Context: Two weeks ago, app developers found out that the next version of Apple’s iOS operating system will disable Progressive Web Apps (PWAs), which users can “install” on their home screens, in the EU (February 13, 2024 games fray article). In a Developer Q&A section of an official Apple web page on its EU app rules, Apple then confirmed that this is intentional (Apple website).
What’s new: On Monday (February 26, 2024), the Financial Times, which is among the favorite outlet for EU-related leaks and presumably used by the EC itself from time to time, reported (paywalled article) that the EC has sent out questionnaires about Apple’s disablement of PWAs in the EU. Such questionnaires are typically harbingers of antitrust investigations. The EC confirmed to various media that the web app inquiry is part of its ongoing analysis of Apple’s compliance with the Digital Markets Act (DMA) (February 27, 2024 Times of India article). The purpose of this games fray article is to infer from publicly available information what Apple’s defense strategy is likely going to be.
Direct impact: The swiftness of the EC’s action shows that Apple added insult to injury by not only designing new EU app rules that render the DMA practically inconsequential but by furthermore taking procompetitive functionality away from EU-based users and the companies serving them. Microsoft’s xCloud cloud gaming service would be a good example of a web app that is adversely impacted, but Apple can argue that it now allows native cloud gaming apps without having to subject each game to Apple’s app review. At this point, games fray is skeptical of the EC’s ability to impose fines, let alone hefty fines of up to 10% of worldwide revenues, on Apple, as PWAs are not a feature that is mandated by the DMA, the EC and especially the EU judiciary may easily be confused by Apple’s technical arguments, and above all, this move is of major impact only on the basis of the dynamic theory that newly allowed alternative browser engines would take PWAs to a new level, while PWAs were of extremely limited appeal before.
Wider ramifications: Apple’s belligerence vis-à-vis regulation is unprecedented for a company of that nature and stature. It forces the EC to take action, though the ultimate market impact (after appeals) of any such action, under the current DMA, is more than doubtful. It may derail the settlement of the tap-to-pay (Apple Pay) investigation, where the EC recently announced a market test. It may strengthen EU lawmakers’ resolve to make the DMA truly useful against Apple, which it will never be without an amendment. And looking beyond Apple, there is a possibility of other (not only but also Big Tech) companies coming under pressure from shareholders to stop being exceedingly cooperative with regulators who bark, but can’t really bite.
To understand Apple’s EU web apps move, one has to look at it from three angles:
- Apple’s attempted justification,
- Apple’s actual motivation and
- what will happen in court if the EC (as it very likely will) challenges this conduct on DMA and/or conventional antitrust grounds.
Apple’s pretextual justification is based on the assumption that third-party browsers are inherently untrustworthy
If one understands the technical and commercial aspects of the issue, it’s easy to identify the pretextual nature of Apple’s explanation. Below, Apple’s attempted justification is quoted in its entirety, with commentary below each passage and occasional explanations of terms in brackets.
“Why don’t users in the EU have access to Home Screen web apps?
To comply with the Digital Markets Act, Apple has done an enormous amount of engineering work to add new functionality and capabilities for developers and users in the European Union — including more than 600 new APIs and a wide range of developer tools.”
Somewhere else, Apple claimed to have spend tens of thousands of personhours on the above. But “sweat of the brow” (the effort Apple made) does not guarantee compliance. It will, however, be one of Apple’s arguments on appeal as discussed in the legal analysis further below.
“The iOS system has traditionally provided support for Home Screen web apps by building directly on WebKit [the engine of Apple’s own Safari browser, which all iOS browsers were required to use in the past, effectively making Chrome on iOS just Safari with a Chrome interface] and its security architecture. That integration means Home Screen web apps are managed to align with the security and privacy model for native apps on iOS, including isolation of storage and enforcement of system prompts to access privacy impacting capabilities on a per-site basis.”
What Apple is saying here is that PWAs (which Apple calls Home Screen web apps here, but they mean the same) were acceptable from a security and privacy point of view as long as Apple controlled the entire technology stack from the operating system up to the browser engine. Simply put, it was all running on Apple software except for the most superficial layer, the browser interface.
On that basis, Apple was fine with PWAs storing some data locally (for example, gameplay progress) and with privacy permissions being assigned to PWAs in a similar way as to native iOS apps, though there always were significant differences impairing the user experience and the commercial potential of web apps (such as the need to reload the executable every time the pseudo-app is opened, and lack of access to various key iOS features).
In the section entitled War on web innovation of a February 13, 2024 article, games fray explained that Apple has traditionally imposed its browser engine dictate in order to stifle progress. Apple made sure that its own browser engine would not allow web apps to be useful for too many purposes (other than “adult content”), and prevented other browser makers from delivering a better experience. There cannot be a principled security concern over a browser like Chrome (Google) or Edge (Microsoft). It was all about protecting Apple’s walled garden.
