Sunday, November 24, 2024

Understanding Apple’s Response to the DMA

Must read

What a week. When it began to look like Apple would announce how it planned to comply with the EU’s Digital Markets Act (DMA), I expected small changes at the margins that wouldn’t significantly move the needle in the EU or anywhere else. Boy, I was wrong.

Instead, we got a far-reaching, complex response that touches aspects of iOS, system apps, the App Store. There’s a lot of ground to cover, but Federico and I have talked to Apple a couple of times each about what was announced and ask questions, so it’s time to dive and try to make sense of everything.

Before getting too deep into the weeds, it’s important to understand why Apple made its announcement last week and, whether you share it or not, the company’s perspective. That makes understanding the details of what was announced easier and will hopefully help you parse legitimate criticisms of Apple’s plans from hollow hot-takes.

A DMA-Shaped Response

What makes understanding last week’s announcement difficult is that, superficially, Apple’s press release bears a vague resemblance to a typical Apple product announcement, at least until you catch its tone. EU users will now have a choice of browser engines, new payment options, and access to alternative app marketplaces. If you were watching a WWDC keynote and heard these things, you’d probably expect they’d apply across Apple’s OSes.

However, that’s not the case with most of what was announced last week. Instead, the changes announced are carefully tailored to address the DMA and nothing more. These aren’t product announcements. They’re regulatory compliance responses by a company that has made clear in various contexts that it will respect local law that impacts its products, but isn’t interested in letting one country (or countries in this case) dictate how it designs its products. I’ll revisit this point at the end of this story, but it’s important to keep in mind from the outset. Once you view the details through this prism, you can see the shape of the DMA in every facet of what Apple announced, which makes the situation easier to understand.

So, what’s the deal with the DMA? As I explained earlier this week:

The DMA is a law enacted in the European Union that’s intended to ensure that the economically significant platforms of large tech companies are operated fairly and openly. In the case of Apple, the EU has designated Apple as a platform ‘gatekeeper’…

The other concept the DMA introduces is Core Platform Services. These are services that the European Commission has decided require regulation because they’re important to the digital economy and concentrated in the hands of a handful of gatekeepers. I know that’s a little vague and unsatisfying, but so is the DMA. However, since the DMA was passed, the European Commission has created a list of Core Platform Service categories into which three of Apple’s products fall:

  • iOS, in the Operating Systems category
  • Safari, in the browser category
  • App Store, in the Intermediation category

Apple has appealed the European Commission’s designations, but that does not excuse it from complying with the law by March 6th.

So, a key point to take away from Thursday’s announcements is that as far-reaching and complex as they are, they are simultaneously very carefully constructed to address just three regulation-worthy products. That’s also why the changes only apply to people in the EU.

A corollary to this point to keep in mind is that Apple is making these changes because it has to under EU law. It’s clear from the tone of the company’s press release and our conversations with its representatives that they strongly believe the changes are bad for the security and privacy of its users. By extension, it’s also clear that Apple doesn’t think the benefits to users imposed by the EU’s regulations outweigh those privacy and security tradeoffs. And that, right there, is where reasonable people can differ and what will continue to fuel this debate for a long time.

For now, though, let’s dig into the details.

Changes That Apply Worldwide

Alright, I just finished telling you that Apple’s announcement is an EU-only thing, but that’s not quite right. There are actually two things that apply worldwide.

First, Apple has changed the App Review Guidelines to allow game streaming apps in the App Store worldwide. This change represents an about-face by Apple on game streaming apps. In 2020, Microsoft was beta testing an iOS app that would allow Game Pass subscribers to stream games on their iPhones. That beta was abandoned when Apple told Microsoft each Game Pass game would have to be separately downloadable from the App Store and go through its app review process. Microsoft changed course and offered Game Pass through Safari instead. The solution works and has been implemented by other companies, too, but it’s not ideal.

