Comments of ICLE to Commission Consultation on Proposed Measures for Interoperability Between Apple’s iOS Operating System and Connected Devices (DMA.100203)
Introduction
We appreciate the opportunity to respond to the European Commission’s Consultation on the Proposed Measures for Interoperability Between Apple’s iOS Operating System and Connected Devices (DMA.100203).
The Commission’s enforcement of Article 6(7) of the Digital Markets Act (DMA) has brought Apple’s iOS ecosystem under scrutiny. This provision mandates that designated operating systems and virtual assistants must ensure “effective interoperability” with third-party devices and services.
Unfortunately, while the provision is designed to benefit competition, that outcome is far from certain in the case at hand. Indeed, as we explain in our comments, the maximalist vision of enforcement the Commission is contemplating poses grave risks to user security, the user experience, and innovation, with few countervailing benefits to competition. Apple’s iOS ecosystem is routinely praised for its integration and user safety, but both it and its users now face enhanced risks that stem from the Commission’s proposal for forced interoperability under the DMA.
Against this backdrop, these comments aim to highlight the potentially adverse effects of the Commission’s interpretation of Article 6(7). Specifically, they address: (i) the security risks associated with mandating far-reaching open access to iOS’s key features (as opposed to a more surgical approach); (ii) the economic and consumer implications of undermining the tightly integrated iOS ecosystem; and (iii) alternative and more balanced approaches to achieve interoperability without sacrificing user safety, impairing the user experience, or slowing innovation.
In short, we argue that it is possible to achieve the DMA’s goals while avoiding the harmful outcomes for European consumers and the tech ecosystem that are virtually inevitable under the approach the Commission currently envisions.
I. Background on Article 6(7) of the DMA
Article 6(7) of the DMA introduces a legal obligation for gatekeepers such as Apple to ensure “effective interoperability” between their operating systems and third-party devices and services, so long as this does not “compromise the integrity of the operating system”.[1]
The underlying rationale is to foster competition by granting smaller competitors access to ecosystems that traditionally have been closed or tightly controlled. While this principle has some intuitive appeal, its application to highly integrated and security-conscious systems like iOS raises significant questions about its practicality and potential downsides, especially when policymakers opt for an exceedingly narrow interpretation of the security justifications offered by the DMA.
Implementing the interoperability requirements outlined in Article 6(7) for iOS presents a series of intricate technical and operational challenges. One major issue stems from the fact that many core features of iOS—such as near-field communication (NFC) capabilities and background application activity—are deliberately designed to be locked down. These features play a critical role in ensuring both the system’s security and the seamless performance users have come to expect from Apple devices. As we explain below, allowing third parties entirely unfettered access to these sensitive functions would fundamentally alter iOS’s security architecture, introducing potential vulnerabilities that could lead to serious breaches of user data, unauthorized financial transactions, and other malicious activities.
Moreover, interoperability at the scale envisioned by the DMA would require significant technical investment to establish and maintain secure and reliable communication protocols between iOS and third-party systems. The development of such standards is inherently complex, demanding extensive collaboration among stakeholders, rigorous testing, and ongoing oversight to address emerging threats and to ensure a consistent user experience. Yet the current DMA framework lacks clear guidelines or mechanisms to facilitate such a process, leaving a critical gap in its enforcement strategy. In short, as we have argued elsewhere, the Commission needs to give gatekeepers (including Apple) more time to design and market test remedies that achieve an appropriate balance between the DMA’s competition-related goals and the protection of user security.
II. Are the Proposed Measures ‘Necessary and Proportionate’?
Under the principle of proportionality, Commission decisions must not go beyond what is “necessary to achieve the desired end”.[2] Furthermore, to comply with Article 6(7) of the DMA, the Commission must also allow “necessary and proportionate” departures from full interoperability. As a result, in the case at hand, it must ask whether it is necessary to force unlimited interoperability between the Apple OS and third-party devices (as opposed to the DMA’s requirement of “effective” interoperability) in order to promote more “contestability and fairness” in digital markets.
In that regard, it is important to consider that market competition already provides significant interoperability between Apple and third-party devices. As a producer of complementary products (e.g., both smartphones like the iPhone and wireless headphones like AirPods), Apple may have the ability—and may appear to have incentive—to completely foreclose third-party products in order to maximize the sale of its own products. These incentives, however, are mitigated by the fact that at least some consumers want to use other brands.
