Cory Doctorow on Why Interoperability Would Boost Digital Competition

Cory Doctorow is an activist and science fiction writer. He was the co-editor of the blog Boing Boing and has served in various roles at the Electronic Frontier Foundation, a non-profit civil rights group. He holds an honorary doctorate in Computer Science from the Open University (UK) where he is a Visiting Professor. He is also a Research Affiliate at MIT Media Lab and Visiting Professor of Practice at the University of North Carolina’s School of Library and Information Science. He is the author of many books, including his most recent works Attack Surface (2020) and Chokehold Capitalism (2022) with Professor Rebecca Giblin.

Zander Arnao is an undergraduate and master’s student at the University of Chicago where he studies Public Policy and International Relations.

The Chicago Policy Review spoke with tech activist Cory Doctorow about mandatory interoperability, a policy idea that he has long championed. 

Chicago Policy Review: You’ve written extensively about interoperability, particularly an idea you call competitive compatibility. Can you explain what interoperability is?

Cory Doctorow: Well, interoperability is one of those ideas that is so natural and latent in the world, it’s easier to define by things that aren’t interoperable than things that are. You can wear any socks you want with any shoes. You can put any drink you want in any cup. And any sheet can go on your bed.

As a practical matter, there’s no reason that you can’t run Android apps on your iOS device and vice versa. There’s no reason that you can’t play your Audible audiobooks on a player that Amazon hasn’t blessed. There is no reason you can’t exchange messages with a Facebook user from Twitter. Those are decisions, not technical impossibilities.

When we observe a non-interoperable system, we tend to assume that there’s some law of physics at stake. For instance, the reason you can’t, you know, toast a grilled cheese sandwich inside a VCR is that the VCR just doesn’t work that way. But platforms are different. The reason you can’t switch from Facebook to, say, Mastodon and still message your Facebook friends is because an engineer at Facebook has taken the extra step to block the connection, and this creates some space for regulation.

CPR: Why should regulators intervene?

Cory Doctorow: Because the design of platforms affects how much power they have over their users. One of the reasons that people go on using services they don’t like is that they have to endure some switching costs when they leave. They have to throw away relationships or media or apps or data that they value, so they kind of just hang in there.

As our friends in economics remind us, incentives matter. A company that knows that its customers can’t leave is free to appropriate some of their surplus. The harder it is for those customers to leave, the more they can do this. Anyone who’s ever bought a $15 hot dog in an airport understands how this works.

This is not for the good of users or the business customers on the other side of the platform. If users are all locked in and can’t go anywhere, then the advertisers have to stay on Facebook and Google, which means they can be abused too. And ultimately, I think it’s not good for the platforms because when they’re not disciplined by competition, they can do this surplus harvesting thing until there’s nothing left, and they’re just surfing the line of being barely usable enough that no one will leave.

CPR: In your writing, you’ve described several different kinds of interoperability, and you champion a particular one you call “competitive compatibility.” What is competitive compatibility?

Cory Doctorow: Competitive compatibility is basically designing a new product or service to work on top of something that already exists without the permission and cooperation of the original designer, potentially even with their opposition.

The canonical example of competitive compatibility is Apple reverse engineering the Microsoft Office file formats to make the iWork suite, but there are many other past examples. For instance, modems were designed to run more or less over the cold dead bodies of executives at AT&T, who really hated the idea, and Phoenix Technologies (previously Phoenix Software) reverse-engineered IBM’s PC ROMs, selling to companies like Compaq and Dell. Competitive compatibility is really a profound part of the history of technology.

The importance of competitive compatibility is that it acts as an escape valve for things that are good for the public interest, for users and competition, even and especially if they’re bad for incumbents.

CPR: When it comes to platforms, what effects do you think greater interoperability would have for competition? How do you think that a more competitive marketplace would change the internet?

Cory Doctorow: Well, the point of mandating interoperability is reducing switching costs. It’s to make it easier for both sides of the market to move from one platform to another or to abandon platforms altogether. What the ability to switch would mean for users is that the firms who own the platform would have to measure their conduct against the possibility that displeasing their users could cause defection to a rival.

For instance, let’s say YouTube was required to interoperate with TikTok. When a content creator quits YouTube and goes to TikTok, YouTube would have an obligation to have some sort of forwarding address for that creator so the people who were subscribed to them on YouTube could see their TikTok videos now.

With this ability to switch, YouTube really has to give performers a good deal, and it also has to give users a good deal because the users can leave and go to TikTok but still follow their YouTube performers. And if advertisers can reach the same viewers regardless of whether they’re on TikTok or YouTube, then YouTube has to play fair with advertisers as well because they might run ads on a rival platform that can display the same videos.

