Challenges and Trade-Offs Facing Access to Ecosystems in Digital Markets

Introduction

Competition authorities regulating access to digital platforms such as the operating system and app stores of Google and Apple would seem to be a simple and straightforward objective in digital markets. However, in practice, it is much more complex. The underlying technology is often intricate and enabling access can involve navigating various challenges, ranging from technical barriers to security and privacy concerns. This is evidenced by Apple’s recently published whitepaper on the security and privacy measures taken alongside opening up its platform to alternative app stores, payment processors and browser engines in response to the Digital Markets Act (DMA) in the EU.^[1]

Amidst a backdrop of keen interest in platform access in competition matters spurred by new digital regulations, this article explores some of the challenges faced by regulators and firms alike in imposing and complying with access requirements. It discusses the sometimes inconvenient, but nonetheless unavoidable, trade-offs that can come with facilitating access.

Platform access in digital regulations

Ensuring fair and transparent access to platforms is currently top of mind for competition regulators in various jurisdictions.^[2] Such a requirement is aimed at preventing platforms from favouring their own services (i.e., self-preferencing) and from obstructing competing firms’ ability to offer equivalent services. In the EU, the DMA mandates gatekeepers to technically enable third-party apps and app stores on their operating system (Article 6(4)), prevents them from self-preferencing their services (Article 6(5)) and ensures they provide third parties with access to their operating system, hardware and software features (Article 6(7)).

Similarly, under the UK’s draft Digital Markets, Competition and Consumers Bill (DMCC) which has now passed both Houses of Parliament, a firm designated as having a Strategic Market Status (SMS) is prevented from restricting interoperability between its relevant services or digital content and third-party offerings. Moreover, such firms are restricted from controlling users’ engagement with the relevant digital activity.^[3]

A common trade-off that competition authorities grapple with is between enforcing equal access to platform features on the one hand and protecting user privacy and security on the other. For instance, the UK’s Competition and Markets Authority (CMA) has been scrutinizing the restrictions imposed by Apple (and to a lesser extent Google) on a series of services, including third-party browsers, cloud gaming apps and alternative distribution channels, as part of its recent investigations into mobile ecosystems and the cloud gaming market.^[4] While acknowledging the importance of Apple and Google opening up their ecosystems to competing products, the CMA is rightly aware of the importance of considering the impact on security when designing potential remedies.^[5] Similarly, the Federal Trade Commission (FTC) in the US recently acknowledged the trade-off between interoperability and security but highlighted the importance for enforcers to closely scrutinize security or privacy-led defence of practices that restrict competition.^[6]

As competition authorities increasingly recognize these trade-offs, they are integrating them into the regulations they enact. For example, the DMA provides that a gatekeeper is allowed to take “strictly necessary and proportionate measures” to ensure that interoperability does not compromise the integrity of its core platform service, such as the operating system or hardware or software features provided by the gatekeeper.^[7]

So, how does an authority or a business evaluate whether access is a reasonable technical expectation and wouldn’t compromise customer privacy or weaken security standards? Conversely, how does one determine whether the security measures in place (or proposed in response to pro-competitive interventions) are justified and do not unduly hinder access and innovation?

In the next section, we highlight this trade-off in the recent DMA compliance announcement by Apple and the related cases in the US.

Case study: Apple’s DMA compliance and related lawsuits

Apple has historically imposed restrictions on alternative app distribution channels in its mobile operating system, iOS. The company has justified these restrictions on the grounds of security, claiming that enabling the installation of apps from alternative sources, often referred to as “sideloading”, either via a user directly downloading apps from a webpage or downloading an alternative app store, would compromise the security and privacy protections that make its devices safe.^[8] Despite years of effectively resisting calls to open up its ecosystem, Apple is finally having to comply in the EU following the European Commission’s (EC) designation of iOS, Safari, and Apple’s App Store as “core platform services” under the DMA. On January 25^th 2024, Apple announced the long-awaited changes to its policy for these products, which subsequently went into effect on March 7^th, ^[9] The EU has since opened a non-compliance investigation under the DMA into Apple’s revised rules for app stores on iOS.^[10]

Among the company’s new offerings are developer tools and APIs^[11] that enable the creation and installation of third-party app stores, which Apple refers to as “alternative app marketplaces”, along with the installation of apps through these stores.^[12] These offerings are accessible to developers with apps in the EU, who ‘consent’ to Apple’s new business terms.^[13] Once developers agree to the new terms, they will have a one-time option to revert to the old terms, as long as they have not distributed an alternative app store, distributed apps through an alternative app store, or used alternative payment processing or linking out (i.e. redirecting users to the developer website to purchase digital goods or services). In other words, Apple only allows developers to switch back to the old terms if they have not yet taken advantage of any of the freedoms enabled by the DMA, essentially rendering the switch irreversible.

