Dear Sophie: Can I do anything to speed up the EAD renewal process?

Here’s another edition of “Dear Sophie,” the advice column that answers immigration-related questions about working at technology companies.

“Your questions are vital to the spread of knowledge that allows people all over the world to rise above borders and pursue their dreams,” says Sophie Alcorn, a Silicon Valley immigration attorney. “Whether you’re in people ops, a founder or seeking a job in Silicon Valley, I would love to answer your questions in my next column.”

TechCrunch+ members receive access to weekly “Dear Sophie” columns; use promo code ALCORN to purchase a one- or two-year subscription for 50% off.

Dear Sophie,

I’m on an L-2 visa as a dependent spouse to my husband’s L-1A.

My EAD (work permit) is expiring in May — we filed for the extension of both my visa and EAD a few months ago. How long is the current process?

Might there be anything I can do so my employment isn’t affected?

— Career Centered

Dear Centered,

I’ve got fantastic news for you and other L-1 spouses — and your employers! As long as your visa remains valid, you are no longer at risk of having your employment interrupted due to delays in getting your Employment Authorization Document (EAD).

Thanks to a policy change by U.S. Citizenship and Immigration Services (USCIS), getting work authorization is now easier for L-2 spouses of L-1 visa holders as well as a few other categories. As Elon Musk said this week, for anybody who wants to work hard in the U.S., immigration should be a “no-brainer.”

Soaring processing times

During the past two years, processing times for EADs soared due to a combination of backlogs prompted by the pandemic, funding issues and paper-based USCIS processing procedures.

Depending on which USCIS service center processed the EAD renewal application (Form I-765), timing ranged from about 90 days to more than a year. Interesting to note, it can take anywhere from 7.5 to 14.5 months to process EADs at the California Service Center. At the Texas Service Center, it can take two to 13 months.

A composite image of immigration law attorney Sophie Alcorn in front of a background with a TechCrunch logo.

Image Credits: Joanna Buniak / Sophie Alcorn (opens in a new window)

Lawsuit prompts big policy changes

Last September, a group of spouse-dependent visa holders filed a class-action lawsuit against the Secretary of Homeland Security, who oversees USCIS. The suit was filed on behalf of dependent spouses of H-1B and L-1 visa holders, many of whom had been forced to stop working when USCIS failed to approve and send out new EADs before the current ones expired due to substantial processing delays.

The situation was compounded by the fact that EAD renewals can’t be filed more than six months in advance of their expiration date.

Starting up remotely? Keep these labor laws and tax guidelines in mind

When it comes to remote employment, employees and employers both face a plethora of benefits and pitfalls. While the cultural pros and cons have been covered, considerations from a setup and maintenance standpoint largely haven’t been addressed. There are important legal and tax implications to keep in mind when it comes to a remote workforce.

Virtual teams existed well before COVID-19, but over the last two years, employees turned not being able to go into an office into a benefit by moving out of their employer’s state. For startups, hiring out-of-state employees became common, as remote-first businesses were created from scratch and talent was vastly more critical than location.

Should your startup start or go remote, keep the following in mind.

Tax implications

Remote workforces have tax implications for their companies. Specifically, there is a state payroll withholding tax. This is generally required for the state where an employee works or provides services, regardless of an employer’s location. This means your startup may need to register and withhold income taxes in several states.

These are complicated issues, and often, the best approach is to engage an expert early.

Here are the questions we ask clients:

  1. What are your sales and revenue by state?
  2. Where are your employees located?
  3. Where is your office located, as well as any other property?

Dollar amounts and property locations matter because each state has a different threshold when it comes to defining whether a nexus (more on that in a moment) has been established or not.

This isn’t something you can ignore. States do pay attention. When you register with a government agency, the state receives your tax ID number and other identifying information. This means you’ve got a presence in that state, and your business will be monitored and pursued for any resulting tax liabilities.

For example, one of our clients was stalled during an acquisition last year because they were discovered to be out of compliance with their remote workforce. So, it’s critical to register in each state where you have employees.

Considering the “nexus”

Founders should be honest about their failures according to Forage CEO

Welcome back to Found, the weekly TechCrunch podcast where we get the stories behind the startups.

This week Darrell and Jordan talked with Justin Intal from Forage on Found Live. He talks about how profound struggles in her personal life motivated him to create a way for online grocers to accept EBT and SNAP benefits. He also talked about the importance of vulnerability and transparency as a CEO. Each failure is learning, so he is not about hiding his past failed companies or ideas — in fact, he has them written out on his Linkedin.

Take our listener survey and let us know a bit about yourself and what you think of FOUND.

Connect with us:

Report spotlights vast scale of adtech’s ‘biggest data breach’

New data about the real-time-bidding (RTB) system’s use of web users’ info for tracking and ad targeting, released today by the Irish Council for Civil Liberties (ICCL), suggests Google and other key players in the high velocity, surveillance-based ad auction system are processing and passing people’s data billions of times per day.

“RTB is the biggest data breach ever recorded,” argues the ICCL. “It tracks and shares what people view online and their real-world location 294 billion times in the U.S. and 197 billion times in Europe every day.”

The ICCL’s report, which is based on industry figures that the rights organization says it obtained from a confidential source, offers an estimate of RTB per person per day across US states and European countries which suggests that web users in Colorado and the UK are among the most exposed by the system — with 987 and 462 RTB broadcasts apiece per person per day.

But even online individuals living in bottom of the chart, District of Columbia or Romania, have their information exposed by RTB an estimated 486 times per day or 149 times per day respectively, per the report.

The ICCL calculates that people living in the U.S. have their online activity and real-world location exposed 57% more often than people in Europe — likely as a result of differences in privacy regulation across the two regions.

Collectively, the ICCL estimates that U.S. Internet users’ online behaviour and locations are tracked and shared 107 trillion times a year, while Europeans’ data is exposed 71 trillion times a year.

“On average, a person in the U.S. has their online activity and location exposed 747 times every day by the RTB industry. In Europe, RTB exposes people’s data 376 times a day,” it also writes, adding: “Europeans and U.S. Internet users’ private data is sent to firms across the globe, including to Russia and China, without any means of controlling what is then done with the data.”

The report’s figures are likely a conservative estimate of the full extent of RTB since the ICCL includes the caveat that: “[T]he figures presented for RTB broadcasts as a low estimate. The industry figures on which we rely do not include Facebook or Amazon RTB broadcasts.”

Per the report, Google, the biggest player in the RTB system, allows 4,698 companies to receive RTB data about people in the U.S., while Microsoft — which ramped up its involvement in RTB in December last year when it bought adtech firm Xandr from AT&T — says it may send data to 1,647 companies.

That too is likely just the tip of the iceberg since RTB data is broadcast across the Internet — meaning it’s ripe for interception and exploitation by non-officially listed RTB ‘partners’, such as data brokers whose businesses involve people farming by compiling dossiers of data to reidentify and profile individual web users for profit, using info like device IDs, device fingerprinting, location etc to link web activity to a named individual, for example.

Privacy and security concerns have been raised about RTB for years — especially in Europe where there are laws in place that are supposed to prevent such a systematic abuse of people’s information. But awareness of the issue has been rising in the US too, following a number of location-tracking and data-sharing scandals.

The leaked Supreme Court opinion earlier this month which suggested the US’ highest court is preparing to overturn Roe v Wade — removing the constitutional protection for abortion — has further dialled up concern and sent shock waves through the country, with some commentators immediately urging women to delete their period tracking apps and pay close attention to their digital security and privacy hygiene.

The concern is ad tracking could expose personal data that can be used to identify women and people who are pregnant and/or seeking abortion services.

