콘텐츠로 이동
The App Fair Project
문서 블로그

Blog

Apple DMA Compliance Workshop

- 6 min read - 1093 words

Update: The video for the workshop has been made available at https://webcast.ec.europa.eu/compliance-with-the-dma-apple-2024-03-18. I’ve updated the blog post with timecodes for each of the questions and answers listed herein.

On March 18th I attended an EC-hosted workshop1 in Brussels on Apple’s compliance measures for the Digital Markets Act. It was a grueling 8-hour affair in a hot windowless room. There were around 75 attendees by my count, from a wide cross-section of organizations, few of whom seemed to feel that Apple was upholding the letter and spirit of the law in their compliance efforts.

Apple’s team of three, headed by Kyle Andeer (formerly an FTC trial lawyer), gamely managed to fend off the barrage, mostly by appealing to Apple’s paramount respect for “user security, privacy and safety” over and over again. The questions tended to be hostile and self-serving, and the responses tended to be vacuous, non-committal, and lacking any technical substance. In short, it went as one might expect.

Questioners were selected randomly from the attendees (both in-person and online). I managed to get two in. Following are my questions and their responses (pulled out of a whisper-generated transcript from the video, which can be accessed here).

Question (Marc Prud’hommeaux, the App Fair Project) [12:25:41] (transcript link):

Section titled “Question (Marc Prud’hommeaux, the App Fair Project) [12:25:41] (transcript link ↗):”

Hi, my name is Marc Prud’hommeaux, and I’m here representing the nonprofit App Fair Project, which is building an app marketplace to create and distribute free and open source apps as non-commercial digital public goods.

To be approved for an iPhone app marketplace entitlement, Apple is currently requiring that an organization, either 1: have been an Apple developer program member for two years and have an app that has been downloaded one million times in the EU in the previous year.

We’ve been a developer program member since April of 2022, but it’s impossible for us to satisfy the download count requirement because the web browser app that we submitted that year was rejected by Apple.

Option number 2: provide a one million euro standby letter of credit from an A-rated institution as has been discussed.

That number presents a discriminatory and insurmountable barrier to a nonprofit organization such as ours.

I’ve requested an exemption from our Apple representative and was denied.

My question is, since nonprofit organizations are exempt from the core technology fee, what is the rationale for requiring any letter of credit at all?

And what is the objective fairness and reasonableness standard that prevents Apple from increasing that number to 10 million euros or 100 million euros or some arbitrarily high amount that would effectively exclude all alternative app marketplaces at some point in the future?

Answer (Kyle Andeer, Apple Vice President of Products and Regulatory Law) [12:33:24] (transcript link):

Section titled “Answer (Kyle Andeer, Apple Vice President of Products and Regulatory Law) [12:33:24] (transcript link ↗):”

Again, when we think about alternative marketplaces and this was something we thought about for a long period of time, we wanted to assure that we had credible and accountable operators of stores and we want to have a single set of objective criteria.

We did not want to have special deals.

We did not want to have special assessments because as soon as you do that, you open yourself up to charges of discrimination.

And so what we focused on was what is a set of criteria that we could apply to make sure that the operators of these stores were credible and accountable and responsible.

And those were the two criteria that we established in addition to some of the other things I talked about, which is the other commitments, whether it’s engaged and ongoing monitoring of fraud to comply with laws like the DSA or the GDPR to publishing transparent data collection policies.

All these other things are important, but at the end of the day, if you don’t have an accountable and responsible operator, then those things mean nothing.

And so what we tried to do, and again, I think I answered this in response to an earlier question, we looked to find criteria that would allow us to have some confidence that the operator is someone we can trust to operate a store in the best interest of our users.

There may be others, and so we welcome feedback about what other criteria could we use to accomplish the goal that we’ve set out.

So we’re going to continue and see how things emerge.

Clearly, it hasn’t been an issue for a number of different developers, some of which we’ve heard from today, some of which we know are out there in terms of being able to secure the line of credit to allow them to enter this program.

Question (Marc Prud’hommeaux, the App Fair Project) [16:04:26] (transcript link):

Section titled “Question (Marc Prud’hommeaux, the App Fair Project) [16:04:26] (transcript link ↗):”

Hi, Marc Prud’hommeaux from the App Fair Project.

