Platform Risk: What Online Platforms Really Owe Their Users
There’s a decent chance that you found this post through social media. Most of us today use some form of social media: Instagram, Facebook, X/Twitter, TikTok, and a few others. There are other platforms that we need to consider when we explore today’s topic of platform risk. We use online marketplaces like Amazon and other retailers, as well as the online versions of some of the brick-and-mortar stores we visit. There are Software-as-a-Service and Cloud services, like some office products, entertainment services like Spotify, and storage services like Dropbox. New(ish) to the scene are fintech/crypto platforms, including cryptocurrency exchanges and microlenders.
With so many different types of platforms, each boasting millions of users, we know there must be certain risks. They function as intermediaries for everything from personal relationships to financial markets and even critical infrastructure. It would seem obvious that each platform owns a particular set of responsibilities, but evidently that’s not the case. The question looms for us: Are Internet platforms neutral pipes, or are they active actors with duties to users and society at large? We’ll look at this today, considering everyday user risks, institutional risks, how platforms make money, and where the law is starting to hold them accountable.
COMMON RISKS TO GENERAL USERS
Since you’re reading a blog owned and written by one independent person, you’re probably a “general user.” As a general user, your risks are different from those that threaten institutional users, which I’ll define in just a minute.
Everyday Harms on Mainstream Platforms
You need to be alert to the exposure you face to scams, harassment, cyberbullying, impersonation, and misinformation on social media and messaging apps. Data harvesters scrape the web looking for information to sell in bulk to marketing agencies and others. Thieves are always trying to steal identities; phishing messages try to get you to click on malicious links and provide account information; someone would love to take over one or another of your accounts, and if you make someone mad, they may “dox” you by publishing your address and phone number to large audiences. If that isn’t enough, we need to add mental health and behavioral impacts of Internet use: the addictive design of many platforms, social comparison, sleep disruption, and problematic use, especially among teenagers.
Design Choices that Amplify Risk
Have you ever opened an app planning to spend a minute on it and found yourself, an hour later, still scrolling through it? That’s the behavior that the app designers want from you. Most social platforms thrive on keeping you on their site, so their algorithms amplify some harmful or misleading content because it drives more engagement. If you feel a sense of outrage and must respond, if you completely agree and feel a compulsion to give a “heart” or “thumbs up,” you’ve engaged. You’ve done what they hoped you’d do.
Then there are the “dark patterns” — these are tricks designed into website interfaces that platforms can use to steer you into actions that benefit the platform at your expense. They don’t look like scams; they’re more like a check-box you didn’t notice that might say something like “Please sign me up for marketing messages.” In reality, it behaves like “Oh, please, please, please, please send me a hundred messages a week!” Another dark pattern can show up as “No, thanks, I don’t like saving money.” It may seem obvious while you’re sitting here reading this, but in the heat of a buying moment, it’s effective enough that marketers use it a lot. These aren’t the only dark patterns, but now that you’re aware of them, you’ll start seeing them everywhere.
There are also weak default settings and controls that only do part of what they should. They push the responsibility for self-protection onto users while serving the platform’s growth. It can be extremely difficult to find the terms of service for a new app, but once you do find them, the legalese is often intimidating. As a result, most of us just click to agree to them without having a clue what we’re agreeing to.
Why “You Took the Risk” Rings Hollow for Individuals
Many times, we don’t see or evaluate the real risks that these data flows and algorithms drive. Often, platforms lock us into their networks; they function as default public squares, job markets, and communication infrastructure, making “just say no” or “opt out” unrealistic actions. We’re also seeing, increasingly, that certain groups, like adolescents, are just more vulnerable to these harms, and so they need additional safeguards.
DEEPER, SYSTEMIC PLATFORM RISKS TO INSTITUTIONAL USERS
An “institutional user” is a person or account using a product on behalf of an organization rather than for their own private, individual purposes. Since they are acting on behalf of an organization, their actions can impact masses of others – not just the people who work at that organization, but possibly customers or clients, and even casual contacts of the organization. Because they’re not acting on their own behalf, the risks can be very different and much broader.
Platform Risk for Businesses and Organizations
Organizations face a “rented land” problem. That is, brands, creators, and media outlets depend on third-party distribution – social media feeds, app stores, and ad networks, for example – that can change the terms, algorithms, and access literally overnight. The revenue structure and audience numbers are fragile when a platform can throttle links, suspend accounts, or change recommendation systems without notice and without recourse. Content publishers, software providers’ customers, and e-commerce sellers are often at the mercy of a single platform’s Application Programming Interfaces (APIs), marketplaces, or payments stack.
Operational, Cyber, and Compliance Risks
Digital-asset and fintech platforms can suffer from operational failures, custody breaches, market manipulation, and unclear regulatory systems and functions. That could leave them at risk of severe financial and legal losses. There can be third-party and supply-chain risks that are beyond the control of the organization. Some of these risks include security flaws, compliance failures, and outages, and they can result in downtime or data breaches. Cross-border data flows carry a unique and complicated set of risks to customer confidentiality and privacy.
