Comment by zoobab

15 days ago

I contacted the European Commission DMA team on this gross abuse of power (Google just followed Apple in this regard, who reacted to the DMA by coming out with this notarization of developers), here is their flaky answer:

"Dear citizen,

Thank you for contacting us and sharing your concerns regarding the impact of Google’s plans to introduce a developer verification process on Android. We appreciate that you have chosen to contact us, as we welcome feedback from interested parties.

As you may be aware, the Digital Markets Act (‘DMA’) obliges gatekeepers like Google to effectively allow the distribution of apps on their operating system through third party app stores or the web. At the same time, the DMA also permits Google to introduce strictly necessary and proportionate measures to ensure that third-party software apps or app stores do not endanger the integrity of the hardware or operating system or to enable end users to effectively protect security.

We have taken note of your concerns and, while we cannot comment on ongoing dialogue with gatekeepers, these considerations will form part of our assessment going forward.

Kind regards, The DMA Team"

The DMA is in fact cementing their duopoly power, the opposite of the objective of the law.

Post author here. I've also been in various DMA enforcement workshops and consulted with EU regulators on the topic of app distribution. The "strictly necessary and proportionate measures to … not endanger the integrity of the hardware or operating system" defense comes up time and time again, and is clearly a primary talking point for those lobbying against effective enforcement.

From a developer's perspective, this stipulation is obviously intended to ensure that the existing on-device protections (sandboxing, entitlement enforcement, signature checks, etc) are not permitted to be circumvented by third-party app stores. But the anti-DMA brigades have twisted their interpretation to imply that gatekeepers are permitted to ... keep on gatekeeping.

Apple still requires that all software be funneled through its app review (they call it "notarization", but it is the exact same thing as review: developer fees and T's&C's, arbitrary review delays, blocking apps based on policy, etc.) before it is signed, encrypted, and re-distributed to third party marketplaces like AltStore. And now Google is going to introduce its own new gatekeeping for all software on Android-certified devices, which covers 95%+ of all Android devices outside of China.

The lack of alarm has been, for me, quite alarming. Every piece of software installed on billions of mobile devices around the world is going to be gate-kept by two US companies headquartered 10 miles away from each other and with increasingly authoritarian-friendly leadership.

If you have an Android device, install F-Droid today and make it be known that you won't give up your right to free software without a fight.

  • Telling users that your platform will allow them to run any software they like so you can quickly gain market share, only to break your word after driving competing platforms out of the market is fraud.

    I'm pretty sure fraudulent marketing is still illegal.

    • I agree. But I can hear the defense:

      > Telling users that your platform will allow them to run any software they like

      That is mere puffery, no reasonable person could believe it....

  • What are your thoughts as obviously someone with deep knowledge of the ecosystems at play on the various parental control laws that are going into effect in the US?

    The one in Utah that was already signed and the one in California plus the looming federal bill? The ones that make app stores verify kids' ages and request permission from parents?

    How is F-Droid planning on tackling this?

I think your take is a bit unbalanced

1. You cannot expect a public body to take a legal conclusion with significant financial impact on the basis of a single citizen report or in reply to that report. This takes analysis, technical and legal work, etc. So your expectation that they respond to your message with something akin to "of course, you provide evidence of a breach. I, the single case officer responding, confirm the facts are true. Thanks for telling us we will now fine them 5 billion" is a bit unreasonable.

2. I don't see how even inadequate application and a non-committal response leads to the conclusion that this is intended to (or even just allows) to entrench the Android/iOS duopoly.

  • > You cannot expect a public body to take a legal conclusion with significant financial impact on the basis of a single citizen report or in reply to that report. This takes analysis, technical and legal work, etc. So your expectation that they respond to your message with something akin to "of course, you provide evidence of a breach. I, the single case officer responding, confirm the facts are true. Thanks for telling us we will now fine them 5 billion" is a bit unreasonable.

    Both judging or supporting are conclusions. The message is more supporting than necessarily required and that also can have a significant financial impact. If there is even some unclarity, they should just state that they are investigating it, while noting that DMA may allow this. Otherwise this creates foothold for Google, which is not fair either.

    • > We have taken note of your concerns and, while we cannot comment on ongoing dialogue with gatekeepers, these considerations will form part of our assessment going forward.

  • Regarding (1): I don't see why you cannot expect it. If the matter at hand is significant enough, all it should take is a single person spreading the awareness of something going terribly wrong, like in this case.

    I find it rather infuriating, to get treated like a low rightless peasant, as if to say: "How dare you speak to us above?"

    It is the difference between people doing their job and being transparent about it. An answer like: "Thank you for reporting, we currently are already looking into this and are taking your report seriously. Please note, that drawing legal conclusions takes time, but that we will keep you updated, when we reach a conclusion." would already be great. To know, that one didn't just waste one's time, but that actually people there hear and look into things.

    That is, assuming, that there actually is something significant at hand. If it's rubbish, then no need to get processes started.

That's not actually what the reply said, it was extremely noncommittal as you'd expect. If you contacted one of your MEPs they might have a stronger opinion they'd want to promote, but the DMA team are just not going to render judgement based on one email.

But my initial reading of F-Droid's explanation was "hang on, Google are going to get slammed for the same thing Apple got slammed for" so I hope they do come to the same conclusion and do it quickly, before F-Droid is entirely dead.

