Today’s piece is about why auto sales in the United States are now on the fritz. Over the past week, key software used by car dealers has been disrupted by hackers. So the $1.2 trillion U.S. auto industry is paralyzed, with thousands of car dealers unable to sell cars and tens of thousands of consumers unable or finding it very hard to buy them.
While this story looks like a simple problem of clever hackers and lumbering software, it’s actually a story about how the Supreme Court defanged anti-monopoly law.
Let’s dive in.
Last Wednesday, Americans trying to buy a car were greeted with a troubling message. The system was down. Not everywhere, but at 15,000 of the roughly 18,000 auto dealers in the country, at giant dealers like AutoNation, Sonic Automotive, Penske Automotive Group, Group 1 Automotive, and Lithia Motors. A corporation named CDK Global, which had been taken over by private equity titan Brookfield in 2021, operated a software platform that serves as the nervous system for the car sales industry, what is known as dealer management software. And its DMS was down.
DMS helps dealers manage servicing, parts and inventory, vehicle financing, accounting, payroll, insurance information, customer information, completed and pending sales, etc. With that software down, auto dealers are paralyzed. And the system won’t be back up until the end of the month, at the earliest.
Car sales are still happening, but at a much slower pace. The few open dealers are deluged with customers, with one man in Minnesota driving 700 miles to buy a car. Some dealers reverted to pen and paper, but that caused its own problems. Consumers lost out on factory rebates, which couldn’t be applied without CDK software, nor could they legally drive their new cars, since electronic registration was impossible. The outage was a catastrophe for everyone involved. “The financial impact it will directly have on us will take months to correct, if not years,” said one Mazda dealer.
What happened? It turns out a Russian hacker group called BlackSuit found a vulnerability in CDK Global’s software, and hacked it. They then demanded tens of millions of dollars as a ransom. It’s not so different than what just happened to our health care system after UnitedHealth Group bought the critical health payment network Change Health, which then got held up by ransomware. The entire hospital and provider world quickly started bleeding cash, losing millions of dollars a day. Now it was the auto industry’s turn.
Perhaps worse than the hack itself was CDK Global’s response. Here’s the Wall Street Journal:
Chris Lemley, president of Sentry Auto Group, which sells Ford, Lincoln and Mazda vehicles at dealerships in New England, said CDK’s response to the crisis has been one of its most frustrating aspects.
“The emails they sent to customers were simply signed ‘CDK Customer Care,’ as if their executives were all too afraid to put their name at the end of an email,” he said. The messages tended to contain the same basic information, he noted, with no new details in real time…
“I have no idea what technological or security-related errors CDK management, and its private equity owner, Brookfield, may have made,” he said. “But their most fundamental and unforgivable error is a lack of leadership.”
CDK Global is indeed a rudderless organization, as are many private equity backed shops. It is what Americans in the 19th century used to refer to as an absentee owner, supposedly owning property, but unable to do caretaking of it. My guess is that BlackSuit hackers used some rudimentary technique, like cracking a password of 1-2-3-4-5, which is essentially how our nuclear weapons facilities were hacked through a private equity owned software company named Solar Winds in 2021.
It’s easy to get why CDK Global got hacked. What’s harder to understand is why CDK Global is still running the nervous system of most of America’s car sales industry. To get there, we have to go to an antitrust ruling by one of the most important Supreme Court justices of the 20th and early 21st century, Antonin Scalia. Because it was a ruling that allowed CDK Global to maintain its dominant position in the dealer management software industry, even as customers were primed to revolt.
The antitrust suit started, as many do, with a threat.
At a 2016 auto industry convention, Dan McCray, an executive at CDK Global, took an industry colleague, Steve Cottrell, aside. Cottrell was the founder of Authenticom, a partner and sometimes competitor of McCray’s firm. Cottrell’s firm helped connect auto dealers’ data to software apps, and it was so innovative and successful that it got singled out the year before by President Obama as an example of all that was right with American business. Authenticom competed fairly, paid good wages, and invested in workers, said Obama, even during the depths of the Great Recession.
