�鶹������ý

The free-wheeling and chaotic early internet has matured into a powerhouse of commerce, culture, and personal expression. Tech platforms have become an integral part of our daily lives, offering products and services that help us fulfill critical tasks online, such as communicating with loved ones, shopping for goods, seeking employment opportunities, and more. The infrastructure that these platforms offer has become even more critical as we navigate the COVID-19 pandemic. While these platforms offer many societal benefits, they have also changed the competitive dynamics of the marketplace. Not only have various online services threatened the economic viability of such businesses as brick and mortar stores, but many platforms have secured market dominant positions.

While these platforms offer many societal benefits, they have also changed the competitive dynamics of the marketplace.

The open and diverse internet of the past has given way to concentrated power and data in the hands of a few large companies. Those companies now control most of the traffic on the internet.¹ Online platforms consist of complex businesses, and because they benefit from significant economies of scale and network effects, they have radically changed the competitive dynamics of the digital marketplace. As a result, it is important to scrutinize how platforms exercise market power and exploit their dominance.

These platforms have become “walled gardens” within the larger context of the internet. In the past, interaction between people on the internet might have taken the form of links from one website to another, comments on blog posts, emails sent from one organization’s server to another, or posts on a given newsgroup on Usenet (the first message board system, which operated without a single centralized server, and instead shared postings among many servers to which individual clients connect). Today, all of those actions are likely to take place entirely within the confines of a single company’s services.

Policymakers are beginning to look into how this change is detrimental to competition and the internet at large. As Rep. David Cicilline (D-R.I.) and former Federal Trade Commission (FTC) Commissioner Terrell McSweeny have written using Facebook as an example,

The same network effect that creates value for people on Facebook can also lock them into Facebook’s walled garden by creating barriers to competition. People who may want to leave Facebook are less likely to do so if they aren’t able to seamlessly rebuild their network of contacts, photos, and other social graph data on a competing service or communicate across services. This friction effectively blocks new competitors—including platforms that might be more protective of consumers’ privacy and give consumers more control over their data—from entering the market.²

One of the ways that policymakers can fight back against this growing centralization is to create holes in the barriers between these walled gardens. Through these holes, the users of other competing services can reach out and connect with the people inside the garden, decreasing the stranglehold that the service has on its own users. Commonly known as “interoperability,” these holes provide ways for one system to interact with a second system, often exchanging data or causing some processing of data to take place. Interoperability is familiar to most people in the context of email applications—regardless of which email provider and software people use, they can all email each other across systems because all are interoperable. But social media sites and other platforms are not generally interoperable. Thus, if individuals want to leave a platform, they will not be able to reach their friends or followers or other contacts on the platform they left behind.

Interoperability decreases barriers to entry and facilitates greater competition by enabling new players to offer access to the users on, and at least some of the features of, the entrenched platforms. It also expands the overall market around a particular service or type of service by letting third parties fill in the gaps around the platform’s feature set, as many games and other apps have done around Facebook’s platform.

Interoperability is a promising lever for regulators to use in their efforts to oversee and correct monopolistic abuses amongst the dominant online platforms. It has a unique ability to promote and incentivize competition—especially competition between platforms—and can also offer users greater privacy and better control over their personal data generally. This report examines interoperability—the ability for disperate computer systems and services to interact and exchange data—as a principle that underlies the operation of the internet in all its parts, discusses why online competition problems present unique challenges to regulation, addresses the privacy and security risks raised by interoperability and appropriate mitigations for those risks, and explains how interoperability can directly increase platform competition on the internet.

Interoperability…has a unique ability to promote and incentivize competition—especially competition between platforms—and can also offer users greater privacy and better control over their personal data generally.

Editorial disclosure: This report discusses policies by Facebook, Google, and Mozilla. Facebook, Google, and Mozilla Foundation are funders of work at �鶹������ý but did not contribute funds directly to the research or writing of this report. �鶹������ý is guided by the principles of full transparency, independence, and accessibility in all its activities and partnerships. �鶹������ý does not engage in research or educational activities directed or influenced in any way by financial supporters. View our full list of donors at www.newamerica.org/our-funding.

Interoperability is a foundational principle of the internet. In fact, it could reasonably be described as what makes the internet what it is. As Mozilla puts it in a recent working paper, “[I]nteroperability is the internet’s secret sauce.”¹ Interoperability is a presumption built into everything from the Transmission Control Protocol (TCP),² which describes how devices using the internet should exchange information on a millisecond-to-millisecond basis, to the Hypertext Transmission Protocol (HTTP),³ which details how web servers respond to requests and send documents.

