Reining in the Gatekeepers and Opening the Door to Security Risks

The European Union’s (EU’s) regulatory offensive against the world’s largest digital platforms, from Amazon and Apple to Meta and Microsoft, is designed to increase competition on the Internet. Its new Digital Markets Act (DMA) prohibits these designated “gatekeepers” from sharing data among their various divisions while requiring them to share data with users, businesses, and competitors.¹

In practical terms, the DMA means Amazon must stop favoring its own goods over those from independent vendors, Apple must unlock its App Store, and Google must no longer collect data from Maps and YouTube and combine it with Google Search data without users’ specific consent. Meta must allow its WhatsApp messaging service to accept calls from competitors such as Signal and Telegram. Microsoft might be forced to end tying to the Microsoft 365 Office bundle. Violators face penalties of up to 20% of their global revenue for repeated violations. “We are putting an end to the so-called Wild West dominating our information space,” vowed Thierry Breton, the EU commissioner in charge of enforcing the new rules.²

Although these changes seem justified by conventional antitrust analysis, the DMA has been enacted without proper consideration of the danger of malign entities leveraging the regulation to wage economic or, even worse, military cyberwarfare. In this paper, I analyze the potential security challenges stemming from opening up digital platforms and forcing data sharing. When gatekeepers’ messaging apps are obliged to allow their subscribers to receive calls from other messaging apps, end-to-end encryption could be jeopardized. When gatekeepers’ app stores are forced to weaken the vetting of their developers, it threatens not just our privacy, but also our protection from both private and state-operated hackers.

The landmark regulation fails to address the risk of geopolitical conflict. It falls disproportionately on Silicon Valley, while sparing and perhaps benefiting Russian, and most dangerous of all, Chinese tech giants.

The Digital Markets Act and the Gatekeepers

The DMA applies to large platforms identified as “gatekeepers.” These companies, owing to their size and their importance as gateways for business users to reach customers, play an essential role on the Internet.

The market value, number of users, and turnover thresholds to designate gatekeepers are set high — a market value of more than €75 billion or a core platform counting 45 million European users or European turnover of €7.5 billion over the past three years.¹ Only a few companies fall within the scope. In theory, the nationality of the gatekeepers is irrelevant. In practice, almost all those targeted are US-based platforms, including Google, Amazon, Apple, and Meta.³ As we will see, this emphasis on US companies is dangerous.

Dangerous Data Sharing

Among the many new obligations facing the gatekeepers, perhaps the most dangerous is data access. In Article 6 (10), the DMA stipulates that a gatekeeper must “provide business users and third parties authorised by a business user, at their request, free of charge, with effective, high-quality, continuous and real-time access to, and use of, aggregated and non-aggregated data, including personal data, that is provided for or generated in the context of” the business user’s sale of products and provision of services. Article 6 (11) states the act targets search engines: “The gatekeeper shall provide to any third-party undertaking providing online search engines, at its request, with access on fair, reasonable and non-discriminatory terms to ranking, query, click and view data in relation to free and paid search generated by end users on its online search engines.”

These mouthfuls translate into stiff demands and prohibitions: gatekeepers are required to share access to commercial data generated on their platforms with “business users.”⁴ Google will be forced to share European search queries with rivals that include Russia’s Yandex or China’s Alibaba.⁵ At the same time, the gatekeepers are not generally allowed to make use of the same data in competition with the business user, nor are they allowed to bundle it with other personal data generated elsewhere in their ecosystem unless they receive consent from users.

Competitors and business users are supposed to benefit. They have the right to obtain all data, including aggregated data, that is generated by the users’ activities on the gatekeeper platform. According to the act, “business user” refers to any natural or legal person acting in a commercial or professional capacity, who uses the core platform services while providing goods or services to end users.

