Charles Edge

Apple, the EU's Digital Markets Act (DMA)



Concerned about a handful of “tech giants” who are often referred to as “gatekeepers” that control vast swathes of online activity, the European Union decided to take action, after years of rhetoric and legal squabbles, to limit their outsized influence and potential stifling of competition. The result was the Digital Markets Act (DMA), a landmark regulation aimed at creating a fairer and more contestable digital space.


The DMA was officially adopted in September 2022 and set out a rulebook for gatekeepers, defined as platforms meeting specific criteria, such as having a large user base and significant impact on the market. These platforms are subject to various obligations, including:


  • Interoperability: Allowing users to easily transfer data between platforms and use third-party services.

  • Fair ranking: Preventing self-preferencing and ensuring fair treatment of business users on the platform.

  • Transparency: Providing clear information on how algorithms work and why specific content is promoted.

  • Data sharing: Enabling access to certain data for smaller businesses under certain conditions.

  • Banning certain practices: Prohibiting self-preferencing, tying of different platform services, and unfair access conditions.


The DMA aims to promote competition, which means leveling the playing field for smaller businesses and startups by limiting the dominance of larger organizations. The supposition there is that by encouraging new entrants and fostering more dynamic digital ecosystems, the EU will boost innovation. Those who have worked at large, lumbering companies might agree. Those who have worked at functional organizations of any size might not. In short, people who think “all big companies suck” are gonna’ think that no matter what. By and large, they aren’t wrong, except use a regex to sub out all with most!


The DMA also aims to increase user choice and control by empowering users with more options and transparency regarding their data and online experience. They also seem to think that this protects customers by addressing concerns about unfair practices and ensuring a safer online environment. The way that the larger companies choose to implement the DMA really has more to do with whether this is true or not. There have been large platforms with decentralized app store options for a long time, and the end result is debatable, based on the perspective of users and what their expectations are when it comes to privacy and security of apps they find on these app stores.


Still, what’s in the DMA is substantial and will impact people who run platform-based App Stores (e.g. Apple, Google, Microsoft, etc.), end users who buy apps, and organizations that buy apps on behalf of their users. Some will need to adopt new business models and practices to comply with the new regulations. Smaller businesses could benefit from a more level playing field, potentially leading to increased innovation and competition. Or they might end up actually paying more, given that the large companies can’t then regulate cost. Users might see greater control over their data and more choices in terms of online services. Even if it’s potentially a less refined set of apps.


Let’s not go into the full DMA or rehash what others have written, let’s look at the following as a starting point:



The DMA's implementation and enforcement will pose challenges. Defining "gatekeeper" objectively, ensuring compliance, and addressing potential unintended consequences are just some of the hurdles. Additionally, the DMA's effectiveness will depend on its interaction with other regulations, like the Digital Services Act (DSA), which focuses on illegal content online. It’s also doubtful that the DMA will remain European-only. For example, South Korea is already doing something similar, and there are suits working their way through lower courts to force judicial interpretation that’s likely to be followed by regulatory guidance in the US.


At the heart of the regulations is an effort to tame the tech titans and usher in a new era of digital competition. This has happened in the US as well, but often with true monopolies, not necessarily with what could be construed as monopolies within a given ecosystem. Ma Bell, for example, controlled nearly all telephony in the US - not only did they regulate what could be plugged into a phone jack at a customer’s home, but they also owned the infrastructure, which they argued was why they imposed such limitations. IBM actually took anti-competitive action in the punch card and then the timesharing era, and the actions that the US government took to limit their progress basically forced them to divest their timesharing business, which in part led to re-inventing the company as a PC company in the early 1980s. But rather than be permanently dominant, the very same action also led IBM to implement language in their contracts that stated all suppliers were non-exclusive, which led to companies like Compaq and Dell taking the market away from them eventually.


