Sunday, October 9, 2022

Recent reports of malicious iOS apps underscore the need for the rule-of-reason balancing that the Epic Games v. Apple judge failed to perform: security and privacy pretexts

On Friday, Meta (Facebook) published a detailed news item after identifying "more than 400 malicious Android and iOS apps this year that target people across the internet to steal their Facebook login information." Fewer than 50 of those are iOS apps, just like a recent report by security researchers identified only 10 iOS apps engaging in ad fraud vs. 75 such apps on Google Play.

Those numbers are almost reversely proportional to the headcount of the two companies' app review departments (Google employs about four times as many reviewers as Apple). One possible explanation is that Apple's App Review didn't actually do a better job at detecting fraudulent activities, but fraudsters typically create apps that "impersonate" other apps or otherwise merely pretend to be useful--and such duplicative and useless apps face a higher rejection rate from Apple. That's because Apple more aggressively rejects apps that appear to add no particular value to the App Store catalog. The downside, however, has also been reported by app developers (such as on Twitter): there often are cases in which apps are rejected as allegedly duplicative or low-value that actually do have intriguing functionalities. App Review is a tyranny: while there is an "appeal" process, those kinds of rejections are inherently subjective and often unfair, and may sometimes even be motivated by a strategic desire to limit choice in some areas (such as keyboard apps).

Arguably, any given number of fraud apps for iOS may be similarly bad as a several times larger number of such apps o Android as Apple lulls users into a false sense of security.

Every single fraudulent app is one too many, and apps that steal Facebook login data are not just a security but also a privacy issue. Security and privacy are Apple's pet pretexts for its multifaceted App Store monopoly abuse, from the infamous app tax to App Tracking Transparency to the Apple Pay aftermarket monopoly (see the previous post).

The Epic Games v. Apple appellate hearing--October 21--is approaching fast. The district court's judgment raises serious issues, and I just can't see how it could reasonably be affirmed in that form. One critical area is the absence of a proper rule-of-reason balancing--and that's exactly where security and privacy come into play.

Let's correctly define "pretext"

It's not that the word "pretext" always means something that is entirely made up, like declining an invitation to a party based on some other--but non-existent--commitment. Dictionary definitions of that term overwhelmingly focus on a pretext being an excuse or evasion for the purpose of hiding or concealing the real reason or true purpose of something.

Of course, the most extreme case of a pretext--based on the example I gave--is indeed that it may be totally fictitious. But that's hard to come by in an antitrust context. Normally, it's just that the positive aspects of something are blown out of proportion and the downside is grossly understated, which distorts the ratio between good and bad.

For instance, when Apple argues that human app review is better than a purely automated review (or even no review at all), it's undeniable that at some point a human reviewer will identify something that would otherwise go undetected. Judge Yvonne Gonzalez Rogers of the United States District Court for the Northern District of California made it sound in her judgment as if Epic could only have debunked Apple's security pretext if it had proved the complete uselessness of human app review. That is the wrong standard.

What renders Apple's security argument pretextual is not that there are zero security benefits from certain architectual and commercial decisions. It takes a holistic view:

  1. Is some incremental security actually capable of justifying a complete monopoly with all the problems (and, ultimately, consumer harm) it entails?

  2. To what extent could the positive effects be achieved without the adverse effects, such as by notarizing apps and/or by operating system-level measures?

  3. Wouldn't even security ultimately benefit from competition?

The sad thing is that Judge YGR actually had #2 and #3 all figured out. Her judgment did acknowledge that an App Store monopoly is not the only way to achieve a certain level of security. And during the trial she did raise the important question of whether competition between app stores wouldn't also force each app store to strive for maximum security.

She could have analyzed more fully the different aspects of "security" (though I cannot rule out--as I didn't follow the entire trial--that maybe the smokescreens put up by Apple were just too effective). Certain kinds of security are achieved through sandboxing, which doesn't even require notarization. Then there are security issues that involve user behavior such as "phishing" attacks, and it's simply not feasible to prevent all of that through human app review. Case in point, Epic's "hotfix" also passed app review.

What is, however, inexcusable and does constitute clear legal error is that she didn't really weigh the upside against the downside. But that's the only way to protect the competitive process and take care of consumer welfare when the case cannot be resolved at an earlier stage of the analysis.