Technological interoperability was around long before the advent of the internet. Telephone, telegraph, and radio communications all rely on interoperable protocols, such that someone using AT&T’s phone network in Atlanta can reliably place a call to someone else using Telefônica in Rio de Janeiro.⁴ Morse code is still Morse code whichever side of the telegraph cable you’re sitting on. The concept even predates electrical communications, and can be seen in the development of everything from railroad gauges to bullet calibers.⁵

On the internet, interoperability is everywhere. Email is one of the original interoperable services, dating back to the early 1970s and working still today. The World Wide Web is also interoperable on a few different levels. Any modern browser can load any web page out there, and any page can link to any other, creating a global system of interconnected pieces of data.

Other online services are less interoperable. Most messaging services don’t work with each other—a WhatsApp user can’t reach someone using iMessage—and social networks have also remained studiously separate from one another.

In the case of these networked computer services, interoperability is often divided into two types: that which is achieved through the use of standard protocols, and that which is achieved through Application Programming Interfaces (APIs).⁶ Both of these paradigms allow one computer system to interact with another, but they differ in some crucial respects that usually make the standard protocols approach better suited to solving the issues discussed in this paper.⁷

In the case of these networked computer services, interoperability is often divided into two types: that which is achieved through the use of standard protocols, and that which is achieved through Application Programming Interfaces (APIs).

APIs are interfaces between a single computer system and the outside world. They are a set of well-defined ways to interact with a system to get the system to take some action, to get some response from the system, or often both. APIs are distinguishable from a normal web page in that API invocations and responses are conducted in machine-readable formats rather than through user interfaces that a person would gather information from. A social network system’s API might provide a function that takes in a user’s numerical identifier and returns that user’s name and profile information as long as the entity requesting the information is authenticated and has the relevant permissions. APIs will vary widely from system to system, and can completely change whenever the entity responsible for the system desires, placing the burden of remaining compatible on the third parties using the API.

One example of a publicly available API is the National Oceanographic and Atmospheric Association’s (NOAA) weather service.⁸ Given a location, it will return the weather and forecast for that location in a format called Javascript Object Notation (JSON).

“Standardized protocols” (also known as “open protocols”), the other category of computer interoperability, differ from APIs largely in how they are developed and how they are intended to be used. These differences can have far-reaching effects. Because of these effects, standardized protocols encourage deeper interoperability and better reciprocity between services that implement them than we usually see from APIs.

Standardized protocols are referred to as such because the details of how they operate have been negotiated between many interested parties, agreed to by a cross section of people and organizations that are writing software to implement them, and published publicly for everyone to inspect. This process generally takes place within one of a few organizations responsible for developing these types of standards. The Internet Engineering Task Force (IETF) and the World Wide Web Consortium (W3C) are two of the most prominent, and each has its own scope of topics that it covers.⁹

The IETF is primarily responsible for the lower-level workings of the internet. They write protocols like TCP, which describes how computers split up pieces of information into small packets to send through the network and reassemble them on the other side. They also develop the HTTP, covering how clients request web pages from servers.

The W3C focuses on a higher conceptual level, detailing how web browsers turn the code that makes up a web page into the result we see on the screen. They evaluate and agree on new web features, such as Web Bluetooth, which gives web pages the ability (with permission) to speak to Bluetooth devices, and Cascading Style Sheets (CSS), which browsers use to lay out a web page and apply styles ranging from bold fonts to dotted outlines.

These organizations are generally open and work transparently. The IETF welcomes anyone to join its mailing lists and attend its meetings.¹⁰ The W3C has a membership process and charges fees to enable its governance, but the public is able to observe and participate via mailing lists and other avenues.¹¹ While it is outside the scope of this paper, it is worth noting that both the IETF and the W3C face continued criticism for lack of accessibility to the public and non-technical audiences, a lack of formal accountability, and for tending to favor business outcomes over other concerns.¹²

This process—open and transparent dialog between different people and organizations looking to implement a given standard—is, despite some arguable flaws, one of the things that makes standardized protocols a better choice than API for implementing interoperability.¹³ Unlike APIs, which are largely designed by one company for use with its own service without regard to other companies’ services, standard protocols represent a consensus among many different parties on what would be best for the internet. This has a number of effects that serve to incentivize interoperability: (1) If many different platforms are using the standard protocol, new entrants can advertise compatibility and access to those services to potential users; (2) Because more developers are working with the protocol, there will be mature and reliable open source software libraries implementing its functionality that can be adapted by anyone to get a new service into the hands of people rapidly; and (3) The shared ownership of the protocol can help to level the playing field such that other services are not subject to the whim of one large platform.

