, a lot of the thorniest problems with interop, they just go away. Like whether you get to take your friends' annotations on your photos with you when you export those photos and go to a new service, or, you know, does your address belong to you because you uploaded it to Facebook, or does it belong to Facebook because they added new information to it as you used it? As well as some really, really hard questions, like even if we agree that you should have to get your friends' consent to export the messages they send you to another service.
Does that still apply if the person whose private messages you are trying to export are the messages that your stalker or your harasser sent to you, that you want to hang on to in case you need to get a restraining order? Do they get to tell you that you're not allowed to take those messages with you when you quit a service that wasn't willing to use moderation policies to defend you from that harasser, and go somewhere else?

Now, when governments order companies to interoperate, they don't just need to rely on a federal privacy law. They can go beyond what the law says, and if there is no law, they can create some protections in interoperability mandates. So for example, the first version of the ACCESS Act, which was introduced last year in the Senate, it said that the FTC should create a new kind of company, kind of arm's length special referee that would be in charge of protecting the users of big platforms. And when someone started a new service that wanted to plug into one of the big platforms' APIs, they would evaluate that service and decide whether or not that service was on the up and up. They wouldn't be allowed to compete with that service or with the big dominant platforms. They would have to have no conflicts of interest, and they would decide whether or not your new service would be able to plug into the API, and if so, like, what a fair rate for using the API would be to recover the cost of operating the servers that provide you with a data conduit.

Now, the ACCESS Act got reintroduced this year in the House, not the Senate, and it did away with these third parties, these what you might call a fiduciary, and it replaced them with something else.
It's also pretty good: a set of rules for what kind of company is allowed to connect to the API. Rules like, those companies are not allowed to collect or monetize or share user data, ever.

Now, interoperability mandates have their place. Interoperability mandates are kind of how we got here. Like if you're my age, you'll remember that the golden age of long-distance bulletin board systems came about as a result of an interoperability mandate that forced the phone companies to allow third-party long-distance carriers to connect to them, and that's when suddenly you could connect to BBSs far from your home without having to be a phone phreak and risk doing federal time.

But there is another kind of interop beyond these interop mandates, and that's the kind of interop that Apple used when it reverse engineered Microsoft Office's file formats and made Pages and Numbers and Keynote. It's the kind of interop that people at this kind of con should be pretty familiar with. After all, no one ordered Microsoft to give Apple the spec for its file formats, and Apple didn't ask Microsoft for permission to do so. Microsoft actually did everything it could to obfuscate those file formats. They didn't just not cooperate with Apple, they actively opposed anyone reverse engineering their file formats, and Apple did it anyway.

That interop is called adversarial interoperability, or we at EFF, we call it competitive compatibility, or ComCom. This is really hard to say, adversarial interoperability. So when I say ComCom, think competitive compatibility, which is also adversarial interoperability.
See, you learn something new every day.

So ComCom is in the story of every tech monopoly that was knocked over and every new tech company that rose to greatness. ComCom is that impolite, zero-fucks-given form of interop that doesn't care if the way that I plug my thing into your thing makes your shareholders sad. ComCom is in the story of everything from IBM PC clones to Hayes modem command sets to SMB and Samba networking, to the browser wars and the rise of the web, and of course online music. But there is a new and impenetrable thicket of laws and legal interpretations, cybersecurity laws like the Computer Fraud and Abuse Act, anti-circumvention laws like section 1201 of the DMCA, software patents and more, that have made this once routine practice of ComCom into a legal minefield that today is almost entirely practiced in the shadows.

We need lawmakers and regulators to restore ComCom, and one way they can do that is by reforming existing laws so that they're no longer so broad that they can be used to block interop. Or they could pass a new law, a kind of interoperator's defense, that said, you know, notwithstanding all the other laws, it's not an offense to add features or modify a product or service for a legitimate purpose. It would shield you from liability if you were making replacement parts or fixing something or improving its security or adding lawful features or making it accessible to people with disabilities.

And there's another way we could do it. You know, as the FTC pursues monopolists and enters into settlements with them because they don't want to spend 10 or 15 years in court, one of the conditions of those settlements could be that the companies agreed not to use these laws to shut down interoperators. They could still use copyright law to stop people who were violating their copyright, but not just people who bypassed a TPM.

Now, mandatory interoperability and adversarial interoperability, they're not exclusive. They're not contradictory.
They are extremely complementary. We want mandatory interop because it's orderly. If there's a mandated API for one of the big services, then the way that you make something new that plugs into it is by reading the docs, looking at the reference code and building your app. Now compare that with the messy guerrilla warfare of ComCom. In order to plug into a service, you might have to fuzz its inputs or find a flaw in its IDS or bypass its bootloader, and then every time they patch, you have to do it all over again.

But ComCom is useful here because mandatory interop is so brittle. Companies have a lot of ways to break their mandatory interop without violating the letter of the law. Like, they could pretextually shut down their API over and over again because of suspicious activity, or they could just restructure the internal data model so that the fields that the API can access are no longer useful to a competitor. When a company nerfs its mandatory API, getting that fixed involves a full-blown regulator's investigation. It involves appeals, it involves a judgment, it involves an order and enforcement, and it could take years, during which time those little services that have popped up to give users more freedom might just collapse.

