In an amicus curiae brief filed in the antitrust case, United States v. Google LLC, the Center for Cybersecurity Policy and Law (CCPL) urges the U.S. District Court for the District of Columbia to account for cybersecurity – and public safety – in mandating remedies for the case. CCPL’s position is simple: efforts to promote market competition should not come at the expense of cybersecurity, user privacy, or public safety.

Specifically, the brief:

• Reminds the court of the combination of nation-state actors and financially motivated criminals have fueled an exponential increase in cybercrime. 
  
  • The brief highlights the increasingly sophisticated actions of cyber criminals and malicious foreign adversaries that seek access to Americans’ data and intellectual property – and the associated risks to national security and personal privacy. This part of the brief also warns how vulnerabilities in a single app or data transit point can provide an entry point into broad systems – leading to far-reaching exposure of data and potential surveillance.
• Warns that some of the Government’s proposed remedies risk undercutting key security and privacy protections – thus undermining the security and privacy of users. 
  
  • Of particular concern, the Government proposes a requirement that Google shares numerous datasets – including its search index and ad data – with so-called “Qualified Competitors.” In short, this is a requirement that Google share search queries and click information going back a year. This is not limited to technical information. It includes information that can reveal incredibly sensitive information about a person’s health concerns, political affiliations, religious beliefs, location – providing valuable insight into user behavior, preferences, and patterns of activity. 
  • The Government claims that security and privacy concerns can be dealt with “suitable” privacy and security safeguards, using “ordinary course techniques” to remove personally identifiable information. But as the government’s own expert highlighted, what is suitable depends on a complicated assessment of the properties of the data, context in which it is shared, and intended use. 
  • There is also no “ordinary course” for even defining, let alone removing, personally identifiable information, and even with sophisticated de-identification tools, the risk of re-identification exists. What would best protect the data – such as large-scale redactions, generalization and aggregation of data, noise addition, hashing, and pseudonymization – run counter to what appears to be the purpose of the proposed remedy, which is to give competitors access to sufficiently granular data to be able to recreate much of what Google has build.
  • CCPL also urges the court to weigh the potential security risks with respect to the proposed divestiture of Chrome, particularly given the lack of information about a future buyer and government proposal that they have sole discretion in approving such buyer.  As the Center notes, the security of Chrome impacts the security or any person or organization that downloads it. A divestiture that results in increased vulnerabilities in Chrome – or even worse, malicious code being transmitted through browser updates – would have negative consequences for the security of the digital ecosystem and general public safety.
• Forewarns that the Government’s proposed Technical Committee to oversee the data sharing provisions, including the security and privacy elements, does not adequately address the concerns.
  
  • The key security and privacy questions, and their implications for public safety, are simply too significant to delegate to a committee, let alone one that has not yet been stood up.

Broader Considerations

This brief builds on the Center’s ongoing work spotlighting the unintended security harms of policy interventions in the digital ecosystem. In earlier amicus filings – including in cases involving app market regulation and consumer data protection  – the Center has noted that even well-intentioned reforms can inadvertently degrade cybersecurity protections if not properly scoped and safeguarded. (See the Center’s amicus briefs in Epic Games v. Apple (2020) and Epic Games v. Google (2024))

The Center’s report on Trusted App Stores similarly warned of the risks that arise when regulatory mandates force competition outcomes, like openness or interoperability, without sufficiently accounting for security. Any complex system will suffer when it is thrown off balance, and our digital ecosystem is no different.

The Center strongly supports competitive digital markets, but also considers strong cybersecurity as critical for creating those competitive markets. Competition remedies and other policy proposals designed to increase competitiveness should preserve or enhance, rather than compromise, the cybersecurity foundation upon which the digital economy depends. 

The Center urges the court in the Google case to prioritize core security concerns and to ensure that any proposed remedies adequately address the risks to privacy and national security. 

Competition policy and strong cybersecurity should go hand in hand.

‍