Telegram hits out at Apple’s app store ‘tax’ in latest EU antitrust complaint

Apple has another antitrust charge on its plate. Messaging app Telegram has joined Spotify in filing a formal complaint against the iOS App Store in Europe — adding its voice to a growing number of developers willing to publicly rail against what they decry as Apple’s app “tax”.

A spokesperson for Telegram confirmed the complaint to TechCrunch, pointing us to this public Telegram post where founder, Pavel Durov, sets out seven reasons why he thinks iPhone users should be concerned about the company’s behavior.

These range from the contention that Apple’s 30% fee on app developers leads to higher prices for iPhone users; to censorship concerns, given Apple controls what’s allowed (and not allowed) on its store; to criticism of delays to app updates that flow from Apple’s app review process; to the claim that the app store structure is inherently hostile to user privacy, given that Apple gets full visibility of which apps users are downloading and engaging with.

This week Durov also published a blog post in which he takes aim at a number of “myths” he says Apple uses to try to justify the 30% app fee — such as a claim that iOS faces plenty of competition for developers; or that developers can choose not to develop for iOS and instead only publish apps for Android.

“Try to imagine Telegram or TikTok as Android -only apps and you will quickly understand why avoiding Apple is impossible,” he writes. “You can’t just exclude iPhone users. As for the iPhone users, the costs for consumers to switch from an iPhone to an Android is so high that it qualifies as a monopolistic lock-in” — citing a study done by Yale University to bolster that claim.

“Now that anti-monopoly investigations against Apple have started in the EU and the US, I expect Apple to double down on spreading such myths,” Durov adds. “We shouldn’t sit idly and let Apple’s lobbyists and PR agents do their thing. At the end of the day, it is up to us – consumers and creators – to defend our rights and to stop monopolists from stealing our money. They may think they have tricked us into a deadlock, because we’ve already bought a critical mass of their devices and created a critical mass of apps for them. But we shouldn’t be giving them a free ride any longer.”

The European Commission declined to comment on Telegram’s complaint.

We also reached out to Apple for comment but the company also declined to provide an on the record statement regarding Telegram’s complaint. A spokesperson did point to a piece of analyst research, from earlier this year, which found iOS had a marketshare of 15% vs Android’s 85%. They also flagged a separate analyst report, which looks at commission rates charged by app and digital content stores and marketplaces — suggesting this shows that rates charged for similar types of stores are generally also around 30%.

So the company’s overarching argument against ‘app tax’ complaints continues to be the claim that: A) Apple can’t have monopoly power, given its relatively small mobile OS marketshare (vs Android); and B) the App Store fee is fair because it’s basically the same as everyone else charges. (On the latter point it’s true Google also takes a 30% cut via the Play Store. However the Android platform lets users sideload apps; whereas, on iOS, users would have to jailbreak their device to get the same level of freedom to freely install apps of their choice).

Apple’s arguments are also now being actively looked into by EU regulators. Last month the Competition Commission announced it’s investigating Apple’s iOS store (and Apple Pay) — saying a preliminary probe of the store had identified concerns related to conditions and restrictions applied by the tech giant.

Specifically vis-a-vis the App Store, the Commission said it’s looking at Apple’s mandatory requirement that developers use its proprietary in-app purchase system, and at restrictions it applies on the ability of developers to inform iPhone and iPad users of alternative cheaper purchasing possibilities outside of the App Store.

The investigation by EU regulators is just the latest in a series of major big tech antitrust probes under the bloc’s current competition chief, Margrethe Vestager — who has also been digging into Amazon and Facebook business practices in recent years, as well as hitting Google with a series of record-breaking antitrust fines.

Over in the US, meanwhile, lawmakers are also actively grappling with competition concerns that have long been attached to a number of tech giants — and are being exacerbated by the pandemic concentrating platform power. Apple is one of the tech giants of concern, though not, seemingly, top of US lawmakers’ target list.

Yesterday, a hearing of the House Antitrust Subcommittee took testimony from four big tech CEOs: Amazon’s Jeff Bezos, Apple’s Tim Cook, Facebook’s Mark Zuckerberg and Google’s Sundar Pichai — with Pichai, Bezos and Zuckerberg getting the most questions from lawmakers.

Cook did face a number of questions around how the company operates the App Store, though — including about the commission it charges developers and a specific line of enquiry on why it had removed rival screen time apps. Asked whether Apple could ever raise its 30% take on app subscriptions Cook sought to sidestep the question, saying the fee had remained unchanged since the launch of the store.

He then followed up by arguing Apple faces huge competition for developers — citing alternatives platforms such as Windows and Xbox as also fiercely vying for developers, and likening the competition to attract developers as akin to “a street fight for market share”.

