This piece originally appeared in Lawfare.
On Feb. 3, the Senate Judiciary Committee approved S.2710, the Open App Markets Act, with an impressive bipartisan vote of 20-2. The bill’s narrow focus on competition problems in the mobile app ecosystem might give it a better chance of moving forward than the broader non-discrimination bill that cleared the Senate Judiciary Committee on Jan. 20 with a smaller bipartisan vote of 16-6.
The Open App Markets Act seeks to give app developers more power to reach their customers without the control of the app stores run by Apple and Google, and in particular without paying the app store commissions of up to 30 percent on in-app purchases. It does this by requiring Apple and Google to permit users to load apps on their devices from sources other than the proprietary app stores, Apple’s App Store and Google Play. It also requires the companies to allow users to access other payment systems that do not charge the app store commissions.
The mobile app market is a concentrated duopoly. Apple has roughly half the market through its iOS operating system and its associated app store, which is the only way users can get mobile apps that work on iPhones and other iOS devices. Google has the other half of the market through its Android operating system and app store. It restricts but does not prohibit users from obtaining Android apps from other app stores or sideloading them from website distributors.
Pro-competition reformers are right to worry that the current duopoly puts too much power in the hands of Apple and Google. Seeking to dismantle this cozy duopoly is a worthwhile goal. But the bill might need some upgrades to do it properly.
The key improvement the bill needs would be to clearly enable the enforcing agency to pass rules to prevent evasion of the bill’s pro-competitive thrust and to ensure that the new, more open app distribution system does not endanger user privacy and security.
The need for regulation to stop evasion is evident from the experience of other antitrust authorities. For instance, the Senate bill requires app stores to allow the use of other payment systems, a measure meant to allow app developers to avoid the current excessive 30 percent commissions. A Dutch antitrust agency required this as well, but Apple is attempting to comply by charging a commission of 27 percent for developers that use other payment systems, which would effectively restore the former exorbitant fee for developers. Critics called this conduct a threat to the rule of law, but it is standard practice for companies to seek to evade one-off antitrust behavioral restraints using creative compliance practices.
Apple and Google would likely seek to evade the similar measure in the Senate bill, and the bill as written would not give the enforcing agency sufficient authority to stop them. It should be amended to clearly give the Federal Trade Commission broad supervisory and regulatory authority to write rules to implement the bill’s provisions and prevent evasion of its requirements.
The bill also requires providers of mobile operating systems to allow users to load programs from any independent websites or other app stores, not just from their own app store. If app developers think the proprietary app stores charge too much or impose other onerous conditions, they can reach their users through these other distribution outlets.
Apple objects that this open distribution mandate would undermine user security and privacy. Its proprietary app store, for instance, bans apps that interfere with the operation of other apps. Apple’s store also requires apps to obtain user permission before tracking them around the web, a powerful privacy feature that Facebook says will cost it $10 billion in 2022. Without the app store restrictions, Apple argues, these important security and privacy advantages will be lost.
There’s something to Apple’s argument. Apple’s refusal to allow sideloading has produced a demonstrably more secure system than Google’s more open Android system. According to Nokia’s 2020 report on security in mobile communications networks, in 2020 Android devices were responsible for 26.65 percent of all malware infections while iPhones were responsible for only 1.72 percent. The report attributed this difference to Apple’s more restrictive distribution policies, saying, “[T]he fact that Android applications can be downloaded from just about anywhere still represents a huge problem, as users are free to download apps from third-party app stores, where many of the applications, while functional, are Trojanized. iPhones applications, on the other hand, are for the most part limited to one source, the Apple Store.”
The 2021 report similarly concluded that “[a]mong smartphones, Android devices remain the most targeted by malware due to the open environment and availability of third-party app stores. Android devices make up 50.31% of all infected devices[.]”
It seems logical to conclude that without app store control, the mobile app world might come to resemble the personal computer world, where users can download programs from any source and security threats are omnipresent.
