Well, well, well, the saying goes … if it isn’t the consequences of my own actions. As compliance plans roll out under the Digital Markets Act (DMA) in Europe, self-aware DMA advocates must be thinking these rueful thoughts. But it’s never a sentiment anyone wants to express unironically in public. The largest companies in the world that distribute apps through the main app stores certainly are not admitting they made a mistake. Instead, they’re melting down over Apple’s compliance plan, feigning(?) shock that Apple would continue to charge for distribution. The irony here derives only partially from the fact that this is exactly what they have been asking for—a shifting of the costs away from themselves and onto the rest of the app economy. The balance of it radiates from a belief, either sincere or insincere, that costs may be waved away by government fiat, that lunch may be deemed “free.” Big App may have the luxury of learning nothing from the DMA experiment, but it’s not too late—and it’s vitally important—for other governments to take some notes. There are several lessons we can take away already from this experience as policymakers around the world are asked to intervene DMA-style, including with proposals like the American Innovation and Choice Online Act (AICOA) and the Open App Markets Act (OAMA):

Lesson 1: DMA-style intervention would inevitably introduce privacy and security vulnerabilities. DMA’s Article 6, paragraph 4, requires covered software platforms to allow third-party app stores. As we pointed out, if regulators enforced the mandate strictly, it would eliminate most commonsense, proactive cybersecurity and privacy measures that currently protect consumers on their smart devices. The exceptions to the mandate are narrow, allowing only measures that address threats that “endanger the integrity of the hardware or operating system.” European regulators hopefully see the problems with a strict reading of this passage, as Apple’s compliance program retains its ability to use notarization to authenticate that apps are what they claim to be and are not counterfeits. This is an especially important win for consumers in the compliance process. However, notarization is just one of the basic means of assurance against privacy and security threats. For example, notarization alone would not allow for enforcement of parental controls (more about this below) and does not necessarily address permission vetting. As we’ve discussed before, vetting for permissions is what enables the app store to ensure that the categories of data an app requests match with its purpose. Permission vetting addresses a shocking percentage of the attempts to compromise people’s devices or steal their information, identity, or money. Some might say that throwing this layer of security open to competitors is good. But remember that competition itself is what produced a vertically integrated solution that consumers apparently prefer and have selected over alternatives. It does us no good to forget that competition on this one feature, among others, under DMA is a regulator-driven simulacrum of competition taking place on top of individual companies’ platforms.

Notably, OAMA is unlikely to allow for a compliance plan that includes notarization, since it presumes the illegality of disallowing access to operating systems, hardware, and software. OAMA’s allowance for providing an “end user with the technical means to verify the authenticity and origin of third-party apps or app stores” is only available by affirmative defense. That affirmative defense is, in turn, only available if the platform can establish that notarization is not used as a pretext “to exclude, or impose unnecessary or discriminatory terms” on third parties (among other things that must be shown). This language seems to dangle notarization out of reach for software platforms, unless and until they are willing to spend tens of millions in litigation to defend it. It would be, after all, a retention of a small measure of control over security and privacy on the smart devices Apple has manufactured, and AICOA and OAMA are both drafted on foundational assumptions that those measures are pretexts to harm competition.

Lesson 2: DMA-style intervention would undermine parental control and online safety at a time when Congress is prioritizing these policy aims. Another limit of notarization, and of the broader allowances under DMA, is that they do not provide for enforcement of platform-level parental controls for apps purchased on a third-party store. Instead, DMA appears to require that any parental controls for apps downloaded through an alternative app store be facilitated by that app store. This makes it much more difficult for parents to oversee what their children can download and adds friction to an emerging parenting function that often collapses under the weight of added red tape. Under current law in the United States, parents can set up a device for their child and enable the ability to review any app downloads, purchases, or usage of an app from their own smart devices. In the EU, this arrangement will be far more complicated and will not work for apps downloaded via third-party stores. This is especially concerning, as we know that even some of the most well-established, well-resourced advocates for alternative app stores are dedicated children’s privacy violators. As a result, we know that resources will be deployed to create alternative app stores that intend to evade parental controls and oversight. Ultimately, DMA’s tradeoff largely forfeits a powerful tool parents have to protect their kids online in favor of alternative business models that will purposely—not incidentally—make it harder than it is now to be a parent online.

Lesson 3: DMA-style intervention shifts those costs to smaller developers. For years now, we have warned that DMA-style bills like AICOA and OAMA would shift distribution costs down to smaller developers. Mainly, those costs will manifest in indirect ways yet to be seen, such as by requiring app makers to write apps for more stores and comply with differing app store terms of service, forcing consumers to adopt a more buyer-beware attitude on their smart devices in general, and the list goes on. However, it is immediately clear that we were right about the direct costs. During state legislative hearings on bills to impose must-carry mandates on app stores, we pointed out that eliminating the in-app purchase fee imposed on the largest app makers would necessarily result in those fees being redirected at all app makers, disproportionately raising costs and barriers to entry for small app makers. One lawmaker’s response was to suggest that the app stores should charge several thousand dollars for developer registration fees, thus distributing the costs to all developers. This way, the lawmaker reasoned, the largest app companies would be relieved of shouldering so much of the cost of maintaining the app store and distributing apps. Of course, that is exactly the opposite of what public policy should strive to achieve, as the posited solution would (rather inequitably) increase app store fees for the smallest app companies by over 100 times current costs, while virtually eliminating all the app store costs the largest companies bear. Mission somewhat accomplished for Big App in this regard, as they have received at least some of what they have been desperately seeking.

So much of what DMA will produce remains to be seen. What we do know is that with the recent compliance plan rollout, Big App is getting what it asked for, and it is difficult to see how consumers and small app companies are better off. The time is now for governments around the world to see this exercise for what it is: a vast outflow of political capital, privacy and security protections, taxpayer dollars, consumer value, and app distribution value, in return for little if any discernible benefit other than slightly lower costs for Big App.
