Two critical stories in the news this week highlight core challenges governments face when seeking to fast-track complex digital market legislation without fully considering or addressing the complex threats it creates for user privacy and security.
This week the Brazilian Congress rushed through Bill 4765/2025 – a complicated piece of legislation that implicates some of the most sophisticated technologies on the planet. Proponents of the legislation often point to the European Union’s Digital Markets Act (DMA) as a model for promoting market contestability – the primary goal of the legislation. The European experience, however, suggests that there are vast unintended consequences that can accompany this approach – especially as it relates to the privacy and security of technologies that Brazilians depend upon every day to run their businesses, protect critical infrastructure, and protect their families.
Instead of working through its committee processes, or calling upon cybersecurity experts to better understand and fully address the inherent privacy and security weaknesses in the bill, some politicians unknowingly decided to move forward anyway. However, what we found from Europe’s experience is that there are especially significant and technically complex harms that can arise from the kind of interoperability mandates for smartphones envisioned by the bill when key security, privacy, and consumer safety safeguards are undermined – something we have strongly warned against.
And on the same day that Brazil voted to short-circuit its committee process, security researchers highlighted a critical new security exploit that takes advantage of the exact kind of security weakness we highlighted following Europe’s failed interoperability approach. Wired is now reporting that millions of iPhones can be hacked with a new tool found in the wild. Thankfully, Apple already quickly recognized this threat and rendered it ineffective. Notwithstanding this, it’s important to note the public policy implications. While hackers have, in the past, hand-picked high value targets to compromise smartphones, Wired now explains, “a recent spate of espionage and cybercriminal campaigns has instead deployed those same phone-takeover tools, embedded in infected websites, to indiscriminately hack phones by the thousands.” Wired says, “one new technique in particular – capable of taking over any of hundreds of millions of iOS devices – has appeared on the web in an easily reusable form, putting a significant fraction of the world’s iPhone users at risk.” As we said, the good news is that these exploits have already been patched by Apple, and a helpful reminder of why you need to always keep your software up to date.
But policymakers would be wise to look under the hood at how this relates to their digital market proposals. According to the Google researchers who first identified the hack, the new hacks rely on JIT exploits as part of a sophisticated iPhone hacking technique known as DarkSword to take over an iPhone. What is a JIT? It’s short for “Just in Time Complier” and it’s one of the most complex, sophisticated and important pieces of technology built into your smartphone’s browser. As we explain here in more detail – smartphone interoperability mandates (like the DMA and those being considered in Brazil) can allow unfettered access to these fundamental compiling features, or allow the use of an insecure JIT, creating significant vulnerabilities that hackers can easily exploit to remotely take command of a phone.
The fundamental policy problem is that the EU’s DMA, like Brazil’s approach, requires large digital companies to ensure their software and hardware are interoperable with third-party developers. Sounds simple, and valuable. However, the very first interoperability request publicly posted by a developer under the EU’s DMA requested Apple provide it with direct access to features of its Just-In-Time Compiler, or JIT engine – the same feature that hackers exploited in the newly reported findings. The request for interoperability access to JIT features exposes an inherent tension in the digital market interoperability regulation. By forcing a smartphone to open up the JIT’s direct read/write/execute access to anyone, or to break other built- in features like the encryption it uses to protect notifications, the DMA fundamentally changes the security calculus for iPhone users. If forced to open up these features to any developer, it could lead to unprecedented new security risks, give nation state threat actors a leg up, and put the integrity of core enterprise business operations at risk.
Making matters worse, as Wired explains:
“iVerify cofounder and researcher Matthias Frielingsdorf notes that the Russian hackers who most recently used DarkSword in their espionage campaign left the full, unobscured DarkSword code – complete with explanatory comments in English that describe each component and include the “DarkSword” name for the tool – available on those sites for anyone to access and reuse. That carelessness, he says, practically invites other hackers to pick up the tool and target other iPhone users. “Anyone who manually grabbed all the different parts of the exploit could put them onto their own web server and start infecting phones. It’s as simple as that,” says Frielingsdorf. “It’s all nicely documented, also. It’s really too easy.”
Imagine if Brazil’s new obligations are successful in mandating that this type of functionality is required to be interoperable and available to anyone. What would be the impact on Brazil’s government users, critical infrastructure providers, businesses and citizens? Would regulators be required to establish security and safety safeguards to protect its users? Would regulators have to review a patch that makes changes to an interoperability interface that other companies now rely upon? These are exactly the kinds of questions that should be addressed and answered in a fact based, expert laden committee process.
It’s a real world example of how the urgency of Brazil’s approach, and its effort to bypass the usual committee process, is incompatible with the complexity of the issues, and the important privacy and security safeguards they need to protect.