To McCray, Authenticom’s track record of pleasing customers was a threat, not a virtue. Authenticom doesn’t make dealer management software, it helps run what is essentially an app store for dealers, built on top of CDK and its big rival Reynolds software. In the industry, running such an app store is known as being a ‘data integrator.’ CDK and Reynolds also run such app stores, on top of their own platforms. Just as consumers have a lot of different apps on their phone, auto dealers have a bunch of external vendors that use their data, to help with stuff like electronic titling, tracking vehicle inventory, managing service and repair appointments, dealing with recalls, etc.
McCray suggested to Cottrell that they “take a walk.” He led the entrepreneur down a service ramp to a secluded area, and told him a story. The year before, when Obama praised Authenticom, his firm, CDK and Reynolds had cut a deal. Together, they controlled 70% of the auto dealer software market. And they had decided they were no longer going to let firms like Authenticom get access to dealer data from their respective systems. Both shut down the ability of third party integrators to access data from their systems. CDK stopped doing data integration for Reynolds, and vice versa, which was market allocation. Dealers were unhappy. One dealer told CDK, “You do not have our authorization to disable user accounts. It is my data and I decide who has access to it.” It didn’t matter. CDK told the dealer it controlled access to the dealer’s own data.
So McCray gave him an ultimatum. Sell out to us for $15 million. “For god’s sake,” McCray said, “you have built a great little business, get something for it before it is destroyed otherwise I will f***ing destroy it.”
Cottrell then had a choice. Most of his fellow data integrators had given up, selling out or quitting the business. Threats tend to work, and a lawsuit against the titans in the industry upon whom he depended would cost millions of dollars and worse, huge amounts of time. But Cottrell didn’t like being bossed around. And what McCray was demanding was immoral; it wasn’t CDK Global’s data, it was information owned by car dealers, about their customers, their employees, and inventory. They should be able to do what they want with it, and use Authenticom’s better cheaper service if they chose. So Cottrell decided to fight. A year later, Authenticom sued both Reynolds and CDK Global, alleging the two firms formed a cartel to control the market, leading to high prices on inferior software for dealers.
Normally, these suits take years to have any impact, but shockingly, new district judge James Peterson granted Authenticom a quick injunction against the bad behavior, voiding “those provisions in its contracts with dealers or vendors that restrict, or have the effect of restricting, any dealer or vendor from obtaining data integration services from Authenticom,” including any provisions that “require, or have the effect of requiring, a software vendor to obtain integration services exclusively from [Reynolds or CDK] for all of that vendor’s applications or all of that vendor’s dealer customers.”
CDK Global and Reynolds would have to continue sharing data with third parties and their dealer customers. The market would be oxygenated.
And it made sense that they should lose. It wasn’t just the threat, which sounded like that of a mobster. Everyone knew CDK Global and Reynolds were dominant despite poor quality and high prices. Together, they held 70% of the franchise dealer market by number of dealers and 90% by number of cars sold. A small dealership paid up to $150,000 per year, mid-size dealership groups (5 to 10 stores) paid $1,500,000 or more per year, and large dealerships forked over more than $5,000,000 per year. A bunch of quick copycat suits followed on from angry auto dealers.
After they cut their deal to collude, CDK and Reynolds extended their market power in dealer management software into data integration. That’s what the Authenticom threat was about; not content with just owning dealer management software, they wanted Cottrell’s market of data integration to themselves as well. They also quickly raised prices. One dealer testified that in 2011 he bought data integration for $30-35 per dealer from Authenticom, vs $247 from Reynolds. Once collusion started, that price went up to $893. For CDK, pricing went from $160/month to $735/month. How did they justify these price increases? CDK said, well, we have to spend so much more on data security, which today looks laughable.
The injunction didn’t end the litigation, it was just meant to stop the harm while the case continued. But then something happened that is all too common in antitrust. The smarty pants set chimed in.
In 2017, Seventh Circuit appeals court judges heard the CDK Global case. The panel of judges included ‘legendary’ Democrat Diane Wood, who is often considered the most knowledgeable liberal on antitrust, as well as conservative law and economics titan Frank Easterbrook. In their enthusiastic opinion, they argued it was wrong to tell CDK Global and Reynolds who they could and couldn’t do business with. Judge Peterson’s decision, the panel of appeals judges said, “fails to adhere to the lessons of Verizon Communications Inc. v. Law Offices of Curtis v. Trinko,” a 2004 unanimous Supreme Court decision authored by Scalia, and one widely considered the most important monopolization decision of the 2000s, one that in a very real sense paved the way for firms like Google, Facebook, and Amazon to become Big Tech.