Now, however, that Apple is required to allow alternative browser engines in the EU, Apple pretextually claims it can’t have enough trust and therefore felt forced to disable web apps altogether:
“Without this type of isolation and enforcement, malicious web apps could read data from other web apps and recapture their permissions to gain access to a user’s camera, microphone or location without a user’s consent.”
Technically, third-party browsers are apps, just like other apps, and are subject to Apple’s app review like any other app. Even if they were to be distributed via alternative app stores, Apple would still reserve the right to notarize them based on a security check. It is technically incorrect that a browser like Chrome couldn’t solve the problem, even without controlling the operating system: Chrome sandboxes web apps, meaning that as long as there is no software bug (which can happen to anyone, including Apple), web apps will be secure.
“Browsers also could install web apps on the system without a user’s awareness and consent.”
This, again, would be purely a behavioral issue. It’s obvious that a company like Google wouldn’t do that because it has a reputation to protect.
“Addressing the complex security and privacy concerns associated with web apps using alternative browser engines would require building an entirely new integration architecture that does not currently exist in iOS and was not practical to undertake given the other demands of the DMA and the very low user adoption of Home Screen web apps.”
This relates to the first paragraph where Apple talks about how much of an effort it has already made to comply with the DMA. Technically, Apple’s argument here must be understood the following way:
- The underlying assumption is that there would be untrustworthy third-party browsers. If browsers like Chrome solve the problem through their own sandboxing at the application level, they don’t need any new functionality from Apple to ensure that web app A won’t access data or hijack permissions from web app B.
- If in such an untrustworthy environment Apple nevertheless wanted to ensure that web apps are secure even if the browser itself doesn’t properly sandbox, then it is—to be fair—technically true that Apple would have to take measures at the level of the operating system with respect to web apps. iOS would have to control the execution of web apps to a greater extent and couldn’t just delegate that task to the browser, as the browser is no longer going to be Safari itself or a Safari in disguise (a third-party browser forced to use the same engine as Safari, WebKit). At the operating system level, Apple would then control the way that web apps store data locally and the way their permissions are managed.
By pointing out that iOS does not currently have that type of functionality (which is perfectly credible) and that it would take a lot of effort while PWAs are not used a lot so far, Apple makes a proportionality argument that hinges on a static view of the market where Apple’s efforts to hobble web apps limited their market adoption. Things could change with alternative browsers offering a better web app user experience. But that is a dynamic perspective Apple purposely doesn’t want to take here.
“And so, to comply with the DMA’s requirements, we had to remove the Home Screen web apps feature in the EU.”
Apple doesn’t state explicitly why it then also removed the feature from Safari, meaning that web apps now just open in a Safari browser tab, which (as games fray explained in a February 13, 2024 article) particularly impacts web games, which need to run in full-screen mode in order to be practically usable (without hitting the wrong user interface controls all the time) and esthetically pleasing.
Apple obviously does trust Safari, even if it doesn’t third-party browsers. So why just remove procompetitive functionality from users, and why only in the EU?
What Apple implies here through its reference to “the DMA’s requirements” is that it had to ensure parity between its own Safari browser and third-party browsers. Had Apple continued to support PWAs in Safari like before (with full-screen mode, local storage, notifications etc.), it would have disadvantaged third-party browsers that can soon come with their own browser engines in the EU.
The DMA lacks clarity with respect to app stores, which is why games fray believes Apple is in compliance with the law as it stands unless purposive interpretation is taken to an unprecedented level (February 19, 2024 games fray article) or, more realistically, lawmakers amend the DMA (February 20, 2024 games fray article). But the rule about browser engines is clear and straightforward:
“The gatekeeper shall not require end users to use, or business users to use, to offer, or to interoperate with, an identification service, a web browser engine or a payment service, or technical services that support the provision of payment services, such as payment systems for in-app purchases, of that gatekeeper in the context of services provided by the business users using that gatekeeper’s core platform services.”
Art. 5(7) DMA (emphases added)
If Apple then limited PWAs to its own browser but prohibited third-party browsers (with their potentially new engines) from running PWAs, Apple could be deemed to violate that rule, or at least to run afoul of the DMA’s general anti-circumvention clause.
“EU users will be able to continue accessing websites directly from their Home Screen through a bookmark with minimal impact to their functionality. We expect this change to affect a small number of users. Still, we regret any impact this change — that was made as part of the work to comply with the DMA — may have on developers of Home Screen web apps and our users.”
