With all eyes on U.S. competition with China, Congress’ next session—starting the week of April 17—will be a fascinating one for tech policy. On the heels of a lackluster Senate hearing on the American Innovation and Choice Online Act (AICOA) and the Open App Markets Act (OAMA), we are watching closely to see if the sponsors will reintroduce those measures. In the meantime, tangible examples of how they would harm the app ecosystem continue to pile up.
On April 3, CNN published thorough reporting on Pinduoduo’s shocking foray into spyware. The company’s conduct vividly illustrates the insecurities OAMA and AICOA would force onto smart devices. Pinduoduo is one of China’s “most popular shopping apps,” selling a wide range of consumer goods and competing credibly with JD.com and Alibaba despite those marketplaces’ larger market share. In 2020, Pinduoduo began exploring updates that would let the app collect sensitive data on its users well beyond what consumers had consented to—in fact, it invested heavily, putting about 100 engineers on the project. Researchers found that the version of the app issued in February included a spyware feature that would automatically escalate its permissions. As we’ve discussed in previous posts, permissions are the categories of data to which a consumer affirmatively grants an app access. App stores typically vet apps’ requested permissions to ensure that they line up with the app’s purpose and consumers’ reasonable expectations. For example, if a simple flashlight app with minimal features wants to prompt users for access to all of their photos and text messages, that raises a red flag, and app reviewers will ask how that access helps the app’s functionality.
The Google Play store is not allowed in China, so Google Play does not vet apps for permissions there. However, 75 percent or so of smart devices run on some version of Android (consumers use a variety of local app stores). Thus, Pinduoduo was able to sneak its malicious updates onto devices by exploiting vulnerabilities in the operating system without having to worry about the expansiveness of the permissions it sought. The app was also escalating its own permissions by manipulating the operating system’s settings, and it remained mainly undetected for months. According to a former employee, Pinduoduo brazenly targeted its attacks at people in rural areas so that word would not spread of suspicious things happening on consumer devices. Before Android booted Pinduoduo in March, the app successfully collected granular data on how its victims used competing services, their personal messages, and essentially all their other activity on their phones in order to inform its marketing practices and business strategy.
What does this have to do with OAMA and AICOA? First, under either bill, Android would be presumptively barred from booting Pinduoduo. OAMA has an exception for apps that are on a federal list, but as the CNN article points out, Pinduoduo is not on any official threat list. But that’s almost beside the point. Only allowing proactive removal of an app for cybersecurity concerns if the ownership entity is on a list is inadequate because the attacker could easily reform under a new shell company name that is not on a list of threats. In that scenario, the game of cat and mouse quickly becomes a game of mouse dancing on the cat’s cage.
Second, both bills would put Android in essentially the position it finds itself in China—unable to enforce its operating system terms of service based on prior vetting. In China it has no app store, so it cannot vet apps before they are installed. Under OAMA and AICOA, Android would be presumptively barred from restricting an app’s access based on Google Play vetting. Being unable to remove an app for exceeding its vetted permissions puts Android and its consumers a step behind attacks like Pinduoduo’s (which are unfortunately common), where the initial version of the app complies with the terms of service but a later update brings it far out of compliance. Just as important, this episode shows clearly that the profit incentive to steal data and get away with it is quite strong. Fending off attackers is not only an exercise in combatting low-investment, half-hearted attempts—it also involves anticipating well-resourced attempts from ostensibly rule-abiding companies. You can see how a presumption of illegality for app removal completely negates this wary, security-first approach, which the federal government’s own Cybersecurity and Infrastructure Security Administration (CISA) is promoting tirelessly.
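The two checks described above, comparing an app’s requested permissions against what its category plausibly needs and diffing permissions across an update, can be illustrated with a small script. This is an added example, not code from the original post or from any app store’s review tooling; the two manifests, the app categories and the per-category baseline of expected permissions are constructed for illustration (the permission strings themselves are real Android permission names).

```python
"""Flag out-of-scope Android permissions and permission creep across updates.

Added illustration: the manifests below are constructed, and the
per-category baseline is an assumption a reviewer would tune for real use.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed baseline: permissions a reviewer would expect for each category.
# Anything outside the set is worth a question to the developer.
EXPECTED_BY_CATEGORY = {
    "flashlight": {"android.permission.FLASHLIGHT", "android.permission.CAMERA"},
    "shopping": {
        "android.permission.INTERNET",
        "android.permission.ACCESS_NETWORK_STATE",
        "android.permission.CAMERA",
        "android.permission.POST_NOTIFICATIONS",
    },
}

# Constructed sample manifests. Version 1 matches the shopping baseline;
# version 2 (the "update") quietly adds messages, contacts, location and
# installed-app enumeration.
MANIFEST_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.shop" android:versionCode="1">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

MANIFEST_V2 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.shop" android:versionCode="2">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
</manifest>"""


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of android:name values on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}


def out_of_scope(permissions: set, category: str) -> set:
    """Permissions not in the expected baseline for this app category."""
    return set(permissions) - EXPECTED_BY_CATEGORY[category]


def review_update(old_xml: str, new_xml: str, category: str) -> dict:
    """Diff permissions between two versions and flag anything out of scope.

    The returned lists are sorted so results are stable for reporting.
    """
    old, new = declared_permissions(old_xml), declared_permissions(new_xml)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "flagged": sorted(out_of_scope(new, category)),
    }


if __name__ == "__main__":
    report = review_update(MANIFEST_V1, MANIFEST_V2, "shopping")
    for key, perms in report.items():
        print(f"{key}: {perms}")
```

Run against the two constructed manifests, the report shows four permissions added in version 2 and the same four flagged as outside the shopping baseline, which is exactly the "compliant at first, non-compliant after an update" pattern the text describes. A real review pipeline would run this on every submitted update and route a non-empty `flagged` list to a human reviewer.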
Third, the only other legal route to removing Pinduoduo besides the official-list exception is extremely narrow and difficult to meet. Both bills would allow Android to overcome the presumption that restricting Pinduoduo’s access is illegal by showing that the action is not pretextual, is narrowly tailored, and could not be achieved through less discriminatory means. Such a showing would require a great deal of evidence that the app had actually harmed people, imposing on Android an obligation to wait and watch while people are harmed before acting to protect them. In short, under either regime we’d be waiting much longer for Android to remove the app while its attorneys put together a case to rebut the presumption that the removal is illegal. If you think this is an overstatement, consider that up to 10 percent of the company’s revenue would be on the line under AICOA and treble damages under OAMA (which would give Pinduoduo its own private cause of action to punish Android for removing it). Legal departments tend to require a buffer zone around laws with huge penalties.
Pinduoduo is not an isolated incident. A University of California at San Diego (UCSD) study just found that the number of smart devices infected with spyware increased by 63 percent between September 2020 and May 2021. As the study’s authors observe, “All of these challenges highlight the need for a more creative, diverse and comprehensive set of interventions from industry, government and the research community. While technical defenses can be part of the solution . . . to prevent surveillance from becoming a consumer commodity.” Unfortunately, AICOA and OAMA would punish the app stores for developing any of these proactive interventions, since the bills would render the enforcement mechanisms presumptively illegal. That legal backdrop would only widen spyware’s path to becoming a consumer commodity and accelerate its development. If Congress wants to help avoid America’s own Pinduoduo episode and stem the spyware tide, it should work on privacy and data security and avoid subsidizing spyware by passing OAMA or AICOA.