The Perverse Brussels Effect

The “Brussels Effect” – where the impact of European Union policy reaches far beyond the borders of Europe – is well established in digital policy. It usually takes one of two forms: multinational corporations adopt the EU’s standards so they don’t have to maintain two versions of their services or processes, or other countries adopt copycat legislation that is aligned with the EU’s laws. GDPR privacy regulation is the hallmark of this effect.

The real-world impacts of this effect are mixed, with outcomes ranging from the perhaps positive, such as some of the changes to global privacy and environmental standards, to the annoying, like requiring USB-C chargers on all devices. Having said that, the EU itself is now rolling back some of GDPR’s misguided mandates.

But we are now seeing a peculiar new take on the Brussels Effect: countries copying EU policies that are failing.

Let’s explain. The Digital Markets Act (DMA) has been fully in force for over a year now, and we are seeing the reality of this policy experiment play out. Trusted Future did a deep dive into the first interoperability request publicly posted under the DMA’s new rules and found that its mandates are having dangerous unintended consequences that actually weaken cybersecurity. Our analysis found that they could create significant new security risks, give nation-state threat actors a leg up, and put consumers and enterprises at greater risk.

A new statement by Apple just this week highlights the multiple security threats and impacts on consumers it is seeing as a result of the DMA, including:

  • Requests from third parties to access sensitive user data, including users’ messages, emails, medical alerts, and any other notifications – data that Apple itself cannot access today;
  • Requests from companies for access to users’ Wi-Fi history, which can be abused to track a user’s location and to digitally fingerprint their online activity, and which is a serious security risk for users who use their phones and Wi-Fi for work;
  • Greater risks when downloading apps and making payments, which are exposing users to more scams, fraud, and compromise of device and data integrity;
  • Exposure to harmful content, including pornography apps that are available on the iPhone for the first time through other marketplaces, and gambling apps that are available even in locations where gambling is illegal.

Despite the growing evidence of this failed regulatory experiment, other countries, like Australia, Brazil, and South Korea, are considering regulation that risks the same technical consequences for privacy and security.

For example, in August an Australian federal judge, citing the DMA on 51 separate occasions as rationale for the decision, ordered Apple and Google to enable unsafe alternative app stores and to allow risky payment options without the basic protections necessary to defend users against malicious actors. Unfortunately, the decision was made before the vast scale and scope of the DMA’s unintended consequences could be considered, without the benefit of learning from Europe’s mistakes, and without a full understanding of the broad types of consumer harm that these DMA-style mandates deliver.

In addition, The Australian recently reported that the Australian Competition and Consumer Commission (ACCC) is advancing efforts, once again modeled on Europe’s failed Digital Markets Act experiment, that would create new mandatory security weaknesses by forcing open Apple’s ecosystem and dismantling important consumer privacy, safety, and security safeguards. These fundamental changes would degrade Australian users’ privacy, undermine key safety and security protections, open the door to new forms of scams and fraud, degrade the tools parents use to protect their children, and put Australian competitiveness at risk.

For example, under the well-meaning goal of advancing digital interoperability, the ACCC is replicating key aspects of Europe’s failed model. Its proposal, outlined in a 408-page report with recommendations similar to those in the DMA, would disable key smartphone security safeguards in order to give third parties access to core features like the content of private notifications, near-unrestrained access to almost everything on your phone, and access to almost anything a bad actor might want.

As The Australian story points out, under the DMA’s provisions Meta is now demanding access to incredibly sensitive user data, including Wi-Fi history. Knowing which Wi-Fi networks a user has joined can reveal a great deal of personal information about them, such as visits to a weight-loss clinic, an Alcoholics Anonymous meeting, or a courthouse.

In fact, Wi-Fi data is so private that an executive at Apple says it “is so sensitive we don’t have access to it… We don’t see it. We don’t get it. But under these rules, we’d be forced to hand it over to other companies, no matter who they are or how they plan to use it, in the name of interoperability.” And this is but one example of the proposals’ many problems.

Despite the risk of undermining core privacy, safety, and security protections, the ACCC, referencing the DMA 146 times to justify its proposal, is pressing for DMA-style mandates that would force Apple to open its iOS ecosystem to rival app stores, third-party payments, and other services in a way that puts Australian users, businesses, and the economy at risk.

Canberra may be learning a bad lesson from Brussels.