The contention from complainants like Spotify and Telegram is that Cook’s claim of Apple facing fierce competition for developers’ wares, from its position as the world’s second largest smartphone OS by marketshare, does not stand up to scrutiny. But it’ll be up to EU regulators to determine how to define the market for smartphone apps and, flowing from that, whether they identify harm or not.

Google’s “no choice” screen on Android isn’t working, says Ecosia — querying the EU’s approach to antitrust enforcement

Google alternative Ecosia is on a mission to turn search clicks into trees. The Berlin based not-for-profit reached a major milestone earlier this month, having used ad revenue generated by users of its privacy-sensitive search engine to plant more than 100 million trees across 25 countries worldwide — targeted at biodiversity hotspots.

However these good feels have been hit hard by the coronavirus pandemic. Ecosia has seen its monthly revenues slashed by half since COVID-19 arrived in Europe, with turnover falling from €2.6M in February to just €1.4M in June. It’s worried that its promise of planting a tree every 0.8 seconds is at risk.

It has also suffered a knock to regional visibility as a result of boycotting an auction process that Android OS maker Google has been running throughout this year, as a response to a 2018 Commission antitrust decision that found the tech giant had violated EU competition rules in how it operates the smartphone platform — including via conditions placed on phone makers to pre-load its own services (like Google search) as device defaults.

An auction process now determines which rival search engines appear on a search ‘choice screen’ Google began showing to Android users in Europe in the wake of the Commission decision. Currently, Google offers three paid slots via the auction to non-Google search engines. Android users setting up a new device always see Google’s own search engine as one of the four total options.

The tech giant’s rivals have consistently argued this ‘pay to play’ model is no remedy for its anti-competitive behavior with Android, the world’s dominant smartphone OS. Although most (including DuckDuckGo) felt forced to participate in its auction process from the get-go. Forgoing the most prominent route to the Android search market isn’t exactly a luxury most businesses could afford.

Ecosia, a not-for-profit, was the last major hold out. But now it says it’s been forced to end its boycott in a bid to remain competitive in the region. This means it will participate in the next auction round for the Android choice screen — scheduled for the beginning of Q4. If it wins any per country slots it will appear as a search choice option to those Android users in future, though likely not til next year given the length of the auction process.

It remains highly critical of Google’s pay-to-play model, arguing it’s no remedy for the antitrust violations identified by the Commission. It also laments that EU lawmakers are taking a ‘wait and see’ approach to determining whether Google’s ‘remedy’ is actually restoring competition, given all the evidence to the contrary.

“The main reason why we boycotted the auction is because we think it’s highly unfair and anticompetitive,” says Ecosia CEO Christian Kroll, speaking to TechCrunch via video chat. “Not only do we think that fair competition shouldn’t be sold off in an auction but also the way the auction is designed basically makes sure that only the least interesting options can win.

“Since we have a business model where we use most of our revenues to plant trees we basically can’t really win in an auction model. If you’re already a search engine that’s quite well known… then you have a lot of cannibalization effects through this screen. So we’re basically paying for traffic that we would get for free anyway… So it’s just super unfair and anticompetitive.”

Kroll expresses emphatic surprise that the Commission didn’t immediately reject Google’s auction model for the choice screen — saying it seems as if they’ve learned nothing from the EU’s earlier intervention against Microsoft’s tying of its Internet Explorer browser with its dominant desktop OS, Windows. (In that case the saga ended after Microsoft agreed to implement a ballot screen offering a choice of up to 12 browsers, which paved the road for Google to later gain share with its own Chrome browser.)

For a brief initial period last year Google did offer a fee-less choice screen in Europe, pushing this out to existing Android devices — with search rivals selected based on their market popularity per country (which, in some markets, included Ecosia).

However the tech giant said then that it would be “evolving” its implementation over time. And a few months later an auction model was announced as incoming for new Android devices — with that ‘pay-to-play’ approach kicking off at the start of this year.

Search rivals including DuckDuckGo and Qwant immediately cried foul. Yet the response from the Commission has been to kick the can — with regulators offering platitudes that said they would “closely monitor”. They also claimed to be “committed to a full and effective implementation of the decision”.

However the missing adjective in that statement is ‘fast’. Google rivals would argue that for a remedy to be effective it needs to happen really fast, like now — or, for some of them, the risk really is going out of business. After all, the Commission’s Android antitrust decision (which, yes, Google is appealing) already dates back two full years

“I find it very surprising that the European Commission hasn’t rejected [Google’s auction model] from the start because some of the key principles from what made the choice screen successful in the Microsoft case have just been completely disregarded and been turned around by Google to turn the whole concept of a choice screen to their advantage,” says Kroll. “We’re not even calling it the ‘choice screen’ internally, we just call it the ‘auction screen’. And since we’re now stopping to boycott we call it the ‘no choice screen’.”

