Breaking Up Big Tech Would Not Make Consumer Data More Secure
A growing number of advocates are arguing that many U.S. technology firms are too big and that antitrust regulators should break them up. For example, Senator Elizabeth Warren (D-MA) recently detailed how the government should break up Amazon, Google, and Facebook. Some advocates have wrongly justified similar positions by stating that smaller firms would have less data, and so consumers would be better protected from data breaches.
Data breaches refer to incidents of hacking that allow individuals to exfiltrate data from another party’s computer system, such as when hackers copied the data of nearly 150 million Americans from Equifax’s servers. Frequently, hackers use phishing attacks or ransomware to illicitly access data, but they can also exploit vulnerabilities in code, which is how hackers gained access to 30 million Facebook users’ accounts.
Many of the calls for antitrust action have to do with Facebook data. For example, two co-founders of the anti-Facebook campaign “Freedom From Facebook” published an op-ed in USA Today arguing that because of the recent data breach at Facebook, the Federal Trade Commission should go beyond a “historic fine” and “break up Facebook’s social media monopoly.” Some members of Congress have echoed these sentiments. For example, Senator Mark Warner (D-VA) stated that the data breach was “a reminder about the dangers posed when a small number of companies like Facebook or the credit bureau Equifax are able to accumulate so much personal data about individual Americans without adequate security measures.” Later, when asked about breaking up Facebook, he did not take the option off the table, instead saying “I see breakup as more of a last resort.” And Senator Richard Blumenthal (D-CT) noted that “Facebook has become a honeypot for malevolent lawbreakers who seek to undermine our society and democracy.” He too has stopped short of explicitly calling to breakup Facebook but has argued there is a link between competition and data protection, stating in January, “This is yet another astonishing example of Facebook’s complete disregard for data privacy and eagerness to engage in anti-competitive behavior.” The remedy, according to organizations like Open Market Institute and Color of Change, is for regulators to force Facebook to divest its ownership of Instagram and WhatsApp.
But if the problem is data breaches, antitrust is the wrong tool. There is no reason to believe that consumer data is more protected if five firms each hold data on 20 million Americans versus if one firm holds data on 100 million Americans. Plenty of companies with less data than Facebook—from Under Armour to Caribou Coffee—have had data breaches. And even if the government were to break up some of the largest tech firms, the resulting organizations would still represent enormous “honeypots” to malicious actors—for example, Instagram alone has 1 billion monthly users.
But more importantly, breaking up large tech firms would not make those smaller companies more secure. Indeed, larger firms have several advantages over smaller ones when it comes to security. Many security upgrades involve fixed, rather than variable costs. Larger firms can better afford to invest more in security since they can amortize the cost over a larger user base and benefit from economies of scale. They can also hire larger and more experienced security teams to prevent, detect, and respond to new threats. For example, Facebook has steadily increased the size of its staff dedicated to addressing security threats on its platform. In addition, breaking up large tech firms will not make U.S. elections less vulnerable to Russian interference, which Senator Warren has suggested. The data on large platforms is a rich source of intelligence on cyber threats. Alex Stamos, the former chief security officer at Facebook, has noted that Google “has the most useful data set available to any private company for tracking state adversaries and intelligence services.”
Those calling to break up large tech companies also ignore how doing so would negatively impact the user experience. Platforms like Facebook exhibit what economists call network effects, where the value of the platform increases to others with the number of users. Indeed, Facebook’s massive user base allows people to communicate with their friends and businesses to connect with their customers with one click. Consumers would be worse off if when sharing photos of their children, they had to post both to Facebook and “Friendbook,” or if when sharing comments on politics they had to post to both Twitter and “Chitter.”
If lawmakers want to protect users from data breaches, they should focus on steps that will make security better, not worse. First, Congress should pass a national data breach notification law which covers traditional breaches as well as data misuse, such as the data misuse that caused the Cambridge Analytica scandal. Second, Congress should increase funding for law enforcement agencies fighting cybercrime to deter future attacks and coordinate with international partners, as not enough data breaches caused by outside hackers result in prosecution. Third, Congress should require more companies to disclose details about their security practices, so that other businesses and consumers can better manage risk and the Federal Trade Commission can hold them to their commitments. Lastly, Congress should take steps to make stolen data less valuable for identify theft, such as replacing Social Security numbers with a more secure alternative.
In sum, taking the bludgeon of anti-trust to tech companies will make cyber security worse, not better.