Many US states have already heavily restricted access to abortion. But if the Supreme Court overturns Roe v Wade a number of states are expected to ban abortion entirely — which means people who can get pregnant will be at increased risk from online surveillance as any online searches for abortion services or location tracking or other types of data mining of their digital activity could be used to built a case against them for obtaining or seeking to obtain an illegal abortion.

Highly sensitive personal data on web users is, meanwhile, routinely sucked up and shared for ad targeting purposes, as previous ICCL reports have detailed in hair-raising detail. The data broker industry also collects information on individuals to trade and sell — and in the US, especially, people’s location data appears all too easy to obtain.

Last year, for example, a top Catholic priest in the US was reported to have resigned after allegations were made about his sexuality based on a claim that data on his phone had been obtained which indicated use of the location-based gay hook-up app, Grindr.

A lack of online privacy could also negatively impinge on women’s health issues — making it easier to gather information to criminalize pregnant people who seek an abortion in a post-Roe world.

There is no way to restrict the use of RTB data after it is broadcast,” emphasizes the ICCL in the report. “Data brokers used it to profile Black Lives Matter protestors. The US Department of Homeland Security and other agencies used it for warrant-less phone tracking. It was implicated in the outing of a gay Catholic priest through his use of Grindr. ICCL uncovered the sale of RTB data revealing likely survivors of sexual abuse.”

The report raises especially cutting question for European regulators since, unlike the US, the region has a comprehensive data protection framework. The General Data Protection Regulation (GDPR) has been in force across the EU since May 2018 and regulators should have been enforcing these privacy rights against out-of-control adtech for years.

Instead, there has been a collective reluctance to do so — likely as a result of how extensively and pervasively individual tracking and profiling tech has been embedded into web infrastructure, coupled with loud claims by the adtech industry that the free web cannot survive if Internet users’ privacy is respected. (Such claims ignore the existence of alternative forms of ad targeting, such as contextual, which do not require tracking and profiling of individual web users’ activity to function and which have been shown to be profitable for years, such as for non-tracking search engine, DuckDuckGo.)

An investigation opened by the Irish Data Protection Commission (DPC) into Google’s adtech three years ago (May 2019), following a number of RTB complaints, is — ostensibly — ongoing. But no decision has been issued.

The UK’s ICO also repeatedly fumbled enforcement action against RTB following complaints filed back in 2018, despite voicing a view publicly since 2019 that the behavioral ad industry is wildly out of control. And in a parting shot last fall, the outgoing information commissioner, Elizabeth Denham, urged the industry to undertake meaningful privacy reforms.

Since then, a flagship adtech industry mechanism for gathering web users’ consent to ad tracking — the IAB Europe’s self-styled Transparency and Consent Framework (TCF) — has itself been found in breach of the GDPR by Belgian’s data protection authority.

Its February 2022 decision, also found the IAB itself at fault, giving the industry body two months to submit a reform plan and six months to implement it. (NB: Google and the IAB are the two bodies that set standards for RTB.)

That consent issue is one (solid) complaint against RTB under Europe’s GDPR. However the ICCL’s concern has been focused on security — as it argues that high velocity, massive scale trading of people’s data to place ads by broadcasting it over the Internet to thousands of ‘partners’ (but also with the clear risk of interception and appropriation by scores of unknown others) is inherently insecure. And, regardless of the consent issues, the GDPR requires people’s information is adequately protected — hence its framing of RTB as the “biggest ever data breach”.

In March, the ICCL announced it intended to sue the DPC — accusing the regulator of years of inaction over RTB complaints (some of which were lodged the same year the GDPR came into application). That litigation is still pending.

It has also approached the EU ombudsperson to complaint that the European Commission is failing to properly monitor application of the regulation — which led to the former opening an enquiry to look at the Commission’s claims to the contrary earlier this year.

A requested deadline for the EU’s executive to submit information to the ombudsperson passed yesterday without a submission, per the ICCL, with the Commission reportedly asking for 10 more days to provide the requested data — which suggests the four-year anniversary of the GDPR coming into force (May 25, 2018) will pass by in the meanwhile (perhaps a little more quietly than it might have done if the ombudsperson had been in a position to issue a verdict)…

“As we approach the four year anniversary of the GDPR we release data on the biggest data breach of all time. And it is an indictment of the European Commission, and in particular commissioner [Didier] Reynders, that this data breach is repeated every day,” Johnny Ryan, senior fellow at the ICCL, told TechCrunch.

“It is time that the Commission does its job and compels Ireland to apply the GDPR correctly,” he added.

We also contacted Google, Microsoft, the DPC and the European Commission with questions about the ICCL’s report but at the time of writing none had not responded.

Ryan told us the ICCL is also writing to US lawmakers to highlight the scale of the “privacy crisis in online advertising” — and specifically pressing the Senate Subcommittee on Competition Policy, Antitrust and Consumer Rights to ensure adequate enforcement resources are provided to the FTC — so it can take urgent action “against this enormous breach”.

In the letter, which we’ve reviewed, the ICCL points out that private data on US citizens is sent to firms across the globe, including to Russia and China — “without any means of controlling what is then done with the data”.

War in Europe certainly adds a further dimension to this surveillance adtech story.

Russia’s invasion of Ukraine earlier this year has fuelled added concern about adtech’s mass surveillance of web users — i.e. if citizens’ data is finding its way back, via online tracking, to hostile third countries like Russia and its ally China.

Back in March, the Financial Times reported that scores of apps contain SDK technology made by the Russian search giant Yandex — which was accused of sending user data back to servers in Russia where it might be accessible to the Russian government. 

In Europe, the GDPR requires that exports of personal data out of the bloc are protected to the same standard as citizens’ information should be wrapped with when it’s being processed or stored in Europe.

A landmark EU ruling in July 2020 saw the bloc’s top court strike down a flagship EU-US data transfer agreement over security concerns attached to US government mass surveillance programs — creating ongoing legal uncertainty around international data flows to risky third countries as the court underscored the need for EU regulators to proactively monitor data exports and step in to suspend any data flows to jurisdictions that lack adequate data protection.

Many of the key players in adtech are US-based — raising questions about the legality of any processing of Europeans’ data by the sector that’s taking place over the pond too, given the high standard that EU law requires for data to be legally exported.

Europe’s CSAM scanning plan unpicked

The European Union has formally presented its proposal to move from a situation in which some tech platforms voluntarily scan for child sexual abuse material (CSAM) to something more systematic — publishing draft legislation that will create a framework which could obligate digital services to use automated technologies to detect and report existing or new CSAM, and also identify and report grooming activity targeting kids on their platforms.

The EU proposal — for “a regulation laying down rules to prevent and combat child sexual abuse” (PDF) — is intended to replace a temporary and limited derogation from the bloc’s ePrivacy rules, which was adopted last year in order to enable messaging platforms to continue long-standing CSAM scanning activity which some undertake voluntarily.

However that was only ever a stop-gap measure. EU lawmakers say they need a permanent solution to tackle the explosion of CSAM and the abuse the material is linked to — noting how reports of child sexual abuse online rising from 1M+ back in 2014 to 21.7M reports in 2020 when 65M+ CSAM images and videos were also discovered — and also pointing to an increase in online grooming seen since the pandemic.

The Commission also cites a claim that 60%+ of sexual abuse material globally is hosted in the EU as further underpinning its impetus to act.

Some EU Member States are already adopting their own proposals for platforms to tackle CSAM at a national level so there’s also a risk of fragmentation of the rules applying to the bloc’s Single Market. The aim for the regulation is therefore to avoid that risk by creating a harmonized pan-EU approach.  