“It’s Google’s way to give the impression that there’s free choice but there is no free choice,” he adds. “If Google’s objective here would be to create choice for the user then they would present the most interesting options, which are the search engines with the highest marketshares — so definitely us, DuckDuckGo and maybe some other players as well. But that’s not what they’re trying to do.”

Kroll points out that another German search rival to Google, Cliqz, had to pull the plug on its anti-tracking alternative at the start of this year — meaning there’s now one less homegrown anti-tracking rival to Google in play. And while Ecosia feels it has no choice but to participate in Google’s auction game Kroll says it also can’t know whether or not participating will result in Ecosia overpaying Google for leads that then mean it generates less revenue and can’t plant as many trees… Or, well, any trees if the worst were to happen.

(NB: Kroll was speaking to TechCrunch ahead of signing an NDA that Google requires participants of the auction to sign which puts a legal limit on what they can say about the process once they’re involved — which, in turn, is a problematic element that another European search rival, Qwant, has also complained is unfair… )

“We don’t have any choice left, other than to participate,” adds Kroll. “Because we want to have access to the Android platform. So basically Google has successfully bullied everyone to play to its own rules — and it’s a game where Google is not only the referee but also they get a free ticket and they are also players…

“Somehow Google magically convinced the public but I think also the European Commission that they need to generate revenue in an auction because they have so many costs through the Android development and so on. It is of course true that they have costs… but they are also generating massive profit through the deals that they then make with the device makers and those profits are not at all shared.”

Kroll points out that Google shells out a (reported) $12BN per year to be the default search engine in Safari on Apple’s iOS platform — even as it pays nothing to get in front of the vast majority of mobile searchers’ eyeballs via Android (and does the same with Chrome).

“If they would pay the same amount of money for those platform they would soon be bankrupt,” he argues. “So they are getting all this for free and they are also getting other benefits for free — like having the Play Store preinstalled, like having Google Maps preinstalled, YouTube preinstalled and so on — which are all revenue sources. But they’re not sharing any of those revenue. They just try to outsource all of the costs that they have to their competitors, which is I think very unfair.”

While Alphabet, Google’s parent entity, doesn’t break out Google Play revenue specifically from within a generic “advertising” bucket when it reports its financials, data from SensorTower for the first half of 2020 suggests it generated $17.3BN in Play Store revenue alone over this six-month period, up 21% year-over-year. And Play is just one of the moneyspinners Google derives via ‘free’ Android.

Since the Commission’s antitrust 2018 decision against Android Kroll argues that nothing has changed for search competitors like Ecosia which are trying to offer consumers a more interesting value exchange for their clicks.

“What Google is doing very successfully is they’re just playing on time,” he suggests. “Our competitor, Cliqz, already went bankrupt because of that. So the strategy seems to work really well for Google. And we also can’t afford to lose access to those platforms… I really hope that the European Commission will actually do something about this because it has been done successfully in the Microsoft case and we just need exactly the same.”

Kroll also flags DuckDuckGo’s design suggestions for “a fair choice screen” — which we covered here last year but which Google (and the Commission) have so far simply ignored.

He suspects regulators are waiting to see how the market looks in another year or more. But of course by then it may be too late to save more alternative search engines from a Cliqz-style demise, thereby further strengthening Google’s position. Which would obviously be the opposite of an antitrust remedy.

Commissioner Margrethe Vestager already conceded last year that another of her interventions against the tech giant — the Google AdSense antitrust case — is an example of “enforcement that hasn’t succeeded because it has failed to restore competition”. So if she’s not careful her record on failed remedies could dent her high profile reputation for being an antitrust chief who’s at least willing to take on tech giants. Where competition is concerned, it must be all about outcomes — or what are you even doing as claimed law ‘enforcers’?

“I always fear that the point might come when big corporates are more powerful than our public institutions and I’m wondering if this point isn’t already reached,” adds Kroll, positing that it’s not clear whether the EU — as an economic and political project now facing plenty of its own issues — will have enough resilience to be able to enforce its own competition law in the near future. So really his key point is: If not now, when? (Or, well, how?)

It’s certainly true that there’s a growing disconnect between what the Commission is saying around competition policy and digital markets — where it’s alive to the critique that regulatory interventions need to be able to move much faster if they’re to prevent monopoly power irreversibly tipping these markets (it’s currently consulting on whether to give itself greater powers of intervention) — and its hands-off approach to how to remedy market failure. tl;dr there’s no effective enforcement without effective remedies. So dropping the ball after the fact of a decision really defeats the whole operation.