Admittedly, Apple does have some market power, and there is some “stickiness” to its ecosystem. But it is misguided to view this “stickiness” as a problem. Rather, because it arises from Apple’s integrated product design—its efforts to ensure that its products “work seamlessly together” to create “a magical experience” for users[3]—“stickiness”, in this context, is simply another way of describing features that better satisfy consumer demand. These efforts are a function of competition: Apple competes with Android to (among other things) provide consumers with the most integrated and most comfortable smartphone ecosystem.
But a non-negligible share of users prefer and use other brands, such as headphones from Sony, Sennheiser, Bose, and JBL, among innumerable others. Sophisticated audiophiles may prefer high-fidelity headphones; frequent travelers may prefer headphones with the best noise-canceling features, etc. Apple’s headphones, while apparently suitable for most people, may not satisfy all of these diverse consumer preferences. Thus, in response to such preferences, Apple not only allows these competing products to work with its own devices, but it also provides some enhanced connectivity/interoperability features that allow these devices to operate with much of the same core functionality as Apple’s own offerings. Apple products, of course, have the best (“full”) interoperability: e.g., pairing is more seamless, and more information is displayed, sometimes automatically. But the differences are largely trivial. See, for instance, how the iPhone displays information about AirPods’ pairing and battery (Figure 1).
Figure 1: AirPods Pro Information Automatically Displayed on iOS

Source: Beebom[4]
That precise display isn’t available for other headphones. But other manufacturers’ products enjoy similar features, replicating the core functionality of Apple’s headphones. Once paired with an iPhone, for instance, most headphones can connect automatically to the smartphone. Information about the headphones’ battery, AirPlay, and other connectivity options are also easily accessible. See, for instance, how iOS displays information about the JBL Tune 700BT Headphones (Figure 2).
Figure 2: Third-Party Headphones Displayed on iOS

It is also possible to download third-party apps (from Sony, JBL, and Bose, for example) that allow a wider range of controls and provide more information about the devices.[5] The same is true of fitness trackers and other wearables.[6]
While this is not exactly the same treatment that Apple provides its own devices, it is difficult to see why the operation of such features must be identical to facilitate competition. Indeed, as noted, these third-party devices differ from Apple’s on many dimensions. It is unclear why differentiation on, say, battery display obviates the “contestability” engendered by Apple allowing third-party headphones with, say, higher sound quality or better waterproofing to connect with its devices.
Regardless, Apple quite clearly provides more than sufficient connectivity to allow users to try third-party devices, get more information about them, and to keep using them, if that is their preference. Considering that these devices do not entail significant switching costs and that consumers can and do readily “multi-home” (i.e., use AirPods while jogging, or JBL or Bose headphones for work purposes), the user experience that Apple provides facilitates considerable “contestability” and provides third-party manufacturers a manifestly fair chance to compete.
This matters, because Article 6(7) of the DMA tolerates limits to full interoperability where they are necessary and proportionate to protect “the integrity” of operating systems, software, and hardware.[7] The DMA therefore contemplates a weighing process, under which trivial limits to interoperability (which, as explained above, is the case here) are legal if they are necessary to preempt larger harms to the ecosystem (which, as explained below, would be a consequence of the Commission’s proposed measures). In other words, mandating full interoperability in this case, as the Commission seeks to do, would provide almost no additional benefits to third parties, but entail significant risks and costs for consumers. Given this, the Commission must permit small departures from full interoperability where they are both necessary and proportionate.
III. Risks of Forced Interoperability
Unfortunately, the trivial competitive benefits that might be achieved by the Commission’s proposed measures would come at a significant cost to European consumers.
The Commission’s preliminary findings suggest an expansive interpretation of Article 6(7), advocating for opening APIs and features broadly without sufficient regard for the consequences.[8] But this maximalist approach risks overwhelming gatekeepers (including Apple) with compliance requirements, diverting resources away from innovation, and potentially delaying the introduction of new features.
Furthermore, the indiscriminate nature of this enforcement could exacerbate users’ security risks, as third-party developers may lack the incentives or capabilities to match Apple’s stringent security standards. The combination of increased vulnerabilities and a slower pace of innovation threatens to undermine consumer welfare—and even to reduce the benefits to third-party rivals of platform connectivity.
