Two weeks ago, we saw the Senate Judiciary Committee (SJC) hold a contentious vote on S. 2992, a bill that would prohibit certain privacy and security practices where software platforms restrict access to sensitive data and software and device features. Ahead of the vote, the sponsors of the bill circulated a Manager’s Amendment, which we analyzed from our members’ perspective. Long story short, the Manager’s Amendment was barely a nod to privacy and security concerns and doubled down on breaking open the security of software platforms.

Fast forward to today, and SJC will vote on a different bill, S. 2710, that (as introduced) would again prohibit platform privacy and security measures where software platforms prevent and remove sideloaded software. This time, however, the sponsors’ Manager’s Amendment makes a more credible effort to shield platform-level privacy and security measures from direct liability.

But unfortunately, the remaining mandate for software platforms to allow sideloading would still handcuff software platforms, outlawing the general iOS prohibition on sideloading and homogenizing software platform offerings (for developers and consumers) to a more open version of Android’s.

Despite what appears to be the intent for the Manager’s Amendment to enable software platforms to actively manage app stores and operating systems for safety and privacy, the requirement to host sideloaded apps and app stores would nonetheless introduce new cybersecurity and privacy vulnerabilities. For example, the new text, if adopted, would still require software platforms to provide “readily accessible means” for consumers to install third-party apps and app stores. The Manager’s Amendment now clarifies that no liability attaches if a software platform removes sideloaded “malicious or fraudulent apps or app stores” from an end user device, but that does not mean the software platform has the technical means to do so, given that it has to accept the malicious app in the first place in a manner that is “readily accessible” to the user.

In other words, the mandate still opens a new threat vector that locks the platform into a similar game of trying to stay one step ahead of bad actors as is the norm in the desktop space. Similarly, the new exemption in the Manager’s Amendment for “providing an end user with option to limit the collection sharing of the data of the user with third-party apps or app stores” is a good step insofar as it would limit liability for some security measures. However, the remaining mandate to allow sideloaded software on end users’ devices coupled with the requirement to provide that software with access to hardware and software features would remove the technical ability for the platform to enforce the consumer’s preferences.

So, even though a software platform could enable a consumer to tell an app not to collect their location data in the device’s settings, it is unclear how the operating system would be able to enforce that preference if the software is sideloaded.

The new language also maintains serious litigation risk for platforms as they seek to remove or prevent access to device features by bad actors, maintaining the requirement for the platform to show that the security measure is “applied on a demonstrably consistent basis to . . . apps of the covered company or its business partners; and (B) other apps; (2) not used as a pretext to exclude, or impose unnecessary or discriminatory terms on, third-party apps, in-app payment systems, or app stores; and (3) narrowly tailored and could not be achieved through a less discriminatory and technically possible means.” That set of restrictions really constrains the practical ability for a platform to deal with threats from sideloaded software and discourages the development of new and better protection measures by introducing serious litigation risk.

One basic premise that tends to be inaccurate in this debate is the characterization of consumers as having “no choice” when they buy an iPhone. In a letter to SJC, Bruce Schneier said, “S. 2710 will finally give users the freedom to leave the walled garden . . ..” But app developers generally create apps for a variety of platforms including the web, Android, iOS, and cross-platform, as opposed to just iOS or just Android. Similarly, consumers leave the walled garden all the time, and it’s much easier to do so than Mr. Schneier suggests. An outsized portion of what drives a consumer’s choice of smartphone is whether they are prioritizing security and privacy or variety and customizability. In fact, in our recent survey, more than 96 percent of consumers in the market for a new smartphone say that protecting privacy is a “top” or “very important” priority in an app store that offers apps for download. The evidence weighs heavily against Mr. Schneier’s implication that consumers are unable to “leave” the walled garden; in fact, many of them choose iPhones because they are walled gardens.

This brings us to the question of why it is necessary for Congress to legislate in a way that supplants software platforms with the government as the primary manager of app platforms. The major app stores currently offer valuable distribution options for App Association member companies. Because the bill would outlaw some of the struts in place that support a trusted marketplace and prevent bad actors from targeting mobile devices, the bill would diminish the value of software platforms as a favored distribution method. We appreciate that Senators Blumenthal and Blackburn have made clear efforts to address the privacy and security concerns we raised, but we continue to urge Senators to oppose the legislation.