[Plura-list] Improving the ACCESS Act; Juul's junk science; Peloton bricks its treadmills

Cory Doctorow doctorow at craphound.com
Tue Jun 22 12:37:04 EDT 2021

Today's links

* Improving the ACCESS Act: Six ways to make the most important tech law
of the legislative season even better.

* Juul's junk science: Reporting bias makes vaping's safety is a hazy mess.

* Peloton bricks its treadmills: Your kids are dead because you didn't
buy the subscription.

* This day in history: 2006, 2011, 2016, 2020

* Colophon: Recent publications, upcoming/recent appearances, current
writing projects, current reading


👨🏽‍🦳 Improving the ACCESS Act

Last week, Congress introduced the ACCESS Act, one of the most
significant, pro-competitive, pro-user tech laws in American legislative


It will require large tech platforms to open up to interoperability, so
you can leave the platform for a rival without losing contact with your
friends, communities, audiences and customers.

By lowering the switching cost of walking away from Big Tech, Congress
could create space for co-ops, tinkerers, nonprofits, startups and
public services to create small, user-centered communities built on
giving people technological self-determination.

This week, the ACCESS Act will likely go before the House Judiciary
Committee for markup, and there's going to be a fierce battle for the
future of this bill (predictably, Big Tech hates it and wants it dead).

We (EFF) just published our list of things that should be fixed ACCESS
during markup, a collection of six areas where the law could be improved:


I. Strong Consent and Purpose Limitation Requirements

The ACCESS Act is already pretty good on ensuring that when you take
your data from a platform, but the language is a little fuzzy at the edges.

We'd like crisply defined limits on data requires consent - for example,
do your friends have to consent to you exporting their replies to your
messages? Does it matter if they're private messages or public? We've
published some deep dives on this:


II. Define “Interoperability”

This is the second version of the ACCESS Act (the first was introduced
in the Senate during the 2019/2020 session). The Senate version actually
defined "interop" (too narrowly!), while the current version fails to do so.

The risk of underdefining interop is that ad-tech companies and other
human-rights abusers have called for interop to "fix the competition
problem" in surveillance-based advertising.

Unless Congress specifies what kind of interop ACCESS is supposed to
support, it might create a race to see who can most efficiently gut your
foundational right to privacy while giving you the least benefit in return.

III. Let the people sue

The ACCESS Act has incredibly stiff penalties for companies that violate
it - but these can only be invoked by the FTC. To be fair, the FTC is
enjoying a renaissance, with the amazing Lina Khan at its helm, but what
about the *next* FTC?

We think this bill needs a "private right of action" - that is, the
right of regular internet users to sue tech companies that break the
law, whether on their own, in class action suits, or through
public-interest law-firms like EFF.

IV. Bring back delegability

The 2019 version of ACCESS had a wonderful section on "delegatability,"
in which users could hand over the right to manage big services to other
entities whom they trusted.

Like, you could ask a privacy org to manage your privacy settings on
Facebook, or authorize a co-op platform to provide an alternative
interface (say, one with a tracker-blocker) to the services you use.

Delegatability was dropped from the 2020 ACCESS Act and we'd like it
back, please.

V. Government standards as safe harbors, not mandates

Under the ACCESS Act, a technical committee is charged with
standardizing a way for a big platform to create interoperability with
other systems. We think this is too constraining.

Rather than mandate that big platforms *must* use this standard
interface, we argue that using the standard would give you a "safe
harbor" (if you used it, you'd be sure you were following the law).

But big platforms would have the option of creating *other* interfaces
that were technically equivalent to the standard, with strict penalties
and a private right action if the alternative wasn't as good as the

That way, tech companies could offer *more* interop (including interop
for features that don't even exist yet) without having to wait for
revisions to emerge from the standardization process.

VI. About that standardization process

ACCESS creates a new standards committee for each Big Tech platform,
separate from existing standards bodies (which have a deserved rep for
being hostage to the tech giants). The structure of this standardization
process needs work.

First, the law specifies a minimum number of reps from Big Tech,
independent privacy experts, and smaller companies (as well as a rep
from NIST), but it doesn't set *maximum* numbers for these.

So it would be fine under the ACCESS Act for Facebook's "independent"
technical committee to consist of a NIST rep, two academics, two startup
people, and 500 Facebook lawyers and engineers. That's obviously not
right and it should be fixed in markup.

The current ACCESS draft doesn't provide for public scrutiny of the
standards development process. The tech committee's work should all be
public, with opportunities for public comment and a requirement to
answer substantive issues raised during comment periods.

Finally, the Act doesn't guarantee public access to the final standard
(only "competing businesses or potential competing businesses" get to
see it). That's absurd. It's the law, the law should be public, and we
should all be able to see it and implement it. I mean, duh.

