The CMA Final Report on the Mobile Ecosystems market study: a repudiation of Apple’s narrative over privacy and safety as justifications for the status quo

On 10 June 2022, the UK Competition and Markets Authority (CMA) published its Final Report on its year-long market study into mobile ecosystems – namely mobile operating systems, app stores, and web browsers. The CMA found that Apple and Google have a tight grip over these increasingly crucial ecosystems, which in turn places them in a very powerful position. As a result, thousands of businesses which rely on these ecosystems to reach their users face restrictions and terms which they have little choice but to accept, while consumers are likely to miss out on new innovations, have less choice, and ultimately face higher prices. In response, the CMA has identified a wide range of potential interventions that could help unlock competition and protect millions of businesses and people.

Even so, ecosystem operators – and Apple in particular – have fiercely opposed any intervention on the part of the CMA, arguing that this would compromise user privacy, security, and safety. This is not the first (nor the last) time such arguments are raised – indeed, privacy and security considerations were among Apple’s chief defenses in recent antitrust litigation (see the Epic Games litigation in the US) and are likely to be relied upon by Apple in the future to resist compliance with ex ante regulation such as the EU Digital Markets Act.

It goes without saying that a platform operator such as an app store operator has a legitimate interest in setting (and enforcing) rules meant to ensure the quality of its platform, including rules on the products and services offered by business users to consumers through the platform. Platform governance (sometimes also referred to as ecosystem stewardship) is crucial to a platform’s success, in light of the strong indirect network externalities at play (if for example a platform gets infested with fraudsters, consumers’ trust in the platform will be compromised and consumers may start abandoning the platform, leading to a death spiral). Digital platforms thus often set rules aimed to protect the privacy, security, and online safety of their users.

In this context, the CMA accepts that ecosystem stewardship is essential and brings benefits for consumers and businesses. At the same time, the CMA rightly stresses there are clear risks that this rule-setting and oversight role oversteps the mark: “[w]here private companies such as Apple and Google adopt a quasi-regulatory role, for example in relation to data protection law, there are risks that these companies face conflicts of interests, as their own profit-driven incentives may not always be fully aligned with those of their users” (para. 7.9).

In its market study, the CMA did not hesitate to carefully examine Apple’s proffered privacy, security, and safety justifications, including by means of obtaining independent expert advice from a University Professor and a tech consultancy. The CMA found that many of the privacy and security risks flagged by Apple were likely to be overstated and not supported by the available evidence.

This is a significant blow for Apple and its strategy of relying on privacy, security, and safety as all-purpose justifications to defend problematic conduct. It also repudiates the narrative Apple has woven to resist intervention, whereby there is a binary choice and an inherent trade-off between enabling greater competition and protecting user privacy, security, and safety. These are not mutually exclusive objectives, and the evidence in the CMA Report clearly shows it is possible to increase competition while preserving user privacy, security, and safety. Considering the increasing frequency with which Apple (but also other digital platforms) invoke privacy and security to escape antitrust liability, the CMA’s evidence-based and balanced approach sets an important precedent for regulators across the world.

Against this background, this post discusses how the CMA has approached the various privacy, security, and safety arguments Apple has raised to justify its prima facie restrictive practices on its iOS mobile ecosystem. This is the case for at least the following restrictions and/or practices of Apple: restrictions in app distribution; restrictions in browser engines; restrictions in cloud gaming; restrictions in accessing the NFC chip; and the App Tracking Transparency framework.

Restrictions in app distribution: Apple does not allow alternative app stores or sideloading on iOS. The App Store is the only way to distribute native apps on iOS devices. The CMA considered that measures aimed at promoting competition in native app distribution (namely, allowing alternative app stores and sideloading on iOS) would have the potential to deliver a range of benefits, such as putting pressure on app stores to improve their services to attract users and improve their terms of access for developers, or allowing for the entry of specialist app stores (e.g., for gaming).

In response, Apple submitted that the envisaged interventions would fundamentally change the iPhone and have huge implications for consumers, whilst jeopardizing Apple’s holistic approach to security. Even so, the CMA is of the view that there appear to be several safeguards available that could enable greater competition in native app distribution without compromising the safety and security of users’ devices. The CMA’s understanding (informed by expert advice) is that security checks could be carried out by an approved reviewing party, such as the operating system owner or a certification body which digitally signs apps that have passed a review process. The CMA noted that the app review need not be tied to a specific app distribution channel. The CMA also referred to the notarization process on MacOS which scans apps for malicious content, and noted that the current app review process could be replicated for apps downloaded directly or through alternative app stores.

Restrictions in browser engines: Apple requires all browsers on iOS to use WebKit as their browser engine; browser vendors cannot make any adjustments to WebKit but have to rely on the engine already installed on iOS. Besides restricting competition between browsers (in the sense that their ability to differentiate themselves from Safari on factors such as speed and functionality is limited), the WebKit restriction is also likely to impede the adoption of web apps, as it limits their functionality (WebKit does not support important features related to web apps). The CMA noted that Apple benefits from the WebKit restriction, in that holding up the development of web apps limits the competitive constraint they may pose to the App Store.

In response, Apple submitted that the WebKit restriction is primarily motivated by security considerations; Apple said it has tightly integrated WebKit into iOS to protect users from malicious actors, providing key benefits including better distribution of security updates and security features leveraging technical integration with the operating system and hardware.

After considering the available evidence and obtaining expert advice, the CMA concluded that the WebKit restriction is unlikely to be justified by security concerns. According to the experts consulted by the CMA, all three main browser engines are very secure for the average user; Apple’s dedicated Safari sandbox and hardware-level security mitigation are not the only ways to secure a browser engine on Apple devices; and allowing Blink and Gecko to be used on iOS by dedicated browser apps is highly unlikely to materially worsen security. The CMA also provided evidence that Apple updates WebKit less frequently than Google updates Blink, and noted that Apple has no similar restriction on MacOS.