A. Compromised User Security
The forced interoperability proposed under Article 6(7) introduces significant risks to user security. Many of the features targeted for interoperability—such as devices’ NFC capabilities and wireless-file-transfer functionalities like AirDrop—are integral to the iOS ecosystem’s security infrastructure. These features were designed with stringent safeguards to prevent unauthorized access and to ensure that users’ sensitive information remains protected. By mandating that third-party developers gain access to these APIs and functionalities, the Commission’s approach would create opportunities for exploitation by malicious actors.
Requiring Apple to offer third-party developers unrestricted access to NFC functionalities could facilitate skimming attacks and other forms of unauthorized transactions.[9] A piece published on the NordVPN blog lists 10 security risks associated with the improper use of, and unbridled access to, smartphones’ NFC chips.[10] One such risk is that NFC prompts may be used to trigger the download and installation of malware—a risk further compounded by the DMA’s requirement that iOS users be allowed to sideload applications.[11] Mandating access to the NFC chip also increases the likelihood of relay attacks (where NFC information is intercepted by a third party), because NFC interoperability information and protocols will be made public.
Much the same can be said about mandating third-party access to iOS’s AirDrop functionality. Again, according to NordVPN, AirDrop presents several security risks that would be compounded by the measures the Commission seeks to impose. These risks range from comparatively mundane threats, such as leaks of email addresses and phone numbers (because AirDrop may use this personal information to identify parties) to more significant security hazards, such as “man-in-the-middle” attacks (where an attacker accesses a private exchange) and malware attacks (where an attacker sends an infected file via AirDrop).[12]
The point is that those parts of the iOS ecosystem that the Commission would seek to open are particularly sensitive. By refusing to acknowledge and account for the inherent tradeoffs, the Commission’s proposal risks degrading the security of European users. These risks are further compounded by other DMA provisions, such as users’ ability to sideload apps and the requirement that third-party apps should be able to function in the background.
This is not just theoretical speculation. The Microsoft/CrowdStrike outage that kept airlines, hospitals, banks, and other businesses down for hours, generating great disruption for thousands of consumers,[13] could have been—at least, in part—generated by an interoperability mandate. Indeed, as explained by the Financial Times:
Giving software companies that kind of access to an operating system is dangerous — it means you can quickly lose control of your computer if any of the software providers you rely on makes a mistake or is compromised. That is why Apple began informing third-party developers in 2020 that it would no longer grant them kernel-level access to the MacOS operating system (and also quite possibly why the CrowdStrike problem didn’t affect Apple devices).
But not all the fault lies with Microsoft. A 2009 agreement between the company and the European Commission requires it to grant outside developers the same access to Windows that its own security software has. The idea was to make it possible for other software companies to compete with Microsoft by ensuring many of its products and services are interoperable with outside software and tools. That’s a worthy goal, and many provisions in the agreement are entirely reasonable, such as requiring that Outlook support common calendar event and scheduling formats.
But the 2009 agreement is profoundly flawed in requiring Microsoft to make all of the APIs, or programming functions, that its own security software products use available to manufacturers of third-party security software products. This is the provision that requires Microsoft to give kernel-level access to companies such as CrowdStrike. Until it is changed, it’s not clear that Microsoft can implement the chief lesson of this debacle and start phasing out access, as Apple did four years ago.[14]
Critics of this view may retort that those third parties who interoperate with iOS are well-situated to ensure their services safely interact with Apple’s ecosystem, but things are not quite so simple. Third-party developers may lack the resources to implement equivalent security measures. Apple’s security protocols are supported by substantial investments in research, engineering, and real-time monitoring of threats. Third-party developers, particularly smaller firms, may not possess the same level of technical expertise or financial capacity to replicate these safeguards. And because security failings are likely to be attributed to the most visible entity—in this case, Apple—third parties might not have the right incentives to provide optimal levels of security.
At the same time, of course, unscrupulous actors with no incentive to maintain security safeguards are sure to try to exploit any loopholes created by the Commission. The result is an inevitable increase in vulnerabilities, leaving European users more exposed to risks that could have been mitigated within a more controlled ecosystem.
B. Degraded Device Performance and Reliability
Beyond the security risks discussed above, the sort of interoperability the Commission is demanding may also have a sizable impact on the performance of users’ devices.
For example, allowing third-party applications to run in the background without adequate controls can significantly reduce battery life, as has been observed on competing platforms like Android.[15] As one journalist put it: “Got the case of a quickly dying phone? It might be your background apps!”.[16] The issue arises because background activity consumes system resources, often without users’ awareness. And because users may be unable to attribute battery degradation to a specific application, developers may have weak incentives to minimize the energy their apps consume.