Vestager clearly recognizes there’s a problem in the digital context — telling the EU parliament last year: “We have to consider remedies that are much more far reaching”. (Albeit, still not committing to having much more far reaching remedies.) Yet in parallel she preaches ‘wait and see’ as her overarching philosophy — a policy ‘push-pull’ which seems to be preventing the unit from even entertaining taking on a more agile, active and iterative role in supporting markets towards actual restoration of competition. At least not before a lengthy consultation exercise which further kicks the can,

If EU lawmakers can’t learn the lessons from their own relatively recent digital antitrust history (Microsoft tying IE to Windows) to effectively enforce what is a pretty straightforwardly similar antitrust case (Google tying search & its other services to Android), you have to question why they think they need new antitrust tools to properly tackle digital monopolies now. Given they don’t seem able to effectively wield the tools they’ve already got.

It does rather look increasingly like the current crop of EU regulators have lost conviction — and/or fallen prey to risk aversion — in the face of platform power moves. (To wit: There are whispers the Commission is preparing to wave through Google’s acquisition of Fitbit, on paper-thin promises from Google, despite major concerns raised about privacy and increased data consolidation — which, if true, would again mean the Commission ignoring its own recent history of naively swallowing other similar tech giant claims.)

“My feeling is, what has happened in the Microsoft case… there was just somebody in the Commission crazy enough to say this is what the decision is and you have to do it… And maybe it just takes those kind of guts. That’s then maybe a political question. Is Vestager willing to really pick those battles?” asks Kroll.

“My feeling is if people really understand the situation then they would care but you actually need to do a little bit of explaining that it’s not good to have a dominant player that is in such an important sector like search, and that is basically shutting down the market for everybody else.”

Asked what his message is for the US lawmakers now actively eyeing antitrust concerns around Google — and indeed much of big tech — Kroll says: “I’m a fan of competition and I also admire Google; I think Google is a very clever company but I think there is a point reached where there’s so much concentration of power that it gets dangerous for society… We’ve been suffering quite a lot from all the dominance that Google has in the various sectors. There are just things that Google are doing that are obviously anticompetitive.”

One specific thing he suggests regulators take a close look at is how much money Google pays Apple to be the default search option on Safari. “It’s paying more money than it can actually afford to win the Safari search volume — that I think is very anticompetitive,” he argues. “They already own two-thirds of the market and they basically buy whatever’s left over so that they can just cement their dominance.

“The regulators should have a very close look at that and disallow Google to participate in any of those bids for default positions in other browsers in the future. I think that would even be beneficial for browsers because in the long term there would finally be competition for those spots again. Currently Google’s just winning them because they’re running out of options and there are not many other search providers left to choose from.”

He also argues they need to make Google repair “some of the damage they’ve done” — i.e. as a result of unfairly gaining marketshare — by enforcing what he calls “a really fair choice screen”; non-paid and based on relevance for users. And by doing so on Android and Chrome devices. 

“I think until a year ago if you visited Google.com with your Safari browser or Firefox browser then Google would recommend to install Chrome. And for me that’s a clear abuse of one dominant position to support another part of your company,” he argues. “Google needs to repair that and that needs to happen very quickly — because otherwise other companies might [go out of business].”

“We’re still doing okay but we have been hit heavily by corona and we have a huge loss in revenue. Other companies might be hit even worse, I don’t know. And we don’t have the same deep pockets that the big players have. So other companies might disappear if nothing’s done soon,” he adds. 

We reached out to Google and the European Commission for comment.

A Google spokesperson pointed us to its FAQ about the auction. In further remarks which they specified could not be directly quoted they claimed an auction is a fair and objective method of determining how to fill available slots, adding that the revenue generated via the auction helps Google continue to invest in developing and maintaining Android.

While a spokeswoman for the Commission told us it has been “discussing” the choice screen mechanism with Google, following what she described as “relevant feedback from the market, in particular in relation to the presentation and mechanics of the choice screen and to the selection mechanism of rival search providers”.

The spokeswoman also reiterated earlier comments, that the Commission is continuing to monitor Google’s choice screen implementation and is “committed to a full and effective implementation of the decision”.

However a source familiar with the matter said EU lawmakers view paid premium placement for a few cents as far superior to what Google was offering rivals before — i.e. no visibility at all — and thus take the view that that something is better than nothing.

Google’s “no choice” screen on Android isn’t working, says Ecosia — querying the EU’s approach to antitrust enforcement

Google alternative Ecosia is on a mission to turn search clicks into trees. The Berlin based not-for-profit reached a major milestone earlier this month, having used ad revenue generated by users of its privacy-sensitive search engine to plant more than 100 million trees across 25 countries worldwide — targeted at biodiversity hotspots.

However these good feels have been hit hard by the coronavirus pandemic. Ecosia has seen its monthly revenues slashed by half since COVID-19 arrived in Europe, with turnover falling from €2.6M in February to just €1.4M in June. It’s worried that its promise of planting a tree every 0.8 seconds is at risk.

It has also suffered a knock to regional visibility as a result of boycotting an auction process that Android OS maker Google has been running throughout this year, as a response to a 2018 Commission antitrust decision that found the tech giant had violated EU competition rules in how it operates the smartphone platform — including via conditions placed on phone makers to pre-load its own services (like Google search) as device defaults.

