A closer look at Apple’s browser-related changes to iOS in EU

10 months ago 61
ARTICLE AD

The raft of iOS changes Apple dropped in the European Union yesterday, as it prepares for enforcement of the bloc’s Digital Markets Act (DMA) to kick in March 7, include some big developments around browsers that look set to shake up a pretty stale market.

The goal for the EU regulation is exactly that: To force digital markets that are dominated by a handful of powerful intermediaries, which the DMA calls “gatekeepers”, to be more open and welcoming to competition. Apple is one of six designated gatekeepers, with its iOS App Store and Safari browser listed as “core platform services” under the regulation — meaning Apple us subject to set of obligations and restrictions on how it can operate these services.

Currently, Apple sets its Safari browser as the default on iOS — and while users of its mobile platform can dig into settings and specify another default browser (if they’ve downloaded one) Apple’s platform does not exactly make it obvious to iOS users that this is a possibility.

A lot of people will, inevitably, stick with iOS defaults — just because it’s less effort and hassle; aka, one less tech-related decision to make. But the upshot is the owner and operator of a dominant mobile platform can also dominate in mobile browsing software on their platform which isn’t great news for competition. This is the sort of lock-in EU regulators hope the DMA will change.

Default browser choice screen

Article 6(3) of the pan-EU regulation puts obligations on gatekeepers to let users “easily un-install” their own apps (with some narrow restrictions for apps that are “essential for the functioning of the operating system or of the device and which cannot technically be offered on a standalone basis by third parties”). Furthermore, the text states gatekeepers must let users “easily change default settings”.

The regulation then essentially stipulates that gatekeepers must show a choice screen at users’ first use of a core platform service — letting them choose from a list of “main” rival service providers.

So it’s no surprise that Apple’s DMA-related changes include the provision of a choice screen.

In a briefing the journalists yesterday, Apple representatives said that when users in the European Economic Area open Safari for the first time after they update to iOS 17.4 they will be prompted to choose a default browser from a list of the most downloaded browsers in their market.

Apple’s reps said the screen will also provide an opportunity for users to learn more about each browser before making a decision. So how exactly Apple will present information about rival browsers remains to be seen. The deadline for gatekeepers’ compliance with the DMA is March 7 so the changes are expected to be operation by then.

The iPhone maker is clearly unhappy about the obligation to display a browser choice screen. In a press release it claims the enforced change “means that EU users will be confronted with a list of default browsers before they have the opportunity to understand the options available to them”.

“The screen also interrupts EU users’ experience the first time they open Safari intending to navigate to a webpage,” it further warns, suggesting Apple may be hoping to lean into the risk of iOS users getting irritated by a choice screen popping up in place of the webpage they were trying to get to.

Irritated, choice-fatigued iOS users might be more likely to affirm Safari as their default browser just to make the screen go away. So European Commission regulators are likely to be watching and carefully assessing exactly how Apple presents these choices to decide whether or not they comply. 

It’s worth noting Google’s Android platform has, for years, been offering choice screens to users in the EU — following an earlier EU competition intervention — that lets users pick between its own search engine and a list of rival search engines. However the impact of the measure has been muted.

Initially, because Google devised an auction model that require rivals to bid for slots on the choice screens. There has also been frustration from search engine competitors that the choice screen model Google deployed still creates too much friction for users to switch. Meanwhile Google continues to command a 90%+ market share of search in Europe

Non-WebKit-based browsers incoming to iOS

Another huge change the DMA is driving on Apple will see the tech giant open up the underlying code-base browsers running on iOS can use. Currently Apple mandates third party browsers use WebKit, the same browser engine that underpins its own Safari browser. Which is why, even if you do make the effort to download and use a rival browser on iOS, the software experience can feel rather same-y.

This, too, is set to change after Apple announced yesterday it will start letting developers submit non-WebKit-based browsers — both for full web browser apps, which offer an alternative to using Safari, and for developers offering in-app browsers for displaying webpages within their iOS apps.

Apple’s restriction on browsers on iOS has been a long-standing bone of contention, with the tech giant accused of blocking innovation in the browser market by restricting user choice and developer opportunity to differentiate compared to Safari — akin to putting a pace car on a motorway.

“Apple never allowed external web browser engines to be used in iOS,” explains Lukasz Olejnik, independent researcher and consultant, and author of a cybersecurity handbook called Philosophy of Cybersecurity. “When users used other web browser apps, like Firefox or Chrome, this was still Safari’s WebKit engine. No cutting-edge features could be delivered fast. There was no competition here. The whole web community complained on this for years.”

The effect of Apple mandating WebKit’s use has been to limit the delivery of “cutting-edge features fast”, he tells TechCrunch. “The frequent complaint in the web community was the inhibition of web development in general.”

iOS users should expect to see browsers with richer features as a result of the change, per Olejnik.

Article 6(4) of the DMA contains interoperability provisions that are likely the driving force for Apple to open up to non-WebKit-based browsers, as the regulation demands gatekeepers “allow and technically enable” third party apps to work with and be accessible via their platforms.

