Apple to EU: “Go fuck yourself”

The dictionary definition of malicious compliance.

Cory Doctorow
10 min readFeb 6, 2024

--

If you’d like an essay-formatted version of this post to read or share, here’s a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:

https://pluralistic.net/2024/02/06/spoil-the-bunch/#dma

There’s a strain of anti-anti-monopolist that insists that they’re not pro-monopoly — they’re just realists who understand that global gigacorporations are too big to fail, too big to jail, and that governments can’t hope to rein them in. Trying to regulate a tech giant, they say, is like trying to regulate the weather.

This ploy is cousins with Jay Rosen’s idea of “savvying,” defined as: “dismissing valid questions with the insider’s, ‘and this surprises you?’”

https://twitter.com/jayrosen_nyu/status/344825874362810369?lang=en

In both cases, an apologist for corruption masquerades as a pragmatist who understands the ways of the world, unlike you, a pathetic dreamer who foolishly hopes for a better world. In both cases, the apologist provides cover for corruption, painting it as an inevitability, not a choice. “Don’t hate the player. Hate the game.”

The reason this foolish nonsense flies is that we are living in an age of rampant corruption and utter impunity. Companies really do get away with both literal and figurative murder. Governments really do ignore horrible crimes by the rich and powerful, and fumble what rare, few enforcement efforts they assay.

Take the GDPR, Europe’s landmark privacy law. The GDPR establishes strict limitations of data-collection and processing, and provides for brutal penalties for companies that violate its rules. The immediate impact of the GDPR was a mass-extinction event for Europe’s data-brokerages and surveillance advertising companies, all of which were in obvious violation of the GDPR’s rules.

But there was a curious pattern to GDPR enforcement: while smaller, EU-based companies were swiftly shuttered by its provisions, the US-based giants that conduct the most brazen, wide-ranging, illegal surveillance escaped unscathed for years and years, continuing to spy on Europeans.

One (erroneous) way to look at this is as a “compliance moat” story. In that story, GDPR requires a bunch of expensive systems that only gigantic companies like Facebook and Google can afford. These compliance costs are a “capital moat” — a way to exclude smaller companies from functioning in the market. Thus, the GDPR acted as an anticompetitive wrecking ball, clearing the field for the largest companies, who get to operate without having to contend with smaller companies nipping at their heels:

https://www.techdirt.com/2019/06/27/another-report-shows-gdpr-benefited-google-facebook-hurt-everyone-else/

This is wrong.

Oh, compliance moats are definitely real — think of the calls for AI companies to license their training data. AI companies can easily do this — they’ll just buy training data from giant media companies — the very same companies that hope to use models to replace creative workers with algorithms. Create a new copyright over training data won’t eliminate AI — it’ll just confine AI to the largest, best capitalized companies, who will gladly provide tools to corporations hoping to fire their workforces:

https://pluralistic.net/2023/02/09/ai-monkeys-paw/#bullied-schoolkids

But just because some regulations can be compliance moats, that doesn’t mean that all regulations are compliance moats. And just because some regulations are vigorously applied to small companies while leaving larger firms unscathed, it doesn’t follow that the regulation in question is a compliance moat.

A harder look at what happened with the GDPR reveals a completely different dynamic at work. The reason the GDPR vaporized small surveillance companies and left the big companies untouched had nothing to do with compliance costs. The Big Tech companies don’t comply with the GDPRthey just get away with violating the GDPR.

How do they get away with it? They fly Irish flags of convenience. Decades ago, Ireland started dabbling with offering tax-havens to the wealthy and mobile — they invented the duty-free store:

https://en.wikipedia.org/wiki/Duty-free_shop#1947%E2%80%931990:_duty_free_establishment

Capturing pennies from the wealthy by helping them avoid fortunes they owed in taxes elsewhere was terribly seductive. In the years that followed, Ireland began aggressively courting the wealthy on an industrial scale, offering corporations the chance to duck their obligations to their host countries by flying an Irish flag of convenience.

There are other countries who’ve tried this gambit — the “treasure islands” of the Caribbean, the English channel, and elsewhere — but Ireland is part of the EU. In the global competition to help the rich to get richer, Ireland had a killer advantage: access to the EU, the common market, and 500m affluent potential customers. The Caymans can hide your money for you, and there’s a few super-luxe stores and art-galleries in George Town where you can spend it, but it’s no Champs Elysees or Ku-Damm.