An auction process now determines which rival search engines appear on a search ‘choice screen’ Google began showing to Android users in Europe in the wake of the Commission decision. Currently, Google offers three paid slots via the auction to non-Google search engines. Android users setting up a new device always see Google’s own search engine as one of the four total options.

The tech giant’s rivals have consistently argued this ‘pay to play’ model is no remedy for its anti-competitive behavior with Android, the world’s dominant smartphone OS. Although most (including DuckDuckGo) felt forced to participate in its auction process from the get-go. Forgoing the most prominent route to the Android search market isn’t exactly a luxury most businesses could afford.

Ecosia, a not-for-profit, was the last major hold out. But now it says it’s been forced to end its boycott in a bid to remain competitive in the region. This means it will participate in the next auction round for the Android choice screen — scheduled for the beginning of Q4. If it wins any per country slots it will appear as a search choice option to those Android users in future, though likely not til next year given the length of the auction process.

It remains highly critical of Google’s pay-to-play model, arguing it’s no remedy for the antitrust violations identified by the Commission. It also laments that EU lawmakers are taking a ‘wait and see’ approach to determining whether Google’s ‘remedy’ is actually restoring competition, given all the evidence to the contrary.

“The main reason why we boycotted the auction is because we think it’s highly unfair and anticompetitive,” says Ecosia CEO Christian Kroll, speaking to TechCrunch via video chat. “Not only do we think that fair competition shouldn’t be sold off in an auction but also the way the auction is designed basically makes sure that only the least interesting options can win.

“Since we have a business model where we use most of our revenues to plant trees we basically can’t really win in an auction model. If you’re already a search engine that’s quite well known… then you have a lot of cannibalization effects through this screen. So we’re basically paying for traffic that we would get for free anyway… So it’s just super unfair and anticompetitive.”

Kroll expresses emphatic surprise that the Commission didn’t immediately reject Google’s auction model for the choice screen — saying it seems as if they’ve learned nothing from the EU’s earlier intervention against Microsoft’s tying of its Internet Explorer browser with its dominant desktop OS, Windows. (In that case the saga ended after Microsoft agreed to implement a ballot screen offering a choice of up to 12 browsers, which paved the road for Google to later gain share with its own Chrome browser.)

For a brief initial period last year Google did offer a fee-less choice screen in Europe, pushing this out to existing Android devices — with search rivals selected based on their market popularity per country (which, in some markets, included Ecosia).

However the tech giant said then that it would be “evolving” its implementation over time. And a few months later an auction model was announced as incoming for new Android devices — with that ‘pay-to-play’ approach kicking off at the start of this year.

Search rivals including DuckDuckGo and Qwant immediately cried foul. Yet the response from the Commission has been to kick the can — with regulators offering platitudes that said they would “closely monitor”. They also claimed to be “committed to a full and effective implementation of the decision”.

However the missing adjective in that statement is ‘fast’. Google rivals would argue that for a remedy to be effective it needs to happen really fast, like now — or, for some of them, the risk really is going out of business. After all, the Commission’s Android antitrust decision (which, yes, Google is appealing) already dates back two full years

“I find it very surprising that the European Commission hasn’t rejected [Google’s auction model] from the start because some of the key principles from what made the choice screen successful in the Microsoft case have just been completely disregarded and been turned around by Google to turn the whole concept of a choice screen to their advantage,” says Kroll. “We’re not even calling it the ‘choice screen’ internally, we just call it the ‘auction screen’. And since we’re now stopping to boycott we call it the ‘no choice screen’.”

“It’s Google’s way to give the impression that there’s free choice but there is no free choice,” he adds. “If Google’s objective here would be to create choice for the user then they would present the most interesting options, which are the search engines with the highest marketshares — so definitely us, DuckDuckGo and maybe some other players as well. But that’s not what they’re trying to do.”

Kroll points out that another German search rival to Google, Cliqz, had to pull the plug on its anti-tracking alternative at the start of this year — meaning there’s now one less homegrown anti-tracking rival to Google in play. And while Ecosia feels it has no choice but to participate in Google’s auction game Kroll says it also can’t know whether or not participating will result in Ecosia overpaying Google for leads that then mean it generates less revenue and can’t plant as many trees… Or, well, any trees if the worst were to happen.

(NB: Kroll was speaking to TechCrunch ahead of signing an NDA that Google requires participants of the auction to sign which puts a legal limit on what they can say about the process once they’re involved — which, in turn, is a problematic element that another European search rival, Qwant, has also complained is unfair… )

“We don’t have any choice left, other than to participate,” adds Kroll. “Because we want to have access to the Android platform. So basically Google has successfully bullied everyone to play to its own rules — and it’s a game where Google is not only the referee but also they get a free ticket and they are also players…

“Somehow Google magically convinced the public but I think also the European Commission that they need to generate revenue in an auction because they have so many costs through the Android development and so on. It is of course true that they have costs… but they are also generating massive profit through the deals that they then make with the device makers and those profits are not at all shared.”

