FTC Rightly Warns That Tech Companies Can’t Hide Behind Questionable Claims Of ‘Security’ To Block Interoperability
from the sometimes-tech-companies-exaggerate dept
One of the things we talk about quite a lot on Techdirt is how the “easy” policy ideas that many people have aren’t quite so easy, because everything has tradeoffs. You want strict privacy laws? Well, that might create issues for free speech and competition. You want stronger liability on social media services? Well, that’s going to limit competition.
Lately there have been some debates regarding interoperability and privacy/security. One of many examples of this is Apple blocking Beeper from reverse engineering iMessage, to allow iPhone users to more securely communicate with Android users. In that case, Apple claimed it had to do this for security reasons. This was Apple’s statement at the time:
At Apple, we build our products and services with industry-leading privacy and security technologies designed to give users control of their data and keep personal information safe. We took steps to protect our users by blocking techniques that exploit fake credentials in order to gain access to iMessage. These techniques posed significant risks to user security and privacy, including the potential for metadata exposure and enabling unwanted messages, spam, and phishing attacks.
Except that didn’t pass the sniff test. As noted, Beeper was actually increasing the security of iMessage users by making sure that their messages to Android users were end-to-end encrypted, rather than being sent as they are today, with far weaker protection.
There are similar examples of this as well throughout the years. Right to repair laws are often lobbied against by big tech companies claiming they’ll create security and privacy problems. Companies like Facebook and LinkedIn have sued third parties for building new interfaces, claiming they were security risks.
Right before the holidays last year, however, the FTC (which I often criticize, but which sometimes does the right thing) came out with a very interesting note, warning tech companies that it would be more carefully scrutinizing claims that they need to block interoperability in the name of security and privacy.
As the announcement points out, interoperability is important:
The FTC has highlighted these benefits to interoperability. Indeed, there are aspects of technology that people may take for granted while navigating their daily routines that turn on interoperability. Web pages can display regardless of web browser. Emails can be sent and received regardless of email provider. Computer accessories, including keyboards, mice, and monitors, can be plugged into most computers regardless of manufacturer. Interoperability can also enhance consumer choice and facilitate switching between products, and thereby enhance competition.
And then it notes that, obviously, security and privacy are also super important. But, the important part is that the FTC says it’s not just going to accept the claims of tech companies that they need to block interoperability for security and privacy reasons without at least something more to substantiate those claims.
As the FTC staff observed in the 2021 Nixing the Fix Report, “manufacturers may assert that restrictions on competition in aftermarkets are necessary for privacy [and] data security,” but such “justifications need to be scrutinized on a case-by-case basis and should be rejected if found to be a mere pretext for anticompetitive conduct.” Similarly, during the FTC’s 2020 workshop, Data to Go: An FTC Workshop on Data Portability, several expert panelists discussed the importance of identifying when companies raise security concerns as a pretext for anticompetitive conduct.
The FTC is no stranger to considering privacy and security and anticompetitive conduct. Through vigorous law enforcement, the FTC strives to support a vibrant marketplace where new businesses can emerge, new products can compete, and where consumers’ digital privacy and security are protected. The agency will continue to use our full range of tools to identify anticompetitive behavior and closely scrutinize claims that restrictions or bars on interoperability are the appropriate way to protect privacy or security.
Where dominant market participants use privacy and security as a justification to disallow interoperability and foreclose competition, the FTC will scrutinize those claims carefully to determine whether they are well-founded and not pretextual, and whether the chosen approach is tailored to minimize anticompetitive impact.
This sounds like a smart, thoughtful, balanced, and nuanced approach. Obviously, there may be some cases where privacy and security are legitimately put at risk through reverse engineering or other kinds of “adversarial” interoperability. But, historically, those risks have been far more limited than companies would have you believe.
The FTC taking a nuanced approach, making it clear that it won’t just accept such claims from companies on blind faith, seems like the correct approach. We should live in a world where the default expectation is interoperability, right to repair, and the like. If there are real security and privacy concerns, companies should raise them, but we shouldn’t simply take those claims as accurate, because the companies have billions of reasons to exaggerate those risks.
It’s good that the FTC is making it clear that it’s going to scrutinize such claims more closely.
Filed Under: ftc, interoperability, privacy, right to repair, security
Comments on “FTC Rightly Warns That Tech Companies Can’t Hide Behind Questionable Claims Of ‘Security’ To Block Interoperability”
FTC won’t do shit bruh.
No thanks to FTC, they did not a single thing about it. And the current situation is not heaven.
How many websites are designed only for Chrome, or emails for Outlook? I’m not even starting with device compatibilities; I couldn’t stop for hours.