This definition is broad. It includes small firms making use of platforms to boost their business. No exemption exists to exclude companies or even governments originating from unfriendly jurisdictions. Both Russian and Chinese firms would be able to make use of the data access rule to obtain data from the gatekeepers.

This is dangerous. Under a veil of extracting and gaining data from platforms, a malicious actor could create a service to scoop up data from users. The malicious actor might use the brand name of the platform to gain credibility. Authoritarian countries have the means to do this on a large scale.

Companies originating in the EU or the United States do not have a corresponding right to access data from Chinese platforms such as Alibaba or Tencent or from Russia’s Yandex search engine under Chinese or Russian law. While business users make use of US platforms in Europe, they may gain access to valuable user data that could give them a competitive edge.

Consider a few concrete examples. If Amazon’s Alexa or Amazon’s cloud are declared a gatekeeper service, voice assistants from competitors such as Huawei’s Celia to Telefonica’s Aura might be able to access data stored on them. Or consider cars. Apple and Android car systems generate reams of driving data. If declared gatekeeper services, they could be forced to share this information with other business users. Malign actors — even enemy armies — might be able to procure real-time information on traffic flows and automobile movements.

App Stores

Apple and Google control access to almost all of the world’s mobile phones through their iOS and Android software, respectively. Both run app stores on top of these platforms. Three quarters of Android and iOS apps already suffer security vulnerabilities, according to a report by enterprise security company Positive Technologies.⁶ Vulnerable storage of app data could allow hackers access to sensitive data such as passwords, financial details, personal data, and communications.

Apps send data to a server, which is hosted by a developer. Few protections exist to protect data stored by such a third party. Apple makes a particular point of emphasizing security for its App Store, saying that it “provides layers of protection to help ensure that apps are free of known malware.”⁷ Thousands of developers “deliver hundreds of thousands of apps for iOS, iPadOS, and macOS—all without impacting system integrity. And users can access these apps on their Apple devices without undue fear of viruses, malware, or unauthorized attacks.” 

While the app stores are insecure, the DMA could accentuate these already dangerous vulnerabilities. As gatekeeper services, Google and Apple could be forced to accept requirements to ease ”sideloading,” the ability of third-party application developers to upload onto the app stores without their approval. Even though this may increase competition, Apple has criticized the DMA for compromising its safeguards, saying the law “will create unnecessary privacy and security vulnerabilities.”⁸

Google faces similar challenges to ensure Android’s security. Although more vulnerabilities were found in Android than iOS apps, the Positive Technologies report states that “this difference is insignificant, and the overall security level of mobile application clients for Android and iOS is roughly the same.” Vulnerabilities classified as “high risk” were identified in 38% of iOS apps and 43% of Android apps.⁹

App store vulnerabilities present potential national security risks that should have been taken into consideration in the DMA. This oversight is not limited to the DMA, it can be spotted in other European regulations as well. While European regulations all are reviewed for their impact on climate and privacy, former Estonian President Toomas Hendrik Ilves worries that “when it comes to security, there’s no review of legislation, which is a fundamental flaw.”¹⁰ He criticizes regulators for going “after Apple” for vetting and blocking apps uploaded to iPhones that can be “used for surveillance.” He said: “We cannot allow apps that help foreign entities listen to your conversations, or even shut down your electricity grid.”

Messaging Apps

Messaging apps such Microsoft’s Skype, Meta’s WhatsApp and Messenger, and Apple’s iMessage face stiff security challenges too. The DMA requires messaging apps owned by these gatekeepers to offer users of rival services like Signal or Telegram the ability to send and receive messages.

The goal is to promote competition. At present, it is difficult for users to move away from a service because they lose access to their friends who stay behind. Interoperability offers new services a chance to compete — offering new features and stimulating innovation.

But there’s a hitch.

