Following up on the initial implementation of the EU’s Digital Markets Act (DMA), which included such “successes” as the first porn app on iOS and diverting revenues away from hotels to online intermediaries, last week’s European Commission determinations regarding Alphabet and Apple once again demonstrate that the direct interests of users—including their privacy and security—remain an afterthought under the DMA.
The Commission sent its preliminary findings to Alphabet on “self-preferencing” in Google Search and on “steering rules” in Google Play. Apple received final specification decisions on the process for interoperability requests and on requirements for iOS’ interoperability with third-party devices.
Though the announcements provide some new details, their main thrust is unsurprising and fully in line with the trends we’ve observed since the DMA was just a legislative proposal. The Commission once again chose to privilege and advocate for the designated gatekeepers’ competitors above the interests of users and brick-and-mortar businesses.
Alphabet/Google
We don’t know much about the preliminary findings of noncompliance the Commission sent to Alphabet, but one aspect that especially caught my attention is the Commission’s concern that:
Alphabet technically prevents certain aspects of steering, for instance, by preventing app developers from steering customers to the offers and distribution channels of their choice.
This is quite vague, but Google’s response may help us understand what the Commission means:
Unlike on iOS where Apple must review apps first, developers can freely distribute apps on Android. This creates more choice than any other platform – users can access 50 times more apps on Android than iOS. But if we can’t protect our users from scammy or malicious links that take our users outside of the secure Play environment, then the Commission is effectively forcing us to choose between a closed model and an unsafe one.
Google devotes considerable resources to keeping the Play Store as safe as possible for its users. One key measure it employs is to analyze the apps distributed through the Play Store by scanning their code. According to Google, this “prevented 2.36 million policy-violating apps from being published on Google Play” in 2024. When a user downloads an app from the Play Store, they can trust that the app passed such checks. These methods are not perfect, of course, and malicious apps sometimes do get published. But Google’s control over the Play Store also means that, whenever an app is identified as malicious, it can be swiftly removed.
What the Commission appears to want Google to do is to allow app developers to include in the Play Store not only full apps, but also links to other websites where users could download apps (not from the Play Store). I would be very surprised if Commission officials realize this, but it is precisely what malicious app developers want and have long been seeking to achieve through other means.
Take, for example, the recent Spylend case, where the attackers managed to get seemingly innocuous apps published on the Play Store. The apps passed the Play Store’s security checks because certain malicious functionalities weren’t included in those apps, but only in additional apps that the “lure” apps later directed users to install, with promises of additional functionality.
Given that Google’s open model allows users to install apps from sources outside of the Play Store, they can be tricked into installing malicious apps. The source of the problem with Spylend was that the users may have been inclined to trust the “lure” apps precisely because they were in the Play Store. What Google can try to do to further limit such risks is to very strictly enforce a policy against links to external sources of apps within the Play Store (or within the code of apps available in the Play Store).
But this is precisely what the European Commission appears to be objecting to! The Commission wants to prevent Google from enforcing a “no links to external apps” policy in the Play Store. This would diminish the level of security for users; existing protections would go away, with users oblivious to that change. In other words, the Commission is about to offer an enormous gift to scammers and data thieves, making their jobs easier by helping them to capitalize on the trust that users have for the Play Store.
Apple
The decision on Apple iOS’ interoperability with third-party devices provides another example of how little regard or understanding the European Commission appears to show for iOS users’ privacy and security concerns. Reading the document, it’s clear that the Commission sees any user privacy and security concerns as presumptively unjustified and not as something for which it bears responsibility.
The Commission also continues to appear oblivious to the key argument that security protections are not just about technical measures, but also about whom a user chooses to trust. Ultimately, technical measures are always insufficient, as Ken Thompson famously articulated in his 1984 lecture “Reflections on Trusting Trust.” It is both inevitable and rational that users choose software and hardware ecosystems based on their trust in specific developers. Apple users have long chosen the company’s ecosystem for precisely that reason. From the user’s perspective, there’s a significant difference between the trust they place in Apple and the trust they place in others. The following statement from the Commission needs to be read within that context:
An integrity measure cannot be considered strictly necessary and proportionate if it seeks to achieve a higher integrity standard than the one that Apple requires or accepts in relation to its own services or hardware.
I wrote about this in “Apple and EU DMA: A Road to Leave the EU?”:
(…) Apple could do what I just suggested—attempt to comply with the DMA by giving third-party developers the kind of access that the European Commission calls for, but with robust and effective safeguards controlled by users. This would be a transformation for Apple, because it would require treating its own apps as untrusted. (…)
Even though this may be the best option possible, it would still in important ways be worse than the pre-DMA status quo. One key reason for that is that it would place a much more significant burden on users to preserve their pre-DMA level of user experience, including privacy and security—requiring time and knowledge that it may be unreasonable to expect consumers to want to invest. Arguably, this additional burden would mean that even with the best efforts from Apple to move to a robust zero trust environment, the customers would still be worse off.
As I noted there, I’m skeptical that, even if Apple wanted to apply “zero trust” to its own apps, the Commission would allow Apple to introduce effective user-controlled restrictions on all apps. They would probably argue that such a move doesn’t address a “genuine integrity risk,” precisely because Apple did not previously apply any such restriction to itself. Or they would claim that Apple remains privileged under this arrangement, because the APIs could always be better-documented and Apple could always hire more developer-relations representatives.
The post Google and Apple Determinations Show How Little Users Matter Under the DMA appeared first on Truth on the Market.