Tuesday, June 28, 2022

Stats suggest Apple's browser engine monopoly poses threat to national security--at minimum, anti-competitive rule is unjustified by security concerns

This is a follow-up to yesterday's post on Apple's browser monopoly abuse, Anti-innovative effects of Apple's Orwellian prohibition of alternative browser engines finally being discussed and investigated. After that post I spotted a top-notch Twitter thread by the Open Web Advocacy group:

Note that they subsequently clarified that the 70 billion figure for App Store Revenue is greater than Apple's income from the "app tax" (usually 30%; exceptions apply, but only to a small portion of App Store-related revenues). Also, for the avoidance of doubt, what Open Web Advocacy means is that Apple disallows alternative browser engines (Chrome or Firefox on iOS aren't truly Chrome or Firefox--they're just Safari with a slightly different UI, but with WebKit--Safari's engine--under the hood) in order to (a) ensure that the user experience of web apps is too bad to seriously challenge native apps (on which Apple imposes its app tax and over which Apple acts as a tyrannical censor) and (b) to be able to collect huge amounts of money--around $15B per year--from Google for making it the default search engine on the iPhone (alternative browser engines could have other defaults--or even no default at all).

According to its website, Open Web Advocacy is "a group of software engineers from all over the world who have come together to advocate for the future of the open web by providing regulators, legislators and policy makers the intricate technical details that they need to understand the major anti-competitive issues in our industry and how to solve them." (emphasis in original)

Based on the material they've put out as well as a brief chat I had with them via Twitter direct message, I can attest to their in-depth technical understanding. They are actual software developers, which is more than certain folks defending Apple's anticompetitive conduct can say. For more background on Open Web Advocacy, I recommend this Register article by Thomas Claburn, Web devs rally to challenge Apple App Store browser rules.

When lobbying against such initiatives as the Open App Markets Act, Apple emphasizes two pet pretexts: privacy and security--and in order to give the term security more gravitas, Apple--and all sorts of people beholden to it--stress that it's about national security. What no one can deny is that Apple is the market leader in the U.S. smartphone business, so security issues affecting the iPhone are, by extension, an issue of concern to the country as a whole. But at the heart of Apple's national security argument resides a total non sequitur:

Apple considers it an axiom that whatever Apple does is inherently secure, and whatever anyone else does is inherently insecure. It's Apple's version of what's called infallibility in connection with various religions.

Against that backdrop, it's impossible not to ask the question of how Apple's browser security stacks up against other browser technologies. Open Web Advocacy (OWA) says that the UK Competition & Market Authority (CMA) has found--at the preliminary investigation stage--that Apple's prohibition of browser engine competition fails to serve the interests of security, and may even compromise security.

Competition is one of the most powerful forces in the technology universe. One of the benefits--we may call it a consumer surplus--that robust competition can bring is that different vendors have to compete with each other on security. In the absence of competition, companies will be tempted to engage in rent-seeking. They get lazy.

While the district judge presiding over Epic Games v. Apple got the law, the economics, and the technology terribly wrong in connection with (at least) market definition, she did say some great things throughout the trial, culminating in how she effectively got Tim Cook to admit that Apple's C suite doesn't give a damn about developer satisfaction. The single best thing she said (weeks before Tim Cook's deposition) was that competition could also be desirable from a security point of view.

What I find so interesting about the OWA's work (by the way, here's a link to their response to the UK CMA's interim report) is that they've compiled information that throws into doubt Apple's conclusory claim of monopolistic behavior being in the interest of (national) security.

I encourage you to read the OWA's Twitter thread. I'm going to be following the UK investigation with great interest, and I guess there'll be more opportunities to discuss the OWA's--as well as other organizations'--material related to the iOS browser engine monopoly issue. For the purposes of this post, I'd just like to show you the four charts shown at the start of the OWA's Twitter thread.

First, there are two charts according to which, in the years 2014-2021, Apple's Safari (again, WebKit is the engine that all other iOS browsers are forced to use) was responsible for twice as many browser code execution vulnerabilities--the worst kind, because such an issue arises merely from someone visiting a website containing malicious code--as Chrome and Firefox combined:

2014-2021 is an eight-year timespan. How did things change over that time? Unfortunately, another chart suggests it's getting worse, with Safari's browser code execution vulnerabilities more recently (particularly in 2020 and 2021) having dwarfed those of the other two browsers, as the high red columns (compared to the low blue and yellow ones) in the following chart indicate:

The other important metric--besides the number of vulnerabilities--is how swiftly an issue is resolved. Security isn't static: issues will arise, so it takes an ongoing effort to solve the problem. It's about closing the window of opportunity for those seeking to exploit a vulnerability, and this is all the more critical when a security issue is widely known.

In that regard, the OWA also sees Apple underperforming its hamstrung-on-iOS rivals:

Here's how to interpret that chart, called a histogram: the Y axis (height of columns) shows the percentage of all security issues that got fixed during the relevant period (number of days on the X axis). Again, the red columns relate to Apple's WebKit browser engine, the yellow ones to Firefox, and the blue ones to Chrome. Columns can overlap. Apple has a small percentage (4) of fixes that shipped at the earliest point (0). But there's no red on the next several columns, which indicate bugfixes shipped within 5 to 25 days--only Chrome and Firefox play in that league. Starting at 30 days, you can see some red columns again, and toward the end (80, 85, and 91+ days), Apple is alone because the other browser engines have long fixed their problems.
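As an added example (not from the post or from the OWA), here is how such a time-to-fix histogram is computed from per-issue disclosure and fix dates, with the 5-day columns and the "91+" overflow column the chart uses; the records, engine names and bin width below are constructed assumptions, not the OWA's data.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records (engine, date the issue became public, date the
# fix shipped). Illustrative values only, not the OWA's data set.
SAMPLE = [
    ("WebKit", date(2021, 3, 1), date(2021, 3, 1)),
    ("WebKit", date(2021, 4, 10), date(2021, 5, 12)),
    ("WebKit", date(2021, 6, 1), date(2021, 9, 15)),
    ("WebKit", date(2021, 7, 20), date(2021, 8, 22)),
    ("Chrome", date(2021, 2, 3), date(2021, 2, 8)),
    ("Chrome", date(2021, 5, 5), date(2021, 5, 19)),
    ("Chrome", date(2021, 9, 9), date(2021, 9, 30)),
    ("Firefox", date(2021, 1, 15), date(2021, 1, 25)),
    ("Firefox", date(2021, 8, 1), date(2021, 8, 16)),
]

BIN_WIDTH = 5   # one column per 5-day step, as on the chart's X axis
LAST_BIN = 90   # everything slower than this lands in the "91+" column

def bucket(days):
    """Map a time-to-fix in days to the chart's X-axis column label."""
    if days < 0:
        raise ValueError("fix shipped before the issue was public")
    if days > LAST_BIN:
        return "91+"
    return str((days // BIN_WIDTH) * BIN_WIDTH)

def fix_time_histogram(records):
    """Return {engine: {column: percent of that engine's issues}}, with the
    columns ordered as on the X axis so overlapping columns can be compared."""
    counts = defaultdict(lambda: defaultdict(int))
    for engine, disclosed, fixed in records:
        counts[engine][bucket((fixed - disclosed).days)] += 1
    hist = {}
    for engine, cols in counts.items():
        total = sum(cols.values())
        hist[engine] = {c: round(100.0 * n / total, 1)
                        for c, n in sorted(cols.items(),
                                           key=lambda kv: int(kv[0].rstrip("+")))}
    return hist

def share_fixed_within(records, engine, max_days):
    """Percent of an engine's issues fixed within max_days of disclosure,
    i.e. how quickly the 'window of opportunity' is closed."""
    mine = [(f - d).days for e, d, f in records if e == engine]
    return round(100.0 * sum(t <= max_days for t in mine) / len(mine), 1)
```

Each engine's percentages sum to 100 on its own, which is why the chart's columns overlap rather than stack.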

Another chart shows for the year 2021 that Apple (blue line) on average had far longer intervals between updates than Google, and it looks like things didn't get better at all during the second half of the year:

It does look like competitive constraints on Apple are needed, in the browser engine context as elsewhere, to make a better, more secure browser engine, and to work harder to fix any issues that arise. There should be far fewer issues, and Apple should address them much faster.

May other studies yield different results? Well, a company with such vast resources can even fund (through a third party) a poll according to which 71% of "American voters" say "it's extremely / very important for manufacturers to be able to license standard-essential patents [SEPs] in a way that is fair, reasonable, and non-discriminatory, just 23 percent say it's only somewhat or not too important." In reality, it would be hard to find even 0.071% of the U.S. electorate that even knows what a SEP is...

Apple's maintenance of its iOS browser engine monopoly is a serious issue. Google presumably doesn't like it either (otherwise it would do the same on Android, though there is a risk of Google adopting some of Apple's anticompetitive schemes unless regulators take action). But as long as Google can just pay Apple $15 billion or so per year to remain the default search engine, Google can live with the status quo. The same company that always claims competition to its search engine is just one click away prefers to create an additional entrance barrier, as other search engines simply couldn't afford to outbid Google.

Apple's neo-absolutism is not in the interest of (national) security. The UK CMA is now ahead of other competition enforcement agencies to tackle the issue. Others will--hopefully--follow.