European Assault on American Tech Risks Cybersecurity Catastrophe
European negotiators announced recently they have reached a deal on the “Digital Markets Act” (DMA). The legislation in the European Union (EU) seeks to hit out at major tech companies and impose major regulations on the way they operate, with steep fines for any violations. The way the bill is crafted will be disastrous for consumers not just in the EU, but across the globe. It will also open up a plethora of security vulnerabilities, with sweeping consequences for smart devices everywhere.
First, this legislation is clearly crafted to unfairly target American tech innovators. The rules implemented by the DMA will only target so-called “gatekeeper” companies that have a market cap at or above 75 billion euros. Depending on how this is calculated and when it applies, it is likely that only one European company – SAP – will actually qualify to be regulated by DMA. Meanwhile, 27 American tech companies currently have a market cap above that arbitrary threshold.
DMA would impose a number of onerous regulations on tech companies that would severely disrupt their business model. It will force tech companies to allow sideloading of third-party apps. It will prohibit companies from preferencing their own products and services (which most would just consider good business). There is also a provision barring providers from combining data across multiple services. Lastly – and perhaps most concerning – the DMA will require interoperability for services like messaging apps.
These regulations would act as a backdoor tax on consumers across the globe. Such radical shifts in operations will come at great cost to these tech companies, whose products are used by billions. To offset those costs, prices will inevitably rise. Unfortunately, this price hike and these changes cannot be contained to just the EU, where the regulations were promulgated. They will impact smart devices and consumers everywhere, amounting to tax hikes and regulations from governments overseas.
Don’t believe it? The last time the EU passed major tech regulation, the General Data Protection Regulation, users across the world became subject to new “pop ups” on most websites.
Beyond the fiscal impact, the security ramifications are much worse. Forced sideloading eliminates the ability of smartphone providers like Apple and Google to properly vet software on their devices. This mandate allows potentially malicious actors nearly unfettered access to smart devices and user data. The barriers to entry these providers maintain are put in place not to harm competition, but to ensure the integrity of devices and consumer privacy. To presume such actions illegal will do lasting damage.
Similar issues arise when companies are prohibited from prioritizing their own services. Aside from the fact that proponents of the DMA have failed to adequately explain why any company would not choose its own products, a number of security issues accompany the prohibition. It will apply to security protocols and payment processing systems. Companies like Apple require app developers to use their payment processing system and go through their privacy screening. This is, again, to protect consumers. Making this a violation would open the door for hackers.
Combination of data is vital to ensure the security of digital devices, yet that too would be outlawed under DMA. Those who work to harden cybersecurity defenses require information. They need to scan the activity of potential attackers to find patterns for proactive security. Often, this requires the integration of other services – frequently provided by the companies in question themselves. This makes cybersecurity smarter and more efficient. Yet, under a DMA regime, it would be anywhere from difficult to impossible to run this type of interference.
Lastly, interoperability provisions in DMA not only require tech companies to share data with unvetted third parties, but they also require them to make it easy. It would force services like WhatsApp to integrate with smaller messaging platforms, even those that do not encrypt messages, exposing a bevy of users’ most personal data along with it. It would also require “free of charge” access to app stores and operating systems. Refusing to share data and services with potentially malicious actors should be a no-brainer for any tech company. Yet, the DMA would actually force the opposite, jeopardizing the private data of millions.
It is very clear DMA was drafted with personal, political considerations in mind, rather than the integrity of the cybersecurity of the developed world. It would have disastrous consequences that will echo for generations and benefit some of the more nefarious elements among us, from low-level criminals to hostile state actors.
Published on April 27, 2022