Many popular messaging services are end-to-end encrypted.¹¹ Although the DMA says encryption should be maintained, many experts believe interoperability requires breaking this encryption. In addition, there is a timeline for finding a technical solution. According to the DMA, the services will be required to make “end-to-end text messaging,” including various kinds of media attachments, interoperable on request by a competing service within three months of a request.¹²) Group texts will need to be interoperable in two years, and voice and video calls in four years.

These could prove to be tight timelines. Meta announced plans to interconnect WhatsApp with Messenger in March 2019; this project remains unfinished.¹³ And that is within the same company, not with competitors.

Upstart messaging apps that would be interested in obtaining access to the gatekeeper’s massive subscriber pool are wary because consumers demand encryption on privacy grounds. Groups such as the Electronic Frontier Foundation worry about the threat to human rights, saying encryption is “critical to protecting human rights defenders who depend upon strong security while opposing or exposing abuses in dangerous environments.”¹⁴

Russia’s invasion of Ukraine underlines the importance of messaging apps. The Ukrainian government has depended on these apps to communicate with its citizens safely and securely.¹⁵ Its soldiers depend on them for communicating with their superiors. If Russian or Chinese messaging apps can demand interoperability, they could endanger these crucial tools.

Policy Recommendations

Security should not be used as a smokescreen to protect anticompetitive behavior. Yet the DMA was enacted without taking adequate account of security.

The European Commission is the main designated enforcer of the DMA. In exceptional circumstances, under Article 10 of the act, it could and should exempt specific platforms on the grounds of public security, judging that the cost to society of enforcing the data access obligation would be disproportionate to the potential benefit.¹⁶ Whether the exemption can be used with the speed and flexibility needed in today’s cyber environment remains unclear.

On interoperability, the European Commission should strengthen the security-protective exception for encrypted messaging. It should prohibit any messaging service that “breaks the promise of end-to-end encryption through any means—including by scanning messages in the client-side app or adding ‘ghost’ participants to chats” from being able to “demand interoperability,” says the Electronic Frontier Foundation.¹⁷

Above all, the European Commission should allow gatekeepers to raise security justifications based on system integrity — even where the DMA does not explicitly allow it. If it is impossible to make encrypted messaging interoperable in the timeframe demanded by the DMA, the commission should initiate a European standards-setting and governance process to solve the issue.

There is a way to accomplish this goal — an express proportionality safeguard. A proportionality safeguard would allow companies to justify their conduct based on security, if they can.¹⁸ In particular, a gatekeeper should be allowed to protect the legitimate security interests of its services, including system integrity. Including such a clause would improve the legitimacy of the DMA, be consistent with fundamental principles of proportionality under EU law, and come with no material downsides for effective enforcement.

Gatekeepers need to retain tools to protect security in their app stores, on their messaging apps, and in their obligations to share data while opening up for competition. The DMA says that the gatekeeper can take “duly justified” and “strictly necessary and proportionate” measures to ensure the preservation of security. As the regulation’s enforcer, the European Commission should not accept every request from the gatekeepers to delay. But it should be careful before dismissing legitimate claims.

Björn Lundqvist is a nonresident senior fellow with the Center for European Policy Analysis (CEPA). He is a professor of law in the Department of Law at Stockholm University, the head of the EU Law Research Group, director of the European Law Institute, and director of Ascola Nordic.