The law does not require a free-for-all, though — with the text stipulating gatekeepers may take “strictly necessary and proportionate” measures to ensure third party software doesn’t “endanger the integrity” of their hardware or software, provided any such measures are “duly justified by the gatekeeper”.

Unsurprisingly, then, Apple is intending to impose a number of conditions on developers wanting to tap the chance to use non-WebKit browser engines — including performance standards and privacy and security requirements. For example, Apple, warns developers they must: “Prioritize resolving reported [security] vulnerabilities with expedience, over new feature development.” (Olejnik generally sums up the standards Apple is requiring here as “sane”.)

The iPhone maker will surely be making the case to EU regulators that the standards it plans to impose on developers wanting to access the non-WebKit entitlements are “strictly necessary and proportionate” to protect the “integrity” of its platforms — in line with what the DMA allows gatekeepers to do (provided they justify their conditions and criteria).

On the privacy side, a notable demand Apple is imposing stipulates that developers tapping the chance to offer non-WebKit-based browsers on iOS must: “Block cross-site cookies (i.e., third-party cookies) by default unless the user expressly opts to allow such cookies with informed consent”.

Apple, via Safari, has long been invested in combating privacy-hostile web tracking. So, again, it’s not surprising to see it making tracking-cookie-blocking a condition for the new browser entitlements. But it is notable.

The stipulation could have the effect of helping Google — which happens to be another DMA gatekeeper; and the operator of the (EU designated “core platform service”) Chrome browser — as it could nudge developers towards adopting an alternative adtech stack for targeted ads that Google has been brewing for several years.

Privacy Sandbox, as Google brands the initiative — which it’s in the process of rolling out to Chrome (including on Android); meaning it’s also in the process of switching off support for third party tracking-cookies — offers a Google-devised alternative to third party cookie-based tracking and targeting, developed by Google under UK competition and privacy authority scrutiny. Its ambition is to push the revised approach to monetizing web users’ attention via interest-based ad targeting across as much of the web ecosystem as it can reach.

Apple maintaining iOS as a cookie-free-tracking zone, therefore, looks helpful to Google’s prospects of getting its Sandbox more widely adopted — and unhelpful for rival adtech players who may be trying, against the odds (and with zero respect for web users’ privacy), to keep tracking cookies alive.

Asked what implications there could be for Chrome in light of Apple allowing non-WebKit browsers, Olejnik suggests the move looks like a “huge” deal for Google.

“Chrome is known for fast-paced development of web and web browsers, so they have a significant leverage over Apple. This means that Apple will have to expand on web development teams,” he predicts. “Otherwise they will lose on being competitive because users will change from Safari.”

“Of another consequence is that should Apple decide against adopting Privacy Sandbox in its web browsing experience. It will be available on iOS anyway,” he also points out. “We’re speaking about multi-billion dollar market here. That’s pretty significant, and I don’t see this point as being properly read in public comments about this change.”

A big, general limit on the browser changes from Apple is that it’s stipulating developers taking advantage of the non-Webkit browser entitlements can only do so for apps available in the EU. So the new choices for browser developers are not being allowed to bleed outside the region where the DMA does not apply.

It means, for example, that a non-WebKit-based version of Chrome on iOS will be limited in terms of its growth potential to scaling within the EU market — at least pending other laws, elsewhere, also forcing Apple to open up this element of its managed ecosystem.

There’s no doubt Cupertino is not going willingly into this shake-up of iOS. It’s being made to enact changes because the EU passed a law. So the simple message here is that regulation works. (Or, well, that it can work. How exactly the DMA will work — and whether or not it will really deliver the competitive boost the EU hopes — remains to be seen.)

It could also be the case, as Apple contends, that the law ends up reducing the level of security and privacy for iOS users. (On this topic Olejnik emphasizes “the details matter”. “Questions may remain about other forms of tracking [i.e. non-cookie-based],” he warns. “Now such considerations will be mediated through the DMA competition law/policy structures, though.”)

But, equally, some reduction in Apple’s controlled protections may be considered a price worth paying to boost choice and competition — provided users have real agency to choose and are properly (and fairly) informed of any risks.

“I think that the web browser change is unequivocally for the better,” Olejnik also tells us. “The problem is having other in-app browsers, since many such apps lack security and privacy. But in case of legitimate web browsers, this is a change for the better. I don’t see any security or privacy risks of allowing Mozilla or other legitimate web browser engines.”

Beyond all that, the wider point stands — that reigning in platform power is possible if lawmakers have a will (plus courage and grit) to get it done.

“Apple could not refuse to abide by the EU law. The biggest change in this move is certainly web browsers,” he adds. “It turns out that all that was needed was a few years of work of Brussels policymakers and lawmakers.

“The DMA is working here. No question about it. There’s more. It not only works. It would be one of the most successful technology/competition based regulations in EU history.”

Read Entire Article