EU law contains a prohibition on placing a general monitoring obligations on platforms because of the risk of interfering with fundamental rights like privacy — but the Commission’s proposal aims to circumvent that hard limit by setting out what the regulation’s preamble describes as “targeted measures that are proportionate to the risk of misuse of a given service for online child sexual abuse and are subject to robust conditions and safeguards”.

What exactly is the bloc proposing? In essence, the Commission’s proposal seeks to normalize CSAM mitigation by making services elect to put addressing this risk on the same operational footing as tackling spam or malware — creating a targeted framework of supervised risk assessments combined with a permanent legal basis that authorizes (and may require) detection technologies to be implemented, while also baking in safeguards over how and indeed whether detection must be done, including time limits and multiple layers of oversight.

The regulation itself does not prescribe which technologies may or may not be used for detecting CSAM or ‘grooming’ (aka, online behavior that’s intended to solicit children for sexual abuse).

“We propose to make it mandatory for all providers of service and hosting to make a risk assessment: If there’s a risk that my service, my hosting will be used or abused for sharing CSAM. They have to do the risk assessment,” said home affairs commissioner Ylva Johansson, explaining how the Commission intends the regulation to function at a press briefing to announce the proposal today. “They have also to present what kind of mitigating measures they are taking — for example if children have access to this service or not.

“They have to present these risk assessments and the mitigating measures to a competent authority in the Member State where they are based or in the Member State where they appointed a legal representative authority in the EU. This competent authority will assess this. See how big is the risk. How effective are the mitigating measures and is there a need for additional measures,” she continued. “Then they will come back to the company — they will consult the EU Centre, they will consult their data protection agencies — to say whether there will be a detection order and if they find there should be a detection order then they should ask another independent authority — it could be a court in that specific Member State — to issue a detection order for a specific period of time. And that could take into account what kind of technology they are allowed to use for this detection.”

“So that’s how we put the safeguards [in place],” Johansson went on. “It’s not allowed to do a detection without a detection order. But when there is a detection order you’re obliged to do it and you’re obliged to report when and if you find CSAM. And this should be reported to the EU Centre which will have an important role to assess whether [reported material] will be put forward to law enforcement [and to pick up what the regulation calls “obviously false positives” to prevent innocent/non-CSAM from being forward to law enforcement].”

The regulation will “put the European Union in the global lead on the fight on online sexual abuse”, she further suggested.

Stipulations and safeguards

The EU’s legislation proposing body says the regulation is based on both the bloc’s existing privacy framework (the General Data Protection Regulation; GDPR) and the incoming Digital Services Act (DSA), a recently agreed horizontal update to rules for ecommerce and digital services and platforms which sets governance requirements in areas like illegal content.

CSAM is already illegal across the EU but the problem of child sexual abuse is so grave — and the role of online tools, not just in spreading and amplifying but also potentially facilitating abuse — that the Commission argues dedicated legislation is merited in this area.

It adopted a similarly targeted regulation aimed at speeding up takedowns of terrorism content last year — and the EU approach is intended to support continued expansion of the bloc’s digital rulebook by bolting on other vertical instruments, as needed.

“This comes of course with a lot of safeguards,” emphasized Johansson of the latest proposed addition to EU digital rules. “What we are targeting in this legislation are service providers online and hosting providers… It’s tailored to target this child sexual abuse material online.”

As well as applying to messaging services, the regime includes some targeted measures for app stores which are intended to help prevent kids downloading risky apps — including a requirement that app stores use “necessary age verification and age assessment measures to reliably identify child users on their services”.  

Johansson explained that the regulation bakes in multiple layers of requirements for in-scope services — starting with an obligation to conduct a risk assessment that considers any risks their service may present to children in the context of CSAM, and a requirement to present mitigating measures for any risks they identify.

This structure looks intended by EU lawmakers to encourage services to proactively adopt a robust security- and privacy-minded approach towards users to better safeguard any minors from abuse/predatory attention in a bid to shrink their regulatory risk and avoid more robust interventions that could mean they have to warn all their users they are scanning for CSAM (which wouldn’t exactly do wonders for the service’s reputation).

It looks to be no accident that — also today — the Commission published a new strategy for a “better Internet for kids” (BI4K) which will encourage platforms to conform to a new, voluntary “EU code for age-appropriate design”; as well as fostering development of “a European standard on online age verification” by 2024 — which the bloc’s lawmakers also envisage looping in another plan for a pan-EU ‘privacy-safe’ digital ID wallet (i.e. as a non-commercial option for certifying whether a user is underage or not).

The BI4K strategy doesn’t contain legally binding measures but adherence to approved practices, such as the planned age-appropriate design code, could be seen as a way for digital services to earn brownie points towards compliance with the DSA — which is legally binding and carries the threat of major penalties for infringers. So the EU’s approach to platform regulation should be understood as intentionally broad and deep; with a long-tail cascade of stipulations and suggestions which both require and nudge.

Returning to today’s proposal to combat child sexual abuse, if a service provider ends up being deemed to be in breach the Commission has proposed fines of up to 6% of global annual turnover — although it would be up to the Member State agencies to determine the exact level of any penalties.

These local regulatory bodies will also be responsible for assessing the service provider’s risk assessment and existing mitigations — and, ultimately, deciding whether or not a detection order is merited to address specific child safety concerns.

Here the Commission looks to have its eye on avoiding forum shopping and enforcement blockages/bottlenecks (as have hampered GDPR) as the regulation requires Member State-level regulators to consult with a new, centralized (but independent of the EU) agency — called the “European Centre to prevent and counter child sexual abuse” (aka, the “EU Centre” for short) — a body lawmakers intend to support their fight against child sexual abuse in a number of ways.

Among the Centre’s tasks will be receiving and checking reports of CSAM from in-scope services (and deciding whether or not to forward them to law enforcement); maintaining databases of “indicators” of online CSAM which services could be required to use on receipt of a detection order; and developing (novel) technologies that might be used to detect CSAM and/or grooming.

In particular, the EU Centre will create, maintain and operate databases of indicators of online child sexual abuse that providers will be required to use to comply with the detection obligations,” the Commission writes in the regulation preamble. 

The EU Centre should also carry out certain complementary tasks, such as assisting competent national authorities in the performance of their tasks under this Regulation and providing support to victims in connection to the providers’ obligations. It should also use its central position to facilitate cooperation and the exchange of information and expertise, including for the purposes of evidence-based policy-making and prevention. Prevention is a priority in the Commission’s efforts to fight against child sexual abuse.”

The prospect of apps having to incorporate CSAM detection technology developed by a state agency has, unsurprisingly, caused alarm among a number of security, privacy and digital rights watchers.

Although alarm isn’t limited to that one component; Pirate Party MEP, Patrick Breyer — a particularly vocal critic — dubs the entire proposal “mass surveillance” and “fundamental rights terrorism” on account of the cavalcade of risks he says it presents, from mandating age verification to eroding privacy and confidentiality of messaging and cloud storage for personal photos.

Re: the Centre’s listed detection technologies, it’s worth noting that Article 10 of the regulation includes this caveated line on obligatory use of its tech — which states [emphasis ours]: “The provider shall not be required to use any specific technology, including those made available by the EU Centre, as long as the requirements set out in this Article are met” — which, at least, suggests providers have a choice over whether or not they apply its centrally devised technologies to comply with a detection order vs using some other technologies of their choice.

(Okay, so what are the requirements that must be “met”, per the rest of the Article, to be freed from the obligation to use EU Centre approved tech? These include that selected technologies are “effective” at detection of known/new CSAM and grooming activity; are unable to extract other information from comms other than what is “strictly necessary” for detecting the targeted CSAM content/behavior; are “state of the art” and have the “least intrusive” impact on fundamental rights like privacy; and are “sufficiently reliable, in that they limit to the maximum extent possible the rate of errors regarding the detection”… So the primary question arising from the regulation is probably whether such subtle and precise CSAM/grooming detection technologies exist anywhere at all — or even could ever exist outside the realms of sci-fi.)

