How the American Choice and Innovation Online Act may affect cybersecurity

By Mark Lanterman

Less than a decade and a half into the smartphone era, it is already hard to envision a world in which instant information gathering, communication, and computing abilities aren’t available to us all the time, anywhere. Much of our lives is tracked and stored on our phones, making our lives easier but also less private and less secure. A pending piece of federal legislation, the American Choice and Innovation Online Act,1 highlights the tension and illustrates the complicated set of expectations we have for Big Tech.  

The American Choice and Innovation Online Act is intended to address online discrimination, and “would ban major tech firms like Amazon and Google from favoring their products over their competitors.”2 The bill is being presented as a means of counteracting the enormous influence that big tech companies have over consumer experience, from search results to the availability of applications. The hope is that the measures outlined in the bill would allow for competitive pricing, encourage improvement of products and services, and prioritize the experience of consumers.

While consumer choice and antitrust action are being framed as the primary issues driving this bill, many are concerned about the far-reaching implications the legislation would have on other facets of technology. Opponents worry that default security measures may not be implemented properly on platforms, users may not be able to opt out of cross-site tracking, and insecure websites, apps, and links will be given equal ranking on Google.4

Another concern involves the privacy and security vulnerabilities of Apple’s iPhone if sideloading becomes an option. “Sideloading” essentially refers to the process of installing third-party software, such as an app, that is not directly approved by the original retailer. In Apple’s case, this would be any app not originating from the App Store, which is known for its “walled garden” approach to security. In response to the bill, Apple’s head of federal government affairs, Tim Powderly, stated in a letter this past February, “Sideloading would enable bad actors to evade Apple’s privacy and security protections by distributing apps without critical privacy and security checks. These provisions would allow malware, scams, and data exploitation to proliferate.”5 Apple essentially pre-approves applications before making them available via the App Store. The unhindered installation of unvetted third-party apps weakens this process and makes users susceptible to cybercrime.

Powderly also wrote in his letter that this change would effectively extend to social media platforms, allowing them to bypass Apple’s App Store policies. In an article I wrote here last year, ‘Apple’s new iOS strikes a blow for data privacy’ (May/June 2021), I described Apple’s efforts to maintain user privacy through app tracking transparency as well as privacy nutrition labels (which essentially give users a summary of how an app developer protects their data). These kinds of measures are intended to give users greater control of their data and online presence, especially when it comes to custom advertising. 

This past May, it was announced that the American Choice and Innovation Online Act was being amended to address some of these issues. But concerns about allowing unauthorized applications still remain. Apple responded to the revision by noting, “The changes made to the bill are a recognition that the legislation, as originally drafted, created unintended privacy and security vulnerabilities for users. We believe the proposed remedies fall far short of the protections consumers need, and urge lawmakers to make further changes to avoid these unintended consequences.”6 Indeed, the sheer number of iPhone users and the vast variety of data stored on these devices make the risks particularly alarming. The vague language of the bill may cause problems for consumers down the road, including an increase in malware attacks.7 While some may want the ability to easily download third-party apps, security risks may be amplified for all iPhone users should Apple be forced to change its policies. 

The American Choice and Innovation Online Act is being promoted as a blow for consumer choice in a world where we increasingly rely on Big Tech to make a living and operate in daily life. But it remains to be seen how these changes could negatively affect digital security. Some argue the legislation would ultimately hurt consumers while only benefitting other tech companies. Many fear that sideloading iPhones opens a door to increased cybercrime and diminished privacy, and that the risks outweigh the benefits. As Tim Cook has said, Android phones are an alternative for those who believe Apple’s requirements are too restrictive. No piece of technology is ever going to be perfect, and there is always room for improving functionality. But favoring convenience over security is never the best idea, and any act of legislation designed to improve consumer experience must fully reckon with the importance of both.

NOTES

1 https://www.congress.gov/bill/117th-congress/house-bill/3816/text
2 https://www.politico.com/news/2022/05/26/vulnerable-senate-democrats-back-off-big-tech-bill-00035307
3 https://bipartisanpolicy.org/explainer/s2992/
4 https://www.csis.org/analysis/breaking-down-arguments-and-against-us-antitrust-legislation
5 https://www.bloomberg.com/news/articles/2022-02-02/apple-urges-senate-to-reject-bill-that-allows-outside-app-stores
6 https://www.macrumors.com/2022/05/26/apple-statement-revised-sideloading-bill/
7 Supra note 3.

Mark Lanterman is CTO of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security/forensic experience and has testified in over 2,000 matters. He is a member of the MN Lawyers Professional Responsibility Board.