In parallel, Apple is introducing a series of controls in an attempt to alleviate the “new risks the DMA poses to EU users”.^[14] These include enhanced on-device protections against malware that apply to all apps regardless of their distribution channel, authorization for prospective developers of third-party app stores, as well as a centralized notarization process for all third-party apps – a combination of automated and human-led checks, which scan apps for security threats prior to distribution. Notably, the new notarization process is an extension of notarization on macOS, Apple’s operating system for desktops and laptops. Apple claims that macOS notarization has “worked well,” which prompted its adoption on iOS.^[15] This goes against Apple’s persistent opposition to this very idea in the lawsuit, where it made claims that macOS security was in a bad state, that adopting a similar system on iOS would lead to a “very bad situation for [Apple’s] customers”^[16] or that adding a necessary human review element to implement notarization on iOS would not scale well.^[17] This raises real questions about the consistency and the reasoning behind security-based limitations Apple imposes.

Apple’s security measures in response to the DMA may appear appropriate at first glance, given the expanded ‘attack surface’ that inevitably results from introducing additional distribution channels. However, a closer look into the underlying detail raises several questions about the proportionality of the required steps compared to the actual security risks involved. For instance, Apple continues to exercise a significant amount of control and apply technical hurdles on the alternative distribution of apps in its ecosystem in several ways. In particular, Apple imposes a variety of barriers on third-party app stores, requiring users to navigate extra steps to enable their use:

1. • To install a third-party app store, a user will need to first approve it by making the effort to navigate separately to the “Allow Marketplace from Developer” control in Settings, before going back to proceed to download it.^[18]
   • Further, a user will be shown an additional screen summarizing the information about the third-party app store before completing the installation.
   • The user will encounter the same screen every time they attempt to install an app through the third-party app store as well.^[19]

This additional friction is not warranted from a security perspective, given that every alternative app store and the apps it hosts will be checked for malware and other security threats, manually reviewed by a human prior to distribution and be subject to the same enhanced on-device security measures as the App Store, including install-time checks and automatic disabling if malware is detected after installation.^[20]

The hurdles in the installation process will likely act as a practical deterrent and steer users towards Apple’s App Store, which in contrast, requires no such steps for users to access and utilise it.^[21] Furthermore, Apple’s App Store will remain pre-installed, prominently displayed, and initially set as the default app store (though this can now be changed). The ability to attract users is particularly critical on multi-sided platforms, such as app stores, which have significant network effects. Unless alternative app stores can attract sufficient users and app developers, these stores will struggle to even “get off the ground” – let alone grow to exert sufficient competitive pressure on Apple’s App Store.

Apple’s new approach to enabling alternative app distribution is not far off that of Google in the Android ecosystem. While, in theory, Google permits installation through third-party app stores and browsers on Android devices, Google discourages it by erecting a series of user-facing ‘scare’ screens and mandatory Settings changes, which warn users about the potential harm of “unknown sources”. In its recent legal battle with Epic Games, Google justified these additional ‘security’ measures by claiming that alternative sources have higher rates of malware and present a higher risk of a user’s device being compromised. However, Epic’s security expert, Professor James Mickens,^[22] debunked these arguments as pretextual, because the warning screens are not based on any security evaluation of the app-to-install.^[23] He further concluded that in order for the operating system-imposed installation friction to be justified from a security perspective, it “should be proportional to the likelihood that the app is harmful (as determined by a high-quality security review).”^[24]

Therefore, to justify their security measures, Apple (and Google) need to demonstrate the objectivity of their baseline review standards, as well as the strict necessity of any steps they take to obstruct the users’ ability to download apps from third-party sources. If these measures are truly distribution channel-agnostic, there should be no justification for imposing exclusive hurdles on installation through alternative sources, especially if the same hurdles are not equally applied to Apple’s or Google’s proprietary app stores.

Where next?

Following the growing swell of third-party concerns about gatekeeper compliance under the DMA, on March 25^th, 2024, the European Commission (EC) announced non-compliance investigations into the measures implemented by several gatekeepers, including Apple. In particular, as discussed above, the EC is concerned that Apple’s measures to allow alternative app stores may not be compliant.^[25] The EC intends to conclude the proceedings within 12 months and lay out its preliminary findings and potential remedial features.

