Categories: Net Neutrality Security

ARCEP report: “Device neutrality” and the open internet

What happened?

A french version of this blog post is also available.

In February 2018, the French regulator, ARCEP, published a report on how device, browser, and OS level restrictions (under the broad label of “devices”) could be the ‘missing link’ towards achieving an open internet. In March 2018, the Body of European Regulators for Electronic Communications (BEREC) also published a report  on how devices can impact user choice, where it noted the possible incentives for providers with sufficient market power to allow for a “less open use of the internet.”

It should not be possible for device, OS, and app store providers to leverage their gatekeeping power to distort the level playing field for content, to unfairly favour their own content or demote that of competitors. This could be done in a variety of ways, and the report highlights some of these: restricting device and API functions, unfairly discouraging the use of alternative app stores, or non-transparency in app store rankings. In this blog, we put forth a principles-based response to these concerns, and potential policy solutions put forth by ARCEP.

Overall, we think that:

  • Applications should generally have the opportunity to become full replacements of default applications.
  • Users should be informed of privacy risks associated with downloading content from alternative app stores. However, in order to exercise meaningful choice, greater specificity rather than blanket warnings are preferable.
  • Some degree of transparency in app store rankings is critical to ensuring accountability, although “algorithmic transparency” might be an unhelpful framing.
  • Access to device or API functions should not be restricted to distort the level playing field for content services, for example, by unfairly limiting access to non-affiliated content.

Is this a net-neutrality concern?

The ARCEP report notes that issues of device-level restrictions have been “overlooked” in Europe’s net neutrality regulation (2015/2120). While we welcome this discussion as taking a holistic view of internet policy and the multiple levers that influence user choice and innovation,  we think these issues fall outside the scope of the net neutrality legal framework. Net neutrality rules are directed at the behaviour of internet service providers (ISPs) on the premise that they are uniquely situated to act as gatekeepers to access content/information. More bluntly, the traffic shaping and management practices of ISPs are wholly outside the control of users, and therefore protections are needed to ensure ISPs do not abuse their gatekeeper position. Foundational principles of net neutrality like the end-to-end principle and the best efforts principle translate into practical requirements on ISPs to treat all data on the internet without discrimination, restriction, or interference no matter the sender, receiver, content, website, platform, application, feature, attached equipment, or means of communication, or any types thereof.

Where this discussion does resonate with net neutrality, however, is in its commitment to the principle of “innovation without permission.” This is the principle that everyone and anyone should be able to innovate on the internet without seeking permission from anyone, any entity, or other gatekeepers. This includes device, OS, and app store providers. In this spirit, we review and respond to the the four courses of action that ARCEP proposes to put into effect at the national level.

ARCEPs policy proposals

1. Allow users to delete pre-installed apps

ARCEP’s Proposal: The report proposes that users must be allowed to delete pre-installed applications. Pre-installed apps (whether configured by the device manufacturer or the OS provider), the report notes, can “lure users away from certain content and services, particularly when these apps are displayed on the device home screen.”

Our view: Applications should have the opportunity to become full replacements of default applications, which includes the ability to delete the default option. For certain categories of applications, this value is amplified, for example the ability to toggle between or change the default maps, calendars, or emails. However, device manufacturers may reasonably restrict the deletion of pre-installed applications when doing so would risk the core functionality or security of the device (e.g., system preferences and settings). Following this principle, ARCEP refers to the South Korean example, where guidelines allows users to delete any pre-installed app from their device, provided they are not vital to the device’s operation or security.

2. Enable alternative rankings for the online content and services available in app stores/ More transparency in app store rankings

ARCEP’s Proposal: The ARCEP report recommends enabling alternative rankings as a possible solution for the app store. More accountability in app store rankings is valuable, however, we think there may be less interventionist (but equally impactful) methods to go about this, such as transparency.

ARCEP does highlight transparency in indexing and ranking as a key proposal, noting with concern that app store providers remain opaque about the rules they use to approve and index these same apps, whether in terms of how long it takes to review an app or rules of a more editorial nature. ARCEP notes that transparency “would encourage app stores to treat developers more fairly, in a way that would foster internet openness.

Our view: Some degree of transparency in how app stores rank and index content is critical to accountability. Without it, it is possible for app stores to leverage their gatekeeping power to unfairly favour affiliated content, demote the content of competitors, or to distort the level playing field.

