All of this is to say that you can believe two things.
On one hand, the principle of Apple’s sandboxed, managed, curated system (across both the OS sandbox and the store) is great for almost all developers, and users, and Apple. (Apple may or may not see things in that order.) Something over a billion people have an iPhone, and though we sometimes call it ‘closed’, it has millions of apps and billions of downloads: iOS is the largest open software ecosystem in history. The App Store model is not some kind of aberration incidental to the success of the iPhone: it is a core part of how Apple delivers the promise: a phone that just works and apps that just work.
But, on the other hand, Apple has sometimes also used the control inherent in that system to do things that are actively bad for users and developers and good only for Apple.
There are some theories of competition law that point out that Apple is far from a monopoly (especially outside the USA) and that the only necessary response to Spotify’s complaints is ‘tough’, and other theories that say that this calls for intervention: we can debate those in a bar, but meanwhile, the EU has intervened. So what happens next?
Let’s go back to the regulators’ problem - that ten year time lag. The EU’s attempt to solve this is to write laws of broad general principle that will cover new problems that might occur in the future: some of the DMA’s broad general rules address issues that only apply to Apple, but they’re still broad and general. Instead of banning particular things that Apple does, the EU has tried to redesign the entire system so that Apple doesn’t have that kind of control to abuse.
Hence: Apple uses its control of the app store to block some apps, so the DMA says that Apple must allow third party app stores and side loading. Apple uses its payment commission rules to limit some competitors, doesn’t let apps use a third party payment processor, and charges 30% when the going rate for processing credit cards is 3%, so the DMA says that Apple must allow apps to use third party payment.
But what does that mean for the other side of the trade-off - for that privacy, security and reliability?
Well, the EU has chosen some classic Boris Johnson ‘cake-ism’ - it is trying to have its cake and eat it. Apple must open up a bunch of holes in the security model without weakening the security model. Easy! (Tech regulation is full of this right now: we must have secure encryption that the police can read!)
The problem is that Apple has taken the EU at its word. Imagine the dialogue:
You want apps to be able to use a third party payment processor? OK - instead of paying us 30% commission, they can use a third party processor and pay us 27%
You want us to allow third party app stores while preserving security, privacy and reliability? OK: all those apps must be reviewed according to our rules, and notarised by us. And those stores can’t be in our app store - you asked for side-loading, so the stores will have to be side-loaded
Apps in those stores aren’t subject to our 30% commission rule? OK - they can pay us 50 eurocents per download instead
You want us to let people leave our safe, secure ecosystem while keeping them safe and secure? OK, we’ll need some giant scare screens to warn them
And (of course), this only applies in the EU (which Apple said this week is only 7% of its app store revenue), so you won’t have access to the global user base.
Spotify, of course, is furious at all of this, and Mark Zuckerberg said on the Meta earnings call this week that on this basis nothing would really change. On the other hand, in legal terms this is just a proposal. the EU will look at what Apple has done and decide whether it likes it (see Steven Sinofsky, formerly of Microsoft, on the time when the EU decided that Windows should not include video playback). This isn’t over: there will be argument, iteration and eye-catching fines that make no sense. Experts on EU law, and US law, and competition theorists who’ve never met an engineer, will argue at great length, as the people who gave us the cookie box try to design app stores.
However, that does not mean that the EU is going to give Apple’s critics what they want. Your enemy’s enemy is not your friend.
The misconception, I think, is that while YOU might believe that platform owners should not control what you can do and that everything should be open, the EU absolutely does not. The DMA and the DSA are full of requirements for platforms to control and restrict what happens. So even are the clauses aimed at Apple.
You might want your device to work like an open and unrestricted PC, but the EU doesn’t want that. The DMA, again, is an awful lot of having cake and eating it: this device should remove barriers to competition and innovation, but it should also preserve privacy, security and system reliability. This, again, is the Boris Johnson ‘cake-ism’ approach to product design, and that’s the pain point that Apple is pushing: “you told us you want us to control the platform.. and not to control it. So which is it?” If you look at Apple’s new rules, see Apple using them to maintain control, and call this ‘malicious compliance’, you’re missing the point. The EU told Apple to maintain control.
I think one could argue here that the DMA’s approach to app stores looks rather like the fiasco of its cookie box rules. The EU is looking for the right level of abstraction: if you ban specific behaviour you’ll probably be left behind by events, so instead you look for a general solution. However, both here and for cookies, instead of asking what specific problem it was trying to solve, it tried to to do system design. Here, to repeat, I don’t think the EU is trying to make iOS work like a PC: it’s trying to stop ‘gatekeepers’ from abusing their control over competitors, while also requiring them to use that control for all sorts of other policy objectives (CSAM, harmful content, privacy, etc, etc). I wonder if it might have done better to focus on a principle of ‘self-preferencing’ than on trying to redesign the smartphone software model.
Stepping back, though, how much does this matter? The funny thing about Spotify is that it’s the exception that proves the rule: Spotify, ebooks, audiobooks and a few other use cases are obvious things that Apple’s billing rules in particular rules caused problems for, but it’s really hard to think of any others. The same for streaming: this was one very specific model that Apple wanted to block, Microsoft made it work fine on the web instead, and now Apple has abandoned that rule (for that use-case, Apple has conceded entirely). Conversely, Epic didn’t want to pay, but there was no actual business reason why it couldn’t. How much was this about innovation and how much was it about money?
We don’t, obviously, know the counter-factual, but where are the models that work on Android, and especially the chaos of Chinese Android, that iPhones can’t have? It’s certainly very hard to look at a Chinese Android with three or four different app stores fighting each other and see a benefit to users or developers - that looks more like a tragedy of the commons. Ironically, it’s only now, with generative AI taking off, that the concept of an AI agent that can watch everything on your phone and make suggestions gives us an example of something really significant and potentially useful that Apple wouldn’t allow - and yet even though the DMA is supposed to be a set of general, future-proof rules, it isn’t clear if that’s covered by the DMA at all. Check back in ten years? Regulators, like generals, are always fighting the last war.
