New Interoperability Mandates Exemplify the Problems with DMA Rather Than Fixing Them

Many people may have missed it, but just ahead of the holidays, the European Commission proposed specific new interoperability mandates under the Digital Markets Act (DMA). Trusted Future has written extensively about the DMA, particularly about our concerns over the unintended consequences the law could have for the privacy and security of users, and has laid out steps the Commission could take to put the regulations on a better path. Unfortunately, this latest mandate looks to be a further step in the wrong direction.

What did the European Commission decide?

On December 19, the Commission issued preliminary findings under the DMA that indicate Apple must take steps to enable the interoperability of devices and software from third parties with its iPhones. 

According to the Commission press release, “Under the DMA, Apple must provide developers and businesses with free and effective interoperability with hardware and software features controlled by its operating systems iOS and iPadOS, which are core platform services for which Apple was designated as gatekeeper.” This means Apple must offer other businesses free interoperability with hardware and software features controlled by its operating systems. The finding is based on the preliminary conclusions of a probe into Apple’s iOS that the Commission launched in September under the DMA. These are essentially the Commission’s recommendations on what Apple should do to comply with the new law.

The preliminary findings cover interoperability obligations in relation to several iOS connectivity features for connected devices, including notifications, automatic Wi-Fi connection, AirPlay, AirDrop, and automatic Bluetooth audio switching. For example, Apple features such as AirDrop file transfer would have to be opened to third-party developers.

In terms of process, the Commission opened a truncated three-week public consultation period on December 18th that closes on January 9th. It then has six months to adopt a final decision. 

Why is interoperability an issue?

Interoperability, broadly speaking, can be helpful to consumers – for example, in the many ways that smartphones today interoperate with and enable thousands of third-party devices and millions of apps to deliver incredible capabilities and previously unfathomable opportunities to consumers. In short, smartphones have already become the Swiss Army Knives of interoperability – connecting millions of apps and third-party devices with innovative operating system functionality, a process for accessing trusted third-party apps, cutting-edge onboard sensors (cameras, microphone, accelerometers, location, touch, etc.), vast onboard computing power, a broad range of connectivity services and protocols (including Wi-Fi, Bluetooth, 5G, and Near Field Communication), and third-party devices (smartwatches, wearables, IoT, and smart home devices, etc.) in ways that enable a vast ecosystem of consumer opportunity. What makes all of this possible is that the interoperability is done in a way that simultaneously safeguards consumer privacy, safety, and security. But mandated interoperability, as is being proposed here, can be especially problematic when it is done in a way that directly harms or undermines the fundamental privacy, safety, and security protections currently built into those same technologies.

What would be the implication of this mandate?

The DMA has raised concerns among many analysts. Experts have examined how well-intentioned theories and concepts from the economics and competition space can have adverse effects on privacy and cyber security. Essentially, the concept may be interesting, but the realities of implementation are simply not practical and the predictable effects will be adverse. This new interoperability mandate appears to be a case study in that concern, with three significant implications.

First, this is the first time a government regulator has effectively decided to become an operating system software designer, and it is doing so without conducting any kind of review for privacy or security impacts. What the European Commission is doing is designing major operating system features, functionality, and operations in detail. It is homing in on some of the most complex and sensitive functionalities of connected technologies – the intersection between different devices and the information to which they have access.

Yet the Commission is taking on this engineering problem without adhering to the standard security practices that are commonplace in industry and among software engineers. For example, Chapter 2 of the European Union’s own Cyber Resilience Act (CRA) requires manufacturers of both smartphones and connected devices to build in security from the start, by design. It mandates that manufacturers factor cyber security into the design, development, and production of products with digital elements. Yet the Commission’s newly proposed mandate would not adhere to the EU’s own sound requirement. In fact, the Commission’s consultation document never even asks about the privacy or security implications of the design changes it seeks to mandate, and so the Commission will be unable to foresee the broad privacy and security implications of its decision.

The second major implication is that these design choices will have a particular impact on consumers because they fail to put consumers first. Consumers deserve the ability to control their privacy and security, but this approach to interoperability puts that control in the hands of third parties. For example, this appears to be the first time that a government is contemplating requiring one company to hand over access to private passwords to another company (e.g., for Wi-Fi). This is bad regulatory and security practice.

Most consumers will be unaware that these proposed changes could allow a bad actor to read and collect data on their phone, including everything from text messages, emails, photos, and call records to passwords. This data could easily be used in harmful ways, ranging from national security concerns and corporate espionage to the exploitation of personal data for profit. Bad actors could simply move the user data to their own servers, combine it with other data, and sell it to the highest bidder. It would be a boon for data brokers but a bust for those who value their privacy – or even those who just value the ability to make their own decisions about how their data is used and sold.

Finally, the third significant implication is that, taken together, these changes create even more problems for the national security agencies of EU Member States. As noted above, the Commission did not ask about the security implications in its consultation documents, which is troubling writ large. But it is the Member States, their national security agencies, and the critical networks and data in the Member States whose security will be affected. Given that security is not substantively mentioned in the proceeding, it is unlikely that the national security agencies of Member States such as Germany, France, Italy, Spain, the Netherlands, Sweden, or Estonia have even been consulted about this serious proposed change. They should be. Each is deeply involved in device security, is an active member of both the EU and global product evaluation and certification mechanisms (e.g., the new European Certification scheme, the CRA, and the global Common Criteria), and is among the European governmental experts in security. Critical networks and data will be affected across Europe. The security agencies must be consulted, and must weigh in. The job of cyber securing Europe is hard enough, and being blindsided by EC ‘civil’ device regulation would make it even harder. The Member States’ national security agencies need to weigh in.

What’s next?

Trusted Future has long warned against the kind of security and privacy concerns in the DMA that this interoperability mandate brings to light. We have offered guidance on how to make the DMA more serious when it comes to privacy and cybersecurity. Our hope is that the European Commission carefully reviews the feedback and analysis it receives during the public consultation period and moves toward a more productive path that improves and fixes the problems associated with the Digital Markets Act, rather than doubling down on them. Consumers deserve to have their privacy protected and to trust that their devices and data will be kept secure, both in Europe and around the world.