The two dominant app stores do publicly disclose broad criteria for ranking. The Google Play Store states that “apps are ranked based on a combination of ratings, reviews, downloads, and other factors” but states that the relative weights and values of these criteria are “a proprietary part of the Google search algorithm.” On the other hand, the Apple app store discloses that ranking is based on two main criteria: “text relevance” such as apps title, keywords, primary category (and tips on how to optimize for this), as well as “user behaviour” such as downloads and the number and quality of ratings and reviews.

These disclosures give developers and the public a standard with which to hold app stores accountable. It provides a basis on which to call out preferential treatment to apps that is not explained by these criteria.

Beyond these broad criteria, the ARCEP report is also concerned about proprietary search and ranking algorithms being “black boxes.”  We believe, however, that “accountability” rather than “transparency” is the best frame in which to consider algorithmic decision-making. While asking to “show me how it’s done” is an appealing idea in principle, in practice it is often very difficult, and ultimately not as helpful as may seem in understanding and addressing problems that arise.

This also opens up a larger debate on how to optimize discoverability to best serve user interest. In Mozilla’s work on Equal Rating, we urged app stores to give users more control over how information was displayed in order to better surface locally relevant content, which is seen as an important driver for getting people to see the value in using and paying for the internet. This is fertile ground for further research.

3. Allow users to easily access applications offered by alternative app stores, once they have been deemed reliable

ARCEP’s Proposal: The Report recommends that users should be able to easily access applications offered by alternative app stores. They make the case for conditions that are conducive to the “emergence of effective competition between stores.” While they acknowledge that “app stores undeniably play a crucial role in terms of security,” this should not mean that “other stores could not guarantee the same prerogatives.” As an example of a perceived barrier to entry, ARCEP refers to the F-Droid Open Source app store which can only be downloaded after activating an advanced setting and acknowledging a warning  that apps downloaded off third-party stores can be harmful.

Our view: As a matter of principle, users should be informed of risks and given the opportunity to exercise meaningful choices. Users do indeed often face significant barriers to using alternative app stores. We generally believe that users own their devices and should be able to put whatever apps and services they desire on those devices. However, we also note that many alternative app stores do contain significant amounts of malware, which OS and device manufacturers are rightly concerned with protecting users from. To that end, we would caution against restricting security warnings. Users should be informed of security risks, although greater granularity and specificity in warnings may be useful. For example, there may be a less stringent warning attached to an app in an alternative app store that has otherwise verified its security bona fides. Giving warnings about an app store itself (e.g., “all apps on the F-Droid store may be insecure”) doesn’t provide the user with the most helpful information.

Finally, we note that the need to empower an entity to determine an app or an app store’s reliability risks creating another gatekeeper with complex incentives in the internet ecosystem.

4. Allow all content and service developers to access the same device function.

ARCEP’s Proposal: ARCEPs recommendation is that device and OS providers should not prevent app providers from accessing the functions they need to fully operate their services “merely for business reasons.” In addition to device functions like calling or access to phonebook or messages, they recommend that it should not be possible to “confine access to one or several APIs to only certain content and service providers, and particularly to apply different pricing terms depending on the content and service provider, for no reason other than commercial ones.” As an example, they state that Google should no longer be the only entity able to use Android’s APIs for accessing ‘physical geolocation components’; a company such as Open Street Map should also be able to use them.              

Our view: In principle, device and OS providers should not exercise their gatekeeping powers to unfairly restrict access to device and API functions. We would agree with ARCEPs proposed limitation on commercially motivated restrictions, such as preferences to affiliated content or shutting out competitor services. Core functions like access to the kernel, however, may justifiably be restricted since it raises potential security and privacy concerns.

The principle here, as it is in data protection, should be collection limitation, purpose limitation, data minimization, and privacy by design. The direction to collect what you need, and to use data and permissions for the purposes that relate to the service offered to the user, is a useful rule of thumb for the kinds of access that should be made available to third party app developers.

Conclusion

While outside the scope of traditional net neutrality regulation, regulators should be vigilant about the potential of device and OS providers to abuse their their roles as gatekeepers to online content and services. ARCEP’s report, which demonstrates a strong commitment to the open internet, is a good first step.