This process—open and transparent dialog between different people and organizations looking to implement a given standard—is, despite some arguable flaws, one of the things that makes standardized protocols a better choice than API for implementing interoperability.

Open protocols are intended to be used and implemented by anyone with the desire to do so, and copyright (and often patent) rights associated with the protocols are therefore affirmatively released as open source by the publishing body.¹⁴ This is important in the wake of a recent legal decision by the U.S. Circuit Court for the Federal Circuit in Google v. Oracle which found that APIs can, at least in some circumstances, be entitled to copyright protections (this case has been granted certiorari by the U.S. Supreme Court and is awaiting oral argument at the time of publication).¹⁵ The blanket disclaimers offered by these organizations mean that others can implement the protocol without fear of legal retribution.

Standardized protocols do have some downsides. Primarily, the inclusive and consensus-based method by which they’re developed means that they take a while to progress from idea to final specification. Relatedly, the consensus process means it can be difficult to revise standardized protocols over time, and later revisions to capture new features or technologies can lag behind experiments “in the wild.”¹⁶ Getting involved in the definition of specifications can also be an intimidating idea for anyone who hasn’t done it before. Despite these drawbacks, the collaborative and open process involved in developing protocols make them a better match for overall user freedom, and in particular the aims of interoperability.

Online platforms possess unique gatekeeping power. By setting API design and policy, they have the ability to control who has access to critical aspects of the vast datasets and user bases they’ve built—things like a user’s social graph that enables a hopeful competitor to grow its own user base and establish itself. Once a platform is sufficiently scaled, and especially if it is dominant, it no longer has the incentives to grant access to its APIs to facilitate a healthy downstream ecosystem. The more vertically integrated a platform is, too, the higher the risk that it may not offer APIs with sufficient data and functionality for other companies.¹ Whereas our current antitrust framework may not sufficiently ensure platform competition, platform interoperability offers a solution to promote a more competitive ecosystem.

Online platforms do not always offer a single product or service, but often build complex businesses across a wide range of commercial offerings. This business model includes many business lines that are vertically integrated on top of one another—meaning that a single company controls more than one stage of the supply chain. Google’s advertising intermediation business, for instance, is largely vertically integrated in that it operates: (1) as a publisher ad-server (offering advertisers the opportunity to run ads on Google’s digital properties—anywhere from alongside certain Google search results to on Google’s websites, such as Gmail, Blogger, and Youtube)²; (2) as a supply-side platform selling inventory on behalf of publishers (optimizing inventory usage through Google’s Ad Manager to maximize ad views); and (3) as a demand-side platform buying inventory on behalf of advertisers (offering advertisers access to display, video, and mobile inventory in real-time through Display & Video 360, formerly DoubleClick Bid Manager).³

Online platforms are complex, but they share several characteristics that distinguish them from traditional brick-and-mortar businesses. Public Knowledge Vice President Harold Feld defines a digital platform as a product that meets the following criteria: “(1) a service accessed via the internet; (2) the service is two-sided or multi-sided, with at least one side open to the public that allows the public to play multiple roles (e.g., content creator as well as content consumer); and (3) which therefore enjoys particular types of powerful network effects.”⁴ Because these platforms deliver services over the internet, they are able to take advantage of economies of scale. Their costs of scaling the network are dramatically reduced compared to brick-and-mortar businesses that have to build out a physical network to reach customers.⁵ In addition, operating in a two-sided or multi-sided market reduces a firm’s costs for inventory and market research.⁶

Online platforms also enjoy network effects, which further entrench their market dominance. A network effect means that the value of the network increases with each additional participant. Through the internet, platforms benefit from being able to reach greater numbers of other users and businesses. When platforms operate with closed systems, such network effects can also affect competition. For instance, Facebook’s network effects from the 2 billion plus users on its network means that users may be reluctant to leave it for a competitor, especially if it means that the user has to expend substantial switching costs by rebuilding their personal networks, posting content, and more from scratch.⁷ Switching costs and network effects can therefore lock in a user by making them dependent on a particular firm’s good or service.

