Research Article

Balancing security and contestability in the DMA: the case of app stores

Received 14 Feb 2024, Accepted 26 Feb 2024, Published online: 11 Apr 2024

ABSTRACT

The EU’s Digital Markets Act will require certain large tech firms’ ecosystems to become more open. The Act contains few exceptions – but law-makers did include special protections for undertakings providing operating systems, like Apple and Google, to protect security. This paper explores how the Commission should assess these measures. It argues that security is not a “trump card” to undermine the Act’s objectives – instead, Apple and Google must balance security benefits of their measures against any limitations on contestability. Furthermore, the Act should continue to allow both firms to differentiate their products’ approach to security. However, Apple’s (and to a lesser extent Google’s) security measures are likely to be heavily disputed. The Act does not give the Commission effective powers to efficiently resolve such disputes nor to force gatekeepers to change their approaches to security.

Disclosure statement

Apple and Google are general corporate members of the Centre for European Reform.

Notes

1 Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector.

2 Statista, ‘Distribution of Time Spent Worldwide Using Mobile Browsers and Apps in 2022’, 3 April 2023.

3 See, eg, DMA arts 5(3), 5(4), 5(5) and 5(7).

4 Corporate Europe Observatory, ‘Big Tech’s Last Minute Attempt to Tame EU Tech Rules’, 23 April 2022.

5 See Apple, ‘Building a Trusted Ecosystem for Millions of Apps: A Threat Analysis of Sideloading’, October 2021.

6 Security is also mentioned in art 7 of the DMA, in relation to the obligation to ensure interoperability of a gatekeeper’s number-independent interpersonal communications services (such as instant messaging platforms). This is outside the scope of this paper, although much of the analysis in this paper may in practice also apply to art 7.

7 European Commission, ‘Joint Communication to the European Parliament, the European Council and the Council on ‘European Economic Security Strategy’’, JOIN(2023) 20, 20 June 2023.

8 According to the EU’s Cyber Security Strategy 2021, “around two-fifths of EU users have experienced security-related problems and three-fifths feel unable to protect themselves against cybercrime” while “one-third have received fraudulent e-mails or phone calls asking for personal details”: Joint Communication to the European Parliament and the Council, ‘The EU’s Cybersecurity Strategy for the Digital Decade’, JOIN(2020) 18, 16 December 2020.

9 These include a 2013 directive harmonising criminal offences and penalties for cyberattacks; the 2016 Network and Information Systems (NIS) Directive (replaced and expanded in scope in early 2023 to cover areas like healthcare and cloud infrastructure); the 2019 Cyber Security Act; the 2022 Directive on Critical Entities Resilience; the EU’s Hybrid and Cyber Diplomacy Toolboxes; the 2022 Digital Operational Resilience Act; and the proposed Cyber Solidarity Act.

10 Jeffrey Voas and others, ‘Cybersecurity Considerations for Open Banking Technology and Emerging Standards’ NIST (3 January 2022).

11 Certain communications services (known as “number independent interpersonal communications services” or “NIICS”) will be subject to obligations to ensure interoperability, so that users of one NIICS service can communicate with users of a regulated NIICS service. This obligation is also subject to security provisions but these are outside the scope of this paper.

12 European Commission, ‘Digital Markets Act: Commission Designates Six Gatekeepers’ press release (6 September 2023). At the time of writing, the Commission had also opened a market investigation to assess whether Apple’s tablet OS, iPadOS, should be designated. As iPadOS operates with a business model and security features largely similar to iOS, the remainder of this paper focuses solely on iOS. The relevant rules also apply to core platform services which are virtual assistants. However, no virtual assistants have been designated by the Commission.

13 For example, Microsoft has published a set of principles which commits it to an open ecosystem by not insisting on its own app store being the exclusive means of distribution. See Rima Alaily, ‘10 App Store Principles To Promote Choice, Fairness and Innovation’, <https://blogs.microsoft.com/on-the-issues/2020/10/08/app-store-fairness-caf-interoperability-principles/> accessed 8 October 2020.

14 Both Microsoft and Google do produce personal computers and/or smartphones which run their OSs, but in both cases this represents only a small proportion of their OS’s usage numbers.