Overview of issues on appeal

Before I talk about rule-of-reason balancing, I'd like to put it into the context of the various questions to be addressed on appeal. Using chess terminology, the adjudication of an antitrust claim has an opening, a middlegame, and an endgame.

  • Opening

  • Middlegame: The key issue here is the standard for tying. One part of that overlaps with a question relevant to market definition: whether there can be a market for something Apple doesn't sell separately. (That's also an issue in the Apple Pay case I mentioned further above.)

    While I have a firm opinion that Apple engages in tying, I have yet to analyze that part more fully in order to elaborate on it, which I intend to do before the Ninth Circuit hearing.

  • Endgame: rule-of-reason balancing.

Why Epic is right on rule-of-reason balancing

I've read all the arguments in the case, and numerous decisions referenced therein. It's actually not all that complicated:

The first step is for a plaintiff to prove anticompetitive harm. A complaint may fail at that hurdle (example: Amex).

The second step is--if there is no per se violation (see my latest post on Epic v. Google)--for the defendant to come up with procompetitive justifications. The analysis can end there if those procompetitive justifications are totally ridiculous, but as I said further above, totally fictitious excuses are unlikely. What's more likely to happen--and should have happened in Epic v. Apple--is that some justifications are simply noncompetitive (example: NCAA v. Alston, where the Supreme Court saw that the NCAA pays millions to coaches but exploits players, and its so-called justifications were related to other considerations than competition).

The third step is an analysis of less restrictive alternatives. Epic argues that it actually has shown enough of them (and I tend to agree) that it's entitled to a favorable judgment on the merits.

Now, what about a potential fourth step?

If a court finds that the plaintiff has shown anticompetitive harm, the defendant has put forward some procompetitive justifications, but the less restrictive alternatives outlined by the plaintiff aren't good enough, the final part is all about weighing the upside (procompetitive justifications) against the downside (anticompetitive harm).

Apple disputes that this is required under the law--and says Judge YGR performed that balancing anyway.

I've read the Epic v. Apple decision in full detail several times (among other things, I documented 271 typos and similar errors in it). There is no balancing in the sense of a passage that would say procompetitive benefits X and Y outweigh the anticompetitive effects A, B, and C. If she had said that a supracompetitive app tax and an inherently subjective app review are justified by a security benefit that goes beyond the security gain that competition between app stores would bring, one could talk about it. However, there's nothing like it in the decision.

There's a lot of trees in that ruling, but the forest is missing. Apple's lawyers may just be betting on the appeals court getting confused by the sheer length of the decision below.

As for whether there is a legal requirement, both parties and various of their amici point to different authorities. The two key questions in the end are the following:

  1. What has the Supreme Court recently decided?

  2. What does Professor Herbert Hovenkamp say?

One doesn't have to look far to answer the second question. Herbert Hovenkamp, "the dean of American antitrust law" according to the New York Times and America's leading antitrust scholar even according to Apple's own amici, signed an amicus brief in support of Epic Games. And that brief also explains that under the relevant circumstances, balancing is required.

The Apple camp argues that the Supreme Court discussed only a three-step test in Amex and NCAA v. Alston, the last two major antitrust opinions handed down by the top U.S. court. And a balancing between a company's product design decisions and competitive effects would be "unadministrable," Apple says.

As Epic explains in its reply brief, and the DOJ already explained in its amicus brief months earlier, the Supreme Court never specifically abolished the balancing step. In Amex and NCAA v. Alston, the fourth step just wasn't reached because the cases were resolved at an earlier stage.

In those recent rulings, the Supreme Court cited to earlier decisions, at least some of which do also mention the fourth step (balancing).

It strikes me as very compelling that the Supreme Court doesn't overrule its earlier decisions without explicitly saying so. In case of doubt, an earlier decision should still be presumed to be good law.

There's another argument Apple makes in the balancing context: an answer that Epic's counsel gave Judge YGR and which--taken out of context--suggested that the third step (less restrictive alternatives) and the fourth (balancing) are practically the same. Epic explains in its reply brief why it never actually said that balancing wasn't required in a scenario in which the court wouldn't deem Epic's less restrictive alternatives satisfactory.

I'm very optimistic that the district court's rule-of-reason decision won't stand. A remand seems more likely than direct entry of liability, but even the latter is yet more probable than affirmance.