So what is this Verizon vs Trinko decision? At heart, Trinko was part of a series of decisions that made it harder to bring monopolization claims against platforms.
The facts of the Trinko case were somewhat similar to what we’d see with most platforms, including Authenticom. At the time the case was brought, Verizon was a local phone monopoly controlling access to customers. The 1996 Telecom Act had required Verizon to lease its lines to competitors at a wholesale rate so that they could compete with Verizon to sell telecom services. But Verizon had refused to do so, and the FCC didn’t really enforce the Telecom Act. So customers, led by a law firm run by Curtis Trinko, sued under the Sherman Act, alleging Verizon had monopolized the market by refusing to give rival phone companies access to their network, and thus deprived them of competitive options and cheaper prices.
The Supreme Court ruled for Verizon, asserting that corporations, even monopolists, have no duty to deal with rivals. In the decision, Scalia offered an astonishing and ringing rhetorical endorsement of monopoly. “The mere possession of monopoly power and the concomitant charging of monopoly prices,” he wrote, “is not only not unlawful; it is an important element of the free-market system.” Forcing such firms to “share the source of their advantage is in some tension with the underlying purpose of antitrust law, since it may lessen the incentive for the monopolist, the rival, or both to invest in those economically beneficial facilities.” Trinko is a potent weapon for the monopolist. Judge James Boasberg, for instance, used the decision to dismiss an antitrust claim against Facebook, and it’s going to be a key decision for Apple in its defense against the Antitrust Division.
That said, the analogies for Trinko to Authenticom aren’t perfect. Trinko involved a monopolist giving access to a direct competitor to its system, whereas Authenticom was about giving access to a customer or partner. Moreover, the Telecom Act applied to Verizon, meaning that regulation was supposed to fill in if antitrust couldn’t. No such regulatory fallback existed for Authenticom, or any tech platform for that matter.
Nevertheless, in their opinion, Wood and Easterbrook enthusiastically used Trinko to undercut the Authenticom case, under the premise that interfering with CDK Global’s ability to restrict access to its system would limit its incentives to invest in its own software. And so the judiciary enabled yet one more economic termite, in the form of fortifying an auto dealer software cartel.
There was one more inflection point before we get to last week’s hack, which was government enforcement action. In 2018, CDK Global tried to buy a small rival, Auto/Mate, but the Federal Trade Commission, as flaccid as it was under Trump, blocked the deal. So there are some auto dealers who escaped the 2024 meltdown as a result. But unfortunately, the FTC could have fixed the whole problem, and had a monopolization investigation ongoing. But it likely shut down the investigation.
Private litigation, as well as follow-on complaints from auto dealers, continues to this day, with no incentive for the cartel to fix the market, but plenty of incentives to continue paying lawyers. There were allegations of computer fraud and accusations against Reynolds’ billionaire CEO Robert Brockman of “intentional destruction of evidence.” (The Federal government would later accuse Brockman of hiding $2 billion from the IRS, the largest tax fraud in American history.) Car dealers are still litigating.
In 2021, CDK Global was sold off to private equity, probably because of its pricing power and because Brookfield saw the ability to cut spending on extraneous things like security to generate cash. And then, in 2024, BlackSuit took advantage of these weaknesses to break into CDK Global and paralyze our car sales industry.
This story isn’t a one-off. It happens in places you might not notice. I’ve mentioned health payment network Change Health, which got hacked after Judge Carl Nichols overruled the Antitrust Division and let UnitedHealth Group buy it. It happens among no name but important software companies, like when hackers took advantage of private equity acquisitions to hack the New York City subway, or when they broke into consumer software that holds bank passwords. It also happens to fancy and famous big firms. After a spree of acquisitions in the cybersecurity space, for instance, Microsoft refused to fix known security flaws, opening the door to corporations and governments getting hacked.
