Antitrust reform advocates argue strenuously that consumers will not lose privacy or security benefits if Congress prohibits mobile software platforms from being able to remove malware and other bad actors from app stores. The bills they are pushing, the American Innovation and Choice Online Act (S. 2992) and the Open App Markets Act (S. 2710), would prohibit centralized software distribution on mobile software platforms, including the enforcement of privacy and security requirements. According to the advocates, prohibiting these protections is fine because operating system security and automated features are adequate. But our lived experience with app store privacy—including App Tracking Transparency (ATT)—provides some insights as to how the advocates erroneously minimize the role of app store management and overvalue automated security controls in this rhetoric.

Here’s a breakdown, using ATT as an example, of the role of centralized app store management in security and privacy protection, and why prohibiting it would have a major impact on mobile device security and privacy:

  1. ATT has two components: automated tracking prohibitions enforced by the operating system; and app store-enforced prohibitions on other kinds of tracking the operating system is unable to stop.
  2. When a device owner opts out of cross-app tracking through ATT, the operating system can block access by apps to the identifier data brokers reference to profile the user.
  3. However, apps can track users across other apps in ways that the operating system is not equipped to prevent. For example, an app can track a user using their IP address, third-party single sign-on, device fingerprinting, or even the user’s email address. The operating system alone lacks the means of preventing this kind of tracking all by itself.
  4. The only way to stop an app from tracking users across apps using one of these alternative methods—or a combination of them—is to subject apps to review before they can be available on a device and then to enforce their adherence to baseline privacy and security requirements. As our analysis of the App Store guidelines illustrates, Section 5.1 requires apps to adhere to these kinds of requirements, and S. 2992 and S. 2710 would mainly prohibit their enforcement.
    1. Section 5.1.2 says “Apps that share user data without user consent or otherwise complying with data privacy laws may be removed from sale and may result in your removal from the Apple Developer Program.” If the platform knows an app is circumventing ATT’s automated controls using an alternative method, the app is subject to removal.
  5. Beyond ATT, some security and privacy protections only humans and app store reviews can accomplish.
    1. For example, Section 5.1.1 says “Apps should only request access to data relevant to the core functionality of the app and should only collect and use data that is required to accomplish the relevant task.” In other words, the guidelines require data minimization and empower app store reviewers to ensure a flashlight app isn’t requesting persistent location data from a user unnecessarily. We have learned the hard way that bad actors use dark patterns to manipulate users to consent to information collection unrelated to any meaningful service. Automated security is not equipped to determine whether an app’s proposed data collection practices are suspicious in light of the app’s stated purposes, so this is a function of app store management that would be lost if Congress enacts either S. 2992 or 2710.

 

The ways in which bad actors seek to circumvent automated protections and manipulate users with dark patterns illustrate clearly how centralized app store management prevents these activities and benefits the ecosystem. App store privacy and security protections are toothless if the platform cannot impose consequences on an app (ultimately, removal from the store) for ignoring them. Removing those enforcement mechanisms would spell disaster for consumers and small app companies trying to convince consumers to download their offerings in an environment where malware and fraud goes unpunished.