Without Apple’s privacy restrictions, moreover, app developers once again might be able to track users of iPhone apps without their affirmative consent. Facebook, for instance, could encourage other app developers to distribute their iPhone apps through independent app stores that would not require user permission for tracking. It could even start an iPhone app store of its own for this purpose and thereby hope to offset some of its projected $10 billion losses.
At the same time, many observers think Apple’s security and privacy concerns are overblown. Microsoft, for instance, supports the bill and announced that it would allow developers access to its stores for Windows software and for its gaming platform “as long as they meet reasonable and transparent standards for quality and safety” and that it would continue to allow Windows developers “to choose whether they want to deliver their apps for Windows though our app store, from someone else’s store, or ‘sideloaded’ directly from the internet.”
In addition to Microsoft, prominent security analyst Bruce Schneier rejects Apple’s security and privacy concerns. He thinks that a more open app market might improve app privacy and security. Open app distribution, he argues, might allow users to download apps that block ads in other apps, a possibility that is restricted now in both proprietary app stores by rules prohibiting apps that interfere with the operation of other apps.
In a recent episode of the Cyberlaw Podcast, however, computer scientist Nick Weaver disagrees with Schneier’s idea that open app distribution would allow app developers to evade Apple’s restrictions. He points out (at around 5:50) that the mobile operating systems are far more restrictive than the PC operating systems and many privacy and security rules are currently enforced through the operating systems, not the app stores, including the restrictions on ad tracking and not interfering with the operation of other apps. As a result, Weaver thinks, Apple’s loss of control over app distribution might not have the harmful privacy and security impacts Apple predicts, because Apple could maintain these protections through its iOS operating system.
It is hard for nonspecialists to know who is right here. It seems to me that the open distribution model does create additional security risks, as indicated by the Nokia security reports. There must be limits to protecting security through the operating system alone; otherwise, the Android system would be just as secure as the iPhone and, as Nokia points out, it is not.
Microsoft also appears to take the Schneier position that operating system controls are not sufficient. Perhaps for security reasons, Microsoft will not voluntarily apply its open distribution policy to games written for its Xbox platform. Nor would it be required to do so under the Senate bill, which, as Microsoft notes, is written for “PCs, mobile phones and other general purpose computing devices,” not for “specialized computing devices, like gaming consoles.”
In either case, however, the bill, as written, has loopholes that create opportunities for abuse. If Weaver is right that Apple can impose whatever privacy and security measures it wants through the operating system, then the company can use the same mechanism to impose the anti-competitive restrictions the bill is seeking to outlaw, including its 30 percent commission.
By contrast, if Schneier is right that app developers can evade operating system restrictions, then that freedom creates its own range of security vulnerabilities. Allowing apps that interfere with other apps would enable, for instance, rogue developers to steal personal data including financial data that users have entrusted to other apps. If operating system restrictions are porous, then app developers would also be able to avoid Apple’s requirement to obtain user permission for tracking. Apple would be helpless to stop these privacy and security abuses.
The fix to the bill is the same, regardless of who is right. In either case, a regulator must be clearly empowered with sufficient supervisory and rulemaking authority both to prevent anti-competitive abuse and to ensure that mobile operating system restrictions really are needed for privacy and security. But, as I pointed out in a recent Brookings post, in making this assessment of privacy and security needs, the regulator must not be required to privilege competition over privacy, as is done in both the Open App Markets bill and S.2992, Sen. Amy Klobuchar’s nondiscrimination bill.
This amendment would provide needed regulatory oversight for both antitrust enforcement and privacy and security for mobile apps. It would not create the comprehensive national privacy law that advocates are seeking, which seems to be stuck in congressional limbo. But it would respond to the potential for evasion of the bill’s pro-competitive thrust and to new risks to privacy and security created by the bill’s promotion of a more competitive app store marketplace.
Apple, Google, and Microsoft are general, unrestricted donors to the Brookings Institution. The findings, interpretations, and conclusions posted in this piece are solely those of the author and not influenced by any donation.