How Congress Can Avoid Learning the Wrong Lessons from Europe

Given the broad impacts that technology has on our lives, policymakers are right to be looking for smart ways to further improve the vital technologies we use every day – by supporting efforts to improve our privacy, safety and security – and expand digital opportunities for all Americans.

But occasionally we hear of proposals that miss the mark – proposals that take us in exactly the wrong direction. That’s why we are concerned to hear reports that a few Members of Congress are set to consider the controversial Open App Markets Act (OAMA) – a bill which essentially copies Europe’s failed Digital Markets Act (DMA) – and undermines core consumer safeguards designed to protect user privacy, safety, and security. There’s a similar proposal in the House, the App Store Freedom Act, with the same problems. 

Despite the growing evidence of Europe’s failed DMA regulatory experiment, these members of Congress are proposing legislation that copies key mistakes – risking the same technical consequences to put millions of consumers’ devices at risk. At its heart, the legislation would fundamentally undermine the security and privacy features that have made modern mobile devices so powerful and useful.

Experts, for example, point out that the DMA and OAMA undermine key safeguards designed to protect consumer privacy and children’s safety. They warn about the harmful impact that comes from weakening important security protections that enterprises, governments, and critical infrastructure users of mobile technologies rely upon to keep their systems safe. 

Instead of proposing proven solutions or targeting specific consumer harms, the legislation replicates key elements of Europe’s digital framework without key privacy, safety, and security safeguards, without the benefit of learning from Europe’s mistakes, and without a full understanding of the broad types of consumer harms that these DMA-style mandates deliver.

We don’t need to guess; we can now see how this type of regulatory framework undermines key digital safeguards that consumers, businesses, critical infrastructure providers and others depend upon. For example, while these frameworks are intended to restructure technology markets in the EU in a way that the government in Brussels thinks is ‘fair,’ there is nothing fair about mandates that undermine consumer protection. Nor does mandated insecurity make markets fairer.

Instead, OAMA enables unsafe alternative app stores that have as much as 50 times more malware, and allows risky payment options without the basic protection necessary to protect users against malicious actors. It also requires key smartphone security safeguards to be disabled in order to give third parties unprotected access to core features like the content of private notifications, near unrestrained access to almost everything on your phone, and access to almost anything a bad actor might want.

Bad actors gain access to these features through one of the bill’s key provisions, which mandates that interoperability be done in insecure ways. We’ve already seen how requests for sensitive interoperability features under the DMA can put sensitive user data at risk. For example:

  • Trusted Future did a deep dive into the first interoperability request publicly posted as part of the DMA’s new rules and found its mandates are having dangerous unintended consequences that actually weaken cybersecurity. Our analysis found that it could lead to significant new security risks, give nation state threat actors a leg up, and put consumers and enterprises at greater risk.  
  • Likewise, third parties are seeking to leverage the DMA’s required interoperability to gain access to sensitive private notifications. Push notifications – alerts that pop up on your smartphone screen – play an integral role in the way we use smartphones. They help us stay informed about messages, calls, weather alerts, events, news, multi-factor authentication codes, and a host of other private information at a glance. But they are also enormously valuable to unscrupulous third parties. Russia and other governments have long sought access to Google and Apple smartphone notifications as a way to surveil users. Hackers want access to notifications and texts because they contain temporary access codes that can be used to bypass multi-factor authentication security. And data-hungry apps are already using the DMA’s interoperability rules, which OAMA proposes to replicate, to request access to these sensitive features and hoover up all of our personal and private notifications in unencrypted form to be sent to their servers – where they could be mined, used for targeted ads to underage minors, or sold to unscrupulous third parties without restriction.
  • In addition, under these same interoperability rules being replicated by OAMA, third-party companies are requesting access to users’ Wi-Fi history, which can be abused to track users’ location and digitally fingerprint their online activity, and which poses a huge security risk for users who rely on their phones and Wi-Fi for work.

And because smartphones are in the pockets and purses of almost every CEO, critical infrastructure operator, national security professional, elected official, military commander, judge, and journalist, weakening security for one weakens it for us all.

But OAMA goes further. Like the DMA, the OAMA legislation requires device manufacturers to allow unvetted app downloads, even though the government’s own cybersecurity experts warn against it. For example:

The National Security Agency says, “Install a minimal number of applications and only ones from official application stores.”

The Cybersecurity and Infrastructure Security Agency says, “Limit your download sources to your device’s manufacturer or operating system app store to reduce the risk of malware on your device.”

The Federal Trade Administration says, “Use official app stores. To reduce the risk of installing potentially harmful apps, download apps only from official app stores, such as your device’s manufacturer or operating system app store. Also, research the developer before installing an app.”

The Small Business Administration says, “If an app isn’t from a trusted source, you could potentially be downloading malware or some other security threat to your device. The major app marketplaces such as Google Play & Apple Store have gotten good at screening apps for security issues.”

The General Services Administration says, “Installation of applications from unknown sources is not authorized. These unknown sources include third party application sources…Allowing mobile apps to be loaded from an unknown source presents one of the greatest risks…[for] mobile devices.”

The Department of Homeland Security says, “[U]sers should avoid (and enterprises should prohibit on their devices) sideloading of apps and the use of unauthorized app stores.”

The Federal Bureau of Investigation says, “it is highly desirable to limit allowable applications to a pre-approved pool of apps via MDM or organizational App store structures and device policy.”

The National Institute of Standards and Technology says, “Application stores pose an additional threat vector for attackers to distribute malware or other harmful software to end users. This is especially true of third-party application stores not directly supervised by mobile OS vendors.”

Given this broad consensus within government that downloading unvetted apps poses serious cybersecurity risks, why then is Congress even considering bills like this that require it? To build trust, we need to raise, not lower, cybersecurity protections, improve privacy protections rather than weaken them, and boost digital safeguards instead of opening the door to a vast array of new scams and frauds.

Thus, this is not the time to recycle Europe’s failed experiments, to push through legislation that we know has deep flaws or to rush an effort that has not been fully baked. Instead of inadvertently taking steps backwards, we urge leaders to stay the course by continuing to press forward on advancing pragmatic policies and private sector action on efforts to improve privacy, safety, security, and trust in our digital ecosystem. Because continued advances that drive continuously better privacy, safety and security are the keys to enabling a more trusted future.