The App Store and the Digital Markets Act, Third-Party App Stores, Messaging Interoperability Madness

Good morning,

On to the update:

The App Store and the Digital Markets Act

From Bloomberg:

Apple Inc. is preparing to allow alternative app stores on its iPhones and iPads, part of a sweeping overhaul aimed at complying with strict European Union requirements coming in 2024. Software engineering and services employees are engaged in a major push to open up key elements of Apple’s platforms, according to people familiar with the efforts. As part of the changes, customers could ultimately download third-party software to their iPhones and iPads without using the company’s App Store, sidestepping Apple’s restrictions and the up-to-30% commission it imposes on payments…

If similar laws are passed in additional countries, Apple’s project could lay the groundwork for other regions, according to the people, who asked not to be identified because the work is private. But the company’s changes are designed initially to just go into effect in Europe.

Even so, the news bolstered shares of companies that offer dating services and other apps. Match Group Inc. jumped as much as 10% and Bumble Inc. was up as much as 8.6% — a sign investors think the companies could get a break from Apple’s commissions. Spotify Technology SA, the audio streaming service, climbed as much as 9.7%. Apple’s shares, meanwhile, were little changed.

To help protect against unsafe apps, Apple is discussing the idea of mandating certain security requirements even if software is distributed outside its store. Such apps also may need to be verified by Apple — a process that could carry a fee. Within the App Store, Apple takes a 15% to 30% cut of revenue. Apple hasn’t made a final decision on whether to comply with a component of the Digital Markets Act that allows developers to install third-party payment systems within their apps. That would let users sign up for subscriptions to a travel app, for example, or buy in-app content from a game maker — without involving Apple.

That last sentence is a bit strange: Apple doesn’t have any choice but to comply; the reason for uncertainty is that it’s not entirely clear if the Digital Markets Act requires Apple to allow developers to install third-party payment systems within their apps. Here is what it does require:

The gatekeeper shall not prevent business users from offering the same products or services to end users through third-party online intermediation services or through their own direct online sales channel at prices or conditions that are different from those offered through the online intermediation services of the gatekeeper.

This means that Twitter, for example, can charge one price in its app and another price online; Apple did at one point ban this, but changed that rule several years ago.

The gatekeeper shall allow business users, free of charge, to communicate and promote offers, including under different conditions, to end users acquired via its core platform service or through other channels, and to conclude contracts with those end users, regardless of whether, for that purpose, they use the core platform services of the gatekeeper.

The first part undoes what is maybe the most egregious App Store rule: the fact that an app cannot tell users within its own app about offers that may be available on its website. I do wish this section specified that an app can also include a link to their website.

The second part is what I am unclear about: “conclude contracts” certainly could mean “make a purchase”; if it does, the fact they don’t need to “use the core platform services of the gatekeeper” suggests it could be in-app (using a different payment service), in addition to the aforementioned website. Notice also that this must be “free of charge.”

The gatekeeper shall allow end users to access and use, through its core platform services, content, subscriptions, features or other items, by using the software application of a business user, including where those end users acquired such items from the relevant business user without using the core platform services of the gatekeeper.

This expands the “Reader” rule — in which users can access content they paid for elsewhere — to all aspects of an app, including features.

The gatekeeper shall not require end users to use, or business users to use, to offer, or to interoperate with, an identification service, a web browser engine or a payment service, or technical services that support the provision of payment services, such as payment systems for in-app purchases, of that gatekeeper in the context of services provided by the business users using that gatekeeper’s core platform services.

This makes clear that the App Store can’t force users to use in-app purchase; this was the issue at play with the 2020 Hey controversy.

All of these regulations are great news; I would have preferred that Apple self-regulate, but they haven’t, so I think these measures are appropriate. Moreover, I think these specific rules — even if applications have to kick users out to web browsers for conversion — are more important than third-party App Stores.

Third-Party App Stores

The relevant rules pertaining to Third-Party App Stores are as follows:

The gatekeeper shall allow and technically enable the installation and effective use of third-party software applications or software application stores using, or interoperating with, its operating system and allow those software applications or software application stores to be accessed by means other than the relevant core platform services of that gatekeeper. The gatekeeper shall, where applicable, not prevent the downloaded third-party software applications or software application stores from prompting end users to decide whether they want to set that downloaded software application or software application store as their default. The gatekeeper shall technically enable end users who decide to set that downloaded software application or software application store as their default to carry out that change easily.

The gatekeeper shall not be prevented from taking, to the extent that they are strictly necessary and proportionate, measures to ensure that third-party software applications or software application stores do not endanger the integrity of the hardware or operating system provided by the gatekeeper, provided that such measures are duly justified by the gatekeeper.

Furthermore, the gatekeeper shall not be prevented from applying, to the extent that they are strictly necessary and proportionate, measures and settings other than default settings, enabling end users to effectively protect security in relation to third-party software applications or software application stores, provided that such measures and settings other than default settings are duly justified by the gatekeeper.

My biggest disappointment with this regulation is the word “or”: gatekeepers must allow third-party software applications (i.e. side-loading) or third-party stores; if this report from Bloomberg is correct then Apple is going to allow the latter but not the former. To me the biggest value of side-loading is for apps that push the frontier of what is possible with a device, and while randomly installing apps on the Internet certainly has risks, I would like it to be a possibility, even if you have to jump through hoops to enable it (like Android). Trading the Apple gatekeeper for another gatekeeper isn’t as compelling.

Indeed, I don’t think that third-party App Stores are going to be that big of a deal, particularly if apps are able to easily point users to alternative payment systems from within App Store apps. There will just be too much friction entailed in requiring users to first have a 3rd-party app store installed before you can even get an app.

The big question is how Apple plans on collecting its fees, which it does not plan on giving up! As you will recall from the Epic trial and other concessions Apple has made in individual countries, the company insists that its 30% App Store tax is in fact a fee for using its IP broadly; that just happens to be the most efficient way to collect it. That means that when Apple has been forced to allow alternative payment methods, it audits the developer for 27% of its purchases; there is nothing in the Digital Markets Act preventing this.

Of course this could be more difficult to enforce with a third-party App Store; similarly, a third-party App Store would be under no obligation to enforce the aspects of App Tracking Transparency (ATT), like the ban on server-to-server communication that is unenforceable by Apple technically, that are currently enforced by App Store Review. This is where the suggestion in the Bloomberg article that Apple may still demand to review apps in third-party app stores and charge a fee for the privilege makes sense (from Apple’s perspective): it can still enforce its rules and get its fee in a different way.

Of course the other alternative for Apple would be to dramatically increase its developer fees from $99/year to pay for its IP, but that would cut out smaller developers and new entrants. Indeed, that gets to the truth of the matter: Apple supports apps because it’s good for the iPhone; it charges them for the privilege because it can, and it’s not going to give that up easily.

Messaging Interoperability Madness

I wrote previously that the Digital Markets Act had some good parts — see above — but it also had some insane parts, and I should note that the messaging interoperability I mentioned then as an insane part did make it into the final version.

Where a gatekeeper provides number-independent interpersonal communications services that are listed in the designation decision pursuant to Article 3(9), it shall make the basic functionalities of its number-independent interpersonal communications services interoperable with the number-independent interpersonal communications services of another provider offering or intending to offer such services in the Union, by providing the necessary technical interfaces or similar solutions that facilitate interoperability, upon request, and free of charge.

You might think that “basic functionalities” would be something like text and maybe photos; you would be wrong! Basic functionality includes text, photos, videos, file attachments, voice calls, video calls, and all of this for both one-to-one conversations and group conversations; simply supporting SMS, a perfectly fine fall-back that works on every phone in the world, will not be enough.

This is — and there really is no other word for it — stupid. Not only will implementing this level of interoperability be exceptionally difficult and likely take far longer than the 1~4 years allowed for in the rules, but it will completely halt all new innovation in the space and make it impossible for new entrants to join, for basically zero benefit to anyone.

Here’s the truly crazy part, though:

The level of security, including the end-to-end encryption, where applicable, that the gatekeeper provides to its own end users shall be preserved across the interoperable services.

This is flat out impossible. End-to-end encryption means that the two devices at either end need to exchange keys; this can be done manually but is very difficult and error-prone — note the adoption, or lack thereof, of PGP for encrypted email. The way that messaging services implement end-to-end encryption is by managing that key exchange on behalf of the users; there is some degree of trust inherent in this key exchange, as whoever handles the key exchange could execute a man-in-the-middle attack, but the trust necessary goes no further than that.

This would not be the case with interoperable end-to-end encryption. Beyond the madness of needing to build a centralized key exchange, every single party that took part in that key exchange would be a vector for a man-in-the-middle attack, which is to say that interoperable end-to-end encryption is inherently less secure. There literally is no way to fulfill this diktat.
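To make the trust point concrete, here is an added illustration (not part of the original Update, and not any messaging service's actual protocol) of a key exchange that passes through one or more parties, and of how the two endpoints can tell when the key they received is not the one that was published. The group parameters, the `hops` model and every function name are assumptions made for the sketch; real messengers use vetted curves and far more elaborate protocols.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, for illustration only (assumption, not a real
# messenger's parameters).
P = 2**127 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared_secret(my_priv, their_pub):
    return hashlib.sha256(str(pow(their_pub, my_priv, P)).encode()).hexdigest()

def safety_number(pub_a, pub_b):
    """Fingerprint each endpoint computes locally over the two public keys
    it believes are in use; the users compare it out of band."""
    lo, hi = sorted((pub_a, pub_b))
    return hashlib.sha256(f"{lo}:{hi}".encode()).hexdigest()[:16]

def honest(pub):
    """A party in the key-exchange path that relays the key unchanged."""
    return pub

def substituting():
    """A party in the path that hands out a key of its own instead."""
    _, rogue_pub = keypair()
    return lambda pub: rogue_pub

def fetch_key(true_pub, hops):
    """Deliver a published key through every party in the path."""
    pub = true_pub
    for hop in hops:
        pub = hop(pub)
    return pub

def session(hops):
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    a_sees_bob = fetch_key(b_pub, hops)      # what Alice's device receives
    b_sees_alice = fetch_key(a_pub, hops)    # what Bob's device receives
    return {
        # Do the two devices actually end up with the same session secret?
        "same_secret": shared_secret(a_priv, a_sees_bob)
                       == shared_secret(b_priv, b_sees_alice),
        # Would comparing fingerprints reveal that a key was replaced?
        "safety_numbers_match": safety_number(a_pub, a_sees_bob)
                                == safety_number(b_sees_alice, b_pub),
    }

if __name__ == "__main__":
    print("one honest service:     ", session([honest]))
    print("three parties, one bad: ", session([honest, substituting(), honest]))
```

Every entry in `hops` is a party the users have to trust to relay keys faithfully; the fingerprint comparison is the manual check that catches a replaced key, and it is exactly the step most users never perform.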

Frankly, this entire section is a disaster. It is solving a problem that doesn’t exist — there is plenty of competition in messaging, and SMS is a lowest common denominator — in a way that will at best destroy innovation in the space and deliver a worse experience for customers, and at worst is just impossible.