Monopolization and vulnerabilities to hacking go together, because monopolies produce poor quality software. And that’s the story with CDK Global and Reynolds. The whole crisis was avoidable, because there were possible entrants into the market that could have forced them to offer better software at cheaper prices. “Anybody who knows anything about the conduct of American business,” historian Richard Hofstadter noted in 1964, “knows that the managers of the large corporations do their business with one eye constantly cast over their shoulders at the antitrust division.”
That’s no longer true. And Wood and Easterbrook, dancing to the tune of Scalia, butchered antitrust law, which led to CDK Global’s investment in lawyers instead of quality assurance engineers. And so now people can’t buy cars.
There is some good news here. The FTC could relaunch its investigation of CDK Global and Reynolds, and would have political support if it did, especially because it’s increasingly clear cybersecurity vulnerabilities and consolidation are related.
There’s also intriguing news on the legal front. In 2023, three judges in the 10th circuit, spurred by an amicus brief from the Biden Antitrust Division, started the narrowing of Trinko, ruling in Chase Manufacturing v. Johns Manville Corporation that the Scalia-authored opinion only applies to monopolists who don’t want to deal with rivals. If a monopolist is refusing to deal with a customer or dealer, then a different precedent, Lorraine Journal, applies, allowing for antitrust claims to move forward.
This shift is a big deal, because the Authenticom injunction could have been upheld today under that framework. And we wouldn’t have to deal with a frozen auto dealer network. More broadly, under this new precedent, tech platforms cannot use Trinko to defend themselves as easily as they have been.
Trinko, and the series of cases descended from it, could be rolled back further, especially as the philosophy underpinning it is eroded. After all, when writing that decision, Scalia wasn’t dealing with a world full of platforms and app stores, or hacks and disasters. It was 2004, and Google was still a small company that one could believe was doing no evil. There’s a reason the decision was unanimous. The philosophy of mid-20th century economist Joseph Schumpeter, often considered the patron saint of Silicon Valley having coined the term ‘creative destruction,’ was ascendant.
Schumpeter hated antitrust law, arguing in his 1942 book Capitalism, Socialism, and Democracy that antitrust was foolish for two reasons. First, monopolists were inherently checked by the ever present potential of disruptive new technology. “A monopoly position is in general no cushion to sleep on,” he wrote, defending then-monopolist Alcoa in its ongoing antitrust litigation. “As it can be gained, so it can be retained only by alertness and energy.” And second, monopolies were the entities who delivered innovation precisely because their market power afforded them the luxury of long-term planning and investment. Big business is “the most powerful engine of progress… not only in spite of, but to a considerable extent through, this strategy which looks so restrictive when viewed in the individual case.”
The logic from Schumpeter to Trinko is direct. And yet, it’s also quite obviously wrong. From Boeing to Too Big to Fail banks, many examples, far beyond the CDK Global and Reynolds situation, where incumbents used their consolidated position to hinder innovation and lower quality, shows that Schumpeter’s thinking about commerce is both old and odd.
That said, there’s also an important legal reason why Trinko was problematic. Schumpeter opposed antitrust law itself. But Scalia didn’t. He was simply rewriting antitrust law from the bench. Such behavior today outrages conservatives, who often talk about the need to stick to statute and not have judges impute meaning to laws beyond what Congress legislated.
On a basic level, as Justice Oliver Wendell Holmes once said, “The life of the law has not been logic, but experience.” Today, it’s obvious that those who control platforms are reckless financiers, not sober entrepreneurs with an aggressive fear of the next wave of technology making them obsolete. And judges, like the rest of us, are starting to see the difference. Not in time to stop the CDK Global hack, but perhaps in time to stop the next vulnerable system controlled by an absentee owner.
Thanks for reading! Your tips make this newsletter what it is, so please send me tips on weird monopolies, stories I’ve missed, or other thoughts. And if you liked this issue of BIG, you can sign up here for more issues, a newsletter on how to restore fair commerce, innovation, and democracy. Consider becoming a paying subscriber to support this work, or if you are a paying subscriber, giving a gift subscription to a friend, colleague, or family member. If you really liked it, read my book, Goliath: The 100-Year War Between Monopoly Power and Democracy.
cheers,
Matt Stoller
P.S. Yes I know it was President Scroob, not Dark Helmet, who demanded his luggage combination be changed.
Originally Published: 2024-06-27 14:50:41
Source link