Remaking the app store

There’s very little we can say about Apple’s App Store policies that we didn’t say when it launched in 2008, in 2011 when it first tightened the rules, or in 2020, when Epic tried to stunt its way out of them. Meanwhile, the world has moved on: generative AI is the centre of tech innovation, excitement and company creation now, not smartphone apps. The Vision Pro might swing the pendulum back to AR/VR and Apple, but not for years. Seen from Silicon Valley, this is an argument from a decade ago. 

That time-lag itself is a broader structural problem: the decision-cycle of regulation and due process tends to be longer than the life-cycle of a technology platform. Everyone in the regulation industry is very conscious of that, but the alternative is to speculate about the future development of markets that don’t exist yet, and that has its own problems, as the FTC found when it tried to stop Meta from buying Within. Pick your trade-off.

And yet, this platform is the primary computing device for over a billion people, and with the DMA we have a big new law from the EU that tells Apple it has to change things. There’s also a court ruling in the USA (rather narrower and focused on Apple’s anti-steering rule), and perhaps more coming from a rumoured DoJ/FTC lawsuit. Apple has responded with a very broad set of proposals and changes to how things work, or might work. These are not at all what people who wanted change hoped to see. However, it’s much less clear whether they are what the EU wanted, or indeed whether it’s actually possible to build what the EU wanted… presuming that anyone involved in the DMA actually knows what that is.

The challenge for the EU is that the iPhone proposed a new kind of tradeoff for the software industry. IBM’s mainframes gave giant companies a computer and software as one sealed system that IBM controlled. In contrast, the PC was an open system that no-one really controlled (not even Microsoft), where anyone could do anything with their computer, and so could any developer. This was freedom, but it also meant that it was easy for you to break your computer and easy for a developer to break it (accidentally or on purpose), and easy for them to steal your data. When there were millions of PCs, owned mostly by pretty technical people, and they were not connected to an open global network, that was one thing, but once billions of people connected to the internet, that was a big problem.

Hence, the iPhone software model proposed a new level of abstraction and a new trade-off. Random third-party developers cannot do whatever they want with your data or break your computer, and indeed you cannot break your computer. The iPhone puts security, privacy and reliability over the freedom to change anything and do anything. This has been a huge success: iOS has the largest mobile app ecosystem, and indeed the largest software ecosystem there has ever been, with millions of apps and billions of downloads, which makes it rather incomplete to call it ‘closed’.

This is the right trade-off for almost everyone. A small number of highly-technical people would like to be able to change anything on their computer even at the cost of opening security holes everywhere: they are free to buy a different device.

However, Apple uses the control inherent in this model in ways that are sometimes mostly or entirely about Apple, and not about that security, privacy and reliability at all.

Generally, this is a spectrum. Some restrictions are entirely about privacy, security and performance (no, you can’t have root access to the file system), but others are also about making life harder for competitors, or extracting rent, or both. Why can’t WhatsApp be your default SMS client, say, and why can’t Square make a wallet app that uses NFC? There are serious security and ease-of-use answers to this, but also, serious business answers. Banning streaming games services has no security reasoning: it’s purely a desire to protect Apple’s own ecosystem.

The payment rules are a subset of this, and they have some of the clearest examples. Apple believes that developers should pay it for using the platform (a well-established model on games consoles, but not on PCs or Macs), and it chose to charge them by letting most developers use it for free (Uber and TikTok don’t pay anything) but charging a 30% commission for digital content bought inside apps. That sounded simple in 2008, but quickly led to an inverted pyramid of increasingly complex problems, exemptions, carve-outs and edge-cases.

But while you can at least argue whether newspapers should be paying that 30%, Apple again uses this to hurt or block competitors in ways that have no user benefit. The obvious problem right from the beginning was music and ebooks. Neither of these have the gross margin available to pay Apple a 30% commission (meanwhile, Apple’s store model has a cap of 10,000 products per app, so you couldn’t use it for an ebook store even if you were willing to pay), so they have to use their own subscription, but Apple banned them from telling the user how to do that.

In case there was any doubt, Steve Jobs was very clear about this internally in 2011, in the email below: the new rules introduced in 2011 would preclude some competitors. These rules would be good for users in some ways (see Eddy Cue’s comment further down about the app experience) but bad in others.

All of this is to say that you can believe two things.

On one hand, the principle of Apple’s sandboxed, managed, curated system (across both the OS sandbox and the store) is great for almost all developers, and users, and Apple. (Apple may or may not see things in that order.) Something over a billion people have an iPhone, and though we sometimes call it ‘closed’, it has millions of apps and billions of downloads: iOS is the largest open software ecosystem in history. The App Store model is not some kind of aberration incidental to the success of the iPhone: it is a core part of how Apple delivers the promise: a phone that just works and apps that just work.

But, on the other hand, Apple has sometimes also used the control inherent in that system to do things that are actively bad for users and developers and good only for Apple.

There are some theories of competition law that point out that Apple is far from a monopoly (especially outside the USA) and that the only necessary response to Spotify’s complaints is ‘tough’, and other theories that say that this calls for intervention: we can debate those in a bar, but meanwhile, the EU has intervened. So what happens next?