Actually, only the EU has the guts to force companies to use the same standard (instead of creating their own every year). So if the FTC decides to go that way even a single bit, it would still be a huge gain for everybody.
Let’s just hope the next President won’t lick the genitals of Big Corp like some Chupa-Chups lollipops (you know, the ones with Apple or Coca-Cola flavors).
Re:
What can the FTC do about that? They mostly have the authority to deal with false advertising. So when Apple claims they do something for security, they make themselves vulnerable to the FTC if that’s bullshit.
If sites were falsely claiming to work in any browser, it’d be easy for the FTC to deal with. In theory they can also deal with anti-trust behavior, but that’s a hell of a lot harder.
Re:
dafuq?
Re:
I have not yet seen an email designed for Outlook (or for any other specific browser). …especially because I do not read http-only emails. Nor, if I can help it, use a browser (or Outlook) to read email. Web-based email browsing is a thinly disguised hell-on-earth.
Websites designed only for Chrome? Again, not a thing. However, there ARE websites that refuse to operate if you’ve disabled javascript. Or use a very very old browser. Perhaps you’re still using IE6?
Re: Re:
Both Outlook and Gmail have “reactions” that only work inside their own systems and end up sending a separate email out as a reply containing only an emoji.
Re: Re: Re:
“Both Outlook and Gmail have ‘reactions’ that only work inside their own systems and end up sending a separate email out as a reply containing only an emoji.”
Sounds like something to avoid.
Re: Re:
We used to have this bullshit: https://en.wikipedia.org/wiki/Transport_Neutral_Encapsulation_Format
20 years ago, this made it very hard for email with attachments to interoperate well between Outlook and non-Outlook mail clients. Caused me no end of expensive headaches.
Re: Re: Re:
I use Firefox, fully up-to-date, and there are multiple websites that flat-out refuse to work for me because I’m not using Chrome. Note that there’s nothing in them that won’t work on Firefox (as switching the user agent makes them work fine), but some companies do choose to build “only for Chrome” in at least that sense.
Re:
It’s been a long, long while since I have had a website only work on another browser.
Re: Browser-specific sites
Ten years or so ago, some websites would still only properly render on Windows’ Internet Explorer. One executive and I were talking about how their devices would only connect through the internet if running Explorer, and he was very dismissive of customers that wanted other browsers for security reasons.
Re: Re:
Not even 10 years ago. RealPage still only works in Internet Explorer, or Edge with the IETab Extension installed.
So yeah, that privacy and security thing: Maybe if your damned car* had half the pointless electronics ripped out, along with all the code that tracks everything and creates privacy and security nightmares in the first place, there wouldn’t be an issue, would there?
*or whatever.
You can’t just say “That doesn’t pass the sniff test”. If you think Apple’s statement is dishonest/incorrect, then it’s on you to rebut it, piece by piece. Which you haven’t done, instead dragging out an imagined advantage of E2EE.
As an iPhone user, I really don’t care at all whether my messages to my Android-using friends are secure, OR if my messages to my iPhone-using friends are secure. I guess I just don’t send those kinds of messages; if I have something private to say, I make a phone call.
I DO care about
Until I’m given convincing proof otherwise, I’m going to assume Apple’s statements are true.
Re:
Mike’s already done that. It’s in the linked article, my man
Re:
Your comprehension problems aren’t Mike’s fault.
Sniff test?
Is that correct from the perspective of the iMessage network?
The iMessage network has a set of protocols to ensure the validity of every member of the network.
Beeper demonstrated some embarrassing gaps in those protocols that allowed validated members to join and potentially abuse the network.
Apple closed those security vulnerabilities with its tail between its legs.
At almost the same time, popular messaging service Signal indicated that operating its network with about 40 million users was approaching USD$50 million per year. Meanwhile, the iMessage network operates at the scale of about 2 billion users, or 50 times larger than Signal.
Should Apple not fix the critical security bugs that Beeper identified and protect their network? Should Apple be forced to provide free service to Android users when so many other solutions exist, and when there are such clear costs per user?
Re: Correction
That should be “non-validated members”.
Re:
That is a protocol designed to validate that the user is an iPhone user, and has nothing to do with security, but rather it is a means to create a captured market, and try to increase the captured user base by convincing Android users to switch to iPhone to securely talk to their friends.
A secure system should only rely on the protocol to provide communications security, and users should validate other users by a means that is outside the system.
“FTC Rightly Warns That Tech Companies Can’t Hide Behind Questionable Claims Of ‘Security’ To Block Interoperability”
Whyever not? Apple does.