Given this, forcing Apple to allow background execution for all apps would compel Apple to include larger batteries in its phones. iPhones currently offer comparable battery life to Android devices, despite using smaller battery packs.[17] In turn, this can be expected to raise the cost of Apple devices and to degrade the user experience.
Similar problems may also arise with regard to data privacy. Third-party applications may intentionally or inadvertently collect user data during background operations, raising serious privacy concerns. Such changes not only diminish the user experience, but also erode trust in the iOS platform, which has built its reputation on seamless performance and reliability. While privacy breaches entail a direct threat to users, degrading platform quality will harm both users and the very third-party rivals the Commission intends to help.
The upshot is that the Commission’s proceedings threaten to degrade aspects of the iOS experience that European consumers value deeply.
IV. Economic Implications of the Commission’s Approach
The economic consequences of the Commission’s approach to interoperability extend beyond security and performance issues. By undermining Apple’s tightly integrated ecosystem, the DMA creates incentives for companies—including other large platforms covered under the DMA, such as Meta—to leverage Apple’s platform rather than invest in creating competing functionality, devices, and operating systems.
This strategy runs counter to the DMA’s stated goal of fostering competition. Instead of encouraging innovation and the development of new ecosystems, the current enforcement approach facilitates free-riding, wherein competitors stand to benefit from Apple’s investments without bearing the associated costs. This dynamic would not only stifle competition, but may also lead to higher costs for consumers, as regulatory compliance expenses are passed on through increased product prices. Additionally, the uncertainty surrounding broad and indiscriminate enforcement could deter investment in the European technology sector. Companies might hesitate to commit resources if they perceive that their proprietary innovations could be subject to forced sharing without adequate protections.
Finally, the economic implications extend to the broader market structure. By facilitating access to Apple’s APIs and features, the DMA might inadvertently entrench large competitors who are better positioned to capitalize on these openings, rather than enabling smaller firms to grow. This could lead to further consolidation, contrary to the DMA’s goals of decentralizing power and enhancing competition.
In summary, the Commission’s maximalist interpretation of Article 6(7) creates a confluence of risks that could compromise user security, degrade device performance, and undermine economic incentives for genuine competition. A more measured approach to interoperability—one that prioritizes user safety and fostering innovation—would better serve the interests of European consumers and the broader tech ecosystem.
V. Alternative Solutions
In light of these considerations, a more nuanced approach to interoperability is essential. By focusing on targeted solutions that balance the desire for competition with the imperatives of user security and system integrity, the Commission can better align its enforcement of Article 6(7) with its overarching objectives.
A. Encouraging Targeted Interoperability
A more effective way to achieve the goals of Article 6(7) without compromising user safety or innovation is to adopt a targeted approach to interoperability. This would involve limiting access to critical APIs and functionalities to a select group of trusted partners, vetted through stringent qualification processes.
For instance, Apple could work with the Commission and industry stakeholders to identify high-value use cases where interoperability is most beneficial to consumers. These could include APIs related to productivity, health monitoring, or other well-defined areas that enhance the user experience without exposing sensitive features like biometric authentication or NFC to unnecessary risks.
By focusing on specific high-impact areas, the Commission could encourage competition and innovation without disrupting the core integrity of Apple’s ecosystem. Such a framework would also allow for tighter oversight and quality control, ensuring that third-party developers meet the same high standards for security and performance that users expect from Apple products.
B. Fostering Collaborative Development
Another viable solution would be to encourage collaborative development between Apple and its competitors to establish secure interoperability protocols. This could involve creating industry standards for interoperability that prioritize security and reliability. For example, Apple, Meta, and other key players could collaborate to develop APIs with well-defined parameters, ensuring that only necessary data is shared, while safeguarding critical system functions.
Collaborative frameworks have the added benefit of fostering mutual accountability, as all parties would share responsibility to maintain the integrity of interoperable features. Such an approach would not only minimize security risks, but could also build trust among users, developers, and regulators.
C. Adopting a Risk-Based Approach
A risk-based approach to interoperability would prioritize user safety by categorizing system features according to their sensitivity and potential significance. For example, low-risk features like calendar synchronization or basic file sharing could be made relatively more accessible, while high-risk features like background execution and NFC capabilities would remain restricted. This tiered system would allow for a gradual and controlled expansion of interoperability, giving Apple and its partners the time and resources to adapt to new standards without jeopardizing user safety or system performance.