15 See Fiona Scott Morton, ‘Digital Market Act designations: The Interoperability of Google Android’ Bruegel (8 November 2023).

16 Competition and Markets Authority, ‘Mobile Ecosystems Market Study: Final Report’ 10 June 2022, para 4.73.

17 One exception is “jailbreaking”, or the use of unauthorized modifications to iOS to bypass Apple’s security measures. Apple treats jailbreaking as a violation of the iOS software license agreement. See Apple, ‘Unauthorized modification of iOS’, <https://support.apple.com/en-gb/guide/iphone/iph9385bb26a/ios> 2023.

18 Some of Google’s practices regarding its services were the subject of the European Commission’s decision in the Google Android antitrust investigation: Commission Decision AT.40099 – Google Android, 18 July 2018.

19 Competition and Markets Authority, ‘Mobile Ecosystems Market Study: Final Report’, 10 June 2022, Appendix N, para 37.

20 Mishaal Rahman, ‘Android 13's New Sideloading Restriction Makes it Harder for Malware to Abuse Accessibility APIs’ Esper (3 May 2022).

21 So-called progressive web apps can also be downloaded and run offline, like other types of apps. However, they are not typically considered to be capable of providing the full experience of normal apps and therefore I have not focused on them in the remainder of this paper.

22 US Department of Commerce, National Telecommunications and Information Administration, ‘Competition in the Mobile App Ecosystem’, February 2023, pp 25–27.

23 See Jan Krämer and Richard Feasey, ‘Device Neutrality’, CERRE Report, June 2021. The Commission’s designation of Android OS includes Google Play Services, a separate software package which includes APIs required for many apps to function on Android.

24 Alex Hern, ‘Microsoft to Let Developers Keep All Their Windows App Store Revenue’ The Guardian (25 June 2021).

25 Dieter Bohn, ‘Why Amazon got out of the Apple App Store tax, and Why Other Developers Won’t’ The Verge (3 April 2020).

26 A US district court referred to Apple’s operating margin for the App Store at over 70%, for example: Epic Games v Apple (US District Court), ‘Rule 52 Order after Trial on the Merits’, 10 September 2021, p 44.

27 See Scott Morton, ‘Digital Market Act designations: The Interoperability of Google Android’ Bruegel (8 November 2023).

28 On Android devices, many important APIs are not part of Android (which is an open-source OS) and are only available through a separate proprietary package of services licensed by Google, called Google Play Services. Access to Google Play Services is tied to various conditions including pre-installation of the Google Play Store, thus securing the store’s predominance as an app distribution mechanism on Android devices. See Fiona Scott Morton, ‘Digital Market Act designations: the interoperability of Google Android’, Bruegel, 8 November 2023.

29 Apple, ‘Apple Introduces New Options Worldwide for Streaming Game Services and Apps That Provide Access to Mini Apps And Games’, 25 January 2024.

30 Nokia, ‘Threat Intelligence Report 2023’, <https://www.nokia.com/networks/security-portfolio/threat-intelligence-report/> accessed 12 November 2023.

31 Positive Technologies, ‘Vulnerabilities and Threats in Mobile Applications, 2019’, 19 June 2019.

32 Andy Greenberg, ‘How Safari and iMessage Have Made iPhones Less Secure’ Wired (9 September 2019).

33 The Commission is investigating Apple’s insistence that apps use Apple’s own in-app payment system for paid digital content (the mechanism through which Apple currently collects its 30% fee). See European Commission, ‘Antitrust: Commission Opens Investigations into Apple's App Store rules’ Press release (16 June 2020). The Dutch competition authority pursued a long-running investigation against Apple also in relation to Apple’s in-app payment system. Competition and Markets Authority, ‘Mobile Ecosystems Market Study: Final Report’, 10 June 2022, Appendix H, paras 6 and 9. In the Netherlands, Apple changed its policy regarding payment methods for dating apps to comply with requirements imposed by the Dutch Authority for Consumers and Markets (ACM): see ACM, ‘ACM: Apple changes unfair conditions, allows alternative payments methods in dating apps’, Press release, 11 June 2022. The CMA is similarly considering commitments by Google to close an antitrust investigation regarding the use of alternative payment systems: see Competition and Markets Authority, ‘Proposed commitments regarding changes to Google Play’s rules to allow certain app developers to use alternative billing systems for in-app purchases’, consultation paper, 19 April 2023.

