Randal C. Picker: “Security Competition and App Stores”

Dear readers,

I am delighted to announce that this month’s guest article is authored by Randal C. Picker, James Parker Hall Distinguished Service Professor of Law at the University of Chicago. Randy analyzes the Open Apps Market Act, and, more specifically, the security issues raised by the “open downloads provision.” This is a central topic, something we also find in the Digital Markets Act. I am confident that you will enjoy reading it as much as I did. Randy, thank you very much!

All the best, Thibault Schrepel

****

Security Competition and App Stores

People live on their smartphones. That was true before the pandemic, but app store revenue has grown substantially during the pandemic. In the first half of 2021, consumer global app store spending for the Apple App Store and Google Play were $64.9 billion (and were just $39.7 billion in the same period in pre-pandemic 2019). Even though Android’s worldwide market share is roughly 72% and Apple’s iOS is 27%, Apple’s customers are bigger spenders for apps ($41.5 billion in the App Store and $23.4 billion on Google Play in the first half of 2021).

Regulators worldwide have noticed. In April, the Australian Competition and Consumer Commission issued an extensive report on the app marketplaces, and in June, the UK Competition and Markets Authority launched its own investigation. Last week, Senators Blackburn (R-TN), Blumenthal (D-CT), and Klobuchar (D-MN) introduced a new draft bill, S.2710, the Open Apps Market Act, and that was quickly matched in the House. (Disclosure: Sen. Klobuchar and I went to law school together, just in case you care.)

The draft Open Apps Market Act is nice and concrete and so I will focus my attention there. The bill clearly seeks to facilitate competition in a market dominated by two large firms, Apple and Google. The bill is a recognition of the fact that traditional antitrust may not be the best tool for doing that. Antitrust cases, both in the U.S. and in Europe—the regimes I know best—are very slow and typically require a finding of fault by the firms in question. We might want to move faster here and proving fault will almost certainly turn out to be complicated. Plus even if fault is found that doesn’t necessarily result in changes on the ground in the market, as the European Commission has fined Google repeatedly for actions relating to Google search, seemingly without any real change in search markets.

Boosting competition in app stores is an understandable and laudable goal, but we need to do that without harming people using these devices. Firms will seek to leverage the political process for their private benefits and won’t necessarily take into account how changes that might benefit them will change the overall experience of using these devices. I assume that the draft bill is just that and will be developed through hearings and other input, hence this piece.

But we should be clear: legislation of this sort is an exercise in market and technological engineering. This is not likely to be an easy task even without conflicting agendas and part of what has to be taken into account is how the markets and technology are likely to evolve in the face of the duties and opportunities created by new legislation. It would be a mistake to regulate based solely on past practices without taking into account what the legislation is likely to accomplish given the changes that it will induce from firms and individuals in these markets.

Apple and Google are the targets of the bill, though there are other app stores out there—Amazon, Samsung, and Microsoft have stores for example—so the ultimate coverage may be broader. The bill would bar a covered app store from requiring app developers to use an in-app payment system controlled by the store and would bar app stores from insisting that terms in the app store be at least as favorable as those in another app store. The bill would also limit the ability of app stores to restrict communication between developers and their customers.

Developers upset about the current 30% fee that Apple collects for app sales and for in-app sales—Spotify and Epic Games (the maker of Fortnite) are two prominent objectors—would presumably welcome these provisions. Note that the draft bill doesn’t take on royalty rates directly, presumably because that would put some agency squarely in the business of regulating these rates, but instead hopes that increased options would address the issues raised by big app developers. (I say big developers, as Apple cut its fees in half in November 2020 for smaller developers.)

This is an example of needing to assess likely responses to the changes the bill would make. Apple could charge developers like Spotify and Epic in any number of ways for functions that they use on devices. The core of this system has been no fees for ad-supported apps and then a 30% fee for paid apps or for in-app charges. And note that that means that, I think, a firm like Uber has paid Apple very little money even though its businesses live off of these devices. The bill seeks to introduce more competition with regard to in-app purchases, but the point there isn’t really about competition as such, but rather that big developers are looking for lower fees. Apple and Google could, for example, levy fees on developers of ad-supported apps after their apps hit some very high threshold of downloads. If Apple and Google would move away from fees keyed to in-app purchases and instead just shift to a different way of charging big developers, there may not be much point in trying to change the rules.

The interoperability provision in the bill raises related issues. The bill would force firms with forcing operating systems associated with app stores to make it possible for users to install apps outside of the app store and to install competing app stores. (For clarity, I will call this the open downloads provision.) OS firms would be barred from blocking users from setting third-party apps or app stores as defaults and would have to make it possible for users to hide or delete app stores or apps preinstalled by the platform or its business partners.

The bill would also bar platforms from providing better treatment in the app store for their apps compared to third-party apps though it would seem to allow the app store to run ads for its own apps. A provision described as open app development would require the owner of an operating system to provide access to interfaces and development information on hardware and software features to other developers on a timely basis and on terms that are equivalent or functionally equivalent to those provided to the apps of the platform itself. There is also a provision that addresses security and privacy (more on that below).