But if ComCom is legally safe, if you're allowed to do ComCom, then the day that a company breaks its API, all those little companies that rely on it can switch to scraping or reverse engineering or other adversarial tactics. In fact, companies are so frightened of the unquantifiable risk that's posed by free-for-all bot wars that in many cases they're just going to resist the temptation to wreck their APIs, because the alternative is worse. But if they go for it anyway, if they're reckless enough to shut down the API and brave the wrath of the regulator, well, then ComCom fills in the gaps while we wait for the FTC to wake up and smack them around a little.

Let me give you a concrete example of how that works and how it fails. Back in 2012
Massachusetts passed a ballot initiative with an overwhelming majority that forced the big three automakers to supply independent mechanics with the data they needed to read diagnostic information off the wired network in cars, what's called the CAN bus. Carmakers had spent years systematically monopolizing independent car service, and they had been doing so by obfuscating those diagnostic and repair messages, and people in Massachusetts had had enough of it. But even before that law came into effect, carmakers started redesigning their cars so that all that useful diagnostic information no longer flowed over the CAN bus. It flowed over new wireless meshes. Those weren't covered by the law. Now, eventually Massachusetts passed a law that overrode those loopholes, that forced automakers to expose the data that was going over those wireless networks, but it took eight years, and during those eight years independent mechanics had a choice. They could either just have cars that they couldn't fix, or they could close their shops and go to work for one of the big automakers.

The mismatch between the time it takes to subvert a mandate and the time it takes to fix it again is why mandates alone are not enough. For mandates to work, they need counterweights, a consequence that befalls companies that subvert them that hurts worse than obeying the mandate in the first place. And that counterweight.
That's ComCom. Imagine, for example, if carmakers who were breaking their diagnostic mandate had to worry about ComCom when they were doing that. Imagine if, when they switched the service messages from the wired network to that exempted wireless network, a couple of smart MIT kids could have just entered the market with, like, a Raspberry Pi based interpreter that cost them a dollar to make, that they could sell to every mechanic in the state for $20, and that would continue to read those wireless messages as they flew around in the car. Anything the car manufacturers did to freeze out those gadgets would mean retooling every authorized service center and dealing with the inevitable upgrade problems. Meanwhile, independent mechanics would have a new business to supply them with diagnostic tools, that MIT kids' startup, and that business could offer other services to them, services that made the manufacturers even less important to independent repair services. ComCom therefore is the stiffener that turns these otherwise structurally unsound mandates into sturdy and pro-competitive solutions.

Now, ComCom, just like every other kind of interop, has plenty of ways that it can be abused for privacy. Today, companies say that they stop ComCom from abusing our privacy by using anti-circumvention, enforceable terms of service and other anti-competitive laws to safeguard their users' privacy. But if we really want to defend user privacy, we need a privacy law. We shouldn't be letting companies improvise this highly selective privacy defense regime from random cybersecurity and copyright laws that have been lying around since the Reagan era. With an actual privacy law, we wouldn't have to rely on companies to tell us what the good ComCom and the bad ComCom was. We could tell what was good and what was bad: good ComCom didn't violate privacy law and bad ComCom did.

Now, we've just undergone a half century of official tolerance for monopoly, but we are at a turning point. The president's latest executive
order says that America's new policy is officially anti-monopoly and sets out 72 directives to the various administrative agencies to make that a reality. There are six antitrust bills going through Congress. There is also state-level antitrust action. There's antitrust action in Canada, the UK and the European Union, with laws like the Digital Markets Act and the Digital Services Act. This is quite a moment that we're having.

But the point of this fight isn't just about competition for its own sake. I mean, every time a company like Apple does something good, like introducing anti-tracking technology, the ad tech industry starts whining that this is anti-competitive, and they're not wrong. Apple does make it harder to compete in the race to see who is best at violating our human rights most cheaply and prolifically. That's not a race we want. We don't want competition to find the best human rights violator. We want to ban human rights violations.

Interoperability and privacy rules together do more than just enhancing competition or choice. They do something nobler indeed. They give us technological self-determination, the right to decide how our technology works, either by changing it ourselves or by finding something we trust to change it for us. So you can stick with a big company if it's got your back, but you can switch away if it doesn't have your back. Because companies do sometimes have their users' backs. If a platform knows that the users aren't cowed by switching costs, they're incentivized to treat those users well.

I'm not here to say that companies will always screw their users. I mean, I know a lot of you people watching this do good, hard work on behalf of those companies to defend dumb-dumbs like me. I'm not a hacker. But no one is ever going to pay you to defend me from your boss, especially not your boss. Interoperability and privacy law.
They're how we make it so that you don't have to.

Now, that's the end of the talk, and if you want more detail, I urge you to read the paper once again. It's called Privacy Without Monopoly, and you can read it. You can see the URL down there, EFF.org slash DC29. I'd like to thank again my colleague Bennett Cyphers, who did all the heavy lifting on this paper. I hope you will give the paper a read. I'm really looking forward to seeing you next year for DEF CON 30 in person, assuming we haven't all been killed by, like, the Zeta variant by then. Please get vaccinated, wear your mask. We will get through this, fellas, and folks, and gosh, fellas, that was a terrible way to end a talk that I managed to pull off without any gaffes all the way through. We will get through this, folks. Please do what you can to keep us all healthy, and thank you for the hard work you're doing and for your attention. I really hope you enjoy the rest of DEF CON. Thank you very much.