States are Imperiling Consumers' Online Safety
Legislative efforts to rein in online application stores currently exist on two planes. At the federal level, lawmakers are considering the Open App Markets Act (OAMA). While the bill has been moving through the legislative process, enjoying broad bipartisan support, four state legislators are considering their own bills, perhaps believing federal efforts will ultimately amount to nothing.
While cracking down on how online application stores like Apple and Google operate may follow a broader public and political trend of attacking big tech companies, these bills could inadvertently expose consumers’ sensitive financial and personal information to cybercriminals.
State legislators must resist any temptation to pass bills that, while satisfying public emotion, could leave consumer information vulnerable to cybercriminals.
Four states – Minnesota, Rhode Island, Illinois, and Arizona – are currently considering bills that would prohibit online application stores from mandating a specific in-app payment system and allow consumers to sideload apps, bypassing the app store completely.
Much of the hostility toward online application stores is centered around the belief that they are overcharging developers. Until recently, both Apple and Google charged a 30% commission on each sale. These commissions helped Apple’s App Store generate $85.1 billion and Google’s Play Store generate $47.9 billion in revenue in 2021. These fees, according to Senator Richard Blumenthal (D-CT), sponsor of the federal OAMA, amount to “coercive anticompetitive walls” that have “quashed competitors and kept consumers in the dark—pocketing hefty windfalls.”
In response to public and political concern about how these online application stores operate, both Google and Apple announced significant reductions in the commissions they charge developers. In November 2020, Apple announced that small businesses that earn less than $1 million per year would only be charged a 15% commission. Businesses that earn more than $1 million would continue to pay a 30% commission. Google announced a similar policy. The cut in fees makes further federal and legislative efforts to allow multiple payment options meaningless.
Allowing developers to use alternative payment systems could jeopardize consumer safety by routing transactions through less secure systems. As a result of the commissions, Apple, for example, has developed one of the most sophisticated and secure payment processing systems. Transactions on Apple Pay are encrypted, but consumer financial information is then re-encrypted with a “developer-specific key before the transaction information is sent to the developer or payment processor.”
These measures mean that vendors do not have access to financial information, and Apple does not retain any of the information. Finally, consumers must also authenticate every transaction. Google Play offers similar protections and requires a password or personal identification number to authenticate each transaction.
These security features likely cannot be offered by other payment processing systems, where sensitive financial information is at risk of cybercrime. Allowing the sideloading of applications between devices also presents substantial cybersecurity concerns. Sideloading occurs when consumers transfer “a file between two local devices without the use of the internet.” Under the state bills, consumers would presumably be free to transfer apps between devices without having to download them directly from an app store.
While sideloading may allow developers and consumers to cut out application stores, the National Institute of Standards and Technology has warned that sideloading, “if done incorrectly could make a mobile device extremely vulnerable to attack,” as malicious apps containing malware or ransomware can be transferred between consumers. This risk is possible because consumers could end up sharing apps that have “not been approved by the developer of the device’s operating system.”
State and federal legislators might be tempted to pass legislation that reins in how online application stores operate, but they should understand the broader consequences of such appetites. For consumers, the results of any efforts to allow sideloading and the use of other in-app payment systems could leave sensitive financial information in the hands of cybercriminals who can exploit vulnerabilities.
Consumers deserve the confidence that when they download applications to their personal devices, their financial and personal information is secure and that apps don’t contain ransomware or malware. Unfortunately, bills currently under consideration will take this right away from consumers.
Edward Longe is a policy manager at the American Consumer Institute, a nonprofit educational and research organization. For more information about the Institute, visit www.TheAmericanConsumer.Org or follow us on Twitter @ConsumerPal.