So mandating interoperability really requires firms to succeed by being better than everyone else over long timescales, not to succeed by allocating a little bit of surplus to early users so that their friends will pile in. The idea here is to actually make them offer a good service rather than winning them through more deceptive tactics like artificially inflating creators’ view count after they start making content, and then taking away those benefits after they’ve devoted substantial resources to creating on the platform.

CPR: So, you think that greater options and choices for both sides of the market would modify the incentives platforms face to better serve users and employ less deceptive tactics?

Cory Doctorow: Yes. Think about how the Audible platform works where, at least as of a couple of years ago, once you bought a subscription, you would get a credit that you could exchange for any audiobook on the platform every month, and Audible lets you return any one of those credits for a full refund. In fact, they bombarded you with pleas to return the audiobooks. If you were dissatisfied for any reason, there was a reminder, an email, a pop-up at the top of the page reminding you that that’s the case. Then Audible would claw back the royalty from the performer who put the book on the platform.

From the user’s perspective, they were paying for one credit, but they could get as many credits as they wanted, and Amazon was getting those performers to subsidize that bonus content for those users. The users didn’t know it, and the performers didn’t know it because Amazon only reported royalties to performers on a net basis.

CPR: There’s currently a bipartisan interoperability bill pending before Congress called the ACCESS Act. What do you think of its approach to mandating interoperability?

Cory Doctorow: Very broadly, the ACCESS Act’s approach goes like this: get everyone around a table, design an Application Programming Interface (API) for interoperability between rival platforms, then allow–but don’t require–new market entrants to avail themselves of that API, and subject users of that API to certain strictures about not monetizing user data and conducting commercial surveillance. That’s the course of action. I think it’s sound, but also that there are some devils in the details.

The first one is this thing where you gather around a table and figure out what the API should look like. Standardization is really important; I’m a giant believer in it. But it’s hard to get right even when it’s negotiated by firms of similar power who take different approaches in the market, and it’s much harder when you have a single firm that is dominant in the market.

The ACCESS Act basically stipulates that you do this for each large firm. There’s a Facebook version of it, a Google version of it, and so on. When the major interest at the table is one firm that has one approach, and then the other entities of the table are a few academics, an expert from the National Institutes of Standards and Technology, and perhaps a couple of startups, it’s going to be a very unbalanced negotiation. It’s hard to figure out how to balance it.

For example, even if you keep Facebook from putting more than two employees on its standards committee, there’s nothing to stop those employees from marshaling a team of 100 engineers and 100 lawyers to write all the submissions read by the committee and mark up all the submissions that everybody else produces. They can basically end up running the show. It’s a situation similar to that joke from Ireland: “If you want it to get there, I wouldn’t start from here.” This is a really thorny problem.

CPR: A crucial provision of the EU’s Digital Markets Act (DMA) is its requirement that major messaging services become interoperable. Security experts, however, have warned that this move could jeopardize their ability to be encrypted. What are your thoughts on this situation and messaging interoperability more generally in the DMA?

Cory Doctorow: Well, I don’t think that it’s impossible to build interoperable messaging systems. I think that it’s absolutely within the realm of technical capability, but it’s pretty varsity level stuff because small errors in encrypted messaging protocols are really high stakes. It’s not that it’s just harder to get encryption right, it’s that small mistakes in encryption that would otherwise be inconsequential in social media can expose users to enduring damage when we’re talking about encrypted messaging.

To concretize, there are companies like the NSO Group that hunt for vulnerabilities in widely used encrypted messaging systems and sell them to dictators who are trying to figure out how to spy on their adversaries’ communications. Most notably, the NSO Group helped the Saudi Government hack the phones of Jamal Khashoggi’s colleagues and lure Khashoggi to his death by deploying a tool called Pegasus against WhatsApp.

So, you really don’t want to get this wrong. The doomsday scenario is that you introduce a vulnerability that can be used to hack messages on all the major messaging protocols because they’re interoperable. It would therefore expose anyone who uses end-to-end encrypted messages to risk.

A small number of bad actors could discover this vulnerability and, rather than disclosing it, it could be used in secret for a long time. It could be sold to despots and corrupt autocrats, who would then use it to round up and attack human rights defenders, dissidents, and journalists. We really don’t want that to happen, so we should proceed with extreme caution.