That the EU is essentially asking for the technologically impossible has been another quick criticism of the proposal.

Crucially for anyone concerned about the potential impact to (everybody’s) privacy and security if messaging comms/cloud storage etc are compromised by third party scanning tech, local oversight bodies responsible for enforcing the regulation must consult EU data protection authorities — who will clearly have a vital role to play in assessing the proportionality of proposed measures and weighing the impact on fundamental rights.

Per the Commission, technologies developed by the EU Centre will also be assessed by the European Data Protection Board (EDPB), a steering body for application of the GDPR, which it stipulates must be consulted on all detection techs included in the Centre’s list. (“The EDPB is also consulted on the ways in which such technologies should be best deployed to ensure compliance with applicable EU rules on the protection of personal data,” the Commission adds in a Q&A on the proposal.)

There’s a further check built in, according to EU lawmakers, as a separate independent body (which Johansson suggests could be a court) will be responsible for finally issuing — and, presumably, considering the proportionality of — any detection order. (But if this check doesn’t include a wider weighing of proportionality/necessity it might just amount to a procedural rubber stamp.)

The regulation further stipulates that detection orders must be time limited. Which implies that requiring indefinite detection would not be possible under the plan. Albeit, consecutive detection orders might have a similar effect — albeit, you’d hope the EU’s data protection agencies would do their job of advising against doing that or the risk of a legal challenge to the whole regime would certainly crank up.

Whether all these checks and balances and layers of oversight will calm the privacy and security fears swirling around the proposal remains to be seen.

A version of the draft legislation which leaked earlier this week quickly sparked loud alarm klaxons from a variety of security and industry experts — who reiterated (now) perennial warnings over the implications of mandating content-scanning in an digital ecosystem that contains robustly encrypted messaging apps.

The concern is especially what the move might mean for end-to-end encrypted services — with industry watchers querying whether the regulation could force messaging platforms to bake in backdoors to enable the ‘necessary’ scanning, since they don’t have access to content in the clear?

E2EE messaging platform WhatsApp’s chief, Will Cathcart, was quick to amplify concerns of what the proposal might mean in a tweet storm.

Some critics also warned that the EU’s approach looked similar to a controversial proposal by Apple last year to implement client-side CSAM scanning on users’ devices — which was dropped by the tech giant after another storm of criticism from security and digital rights experts.

Assuming the Commission proposal gets adopted (and the European Parliament and Council have to weigh in before that can happen), one major question for the EU is absolutely what happens if/when services ordered to carry out detection of CSAM are using end-to-end encryption — meaning they are not in a position to scan message content to detect CSAM/potential grooming in progress since they do not hold keys to decrypt the data.

Johansson was asked about encryption during today’s presser — and specifically whether the regulation poses the risk of backdooring encryption? She sought to close down the concern but the Commission’s circuitous logic on this topic makes that task perhaps as difficult as inventing a perfectly effective and privacy safe CSAM detecting technology.

“I know there are rumors on my proposal but this is not a proposal on encryption. This is a proposal on child sexual abuse material,” she responded. “CSAM is always illegal in the European Union, no matter the context it is in. [The proposal is] only about detecting CSAM — it’s not about reading or communication or anything. It’s just about finding this specific illegal content, report it and to remove it. And it has to be done with technologies that have been consulted with data protection authorities. It has to be with the least privacy intrusive technology.

“If you’re searching for a needle in a haystack you need a magnet. And a magnet will only see the needle, and not the hay, so to say. And this is how they use the detection today — the companies. To detect for malware and spam. It’s exactly the same kind of technology, where you’re searching for a specific thing and not reading everything. So this is what this about.”

“So yes I think and I hope that it will be adopted,” she added of the proposal. “We can’t continue leaving children without protection as we’re doing today.”

As noted above, the regulation does not stipulate exact technologies to be used for detection of CSAM. So EU lawmakers are  — essentially — proposing to legislate a fudge. Which is certainly one way to try to sidestep the inexorable controversy of mandating privacy-intrusive detection without fatally undermining privacy and breaking E2EE in the process.

During the brief Q&A with journalists, Johansson was also asked why the Commission had not made it explicit in the text that client-side scanning would not be an acceptable detection technology — given the major risks that particular ‘state of the art’ technology is perceived to pose to encryption and to privacy.

She responded by saying the legislation is “technology neutral”, before reiterating another relative: That the regulation has been structured to limit interventions so as to ensure they have the least intrusive impact on privacy. 

“I think she is extremely important in these days. Technology is developing extremely fast. And of course we have been listening to those that have concerns about the privacy of the users. We’ve also been listening to those that have concerns about the privacy of the children victims. And this is the balance to find,” she suggested. “That’s why we set up this specific regime with the competent authority and they have to make a risk assessment — mitigating measures that will foster safety by design by the companies.

“If that’s not enough — if detection is necessary — we have built in the consultation of the data protection authorities and we haver built in a specific decision by another independent authority, it could be a court, that will take the specific detection order. And the EU Centre is there to support and to help with the development of the technology so we have the least privacy intrusive technology.

“But we choose not to define the technology because then it might be outdated already when it’s adopted because the technology and development goes so fast. So the important [thing] is the result and the safeguards and to use the least intrusive technology to reach that result that is necessary.”

There is, perhaps, a little more reassurance to be found in the Commission’s Q&A on the regulation where — in a section responding to the question of how the proposal will “prevent mass surveillance” — it writes [emphasis ours]:

“When issuing detection orders, national authorities have to take into account the availability and suitability of relevant technologies. This means that the detection order will not be issued if the state of development of the technology is such that there is no available technology that would allow the provider to comply with the detection order.”

That said, the Q&A does confirm that encrypted services are in-scope — with the Commission writing that had it explicitly excluded those types of services “the consequences would be severe for children”. (Even as it also gives a brief nod to the importance of encryption for “the protection of cybersecurity and confidentiality of communications”.)

On E2EE specifically, the Commission writes that it continues to work “closely with industry, civil society organisations, and academia in the context of the EU Internet Forum, to support research that identifies technical solutions to scale up and feasibly and lawfully be implemented by companies to detect child sexual abuse in end-to-end encrypted electronic communications in full respect of fundamental rights”.

“The proposed legislation takes into account recommendations made under a separate, ongoing multi-stakeholder process exclusively focused on encryption arising from the December 2020 Council Resolution,” it further notes, adding [emphasis ours]: “This work has shown that solutions exist but have not been tested on a wide scale basis. The Commission will continue to work with all relevant stakeholders to address regulatory and operational challenges and opportunities in the fight against these crimes.”

So — the tl;dr looks to be that, in the short term, E2EE services are likely to dodge a direct detection order, being as there’s likely no (legal) way to detect CSAM without fatally compromising user privacy/security, so the EU’s plan could, in the first instance, end up encouraging further adoption of strong encryption (E2EE) by in scope services — i.e. as a means of managing regulatory risk. (What that might mean for services that operate intentionally user-scanning business models is another question.)

That said, the proposed framework has been set up in such a way as to leave the door open to a pan-EU agency (the EU Centre) being positioned to consult on the design and development of novel technologies that could, one day, tread the line — or thread the needle, if you prefer — between risk and rights.

Or else that theoretical possibility is being entertained as another stick for the Commission to hold over unruly technologists to encourage them to engage in more thoughtful, user-centric design as a way to combat predatory behavior and abuse on their services.