Online platforms also enjoy network effects, which further entrench their market dominance. A network effect means that the value of the network increases with each additional participant.

Given these dynamics, the dominance of a few online platforms reflects an unsurprising trend toward greater concentration. The rise of these platforms, in fact, can be attributed to hundreds of mergers consummated in rapid succession.⁸ Platforms are keen to capitalize on economies of scale and tap into network effects, especially through vertical integration and data consolidation.⁹

The complex, integrated nature of online platforms makes it challenging to address competition concerns under current antitrust law.¹⁰ Digital platforms do not always fit into clear, static market definitions that are foundational to traditional antitrust cases. They also operate in multi-sided markets that antitrust case law may not clearly address.¹¹ The fact that platforms are venturing out into new markets—many of which are rapidly consolidating—adds another layer of complexity for antitrust attorneys and economists to unpack.¹² Take, for example, Amazon’s 2017 acquisition of Whole Foods. The FTC cleared the deal and let the parties merge without issuing a second request to conduct a more thorough, formal investigation. The merger between a traditional supermarket and a digital platform with extensive e-commerce operations might have raised difficult questions about defining the relevant market. Many advocates raised concerns that the deal might enhance Amazon’s dominance in fields such as logistics, expand the company’s data trove on consumers, and allow the company to replicate its anticompetitive online tactics in the brick-and-mortar space.¹³ But it’s not clear that current antitrust law can address these concerns if the merging parties may not appear to directly compete.

The challenge for enforcers is how to measure dominance when the technology, market, and industry are constantly changing. Antitrust agencies must also be empowered with additional resources to improve their capacity for analyzing how market power can be leveraged through data and networks. Further, the case-by-case nature of antitrust enforcement means that even when antitrust interventions are applied, only the specific company involved is obligated to abide by the conditions mandated by the remedy.

The challenge for enforcers is how to measure dominance when the technology, market, and industry are constantly changing.

Antitrust enforcement operates ex post, meaning that enforcement might only come after the problematic behavior has occurred. Merger review is an exception to this rule, in that enforcers might be able to intervene if the likelihood of anticompetitive harm post-merger is apparent—and even then, merger conditions are often time-limited and the merged entity is not required to abide by them once they’ve expired. Additionally, whether an antitrust enforcer is successful in attaining a desired enforcement action depends on the facts of the specific case, the resources available to bring a case, and, if the enforcers file a lawsuit, the litigation outcome. Ultimately, antitrust enforcement requires a significant time investment, which does not necessarily sync up with the lifecycle of technological innovation and growth. Firms that find themselves excluded from a fair shot at competing—for example, because a dominant platform is engaging in anticompetitive self-preferencing and denying access to its API—might go out of business waiting for the outcome of a case challenging those actions.

Further, structural separation would not remedy all of the competition concerns that online platforms pose.¹⁴ Even if a platform is broken up, it could still enter into an anticompetitive arrangement in which only some downstream products are compatible with the platform through proprietary integration or an exclusive contract.

But requirements for interoperability could address some of these threats to competition. As a result, Congress should promote interoperability in new legislation, and the FTC, too, should promote interoperability when appropriate in antitrust enforcement to protect against the anticompetitive risks that arise from dominant platforms’ gatekeeping power.

Interoperability is all the more important when platforms are vertically integrated and, as a result, may have fewer incentives to offer open APIs on their own. Vertically integrated firms offer products that feed into one another along a single production vertical. In the absence of vertical integration, different companies usually produce a different product or service along a supply chain. When firms vertically integrate, however, they usually seek to tap into efficiencies gained from the supply chain integration, and give preference to their own supply chain components when designing products and services to the exclusion of other players in the ecosystem—in their API design, for instance. The more vertically integrated a platform is, the higher the risk that it may not offer APIs with sufficient data and functionality for other companies, particularly downstream businesses, to build products that are compatible with theirs.¹⁵ This practice may sometimes threaten competition, but our current antitrust framework insufficiently addresses these risks and does not promote interoperability ex ante (“before the event”).

Interoperability is all the more important when platforms are vertically integrated and, as a result, may have fewer incentives to offer open APIs on their own.

