On April 10, Margrethe Vestager, the executive vice-president (EVP) of the European Commission, spoke about AI governance and global technological advancements at an event hosted by the American Enterprise Institute (AEI). In discussing the downstream cybersecurity and content moderation policy implications of the EU’s antitrust actions and the Digital Markets Act (DMA), EVP Vestager exposed the limited attention EU regulators have paid to the downstream and potential long-term effects while shaping these impactful laws, calling concerns about security and privacy vulnerabilities mandated by the DMA a “red herring.” This casual disregard for the serious privacy and security risks that accompany DMA-style frameworks should give other governments—like Japan’s, Brazil’s, and South Korea’s—serious pause before moving forward with their own versions of the DMA.
Passed in 2022, the DMA identifies six major online platforms as “gatekeeper” companies, imposing specific conduct requirements in the digital marketplace. A key provision of the DMA is that it requires mobile operating systems of these gatekeepers to support app installations from non-gatekeeper app stores and mandates equal levels of interoperability for non-gatekeeper services.
Mobile devices continue to be prime targets for cyberattacks. Analysts have raised concerns that while the DMA aims to enhance competition, it will inadvertently lower security by facilitating the installation of third-party apps, thus increasing the risk of malware and security breaches. We also published a white paper outlining how specific DMA provisions, if implemented strictly, would eliminate proactive security measures and greatly advantage cyber attackers and other bad actors.
Companies such as Google and Apple have heavily fortified their app stores with security protocols, drastically reducing the incidence of malicious apps compared to those found in third-party stores. Curated online marketplaces (COMs), such as the Google and Apple app stores, implement rigorous standards, including sandboxing apps to restrict their access to data from other apps unless explicitly permitted. However, the DMA’s directive to open the ecosystem could dilute these safeguards. Allowing installations from third-party sources could make managing app permissions more complex, thereby making it more difficult for users to oversee what data apps can access and potentially heightening the risk of data breaches.
Furthermore, existing security measures like continuous app behavior monitoring and frequent updates to counteract emerging threats might lose their effectiveness if apps can be sourced from any vendor.
Significantly, there’s a substantial gap between users’ perceived security and the actual security practices they are reasonably able to employ. Many users lack the necessary awareness or expertise to make secure choices, heightening risks with third-party app installations. The DMA’s rules could confuse users unfamiliar with app security nuances, potentially leading to inadvertent downloads of harmful or invasive apps.
Regardless of one’s opinion on the overall benefits of EU regulations, they undeniably introduce a trade-off between promoting competition and upholding cybersecurity and content moderation standards. EVP Vestager’s comments at AEI overlooked the critical role of policymakers in managing these trade-offs. Instead, she shifted the entire responsibility for adhering to complex regulations onto the industry, overlooking the broader public policy challenges that these regulations introduce. This approach by the EU has exposed a significant oversight by regulators in considering the consequences of their policies.
This oversight has already had potentially harmful effects. For instance, the Federal Trade Commission’s (FTC’s) complaints against companies like SpyFone heavily reference the fact that consumers must be misled into downloading the app outside of the main channels, despite myriad warnings by Android. Meanwhile, the DMA’s requirements, which permit access to any alternative app store regardless of its content moderation capabilities, could prevent gatekeeper companies from playing even the warning role on their operating systems and in their app stores.
Mobile app store security is a feature that benefits all users, suggesting that regulatory frameworks should support efforts to bolster security and protect users. EVP Vestager’s remarks at AEI illustrate how policymakers can sometimes be too narrowly focused in their decision-making processes, resulting in unbalanced and potentially dangerous outcomes.