Now, however, Microsoft, NVIDIA, and other game streaming services will be able to build native apps for their services just like they do on Android. I haven’t seen any of those companies say they intend to release apps yet, but I’m sure we’ll hear more soon.

Apple’s change to the App Review Guidelines also applies to what it describes as ‘mini apps.’ I asked about this and was told it applies to things like plug-ins. That sort of app wasn’t prohibited before. A good example is Obsidian, which has an extensive plug-in system on all platforms. What’s changed, though, is that developers will be able to distribute plug-ins and other ‘mini apps’ through the App Store as In-App Purchases.

Second, Apple has introduced over 50 new iOS and App Store reports that all developers will have access to through App Store Connect. These reports were developed in connection with the DMA compliance process, but Apple decided to roll them out globally. The reports offer new insights into how people use developers’ apps and more.

Apple also introduced a new App Store Connect API called the Analytics Reports API that will allow developers to access the information for iOS and the App Store programmatically. Developers will be able to give third-party services access to their reports via the new API, too.

With iOS 17.4, developers will be able to distribute web browsers with alternative browser engines in the EU. The rest of the world will still be limited to WebKit, the engine that powers Safari.

Developers that want to use an alternative browser engine in the EU for a standalone web browser or in-app browser will need to apply for a special entitlement that will only be given if the engine they want to use meets a long list of security, privacy, and other requirements. We asked Apple whether extensions designed for alternative browser engines would be allowed under the EU rules, but we haven’t received an answer as of the publication of this story.

Users will be given a new way to manage their default web browser too. The first time an EU user launches Safari in iOS 17.4, they will be offered a randomly sorted list of the 12 most popular alternative browsers that they can set as their default browser. The list of available browsers will vary by country.

Developers of contactless payment systems and wallet apps will be able to offer alternatives to Apple’s Wallet app and payment system in the EU if they request a special entitlement and are approved. The entitlement requires that licensing and other security standards are met. Users in the EU will be able to set contactless payment alternatives as their default payment method, too.

Alternative Payment Processors in the App Store

For apps sold in Apple’s App Store, developers will be allowed to use alternative payment processors or link out to external payment systems on the web in the EU. Using either option carries with it disclosure requirements for developers that will be displayed to shoppers in App Store listings. For users, refunds from Apple will be unavailable, as will the App Store’s Family Sharing and the Ask to Buy features.

Operating an Alternative App Marketplace

Beginning with iOS 17.4, EU residents will have access to alternatives to the App Store for iOS apps (and only iOS apps), which Apple refers to as alternative app marketplaces. An app marketplace is a special type of app that allows users to access iOS apps outside the App Store.

However, not just anyone can offer an app marketplace. Operating a marketplace comes with unique obligations:

Operating an alternative app marketplace requires significant responsibility and oversight of the user experience, including content rules and moderation processes, anti-fraud measures to prevent scams, transparent data collection policies, and the ability to manage payment disputes and refunds.

Among other limitations, only businesses organized or registered in the EU can operate an app marketplace, and they must provide a letter of credit in the amount of €1,000,000 from an A-rated or equivalent financial institution.

I’ve seen some confusion over the letter of credit requirement, so it’s worth noting that letters of credit are not unusual requirements, especially where cross-border commerce is involved, and it doesn’t mean app marketplaces have to give Apple €1,000,000. All it means is that a bank or other financial institution has promised to backstop the marketplace’s obligations to Apple up to €1,000,000, which banks will gladly do for a fee based on the amount of the letter of credit after investigating the creditworthiness of the marketplace. If that sounds like insurance for commerce, that’s because that’s essentially what it is.

Also, operators of app marketplaces can’t use them as a way of distributing only their own apps. The terms of the marketplace must be published, and it must accept any developer’s app that meets its terms. So, for example, Nintendo couldn’t operate a marketplace just for first-party Nintendo mobile games. However, someone else could run a marketplace limited to just games if they accepted games from other game developers, too.

