Last week, the Biden administration warned the American business community about the potential for Russian cyber attacks in the near future, citing intelligence that shows hackers linked to Russia are exploring the networks of American companies. The administration urged businesses to take every precaution to secure themselves from any attack. They also offered resources through the Cybersecurity and Infrastructure Security Agency (CISA) “Shields Up” program. However, while the administration demands private companies put shields up, its congressional allies are pushing legislation to make many such shields illegal.
The Open App Markets Act (OAMA), introduced by Sens. Richard Blumenthal (D-Conn.), Amy Klobuchar (D-Minn.), and Marsha Blackburn (R-Tenn.) would severely limit the ability for smart phone providers to determine which third party content and software developers get access to their devices. The bill requires companies like Apple and Google to allow expanded side loading on devices, giving developers an alternative to going through the usual app stores provided by said companies. Beyond that, OAMA requires these companies make side loading “readily accessible” to these third parties.
This accessibility requirement would undermine the ability for companies to put warnings and protections in place for their customers. These protections are in place to prevent users from having to unwillingly load unwanted software onto their smart devices. This goes further than the merely saying side loading must be available. For example, Google currently does allow some side loading on its Android devices. However, OAMA would force them not only to make it available, but to make it significantly easier for good and bad actors alike.
Bills like OAMA also ignore the fact that most protections for users from malware come through app store privacy policies, rather than controls that are inherent to the device itself. For example, Apple has App Store policies that prevent any app that wants access from being able to circumvent the iOS tracking controls. It is significantly more difficult, if not impossible for companies to protect their customers once a malicious actor has gained access to the device absent the screening in the app store.
Fears about side loading are unfortunately very real. Studies have shown that the vast majority of malware on Android devices come from side loading. Apple devices do not have similar issues because of their prohibition on side loading altogether. Legislative provisions that force companies like Apple to make side loading available and companies like Google to make it drastically easier will cause malware attacks to skyrocket across Americans’ smart devices. With more and more people becoming reliant on their smartphones to act as everything from their wallets to keys, this will leave more data vulnerable to attack than ever imaginable before.
For devices like Apple, software is aggressively compartmentalized. This means apps are only given access to a small sliver of the phone’s hard drive needed to operate. This is why, even if an iPhone is infected with ransomware or malware, the damage is very limited. However, Section 3(f) of OAMA requires that third parties be given the same access to iPhone features that Apple gives to their own software. This would tear down the walls that prevent malicious actors from accessing the whole data trove on a phone, because Apple services like iCloud and Restore require the whole hard drive to operate. Far from “shields up,” this would force shields down.
The digital age is often a confusing one. Outside viewers may look on and perceive unfairness. However, those who have worked tirelessly to develop this technology know that these very basic safeguards are in place to protect their products and their consumers. That is what antitrust enforcement should be about – protecting consumers. Unfortunately, OAMA does quite the opposite. It seeks to protect potential competitors at the expense of consumers, and benefitting malicious fraudsters along the way.
It is all well and good for lawmakers in Washington to wax poetic about how seriously they are taking the potential cyber threats to our nation. However, right now, actions do not match words. While they tell companies to erect barriers against adversaries, legislation is moving its way through the halls of Congress that would make the erection of such barriers impossible and illegal. Our business community and the American people deserve far better.