But when you’re competing with other countries for the pennies of trillion-dollar tax-dodgers, any wins can be turned into a loss in an instant. After all, any corporation that is footloose enough to establish a Potemkin Headquarters in Dublin and fly the trídhathach can easily up sticks and open another Big Store HQ in some other haven that offers it a sweeter deal.

This has created a global race to the bottom among tax-havens to also serve as regulatory havens — and there’s a made-in-the-EU version that sees Ireland, Malta, Cyprus and sometimes the Netherlands competing to see who can offer the most impunity for the worst crimes to the most awful corporations in the world.

And that’s why Google and Facebook haven’t been extinguished by the GDPR while their rivals were. It’s not compliance moats — it’s impunity. Once a corporation attains a certain scale, it has the excess capital to spend on phony relocations that let it hop from jurisdiction to jurisdiction, chasing the loosest slots on the strip. Ireland is a made town, where the cops are all on the take, and two thirds of the data commissioner’s rulings are eventually overturned by the federal court:

https://www.iccl.ie/digital-data/iccl-2023-gdpr-report/

This is a problem among many federations, not just the EU. The US has its onshore-offshore tax- and regulation-havens (Delaware, South Dakota, Texas, etc), and so does Canada (Alberta), and some Swiss cantons are, frankly, batshit:

https://lenews.ch/2017/11/25/swiss-fact-some-swiss-women-had-to-wait-until-1991-to-vote/

None of this is to condemn federations outright. Federations are (potentially) good! But federalism has a vulnerability: the autonomy of the federated states means that they can be played against each other by national or transnational entities, like corporations. This doesn’t mean that it’s impossible to regulate powerful entities within a federation — but it means that federal regulation needs to account for the risk of jurisdiction-shopping.

Enter the Digital Markets Act, a new Big Tech specific law that, among other things, bans monopoly app stores and payment processing, through which companies like Apple and Google have levied a 30% tax on the entire app market, while arrogating to themselves the right to decide which software their customers may run on their own devices:

https://pluralistic.net/2023/06/07/curatorial-vig/#app-tax

Apple has responded to this regulation with a gesture of contempt so naked and broad that it beggars belief. As Proton describes, Apple’s DMA plan is the very definition of malicious compliance:

https://proton.me/blog/apple-dma-compliance-plan-trap

Recall that the DMA is intended to curtail monopoly software distribution through app stores and mobile platforms’ insistence on using their payment processors, whose fees are sky-high. The law is intended to extinguish developer agreements that ban software creators from informing customers that they can get a better deal by initiating payments elsewhere, or by getting a service through the web instead of via an app.

In response, Apple, has instituted a junk fee it calls the “Core Technology Fee”: EUR0.50/install for every installation over 1m. As Proton writes, as apps grow more popular, using third-party payment systems will grow less attractive. Apple has offered discounts on its eye-watering payment processing fees to a mere 20% for the first payment and 13% for renewals. Compare this with the normal — and far, far too high — payment processing fees the rest of the industry charges, which run 2–5%. On top of all this, Apple has lied about these new discounted rates, hiding a 3% “processing” fee in its headline figures.

As Proton explains, paying 17% fees and EUR0.50 for each subscriber’s renewal makes most software businesses into money-losers. The only way to keep them afloat is to use Apple’s old, default payment system. That choice is made more attractive by Apple’s inclusion of a “scare screen” that warns you that demons will rend your soul for all eternity if you try to use an alternative payment scheme.

Apple defends this scare screen by saying that it will protect users from the intrinsic unreliability of third-party processors, but as Proton points out, there are plenty of giant corporations who get to use their own payment processors with their iOS apps, because Apple decided they were too big to fuck with. Somehow, Apple can let its customers spend money Uber, McDonald’s, Airbnb, Doordash and Amazon without terrorizing them about existential security risks — but not mom-and-pop software vendors or publishers who don’t want to hand 30% of their income over to a three-trillion-dollar company.

Apple has also reserved the right to cancel any alternative app store and nuke it from Apple customers’ devices without warning, reason or liability. Those app stores also have to post a one-million euro line of credit in order to be considered for iOS. Given these terms, it’s obvious that no one is going to offer a third-party app store for iOS and if they did, no one would list their apps in it.