Vertically integrated platforms have incentives to build their API design solely to their own needs, tailored to their own specific apps, features, and competitive strategy. Twitter, for instance, vertically integrated by purchasing apps like TweetDeck (a social media dashboard application for managing Twitter accounts) in 2011,¹⁶ Tweetie (then a leading iPhone Twitter client) in 2010,¹⁷ and Summize (a search engine built specifically for indexing Twitter posts) in 2008,¹⁸ and as a result was in a position to discourage developers from using Twitter’s APIs to make apps that directly competed with their platform.¹⁹ Twitter rejected apps that relied on tweet feed via its API and revoked API access. This practice certainly harmed competition, but may not have been considered anticompetitive within our current antitrust framework because of the challenges in assessing the relevant market, market power, and consumer harm.²⁰

These risks also exist when a platform updates or expands its product offerings.²¹ For instance, there is a chance that a company may choose to replace older, more open technology with a substitute that is more closed and not conducive to interoperability. A company may also deliberately restrict access to its API as a strategy to deter would-be competitors. Evidence suggests that Facebook has employed this strategy in the past with regards to its API that gave third-party apps the ability to allow users to find and add their Facebook friends on their apps: Facebook turned off its friend-finding API access for Vine (an app owned by Twitter that allowed users to create six-second videos) in 2013 when it began to build out its own video product.²² Facebook said that this policy was geared at cutting off access to its social graph for “apps that [were] using Facebook to either replicate our functionality or bootstrap their growth in a way that create[d] little value for people on Facebook, such as not providing users an easy way to share back to Facebook.”²³ The same year, Facebook cut off access to its social graph for MessageMe, a messaging app that had previously been able to allow users to find and add friends from Facebook—just a week after it launched.²⁴ It did the same thing to Voxer, a calling and voice chat communications app that had had access to Facebook’s social graph through its API for over a year before getting cut off.²⁵ It’s worth noting that all three of these competitors ultimately exited the market or shut down—while this loss of competition may be clear, the anticompetitive harm from Facebook restricting its API access in this manner may be more difficult to prove.²⁶

Our current antitrust framework insufficiently addresses the competitive threat of online platforms’ unique gatekeeping ability via control over their own APIs. This practice falls outside of the antitrust theories that have historically addressed similar behaviors from firms: (1) refusal to deal and (2) the essential facilities doctrine.²⁷ Under the former, a monopolist refuses to do business with other firms or prevents customers or suppliers from dealing with the firm’s rivals (i.e., “I refuse to deal with you if you deal with my competitor”) to acquire or maintain its position in the market.²⁸ Under the latter, a monopolist obtains a competitive advantage by denying access to an essential “facility.”²⁹ Neither are entirely applicable to addressing a platform’s control over competitors’ ability to utilize certain aspects of its data and user base to build their own products and services. This distinction is largely because APIs and the underlying data are subject to a variety of other considerations, too, such as the need to protect data security and avoid fraud; these factors require some limitations in the form of access controls and restrictions on usage volume.³⁰ As such, antitrust law is an insufficient tool to address the competitive effects that platforms may raise through their API policies and lack of interoperability.

Despite the benefits of interoperability described above, there are some unique privacy and security implications that arise when platforms implement interoperability. This makes sense: Any time that a system is opened to the outside network, you create an opportunity for potential attacks. Two major categories of risk arise. The mere existence of a service designed to interact with other devices over the internet creates the potential for lapses in security that would not otherwise exist. That service therefore requires comprehensive systems of security and authentication to ensure its own protection. An interoperable service also runs the risk that its users will end up, either by accident or through malicious deception, granting access to personal information to an unintended recipient. The former is a known problem to which there are a variety of solutions that are outside the scope of this paper.¹ The latter, however, is a more nuanced challenge that is worth exploring further.

Failure to protect users from malicious interoperability was a crucial element in the leaking of Facebook users’ information to Cambridge Analytica, as revealed to the public in 2018.² The data that Cambridge Analytica used in its operations came from a researcher who collected personal information from Facebook users through Facebook’s app API. Users who wished to take the “This is Your Digital Life” quiz offered by the app were required to hand over not just their own personal information, but also that of their friends.

On the surface, that may seem to be an odd trade for a person to make. What online quiz could possibly be worth handing over so much information about yourself and your entire social network? This disconnect reflects the unfortunate reality that many people do not understand the enormous complexity of what access to data actually means in any given instance (or how it shifts from context to context). Nor do they comprehend the difference between access that is requested because it is needed to enable functionality and that which is simply going to be collected and sold. It does not help that that difference is often hidden or minimized in the name of profit.