Let’s go back to the regulators’ problem - that ten year time lag. The EU’s attempt to solve this is to write laws of broad general principle that will cover new problems that might occur in the future: some of the DMA’s broad general rules address issues that only apply to Apple, but they’re still broad and general. Instead of banning particular things that Apple does, the EU has tried to redesign the entire system so that Apple doesn’t have that kind of control to abuse.

Hence: Apple uses its control of the app store to block some apps, so the DMA says that Apple must allow third party app stores and side loading. Apple uses its payment commission rules to limit some competitors, doesn’t let apps use a third party payment processor, and charges 30% when the going rate for processing credit cards is 3%, so the DMA says that Apple must allow apps to use third party payment.

But what does that mean for the other side of the trade-off - for that privacy, security and reliability?

Well, the EU has chosen some classic Boris Johnson ‘cake-ism’ - it is trying to have its cake and eat it. Apple must open up a bunch of holes in the security model without weakening the security model. Easy! (Tech regulation is full of this right now: we must have secure encryption that the police can read!)

The problem is that Apple has taken the EU at its word. Imagine the dialogue:

  • You want apps to be able to use a third party payment processor? OK - instead of paying us 30% commission, they can use a third party processor and pay us 27%

  • You want us to allow third party app stores while preserving security, privacy and reliability? OK: all those apps must be reviewed according to our rules, and notarised by us. And those stores can’t be in our app store - you asked for side-loading, so the stores will have to be side-loaded

  • Apps in those stores aren’t subject to our 30% commission rule? OK - they can pay us 50 eurocents per download instead

  • You want us to let people leave our safe, secure ecosystem while keeping them safe and secure? OK, we’ll need some giant scare screens to warn them

  • And (of course), this only applies in the EU (which Apple said this week is only 7% of its app store revenue), so you won’t have access to the global user base.

Spotify, of course, is furious at all of this, and Mark Zuckerberg said on the Meta earnings call this week that on this basis nothing would really change. On the other hand, in legal terms this is just a proposal. The EU will look at what Apple has done and decide whether it likes it (see Steven Sinofsky, formerly of Microsoft, on the time when the EU decided that Windows should not include video playback). This isn’t over: there will be argument, iteration and eye-catching fines that make no sense. Experts on EU law, and US law, and competition theorists who’ve never met an engineer, will argue at great length, as the people who gave us the cookie box try to design app stores.

However, that does not mean that the EU is going to give Apple’s critics what they want. Your enemy’s enemy is not your friend.

The misconception, I think, is that while YOU might believe that platform owners should not control what you can do and that everything should be open, the EU absolutely does not. The DMA and the DSA are full of requirements for platforms to control and restrict what happens. So are even the clauses aimed at Apple.

You might want your device to work like an open and unrestricted PC, but the EU doesn’t want that. The DMA, again, is an awful lot of having cake and eating it: this device should remove barriers to competition and innovation, but it should also preserve privacy, security and system reliability. This, again, is the Boris Johnson ‘cake-ism’ approach to product design, and that’s the pain point that Apple is pushing: “you told us you want us to control the platform… and not to control it. So which is it?” If you look at Apple’s new rules, see Apple using them to maintain control, and call this ‘malicious compliance’, you’re missing the point. The EU told Apple to maintain control.

I think one could argue here that the DMA’s approach to app stores looks rather like the fiasco of its cookie box rules. The EU is looking for the right level of abstraction: if you ban specific behaviour you’ll probably be left behind by events, so instead you look for a general solution. However, both here and for cookies, instead of asking what specific problem it was trying to solve, it tried to do system design. Here, to repeat, I don’t think the EU is trying to make iOS work like a PC: it’s trying to stop ‘gatekeepers’ from abusing their control over competitors, while also requiring them to use that control for all sorts of other policy objectives (CSAM, harmful content, privacy, etc, etc). I wonder if it might have done better to focus on a principle of ‘self-preferencing’ than on trying to redesign the smartphone software model.

Stepping back, though, how much does this matter? The funny thing about Spotify is that it’s the exception that proves the rule: Spotify, ebooks, audiobooks and a few other use cases are obvious things that Apple’s billing rules in particular caused problems for, but it’s really hard to think of any others. The same for streaming: this was one very specific model that Apple wanted to block, Microsoft made it work fine on the web instead, and now Apple has abandoned that rule (for that use-case, Apple has conceded entirely). Conversely, Epic didn’t want to pay, but there was no actual business reason why it couldn’t. How much was this about innovation and how much was it about money?

We don’t, obviously, know the counter-factual, but where are the models that work on Android, and especially the chaos of Chinese Android, that iPhones can’t have? It’s certainly very hard to look at a Chinese Android with three or four different app stores fighting each other and see a benefit to users or developers - that looks more like a tragedy of the commons. Ironically, it’s only now, with generative AI taking off, that the concept of an AI agent that can watch everything on your phone and make suggestions gives us an example of something really significant and potentially useful that Apple wouldn’t allow - and yet even though the DMA is supposed to be a set of general, future-proof rules, it isn’t clear if that’s covered by the DMA at all. Check back in ten years? Regulators, like generals, are always fighting the last war. 

Apple, Policy

Benedict Evans