34 The Commission is, for example, investigating Apple’s refusal to allow third-party apps to use the payments chips on iPhones so they can offer the same “tap and go” functionality of ApplePay. European Commission, ‘Antitrust: Commission sends Statement of Objections to Apple over Practices Regarding Apple Pay’ Press release (2 May 2022).

35 As in the Netherlands, where Apple changed its commission from 30% to 27% for dating apps which chose not to use Apple’s payment system: see Romain Dillet, ‘Apple to Charge 27% Fee for Dutch Dating Apps Using Alternative Payment Options’ TechCrunch (4 February 2022).

36 Anthony Cuthbertson, ‘Tim Cook Says New European Law Would ‘Destroy’ iPhone security’ The Independent (16 June 2021).

37 Björn Lundqvist, ‘Reining in the Gatekeepers and Opening the Door to Security Risks’ CEPA insight (30 March 2023).

38 Apple submission to ACCC Digital Platform Services Inquiry, App Marketplaces Issues Paper, 2 October 2020. These incentives may be weakened now that most consumers have smartphones and given that few existing smartphone users switch between iOS and Android: Competition and Markets Authority, ‘Mobile ecosystems market study: final report’, 10 June 2022, p 28.

39 Epic Games v Apple (US District Court), ‘Apple’s Answer and Counterclaims to Epic’s Complaint for Injunctive Relief’, 8 September 2020. <https://www.documentcloud.org/documents/7203851-Epic-v-Apple-counterclaims.html>.

40 Apple, ‘Mobile Ecosystems Market Study: Apple Response to Interim Report’, 7 February 2022, p 2.

41 ibid 19.

42 For example, the Swiss competition authority has publicly stated that Apple takes approximately 44% of a card-issuing bank’s fees for ApplePay transactions: Schweizerische Eidgenossenschaft, Wettbewerbskommission, ‘Verfügung – Untersuchung 22–0389 – Kreditkarten Domestische Interchange Fees II’, 1 December 2014. Note that retailers pay the same acceptance fees for card transactions, with no specific additional charge for ApplePay transactions. Apple’s fees therefore appear to take revenue from card-issuing banks’ profits, but it cannot safely be concluded that this leads to higher charges for retailers or consumers.

43 Autoriteit Consument & Markt, ‘Market Study into Mobile App Stores’, 11 April 2019, p 105. There have also been more limited examples of security-enhancing apps which Apple has not allowed in its app store, such as apps that would inform a user if their smartphone had been surreptitiously hacked or ‘jailbroken’. See EFF amicus curiae brief in Epic Games v Apple (US Court of Appeals, 9th circuit, Case 21-16506), 27 January 2022, p 17.

44 Autoriteit Consument & Markt, ‘Market Study into Mobile App Stores’, 11 April 2019, p 95.

45 ibid 104.

46 Australian Competition and Consumer Commission, ‘Digital platform services inquiry – Interim report No. 2 – App marketplaces’, March 2021.

47 ibid 60.

48 ibid 120.

49 Competition and Markets Authority, ‘Mobile Ecosystems Market Study: Final Report’, 10 June 2022, para 7.76.

50 CMA, ‘Investigation into Apple AppStore’, 4 March 2021; CMA ‘Investigation into suspected anti-competitive conduct by Google’, 10 June 2022.

51 Epic Games v Apple (Rule 52 Order) (US District Court), Case No 21-16506, 10 September 2021, <https://s3.documentcloud.org/documents/21060696/epic-v-apple-ruling.pdf>, p 148 fn 612.

52 ibid 113.

53 On appeal, the court’s findings regarding security were not disturbed: Epic Games v Apple (Judgment) (US 9th Circuit Court of Appeal), Case No 21-16506.