What most policymakers don’t understand is that SMS is a dumpster fire, a completely insecure, really risky, terrible protocol that we desperately need to get rid of. And that encrypted messaging that succeeded it is much harder to make interoperable across platforms.

CPR: Some analysts have voiced concerns regarding the implications of interoperability for user privacy. How do you think governments should promote interoperability while also protecting privacy?

Cory Doctorow: We need a free-standing privacy regulation that sits alongside these interoperability mandates. It’s not enough to hope that firms conduct themselves in a measured way. Even the most careful firms have privacy issues simply from lapses in judgment or uncertainty about when privacy should and shouldn’t be respected.

The big example most recently is that Apple added a switch to iOS, its mobile operating system, that allows iPhone and iPad users to, with one tap during setup, block tracking from all the apps they install, most notably from Facebook. Facebook attributes this to a $10 billion loss last year because, once they gave people the choice of opting out of commercial surveillance, 96% of them did. Presumably, the other 4% either work for Facebook or were confused.

The kind of sad trombone moment, though, is that subsequently, we learned that Apple had been covertly collecting exactly the same data from iOS users to target them with Apple’s ads. What they said was that you were opting out of third-party tracking, not first-party tracking. If you parsed their fine print closely enough, you would have understood that Apple is going to spy on you even if Facebook isn’t.

Firms have really bad incentives when it comes to protecting privacy. No matter how safe they keep you, and no matter how many attacks they foil, the one entity they will never keep you safe from is their shareholders. Apple will keep you very safe from Facebook. Apple will not keep you safe from Apple.

CPR: Another big wrinkle in any policy regime is the autonomy of platforms to design their products. In Privacy Without Interoperability, your whitepaper with Bennett Cyphers on interoperability, you write, “navigating this tension–between the platform’s undeniable technical expertise and knowledge about their own systems and their anti-competitive incentives–is key to making the whole thing work.”

When should large platforms be able to exclude other parties from interoperating with their services for reasons not having to do with competition?

Cory Doctorow: Well, I think they should be free to technically block third parties, at least from interoperating with them through adversarial means.

I think that there’s no point in giving them the technical right to block an API that we also mandated they implement. If we’re going to say to third parties, “If you don’t like the API, go ahead and try and figure out how to reverse engineer their stuff. Pit your wits against theirs,” I think they should be allowed to change the way that their code base works to plug up the holes that these new market entrants are exploiting.

But, again, I think that all things being equal, the best way to avoid having to devote a lot of resources to that is to comply with the regulation, both in spirit and letter, such that there’s no good reason for new market entrants to devote a lot of energy to figuring out how to get around your defenses.

CPR: You think conditions of competitive compatibility will incentivize platforms to hew to more standard means of interoperability?

Cory Doctorow: Yes.

CPR: If you delegate some autonomy to platforms to protect privacy, perhaps in situations where the standard privacy law is unclear, how do you as a regulator verify those motivations? How do you ensure the platforms are acting in good faith?

Cory Doctorow: It is a fact-intensive matter to determine when a platform shuts down an API because they thought something bad was happening there. It is also a fact-intensive matter to figure out whether the shutdown was pretextual, not least because to your first approximation, everybody who understands how the platform works is an employee of that platform. So, it’s just very hard to make those determinations, and it might take a long time to do it.

When we do have fact-intensive regulatory questions, we try to resolve them in two ways. One is by creating self-help mechanisms or backup systems so a new entrant that is blocked by the dominant firm can then switch to a reverse engineering method to get at it while they’re waiting for the fact-intensive question to be resolved.

And second, by creating eye-watering penalties for pretextual use of a circuit breaker, a shutdown protocol. If we say to a firm, you’re allowed to reject renters for any bona fide reason, but not for reasons of racial discrimination, it’s another really fact-intensive question.

CPR: You’re about to release a new book Chokehold Capitalism. Can you share a bit about what you and your co-author Rebecca Giblin wrote?

Cory Doctorow: Rebecca Giblin and I have both been involved in the copyright wars for a couple of decades, and over the last 40 years copyright has expanded kind of monotonically in every way. Copyright now lasts longer. It covers more works. The statutory damages are higher, and the ease of extracting damages is greater than at any time in history. The entertainment sector is richer than ever, and the share of money accruing to artists both proportionately and in real terms has fallen.

So, if the point of copyright was to create a kind of pseudo-labor regulation that helped the workforce of the creative industries secure a decent living, then it has failed. It has failed because musicians who are reaching audiences as large as the musicians who used to make a decent living back when there was less copyright are not making a decent living anymore even though the intermediaries are making more money.