In Britain, Parliament is debating the oft-revised U.K. Online Safety Bill, which seeks to regulate harmful and illegal content on the internet for children and adults. Without further modifications, however, the bill could undermine that laudable goal.

Fashioned by Ofcom, the U.K.’s digital communications regulator, the bill creates a formal “duty of care” for online platforms to remove harmful content on their websites with additional responsibilities for websites that also serve young people. If passed, adult websites would need to establish age verification and commit to removing illegal content such as content depicting hate crimes, sexual abuse, and terrorism. Websites with youth users would need to prevent young people from seeing illegal content as well as potentially harmful, but not illegal, content such as that promoting eating disorders, self-harm, or suicide. Penalties for failure to comply with these requirements include fines and potential criminal liability for platforms and tech executives if they fail to comply with Ofcom’s information requests.

As I’ve written previously, managing harmful content online, and creating specific youth-protection schemes, raises a host of thorny questions. In a recent blog looking at a U.S. youth online safety bill, I wrote that content moderation is technically challenging, because content moderation systems aren’t perfectly accurate at flagging inappropriate content. The systems can overcorrect and potentially censor acceptable information. In another piece about children’s privacy, I noted that definitively identifying internet users’ age online is both technically challenging and undermines everyone’s privacy.

The latest version of the U.K. Online Safety Bill fails to strike the right balance on content moderation versus censorship, or on privacy.

Content moderation creates a host of challenges, like defining what content is harmful, censorship of content that is not illegal, and encoding all the rules into an algorithm. Even with clear definitions, content moderation is technically challenging.

Content moderation algorithms are not perfectly accurate at flagging harmful content. This means that if an algorithm is 98% effective, 2% will slip through the cracks. On popular websites, 2% could be millions of posts. It remains unclear if firms will be punished if some illegal content passes through the filters. Free speech advocates worry that firms will overcompensate content removal because of the harsh penalties and the technical compliance challenge.

In addition to challenges of censorship, the bill also threatens privacy. First, by requiring users to disclose more personal data to access websites. Second by requiring a backdoor on encrypted messaging platforms for Ofcom to scan private messages for illegal conversations or content.

There is no easy way currently to verify age online without the user voluntarily giving up personal information. While the main trend in privacy legislation is toward decreasing the amount of personal information consumers have to provide to apps and websites, the U.K. bill points in the opposite direction, requiring users to make accounts and verify age through technologies like facial recognition checks or uploading a government-issued ID card to a website.

If personal information disclosure for every website wasn’t enough, the bill also contains provisions to allow Ofcom to search private messages on encrypted platforms. The bill as currently written gives new, large scale, citizen surveillance abilities to Ofcom regardless of wrongdoing. Seventy organizations, cyber security experts, and elected officials signed a letter to warn against allowing Ofcom to search private messages. Their main message is that creating a backdoor for the government creates a backdoor for anyone and undermines the rights of British citizens to privacy.

The U.K. government isn’t the only entity searching for a better solution to make the online space safer for users. This bill, however, stifles free speech online while undermining too many peoples’ privacy.

With the Supreme Court set to take on Gonzalez v. Google this term — a case with momentous implications for the legal viability of internet services as we know them — the fate of Section 230 of the Communications Decency Act is in question.

Section 230 is the statute that grants online platforms protection from liability for the content posted by their users, a fundamental protection that has been integral to the internet ecosystem’s explosive growth. By allowing internet platforms to take down third-party content that they deem harmful to their users in “good faith,” while also ensuring that they are not treated as the publishers of such content, Section 230 is the legal mechanism that has facilitated innovative business models which give a platform to user-generated content, shaping a robust digital economy enjoyed by both consumers and entrepreneurs today.

From a consumer standpoint, these business models provide a plethora of free resources, entertainment, and educational materials. In the case of entrepreneurs, the online creator economy is estimated to be worth more than $100 billion worldwide, with more than 425,000 full-time equivalent jobs reportedly supported by the YouTube platform alone.

In Gonzalez v. Google, however, the central question goes beyond Section 230’s protections for third-party content, asking instead whether the targeted algorithms employed by these platforms enjoy the same protections.