Kroll points out that Google shells out a (reported) $12BN per year to be the default search engine in Safari on Apple’s iOS platform — even as it pays nothing to get in front of the vast majority of mobile searchers’ eyeballs via Android (and does the same with Chrome).

“If they would pay the same amount of money for those platform they would soon be bankrupt,” he argues. “So they are getting all this for free and they are also getting other benefits for free — like having the Play Store preinstalled, like having Google Maps preinstalled, YouTube preinstalled and so on — which are all revenue sources. But they’re not sharing any of those revenue. They just try to outsource all of the costs that they have to their competitors, which is I think very unfair.”

While Alphabet, Google’s parent entity, doesn’t break out Google Play revenue specifically from within a generic “advertising” bucket when it reports its financials, data from SensorTower for the first half of 2020 suggests it generated $17.3BN in Play Store revenue alone over this six-month period, up 21% year-over-year. And Play is just one of the moneyspinners Google derives via ‘free’ Android.

Since the Commission’s antitrust 2018 decision against Android Kroll argues that nothing has changed for search competitors like Ecosia which are trying to offer consumers a more interesting value exchange for their clicks.

“What Google is doing very successfully is they’re just playing on time,” he suggests. “Our competitor, Cliqz, already went bankrupt because of that. So the strategy seems to work really well for Google. And we also can’t afford to lose access to those platforms… I really hope that the European Commission will actually do something about this because it has been done successfully in the Microsoft case and we just need exactly the same.”

Kroll also flags DuckDuckGo’s design suggestions for “a fair choice screen” — which we covered here last year but which Google (and the Commission) have so far simply ignored.

He suspects regulators are waiting to see how the market looks in another year or more. But of course by then it may be too late to save more alternative search engines from a Cliqz-style demise, thereby further strengthening Google’s position. Which would obviously be the opposite of an antitrust remedy.

Commissioner Margrethe Vestager already conceded last year that another of her interventions against the tech giant — the Google AdSense antitrust case — is an example of “enforcement that hasn’t succeeded because it has failed to restore competition”. So if she’s not careful her record on failed remedies could dent her high profile reputation for being an antitrust chief who’s at least willing to take on tech giants. Where competition is concerned, it must be all about outcomes — or what are you even doing as claimed law ‘enforcers’?

“I always fear that the point might come when big corporates are more powerful than our public institutions and I’m wondering if this point isn’t already reached,” adds Kroll, positing that it’s not clear whether the EU — as an economic and political project now facing plenty of its own issues — will have enough resilience to be able to enforce its own competition law in the near future. So really his key point is: If not now, when? (Or, well, how?)

It’s certainly true that there’s a growing disconnect between what the Commission is saying around competition policy and digital markets — where it’s alive to the critique that regulatory interventions need to be able to move much faster if they’re to prevent monopoly power irreversibly tipping these markets (it’s currently consulting on whether to give itself greater powers of intervention) — and its hands-off approach to how to remedy market failure. tl;dr there’s no effective enforcement without effective remedies. So dropping the ball after the fact of a decision really defeats the whole operation.

Vestager clearly recognizes there’s a problem in the digital context — telling the EU parliament last year: “We have to consider remedies that are much more far reaching”. (Albeit, still not committing to having much more far reaching remedies.) Yet in parallel she preaches ‘wait and see’ as her overarching philosophy — a policy ‘push-pull’ which seems to be preventing the unit from even entertaining taking on a more agile, active and iterative role in supporting markets towards actual restoration of competition. At least not before a lengthy consultation exercise which further kicks the can,

If EU lawmakers can’t learn the lessons from their own relatively recent digital antitrust history (Microsoft tying IE to Windows) to effectively enforce what is a pretty straightforwardly similar antitrust case (Google tying search & its other services to Android), you have to question why they think they need new antitrust tools to properly tackle digital monopolies now. Given they don’t seem able to effectively wield the tools they’ve already got.

It does rather look increasingly like the current crop of EU regulators have lost conviction — and/or fallen prey to risk aversion — in the face of platform power moves. (To wit: There are whispers the Commission is preparing to wave through Google’s acquisition of Fitbit, on paper-thin promises from Google, despite major concerns raised about privacy and increased data consolidation — which, if true, would again mean the Commission ignoring its own recent history of naively swallowing other similar tech giant claims.)

“My feeling is, what has happened in the Microsoft case… there was just somebody in the Commission crazy enough to say this is what the decision is and you have to do it… And maybe it just takes those kind of guts. That’s then maybe a political question. Is Vestager willing to really pick those battles?” asks Kroll.