Variations on these issues have been present since the early days of the internet. They even apply to some of the most basic internet functionalities, such as email. An email protocol that predates browser-based email services and that is still widely used allowed a mail application (such as Apple Mail, or Mozilla’s Thunderbird) to gain access to all of the person’s messages and, using a second protocol, the ability to send emails on behalf of the person. Of course, mail applications used by most did so on behalf of the account’s owner, but the potential existed for malicious uses as well. We might expect attacks that exploit access via APIs or protocols to increase as more services allow robust interoperability, but there are steps that both companies and users can take to limit exposure while gaining the competitive benefits.

For example, as a society we are still developing our “common sense” about the internet. People have learned to spot email spam, corporate training to protect employees from phishing is a regular practice, and we are learning to distinguish “fake news” from the real thing. One area of online common sense that has seen less development is how we share our personal data.

As noted above, it’s not easy for an average person to analyze the tradeoff between the permissions that an app using an API is asking for, the functionality it provides, and the personal information it accesses. Services offering interoperability to their users can help on this front by striking a more cautious tone when presenting users with choices about allowing apps access to data. They could also begin highlighting for users those apps that, like the quiz in the Cambridge Analytica example, demand permission to collect far more information than is relevant to the operation of the service. There is also a role for government, educators, parents, and society more broadly to translate common sense lessons like “don’t take candy from strangers” to the internet age.

…it’s not easy for an average person to analyze the tradeoff between the permissions that an app using an API is asking for, the functionality it provides, and the personal information it accesses. Services offering interoperability to their users can help on this front by striking a more cautious tone when presenting users with choices about allowing apps access to data.

There is also a category of solutions aimed at deterring people who aim to use interoperability to steal data. Services can learn from the fight to contain email spam and start tracking and blocking bad actors, as well as sharing information about those bad actors with other services, so that blocking begins to happen at an ecosystem level, instead of service-by-service. Finally, as a society, we may begin combating the incentives to engage in data theft by strictly limiting and regulating the sale of personal information. There are already laws and proposals circulating that would regulate and limit markets for personal information.³ If there is no market for the data gleaned through abusing interoperability, many of the risks to privacy are much easier to manage.

It can be tempting to view interoperability and privacy as purely at odds with each other. In reality, both are important aspects of personal data control. Interoperability has the potential to cause privacy harms, but the mitigations that are available mean that it is still an attractive way to increase competition in online marketplaces.

Platform interoperability can promote competition by facilitating a more robust and diverse online ecosystem. It also makes it possible for new entrants to quickly move into the market and compete with incumbents. Although interoperability is a technically precise functionality and it may be difficult for the government to mandate its implementation, we should encourage platforms to take steps to make their products and services interoperable. In addition, antitrust enforcers can assess the degree to which a company restricts platform interoperability as an indication of an anticompetitive practice on a case-by-case basis. The current antitrust framework, as detailed above, makes this assessment difficult, however. In the absence of a regulatory framework to promote interoperability, advocates should be calling for greater interoperability, and industry should offer open APIs to encourage others to interoperate and contribute to developing standards that promote interoperability.

Interoperability promotes competition. In order for users to be able to easily switch services or “multi-home” (the idea of belonging to more than one network) and still reach users of the original service, the two services must be interoperable. Data portability is the first step; users must be able to take their data with them (port it) when they choose to leave a service.¹ But portability is insufficient to promote competition if the individuals will not be able to use their data on a new service; interoperability is critical to ensuring that the data the consumer ports is compatible with different platforms. Together, data portability and interoperability substantially lower switching costs and empower consumers to move between firms more easily—or even at all.²

Together, data portability and interoperability substantially lower switching costs and empower consumers to move between firms more easily—or even at all.