Restrictions in cloud gaming: The CMA found that Apple has obstructed the development of cloud gaming services on iOS, thus holding back potentially disruptive innovation. Under Apple’s Guidelines, an app providing access to a catalogue of games is not allowed on the App Store; each game must be individually submitted to the App Store so that it can be approved by Apple, has a product page, has user ratings and reviews, and can be managed with parental controls. Each game must be individually downloaded to the user’s device. This in turn limits the feasibility of developing cloud gaming apps on the App Store, and has pushed cloud gaming service providers to offer their services through web apps (in which case they are forced to offer a lower-quality service). The CMA found that the adoption of cloud gaming services on iOS has been much slower than on Android. Crucially, the CMA found that Apple has an incentive to obstruct the development of cloud gaming services, in that the latter (1) act as a distribution mechanism and may over time reduce users’ reliance on the App Store for discovering games (a key source of IAP revenue for Apple); and (2) may reduce the importance of premium hardware for users’ experience of gaming apps as well as reduce switching costs by offering platform-agnostic services, thereby threatening Apple’s device revenue.

Apple provided various justifications for its cloud gaming restrictions, including arguments about security, privacy, and user experience and expectations. It also tried to distinguish cloud gaming from other media streaming platforms based on the distinct nature of games (which are interactive). The CMA found that Apple’s proffered reasons did not provide a compelling justification:

  • The privacy and security protections for games distributed through the App Store could be replicated for games within cloud gaming apps – e.g., through a mixture of Apple applying them to the cloud gaming app as a whole and the cloud gaming service applying equivalent protections within their apps.
  • Contrary to Apple’s assertions, user and market research evidence suggests that users expect to be able to instantly access all of the games in a cloud gaming service, without having to download additional applications.
  • Other types of streaming content also demonstrate interactive features, e.g., Netflix, and Apple’s treatment of such apps provides a model for how it could allow cloud gaming apps on the App Store without compromising user safety or experience.
  • Google allows cloud gaming apps without any indication that this has compromised user safety.

Restrictions in accessing the NFC chip: NFC is a standards-based technology allowing two NFC-enabled devices to transfer information between them. Modern mobile devices have NFC chips, which among others allow the device to transmit data to be read by other NFC devices. This is known as card emulation, and allows the user to make mobile contactless payments. On iOS, Apple does not allow third party developers to use the NFC chip for card emulation; the only service that can do so is the Apple Wallet, which provides Apple with a decisive advantage over competing mobile wallets.

Apple justified its restriction on security grounds. The card emulation mode is often used for security sensitive functionalities, where the user may identify themselves using secure credentials. To guard against the risk of malicious actors getting hold of the credentials, these are stored in secure environments. In the case of iOS devices, the payment credentials are stored in a physical chip known as Secure Element (SE). When a user makes a payment, the credentials are transmitted directly to the payment terminal via the NFC chip, bypassing the rest of the device. An alternative approach (used on Android devices) is host-card emulation (HCE), whereby the payment credentials are stored on the server of the wallet provider. When a user makes a payment, these details are passed through the device to the payment terminal via NFC. Apple argued that allowing the use of HCE on iOS, or granting third parties access to SE, would increase the “attack surface” of iOS and give third parties the ability to compromise details stored in the SE.

The CMA noted it has not been able to comprehensively assess Apple’s justifications, but based on the evidence gathered, it considered that Apple has overstated the security risks of opening up NFC access, particularly through the use of HCE. Among others, the CMA relied on: (1) the fact that HCE is widely used in Android devices and has been accepted by the payments industry as offering a sufficient level of security (plus, there was no evidence there are higher fraud rates on Android); and (2) Apple’s inconsistency in arguing that HCE allows for sensitive details to be passed through the device, while at the same time arguing that rival mobile wallet providers can use Bluetooth for contactless payments, which similarly include sensitive details passing through the device.

App Tracking Transparency framework: App Tracking Transparency (ATT) is a privacy framework introduced by Apple in April 2021, which requires app developers wishing to access the iPhone’s advertising identifier (used to target and attribute app advertising) to show a specific prompt (the ATT prompt) asking users’ permission for the app to “track” them. The CMA (after engaging with the ICO) considers that ATT enhances user privacy and control, while improving compliance with privacy law by app developers. However, the CMA expressed the following concerns over the ATT framework.

First, the choice architecture for the ATT prompt – which Apple chose without conducting any user testing – may not maximise user comprehension and thus could unduly influence some users to opt out of data sharing. Among others, the framing of the prompt could result in limited user comprehension, while Apple bars developers from offering any incentives for users to opt in to sharing their data (which in principle is not unlawful under UK privacy legislation).

Second, the CMA is concerned that Apple is not applying the same standards to itself when it comes to seeking opt in from users for personalized advertising, in that it has introduced a Personalised Ads prompt employing a different choice architecture. While Apple has tried to draw a distinction between first-party and third-party data collection (arguing that it does not engage in “tracking”, as it only relies on first-party data), the CMA observed that Apple’s data processing activities for personalized advertising could be characterized as “tracking” as described in the ICO Commissioner’s Opinion on online advertising expectations.

The CMA considered that ATT has given Apple’s advertising services (which continue to grow very fast and are expected to reach $5.5 billion in 2022) a competitive advantage, and that this has likely contributed to Apple’s advertising revenue being higher than they would otherwise have been. In addition, the CMA is concerned that ATT may reinforce Apple’s market power in app distribution (by undermining app install ads as an alternative discovery channel) and cause developers to shift to monetization models where Apple charges a commission.

Photo by Dan Nelson on Unsplash

Leave a Reply