Research Programs
More
What are you looking for?
Showing Latest Publications
TL;DR Data is one of the pillars of the modern digital economy, but its value is contingent on its ability to flow around the globe in real time, permitting individuals and firms to develop new and novel insights and to operate at higher levels of efficiency and safety.
Data is one of the pillars of the modern digital economy, but its value is contingent on its ability to flow around the globe in real time, permitting individuals and firms to develop new and novel insights and to operate at higher levels of efficiency and safety.
Those data flows increasingly run into barriers when they seek to cross national borders. These often take the form of “data-localization” requirements to locate, store, and/or process data within national boundaries.
Data-localization policies are often framed as necessary to protect critical digital infrastructure and national-security interests, but they serve instead as trade barriers that hurt consumers more than they help. An examination of the impact on the financial services industry helps to illustrate the problem.
Read the full explainer here.
TOTM There has been a rapid proliferation of proposals in recent years to closely regulate competition among large digital platforms. The European Union’s Digital Markets Act (DMA, which . . .
There has been a rapid proliferation of proposals in recent years to closely regulate competition among large digital platforms. The European Union’s Digital Markets Act (DMA, which will become effective in 2023) imposes a variety of data-use, interoperability, and non-self-preferencing obligations on digital “gatekeeper” firms. A host of other regulatory schemes are being considered in Australia, France, Germany, and Japan, among other countries (for example, see here). The United Kingdom has established a Digital Markets Unit “to operationalise the future pro-competition regime for digital markets.” Recently introduced U.S. Senate and House Bills—although touted as “antitrust reform” legislation—effectively amount to “regulation in disguise” of disfavored business activities by very large companies, including the major digital platforms (see here and here).
Read the full piece here.
Scholarship Abstract The current debate about antitrust divestitures has focused on how combining business units under the same corporate umbrella can allow digital platforms to favor . . .
The current debate about antitrust divestitures has focused on how combining business units under the same corporate umbrella can allow digital platforms to favor their own services over those provided by third parties. To the extent that these debates have framed the issues in economic terms, they have overlooked the enduring importance of Conway’s Law and the Mirroring Hypothesis, which assert that a firm’s organizational structure must reflect the underlying technology of its products. These principles suggest that enforcement officials should not mandate the structural separation of an existing firm without taking into account the task interdependencies that determine the natural modular structure of a platform industry. Proper analysis of any proposed divestiture will also require antitrust law to shed the reluctance to engage in detailed balancing of technical considerations reflected in its technological tying precedents.
Read at SSRN.
TOTM Why do digital industries routinely lead to one company having a very large share of the market (at least if one defines markets narrowly)? To . . .
Why do digital industries routinely lead to one company having a very large share of the market (at least if one defines markets narrowly)? To anyone familiar with competition policy discussions, the answer might seem obvious: network effects, scale-related economies, and other barriers to entry lead to winner-take-all dynamics in platform industries. Accordingly, it is that believed the first platform to successfully unlock a given online market enjoys a determining first-mover advantage.
TOTM The Federal Trade Commission (FTC) has taken another step away from case-specific evaluation of proposed mergers and toward an ex ante regulatory approach in its . . .
The Federal Trade Commission (FTC) has taken another step away from case-specific evaluation of proposed mergers and toward an ex ante regulatory approach in its Oct. 25 “Statement of the Commission on Use of Prior Approval Provisions in Merger Orders.” Though not unexpected, this unfortunate initiative once again manifests the current FTC leadership’s disdain for long-accepted economically sound antitrust-enforcement principles.
TOTM The leading contribution to sound competition policy made by former Assistant U.S. Attorney General Makan Delrahim was his enunciation of the “New Madison Approach” to . . .
The leading contribution to sound competition policy made by former Assistant U.S. Attorney General Makan Delrahim was his enunciation of the “New Madison Approach” to patent-antitrust enforcement—and, in particular, to the antitrust treatment of standard essential patent licensing (see, for example, here, here, and here). In short (citations omitted)…
TL;DR Legal history offers examples of areas where attempting to apply liability directly to bad actors is likely to be ineffective, but where certain related parties might be able to either control the bad actors or mitigate the damage they cause.
Legal history offers examples of areas where attempting to apply liability directly to bad actors is likely to be ineffective, but where certain related parties might be able to either control the bad actors or mitigate the damage they cause. In such cases, the common law has long embraced indirect or vicarious liability, holding one party liable for wrongs committed by another. The purpose of this kind of indirect liability is to align incentives where they can be most useful by placing responsibility on the least-cost avoider.
The immunity from liability granted to online platforms by Section 230 of the Communications Decency Act is a departure from normal rules governing intermediary behavior. It is impossible to know exactly how a robust common law of online intermediary liability would have developed in a world where Section 230 immunity never existed.
Lessons can be drawn from how the offline world has dealt with third-party liability, especially when an intermediary operates under a duty of care. The common law offers several examples of duties that business owners owe to their customers or, sometimes, to the outside world. Central among these is the legal obligation to take reasonable steps to curb harm from the use of a business’ goods and services. If the business has created a situation or environment that puts people at risk, it has an obligation to mitigate that risk. It also can have obligations to prevent risk of harm to customers or others with whom it has entered into a relationship, even if the business did not directly create the risk.
TL;DR The Communications Decency Act of 1996’s Section 230 holds that the law will not treat online service providers as speakers or publishers of third-party content, and that actions the providers take to moderate content hosted by their services will not trigger liability.