Interoperability also promotes innovation. Open APIs enable other companies to build upon existing services and innovate by giving rivals access to or the ability to replicate necessary elements and functions. Interoperability also prevents lock-in effects, as discussed previously in this report, and makes it possible for new entrants to move into the market quickly. Without access to Google Contacts’ API, for instance, Facebook would not have been able to grow its network as fast as it did.³

To the extent possible within the current antitrust framework, antitrust enforcers should examine the novel ways that online platforms exert their gatekeeping power to inhibit new entrants and fair competition. Some behaviors may be considered an anticompetitive practice in certain scenarios, and antitrust enforcers may be able to apply tailored remedies, such as requiring interoperability, to ameliorate their effects. For instance, enforcers should carefully scrutinize as a potential anticompetitive practice any company’s actions to discontinue formerly open APIs or restrict access to APIs to stifle downstream competition that seeks to rely on access to key data and functionality offered through the API. In addition, they should assess whether a company undermines standards bodies by exerting so much influence that, as Mozilla’s Director of Public Policy Chris Riley wrote, it “co-opt[s], manipulate[s], or render[s] meaningless a standards body if the participation of that company is necessary for the collective set of companies to achieve critical mass.”⁴ These practices are not always anticompetitive, and antitrust enforcers must evaluate each individual company and scenario on a case-by-case basis.

…enforcers should carefully scrutinize as a potential anticompetitive practice any company’s actions to discontinue formerly open APIs or restrict access to APIs to stifle downstream competition that seeks to rely on access to key data and functionality offered through the API.

Antitrust enforcers do not necessarily have to alter their merger review process to accommodate these new theories of harm. The agencies already scrutinize whether vertical mergers can lead to competitive harm if the companies integrate in a closed fashion. As part of the enforcers’ analysis of the merged entity’s incentives post-merger, they should also consider the potential for anticompetitive harm if the company were to restrict or discontinue APIs that the merging companies offer third parties. Depending on the facts of the case, data portability and interoperability may serve as sufficient remedies for these problems. When appropriate, antitrust enforcers should rely on these tools as a proposed condition on a merger that would otherwise be anticompetitive, or for a company engaging in anticompetitive conduct in negotiating a settlement or pursuing litigation. For example, in 2001, when the Federal Communications Commission (FCC) found that the AOL/Time Warner merger would give the merged entity a significant and anticompetitive first-mover advantage in the market for advanced instant messaging services, it conditioned merger approval on an interoperability remedy.⁵ The FCC required AOL to either implement an industry-wide standard for interoperable instant messaging or create a protocol for interoperability with other instant messaging providers via contracts.⁶ While agencies with merger review jurisdiction may be able to intervene through merger conditions that are specifically tailored to prevent these anticompetitive risks, it’s worth noting that under antitrust statutes, agencies would only be able to intervene if they, or a judge, conclude that the merger is likely to result in anticompetitive harm.

Antitrust enforcers should also adopt a dominant platform presumption: A merger is anticompetitive if a dominant platform seeks to acquire a firm that has a substantial probability of entering the market absent the merger, or if the platform acquires a competitor in an adjacent market.⁷ As OTI and Public Knowledge detailed in joint comments to the FTC and Department of Justice (DOJ) on the proposed revisions to the vertical merger guidelines, a “platform with market power could substantially disadvantage firms in an adjacent market by refusing to interoperate with them. If a platform purchased one adjacent market firm, it would then benefit from preferencing the owned firm over competing adjacent market firms, either by denying interoperability or making interoperability difficult, thereby diverting substantial business to the owned firm.”⁸

Antitrust enforcers should also adopt a dominant platform presumption: A merger is anticompetitive if a dominant platform seeks to acquire a firm that has a substantial probability of entering the market absent the merger, or if the platform acquires a competitor in an adjacent market.

Interoperability promotes innovation by helping an entire ecosystem of players thrive—it enables new players to enter the market, and incumbent players to create new products and services based on those offered by other players. Interoperability also promotes network effects. The more people in a network, the more valuable it is. If a company interoperates with others, their network gets that much bigger. Therefore, industry should also promote greater interoperability.

Standard protocols that promote decentralized, open, and interoperable networks have already contributed to a more competitive ecosystem. For instance, there is a growing “Fediverse” of decentralized services that rely on the W3C-developed protocol “ActivityPub,” which in turn is based on the open “Activity Streams 2.0” standard.⁹ The Fediverse includes an open source Twitter-like service called Mastodon that runs on a decentralized network of servers and a YouTube-like service called PeerTube. Using the same protocols promotes interoperability. For example, a user on Mastodon can follow a user on PeerTube, and both users are able to watch and comment on the second user’s PeerTube videos from the Mastodon software client itself.

In the absence of regulations mandating interoperability, regulators should consider imposing interoperability conditions where appropriate. Advocates should also call for greater interoperability, while companies can lead by example and offer robust, open APIs and encourage others to interoperate. Companies should also contribute to the development of standards that advance the efficiency or capabilities of the network.