Fiduciary, Reputational, and Systemic Consequences
Institutions have duties to protect customer data and to maintain a certain level of operational resilience, so they can’t rely blindly on “as-is” platforms. An organization’s reputation can suffer as well when the platform experiences an incident that undermines public trust in it, such as a misinformation campaign, content suppression, or a breach announcement. However, there’s an emerging view that platforms themselves may hold a quasi-fiduciary obligation when they handle financial or highly sensitive data.
HOW PLATFORMS MAKE MONEY, AND WHY IT MATTERS
One of my driving principles is that I don’t buy stock in a company if I can’t explain how they make money. I believe that’s an important thing to be able to understand if I’m going to be doing any sort of business with someone. This table shows the type of digital platform, how it makes money, and how that revenue model promotes the incentive to push risk onto their users.
| Platform Type | Typical Revenue Model | Risk Incentive |
| --- | --- | --- |
| Social Networks | Ads, data‑driven targeting | Engage at all costs, even via polarizing or harmful content. |
| Marketplaces | Transaction and commission fees | Maximize volume, sometimes at the expense of vetting sellers |
| SaaS/Cloud Services | Subscriptions, usage‑based pricing | Keep uptime and lock‑in high; security may lag growth |
| Fintech/crypto | Transaction, spread, lending, and custody fees | Push usage of risky products; security failures devastate users |

Here are a few things that the table illustrates:
- Ad-driven models reward increasing engagement, even if that means that the platform will recommend borderline content or that it will fail to aggressively monitor and punish abuse.
- Transaction and marketplace models reward growth in volume and certain categories before concern for safety and due diligence.
- Subscription and enterprise contracts can align incentives better, but they may still under-prioritize long-term security if the turnover remains low.
The Misalignment Between User Safety and Platform Growth
Investments in safety and security are often in direct conflict with short-term metrics like growth, time-on-site, and transaction volume. The revenue models that depend on being able to collect user data and behavioral profiling make it expensive for platforms to allow customers to default to minimal tracking or privacy preservation. Those platform lock-in strategies I mentioned above discourage transparency about risks and failures.
LEGAL PRECEDENTS ON PLATFORM RISK AND EMERGING DUTIES
Times are changing as the Internet matures. Many jurisdictions used to treat certain platforms more like conduits than publishers, which shielded them from any liability for user-generated content. These safe harbors are coming under pressure as regulators and courts have to deal with misinformation, online harms, and systemic design risks. A new generation of legislators is increasingly able to distinguish between passive content hosting and active design choices that shape amplification and user behavior.
Some legal scholars are arguing for frameworks outlining Platform Design Negligence. These frameworks would specify that companies may be liable when design choices can foreseeably facilitate deception or harm. Courts and regulators have started to recognize that platforms may bear some responsibility around data security and cybersecurity, especially where negligence leads to breaches or financial loss. We’ve seen some decisions and reports from regulatory agencies treat failure to implement reasonable security and risk mitigation measures as grounds for financial restitution.
Corporate officers in some jurisdictions may face personal liability when their direct control of security policies and budgets causes user harm. There’s been an upsurge in class actions and regulatory enforcement remedies, like mandated security improvements, audits, and changes to algorithms and default settings. Institutional users may also benefit from some overlapping regulations and duties that a platform can’t completely waive with “as-is, you know the risks” disclaimers. If one aspect of a platform may be able to get away with something, some other aspect of it may not.
WHAT PLATFORMS OWE TO DIFFERENT KINDS OF USERS
Having explored all of that, where are we with our original question? Do different platforms owe us anything at all? Do they owe us anything under some conditions but not others? Here’s a basic rundown of what has either been legally defined, court-decided, or self-determined by the platforms.
A Baseline Duty of Care to General Users
We should expect reasonable content moderation and abuse prevention that is aligned with known risks, especially to vulnerable populations. Platforms ought to provide transparent, usable controls over privacy, data usage, and safety features, with default settings that favor protection over maximizing data collection. We have a right to honest communication about risks, limitations, and incidents. Platforms should avoid deceptive design and security theater.
Heightened Duties to Institutional and High-Risk Users
Platforms that serve institutions and other high-risk users should provide robust, auditable security practices and uptime commitments when organizations rely on platforms for critical operations or asset custody. (Asset custody is when a trusted third party holds and safeguards your money or investments for you, while you stay the legal owner.) Normal operations should include clear contract terms on liability, incident response, data retention, and exit and switching options. Platforms should have in place governance structures that treat platform failures as systemic risks, instead of just PR issues.
Rethinking “Use at Your Own Risk”
That old disclaimer model assumed a symmetry of power and information. That symmetry just doesn’t exist in our modern digital communications ecosystem. Anytime a platform profits from shaping behavior and collecting and holding sensitive data, it also inherits duties to anticipate, mitigate, and remediate foreseeable harms. Enough information about threats and risks exists to make that possible.
YOUR TURN
What experiences have you had that have shaped your opinion of what responsibilities platforms have to us? What should the future be? Should we lean toward maintaining a “Wild West” atmosphere in cyberspace, should we have a world where everything is governed and regulated, or is the sweet spot somewhere in between? Tell me about it in the comments section.