There is much to be said about each of those provisions, but focus on the open downloads provision and the security issues that seem to raise. It is worth replaying, briefly, the history of the iPhone. Apple introduced the iPhone on January 9, 2007. It did so into a crowded market facing successful, leading firms, including Nokia, Microsoft, and Research in Motion (the makers of the Blackberry). At the product launch, Steve Jobs made clear that Apple had modest goals, say 1% of the cell phone market in the next year. And there was no app store. When introduced, the iPhone home screen came with 15 icons. That was what you got, no more no less. You couldn’t install other software, but Apple had, Jobs hoped, delivered a great new phone that made possible phone calls, acted as an iPod, and allowed genuine Internet use through the Safari browser.

But even in that locked down, limited framework, there were two ways in which Apple integrated with third parties. The maps functionality built into the iPhone was provided by Google, plus Apple added a YouTube application right before it started selling the iPhone on June 29, 2007. So one way for developers to get onto the iPhone was through direct negotiations with Apple. Of course, there would have been natural limits to how many applications were included—how would Apple know what customers wanted and not all customers were the same of course—but this was a path to added functionality.

Second, the iPhone came with Safari, a full-blown browser, so iPhone users have full access to the internet. And Safari came with access to Google search and Yahoo search preinstalled. The antitrust remedy in the U.S. Microsoft case was intended to make it possible for software firms to cut deals with device makers and not face threats from Microsoft. That had worked—in May 2006 the young Google was paying Dell to preinstall Google’s search toolbar—and that had emerged as an important way to make money on the browser even as users paid nothing for it. So the original iPhone was locked down, making it more secure, and as part of the business model, Apple could sell positions on the iPhone to firms like Google and Yahoo.

Apple moved away from that model in two ways. First, on June 11, 2007, Apple announced that it could effectively run Web 2.0 applications through the browser. That would be a way to add functionality while, as Jobs put it, “keeping the iPhone secure and reliable.” Apple would collect zero dollars in connection with this and would not somehow filter what could be experienced through the browser. But by October 2007, Apple realized that developers wanted more than that and wanted some sort of native access to the iPhone. The question was how to do that while preserving the underlying security of the iPhone. The App Store, announced on March 6, 2008, and opened for business on July 10, 2008, was the answer.

Return to security and the possible risks that would be created by an open downloads rule of the sort mandated by the draft bill. Nokia—which sold its handset business to Microsoft business in 2014 but is still a substantial telcom firm—produces an annual report on malware threats to communications networks. In 2019, Android devices were responsible for 47.15% of all infected devices (for the iPhone, the figure was 0.86%). In 2020, the Android figure had dropped to 26.64% (and the iPhone was at 1.72%). Some of the changes in those numbers seems to be driven by an increasing number of attacks on new Internet of Things (IoT) devices.

But given the approach of the draft bill, a key conclusion of the Nokia report is worth quoting in full:

In the smartphone sector, the main venue for distributing malware is represented by Trojanized applications. The user is tricked by phishing, advertising or other social engineering into downloading and installing the application. The security of official app stores, such as Google Play Store, has increased continuously. However, the fact that Android applications can be downloaded from just about anywhere still represents a huge problem, as users are free to download apps from third-party app stores, where many of the applications, while functional, are Trojanized. iPhones applications, on the other hand, are for the most part limited to one source, the Apple Store.

Nokia, Threat Intelligence Report 2020, p8. That really is quite a striking statement. The approach of the draft bill in requiring all app stores to move to an open downloads model would seem to risk exposing iPhone users to exactly the kind of malware attacks seen in the Android ecosystem.

This is a core design point, not some sideshow. We should not think of user control over the device as free given the concerns about bad actors. Phishing is about fraud and deception and, the question for users is whether they want to be protected from the risk of phishing through the basic design of the mobile OS and the associated app store. And whether Congress will force consumers to bear those malware risks by engineering universal openness, as the open downloads provision would seem to require, even in a world, where, as the malware differences between Android and iOS make clear, openness isn’t free.

Section 4 of the draft bill addresses security and privacy and puts the burden on a platform to establish by “clear and convincing evidence” that a feature is, to simplify, necessary to protect security and can’t be done by less restrictive means. The formulation is appearing in a number of the draft platform bills in Congress. I am not sure that that is a good standard, but if so, I think that we should apply it to the draft bill itself.

There has been competition over security models for smartphones. As the Nokia report makes clear, Apple has taken one path, Google another, and there are dramatic differences in results. The open distribution provision of the draft bill would reduce security competition between the two leading app stores and would seem to risk exposing iPhone users to the level of malware attacks seen in the Android ecosystem. What is the clear and convincing evidence that that is a good idea?

Randal C. Picker

***

Citation: Randal C. Picker, Security Competition and App Stores, CONCURRENTIALISTE (August 23, 2021)

Read the other guest articles over here: link

Related Posts