UST founder Do Kwon shares plan to save its stablecoin from mass destruction

The past few days have been extremely volatile across the crypto economy, after one of the (what was supposed to be) largest stablecoins, TerraUSD (UST), depegged from its $1 value and fell as much as 70% to 29 cents earlier this morning.

Do Kwon, the founder of Terraform Labs (TFL) — the organization behind UST, cryptocurrency Terra (LUNA) and Luna Foundation Guard (LFG) — shared an update to the situation in a thread of tweets earlier this morning, in hopes of righting the ship.

“I understand the last 72 hours have been extremely tough on all of you — know that I am resolved to work with every one of you to weather this crisis, and we will build our way out of this,” Kwon said. “Together.”

UST is an algorithmic stablecoin that leans on a system of traders who swap between LUNA and UST when the value of UST goes above or below its 1:1 ratio, so it could hold to the U.S. dollar. Every time $1 worth of UST token is bought, $1 worth of LUNA is burned, and vice versa.

If UST goes above $1, arbitrageurs are encouraged to burn LUNA to make more UST and bring it back to its $1 value. If demand contracts and drops UST below $1, as we’ve seen over the past few days, UST could be burnt for LUNA. (Burning is a common mechanism in crypto to pull tokens out of circulation to keep demand and supply healthy – in this case, the burning reduces supply with the goal of making it more scarce and valuable, thus keeping algorithmic stablecoins like UST at their peg.) But in this most recent situation, tons of capital was being pulled from UST after arbitrageurs sold LUNA, which caused the “stablecoin” to drop dramatically, applying massive pressure on its ecosystem.

Kwon acknowledged that due to the algorithmic nature of UST, there was a significant impact on the price of LUNA, which peaked at $119.18 in April but has since plummeted to 85 cents at the time of publication. In the last 24 hours alone, LUNA fell more than 96%, according to CoinMarketCap data. “Luna price has diminished drastically absorbing the [arbitrage],” he said.

LFG is also looking to raise over $1 billion from investment firms and market makers, according to a May 10 article from The Block, citing multiple anonymous sources.

The deal isn’t finalized; it’s currently being negotiated for investors to purchase LUNA tokens at a 50% discount with a two-year vesting schedule, The Block reported. Since then, LUNA has been discounted far beyond that value, so it’s uncertain if investors will still consider the deal.

“Before anything else, the only path forward will be to absorb the stablecoin supply that wants to exit before $UST can start to repeg,” Kwon wrote. “There is no way around it.”

The impact of this event can have broader implications across the market, as seen earlier this week when bitcoin’s value fell below $30,000 and U.S. Treasury Secretary Janet Yellen pushed for more stablecoin regulation during an annual testimony in front of the Senate Banking Committee on May 10, right in the middle of when Terra’s algorithmic stablecoin, UST, struggled to retain its peg.

In response to questions from Senators Pat Toomey and Catherine Cortez Masto, Yellen said it would be “highly appropriate” for stablecoin regulation to occur by the end of 2022 because there are “many risks associated with cryptocurrencies.”

“We really need a consistent federal framework,” Yellen commented.

While some holders (and non-believers) of the cryptocurrency and stablecoin alike have already abandoned ship, others who believe deeply in the project are willing to give it another chance.

“Rooting for the failure of $UST is rooting for the failure of all stablecoins (and crypto),” Sheldon Evans, a crypto-focused YouTuber with about 740,000 subscribers, tweeted. “Centralized [stablecoins] where collateralization is not completely public and transparent such as $USDT (which [by the way] what most of the crypto market is propped up on) could destroy everything.”

Going forward, Kwon plans to endorse a Terra community proposal that will increase the amount of LUNA able to be minted by four times, so that the holders can “absorb the UST more quickly” or sell because only a certain amount of UST can be sold daily.

But by increasing the minting capacity, LUNA’s price will have the ability to drop even more. As it stands, about 95,200,000 votes — which is based on the number of LUNA tokens, not per user — have been cast in favor of the proposal, with zero votes against it.

“Naturally, this is at a high cost to UST and LUNA holders, but we will continue to explore various options to bring in more exogenous capital to the ecosystem [and] reduce supply overhang on UST,” Kwon said.

As Terraform Labs rebuilds UST, the team will adjust its stablecoin mechanism to be collateralized, Kwon said.

In April, Kwon told TechCrunch that it planned to back UST with a “basket” of Layer 1 cryptocurrencies over time, in addition to the U.S. dollar and bitcoin.

“Stablecoins are like the utility side and basically the money of crypto,” Kwon said at the time. “Possibly aside from Bitcoin, stablecoins are crypto’s holy grail use case.”

UK opts for slow reboot of Big Tech rules, pushes ahead on privacy ‘reforms’

The UK government has confirmed it will move forward on a major ex ante competition reform aimed at Big Tech, as it set out its priorities for the new parliamentary session earlier today.

However it has only said that draft legislation will be published over this period — booting the prospect of passing updated competition rules for digital giants further down the road.

At the same time today it confirmed that a “data reform bill” will be introduced in the current parliamentary session.

This follows a consultation it kicked off last year to look at how the UK might diverge from EU law in this area, post-Brexit, by making changes to domestic data protection rules.

There has been concern that the government is planning to water down citizens’ data protections. Details the government published today, setting out some broad-brush aims for the reform, don’t offer a clear picture either way — suggesting we’ll have to wait to see the draft bill itself in the coming months.

Read on for an analysis of what we know about the UK’s policy plans in these two key areas… 

Ex ante competition reform

The government has been teasing a major competition reform since the end of 2020 — putting further meat on the bones of the plan last month, when it detailed a bundle of incoming consumer protection and competition reforms.

But today, in a speech setting out prime minister Boris Johnson’s legislative plans for the new session at the state opening of parliament, it committed to publish measures to “create new competition rules for digital markets and the largest digital firms”; also saying it would publish “draft” legislation to “promote competition, strengthen consumer rights and protect households and businesses”.

In briefing notes to journalists published after the speech, the government said the largest and most powerful platform will face “legally enforceable rules and obligations to ensure they cannot abuse their dominant positions at the expense of consumers and other businesses”.

A new Big Tech regulator will also be empowered to “proactively address the root causes of competition issues in digital markets” via “interventions to inject competition into the market, including obligations on tech firms to report new mergers and give consumers more choice and control over their data”, it also said.

However another key detail from the speech specifies that the forthcoming Digital Markets, Competition and Consumer Bill will only be put out in “draft” form over the parliament — meaning the reform won’t be speeding onto the statue books.

Instead, up to a year could be added to the timeframe for passing laws to empower the Digital Markets Unit (DMU) — assuming ofc Johnson’s government survives that long. The DMU was set up in shadow form last year but does not yet have legislative power to make the planned “pro-competition” interventions which policymakers intend to correct structural abuses by Big Tech.

(The government’s Online Safety Bill, for example — which was published in draft form in May 2021 — wasn’t introduced to parliament until March 2022; and remains at the committee stage of the scrutiny process, with likely many more months before final agreement is reached and the law passed. That bill was included in the 2022 Queen’s Speech so the government’s intent continues to be to pass the wide-ranging content moderation legislation during this parliamentary session.)

The delay to introducing the competition reform means the government has cemented a position lagging the European Union — which reached political agreement on its own ex ante competition reform in March. The EU’s Digital Markets Act is slated to enter into force next Spring, by which time the UK may not even have a draft bill on the table yet. (While Germany passed an update to its competition law last year and has already designated Google and Meta as in scope of the ex ante rules.)