It will be interesting to observe how the Commission assesses and navigates the balance between providing access to a platform and the associated security risks. In this context, business users have the potential to play a significant role in providing valuable insights for the evaluation.

About the Authors:

Nitika Bagaria is a Senior Principal at Keystone. She holds a Ph.D. in Economics from LSE. Her previous professional experience includes roles at the UK competition regulator and in competition economics consulting.

Arzu Mammadova is Senior Software Engineer at Keystone. She holds a B.Sc. in Computer Science from Cornell University and brings professional expertise in assessing the technical aspects of legal and regulatory matters within the technology sector.

References

[1] Apple, “Complying with the Digital Markets Act: Apple’s Efforts to Protect User Security and Privacy in the European Union”, p.6., March 2024.

[2] In addition to the EC, CMA and the FTC (US) discussed in the draft, the Japan Fair Trade Commission and South Korean Communications Commission are among many other regulators considering regulating access to mobile operating systems. See, for example, Nikkei Asia, “Japan to crack down on Apple and Google app store monopolies – Nikkei Asia”, December 2023; and Mlex, “Apple, Google face hefty fines for app-store violations, South Korean watchdog says”, October 2023.

[3] DMCC bill, see Article 20(3)(e) and (f).

[4] CMA, “Mobile browsers and cloud gaming market”, January 2024;

[5] CMA, “Mobile ecosystems – market study final report”, June 2022.

[6] FTC, “Interoperability, Privacy & Security”, December 2023.

[7] See Article 6, paragraph 7.

[8] Apple, “Building a Trusted Ecosystem for Millions of Apps: A threat analysis of sideloading”, October 2021.

[9] Apple, “Apple announces changes to iOS, Safari, and the App Store in the European Union”, January 2024.

[10] EU, “Commission opens non-compliance investigations against Alphabet, Apple and Meta under the Digital Markets Act”, March 2024.

[11] Apple, “Apple announces changes to iOS, Safari, and the App Store in the European Union,” January 2024. Apple’s announcement also includes enabling developers to use alternative browser engines and alternative payment processing for in-app purchases.

[12] Apple, “MarketplaceKit: Create an alternative app marketplace or distribute your app on one”.

[13] Apple, “Alternative Terms Addendum for Apps in the EU”.

[14] Apple, “Apple announces changes to iOS, Safari, and the App Store in the European Union”, January 2024.

[15] Apple, “Complying with the Digital Markets Act: Apple’s Efforts to Protect User Security and Privacy in the European Union”, p.6., March 2024.

[16] Forbes, “Apple Exec Admits Macs Have A Malware Problem – Its Website Says Otherwise”, May 2021.

[17] See United States District Court, “Rule 52 Order After Trial on the Merits”, p. 148. September 2021.

[18] Apple, “Alternative distribution user experience”.

[19] This will be the case unless a user makes the third-party app store their default marketplace, which can be done through a new default setting. See Apple, “Alternative distribution user experience”.

[20] See Apple, “Notarization for iOS apps” and “Complying with the Digital Markets Act: Apple’s Efforts to Protect User Security and Privacy in the European Union”, p.8., March 2024.

[21] In addition, a developer’s ability to distribute a third-party app store relies on meeting a set of criteria and obtaining final approval from Apple. These criteria include the establishment of an independent review process, separate from Apple’s notarization, to vet apps for intellectual property infringement. Additionally, developers must have the infrastructure to identify and mitigate harmful apps within their stores. Therefore, despite not permitting alternative review entities to vet and approve apps for distribution, Apple mandates developers to implement their own quasi-app review processes as a prerequisite for obtaining the final approval to distribute their app stores on the web. The resulting stringency and lack of flexibility may pose a further barrier for developers of third-party app stores, potentially limiting their ability to enter and innovate. See Apple, “Requesting the entitlement”.

[22] James Mickens is a Professor of Computer Science at Harvard University. See: James Mickens (harvard.edu).

[23] Law360, “Epic and Google Security Experts Battle In App Antitrust Trial”, November 2023.

[24] Forbes, “Apple Exec Admits Macs Have A Malware Problem – Its Website Says Otherwise”, November 2023.

[25] European Commission, “Commission opens non-compliance investigations against Alphabet, Apple and Meta under the Digital Markets Act”, March, 2024.