Here, Apple further elaborates on its argument that supporting PWAs with a new operating system-level security mechanism would be disproportionate given that only “a small number of users” (which is probably true) will experience “minimal impact” (which is debatable, as web games definitely become unusable if they require swift interaction, unlike, say, a web chess game that gives users plenty of time per move).
Apple’s motivation is clearly anticompetitive but Apple is right that the DMA’s browser engine rule potentially creates security issues
It’s obvious that Apple prefers native apps over web apps, as Apple can control and tax native apps in ways it can’t practically control and tax web apps. Essentially, web apps serve only two purposes for Apple:
- Apple uses them for a shield against monopoly abuse claims, arguing that the App Store is not the only way to bring “apps” to iOS users. For instance, Apple made that argument when defending against Epic Games’s U.S. complaint. Apple is also known to have made that argument to competition authorities around the globe on every occasion.
- Apple also doesn’t want to lose users who look for content that Apple refuses to carry in its own store, particularly adult content. For the purposes of just viewing images and watching videos, much less functionality is needed than to properly support browser games or other demanding applications. By supporting web apps more or less just to the extent that such use cases require, Apple avoids that people to whom such material is a key part of a smartphone’s value proposition will migrate to Android.
Why didn’t those two motives dissuade Apple from making this move against web apps in the EU?
- Apple doesn’t need the web app defense in the EU anymore because the DMA requires it to allow alternative app stores. Those won’t really play a role in the mass market for the reasons games fray discussed in various articles), but technically they are allowed and for certain purposes such as adult content and NFTs they may indeed get traction.
- Apple is less concerned about users migrating away from the iPhone only because certain websites won’t run in full-screen mode anymore. And if there was a market for such material that Apple’s own App Store doesn’t allow, alternative app stores may capitalize on such a niche market opportunity.
That said, Apple’s stated concern over untrusthworthy third-party browsers may also be genuine, not with respect to Big Tech browsers like Chrome and Edge or Mozilla’s Firefox, but given that the DMA would require Apple to allow anyone, even the shadiest organization imaginable, to offer their own web browser with a third-party engine. The cost of browser development is so high by now that only a few can afford it at all. But third parties could use, for instance, the Chromium open-source engine and then build their own browser with limited effort.
Legal analysis: the EC won’t be able to force Apple to re-enable Home Screen web apps in the EU, at least not in the foreseeable future, and fines will be low
In the browser engine context, the DMA’s flaw is not that it isn’t clear enough (that’s an issue with respect to app stores and the direct installation of apps), but that it wasn’t thought through from a technical and economic perspective. If in a hypothetical alternative universe very knowledgeable and analytically gifted people had designed the DMA, and if they had asked themselves how bad actors might exploit it (such as by capitalizing on the resource constraints of well-meaning browser makers with insufficient resources) and how Apple might seek to minimalize its impact, they would never have allowed just anyone out there to offer iOS browsers with alternative engines. Instead, they’d have determined that there would still be enough competition in the iOS browser market if the privilege to run a browser on one’s own engine was granted to only major players. The criterion could have been that Apple must allow the use of alternative browser engines if a browser maker delivers proof of a certain level of market acceptance (number of installations) of its browser on other platforms.
Like in the FRAND (fair, reasonable and non-discriminatory terms) context, the problem is a non-qualified requirement. It’s far easier to say “offer FRAND terms” or “allow alternative browser engines” than to get it right and propose a workable rule that Apple can’t circumvent.
Apple does have a valid security argument that if every Tom, Dick and Harry can offer a browser with its own engine, there are security and privacy risks, and the DMA does recognize Apple’s rights to ensure security and privacy.
The complete disablement of PWAs even in Safari would normally be worth a traditional antitrust investigation. There are adversely impacted parties, such as Microsoft with its xCloud cloud gaming service. But it is difficult under antitrust law to force a company to offer a feature (though in this case it’s clear that they have the technology for Safari-run web apps in place and just block it in the EU), and no court of law is going to identify an antitrust violation where Apple can point to the need to comply with its obligations under the DMA.
That means the judicial decision is going to be about whether Apple would have (and would already have had) to undertake the effort to support PWAs even if they run on untrustworthy third-party browsers.
The first legal question is then whether the DMA requires Apple to support Home Screen web apps at all. It doesn’t explicitly talk about them. And there is no Most Favored Nation requirement under the current DMA, which is a change that games fray believes would be helpful in this context and many others (February 20, 2024 games fray article). Therefore, an appeal by Apple of a Commission decision relating to web apps could fail at that hurdle.
For the EC to get over that hurdle, despite the DMA neither referencing PWAs explicitly nor having a Most Favored Nation requirement, the anti-circumvention clause would have to be interpreted broadly and purposively.