Maybe that's Google's intention - that the time lag on enforcement is going to be long enough that they achieve half the goal anyway.

  • > that the time lag on enforcement is going to be long enough that they achieve half the goal anyway.

    This is the primary legal strategy of (1) tobacco companies, (2) investment banks pushing risky products to unknowing customers, and (3) big oil&gas' environmental policy. Regarding EU DMA laws, I feel that Apple and Google are pursuing the same strategy.

Not a lawyer, but seems to me the term "strictly necessary and proportionate" is doing a lot of work here.

I could imagine lobbyists have been trying to do a classic motte-and-bailey there, painting the picture of some poor granny whose phone is instantly taken over by a malicious third party app, because without Google's loving oversight, every dodgy candy crush clone would of course immediately get root and bootloader access.

So they managed to get in a "common sense" exception, which they're now trying to use for things that are entirely not common sense.

At least I would find it hard to argue that a measure is "strictly necessary" to ensure the "integrity of the hardware or operating system" if everything has been working without problems for decades without this measure.

> The DMA is in fact cementing their duopoly power, the opposite of the objective of the law.

Power centralization is a key component of control and we live in times of unprecedented control being exerted on citizens.

  • This is why the only way forward is open standards not owned by anyone, like SMTP.

    • When you have a duopoly they just ignore them. There were plenty of open standards that Microsoft just ignored for the longest time. Lawsuits took years or decades. Companies this size buy congresses to ensure laws don't get passed demanding things like this. And lastly, the average person is ignorant of why we would need things like this.

      Some days it's rather depressing to think how most people would just gladly sign themselves up for slavery.

  • I saw some new announcements about new Linux phones (other than Librem and Pine). Unfortunately I don't remember what they're called. Hopefully this is starting a new wave of Linux phones.

  • it's also the EU's[1] raison d'être

    it was created, and exists entirely to centralise power

    [1]: the organisation itself, not the countries in it

Of course they want them: if not one could install a modified Signal client from F-Droid and bypass the mass surveillance they want to introduce with Chat Control.

I'm considering that the UK did not take a bad decision of leaving the EU. The EU is demonstrating itself as a more and more corrupt institution that is not democratic (in the sense of doing what the people want it to do) at all.

They are also shooting themselves in the foot: the USA imposes tariffs on us, we make laws that benefit 2 big American companies, instead of pushing for developing alternatives to these companies.

  • > The EU is demonstrating itself as a more and more corrupt institution that is not democratic (in the sense of doing what the people want it to do) at all.

    While I agree that democracy could be strengthened at the EU level, representative democracy for better or for worse doesn't imply the representatives' decisions have to match the public's opinion at all times.

    > I'm considering that the UK did not take a bad decision of leaving the EU.

    That's ironic, given that the UK has always seemed way ahead of the EU when it comes to mass surveillance.[0]

    [0]: See https://www.eff.org/deeplinks/2023/09/uk-government-knows-ho... for a recent example.

Have to say that someone played this really well if this was preparation for Chat Control in reality.

A single email can't be expected to shake Google but it has done its job and from the response, it seems they have included that into their discourse and it can't be ruled out that this concern comes up in not so distant future allowing free side loading of apps.

> Google just followed Apple in this regard, who reacted to the DMA by coming out with this notarization of developers

Apple has required developer "notarization" since the very first App Store in iOS 2.0, no?

They have answered you that they have no answer to give.

Everything hinges on what "strictly necessary and proportionate measures" effectively are and the EU has yet to state if notarisation is ok. I personally doubt it will be considering the spirit of the law but the currently German dominated and mostly focused on German interests commission is spineless so who knows.

If you want actual change, pressure your MEP to fire Von Der Leyen and stop voting for the PPE.

When I wrote to the Commission regarding the Chrome Web Store monopoly and that Google can remove any addon that they don't like (which already happened) they told me that the Web Store isn't a gatekeeper (...of course it is, there is no other way to install Chrome Add-Ons and Chrome is designated as a gatekeeper):

> Thank you for your email in which you raise concerns that some browser extensions are not allowed by Alphabet in its Chrome Web Store or are removed as unwelcomed extensions after they have previously been available. As you may know, the European Commission has designated Alphabet as a gatekeeper for a number of its core platform services on 5 September 2023 under the Digital Markets Act (DMA), including its browser Chrome. As a result, Alphabet must comply with a set of obligations as from 7 March 2024. The Commission has not designated its online intermediation service Chrome Web Store, since it does not meet the criteria under Article 3 DMA, to be designated as a gatekeeper. We would like to thank you for the information brought to our attention and assure you that the Commission will monitor compliance of gatekeepers with the applicable obligations as well as monitor any other core platform service that may meet the criteria to be designated as a gatekeeper under Article 3 of the DMA.

So this doesn't surprise me in the slightest. DMA, DSA and GDPR only strengthen the big American companies because they have infinite money in complying with this bullshit while smaller players get shafted. You will never be able to "just install an IPA" on an iPhone, mark my words.

  • The term "gatekeeper" is strictly defined in the DMA and currently doesn't cover the Chrome Web Store. Perhaps in the future it will. The DMA and DSA don't strengthen the big American companies; they rather specifically target them. Smaller players can do whatever they want.

Those kinds of concessions were likely necessary to get them to pass the law at all.