1. “The Digital Markets Act: Ensuring Fair and Open Digital Markets,” European Commission, October 12, 2022, https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age/digital-markets-act-ensuring-fair-and-open-digital-markets_en. [↩] [↩]
2. Adam Satariano, “E.U. Takes Aim at Big Tech’s Power with Landmark Digital Act,” The New York Times (The New York Times, March 24, 2022), https://www.nytimes.com/2022/03/24/technology/eu-regulation-apple-meta-google.html. [↩]
3. Samuel Stolton, “US Pushes to Change EU’s Digital Gatekeeper Rules,” POLITICO (POLITICO, January 31, 2022), https://www.politico.eu/article/us-government-in-bid-to-change-eu-digital-markets-act/. [↩]
4. The European Commission, “Digital Markets Act: Rules for Digital Gatekeepers to Ensure Open Markets Enter Into Force” (Press Release, Brussels, 2022). https://ec.europa.eu/commission/presscorner/detail/en/IP_22_6423 [↩]
5. “Digital Markets Act: Rules for Digital Gatekeepers to Ensure Open Markets Enter into Force,” European Commission Press Corner (European Commission, October 31, 2022), https://ec.europa.eu/commission/presscorner/detail/en/IP_22_6423. [↩]
6. “Vulnerabilities and threats in mobile applications, 2019,” Positive Technologies, June 19, 2019, https://www.ptsecurity.com/ww-en/analytics/mobile-application-security-threats-and-vulnerabilities-2019/ [↩]
7. “App security overview,” Apple Platform Security (Apple, May 13, 2022), https://support.apple.com/guide/security/app-security-overview-sec35dd877d0/web [↩]
8. Sophie Mellor, “Apple and Google criticize the new EU Digital Markets Act that will radically change the way they have operated for the past 20 years,” Fortune.com, (Yahoo!, March 25, 2022), https://www.yahoo.com/now/apple-google-criticize-eu-digital-192134850.html [↩]
9. Vulnerabilities and threats in mobile applications, 2019,” Positive Technologies. [↩]
10. Bill Echikson and President Toomas Hendrik Ilves, “Missing in Europe’s Tech Regulations – Security,” Bandwidth (Center for European Policy Analysis, October 5, 2022), https://cepa.org/article/missing-in-europes-tech-regulations-security/. [↩]
11. Bojan Jovanovic, “What is End-To-End Encryption,” DataProt, January 20, 2023, https://dataprot.net/articles/what-is-end-to-end-encryption/. [↩]
12. Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act [↩]
13. Gennie Gebhart, “A Privacy-Focused Facebook? We’ll Believe It When We See It.,” Electronic Frontier Foundation (EFF, March 10, 2022), https://www.eff.org/deeplinks/2019/03/privacy-focused-facebook-well-believe-it-when-we-see-it. [↩]
14. Andrew Crocker Mitch Stoltz, “The EU Digital Markets Act’s Interoperability Rule Addresses an Important Need, but Raises Difficult Security Problems for Encrypted Messaging,” Electronic Frontier Foundation (EFF, June 3, 2022), https://www.eff.org/deeplinks/2022/04/eu-digital-markets-acts-interoperability-rule-addresses-important-need-raises. [↩]
15. Elad Natanson, “How Encrypted Messaging Apps Have Become a Vital Tool for Surviving Warfare,” Forbes (Forbes Magazine, April 14, 2022), https://www.forbes.com/sites/eladnatanson/2022/04/13/how-encrypted-messaging-apps-have-become-a-vital-tool-for-surviving-warfare/?sh=4a42c17a106b. [↩]
16. “Lex – 32022R1925 – En – EUR-Lex; Article 10: Exemption,” EUR-Lex (Official Journal of the European Union, September 14, 2022), https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R1925#:~:text=of%20this%20Regulation.-,Article%C2%A010,-Exemption%20for%20grounds [↩]
17. Mitch Stoltz and Andrew Crocker, “The EU Digital Markets Act’s Interoperability Rule Addresses an Important Need, but Raises Difficult Security Problems for Encrypted Messaging,” Electronic Frontier Foundation (EFF, June 3, 2022), https://www.eff.org/deeplinks/2022/04/eu-digital-markets-acts-interoperability-rule-addresses-important-need-raises. [↩]
18. Maurits Dolmans, Henry Mostyn, Emmi Kuivalainen, “Rigid Justice is Injustice: The EU’s Digital Markets Act Should Include An Express Proportionality Safeguard,” Ondernemingsrecht issue 2-2022, (SSRN, December 10, 2021), https://ssrn.com/abstract=3985562. [↩]