In that hypothetical scenario, the question would then be whether Apple has a valid disproportionality claim. Apple would point to the substantial engineering effort it has already made to comply with the DMA, to the significant effort (which Apple would likely overstate, but it can’t be denied that this isn’t a small thing) to support sandboxed PWAs at the operating system level if alternative browser engines are used, and it would argue that the very low adoption of Home Screen web apps (as compared to native apps) does not make it reasonable when there is the far less costly alternative of simply disabling web apps.
If one treats the environment as static, Apple is right that the effort would be disproportionate. Apple can argue that users can still view those websites in a browser tab, even in a browser of their choice, which may (thanks to the DMA) come with a browser engine of its choice. They just don’t get such benefits as full-screen view, notifications, local storage and stored privacy settings. But above all, Apple can present numbers according to which most people don’t use web apps at all, and even those who do don’t to it a huge extent, normally.
The EU would have to identify web apps that are really hurt by Apple’s web app move. For now, games fray believes that such web apps would be cloud gaming apps like Microsoft’s xCloud, and Apple has separately (because of regulatory pressure in the UK, not the EU) decided to allow such native apps now without requiring that each and every streamed game be reviewed by Apple.
Only if one takes a dynamic view, Apple can get into trouble. The low adoption of Home Screen web apps in today’s market is the fully intended result of Apple’s efforts to limit them to a fig leaf for antitrust purposes and to retain users who want certain types of functionality or especially content that Apple’s own App Store wouldn’t allow. Apple never wanted web apps to take off after it launched its own App Store. Only the very original iPhone vision that Steve Jobs announced in 2007 would have foreseen a more important role for web apps. But that was a very long time ago.
The dynamic perspective is that the Googles, Microsofts and Mozillas of the world would now have a strong incentive to make web apps work, especially because Apple’s new EU app rules prevent alternative app stores from taking off. In particular, highly functional web apps delivering a great user experience would be a means of avoiding the commissions and per-install fees Apple charges.
The three aforementioned browser makers are anything but satisfied with Apple’s compliance with the DMA. Microsoft didn’t specifically mention browsers, but generally criticized Apple on X (formerly known as Twitter) (January 30, 2024 games fray article), The Mozilla Foundation said Apple’s browser rules are “as painful as possible” for its Firefox browser (January 26, 2024 article by The Verge), a statement that Google’s browser chief endorsed and elaborated on:
But none of that necessarily means that the courts of law will hold Apple liable for a DMA infringement. The EC and/or any private plaintiffs would have to convince the EU judiciary that (a) Apple must not discontinue its support for PWAs despite generally being within its rights to design its products as it pleases and (b) in order to support PWAs that are secure even if untrustworthy browsers (by bad actors or underresourced app makers) enter the market, Apple has to make a substantial engineering effort because there is a future potential for web apps due to new competition in the iOS browser market (now that they can all use their own engines), though there hasn’t been much demand for PWAs so far.
Judges aren’t technical experts (even the EC doesn’t have a lot of technical expertise), much less are they experts in predicting how a market will evolve once Apple’s browser engine dictate is removed.
In games fray‘s assessment, the EC has no more than a 40% chance of convincing the courts that Apple’s web app move is unlawful, and even if it did, the fact that web apps don’t have much traction in the market so far will limit the amount of any fines that the EU judiciary would be prepared to uphold. Then, after a final and enforceable court ruling (after 5 years or so) forces Apple to do what it takes to make PWAs run in third-party browsers, Apple will have to be given a reasonable period of time to implement such a change. Apple would probably argue that it takes 18 or 24 months (if not more). It would then be hard to disprove that claim.
So after a multi-year litigation, there would be a low fine and a generous grace period to technically implement the decision. All in all, it means that there wouldn’t be any competitive impact (if ever!) for the remainder of the 2020s. And tackling just the PWA issue wouldn’t be enough as the concerns stated by major browser makers go far beyond this one. At this point, with the EU being only a relatively small market for iOS apps compared to the U.S. and some other geographic regions, there’s hardly an incentive for anyone to compete with Apple on iOS browsers despite the problems Apple intentionally causes with its various rules.
In the light of that harsh reality, games fray believes the EU institutions should be realistic and amend the DMA at the earliest opportunity. The way Apple has responded ot the initial version of the DMA is the first part of debugging: to identify the flaws.
In the PWA context, an amended DMA could require them and could at the same time limit the right to use alternative browser engines to companies that are already significant players in the browser market. It could then also address other issues, such as the fragmentation that Apple imposes because browsers that use alternative engines must be available only in the EU (Apple developer website). An anti-fragmentation rule is also part of games fray‘s suggested amendments.