54 Epic Games v Apple (Petition for a writ of certiorari) (US Supreme Court), Case No 21–16506.

55 European Commission, Competition Case AT.40452, file available at <https://competition-cases.ec.europa.eu/cases/AT.40452>

56 DMA recitals 55–57.

57 DMA recital 50.

58 There is one difference: in Art 6(7) the provision also allows measures which protect the gatekeeper’s software generally – not just its hardware and the operating system. Given iOS and Android use sandboxing, which limits an app’s ability to modify both the OS and other software equally, it is unclear that the inclusion of “software” in Art 6(7) substantively expands the measures which would be allowed under Art 6(7) compared to those allowed under Art 6(4).

59 DMA recital 50.

60 The Commission included these requirements in recitals. The Council and Parliament proposals moved these requirements to the text of what is now Article 6(4) – which can be understood as emphasising that the security exceptions are meant to be narrowly construed. See Commission proposal, recital 47 and art 6(1)(c).

61 Treaty on European Union, art 5(4).

62 Vasiliki Kosta, ‘The Principle of Proportionality in EU Law: An Interest-based Taxonomy’, 2.

63 Kai Möller, ‘Proportionality: Challenging the Critics’ (2012) 10(3) International Journal of Constitutional Law 715.

64 Brian Barrett, ‘How 18 Malware Apps Snuck Into Apple's App Store’ Wired (25 October 2019).

65 Mikołaj Barczentewicz, ‘Interpreting the EU Digital Markets Act Consistently with the EU Charter’s Rights to Privacy and Protection of Personal Data’, 3 August 2023, p 7.

66 Apple, ‘Apple Announces Changes to iOS, Safari, and the App Store in the European Union’, 25 January 2024.

67 Apple, ‘Update on Apps Distributed in the European Union’, 2024 <https://developer.apple.com/support/dma-and-apps-in-the-eu/#distribution-eu>.

68 Apple, ‘Update on Apps Distributed in the European Union’, 2024 <https://developer.apple.com/support/dma-and-apps-in-the-eu/#distribution-eu>.

69 Apple, ‘Apple Announces Changes to iOS, Safari, and the App Store in the European Union’, 25 January 2024.

70 Google, ‘Enhancing Cybersecurity and Digital Resilience in Europe’, <https://services.google.com/fh/files/blogs/cybersecurity_and_digital_resilience.pdf>.

71 Samuel Stolton and others, ‘Vestager Snubs Apple’s Security Claims for iPhone Payments’ Politico (3 May 2022).

72 For Apple, these are set out in its App Store Review Guidelines <https://developer.apple.com/app-store/review/guidelines/>, its Apple Developer Agreement <https://developer.apple.com/programs/terms/apple_developer_agreement.pdf> and its Paid Applications Agreement. For Google, these are set out in its Developer Content Policy <https://play.google.com/about/developer-content-policy-print/> and its Developer Distribution Agreement <https://play.google.com/intl/ALL_nl/about/developer-distribution-agreement.html>.

73 UK Department for Digital, Culture, Media and Sport, ‘Cyber Security Breaches Survey 2022’, 11 July 2022.

74 See examples taken from US National Institute of Standards and Technology, set out at <https://csrc.nist.gov/glossary/term/integrity>.

75 UK National Cyber Security Centre, ‘Secure Design Principles’, May 2019, principle 2.9.

76 Autoriteit Consument & Markt, ‘Market Study into Mobile App Stores’, 11 April 2019, p 76.

77 Parliament proposal art 6(1)(c); Parliament position art 6(1)(f); Council position art 6(1)(f).

78 The user empowerment provision refers to ‘security’ without defining it. Art 7(9) – which imposes obligations on certain communications services to offer interoperability with competing services – allows gatekeepers to take measures to protect “integrity, security and privacy”.

79 Linux Foundation, ‘App Defense Alliance Migrates Under Joint Development Foundation with Google, Meta, and Microsoft as the Steering Committee’ Press release (8 November 2023).

80 Proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020 art 5.

81 Alternative compliance options may emerge too. For example, in the absence of suitable standards, the Commission is allowed to adopt specifications which can be used by developers to demonstrate compliance. The Commission can also allow some products to be certified under a certification scheme to prove compliance.

82 Notably, for example, the DMA refers specifically to security measures including ‘contractual’ measures not only technical ones: see, eg, DMA art 6(4).

