Closing arguments are being made this week in Google’s antitrust remedies trial, following U.S. district court judge Amit Mehta’s August ruling that Google held a monopoly in online search. The Justice Department is seeking a set of sweeping remedies that includes requiring Google to divest the Chrome browser and share search data with competitors. The nonprofit Center for Cybersecurity Policy and Law voiced concerns in its recently-filed amicus brief, concluding in short that the required data sharing remedies and Chrome divestiture would significantly increase privacy and safety risks, particularly in light of the evolving cybersecurity threatscape. In testimony during trial, Google’s vice president for security engineering Heather Adkins explained that a divested Chrome would lose access to Google’s robust security infrastructure that currently protects billions of users from sophisticated nation-state attackers.

This case brings to mind the recent spate of near midair collisions within the national airspace and one major accident—the tragic outcome of two aircraft on intersecting routes, pursuing legitimate missions, but lacking coordination that might have prevented disaster. In the tech policy realm, we are witnessing similar collisions wherein the pursuit of a valid public policy interest—often competition or consumer privacy—threatens separate but equally compelling public policy interests like national security and foreign policy.

A Pattern of Tech Policy Collisions

The Google case is only the latest in a generation of examples that demonstrate this troubling pattern. Let’s examine several key collisions:

EU Antitrust Proceedings and Windows Kernel Access

Following years of antitrust proceedings, the European Commission’s 2009 interoperability agreement with Microsoft required the software maker to provide third-party security vendors with the same level of API access to the Windows operating system as Microsoft’s own security products. This enabled vendors like CrowdStrike to operate at the Windows kernel level. When CrowdStrike’s faulty update deployed in July 2024, this deep access caused Blue Screen of Death crashes on 8.5 million Windows machines globally. While the European Commission disputes blame, the technical reality is that kernel-level access significantly amplified what might otherwise have been a contained software failure. Apple, by contrast, decided in 2020 to restrict macOS kernel access—a choice that shielded Mac users from similar widespread failures.

FTC’s Pursuit of Qualcomm Creates National Security Tensions

Consider another collision in the mobile technology sector. Qualcomm faced global antitrust scrutiny over its dominant position in mobile chipsets and patent licensing practices, creating a complex policy dilemma. While the Federal Trade Commission pursued the company for anticompetitive conduct starting in 2017, the Justice Department intervened on national security grounds, arguing that weakening Qualcomm could harm U.S. competitiveness against China’s 5G expansion. The DOJ warned that undermining Qualcomm’s business model might cede technological leadership to Chinese firms like Huawei, which are central to China’s Digital Silk Road initiative—Beijing’s strategy to expand digital infrastructure influence globally.

GDPR’s Unintended Impact on Cybersecurity & Fraud Prevention

European privacy regulation provides yet another example of tech policy collision. The European Union’s General Data Protection Regulation (GDPR), implemented in May 2018, fundamentally altered the WHOIS database—a public directory of domain registration information created in the early 1980s—by requiring registrars to redact personal data from public records. While technical details remain available, over 85% of major WHOIS providers now redact personal information globally, not just for EU domains. This has significantly hampered law enforcement, cybersecurity researchers, and brand protection efforts in investigating phishing, fraud, and other cybercrimes. Though legitimate users can still request access through registrars, the process is more cumbersome than the previous open-access model.

EU Competition Investigation Challenges Apple’s Security Model

The pattern extends to app store regulation. The European Union’s 2024 Digital Markets Act (DMA) investigation into Apple focused on the company’s restrictive App Store “steering” practices that prevented developers from directing users to alternative purchasing options outside Apple’s ecosystem. Following preliminary findings of non-compliance, Apple implemented changes allowing alternative app stores and external payment systems in the EU. However, Apple has consistently warned that these DMA-mandated changes increase fraud and security risks, citing concerns about malware, scams, and reduced ability to protect users.

SEC Disclosure Rules Raise Concerns About Aiding Attackers

The pattern appears in cybersecurity disclosure requirements as well. The U.S. Securities and Exchange Commission’s cybersecurity disclosure rules, effective December 2023, require publicly traded companies to disclose “material” cybersecurity incidents within four business days of making that determination, aiming to provide investors with timely, consistent information about cyber risks. However, cybersecurity experts and industry stakeholders have raised concerns that mandatory public disclosure—even without technical details—could inadvertently assist malicious actors by revealing their discovery and potentially other valuable intelligence about successful attack vectors and organizational vulnerabilities.

Lawful Access Systems Become Attack Targets

Perhaps most troubling is the collision between law enforcement access and national security. Under the Communications Assistance for Law Enforcement Act (CALEA), enacted in 1994, U.S. telecom providers must design their networks with built-in surveillance capabilities to facilitate court-authorized electronic monitoring for law enforcement investigations. However, the recent data breach involving several of those mandated systems by Chinese government cyber actors nicknamed SaltTyphoon demonstrates how these mandated “backdoors” become attractive targets for malicious actors. This vulnerability is not unprecedented—over 100 Greek government officials were illegally surveilled in 2004-2005 when unknown parties exploited Greece’s lawful access program.

The Cost of Collisions

The costs of these collisions are measurable and devastating. The CrowdStrike incident alone affected airlines, hospitals, and emergency services globally, demonstrating how competition-driven policies can create single points of failure in critical infrastructure. WHOIS redaction has complicated cybercrime investigations precisely when they’re needed most; according to Cybersecurity Ventures, cybercrime costs the world an estimated $9.5 trillion annually in 2024—making cybercrime the world’s third-largest economy after the U.S. and China if measured as a country.

Each collision represents a case where the pursuit of one legitimate policy goal—competition, privacy, transparency—created vulnerabilities in another critical area. Given its rapid—and well-deserved—rise to the fore, artificial intelligence looks to be the next in line for poorly coordinated domestic and global regulation and the inevitable tech policy collision.

Building an Air Traffic Control System for Tech Policy

What might an air traffic control system for tech policy look like, if even possible? Several existing models offer insights, though none fully address the challenge. For example, the Committee on Foreign Investment in the United States (“CFIUS”) and Team Telecom represent interagency coordination models, but they focus on narrow domains and lack judicial influence. The President’s National Security Telecommunications Advisory Committee offers a public-private partnership model, but operates primarily in an advisory capacity.

A more comprehensive approach might include:

• Cross-sector impact assessments before major regulatory actions to identify potential collisions early;
• Interagency coordination protocols for cases with national security implications, ensuring agencies don’t work at cross-purposes;
• Industry consultation mechanisms that bring private sector expertise into policy deliberations before rules are finalized; and
• International coordination frameworks for global regulatory alignment, preventing the regulatory fragmentation that creates security vulnerabilities.

We at the Institute for Security and Technology are keen to begin work on this increasingly urgent topic. The alternative—continued policy collisions that undermine multiple legitimate public interests simultaneously—is simply too costly to accept.