The UK’s delay will be welcomed by tech giants, of course, as it provides another parliamentary cycle to lobby against an ex ante reboot that’s intended to address competition and consumer harms in digital markets which are linked to giants with so-called “Strategic Market Status”.

This includes issues that the UK’s antitrust regulator, the CMA, has already investigated and confirmed (such as Google and Facebook’s anti-competitive dominance of online advertising); and others it suspects of harming consumers and hampering competition too (like Apple and Google’s chokepoint hold over their mobile app stores).

Any action in the UK to address those market imbalances doesn’t now look likely before 2024 — or even later.

Recent press reports, meanwhile, have suggested Johnson may be going cold on the ex ante regime — which will surely encourage Big Tech’s UK lobbyists to seize the opportunity to spread self-interested FUD in a bid to totally derail the plan.

The delay also means tech giants will have longer to argue against the UK introducing an Australian-style news bargaining code — which the government appears to be considering for inclusion in the future regime.

One of the main benefits of the bill is listed as [emphasis ours]:

“Ensuring that businesses across the economy that rely on very powerful tech firms, including the news publishing sector, are treated fairly and can succeed without having to comply with unfair terms.”

“The independent Cairncross Review in 2019 identified an imbalance of bargaining power between news publishers and digital platforms,” the government also writes in its briefing note, citing a Competition and Markets Authority finding that “publishers see Google and Facebook as ‘must have’ partners as they provide almost 40 per cent of large publishers’ traffic”.

Major consumer protection reforms which are planned in parallel with the ex ante regime — including letting the CMA decide for itself when UK consumer law has been broken and fine violating platforms over issues like fake reviews, rather than having to take the slow route of litigating through the courts — are also on ice until the bill gets passed. So major ecommerce and marketplace platforms will also have longer to avoid hard-hitting regulatory action for failures to purge bogus reviews from their UK sites.

Consumer rights group, Which?, welcomed the government’s commitment to legislate to strengthen the UK’s competition regime and beef up powers to clamp down on tech firms that breach consumer law. However it described it as “disappointing” that it will only publish a draft bill in this parliamentary session.

“The government must urgently prioritise the progress of this draft Bill so as to bring forward a full Bill to enact these vital changes as soon as possible,” added Rocio Concha, Which? director of policy and advocacy, in a statement.

Data reform bill

In another major post-Brexit policy move, the government has been loudly flirting with ripping up protections for citizens’ data — or, at least, killing off cookie banners.

Today it confirmed it will move forward with ‘reforming’ the rules wrapping people’s data — just without being clear about the exact changes it plans to make. So where exactly the UK is headed on data protection still isn’t clear.

That said, in briefing notes on the forthcoming data reform bill, the government appears to be directing most focus at accelerating public sector data sharing instead of suggesting it will pass amendments that pave the way for unfettered commercial data-mining of web users.

Indeed, it claims that ensuring people’s personal data “is protected to a gold standard” is a core plank of the reform.

A section on the “main benefits” of the reform also notably lingers on public sector gains — with the government writing that it will be “making sure that data can be used to empower citizens and improve their lives, via more effective delivery of public healthcare, security, and government services”.

But of course the devil will be in the detail of the legislation presented in the coming months. 

Here’s what else the government lists as the “main elements” of the upcoming data reform bill:

  • Using data and reforming regulations to improve the everyday lives of people in the UK, for example, by enabling data to be shared more efficiently between public bodies, so that delivery of services can be improved for people.
  • Designing a more flexible, outcomes-focused approach to data protection that helps create a culture of data protection, rather than “tick box” exercises.

Discussing other “main benefits” for the reform, the government touts increased “competitiveness and efficiencies” for businesses, via a suggested reduction in compliance burdens (such as “by creating a data protection framework that is focused on privacy outcomes rather than box-ticking”); a “clearer regulatory environment for personal data use” which it suggests will “fuel responsible innovation and drive scientific progress”; “simplifying the rules around research to cement the UK’s position as a science and technology superpower”, as it couches it; and ensuring the data protection regulator (the ICO) takes “appropriate action against organisations who breach data rights and that citizens have greater clarity on their rights”.

The upshot of all these muscular-sounding claims boils down to whatever the government means by an “outcomes-focused” approach to data protection vs “tick-box” privacy compliance. (As well as what “responsible innovation” might imply.)

It’s also worth mulling what the government means when it says it wants the ICO to take “appropriate” action against breaches of data rights. Given the UK regulator has been heavily criticized for inaction in key areas like adtech you could interpret that as the government intending the regulator to take more enforcement over privacy breaches, not less.

(And its briefing note does list “modernizing” the ICO, as a “purpose” for the reform — in order to “[make] sure it has the capabilities and powers to take stronger action against organisations who breach data rules while requiring it to be more accountable to Parliament and the public”.)

However, on the flip side, if the government really intends to water down Brits’ privacy rights — by say, letting businesses overrule the need to obtain consent to mine people’s info via a more expansive legitimate interest regime for commercial entities to do what they like with data (something the government has been considering in the consultation) — then the question is how that would square with a top-line claim for the reform ensuing “UK citizens’ personal data is protected to a gold standard”?

The overarching question here is whose “gold standard” the UK is intending to meet? Brexiters might scream for their own yellow streak — but the reality is there are wider forces at play once you’re talking about data exports.

Despite Johnson’s government’s fondness for ‘Brexit freedom’ rhetoric, when it comes to data protection law the UK’s hands are tied by the need to continue meeting the EU’s privacy standards, which require the an equivalent level of protection for citizens’ data outside the bloc — at least if the UK wants data to be able to flow freely into the country from the bloc’s ~447M citizens, i.e. to all those UK businesses keen to sell digital services to Europeans. 

This free flow of data is governed by a so-called adequacy decision which the European Commission granted the UK in June last year, essentially on account that no changes had (yet) been made to UK law since it adopted the bloc’s General Data Protection Regulation (GDPR) in 2018 by incorporating it into UK law.

And the Commission simultaneously warned that any attempt by the UK to weaken domestic data protection rules — and thereby degrade fundamental protections for EU citizens’ data exported to the UK — would risk an intervention. Put simply, that means the EU could revoke adequacy — requiring all EU-UK data flows to be assessed for legality on a case-by-case basis, vastly ramping up compliance costs for UK businesses wanting to import EU data.

Last year’s adequacy agreement also came with a baked in sunset clause of four years — meaning it will be up for automatic review in 2025. Ergo, the amount of wiggle room the UK government has here is highly limited. Unless it’s truly intent on digging ever deeper into the lunatic sinkhole of Brexit by gutting this substantial and actually expanding sunlit upland of the economy (digital services).

The cost — in pure compliance terms — of the UK losing EU adequacy has been estimated at between £1BN-£1.6BN. But the true cost in lost business/less scaling would likely be far higher.

The government’s briefing note on its legislative program itself notes that the UK’s data market represented around 4% of GDP in 2020; also pointing out that data-enabled trade makes up the largest part of international services trade (accounting for exports of £234BN in 2019).

It’s also notable that Johnson’s government has never set out a clear economic case for tearing up UK data protection rules.

The briefing note continues to gloss over that rather salient detail — saying that analysis by the Department for Digital, Culture, Media and Sport (DCMS) “indicates our reforms will create over £1BN in business savings over ten years by reducing burdens on businesses of all sizes”; but without specifying exactly what regulatory changes it’s attaching those theoretical savings to.

And that’s important because — keep in mind — if the touted compliance savings are created by shrinking citizens’ data protections that risks the UK’s adequacy status with the EU — which, if lost, would swiftly lead to at least £1BN in increased compliance costs around EU-UK data flows… thereby wiping out the claimed “business savings” from ‘less privacy red tape’.