This approach would also enable the Commission to better align its enforcement efforts with its stated goals of fostering competition and protecting consumers. By addressing interoperability in a measured and strategic manner, the DMA could achieve its objectives without imposing undue burdens on developers or exposing users to unnecessary risks.
VI. Conclusion
The enforcement of Article 6(7) of the DMA presents a complex set of challenges that demand careful consideration. While the goal of fostering competition through interoperability may be laudable, the Commission’s current approach risks undermining user security, degrading device performance, and imposing economic costs that outweigh the benefits. The unintended consequences of broad and indiscriminate enforcement threaten to weaken consumer trust and stifle innovation in Europe’s digital markets.
To better achieve the DMA’s objectives, the Commission should adopt a more targeted, risk-based approach to interoperability. This would require focusing on high-value use cases, fostering collaboration among key industry players, and ensuring that mandates are proportionate to the risks involved. By aligning enforcement with these principles, the Commission could promote genuine competition and innovation while safeguarding the interests of European consumers.
[1] Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on Contestable and Fair Markets in the Digital sector and Amending Directives (EU) 2019/1937 and (EU) 2020/1828, art. 6(7), 2022 O.J. (L 265) 1, 36 (hereinafter “DMA”).
[2] Consolidated Version of the Treaty on European Union, art. 5(4), 26 October 2012, O.J. (C 326) 13 (hereinafter “the TEU”).
[3] Felix Richter, Apple’s Tightly Knit iPhone Ecosystem, STATISTA (25 March 2024), https://www.statista.com/chart/31973/likelihood-of-iphone-users-using-other-apple-devices.
[4] Beebom Staff, How to Check AirPods Battery Level, Beebom (18 December 2023), https://beebom.com/how-check-airpods-battery-level.
[5] See, e.g., JBL, APPLE APP STORE, https://apps.apple.com/us/app/jbl-headphones/id1053136947 (last visited 8 January 2025); Sony Sound Connect, APPLE APP STORE, https://apps.apple.com/us/app/sony-sound-connect/id1168502924 (last visited 8 January 2025); Bose Connect App, BOSE, https://www.bose.com/apps/bose-connect?srsltid=AfmBOoq89DANpx8D7U3jdKDzX-MxXYfK6ID7vYJCBvxmt5X6JRiZC4Bi (last updated 8 January 2025).
[6] See, e.g., Fitbit, APPLE APP STORE, https://apps.apple.com/us/app/fitbit-health-fitness/id462638897 (last visited 8 January 2025).
[7] DMA, art. 6(7).
[8] Case Summary, Case DMA, 100203 – Consultation on the Proposed Measures for Interoperability Between Apple’s iOS Operating System and Connected Devices, EUROPEAN COMM’N, (18 December 2024), available at https://digital-markets-act.ec.europa.eu/document/download/ee7ba643-6cd6-494d-8552-cbaaaf18426a_en?filename=DMA.100203%20-%20Case%20summary.pdf (hereinafter “Apple IOS Case Summary”).
[9] Malcolm Higgins, NFC Security: 10 Security Risks You Need to Know, NORDVPN (10 August 2023), https://nordvpn.com/blog/nfc-security.
[10] Id.
[11] Id.
[12] Ilma Vienažindytė, Is AirDrop Secure? How to Use It Safely, NORDVPN (12 December 2023), https://nordvpn.com/blog/is-airdrop-safe.
[13] Adam Satariano, Derrick Bryson Taylor, Remy Tumin, & Danielle Kaye, Outage for Microsoft Users Knocks Out Systems for Airlines and Hospitals in Chaotic Day, N.Y. Times (19 July 2024), https://www.nytimes.com/live/2024/07/19/business/global-tech-outage.
[14] Josephine Wolff, Software Crash Exposes Tensions Between Security and Competition, F.T. (28 July 2024), https://www.ft.com/content/60dde560-194a-40d1-8c98-1d96d6d019a0.
[15] Tristan Rayner, How to Stop the Android Apps Running in the Background, Android Auth. (13 May 2024), https://www.androidauthority.com/stop-android-background-apps-664842.
[16] Id.
[17] Robert Triggs, iPhone 16 and 16 Pro vs Android Battery Life Test: Which Phones Last the Longest?, Android Auth. (19 October 2024), https://www.androidauthority.com/iphone-vs-android-battery-life-3490706.