83 In other words, this provision does not require ‘equivalence of inputs’ in the sense of requiring Apple and third parties to use exactly the same APIs to access iPhone hardware and software functions (cf Marc Bourreau, ‘DMA Horizontal and Vertical Interoperability Obligations’, in Alexandre de Streel and others, ‘Effective and Proportionate Implementation of the DMA’, CERRE, January 2023, p 157). Article 6(7) only requires interoperability and access to be “effective”, not identical. While equivalence of inputs might be more effective, to the extent it required gatekeepers to rework their existing apps, it might be disproportionate.

84 Proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020 art 6(2).

85 Open Web Advocacy, ‘Bringing Competition to Walled Gardens’<https://open-web-advocacy.org/files/OWA%20-%20Bringing%20Competition%20to%20Walled%20Gardens%20-%20v1.2.pdf> accessed 13 November 2023; Bennett Cyphers and Cory Doctorow, ‘Privacy Without Monopoly: Data Protection and Interoperability’ EFF (12 February 2021).

86 The user empowerment provision did not appear in the Commission’s original proposal. Instead, it first appeared in the Council’s proposal. We can speculate that it may have been a counter-offer to MEPs’ attempt to expand the integrity provisions, which the Council rejected. See Council position recital 47a and art 6(1)(c).

87 A choice screen or setting might also be allowed by the integrity provision, which does not have a requirement that the setting or measure cannot be pre-installed or the default. But in that case, the measure could only apply in relation to ‘integrity’ as narrowly defined. It does not appear likely that Apple or Google would apply choice measures that protect only against “integrity” risks and not broader security risks. This means that, in practice, measures are likely to be justified as either ‘user empowerment’ measures or “integrity” measures but not both.

88 Competition and Markets Authority, ‘Mobile Ecosystems Market Study: Final Report’, 10 June 2022, para 4.117.

89 BEUC, ‘An effective choice screen under the Digital Markets Act: BEUC recommendations’, 17 October 2023.

90 M Ostrovsky, ‘Choice Screen Auctions’ (2023) 113(9) American Economic Review 2486.

91 See, Aurelien Portuese and Kir Nuthi, ‘App Store Implementation of the Digital Markets Act Exemplifies Law’s Uncertain Future’ ITIF (20 March 2023).

92 Within 6 months of a CPS being listed in a designation decision, the gatekeeper is required to comply with the DMA’s obligations (art 3(10)).

93 DMA Art 11(1).

94 DMA Art 11(2).

95 DMA Art 8(3).

96 Alternative processes could be triggered if (i) the gatekeeper sought to apply the “public security” exemption; or (ii) the Commission considers there to be systematic non-compliance by the gatekeeper. The Commission could also provide informal assurances about how it would seek to enforce the security provisions. That, however, would be unwise given the Commission would presumably issue an informal opinion without having an open discussion with all relevant stakeholders. And for a gatekeeper such assurances may not be sufficiently legally binding.

97 Comments by Alberto Bacchiega, Director, Platforms, DG Competition European Commission at ‘Antitrust, Regulation and the Next World Order’, Brussels, 31 January 2024.

98 DMA Art 8(2).

99 DMA Arts 20 and 29.

100 DMA Art 8(2).

101 DMA Art 8(2).

102 DMA Art 30.

103 This would reflect Apple’s current scope for app developer appeals: a developer is allowed to challenge both the application of an App Store guideline, and the guideline itself. See Apple, ‘Apple Reveals New Developer Technologies to Foster the Next Generation of Apps’ Press release (22 June 2020).

104 Apple, ‘App Store Review Guidelines’ <https://developer.apple.com/app-store/review/guidelines/#data-security> accessed 13 November 2023.

105 Still today, Openreach/BTW’s agreements in the UK cover many aspects of security and network integrity (SIPIA ss3 and 19): see <https://www.btwholesale.com/help-and-support/regulatory.html#reference-offers>.

106 Directive (EU) 2018/1972 establishing the European Electronic Communications Code (EECC), recital 35.

107 EECC art 26(1).

108 EECC art 26(2).

109 See <www.offta.org.uk>.
