Lawmakers, Experts Sound Alarm on Security Risks the American Innovation and Choice Online Act Would Create

Washington, D.C. (01/28/2022) – A bipartisan group of Senate Judiciary Committee members and experts have highlighted how the American Innovation and Choice Online Act (S. 2992) would foster significant cyber and national security risks and jeopardize consumers’ data security and privacy.

Issues around security were just one of the many problems that senators raised with the bill during a Senate Judiciary Committee hearing earlier this month. 

“I think we’ve all learned that unvetted access to data, hardware and services raises cybersecurity concerns. Not every potential user that does want to interoperate with a platform will have the level of cybersecurity that Americans deserve. The FBI, NSA, and CISA at the Department of Homeland Security have issued a joint threat alert warning that Chinese state-sponsored cyber actors target the United States repeatedly – I think that’s common knowledge. This bill would make those targets more vulnerable,” said Senator John Cornyn (R-TX).

“We’re requiring companies to take down protections that are in place today and instead allow hackers and those looking to steal personal data to access the devices. I’m told that Federal agencies have concerns about this, but this committee has not had the benefit of their input,” said Senator Dianne Feinstein (D-CA).

“I have concerns with provisions in the bill that could require data sharing between American companies and bad actors under the control of the Chinese Communist Party,” said Senator Tom Cotton (R-AR).

“The bill makes it too difficult for online platforms to adequately protect consumers’ privacy. The bill creates a bar far too high for platforms to protect privacy without worrying about being penalized,” said Senator Pat Leahy (D-VT).

Concerningly, experts agree.

“Instead of cracking down on privacy and security abuses, S. 2992 would force app stores to allow fraudsters, copyright thieves, and malware to be fixtures in the marketplace. The bill doesn’t stop there, however, as it would also require platforms to allow any app—including malicious apps intended to cause harm—unfettered access to consumers’ personal information…

“If platforms cannot remove bad actors without fear this action could lead to antitrust violations, app stores take on a fundamentally different character, where the consumer is left to their own privacy and security protection skills. Small companies receive the short end of this particular stick, as the prohibitions would force them to cede hard-won success to larger brands that can convince people through name recognition and Super Bowl ads that they have overcome the costs and challenges of a threat-ridden marketplace,” according to Morgan Reed of The App Association.

“The first thing we got to make sure is that we don’t handcuff our businesses. And I know there is some legislation pending that says things like ‘software companies have to always open up their interfaces’. What that means is that the Chinese can always get the data. Or that you can’t make an acquisition. We have to be careful,” said the Hon. Keith J. Krach, Chairman of the Center for Tech Diplomacy, Purdue.

“This bill would punish companies with a business model that focuses on security. From a policy perspective, we should encourage—not discourage—more companies to include more stringent security for all products, especially software that is sold at scale to millions of users. Forced interoperability, narrow requirements and obstacles for security updates through requirements for affirmative defense, as well as patchy security exclusions, create a recipe for weaker cybersecurity and should be reconsidered, amended or removed before any further movement on this legislation,” per Tatyana Bolton and Brandon Pugh of the R Street Institute.

“Increased risks for user data privacy and security. The designated covered platforms cannot ‘materially restrict or impede a business user from accessing data generated on the covered platform,’ and would not be able to impose strict terms and conditions on small businesses that use the platform. Given that large platforms operate sophisticated cybersecurity programs and offer substantial data privacy protections, mandating smaller companies with fewer protections to be given access to consumer data would mean that consumer data would be at increased risk for privacy and security breaches,” said Krisztina Pusok from the American Consumer Institute.

“This bill is about more than a few U.S. tech companies being brought down a peg; it’s about us voluntarily ceding critical technological and economic advantage to countries like China at a time when leading in key technologies and tech markets is critical for our nation’s long-term thriving,” said American Enterprise Institute’s Klon Kitchen and NSI’s Jamil Jaffer.

More about the impact S. 2992 would have on data security and national security is available here and here.

The Don’t Break What Works campaign is powered by the Computer and Communications Industry Association (CCIA).