The government does cite a 2018 economic analysis by DCMS and a tech consultancy, called Ctrl-Shift, which it says estimated that the “productivity and competition benefits enabled by safe and efficient data flows would create a £27.8BN uplift in UK GDP”. But the keywords in that sentence are “safe and efficient”; whereas unsafe EU-UK data flows would face being slowed and/or suspended — at great cost to UK GDP…

The whole “data reform bill” bid does risk feeling like a bad-faith PR exercise by Johnson’s thick-on-spin, thin-on-substance government — i.e. to try to claim a Brexit ‘boon’ where there is, in fact, none.

See also this “key fact” which accompanies the government’s spiel on the reform — claiming:

“The UK General Data Protection Regulation and Data Protection Act 2018 are highly complex and prescriptive pieces of legislation. They encourage excessive paperwork, and create burdens on businesses with little benefit to citizens. Because we have left the EU, we now have the opportunity to reform the data protection framework. This Bill will reduce burdens on businesses as well as provide clarity to researchers on how best to use personal data.”

Firstly, the UK chose to enact those pieces of legislation after the 2016 Brexit vote to leave the EU. Indeed, it was a Conservative government (not led by Johnson at that time) that passed these “highly complex and prescriptive pieces of legislation”.

Moreover, back in 2017, the former digital secretary Matt Hancock described the EU GDPR as a “decent piece of legislation” — suggesting then that the UK would, essentially, end up continuing to mirror EU rules in this area because it’s in its interests to do so to in order to keep data flowing.

Fast forward five years and the Brexit bombast may have cranked up to Johnsonian levels of absurdity but the underlying necessity for the government to “maintain unhindered data flows”, as Hancock put it, hasn’t gone anywhere — or, well, assuming ministers haven’t abandoned the idea of actually trying to grow the economy.

But there again the government lists creating a “pro-growth” (and “trusted”) data protection framework as a key “purpose” for the data reform bill — one which it claims can both reduce “burdens” for businesses and “boosts the economy”. It just can’t tell you how it’ll pull that Brexit bunny out of the hat yet.

Elon Musk gives Europe’s speech platform rules the thumbs up

While the world continues to wonder what ‘free speech absolutist‘ and gadfly billionaire Elon Musk might mean for the future of Twitter, the European Union has chalked up an early PR win in the long game of platform regulation — extracting agreement from the Tesla founder that its freshly rebooted approach toward content policy sounds like good shiz.

EU internal market commissioner, Thierry Breton, paid a visit to the would-be Twitter owner, Musk, yesterday for a meeting at his gigafactory in Austin, Texas, where we’re told regulation of online speech was a key discussion topic, alongside “mutual interest” supply chain chat.

Breton was keen to introduce Musk to the newly agreed Digital Services Act (DSA), which will come into force across the bloc in the coming years — likely in early 2023 for larger platforms such as Twitter — with the aim of harmonizing content governance rules and dialling up consumer protections. Breaches of the regulation, meanwhile, can attract fines of up to 6% of global annual turnover.

Asked whether the newly agreed regulation fits with his planned approach for Twitter, Musk responded: “I think it’s exactly aligned with my thinking”.

“It’s been a great discussion,” Musk also said in the brief Q&A with Breton. “I agree with everything you said really. I think we’re very much of the same mind. And I think anything that my companies can do that would be beneficial to Europe, we want to do that. That’s what I’m saying.”

“On social media, they had a constructive exchange on the impact of the recently adopted EU Digital Services Act on online platforms in areas such as freedom of speech, algorithm transparency, or user responsibility,” a spokesman for Breton’s office also told us — pointing to a “short video” summary which was promptly posted to Twitter, post-meeting, where Musk can be heard making the aforementioned remarks.

“Great meeting!” he also tweeted afterwards. “We are very much on the same page.”

Setting aside the awkward body language between Musk and Breton (defensive vs obsequious), it remains to be seen whether the former might have the last (hollow) laugh — should it turn out he’s inadvertently highlighted a major hole in the bloc’s plan.

In recent weeks, since news of Musk’a $44BN bid to buy Twitter broke, he’s suggested his rule of thumb for moderating speech on the social media platform will cleave to local laws that require the removal of illegal speech — but leave pretty much everything else up.

Which could mean he’ll happily open the floodgates to toxic abuse and mindless conspiracy theories — aka ‘legal but harmful speech’…

Europe’s grand plan for modernizing platform rules, meanwhile, essentially sidesteps this fuzzier (controversial) area of legal but harmful speech in favor of fixing hard-and-fast rules to harmonize speedy takedowns of strictly illegal stuff (e.g. CSAM; copyright infringement; hate speech in certain markets; another EU regulation that’s due to start applying this year also targets terrorist content with a one-hour takedown rule).

So it’s perhaps no wonder that Musk came away from the meeting with the EU commissioner professing their approaches align — assuming Breton’s core message was that the rules focus on illegal speech.

Confirmation bias is a helluva a drug!

That said, EU lawmakers do have a number of (softer) mechanisms in the pipe to tackle fuzzier content problems such as disinformation — and to set transparency rules around political ads. So it may be that Musk hasn’t fully grokked all the ways the bloc intends to pressure platform providers not to spread other types of toxic and/or harmful content.

If he succeeds in buying Twitter, one thing is clear: Musk will be fielding many more requests for meetings from lawmakers at home and abroad. And if he chooses to pull out the speech stops, and let toxic abuse and damaging disinformation rip, he’ll quickly find a lot of those requests turning into hard and fast demands.

Match Group sues Google over ‘monopoly power’ in Android app payments

The parent company of dating apps Tinder, Match and OkCupid is suing Google, alleging that the company exerts too much control over payments through its Google Play app marketplace.

The lawsuit, filed Monday in California’s Northern District, accuses the company of deploying “anticompetitive tactics” to maintain a monopoly on the Android mobile ecosystem:

Ten years ago, Match Group was Google’s partner. We are now its hostage. Google lured app developers to its platform with assurances that we could offer users a choice over how to pay for the services they want.

But once it monopolized the market for Android app distribution with Google Play by riding the coattails of the most popular app developers, Google sought to ban alternative in-app payment processing services so it could take a cut of nearly every in-app transaction on Android.

Match’s lawsuit is the latest instance of app developers demanding relief from Google and Apple over the 30 percent standard cut — now, sometimes 15% — that those tech giants extract from in-app payments. Longstanding tensions around the issue boiled over in 2020 when Epic Games sued Apple for antitrust violations, a case that didn’t result in a clear-cut victor but did force Apple to allow developers to point their users to alternative payment options.

Facing pressure over its restrictive payment choices, Google recently launched a pilot program that would allow apps to offer an alternative payment option along with Google Play’s own system within apps. Spotify was the only company named as a participant in the pilot program, and Match claims that the company has rebuffed its own efforts to sign up.

At the same time, Google announced plans to crack down on apps that circumvent its billing systems, setting a deadline of June 1. In light of the deadline, Match Group CEO Shar Dubey called the lawsuit a “measure of last resort” for the dating app company.

“They control app distribution on Android devices, and pretend that developers could successfully reach consumers on Android elsewhere,” Dubey said. “It’s like saying ‘you don’t have to take the elevator to get to the 60th floor of a building, you can always scale the outside wall.’ It’s not legitimate.”

In a statement to TechCrunch, Google dismissed the new Match lawsuit as a “self-interested campaign” to avoid paying its fair share. “… Even if they don’t want to comply with Google Play’s policies, Android’s openness still provides them multiple ways of distributing their apps to Android users, including through other Android app stores, directly to users via their website or as consumption-only apps,” a Google spokesperson said.