The specific apps that people install and run, including where and when they launch them, can be considered sensitive information when it comes to political and social activity, women’s health and free speech.

Does Apple track personally identifiable information about which apps are installed from third-party marketplaces and where and when they are when the apps are launched?

If so, Apple may be compelled to disclose this information to any of the various legal jurisdictions they operate in.

This could jeopardize vulnerable users.

Will this app installation launch activity still be reported to Apple, even when they opt out of sharing analytics with Apple?

Answer (Gary Davis, Apple Data Protection Officer) [16:08:24] (transcript link):

Section titled “Answer (Gary Davis, Apple Data Protection Officer) [16:08:24] (transcript link ↗):”

In that instance, I’m going to somewhat highlight Apple track record in relation to responding to requests from law enforcement where we consider that the requests are disproportionate or inappropriate and clearly in such circumstances we have shown that we will raise questions about those requests and where appropriate pushback.

Obviously, if a request is lawful and is proportionate, we do our best to assist law enforcement in those circumstances.

Where we do have personal data associated with the download of an app, it is simply the download of an app.

It doesn’t indicate anything about usage.

We do not collect any information about your individual usage of an app in a personally identifiable way.

Some will come from analytics that is shared with developers, but that’s across the population of users, not individual users.

And the same installed information that we have from the App Store will be available for app marketplace downloads as well.

Footnotes

Section titled “Footnotes”

  1. https://digital-markets-act.ec.europa.eu/events-poolpage/apple-dma-compliance-workshop-2024-03-18_en

App Fair Retrospective, 2023

- 4 min read - 653 words

2023 was the first full year of the App Fair Project’s existence. This post looks back on the year, and towards 2024.

The mission of the App Fair Project — as conceived in the Spring of 2022 — is to nurture and distribute global digital public goods in the form of mobile applications. In other words, we will make free and useful apps, and we will make them global.

“Global” is meant both in consumer terms (apps will be translated and localized for many languages and regions) as well as in hardware terms (apps will be universally available for both iPhone and Android devices: 99% of all smartphones). An App Fair app aims to reach the entire global community of smartphone users, regardless of language, device, or region: a market that encompasses over 75% of the world’s population.1

The year 2023 was spent laying the technological foundations to support the project. We now have the beginnings of a development pipeline to create and contribute apps, and to build and submit those projects – via the App Fair organization – to both the Apple App Store and the Google Play Store. We have shipped a single app through to production on the App Store, and another as a beta to the Play Store. This has served as a proof of concept for us, and we envision this pipeline evolving to support all aspects of the app submission and distribution process.

In 2024 we intend to complete these workflows, to the point where independent projects can start contributing their own apps through the project. This will allow app projects to release their apps through to Android devices that run the Google Play Store and iOS devices that use the Apple App Store. However, this does not cover all the devices: there are numerous Android distributions provided by other organizations, such as Amazon, LineageOS, and most Chinese smartphone vendors, that do not use the Google Play store.

In order to support 100% of the available devices, we will be releasing our own universal “App Store” for both iOS and Android: the App Fair app. This app will be available everywhere, and will act as a transparent and unbiased directory of App Fair projects. It will provide a unified interface for finding, downloading, installing, and updating App Fair apps, but it will be unencumbered by advertisements, tracking or other analytics. The App Fair app will be — like all our other projects — 100% free and open-source software.

Android already has the sufficient technological capabilities to support this sort of app-store app, which is already being utilized by other free software projects such as F-Droid. And while there has historically been no equivalent support for this on the iPhone side, they recently added a new ManagedAppDistribution2 framework to support this as required by the Digital Markets Act (DMA)3. We have taken the first steps to obtain the necessary approvals and entitlements from Apple to utilize this framework. We will be writing articles and technical posts on the process once we have been granted these entitlements, in order assist with other similar projects who may want to create their own app store.

Our goal is to provide a free and ubiquitous source of apps that smartphone users can trust and rely on for everyday needs. App Fair apps will contain no advertisements, no in-app purchases, analytics, or other dark patterns. Contributors to these projects can be confident that their efforts will be available to everyone in the world, in perpetuity.