Distributing Apps in an App Marketplace

Distributing apps in app marketplaces is optional. If a developer would rather continue with the existing App Store system and business terms, they can. However, if a developer opts to offer their apps in an app marketplace, there’s no going back to the old system. Apple representatives addressed this when we spoke to them, and there are a host of technical and practical complications to unwinding participation in an app marketplace that doesn’t make doing so practical. However, developers who sell apps through an app marketplace aren’t barred from selling in Apple’s App Store, either.

Apps that are offered through an app marketplace undergo a less rigorous review process and must be notarized, which is a cryptographic signing process that ties apps to their developers, which Apple has done for several years for Mac apps sold outside of Apple’s store. Those apps will be checked using automated systems for malware, malicious code, and other security and privacy violations. Apps will also undergo limited human review to ensure they do what the developers submitting them claim they do.

That’s significantly less than the review an App Store app undergoes. Apple will not police the content in apps because they aren’t allowed to under the DMA. As a result, apps that are not permitted in the App Store, like adult content and game emulators, may be available in third-party app marketplaces. It’s the responsibility of the app marketplace to ensure that apps don’t violate the law and meet that marketplace’s content rules, moderation policies, and other user protections.

Buying Apps from an App Marketplace

When a user tries to purchase from an app marketplace, they’ll have to approve the marketplace as an authorized seller from their iPhone. They’ll have the option to set any marketplace or the App Store as the default storefront, too. Users will be able to review past-approved marketplaces and revoke their authorization from the iOS Settings app at any time. Revoking a marketplace’s authorization to provide apps prevents new apps or updates from being downloaded from that storefront, which can also be accomplished by deleting the marketplace’s app from an iPhone.

When a user purchases from an iOS app marketplace, that app isn’t downloaded through the marketplace app or the App Store. Instead, users will be kicked to a webpage where they’ll be presented with a new card interface that includes information about the app, such as its name, developer, description, and screenshots. In other words, if you’re running an app marketplace, it’s your job to host and distribute your apps, not Apple’s.

Also, at the risk of belaboring what should be obvious by this point, the new EU rules are not unfettered sideloading. Yes, apps can be installed from the web, but only via an approved app marketplace. That’s far more open than the options that are available in the rest of the world, but it’s not as open as the Mac, where I can buy an app from a developer without first installing an app marketplace app.

Business Terms

Along with the changes to the mechanics of selling iOS apps covered above are new business terms that reflect the unbundling required by the DMA. It bears repeating that developers can stick with the status quo if they want, and the App Store will remain an available distribution channel even for developers who adopt the new EU business terms. However, if the new terms are accepted, the fee structure changes too.

First, payment processing is a separate charge of 3% for developers who use the App Store to complete transactions. Alternatively, a developer can use a third-party in-app processor or link out to a website for payment processing at no additional charge. Payment processing isn’t available to apps distributed in app marketplaces.

Second, commissions paid to Apple will be reduced to 10-17% as opposed to the current 15-30% commission. Developers who sell through app marketplaces will pay no commission to Apple.

Third, a Core Technology Fee (CTF) will be charged for all apps, free or paid, equal to €0.50 per first annual app install over 1 million installations. Educational institutions, government agencies, and non-profits don’t have to pay the CTF. The CTF applies to any developer who accepts Apple’s new EU business terms no matter where their apps are sold.

I want to pause to examine the Core Technology Fee more closely because it’s a new beast and a significant departure from the way the App Store has worked historically. When the App Store was launched, one way Apple encouraged developers to make apps for the iPhone was by not charging for listing free apps on the App Store. That’s changing, but not as drastically as some have feared.

Apple estimates that the CTF would be paid by fewer than 1% of developers if all of them adopted the new EU business terms. That’s driven by the 1 million installation threshold combined with how installations are counted. First annual installs are counted by user, not device. That means that someone in the EU can install an app on as many iPhones as they want, but only the first install counts against the 1 million threshold. This also means that after a first annual install, a user can install, update, delete, and reinstall an app as many times as they want without those actions counting against the 1 million install threshold. Apple told us that it’s counting this way to avoid unintended consequences that might otherwise discourage developers from updating their apps if updates counted against installs, for example. Another mitigating factor is that developers only pay the CTF for the installations in excess of that first 1 million.