Match Group is a member of the Coalition for App Fairness, a developer advocacy group that calls attention to the ways that Apple and Google’s dominance over the mobile software market negatively affects app developers. Epic Games, Spotify and Tile are others prominent members of the group, which was formed in 2020 around the time that Epic escalated its own complaints.

Developers tired of paying such a hefty cut of their in-app earnings to Apple and Google are stepping up the pressure on those companies, but governments around the world are increasingly taking an interest in the issue too.

In the U.S., the bipartisan Open Markets Act would crack open both the iOS and Android app store, upending Apple and Google’s shared stranglehold on the mobile software world in the process. That bill moved out of a Senate committee earlier this year and appears poised to continue the slow crawl toward becoming law.

Last week, a competition complaint in the Netherlands against Google’s Play Store from Match Group prompted a preliminary investigation into the company’s potential anticompetitive practices. That country’s Authority for Consumers and Markets is also sparring with Apple over its own app payment processes, and the regulatory group has ordered the company to allow dating apps to offer alternative payment options.

UK’s Big Tech regulator ‘to boost switching, cut killer acquisitions’

Just over a year after launching a dedicated unit focused on digital markets inside the national competition watchdog, the UK government has put some meat on the bones of what this new Big Tech regulator will focus on — including confirming it will have the ability to levy fines of up to 10% of global annual turnover if platform giants fail to comply with tailored codes of conduct.

However the government still hasn’t confirmed exactly when it expects to legislate to empower the Digital Markets Unit (DMU) — saying only that it will introduce legislation to put it on a statutory footing “in due course.”

Responding late yesterday to a consultation on a new “pro-competition regime for digital markets” which it launched last year, the Department for Digital, Culture, Media and Sport (DCMS) said that incoming “fair play” rules for Big Tech — which the government wants to make digital markets more open and competitive — will make it easier for UK consumers to switch between Android and iOS; between social media accounts without losing their data; and to have more control over their data (such as by opting out of “personalized” advertising).

DCMS also wants the regime to ensure smartphone users to have more choice over which search engine and messaging apps they use — so the DMU looks set to target the pre-loading/bundling practices of giants like Apple and Google.

Boosting competition by setting out rules of the road for platform giants so they deal fairly with business customers is another core aim for the reform, with DCMS touting how it will support small businesses and startups.

“Tens of thousands of UK small and medium-size businesses will get a better deal from the big tech firms which they rely on to trade online. Tech firms could need to warn smaller firms about changes to their algorithms which drive traffic and revenues,” DCMS said in a press release, highlighting the example of changes to search engine algorithms that could steer traffic “away from certain sites and businesses which could have a negative effect on their revenue”. (Something plenty of Google competitors have complained about, over the years.)

Commenting in a statement, digital minister Chris Philp said:

“Technology has revolutionised the way thousands of UK firms do business – helping them reach new customers and putting a range of instant online services at people’s fingertips. But the dominance of a few tech giants is crowding out competition and stifling innovation.

“We want to level the playing field and we are arming this new tech regulator with a range of powers to generate lower prices, better choice and more control for consumers while backing content creators, innovators and publishers, including in our vital news industry.”

DCMS also said the incoming measures will “make sure news publishers are able to monetise their online news content and be paid fairly for it” — saying the DMU will be given the power to “step in to solve pricing disputes between news outlets and platforms”, which suggests the government is taking inspiration from Australia’s news bargaining code law targeted at Facebook and Google.

App developers will also be able to sell their apps on “fairer and more transparent terms”, per DCMS.

Here the government is likely drawing on a number of international moves to force Apple and Google to give up total control of their respective app store rules. (Albeit, the devil will be in the detail of the codes of conduct the DMU will be applying and we’ll have to wait an unknown amount of time to see those, as DCMS confirmed: “The government will define the digital activities and conduct requirements for firms in scope of the regime when it brings forward the legislation.”)

Per DCMS, only “a small number of firms with substantial and entrenched market power in the UK” will be designated with strategic market status and thus fall in scope of the regime. “This will make sure the regime holds the most-powerful businesses to account for their behaviour,” it suggested.

“An arsenal of robust sanctions will be available to the DMU to tackle non-compliance, including fines of up to 10% of annual global turnover and additional penalties of 5% of daily global turnover for each day an offence continues,” it added, further specifying that the unit will be able to “suspend, block and reverse behaviour by firms that breaches their conduct requirements, ordering them to take specific steps necessary to resolve a breach”.

“Senior managers will face civil penalties if their firms fail to engage properly with requests for information,” DCMS also noted.

Another trailed measure will be an obligation for the “handful” of tech giants who fall in scope of the regime (aka, those “with substantial and entrenched market power in the UK”) to report acquisitions to the CMA before they have closed, in order that the regulator can conduct an initial assessment of the merger “to determine whether further investigation is needed”.

Last fall, the CMA ordered Facebook/Meta to undo its (completed) acquisition of Giphy — relying on existing competition rules and powers for that intervention. But, in the future, the aim is for the DMU to proactively prevent a giant like Meta from buying a smaller rival in the first place if/when it identifies key competition concern attached to a proposed merger.

That provision looks set to put big limits on Big Tech’s ability to buy up and close down/otherwise assimilate/crush smaller rivals — so called ‘killer acquisitions’ — which are widely considered to be horrible for consumers and competition (even if certain venture capitalists may be happy to get an exit).

Commenting on DCMS’ DMU announcement in a statement, Andrea Coscelli, CEO of the CMA, said:

“The CMA welcomes these proposals and we’re pleased that the government has taken forward a number of our recommendations that will allow the DMU to oversee an effective and robust digital markets regime in the UK.

“The CMA stands ready to assist the government to ensure that legislation can be brought forward as quickly as possible, so consumers and businesses can benefit.”

UK lagging Europe

The DMU started work in shadow form in April last year, ahead of the anticipated “pro-competition” reform of oversight of tech giants which the government has said it will introduce to regulate the most powerful platforms, aka with so-called “strategic market status”, following similar moves elsewhere in Europe.

Germany is leading the pack here — having already (this year) designated Google and Facebook/Meta as subject to its reformed competition regime for the most powerful tech giants, after it updated the law at the start of 2021 — meaning its Federal Cartel Office is empowered to intervene more quickly to address problems linked to Big Tech’s market dominance.

Back in March, European Union lawmakers also agreed the final details of an ex ante regime proposed at the end of 2020, which will apply across the bloc — applying a set of up-front operational obligations on what the incoming pan-EU law refers to as Internet “gatekeepers”, with fines of up to 10% of global annual turnover for compliance breaches.

The EU ex ante regulation, called the Digital Markets Act (DMA), is due to come into force next Spring.

This means the UK is already lagging on addressing key structural competition problems with digital markets — problems which its own competition authority, the Competition and Markets Authority (CMA), has spent years looking into in some cases (such as the digital advertising market which it concluded is so broken it needs new powers to regulate adtech giants; it has also, more recently, set out preliminary concerns with Apple’s and Google’s duopoly of mobile app stores).

And while the DMU is, technically, up and running, it does not yet have powers to be able to rein in too-powerful tech giants — leaving UK consumers and businesses to continue sucking up unfair T&Cs.

It is also still not clear how much further the UK will fall behind.

In recent weeks, reports have suggested the government is getting cold feet over the plan to more proactively regulate tech giants. Although DCMS has claimed ministers remain committed to the reform — just without specifying when exactly the government will actually deliver it.

A reform that’s delayed can’t fix anything in the short or even medium term, given how much time is typically baked into regulatory regimes for procedural purposes etc. And with Big Tech market power so entrenched any delay looks costly for UK consumers and competition — who are already missing out.