Recent scrutiny of digital platforms’ practices in the European Union has resurfaced a persistent tension: how can governments impose sweeping open access mandates on digital platforms while simultaneously allowing for the proactive gating measures necessary to detect, prevent, and remedy online scams and fraud? Meanwhile, the emergence of particularly troubling details around seemingly simple social engineering attacks is intensifying the need for policymakers in the European Union to adequately answer the consumer protection question. Certainly, they would say that protecting consumers from those who would take advantage of them is an important public policy goal. It is ironic, then, that EU law (notably the Digital Markets Act, or DMA) now inhibits the ability of designated “gatekeeper” platforms to take needed steps to protect consumers. As a result, the very controls platforms need to police scams are being weakened by interoperability obligations that dilute the everyday platform management functions needed to prevent them.

To understand the conflict, consider how small developers rely on platforms today to detect and block scams or malicious behavior. Small businesses and startups rely on platforms that use a combination of static and dynamic security scanning, review processes, and quick resolutions to provide a trusted environment through which they can efficiently reach consumers. But interoperability mandates erode those defenses. When untrusted external parties can gain deeper access to the operating system and even hardware features that make consumers’ devices work, new attack surfaces emerge. It is only a question of when malicious actors will exploit a weaker ecosystem to distribute scam content more easily. The EU’s interoperability requirements in the DMA are therefore at odds with the very safeguards that platforms use to combat fraud and that are essential to small business innovators in the digital economy.

Another important dynamic to consider is the effect of rigid ex ante open access obligations, like those in the DMA (the term used in the law itself is “interoperability,” but the mandates are far more invasive to security than mere interoperability). These provisions mandate that “gatekeepers” enable unchecked access to core functionalities, allow access to technical documentation, and custom-build features for virtually any third party that makes a request in the future. This latter mandate is particularly ominous as it would divert the time and energy platforms currently spend on building for all developers, including small business innovators, towards the needs of large, well-resourced business users with demands that sideline privacy and security. These mandates apply across the board, even in cases where a gatekeeper’s processes would be more effective at preventing scam propagation. In effect, the law imposes a one-size-fits-all regulatory model over the nuanced judgment of platform defenders. This is harmful because that nuance and flexibility are what have enabled leading platforms to constantly improve features to compete for small business developers’ business, resulting in a continuously improving digital economy that is directly correlated to small business growth and job creation.

Yet another dimension of the EU’s conflicting policy goals is enforcement resources and incentives. When governments focus on policing scams, they should be able to rely on developers and platforms as partners. Approaches like the DMA punish those efforts and reject these crucial partnerships. They do so by introducing an adversarial compliance dynamic that pushes platforms to prioritize meeting the moving target of DMA compliance far higher than the proactive measures they should be taking to optimize security and privacy. For example, platforms will be more hesitant and slower to communicate about, or push out, urgent security updates or remove malfeasant apps due to uncertainty about whether such steps would violate interoperability-related requirements in the DMA.

If the clear competing interests of the EU are not resolved, the continent’s competition regime will undermine the prevention of online scams and the protection of vulnerable users. And while our small business developer community – representing 95% of the developer ecosystem – has reflected on this conflict for some time, the EU’s recent public call for platforms to do more to prevent online scams without addressing the DMA has brought confusion to an all-time high.

We call on the EU, and policymakers around the world, to take a calibrated and partnership-minded approach that does not preemptively prescribe and homogenize platform design. It is critical that regulators preserve platform incentives and capacity to fight fraud, and not impose interoperability obligations that weaken consumer protection.