Pluralistic: 22 Jun 2021

Today's links

EFF's interoperability banner graphic, a kind of Rube Goldberg machine integrating pulleys, belts, megaphones, emoticons, lightbulbs, HTML tags, a Creative Commons icon, a radio tower, a padlock, etc.

Improving the ACCESS Act (permalink)

Last week, Congress introduced the ACCESS Act, one of the most significant, pro-competitive, pro-user tech laws in American legislative history.

It will require large tech platforms to open up to interoperability, so you can leave the platform for a rival without losing contact with your friends, communities, audiences and customers.

By lowering the switching cost of walking away from Big Tech, Congress could create space for co-ops, tinkerers, nonprofits, startups and public services to create small, user-centered communities built on giving people technological self-determination.

This week, the ACCESS Act will likely go before the House Judiciary Committee for markup, and there's going to be a fierce battle for the future of this bill (predictably, Big Tech hates it and wants it dead).

We (EFF) just published our list of things that should be fixed ACCESS during markup, a collection of six areas where the law could be improved:

I. Strong Consent and Purpose Limitation Requirements

The ACCESS Act is already pretty good on ensuring that when you take your data from a platform, but the language is a little fuzzy at the edges.

We'd like crisply defined limits on data requires consent – for example, do your friends have to consent to you exporting their replies to your messages? Does it matter if they're private messages or public? We've published some deep dives on this:

II. Define “Interoperability”

This is the second version of the ACCESS Act (the first was introduced in the Senate during the 2019/2020 session). The Senate version actually defined "interop" (too narrowly!), while the current version fails to do so.

The risk of underdefining interop is that ad-tech companies and other human-rights abusers have called for interop to "fix the competition problem" in surveillance-based advertising.

Unless Congress specifies what kind of interop ACCESS is supposed to support, it might create a race to see who can most efficiently gut your foundational right to privacy while giving you the least benefit in return.

III. Let the people sue

The ACCESS Act has incredibly stiff penalties for companies that violate it – but these can only be invoked by the FTC. To be fair, the FTC is enjoying a renaissance, with the amazing Lina Khan at its helm, but what about the next FTC?

We think this bill needs a "private right of action" – that is, the right of regular internet users to sue tech companies that break the law, whether on their own, in class action suits, or through public-interest law-firms like EFF.

IV. Bring back delegability

The 2019 version of ACCESS had a wonderful section on "delegatability," in which users could hand over the right to manage big services to other entities whom they trusted.

Like, you could ask a privacy org to manage your privacy settings on Facebook, or authorize a co-op platform to provide an alternative interface (say, one with a tracker-blocker) to the services you use.

Delegatability was dropped from the 2020 ACCESS Act and we'd like it back, please.

V. Government standards as safe harbors, not mandates

Under the ACCESS Act, a technical committee is charged with standardizing a way for a big platform to create interoperability with other systems. We think this is too constraining.

Rather than mandate that big platforms must use this standard interface, we argue that using the standard would give you a "safe harbor" (if you used it, you'd be sure you were following the law).

But big platforms would have the option of creating other interfaces that were technically equivalent to the standard, with strict penalties and a private right action if the alternative wasn't as good as the standard.

That way, tech companies could offer more interop (including interop for features that don't even exist yet) without having to wait for revisions to emerge from the standardization process.

VI. About that standardization process

ACCESS creates a new standards committee for each Big Tech platform, separate from existing standards bodies (which have a deserved rep for being hostage to the tech giants). The structure of this standardization process needs work.

First, the law specifies a minimum number of reps from Big Tech, independent privacy experts, and smaller companies (as well as a rep from NIST), but it doesn't set maximum numbers for these.

So it would be fine under the ACCESS Act for Facebook's "independent" technical committee to consist of a NIST rep, two academics, two startup people, and 500 Facebook lawyers and engineers. That's obviously not right and it should be fixed in markup.

The current ACCESS draft doesn't provide for public scrutiny of the standards development process. The tech committee's work should all be public, with opportunities for public comment and a requirement to answer substantive issues raised during comment periods.