None of this stuff is insurmountable; a lot of it appears to be
oversights, and other parts are probably good faith disagreements that
can be hashed out during markup. We're so glad to see this bill
introduced and can't wait for the committee meeting!


👨🏽‍🦳 Juul's junk science

Every time I write about vaping and the extraordinary lengths that the
tobacco industry (epitomized by Juul, a sister company to Marlboro) has
gone to in order to convince children to vape, I hear from people who
tell me that vaping is safe, especially compared to smoking.

This month, I wrote "I Quit," about my own smoking cessation, with  some
of Juul's dirtiest tricks, including increasing the nicotine in its
child-targeted fruit flavors and its fake "mental health seminars" in
schools where they promote vaping.


One Juul trick I wasn't aware of at the time? Faking the research on the
safety of vaping.

In a just-published paper for BMJ Tobacco Control, a group of
evidence-based medicine specialists document Juul's safety research fraud.


The paper is paywalled, but they've also published a pre-press on
Oxford's research archive.

The authors document how Juul exhibits classic "reporting bias" in its
safety research studies.


"Reporting bias" is when you researchers report on studies (or parts of
studies) that support their employers' commercial goals (or their own
ideological ones), leaving out the results that are inconclusive or
harmful to their cause.

Reporting bias was once endemic to pharma research, to the point where
*half* of the human subject studies pharma companies started never
reported in.

Imagine a study of coin-tosses where you only reported half the results
- you could "prove" that coins *always* came up heads.

One of the most effective fighters against reporting bias is Ben
Goldacre, whose 2012 book BAD PHARMA documented the practice - and its
human cost - in eye-watering detail.


Goldacre went on to help found the Register of All Trials, where every
pharma trial is pre-registered in a public repository, allowing
regulators to disqualify drugs whose trials don't report in.

Goldacre is a co-author on the Juul study.


The Register of All Trials model has been replicated around the world,
including in the US, where the FDA maintains a similar repository. The
researchers used this to locate trials registered by Juul Labs and then
checked whether and how they'd reported in.

What they found was a classic case of reporting bias. Trials that
measured five phenomena might only report back on one or two of them,
which supported the safety of vaping (leaving us to assume that the
remainder showed vaping to be dangerous).

And, of course, some trials didn't report back at all.

This is deeply unethical.

For one thing, the trial subjects engaged in conduct potentially harmful
to their own health in order to further science.

It's bad enough if they were injured in these trials, but if the fact of
their injury was suppressed in order to serve Juul's profits, then they
were harmed for *nothing*.

The tobacco industry has a long history of bad science, of faking the
research on the way its products harm their customers. Juul tells us
that its products are safe, but it suppresses significant amounts of its
own research.

*Not one* of the Juul studies the researchers investigated had fully
reported in.



Now, maybe Juul is keeping its research outcomes a secret because it
knows we'll be delighted with the results and it doesn't want to spoil
the surprise.

But I'm not betting on it.


👨🏽‍🦳 Peloton bricks its treadmills

"Tread," a $3000 "smart" treadmill from Peloton, is a deathtrap. 125,000
Treads have been recalled after the devices injured 72 people and killed
a child.


Say what you will about Peloton's safety engineering, but never fault
the evil genius of its strategists. The company responded to the news by
bricking the Treads in the field and demanding $40/month "subscriptions"
from owners to continue using them.


The pretense here is that the subscription comes with safety software
that means that you treadmill will not maim you or murder your children.

This raises an obvious question: why not just put that software into all
the existing Tread devices for free?

But the answer is obvious. Because a free software update will cost the
company money, and charging $40/month will make the company money -
$480/year/customer, free net revenue for software that they've already

You might as well ask, "Why don't ransomware gangs just tell pipeline
owners about the defects in their software for free, rather than
demanding millions of dollars?"

I mean, ransomware gangs have bills to pay, and so does Peloton. No one
will write ransomware for free.

This is the predictable failure-mode of designing devices that can be
updated without their owners' permission or consent.

It's not even the first time Peloton has done this - in 2020, they
bought their competitor Flywheel and bricked all its bikes.


The whole scam is only possible because Peloton - like most other "smart
device" companies - gets to abuse copyright, patent, and cybersecurity
law to ban third parties from making alternative software for its devices.

Without laws like Section 1201 of the DMCA and the CFAA, a small group
of coders could hack up their own Tread firmware, one that re-enabled
the standalone mode, or offered a cheaper (or better) (or both)
subscription service.

Without Adversarial Interoperability (AKA Competitive
Compatibility/comcom), Peleton's dead hand lays on your property
forever, long after you've paid, and if you have demonstrate disloyalty
to its shareholders, that hand punches you in the face.