The fuckery goes on and on. If an app developer opts into third-party payments, they can’t use Apple’s payment processing too — so any users who are scared off by the scare screen have no way to pay the app’s creators. And once an app creator opts into third party payments, they can never go back — the decision is permanent.

Apple also reserves the right to change all of these policies later, for the worse (“I am altering the deal. Pray I don’t alter it further” -D. Vader). They have warned developers that they might change the API for reporting external sales and revoke developers’ right to use alternative app stores at its discretion, with no penalties if that screws the developer.

Apple’s contempt extends beyond app marketplaces. The DMA also obliges Apple to open its platform to third party browsers and browser engines. Every browser on iOS is actually just Safari wrapped in a cosmetic skin, because Apple bans third-party browser-engines:

https://pluralistic.net/2022/12/13/kitbashed/#app-store-tax

But, as Mozilla puts it, Apple’s plan for this is “as painful as possible”:

https://www.theverge.com/2024/1/26/24052067/mozilla-apple-ios-browser-rules-firefox

For one thing, Apple will only allow European customers to run alternative browser engines. That means that Firefox will have to “build and maintain two separate browser implementations — a burden Apple themselves will not have to bear.”

(One wonders how Apple will treat Americans living in the EU, whose Apple accounts still have US billing addresses — these people will still be entitled to the browser choice that Apple is grudgingly extending to Europeans.)

All of this sends a strong signal that Apple is planning to run the same playbook with the DMA that Google and Facebook used on the GDPR: ignore the law, use lawyerly bullshit to chaff regulators, and hope that European federalism has sufficiently deep cracks that it can hide in them when the enforcers come to call.

But Apple is about to get a nasty shock. For one thing, the DMA allows wronged parties to start their search for justice in the European federal court system — bypassing the Irish regulators and courts. For another, there is a global movement to check corporate power, and because the tech companies do the same kinds of fuckery in every territory, regulators are able to collaborate across borders to take them down.

Take Apple’s app store monopoly. The best reference on this is the report published by the UK Competition and Markets Authority’s Digital Markets Unit:

https://assets.publishing.service.gov.uk/media/63f61bc0d3bf7f62e8c34a02/Mobile_Ecosystems_Final_Report_amended_2.pdf

The devastating case that the DMU report was key to crafting the DMA — but it also inspired a US law aimed at forcing app markets open:

https://www.congress.gov/bill/117th-congress/senate-bill/2710

And a Japanese enforcement action:

https://asia.nikkei.com/Business/Technology/Japan-to-crack-down-on-Apple-and-Google-app-store-monopolies

And action in South Korea:

https://www.reuters.com/technology/skorea-considers-505-mln-fine-against-google-apple-over-app-market-practices-2023-10-06/

These enforcers gather for annual meetings — I spoke at one in London, convened by the Competition and Markets Authority — where they compare notes, form coalitions, and plan strategy:

https://www.eventbrite.co.uk/e/cma-data-technology-and-analytics-conference-2022-registration-308678625077

This is where the savvying breaks down. Yes, Apple is big enough to run circles around Japan, or South Korea, or the UK. But when those countries join forces with the EU, the USA and other countries that are fed up to the eyeballs with Apple’s bullshit, the company is in serious danger.

It’s true that Apple has convinced a bunch of its customers that buying a phone from a multi-trillion-dollar corporation makes you a member of an oppressed religious minority:

https://pluralistic.net/2024/01/12/youre-holding-it-wrong/#if-dishwashers-were-iphones

Some of those self-avowed members of the “Cult of Mac” are willing to take the company’s pronouncements at face value and will dutifully repeat Apple’s claims to be “protecting” its customers. But even that credulity has its breaking point — Apple can only poison the well so many times before people stop drinking from it. Remember when the company announced a miraculous reversal to its war on right to repair, later revealed to be a bald-faced lie?

https://pluralistic.net/2023/09/22/vin-locking/#thought-differently

Or when Apple claimed to be protecting phone users’ privacy, which was also a lie?

https://pluralistic.net/2022/11/14/luxury-surveillance/#liar-liar

The savvy will see Apple lying (again) and say, “this surprises you?” No, it doesn’t surprise me, but it pisses me off — and I’m not the only one, and Apple’s insulting lies are getting less effective by the day.

--

--