TL;DR

The Hidden Costs of Forced Interoperability

Background: State legislatures are increasingly targeting digital “stickiness” with mandates for data portability and technical interoperability. Supporters argue these rules reduce switching costs by letting users move their digital lives between services. Utah enacted such a law in 2025. Other states—including Virginia, through SB 85—are considering measures that would require platforms to maintain continuous, third-party-accessible interfaces for real-time data sharing.

But… These mandates rest on a flawed premise: that data is a modular asset that can be extracted without affecting the service that generates it. In practice, requiring “continuous” and “real-time” access through open protocols turns secure, closed systems into permanent “live wires” for third-party extraction. This design also creates a privacy externality. When one user ports a social graph, they export the private interactions and metadata of their entire network—including people who never consented to third-party transfers.

Moreover… Mandatory interoperability can undermine the consumer-protection goals it claims to advance. If platforms must interoperate with any third-party service that meets a vague technical threshold, they lose the ability to screen for bad actors or insecure operators. The result is a regulatory loophole. Once data moves, it may fall under the recipient’s potentially nonexistent privacy protections—bypassing the safeguards users expect from established platforms.

KEY TAKEAWAYS

The Social Graph Privacy Problem

Social data is relational, not purely individual. Many proposals define “social graph data” broadly to include connections, mentions, and “responses to the content of other users.” As Mikolaj Barczentewicz notes, this conflicts with existing privacy frameworks.

If Person A moves their data to an insecure startup, the private messages, shared photos, and threaded comments of Person B—who remains on the original platform—may be exported without Person B’s knowledge or consent.

This “multi-party data” problem strips nonconsenting users of meaningful control over their digital footprint. By treating shared interactions as the property of a single porting user, these bills ignore the privacy externalities inherent in networked platforms. The result risks turning data portability into a mechanism for large-scale, unauthorized data harvesting.

Security Risks and Technical Limits

Mandating “continuous, real-time” data sharing through open APIs would sharply expand cybersecurity risks. Moving from occasional downloads to always-on access points creates a much larger attack surface. Many proposals also include “non-discrimination” or “equal access” provisions that could prevent platforms from vetting third-party recipients.

A breach at a single poorly secured recipient could expose the data of millions of users on the original platform.

These mandates also strain platform-specific content-moderation systems. Moderation tools rely on signals and norms unique to each service. Forcing data and content across platforms pushes those systems into environments they were not designed to govern.

The result is an enforcement gap. Authorities have limited ability to monitor misuse of open interfaces in real time, particularly when bad actors operate outside the United States. Receiving platforms may also lack the capacity—or the incentive—to moderate imported content. A weakly secured or malicious recipient could exploit mandated access points to extract data or spread harmful content at scale.

Applying these mandates to AI systems introduces additional problems. Modern large language models (LLMs) use different architectures, and no standard format exists for transferring contextual data or model-generated inferences among them. An output from one model may be unusable to another.

Mandating such transfers would not meaningfully improve portability. Instead, it risks exposing proprietary information—including trade secrets and model-weighting structures—effectively forcing firms to disclose core intellectual property in the name of “user choice.”

Constitutional Limits

State interoperability mandates raise serious constitutional and federalism concerns. Requiring a global digital platform to redesign its architecture to satisfy a single state’s rules may violate the Dormant Commerce Clause. Because digital services operate nationally and internationally, a state-level mandate could effectively impose a national design standard.

As Geoffrey Manne notes, forced infrastructure sharing is an extraordinary remedy traditionally reserved for “essential facilities” or natural monopolies. Modern social-media and AI platforms do not meet that standard under antitrust law. Requiring firms to open proprietary servers to third parties may also raise Fifth Amendment concerns as an uncompensated taking and implicate First Amendment editorial discretion.

The analogy often invoked to justify these mandates—telephone-number portability—fails. Telephone numbers are standardized identifiers within a single regulated network. Social-media platforms are heterogeneous services built around distinct norms, interaction models, and expressive environments.

A pseudonymous discussion thread on Reddit serves a different function from a professional profile on LinkedIn or an ephemeral story on Instagram. Users maintain separate identities across these services because the platforms are intentionally differentiated products serving distinct communicative purposes.

Treating them as interchangeable commodities subject to common-carrier-style mandates imposes a legal fiction of functional equivalence. In practice, it would force platforms to restructure both their technical architecture and editorial environments—raising core First Amendment concerns about compelled speech and association.

The Burden of Proof

These mandates prioritize protecting nascent competitors over protecting consumers. By elevating “openness” above architectural integrity, lawmakers risk weakening the secure, moderated environments users rely on.

Forced interoperability at scale remains an untested, high-risk experiment. It could expose users to systemic privacy and security harms while delivering only speculative economic benefits. The more likely result is a race to the bottom in privacy and security standards.

States considering Utah’s approach should note an important signal: Utah amended the law before it even took effect. Genuine user empowerment requires identifying a real problem, not imposing technical mandates that trade measurable harms for uncertain gains.

The burden of proof rests with the mandates’ proponents. So far, that burden remains unmet.

For more on this issue, see “ICLE Comments to the Virginia Senate on SB 85” and Mikolaj Barczentewicz’s blog post at Truth on the Market, “Privacy and Security Risks of Interoperability and Sideloading Mandates.”