Over the last several years, regulators, Congress, and most recently state legislatures have been taking a hard look at “big tech” companies and the relationship they have with small businesses, like our members, and have raised concerns about competition in the digital market.

We also have concerns. Real-life concerns that transcend political donations or complicated, misleading language found in legislation in statehouses across the United States. When we look at legislation like Rhode Island’s HB6055, we see through what seems to be well-intentioned legislation and understand the way it will impact the lives of developers, consumers, and the app economy at large.

In this blog series, we’ll be discussing those concerns, breaking down the policy, and laying out the risky, everyday scenarios we could all find ourselves in if this kind of bad policy goes into effect. First up: harm to the consumer.

There was a time when downloading anything from the World Wide Web meant risking a virus on your device, or even worse, on the family computer. But right now, to us – the consumer – launching a marketplace application to download the latest app on your smartphone feels about as threatening as walking into your local mall. And that’s not an accident. Platforms, like the Apple App Store and Google Play store, allow app developers of all sizes to reach a global audience through a trusted, safe, and robust online marketplace. These platforms, which process millions of transactions daily, are built with a tremendous amount of care for users’ privacy and security, all with the consumer in mind.

Unfortunately, the purposeful work done by online marketplaces to keep you safe could quickly unravel and lead to some seriously threatening scenarios due to legislation under consideration in a number of states. These potential threats are not too different from, say, the family computer snafu of 1997, but this time the risk isn’t just a Cha-Cha Baby mp4 file not playing correctly. This time there are pictures of your kids at bath time at risk. This time your payment information is at risk. This time your personal health information is at risk. Point blank: this time you are at risk.

But how did we get here? What are the potential policies putting you at risk? Legislation aimed at mobile marketplaces is popping up in legislatures across the United States with similar themes that claim to “protect consumers” from perceived harms of big players in the app ecosystem. However, many of these offer differing standards for consumer protection, carving out their own caveat for your security. Below, we’re breaking down some of the most worrisome aspects of one of these bills and explaining clearly what this means for your online safety.

Rhode Island: HB6055

What it says:

  1. A “proprietor of a digital application distribution platform” (defined as a mobile app store and its accompanying operating system) “may not: . . . require a developer to use an in-application payment system as the exclusive mode of accepting payment from a user . . ..”
  2. The bill also provides that an app distribution platform may not “[r]etaliate against a developer for choosing to use an alternative application store or in-application payment system.”

What it does: As written, the bill would 1) prohibit a software platform from disallowing the use of ANY third-party payment option (including potentially fraudulent ones); and 2) prohibit a software platform from “retaliating” against sideloaded apps by removing them from a device (again, including potentially fraudulent ones or malware). Together, the provisions offer a false promise of greater choices at the expense of important layers of security protecting consumers from all kinds of threats, which are more numerous and sophisticated in the mobile context than on laptops or desktop computers.

Think about the role your smartphone plays in your life – it is always with you, so chances are you have at least one app with full access to your location at all times, such as a weather or mapping app. Most people store credit card information on their phone or use it to pay at point of sale units. We store health information, banking, contact information, and passwords—a veritable buffet of data for bad actors hungry to use your information. Below we break down these specific harms:

Financial Harms: You search and find an app that looks just like the one your child needs to complete their homework. The app costs $1.99. You, trusting the platform’s recommendation, pay the $1.99 and download the app. Except this is a copycat app and the $1.99 you just sent was only the beginning because the payment processor used was one out of Lithuania called “Circle,” built to steal your info and store your money in Russia. The $1.99 turns into a much larger number, and the app is gone before you can raise the alarm. Not only is the platform unable to confirm whether the processor stole your money, it is also unable to determine whether the processor stole your data as well and will not be able to help much as enforcement agencies try to track it and shut it down.

Why that doesn’t happen under the current rules: Apple and Google both only allow apps to use approved in-app payment systems, allowing them to bar (or remove, if their malicious conduct comes to light later on) bad actors. The legislation doesn’t just require a platform to make a variety of options available, it completely bars the platforms from saying “no” to any payment processor. This means that fraudulent payment processors must be allowed on the platform. If faced with a situation like the one described above and the platform removed the app and payment processor, the Rhode Island state attorney general would have to punish the platform for removing the payment processor because such a move would constitute “retaliation.” At the same time, the enforcer would have trouble bringing the payment processor to justice because the platform was not allowed to review and approve the processor and therefore knows little or nothing about it.

Privacy: Your 12-year-old has a smartphone that is strictly limited in its functionality using parental controls at the platform level. You’ve set these parameters to ensure that your child does not accidentally (or purposely) download or use an app that shares their data or otherwise allows them to engage with objectionable content or communications. The parental controls only work on apps that have been vetted and approved by the app store. Searching for messaging apps on the browser, your 12-year-old downloads a messaging app that allows a child predator to communicate with and even track them.

Why that doesn’t happen under the current rules: Both Apple and Google (and other software platforms) prohibit sideloading of apps by default. On Android, a user can selectively allow the sideloading of an app from a particular source (for example, the browser), but that can only be done consistent with parental controls: a child is unable to unlock this feature if a parent stops them from using it. If HB6055 were enacted, on the other hand, the software platform would be prohibited from “retaliating” against an app that the developer makes available via sideloading. This means that subjecting the app to review processes and requiring it to comply with parental controls would probably be illegal. In other words, the state of Rhode Island would require the platform to expose your 12-year-old to bad actors that operate unrestricted by parental controls.

Safety: Unfortunately, there is a market for illicit “stalker apps” to track a person’s movement. If someone gains access to a target person’s device, they can download a tracker app that sends the target’s location to the stalker’s own device in order to track their movements. HB6055 would require Google and Apple to allow the stalker app to circumvent their controls that prevent access to data, like location, from bad actors. Even though the stalker app’s activities in this example would be illegal under federal and state laws, the platform would be barred from removing the apps or “retaliating” against them by barring their access to location and other sensitive data.

Why that doesn’t happen under the current rules: Both Apple and Google (and all software platforms generally) “retaliate” against bad actors by removing them from their respective platforms. They are able to do this because they only allow vetted and compliant apps to be downloaded. Even when Google allows users to sideload apps, it retains the ability to remove or restrict the access of those apps if they engage in illegal or suspect activity. The legislation would remove that essential gatekeeping function.

Looking at these three areas of concern alone leads you to wonder, “So where’s the consumer protection?” Protection in many of these bills is a vague concept, and often is a sticking point for debate as bills advance. Many of the proponents claim the “protection” comes in the form of an alternative to the so-called monopolies of Apple and Google over the app ecosystem. Others state these bills will lead to lower prices on in-app purchases like extra coins in mobile games or the price of apps in general, but the details of exactly how that would lower prices are hazy at best. It’s enough to make a consumer wonder: who is protecting whom with these bills?