The Communications Decency Act of 1996’s Section 230 holds that the law will not treat online service providers as speakers or publishers of third-party content, and that actions the providers take to moderate content hosted by their services will not trigger liability. A quarter-century later, a growing number of lawmakers seek reforms to Section 230. In the 116th Congress alone, 26 bills were introduced to modify the law’s scope or to repeal it altogether.
While the current debate popularly centers on whether platforms should be forced to host certain content or when they should be forced to remove other content, such reforms are virtually certain to harm, not improve, social welfare: As frustrating as imperfect content moderation may be, state-directed speech codes are much worse.
The real gains to social welfare will materialize from reforms that better align the incentives of online platforms with the social goal of deterring or mitigating illegal or tortious conduct. To the extent that the current legal regime permits social harms online that exceed concomitant benefits, it should be reformed to deter those harms if such reform can be accomplished at sufficiently low cost.
Regulatory Comments Intro and summary As one of his final acts in office, former President Donald Trump signed Executive Order 13984 (the EO), “Taking Additional Steps To . . .
As one of his final acts in office, former President Donald Trump signed Executive Order 13984 (the EO), “Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber- Enabled Activities.” The EO directed the Secretary of Commerce to “propose for notice and comment regulations that require United States IaaS providers to verify the identity of a foreign person that obtains an Account.”
In its related advanced notice of proposed rulemaking (ANPRM), the U.S. Commerce Department notes that:
…foreign persons obtain or offer for resale IaaS accounts (Accounts) with U.S. IaaS providers, and then use these Accounts to conduct malicious cyber-enabled activities against U.S. interests. Malicious actors then destroy evidence of their prior activities and transition to other services. This pattern makes it extremely difficult to track and obtain information on foreign malicious cyber actors and their activities in a timely manner, especially if U.S. IaaS providers do not maintain updated information and records of their customers or the lessees and sub-lessees of those customers.
…foreign persons obtain or offer for resale IaaS accounts (Accounts) with U.S. IaaS providers, and then use these Accounts to conduct malicious cyber-enabled activities against U.S. interests. Malicious actors then destroy evidence of their prior activities and transition to other services.
This pattern makes it extremely difficult to track and obtain information on foreign malicious cyber actors and their activities in a timely manner, especially if U.S. IaaS providers do not maintain updated information and records of their customers or the lessees and sub-lessees of those customers.
The rule of law is frustrated when courts and law enforcement are unable to locate those who commit illegal acts. Other legal frictions may arise when the law fails to deter illegal behavior or to offer incentives for firms to adopt socially optimal business practices. These concerns are particularly acute online, because the Internet hosts a large volume of activity from anonymous or otherwise difficult-to-locate users.
The Internet’s ability to facilitate anonymous or pseudonymous communications, of course, also continues a long tradition of anonymous speech being protected under U.S. constitutional law. The ANPRM acknowledged this tension when it asks “[c]an the Department implement the requirement to verify a foreign person’s identity… while minimizing the impact on U.S. persons’ opening or using such Accounts, or will the application of the requirements to foreign persons in practice necessitate the application of that requirement across all customers?” But anonymity is just one value among many that must be weighed when crafting regulatory policy—particularly with respect to enforcing criminal law and upholding national security. Thus, even if the EO has some effect on U.S. business customers, that alone ought not foreclose implementation of effective identity-verification requirements.
Further, it is important to consider how the incentives service providers face align with optimal social policy. In particular, Information as a Service (IaaS) providers may not adequately internalize the social costs that stem from their making anonymous or pseudonymous accounts available to the public. Public policy may be necessary to correct such misalignment. While the EO focuses narrowly on the use of IaaS by foreign actors, there are broader problems associated with the anonymous use of Internet-connected services. As such, the Administration, the U.S. Commerce Department, and Congress should consider broader “know your business customer” (KYBC) requirements.
But while IaaS providers’ potential misalignment of incentives is a proper subject for regulatory and legislative action, policy should be carefully calibrated to encourage compliance with broader criminal and national-security goals, while still permitting the vibrant IaaS industry to continue to thrive. The law must shape incentives such that responsibility to deal with illicit activity is placed where it is appropriate. Overly broad regulatory requirements can become burdensome, accrue more costs than benefits, and ultimately chill entry of new firms.
Thus, as described in more detail below, the EO is correct to require basic identity verification by IaaS providers, subject to some caveats. The goal of these regulations should be to collect the optimal amount of information about bad actors with the least interference in the operations of firms subject to the requirements. Thus, the Department must weigh how much benefit it realistically expects to obtain from any given level of compliance. Notably, the overwhelming number of IaaS accounts will be law-abiding users. The process is thus largely about identifying outliers, and regulatory intervention must be tempered in recognition that IaaS firms are constrained in the degree to which they can assist in furthering legitimate law-enforcement ends.
The requirements ought to be designed to obtain the optimal level of information that law enforcement and courts would need in most, but not all, cases. A minimal set of initial verification requirements, paired with an ongoing obligation to re-verify user identities, ought to resolve most problems associated with anonymous users.
Moreover, it would be highly inadvisable to prescribe specific technological measures that providers must use. Providers should be free to implement what they consider to be appropriate identity-verification systems, so long as those systems elicit the needed information. Relatedly, IaaS providers are bound by the requirements of laws like the EU’s General Data Protection Regulation (GDPR) and therefore need the flexibility to design their systems to comply both with the Department’s final rules as well as various privacy regimes to which they are subject.
Read the full comments here.