I’ve seen suggestions that this will end the free and freemium app market as we know it, which I doubt will be the case. The parameters are defined in a way that I expect Apple’s estimate that the CTF would only be paid by 1% of developers will be borne out in time. Plus, developers of free apps can always choose to remain in the App Store under its existing terms.

However, that begs the question of why Apple would charge the CTF for free apps in the first place. My guess is that it’s to encourage large free apps to stay in the App Store fold where Apple can review and regulate their behavior because, historically, free apps have engaged in the most egregious privacy violations.

Who Is an EU User and How Can I Get What My EU Friends Have?

It isn’t easy to geofence the Internet. By its nature, the Internet doesn’t conform to geographic boundaries. If you’ve dealt with purchasing hardware or content from Apple that isn’t available in your country before, you may be wondering if you can simply set up an Apple ID with an EU address to take advantage of some of the changes announced. It’s a reasonable assumption but not a good one because Apple is looking at a host of factors beyond users’ Apple IDs to determine if the new EU rules apply to them.

I expect that there will inevitably be stories of people who have gotten caught up in weird geographic edge cases, but Apple says they’ve thought through this. Simply vacationing outside the EU won’t eliminate access to app marketplaces, for example. Nor should working in a non-EU country but living in the EU. But moving outside the EU for an extended period will eventually end your access to third-party marketplaces and updates to any apps you bought.

Is Anything Really Going to Change?

I seriously doubt that many of the smaller developers who you read about on MacStories every day will adopt the new EU rules anytime soon. Maybe companies like Epic Games or Spotify will do so, but the App Store remains the path of least resistance. It’s easy to look at that and conclude that Apple is making the new EU rules complex to steer developers into staying in the App Store, and it’s certainly clear Apple would prefer that outcome, but there’s more to it.

iOS is a complex, integrated system that wasn’t designed to be separated into the component parts required by the DMA. Maybe it shouldn’t have been designed that way over a decade ago, but that’s where we are today, so pulling it apart is complex by its very nature. Just look at the over 600 APIs introduced to make these changes possible. Moreover, no matter what Apple does, its one-stop-shop that handles everything from hosting apps to payment processing is easier than putting those pieces together ad hoc.

Personally, I’m glad to see that EU developers will have more choices. As attractive as the App Store is to some of them, it’s not for everybody, and hopefully, expanding developer options will wind up enhancing the apps that are available. That’s probably wishful thinking, given that the rules are EU-only, but I wouldn’t be surprised, if over time, more parts of the world require similar changes.

I’m less certain what this will mean for users. There will undoubtedly be demand for apps that Apple doesn’t let into its store, and perhaps app prices will go down as developers’ commission costs go down, although I doubt it. There are things I’ve wanted to see change about the App Store experience as a user for a long time, but I suspect most people are fine with the status quo.

Regardless of the practical impact of the DMA, it’s still important. The law may be vague and ill-defined, but the idea is a valid one. A handful of very large tech companies have a tight grip on large swaths of our digital lives. I think there is less to worry about when it comes to Apple than some of its competitors, but that doesn’t mean that things won’t change over time, and governmental bodies like the EU are just about all there is that can stand up to that sort of power. I’ve never been a big fan of regulation, but I do believe in the threat of regulation to keep companies’ worst instincts in check.

As for what’s next, I guess we’ll see. Next month, a grand new app experiment will begin in the EU. I’m interested to see how it goes, even if I won’t be able to test the changes from the US myself. I also expect we haven’t heard the last from the European Commission. They still haven’t decided if iMessage is a Core Platform Service, and it remains to be seen if the announcements made last week satisfy the DMA. One thing’s for certain, though: we are still in the very early stages of what will be a drawn-out, global tug-of-war between Apple and government regulators.

Latest article