Devices that answer to their manufacturers, not their users enable a
toxic new usury, with riskier loans made to precarious people, with the
threat of "digital repossession" to ensure a steady flow of payments
that are securitized as bonds.


Peloton is in the usury business, lobbying Iowa's legislature to
maintain the "rent-a-bank" system preferred by loansharks who offer
Peloton financing at "0% down, 0% APR, 0% fees" but reserve the right to
charge *30%* APR in the fine-print.


This is dystopian on its face. My novella UNAUTHORIZED BREAD is a good
place to start if you want to see where the Internet of Shit leads us to
in terms of class war and exploitation.



👨🏽‍🦳 This day in history

#15yrsago Darwin’s tortoise dead at 176

#10yrsago A Brief History of the Corporation: understanding what an
attention economy is and where it comes from

#10yrsago Why fair use doesn’t work unless you’ve got a huge war-chest
for paying lawyers https://waxy.org/2011/06/kind_of_screwed/

#10yrsago University of Michigan to stop worrying about lawsuits, start
releasing orphan works

#5yrsago Broken Windows policing is nonsense

#5yrsago Misconfigured database exposes sensitive data for 154 million
US voters https://www.dailydot.com/debug/154-million-voter-files-exposed-l2/

#5yrsago To understand the Trump campaign, study real-estate developer

#5yrsago Writing the Other: intensely practical advice for representing
other cultures in fiction

#1yrago Against AI phrenology

#1yrago A/B Seattle

#1yrago Privacy in tracing tokens

#1yrago Congress wants to read all your DMs

#1yrago Blueleaks

#1yrago Surveillance electoralism


👨🏽‍🦳 Colophon

Today's top sources: Ben Goldacre (https://twitter.com/bengoldacre/).

Currently writing:

* Spill, a Little Brother short story about pipeline protests.
Wednesday's progress: 280 words (6554 words total).

* A Little Brother short story about remote invigilation.  PLANNING

* A nonfiction book about excessive buyer-power in the arts, co-written
with Rebecca Giblin, "The Shakedown."  FINAL EDITS

* A post-GND utopian novel, "The Lost Cause."  FINISHED

* A cyberpunk noir thriller novel, "Red Team Blues."  FINISHED

Currently reading: Analogia by George Dyson.

Latest podcast: Inside The Clock Tower

Upcoming appearances:

Future Tech: Working the Science into Your Fiction (Locus Awards), Jun
26, https://locusmag.com/2021-locus-awards-weekend/

Recent appearances:

* The ACCESS Act, Consumer Reports:

* Raging Chicken podcast:

* Darts and Lasers podcast:

Latest book:

* "Attack Surface": The third Little Brother novel, a standalone
technothriller for adults. The *Washington Post* called it "a political
cyberthriller, vigorous, bold and savvy about the limits of revolution
and resistance." Order signed, personalized copies from Dark Delicacies

* "How to Destroy Surveillance Capitalism": an anti-monopoly pamphlet
analyzing the true harms of surveillance capitalism and proposing a
(print edition:
(signed copies:

* "Little Brother/Homeland": A reissue omnibus edition with a new
introduction by Edward Snowden:
https://us.macmillan.com/books/9781250774583; personalized/signed copies

* "Poesy the Monster Slayer" a picture book about monsters, bedtime,
gender, and kicking ass. Order here:
https://us.macmillan.com/books/9781626723627. Get a personalized, signed
copy here:

Upcoming books:

* The Shakedown, with Rebecca Giblin, nonfiction/business/politics,
Beacon Press 2022

This work licensed under a Creative Commons Attribution 4.0 license.
That means you can use it any way you like, including commercially,
provided that you attribute it to me, Cory Doctorow, and include a link
to pluralistic.net.


Quotations and images are not included in this license; they are
included either under a limitation or exception to copyright, or on the
basis of a separate license. Please exercise caution.


👨🏽‍🦳 How to get Pluralistic:

Blog (no ads, tracking, or data-collection):


Newsletter (no ads, tracking, or data-collection):


Mastodon (no ads, tracking, or data-collection):


Medium (no ads, paywalled):


(Latest Medium column: "Illegitimate Greatness," on what we can learn
from Ida M Tarbell's century-old critique of John D Rockefeller

Twitter (mass-scale, unrestricted, third-party surveillance and


Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):


"*When life gives you SARS, you make sarsaparilla*" -Joey "Accordion
Guy" DeVilla

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: OpenPGP digital signature
URL: <http://mail.flarn.com/pipermail/plura-list/attachments/20210622/e67054e3/attachment.sig>

More information about the Plura-list mailing list