2024 will be an exciting year for the App Fair. Please follow this blog for progress and updates.

Footnotes

Section titled “Footnotes”

  1. 75.05% as of 2020 according to https://www.statista.com/topics/840/smartphones/#topicOverview

  2. Apple developer documentation: “Provide a consistent app presentation in your organization’s app store” https://developer.apple.com/documentation/managedappdistribution/fetching-and-displaying-managed-apps

  3. Compliance principles for the Digital Markets Act: https://www.bruegel.org/policy-brief/compliance-principles-digital-markets-act

A Future for iPhone App Stores, Part I

- 4 min read - 752 words

With the announcement of the official Gatekeeper designations under the Digital Markets Act, iPhone owners will soon regain the ability to install apps from outside the confines of a single App Store. This capability has been blocked by the platform for years, requiring that owners of an iPhone obtain their software exclusively through a single platform-locked App Store, whose terms and conditions dictate the types of software that can be distributed, and whose rules demand a percentage of all digital commerce transacted through the apps listed therein.

App Store tariffs and regulations have diminished the range and quality of software available to iPhone owners. They are the reason you cannot browse and purchase books from within the Kindle app, and why the massively popular game Fortnite was disappeared from the entire iOS marketplace in August 2020. Furthermore, a gag rule imposed on app developers forbids them from mentioning other avenues of commerce. The Spotify music app’s [Premium] tab intimates this with a lone pithy statement: “You can’t upgrade to Premium in the app. We know, it’s not ideal.”

But by March of 2024 – the date that gatekeepers must be in full compliance and good standing with the rules of the DMA – joyous gamers will again be able to show off their Fortnite dance mojo from the comfort of their iPhones. Consumers will likely be able to browse and buy books from within the Kindle app, purchase a music subscription from within the Spotify app, and pay for goods and services using their preferred digital payment service provider rather than having one imposed by their device’s operating system. And the door will finally be open for truly free software to compete on a level playing field alongside commercial vendors.

Lest a gatekeeping entity be tempted to simply ignore these new regulations, or take a creatively self-preferencing interpretation of the provisions, the penalties for violations are hair-raisingly severe: between 4% and 20% of the designated gatekeeper’s total annual turnover. With a quarter-trillion dollars of revenue at stake, and under vigilant public scrutiny, we can expect very careful adherence to the letter of the legislation.

What does compliance look like, exactly? For everyday iPhone users, how will you find and install independently-distributed apps? Will they be listed in a separate section of the “App Store” app, or will they have their own separate app management apps? Or will you need to download apps individually using a web browser? If so, how will app updates be handled? And what about security and privacy and malware and curation and content moderation?

As for the creators of these apps, companies and individuals alike, what will change for them? Can they distribute their apps in multiple marketplaces simultaneously? And which system APIs (“Application Programming Interfaces”, the dialects that software components use to communicate with each other and with their host operating system) will be available to developers of independently-distributed apps? Will these apps need to be digitally signed, and if so, who is the signing authority and what standards must these signatures adhere to? Will the prevailing system of special app “entitlements” persist, and if so, who grants these entitlements to supplicants, and what appeal process is available to rejectees? And what about oversight and taxes and piracy and local regulatory compliance?

There are many outstanding questions, and no concrete answers at this time. The picture will clarify itself in the coming weeks and months, as iOS is updated to remove its blocks on installing third-party applications. In addition, the third party app marketplace vendors and aspirants will need official published documentation on the MobileInstallation framework APIs that are used by iOS to install and update applications. All of this will need to be available well in advance of the March 6 deadline, as the initial attempts at compliance are likely to be found lacking.

This is the first part in a series leading up to March 6, 2024 that will discuss the changing landscape of mobile software marketplaces, with a focus on free software and digital public goods. My name is Marc Prud’hommeaux and I’ve been programming computers for 40 years. I’ve written all manner of apps, great and small, for the iPhone App Store since its inception in 2008, and before. I recently created the App Fair Project to nurture and maintain truly free software for the devices people use everyday. You can reach me at marc@appfair.org.

Comments and discussion for this article can be found at Hacker News.