Finally, the Act doesn't guarantee public access to the final standard (only "competing businesses or potential competing businesses" get to see it). That's absurd. It's the law, the law should be public, and we should all be able to see it and implement it. I mean, duh.

None of this stuff is insurmountable; a lot of it appears to be oversights, and other parts are probably good faith disagreements that can be hashed out during markup. We're so glad to see this bill introduced and can't wait for the committee meeting!

A Juul vaping device, wreathed in smoke.

Juul's junk science (permalink)

Every time I write about vaping and the extraordinary lengths that the tobacco industry (epitomized by Juul, a sister company to Marlboro) has gone to in order to convince children to vape, I hear from people who tell me that vaping is safe, especially compared to smoking.

This month, I wrote "I Quit," about my own smoking cessation, with some of Juul's dirtiest tricks, including increasing the nicotine in its child-targeted fruit flavors and its fake "mental health seminars" in schools where they promote vaping.

One Juul trick I wasn't aware of at the time? Faking the research on the safety of vaping.

In a just-published paper for BMJ Tobacco Control, a group of evidence-based medicine specialists document Juul's safety research fraud.

The paper is paywalled, but they've also published a pre-press on Oxford's research archive.

The authors document how Juul exhibits classic "reporting bias" in its safety research studies.

"Reporting bias" is when you researchers report on studies (or parts of studies) that support their employers' commercial goals (or their own ideological ones), leaving out the results that are inconclusive or harmful to their cause.

Reporting bias was once endemic to pharma research, to the point where half of the human subject studies pharma companies started never reported in.

Imagine a study of coin-tosses where you only reported half the results – you could "prove" that coins always came up heads.

One of the most effective fighters against reporting bias is Ben Goldacre, whose 2012 book BAD PHARMA documented the practice – and its human cost – in eye-watering detail.

Goldacre went on to help found the Register of All Trials, where every pharma trial is pre-registered in a public repository, allowing regulators to disqualify drugs whose trials don't report in.

Goldacre is a co-author on the Juul study.

The Register of All Trials model has been replicated around the world, including in the US, where the FDA maintains a similar repository. The researchers used this to locate trials registered by Juul Labs and then checked whether and how they'd reported in.

What they found was a classic case of reporting bias. Trials that measured five phenomena might only report back on one or two of them, which supported the safety of vaping (leaving us to assume that the remainder showed vaping to be dangerous).

And, of course, some trials didn't report back at all.

This is deeply unethical.

For one thing, the trial subjects engaged in conduct potentially harmful to their own health in order to further science.

It's bad enough if they were injured in these trials, but if the fact of their injury was suppressed in order to serve Juul's profits, then they were harmed for nothing.

The tobacco industry has a long history of bad science, of faking the research on the way its products harm their customers. Juul tells us that its products are safe, but it suppresses significant amounts of its own research.

Not one of the Juul studies the researchers investigated had fully reported in.



Now, maybe Juul is keeping its research outcomes a secret because it knows we'll be delighted with the results and it doesn't want to spoil the surprise.

But I'm not betting on it.

(Image: William Warby, CC BY)

A still from the opening credits of The Jetsons in which George Jetson is about to be maimed by a high-tech treadmill; superimposed over the image is a quote from the Peloton email announcing that its treadmills now require subscriptions ('Unfortunately at this time, 'Just Run' is no longer accessible without a Peloton Membership').

Peloton bricks its treadmills (permalink)

"Tread," a $3000 "smart" treadmill from Peloton, is a deathtrap. 125,000 Treads have been recalled after the devices injured 72 people and killed a child.

Say what you will about Peloton's safety engineering, but never fault the evil genius of its strategists. The company responded to the news by bricking the Treads in the field and demanding $40/month "subscriptions" from owners to continue using them.

The pretense here is that the subscription comes with safety software that means that you treadmill will not maim you or murder your children.

This raises an obvious question: why not just put that software into all the existing Tread devices for free?

