The effort to impose European-style regulation on app stores is seeing a late surge as sponsors are fast-tracking (or hotlining) the Open App Markets Act (S. 2710, OAMA) through the Senate. Under the Senate’s hotline procedure, legislation is circulated by email to every Senate office. If no office objects within the given timeframe, the bill passes the Senate by unanimous consent. In part because OAMA didn’t traverse the full legislative process, which would have involved a legislative hearing, Senate offices are doing last-minute homework on OAMA.
Complicating matters even more, OAMA sponsors made a few changes to the text before hotlining it. And competing interpretations of how OAMA—and changes to it—would work in practice intensify the confusion for Senate offices. However, the outcome for small app companies is the same (still bad) or worse. The sponsors’ edits address none of the core issues and may exacerbate the problems OAMA would create for app makers.
Here’s a quick breakdown of the new edits:
– “Covered company” definition. The new definition is nominally narrower, but still applies to the main app stores. Before the edit, the definition of covered company included any company that owns or controls an app store for which users in the United States exceed 50 million. The edit narrows the definition to apply to companies that own, certify, or control an app store with 50 million users and the operating system or operating system configuration on which the store operates. This doesn’t change the coverage in any relevant way because it still applies to the Apple App Store and the Google Play store, the bill’s two targets.
– “Self-preferencing in search.” The edits to this section appear to be non-substantive.
– Doubling down on illegality of app store management to protect “digital safety.” Instead of encouraging app stores to take measures to protect digital safety, privacy, and security, OAMA deems those measures illegal unless voluminous evidence portraying a vanishingly slim confluence of circumstances can be shown via an affirmative defense. The original affirmative defense is already so narrow that software platforms are unlikely to be able to rely on it meaningfully to address cybersecurity and privacy threats proactively. Further narrowing the defense to exclude basic consumer protections the app stores enforce—like digital safety—only worsens the bill and takes away another aspect of app store management small app companies and consumers rely on now to protect the marketplace.
– Rule of construction for cybersecurity. The original provision is supposed to allow software platforms to take some limited cybersecurity measures, but the new text makes it even narrower. Before the edit, the rule of construction clarified that OAMA shall not be construed to require a software platform to interoperate or share data with entities that “have been identified by the Federal Government as national security, intelligence, or law enforcement risks.” We’ve criticized this approach for falling far short of enabling software platforms to proactively prevent cybersecurity risks. The new text further narrows this rule of construction so that it only applies to a “foreign entity that has been identified by the Federal Government” as a national security, intelligence, or law enforcement risk. Under this new provision, the major app stores would only be able to remove a cybersecurity threat if it a) has been identified by the federal government as one of the listed risks; and b) is also a foreign entity. As we’ve discussed before, if a software platform is trying to figure out whether a cyber threat is ultimately owned by or affiliated with a foreign entity before deciding to remove it, they’re already an unacceptable number of steps behind the attackers. OAMA is a “must carry” mandate for app stores to accommodate foreign and domestic cyber threats, absent crystal-clear instruction that they are “foreign entit[ies]” that are “national security, intelligence, or law enforcement” risks. The ultimate effect of this is to impose extreme costs on proactive cybersecurity, and for the ex-post measures that are possibly allowed, slowing them down to the speed of thorough evidence gathering and legal analysis.
Disputes between large tech companies and the major app stores come and go, just like impasses between broadcasters and cable companies. Most are resolved, and those that aren’t go to the courts. Small app companies are not asking for OAMA to solve battles between behemoths over billions. The two provisions that presume the illegality of app store cybersecurity and privacy measures are unchanged in the updated OAMA, and the already inadequate digital safety and cybersecurity allowances were eliminated or narrowed even further. Senators should put a hold on OAMA and reject it when it’s reintroduced in the 118th Congress.