“My feeling is if people really understand the situation then they would care but you actually need to do a little bit of explaining that it’s not good to have a dominant player that is in such an important sector like search, and that is basically shutting down the market for everybody else.”

Asked what his message is for the US lawmakers now actively eyeing antitrust concerns around Google — and indeed much of big tech — Kroll says: “I’m a fan of competition and I also admire Google; I think Google is a very clever company but I think there is a point reached where there’s so much concentration of power that it gets dangerous for society… We’ve been suffering quite a lot from all the dominance that Google has in the various sectors. There are just things that Google are doing that are obviously anticompetitive.”

One specific thing he suggests regulators take a close look at is how much money Google pays Apple to be the default search option on Safari. “It’s paying more money than it can actually afford to win the Safari search volume — that I think is very anticompetitive,” he argues. “They already own two-thirds of the market and they basically buy whatever’s left over so that they can just cement their dominance.

“The regulators should have a very close look at that and disallow Google to participate in any of those bids for default positions in other browsers in the future. I think that would even be beneficial for browsers because in the long term there would finally be competition for those spots again. Currently Google’s just winning them because they’re running out of options and there are not many other search providers left to choose from.”

He also argues they need to make Google repair “some of the damage they’ve done” — i.e. as a result of unfairly gaining marketshare — by enforcing what he calls “a really fair choice screen”; non-paid and based on relevance for users. And by doing so on Android and Chrome devices. 

“I think until a year ago if you visited Google.com with your Safari browser or Firefox browser then Google would recommend to install Chrome. And for me that’s a clear abuse of one dominant position to support another part of your company,” he argues. “Google needs to repair that and that needs to happen very quickly — because otherwise other companies might [go out of business].”

“We’re still doing okay but we have been hit heavily by corona and we have a huge loss in revenue. Other companies might be hit even worse, I don’t know. And we don’t have the same deep pockets that the big players have. So other companies might disappear if nothing’s done soon,” he adds. 

We reached out to Google and the European Commission for comment.

A Google spokesperson pointed us to its FAQ about the auction. In further remarks which they specified could not be directly quoted they claimed an auction is a fair and objective method of determining how to fill available slots, adding that the revenue generated via the auction helps Google continue to invest in developing and maintaining Android.

While a spokeswoman for the Commission told us it has been “discussing” the choice screen mechanism with Google, following what she described as “relevant feedback from the market, in particular in relation to the presentation and mechanics of the choice screen and to the selection mechanism of rival search providers”.

The spokeswoman also reiterated earlier comments, that the Commission is continuing to monitor Google’s choice screen implementation and is “committed to a full and effective implementation of the decision”.

However a source familiar with the matter said EU lawmakers view paid premium placement for a few cents as far superior to what Google was offering rivals before — i.e. no visibility at all — and thus take the view that that something is better than nothing.

As remote work booms, Everphone grabs ~$40M for its ‘device as a service’ offer

The latest startup to see an uplift in inbound interest flowing from the remote work boom triggered by the coronavirus pandemic is Berlin-based Everphone, which sells a ‘mobile as a service’ device rental package that caters to businesses needing to kit staff out with mobile hardware plus associated support.

Everphone is announcing a €34 million Series B funding round today, led by new investor signals Venture Capital. Other new investors joining the round include German carrier Deutsche Telekom — investing via its strategic investment fund, Telekom Innovation Pool — US-based early stage VC AlleyCorp and Dutch bank NIBC.

The Series B financing will go on expanding to meet rising demand, with the startup telling TechCrunch it’s expecting to see a 70-100% increase in sales volume vs the pre-crisis period, thanks to a doubling of inbound leads during the pandemic.

“The global pandemic has been a catalyst for growth in the field of digitization,” said CEO and co-founder, Jan Dzulko, in a statement. “We are currently experiencing a significant increase in demand at home and abroad, which is why we are aiming for European expansion with the funding.”

Everphone describes its offer as a one-stop-shop, with the service covering not just the rental of (new or refurbished) smartphones and tablets but an administration and management wrapper that covers support needs, including handling repairs/replacements — with the promise of replacements within 24 hours if needed and less client risk from not having to wrangle traditional rental insurance fine print.

Other touted pluses of its “device as a service” approach include flexibility (users get to choose from a range of iOS and Android devices); lower cost (pricing depends on customer size, device choice and rental term but starts at €7,99 a month for a refurbished budget device, rising up to €49,99 a month for high end kit with a 12-month upgrade); and rental bundles which can include standard mobile device management software (such as Cortado and AirWatch) so customers can plug the rental hardware into their existing IT policies and processes.

Everphone reckons this service wrapper — which can also extend to including paid apps (such as Babbel for language learning) as an employee on-device perk/benefit in the bundle — differentiates its offer vs incumbent leasing providers, such as CHG-Meridian or De Lage Landen, and from wholesale distributors.