Most major online platforms use data at various levels to recommend content to users, whether by using specific personal or demographic information to tailor the experience to a user’s specific interests, or by presenting users with popular or relevant content at the top of the feed. These automated decisions curate a feed appealing to the user and beneficial to the content creator, whose work is then highlighted to new audiences.

Colloquially, those referring to social media algorithms are most likely referring to the sophisticated code used by many of these companies to target content to their users. However, from a technological standpoint, the term “algorithm” refers to any type of content sorting — whether it be a simpler iteration that might show content ordered chronologically or alphabetically, or the more complex, individually curated version. There is no default method of content sorting, meaning that every company or developer must choose an algorithm to sort content. The only difference lies in the complexity of the algorithm they chose to employ.

It is difficult to draw legal lines around this complexity. For example, if a platform lists a seemingly harmful piece of content first, thus making it the most obvious choice for users to select, are they liable for that content only if proven to be the result of a curated algorithm, or are they also liable if the reason it is listed first is that the feed is shown chronologically? Either way, there is some risk of exposing users to harmful third-party content. Prohibiting one platform’s algorithms — say Google’s — thus doesn’t provide a general solution.

That means the Supreme Court would either have to define algorithms in such a way that only specific types are implicated for liability, or rule that Section 230 liability protections are lost for all types of content displayed online.

Let’s be clear: A court decision that ended Section 230’s liability protections would make hosting third-party content functionally impossible for websites. On YouTube alone there are over 500 hours of content uploaded every minute, making vetting every video prior to each upload a monumental task. The risk of getting sued will lead most companies to conclude that it’s not worth it for them to offer third-party content. And in the case where only data-driven, targeted algorithms are ruled to be exposed to liability, how likely is it that users would sort through 500 hours of content with no curation in hopes of discovering useful information?

Moreover, the ramifications of making all content providers liable to lawsuits will spread across the entire Internet ecosystem, including online shopping, travel sites, and app stores, all of which rely on user reviews that are curated to reduce fakes and “ballot-stuffing.” In an era of deep fakes and sophisticated artificial intelligence chatbots, it’s all the more essential for online platforms to be able to apply algorithms that users can trust.

There’s no doubt that Section 230 raises difficult issues that need to be carefully considered by policymakers. But subjecting online platforms to lawsuits because their algorithms occasionally highlight content that someone objects to would fundamentally destroy the internet economy, while failing to address the threat posed by truly dangerous online content.

Will the combination of high cost increases and low digital inflation spur reluctant companies to digitize?

One of the pleasant economic surprises in recent months has been the low rate of inflation for digital goods and services, compared to the overall inflationary surge. The latest producer price report, released November 15, shows that a basket of digital goods and services (described below) had a median year-over-year price increase of 1.9%. By comparison, the overall year-over-year price increase for final demand, less food and energy, was 6.7%.

We wrote about this big gap between “New Economy” digital inflation and “old economy” inflation  in a December 2021 blog item. In June 2022, leading economic statistician Marshall Reinsdorf wrote a paper for PPI examining the continued slow rate of price increases for most digital goods and services.

The growing gap between overall inflation and digital inflation means that the relative price of digital goods and services is falling. To put it another way, in the low-inflation era that preceded the pandemic, many companies  enjoyed the benefit of low costs without having to make expensive and potentially risky investments in digitizing their operations.

Now that easy period is over. Companies are looking at technology as a way out of their high-cost trap. Business spending on software, computers, and communication gear hit an all time high in the third quarter of 2022. The layoffs at companies such as Amazon and Facebook notwithstanding, there’s no evidence that companies in the aggregate are cutting back on tech investment. A survey from Gartner predicts a 5% gain in tech spending in 2023.

Nobody likes inflation. But there may be a silver lining if the threat of rising costs forces companies to take digital steps that should have come years ago.

Our price index of digital goods and services includes:

Bundled access services
Cable and other subscription programming
Communications equipment mfg
Computer & peripheral equipment mfg
Data processing and related services
Electronic and mail-order shopping services
Internet access services
Internet publishing and web search portals
Semiconductor and other electronic component mfg
Software publishers
Video programming distribution
Wireless telecommunications carriers
Information technology (IT) technical support and consulting services (partial)

Earlier this month, a bipartisan group of representatives and senators released a discussion draft of a federal digital privacy bill: the American Data Privacy and Protection Act. It has now moved out of committee and, if passed, would create new legal rights for all Americans regarding the collection, access, and security of their personal data.

