DETOUR Act Gives Sweeping Powers to FTC

Senators Mark Warner and Deb Fischer recently introduced a bill seeking to “prohibit the usage of exploitative and deceptive practices by large online operators and to promote consumer welfare in the use of behavioral research by such providers.” In plain language, the Deceptive Experiences To Online Users Reduction, or DETOUR, Act seeks to reduce nefarious manipulation by large websites, especially toward children.

While the Act’s goals are laudable, it suffers from a crippling fault: ambiguity. Its broad language would give the Federal Trade Commission (FTC) legal space to second-guess every design decision by online companies, and, in the most expansive possible reading, it would make nearly all large web sites presumptively illegal.

The Act defines large online operators as any online service with more than 100 million “authenticated users of an online service in any 30 day period” that is also subject to the jurisdiction of the FTC. Conspicuously, the Act doesn’t define what constitutes an “authenticated user,” which is important for understanding its scope. If authenticated user means that a site must have user profiles, then Google wouldn’t be included at all because it doesn’t require users to create a profile. Furthermore, if these 100 million users all had to be in the United States, then only Facebook, Instagram, and Facebook Messenger would be regulated because only these sites hit the threshold.

Broader definitions increase the reach of the law, however. If authenticated users includes all users irrespective of their country of origin, it would mean Facebook, YouTube, WhatsApp, Facebook Messenger, Instagram, Tumblr, Twitter, Reddit, LinkedIn, Snapchat, and Pinterest would be covered, as well as email providers such as Gmail, Outlook, and Yahoo Mail. And what about Apple’s App Store and Google Play? They would also probably fit under the definition of an online service. If authenticated users means simply unique visitors, however, then web sites such as the New York Times, Fox News, ESPN, and CNN would be subject to this bill. Given how loose the definition is, this law could come to cover a large number of Internet services.

The most important part of this bill is Section 3, which makes the manipulation of user interfaces an unfair and deceptive act. Policing unfair and deceptive acts constitutes a key pillar of the FTC’s enforcement authority, and the agency often cites this particular authority when bringing privacy cases. Section 3 of the DETOUR Act doesn’t create a new, narrow authority for policing manipulation, but rather massively extends current FTC authority by making it unlawful for any large online operator:

  1. to design, modify, or manipulate a user interface with the purpose or substantial effect of obscuring, subverting, or impairing user autonomy, decision-making, or choice to obtain consent or user data;
  2. to subdivide or segment consumers of online services into groups for the purposes of behavioral or psychological experiments or studies, except with the informed consent of each user involved; or
  3. to design, modify, or manipulate a user interface on a website or online service, or portion thereof, that is directed to an individual under the age of 13, with the purpose or substantial effect of cultivating compulsive usage, inclusive of video auto-play functions initiated without the consent of a user.

These provisions give the FTC a tremendous amount of ill-defined authority. For example, what exactly does it mean to design an interface with the substantial effect of impairing user autonomy to obtain user data? According to critics of tech companies such as Matthew Yglesias and Zeynep Tufekci, every social media site manipulates its user interface to get data—meaning they all would presumably be illegal. Even if the most expansive interpretation isn’t taken, it is still the case that “obscuring, subverting, or impairing user autonomy, decision-making, or choice to obtain consent or user data” is an imprecise phrase and would be subject to substantial legal battles.

The disclosure requirement creates more issues with this bill. The Act would require large online services to disclose both to users and to the public any experiments or studies they perform through their websites. Since authenticated users isn’t defined, it is not clear how those users will be alerted to the experiments. If the FTC were to define this group in the broadest terms, then web sites using simple tracking measures such as cookies and IP addresses would be required to alert users even though they couldn’t communicate with them. Clarification is needed.

Experiments are also broadly defined as the “study, including through human experimentation, of overt or observable actions and mental phenomena inferred from behavior, including interactions between and among individuals and the activities of social groups.” This phrasing is sure to sweep up a lot of very common techniques in user design such as A/B testing. Also known as split testing, A/B testing is a widely used testing method that splits audiences into two groups to determine the effectiveness of web site changes. While reliable data on the number of tests is hard to come by, in 2011 Google conducted 7,000 such tests. The bill does acknowledge this kind of testing and has a de minimis carve-out for those experiments that explore “interface changes derived from testing consumer preferences, including different styles, layouts, or text, where such changes are not done with the purpose of obtaining user consent or user data.” But this exemption wouldn’t include the minor algorithmic A/B testing that most of the large platforms do every day to reduce spam, for example. Every minor change to the algorithm would have to be reported to users, which would be weaponized by scammers and other nefarious actors to reverse engineer changes. As soon as this group has a better understanding of the nuanced changes in the algorithm, they will be able to circumvent these changes.

The intent of the DETOUR Act is noble. Users should know when they are subject to a psychological experiment. But the Act’s ambiguity, as it is currently written, massively expands FTC authority without the proper safeguards.