But the answer is obvious. Because a free software update will cost the company money, and charging $40/month will make the company money – $480/year/customer, free net revenue for software that they've already written.

You might as well ask, "Why don't ransomware gangs just tell pipeline owners about the defects in their software for free, rather than demanding millions of dollars?"

I mean, ransomware gangs have bills to pay, and so does Peloton. No one will write ransomware for free.

This is the predictable failure-mode of designing devices that can be updated without their owners' permission or consent.

It's not even the first time Peloton has done this – in 2020, they bought their competitor Flywheel and bricked all its bikes.

The whole scam is only possible because Peloton – like most other "smart device" companies – gets to abuse copyright, patent, and cybersecurity law to ban third parties from making alternative software for its devices.

Without laws like Section 1201 of the DMCA and the CFAA, a small group of coders could hack up their own Tread firmware, one that re-enabled the standalone mode, or offered a cheaper (or better) (or both) subscription service.

Without Adversarial Interoperability (AKA Competitive Compatibility/comcom), Peleton's dead hand lays on your property forever, long after you've paid, and if you have demonstrate disloyalty to its shareholders, that hand punches you in the face.

Devices that answer to their manufacturers, not their users enable a toxic new usury, with riskier loans made to precarious people, with the threat of "digital repossession" to ensure a steady flow of payments that are securitized as bonds.

Peloton is in the usury business, lobbying Iowa's legislature to maintain the "rent-a-bank" system preferred by loansharks who offer Peloton financing at "0% down, 0% APR, 0% fees" but reserve the right to charge 30% APR in the fine-print.

This is dystopian on its face. My novella UNAUTHORIZED BREAD is a good place to start if you want to see where the Internet of Shit leads us to in terms of class war and exploitation.

(Image: The Jetsons/Hanna-Barbera)

This day in history (permalink)

#15yrsago Darwin’s tortoise dead at 176;_ylt=Ave_b4Ps2r9TGXqs5nZIVIoFO7gF;_ylu=X3oDMTA5bGVna3NhBHNlYwNzc3JlbA–zoo

#10yrsago A Brief History of the Corporation: understanding what an attention economy is and where it comes from

#10yrsago Why fair use doesn’t work unless you’ve got a huge war-chest for paying lawyers

#10yrsago University of Michigan to stop worrying about lawsuits, start releasing orphan works

#5yrsago Broken Windows policing is nonsense

#5yrsago Misconfigured database exposes sensitive data for 154 million US voters

#5yrsago To understand the Trump campaign, study real-estate developer hustle

#5yrsago Writing the Other: intensely practical advice for representing other cultures in fiction

#1yrago Against AI phrenology

#1yrago A/B Seattle

#1yrago Privacy in tracing tokens

#1yrago Congress wants to read all your DMs

#1yrago Blueleaks

#1yrago Surveillance electoralism

Colophon (permalink)

Today's top sources: Ben Goldacre (

Currently writing:

  • Spill, a Little Brother short story about pipeline protests. Wednesday's progress: 280 words (6554 words total).

  • A Little Brother short story about remote invigilation. PLANNING

  • A nonfiction book about excessive buyer-power in the arts, co-written with Rebecca Giblin, "The Shakedown." FINAL EDITS

  • A post-GND utopian novel, "The Lost Cause." FINISHED

  • A cyberpunk noir thriller novel, "Red Team Blues." FINISHED

Currently reading: Analogia by George Dyson.

Latest podcast: Inside The Clock Tower
Upcoming appearances:

Future Tech: Working the Science into Your Fiction (Locus Awards), Jun 26,

Recent appearances:

Latest book:

Upcoming books:

  • The Shakedown, with Rebecca Giblin, nonfiction/business/politics, Beacon Press 2022

This work licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Newsletter (no ads, tracking, or data-collection):

Mastodon (no ads, tracking, or data-collection):

Medium (no ads, paywalled):

(Latest Medium column: "Illegitimate Greatness," on what we can learn from Ida M Tarbell's century-old critique of John D Rockefeller

Twitter (mass-scale, unrestricted, third-party surveillance and advertising):

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla