Recently, the European Commission quietly issued a “tender” seeking a study on the cybersecurity vulnerabilities the Digital Markets Act (DMA) might introduce. Reporters from Reuters appear to think its purpose is to “counter any Apple, Google antitrust pushback.” Whether or not this is an accurate characterization of the European Commission’s (EC’s) purpose with the tender, there are serious issues with this approach to governance.
First, the DMA’s vertical interoperability and open access mandates are, at least facially, mandates to introduce new vulnerabilities into the mobile ecosystem. The white paper we published in June analyzes the provisions at issue in more detail, including how they would affect the current privacy and security safeguards on existing mobile devices. Given the undisputed purpose of these mandates, the inquiry the EC now seeks should have taken place before the DMA went into effect in May. Second, if the purpose is, in fact, to “counter” arguments that the DMA’s mandates lead to cybersecurity problems, the study will have already failed to inform the DMA’s implementation. There is reason to believe Reuters is right in its assessment. Seeking this study after the DMA has gone into effect puts substantial pressure on the EC to a) select a company that is friendly to the EC’s purpose in enacting the DMA and that therefore b) will avoid serious attempts to infiltrate a mobile device that complies with the DMA’s requirements.
As discussed in our white paper, the only mobile cyber defense allowed under the DMA is reactive, narrow, and available only if “duly justified,” presumably with evidence of harm to a gatekeeper’s customers. Specifically, the open access mandate is tempered only by a clarification that a gatekeeper “shall not be prevented” from taking measures to ensure that third-party apps or app stores do not “endanger the integrity of the hardware or operating system,” but only to the “extent they are strictly necessary and proportionate” and if they are “duly justified by the gatekeeper.” If the company conducting the study designs its attacks on a device so poorly that they fall within this vanishingly narrow allowance, the study might successfully reinforce the EC’s position, if only superficially. It will also be totally useless as a predictor of whether the DMA adequately allows gatekeepers to protect privacy and security against real adversaries.
The timing of the inquiry appears to dictate its purpose: it can no longer inform the development of the DMA, so it must serve either to undermine or to strengthen the DMA’s purpose. The former would be an own goal on the part of the EC, and one it should be able to avoid by carefully selecting its partner. Governments being asked to follow in the EC’s footsteps should avoid regulating first and asking questions later.