This is not the only consumer privacy bill considered by Congress, and there may be others. As written, this bill would align the United States with other nations, such as the European Union, that have thus far set global standards for digital privacy. Introduced in 2018, the European Union’s digital privacy law filled an important gap in regulating consumer privacy. Four years on, the data revealing how the law interacts with innovation and whether it succeeds in its goal of protecting consumers is still unclear. This should give US lawmakers pause to potentially explore more creative solutions for digital privacy.

The Progressive Policy Institute released a comparative report providing a general framework for analyzing privacy legislation across three separate but interrelated layers: legal access, security, and innovation.

Legal access defines what rights individuals have to see, access, update, and delete their data. Security describes the technical responsibilities for protecting collected data. And the third level, innovation, addresses how the laws interact with economic growth.

How does the new bill fit into these layers?

1. Legal Rights

If passed, the ADPPA would codify a set of data collection and access rights for all Americans who share data with private companies. It’s important to note that ADPPA does not apply to government collection or storing of personal data. As noted in PPI’s report analyzing countries’ privacy legislation, Canada, the European Union, and the United Kingdom put some controls on government use of data, but China did not.

ADPPA requires firms that collect consumer data to gain clear “affirmative express consent.” Consent for data disclosure is firmly rooted in the European Union’s landmark data protection law, the General Data Protection Regulation. It is typically solicited via checkboxes on web pages, and the bill requires clear, plain language description of data collection needs. Specifically highlighted in the bill is the right for consumers to opt-out of targeted advertising and a prohibition of targeted advertising to children.

Once the data is collected, ADPPA states that individuals have the right to access, correct, delete, and transfer data about themselves, with private companies; China and the European Union provide similar access rights to citizens. How to exercise these rights must be clearly stated in easy-to-read privacy policies.

Overall, the bill provides very similar data rights as other countries. 

2. Security

Global privacy laws typically address security as a principle and design feature, the U.S. bill follows this trend. Without being overly prescriptive, as digital security is highly technical and evolving, it directs data collectors to implement a risk-based approach depending on the level of sensitivity of the data collected. High-risk data includes biometric or genetic information, passport or social security numbers, and private communications like text messages or email.

In line with other data privacy laws around the world, ADPPA requires large data collectors to appoint a data protection officer and to first conduct a data protection impact assessment, which is a plan for data security and risk.

Additional security and privacy measures recommend data minimization (an essential pillar of the GDPR), or restricting data collection to specific uses and deleting data after use. Data minimization is important because if data is not collected or not stored, it can’t be improperly used or exposed. (they direct not recommend, and i write measures and only add one additional measure. Is this bill simply a copy of the GDPR, does it try to be the same thing in the American context. How it relates to the ADPPA discussion.)

3. Innovation

It’s challenging to predict how a privacy law like ADPPA will impact digital innovation. Crucially, a federal privacy law will provide clear guidance for online companies that serve Americans across multiple states. In the current system, where states are passing digital privacy laws only for their residents, a federal law would ease compliance burdens on firms.

Similar to the GDPR, the bill exempts researchers, journalists, and small data holders except for those who derive 50%of their revenue from data sales. However, it does not clarify whether research conducted by big firms for platform improvements or marketing is exempt. The bill’s right to opt-out of targeted advertising and data transfers, which include data sales, may negatively impact certain industries like advertising and data brokers. Additionally, the bill recommends a study for a universal opt-out portal, which could be an innovation, but also could bankrupt the industries that rely on that data.

These provisions have broad implications for the data economy and should be evaluated carefully. Notably missing from the bill are recommendations for studies of other privacy-preserving technologies or security technologies. To assess the full impacts on innovation it requests an economic impact study five years after the enactment of the Act.

Conclusion

This draft bill is the newest of many privacy bills to be considered by Congress. Many of its provisions mirror the GDPR, as many global privacy laws do, with a major exception that this law does not apply to government data collection.

A key point of consideration for American legislators as they consider this bill is that it replicates many statutes from the GDPR. Enacted in 2018, we still don’t yet know the full impact of regulations like the GDPR on long-term digital innovation or whether its consumer protections are effective, but more information is coming out all the time. A new study from the University of Oxford in 2022 found that small business profits were most affected by the GDPR regulation. A National Bureau of Economic Research study found that the GDPR decreased the number of apps on the Google Play app store and depressed new entrants into the app market. As of the writing of this post, this author found no data detailing the state of data breaches since the introduction of the GDPR.

It’s undoubted that consumers deserve enhanced transparency and protection of their personal data online. If ADPPA passes, it would provide new data collection and protection rights for Americans which is an essential step toward digital privacy. But remember that the United States has a unique and strong innovation culture that is not necessarily well-reflected in the GDPR and other similar global privacy legislation. Those approaches shouldn’t be the only model being considered by lawmakers to enhance digital privacy. Congress has the opportunity to use existing research and data on alternative privacy-protecting technologies and ideas to set new global standards.

How can we move the humble state driver’s license or ID card into the 21st century? Today, U.S. state licenses are the principal consumer ID for day-to-day purposes. They certify identity and age using anti-counterfeiting features and are used to verify driving, or non-driving, privileges.

However, they have two major flaws. First, showing identification cards reveals all personal information to the identifier. If the ID is scanned, personal information is then stored with the scanner. Second, current state IDs are only usable in-person, despite the trend of moving public and private services online. Estimates suggest that in 2022, Americans will be spending 60% of their time online often giving away personal information for every new site or transaction.

However, some states are using existing and well-tested technology to make their state ID cards more useful and more private at the same time without compromising security: digital ID.

Digital IDs are authorized digital copies of a physical card that, using encryption and secure hardware, verify identity without sharing personal details. They bring identity verification from the physical sphere to the digital one, filling a security gap online by offering verifiable, and private, identification for public sector benefits and services but also private transactions. In addition, digital ID programs can facilitate greater children’s privacy, by requiring age verification to access certain websites.

On the rise globally, Estonia, Canada, Germany, India, the U.K., and the European Union, among others, already use or have announced digital ID programs.

In the United States, which has no national ID, Arizona and Louisiana adopted programs where residents can digitize their state ID cards. Since its launch in 2016, a million Louisianans use the digital ID accessible from the state’s ID app. Arizona’s digital ID launched in 2022 in partnership with Apple and Google, too, announced a new mobile wallet with digital ID features at Google I/O 2022. Their program, rather than using a state-specific app, allows users to add their mobile ID directly to their smartphone mobile wallet; if Arizona’s model is successful, other states may follow. 

Naturally, there is consumer skepticism that a digital system could be as secure, or more secure, than a physical card. Tying immutable identity characteristics to government databases requires high levels of trust, security, and privacy.

India’s digital ID program has been infamously insecure, exposing the biometrics and unique identity number a million residents. Kenya’s digital identity program was halted by the Kenyan High Court, which ruled that enrolling all citizens in a biometric ID database was illegal without clear documentation of data privacy risk assessment and mitigation strategies. The United States, too, lacks universal privacy protections for citizens.

The U.S. case is different from other digital ID systems as the country has no national ID — the Louisiana and Arizona digital ID pilot do not propose that. In addition, REAL IDs, which are the current gold standard in the U.S. for secure, physical ID cards, are not linked to citizen biometrics or immutable characteristics apart from a photo compatible with facial recognition scans. These features help keep physical ID cards secure. The Louisiana and Arizona mobile ID systems do not capture any additional data that is not already captured by the state Department of Motor Vehicles. In the Arizona case, the digital copy is stored in a smartphone using mobile wallet technology. Personal information is not shared with the phone or service provider.

The digital ID system being implemented by Arizona is based on the same technology that allows consumers to add credit cards to their digital wallets for wireless payments. They require the use of a pin or biometric authentication, and due to dynamic encryption, which assigns a unique, random number to every transaction, are more secure and private than a traditional card. If a phone is lost, it can be remotely wiped, and users will still be able to use their physical credit or ID card. Digital state IDs, using this design, could be used in any situation where identity verification is required but need not be revealed, like traffic stops, in bars, with the TSA, and even in online shopping or website sign-up, all while keeping user identity secure.

ID cards are essential tools to verify access to services. In their current form, they require giving away personal information without giving users a way to securely identify themselves in a crucial modern space: online. Mobile IDs bridge this gap and, with appropriate security and privacy measures, can serve consumers more effectively than standard ID cards alone.

How do mobile wallets work?