Blow to Apple's monopoly, Alexa revives the dead, Google, VPN, crypto, and more. AdGuard's digest
In this edition of AdGuard's Digest: Apple may be legally required to allow third-party app stores, Google is accused of violating data protection law, Amazon's voice assistant raises the dead, a crypto exchange helps the US government to track users, new iOS beta has a hyper-secure lockdown mode, and India delays a controversial VPN law.
Apple may be forced to open iPhone to third-party app stores in the EU
Apple may soon say goodbye to its closed, heavily moderated App Store ecosystem. Earlier this month the EU Commission adopted the new antitrust law, which will force big online platforms ("gatekeepers") to allow users to download third-party app stores and developers to use alternative in-app payment systems.
The law, known as the Digital Markets Act (DMA), has yet to be formally adopted by the Council of the European Union, and it is not expected to apply until 2023. If Apple, which is not specifically named in the DMA but fits the profile of a gatekeeper, fails to comply with the law, it will face a hefty fine of up to 10% of its total worldwide annual turnover, and up to 20% in case of repeated offenses.
Unlike Google, which allows app distribution through multiple app stores on Android devices, Apple has clung to its App Store monopoly, claiming it's necessary to protect user privacy and secure transactions. Nevertheless, a host of alternative iOS app stores have popped up over the years and can be sideloaded onto an iPhone without a jailbreak. But while third-party app stores may provide better marketing opportunities for app developers and may not charge a listing fee, they often lack security. Apple, with its robust vetting system, guarantees the safety of apps, while it's unlikely that smaller alternative app stores can and will scrutinize the apps through and through.
The new law may be good news for developers, but it poses a threat to not-so-tech-savvy iPhone users who are unaware of the potential privacy and security risks associated with poorly moderated third-party stores.
Google is not GDPR-compliant and sets a bad example, consumer groups say
European consumer groups have accused Google of ignoring EU data protection law, the General Data Protection Regulation (GDPR). The tech giant is faulted for "unfairly steering consumers towards its surveillance system when they sign up to a Google account, instead of giving them privacy by design and by default". One click is all it takes to activate account settings that allow Google to track and profile consumers for ads. If they want to opt out of data collection and ad personalization, users need to go down a far bumpier and longer road: it takes five steps and ten clicks to make an account more private. The situation is made worse by the fact that Google, being a tech giant and an ad behemoth, has "set the tone" for the rest of the market, the groups say. The privacy complaints have been filed with national data protection bodies across the EU.
Google has denied that its multi-step opt-out process is deceptive by design. The tech giant argued that the "layered" way in which it presents the information is based on guidance from the European Data Protection Board (EDPB).
Speaking dead: Alexa spooks users with new eerie feature
Amazon will allow its voice assistant to mimic the voice of a real person, including that of a dead one. Unveiling the new feature, Amazon played a short promo clip showing a child asking Alexa to read a book in the voice of his dead grandma.
The feature, according to Amazon, should provide comfort to those who have lost their relatives. However, not everybody is excited about the prospect of receiving "human-like empathy" from a robot, it seems. The reaction to the clip was one of concern, with users describing Alexa's experimental feature as "creepy" and "utterly disturbing" and pointing out that it is vulnerable to abuse.
Indeed, the feature, when it debuts, is likely to be riddled with security loopholes. Someone could potentially abuse it to fabricate a false alibi, approve a transaction, or smear a public figure or even a regular user. Moreover, if it's the voice of a dead person that is imitated, an ethical dilemma arises: should we use the voice of a deceased person without their consent?
Amazon is far from the only one to foray into the world of deepfake technology. Genealogy site MyHeritage "enlivens" the photos of dead relatives, and we have all seen those fake clips of Elon Musk promoting crypto scams or Tom Cruise's all-too-realistic fake TikTok antics. One has to be extremely careful about proliferating such double-edged technology, which, on balance, may do more harm than good.
Crypto exchange provides 'geo tracking data' to US government
Coinbase, the largest US-based cryptocurrency exchange, has provided US Immigration and Customs Enforcement (ICE) with access to its intelligence-gathering tool Coinbase Tracer, The Intercept reported.
The tool is designed to facilitate the job of tracing transactions through public blockchain ledgers, a feature that could come in handy for US law enforcement. According to the contract between ICE and Coinbase, the agency can not only track transactions in about a dozen digital currencies, but can also access "historical geo tracking data". It's not clear where this data comes from, but Coinbase claims that its tracking tool obtains information exclusively from public sources and does not include "any personally-identifiable information for anyone".
Created by libertarians with the idea of decentralizing corporate power and eschewing excessive regulation, cryptocurrencies have proved not to be immune to government control. Secret deals between governments and crypto exchanges do not help the reputation of Coinbase or of the crypto market in general.
Apple's new feature to protect against sophisticated cyberattacks
Apple will let users go into a digital bunker by enabling the so-called 'Lockdown Mode', which will come with the iOS 16, iPadOS 16, and macOS Ventura releases this fall. The feature is described by the tech giant as "an extreme, optional protection for the very small number of users who face grave, targeted threats to their digital security". Once a user has enabled Lockdown Mode, many mundane functions will stop working or become severely limited. Attachments in Messages other than images won't load, link previews won't work, incoming invitations and service requests from strangers will be disabled, FaceTime calls from people you have not called before will not connect, configuration profiles won't install, and all wired connections as well as certain web technologies and browsing features will be blocked.
Apple said that it plans to add new protection layers to its Lockdown Mode "over time" and has set up a bounty of up to $2,000,000 for those who could break through its defenses.
Judging by the size of the bounty alone, it's fair to suggest that Apple is taking the security and privacy of its users seriously. The new feature will help to minimize the attack surface while at the same time keeping the phone functioning.
India delays VPN rules enforcement after backlash
India has delayed the enforcement of a controversial cyber security directive that would require VPN providers to store user logs for at least 5 years and give them to the government upon request. The directive was supposed to take effect in late June, but the Indian cyber security agency CERT postponed its implementation after facing backlash from both the industry and cybersecurity experts. In a letter to CERT, two dozen Indian and foreign experts argued that the new rules would have "the unintended consequences of weakening cyber security, and its crucial component, online privacy" and called for seeking feedback from stakeholders. We at AdGuard have also voiced our reservations about the law together with other VPN providers with strict no-logs policies.
While CERT has moved the schedule for the implementation of the directive to September 25, it has done so ostensibly to give VPNs more time to comply with "the validation aspects of the subscribers/customers details". Since the Indian government has not fundamentally changed its approach, the new rules continue to be a source of concern for us.