What Will 2021 Hold for Tech Policy?

Out of the 7.5 billion people on Earth, I’m guessing that approximately zero percent will be sad to see this benighted year come to an end. Looking back is too depressing, so I want to take a look forward. There are glimmers of hope for 2021 — multiple COVID-19 vaccines, a new U.S. presidential administration — but the challenges that concerned me in the tech policy realm this year aren’t going anywhere. Here are some of the domestic U.S. issues I’m keeping my eye on:

• Anti-encryption bills in Congress. 2020 saw the introduction of both the EARN IT Act and the Lawful Access to Encrypted Data Act. I’ve characterized the former as a sneak ban on strong encryption, and the latter as a full-frontal assault. The LAED Act bill in particular crossed a line in the sand that congressmembers and federal law enforcement hadn’t previously dared cross during the many years the encryption debate has been dragging on in the U.S. Though it seemed designed to fail, the LAED bill nevertheless moved the Overton window, making it more acceptable to introduce legislative ideas that are extremely hostile to everyone’s online security and privacy. While the good news is that LAED may not gain any traction in 2021, the bad news is that EARN IT might. That bill enjoyed bipartisan support, had passed out of a Senate committee, and had been introduced in the House. I predict that EARN IT will be reintroduced in the next Congress, and it will pose a serious threat, especially because it’s part of...

• Section 230 “reform” proposals. Many politicians on both sides of the aisle concur that Section 230 needs to be reformed or even repealed, though they don't agree on exactly what's wrong with it or how to change the oft-misunderstood law. The politicians who think it should be repealed outright include both the outgoing president (who has petulantly threatened to blow up America’s national security over this issue) and the incoming president-elect. In Congress, there have been numerous proposals (of which EARN IT is one) to amend Section 230 in one way or another. (A full list has been maintained in this incredible spreadsheet put together by the indefatigable Jess Miers.) It seems likely that we’ll see some sort of Section 230 reform bill make significant headway in the next Congress. What remains to be seen is whether it will take the form of something as horrible as EARN IT (or SESTA/FOSTA before it), or something that even some Section 230 defenders may be able to live with, such as the PACT Act bill that my colleague Daphne Keller wrote up here. Should any bill make it into law, it will surely draw a constitutional challenge, as SESTA/FOSTA did.

• Reining in the sale of location data to the government. Apps on your phone may be collecting your geolocation information without you realizing it. And that information may in turn get sold by data brokers to all comers — including U.S. law enforcement agencies, the IRS, the Secret Service, immigration authorities, and the military. They’ve been on a buying spree, snapping up this data without a warrant, subpoena, or court order, and without any individualized suspicion to investigate any particular person. As more stories came to light in 2020 about this end-run around legal process, Apple and Google have started to crack down on the data brokers engaging in these sales, and lawmakers and agency watchdogs have started demanding some answers. Senator Ron Wyden (D-OR) has announced that he plans to introduce a bill soon that would close this loophole that our government has been exploiting to warrantlessly obtain this sensitive information. Geolocation data uses your movements to paint a vivid picture of how you live your life. That’s why the Supreme Court has recognized that when government investigators want to obtain such information about you, they should get a warrant. Out of all the legislation that members of Congress are likely to introduce next year, Wyden’s bill is the only one I’m positively anticipating, rather than dreading.

• CFAA reform. The Supreme Court recently heard its first big Computer Fraud and Abuse Act (CFAA) case, United States v. Van Buren. It will issue its decision sometime in the first half of 2021. The Court has the chance to rein in the notoriously broad scope of the law, which has been used to turn violations of Terms of Service or (in Van Buren’s case) employer computer-use policies into federal crimes and to chill good-faith security research. Given how oral argument went, I’m not alone in thinking that Van Buren (represented by Stanford Law’s own Prof. Jeff Fisher) has good odds of prevailing. (Dear SCOTUS: please keep up live audio streaming of oral arguments, even after the COVID-19 crisis has passed!) Regardless of how the case comes out, it’s high time for Congress to reform the CFAA and narrow its scope. To me, those changes should at least include (1) limiting the law’s abuse by private entities, which have used or threatened to use the CFAA not only to enforce their TOS as though it were on par with federal law, but also for anti-competitive purposes and to punish departing employees, and (2) creating a safe harbor to protect good-faith security research. But to be honest, I doubt that reining in the CFAA will be a high priority for the next Congress, at least absent a disastrous decision in Van Buren — so, fingers crossed for a good decision from SCOTUS.

This is only a partial list of tech policy issues that will be hot topics in 2021! For example, with the federal government and multiple states teaming up to file lawsuits against Google and Facebook, antitrust is going to be huge in 2021. Likewise disinformation, particularly around COVID-19 vaccines, which is squarely in the wheelhouse of my colleagues at the Stanford Internet Observatory. Election security is having its moment in the sun, thanks to the Streisand effect of the lame-duck president’s misguided firing of Chris Krebs from CISA for daring to speak the truth. (SIO is deepening our bench on that issue, too.) And I’ve only talked here about domestic concerns, even though threats to encryption, cybersecurity, online speech, and privacy are still brewing in Europe, India, and elsewhere. 

There are just too many hot-button tech policy issues to name them all here. Whatever else 2021 may hold, it definitely promises continued job security for soft-handed academic pundits like yours truly. Until then, stay safe this holiday season, have a happy New Year, and wear a mask!