No organization wants to be the poster child, like a US Steel was, for anti-monopolistic action. But again - they controlled entire markets, not market segments. Enter the DMA, and how Apple and other vendors have chosen to implement them. Let’s take Apple as the perfect case study, because like most things they do, they are as transparent as they can be (code is still being written to facilitate this stuff). Let’s start with a few articles that lay out different competing thoughts about Apple’s implementation of compliance to the DMA:



I usually don’t write about things above my paygrade like this, but as an engineer, some of these articles kinda’ bugged the crap out of me (and by kinda’ I mean totally). Basically this falls into a couple camps. Those who like Apple (Phil Schiller top of the list there) and those who don’t. But honestly, it’s a lot of spin, much of which isn’t impactful to any debate, and I’m pretty sure that very (very) few of the people talking have looked at StoreKit API documentation or could tell you what an entitlement is. Which is a good place to start when thinking about what an “alternative” app store means to Apple. A couple of links that explain Apple’s policies around access to the entitlement and for app developers:



This is most easily put into a few succinct bullet points:


  • Business stuff:

      • Alternative distribution will only be available in EU countries and South Korea for now (unlike a GDPR where every tech vendor started to comply with an EU directive really quickly).

      • Alternative app stores would need guidelines to distribute apps through the app store. Each has to build their own guidelines.

  • Technical bits:

      • Apps still go through notarization and apps still go through App Store Connect.

      • Apple can still revoke certificates for apps that violate things like privacy guidelines.

      • Stores host their own ipa bundle and distribute them. But Apple still signs them.

      • Apple has noted they will only revoke a certificate when evidence of malware or privacy violations occur.

      • Apple doesn’t allow cross-posting an app from their App Store to a third party app store (notice how I use case sensitivity in this sentence).

      • Developers still need a current Apple developer account.

      • It’s currently iOS only.

      • Users can install apps from both app stores.

      • Developers currently request framework access for alternative distribution, but can do so through the third parties as well - just not publish the “same” app - which is again a somewhat subjective thing. For example, is it sufficiently different to name the same app that compiles with almost identical symbols for each app store, or is there something like with copyright where a percentage difference is required? Guess time will tell based on the abuse of a system in most cases (why does my mind always go to how to abuse a system?).


There are also some unknowns here. I’ve asked for clarification and will update this article as I get that clarification:


  • Developers might or might not get feedback about whether or not an app has been blocked.

  • Volume Purchase Program support, what? And as an add to VPP, Managed Open-In for alternative purchases?

  • Will a developer need unique developer accounts for each service?


Now let’s look at a slightly more meta discussion. The gist is that Apple still controls what apps can actually be installed on an iOS device (arguably anyone can still make an .ipa and get apps on devices, but not for consumers). In other words, if the point of the DMA was to provide a framework to limit the control a “gatekeeper” can exert, the notarization and ability to control entitlement access is not in alignment. However, it’s also far, far too early for any potential third party app store to actually have sufficiently built out machine learning technology to actually spot apps that do what they shouldn’t or aren’t transparent about what they’re doing. So maybe this comes later, or maybe not.


If Apple is still the Gatekeeper (again with the intentional case sensitivity) then are they more of an Amazon Affiliate type of program, or Amazon as a reseller, or more pointedly, a Shopify, where anyone can set up a digital storefront and take payment themselves? Ultimately I’m an engineer and so when I look at something like this, I’m really just curious about whether the APIs exposed to me solve a temporary problem or get to the heart of an RFC or legislation or is technical debt. I suspect the Apple APIs are still being written, so a little bit of both. But isn’t that true for version 1 of any API? Maybe not those for ARKit (which is really well written).


I suspect that anyone that actually bothers to read my drivel will fall into one of two groups: fans of Apple, who will agree with any spin from Apple, and those who aren’t, who won’t dig what Apple’s done. Given that Microsoft has been moving to a self-contained, compiled distribution bundle for software with similar seatbelt architectures, it’s easy to imagine the signing architecture could be distributed to servers - but then wouldn’t those need to be allowed by a signing certificate or certificate enrollment or something that keeps those same rogue elements from occurring? Otherwise the world’s just an even more centralized and well documented set of macro-viruses than we had in the Code Red era… Because here’s the thing about spin as I called it earlier, there’s some truth in it, it’s just repositioning an argument. And Apple’s perspective comes from the fact that an entitlement that gives access to something like the endpoint protection framework can be incredibly dangerous in the wrong hands. And again, no third party store can have sufficient technology to find and eliminate threats effectively. But we should revisit this conversation when they’ve had sufficient time to do so, and maybe proven the business model isn’t just a fancy affiliate program.


No organization is going to do something that makes everyone happy all the time. But this is a safe foray into the tepid waters of alternative app stores from a company who famously removed expansion bays at a time in the early days of computing when doing so was sacrilege. And yet, it was exactly what pushed the desktop computing world beyond just the hands of the hobbyist market.