It also touts its global rollout capability as a customer draw, checking the scalability box.

While its investors (including German carrier, DK) are being fired up by the conviction that the COVID-19 induced shift away from the office to home working will create a boom in demand for well managed and secured work phones to mitigate the risk of personal devices and personal data mingling improperly with work stuff. (On that front Everphone’s website is replete with references to Europe’s data protection framework, GDPR, repurposed as scare marketing.)

“Everphone envisions that every employee will one day work via their smartphone,” added Marcus Polke, partner at signals Venture Capital, in a supporting statement. “With this employee-centric approach and integrated platform, everphone goes far beyond the mere outsourcing of a smartphone IT infrastructure.”

The 2016-founded startup has more than 400 customers signed up at this point, both SMEs and multinationals such as Ernst & Young. It caters to both ends of the market with an off-the-shelf package and self-service device management portal that’s intended for SMEs of between 100 and 1,500 employees — plus custom integrations for larger entities of up to 30,000 employees.

It says it’s able to offer “highly competitive” prices for renting new devices because it gives returned kit a second life, refurbishing and reselling devices on the consumer market. “Thanks to this profitable secondary lifespan, we are able to offer highly competitive prices and extensive service levels on our rental devices,” Everphone writes on its website.

The second hand smartphone market has also been seeing regional growth. Swappie, a European ecommerce startup that sells refurbished iPhones, aligning with EU lawmakers’ push for a ‘right to repair’ for electronics, raised its own ~$40M Series B only last month, for example. Its secondhand marketplace is one potential outlet for Everphone’s rented and returned iPhones.

As remote work booms, Everphone grabs ~$40M for its ‘device as a service’ offer

The latest startup to see an uplift in inbound interest flowing from the remote work boom triggered by the coronavirus pandemic is Berlin-based Everphone, which sells a ‘mobile as a service’ device rental package that caters to businesses needing to kit staff out with mobile hardware plus associated support.

Everphone is announcing a €34 million Series B funding round today, led by new investor signals Venture Capital. Other new investors joining the round include German carrier Deutsche Telekom — investing via its strategic investment fund, Telekom Innovation Pool — US-based early stage VC AlleyCorp and Dutch bank NIBC.

The Series B financing will go on expanding to meet rising demand, with the startup telling TechCrunch it’s expecting to see a 70-100% increase in sales volume vs the pre-crisis period, thanks to a doubling of inbound leads during the pandemic.

“The global pandemic has been a catalyst for growth in the field of digitization,” said CEO and co-founder, Jan Dzulko, in a statement. “We are currently experiencing a significant increase in demand at home and abroad, which is why we are aiming for European expansion with the funding.”

Everphone describes its offer as a one-stop-shop, with the service covering not just the rental of (new or refurbished) smartphones and tablets but an administration and management wrapper that covers support needs, including handling repairs/replacements — with the promise of replacements within 24 hours if needed and less client risk from not having to wrangle traditional rental insurance fine print.

Other touted pluses of its “device as a service” approach include flexibility (users get to choose from a range of iOS and Android devices); lower cost (pricing depends on customer size, device choice and rental term but starts at €7,99 a month for a refurbished budget device, rising up to €49,99 a month for high end kit with a 12-month upgrade); and rental bundles which can include standard mobile device management software (such as Cortado and AirWatch) so customers can plug the rental hardware into their existing IT policies and processes.

Everphone reckons this service wrapper — which can also extend to including paid apps (such as Babbel for language learning) as an employee on-device perk/benefit in the bundle — differentiates its offer vs incumbent leasing providers, such as CHG-Meridian or De Lage Landen, and from wholesale distributors.

It also touts its global rollout capability as a customer draw, checking the scalability box.

While its investors (including German carrier, DK) are being fired up by the conviction that the COVID-19 induced shift away from the office to home working will create a boom in demand for well managed and secured work phones to mitigate the risk of personal devices and personal data mingling improperly with work stuff. (On that front Everphone’s website is replete with references to Europe’s data protection framework, GDPR, repurposed as scare marketing.)

“Everphone envisions that every employee will one day work via their smartphone,” added Marcus Polke, partner at signals Venture Capital, in a supporting statement. “With this employee-centric approach and integrated platform, everphone goes far beyond the mere outsourcing of a smartphone IT infrastructure.”

The 2016-founded startup has more than 400 customers signed up at this point, both SMEs and multinationals such as Ernst & Young. It caters to both ends of the market with an off-the-shelf package and self-service device management portal that’s intended for SMEs of between 100 and 1,500 employees — plus custom integrations for larger entities of up to 30,000 employees.

It says it’s able to offer “highly competitive” prices for renting new devices because it gives returned kit a second life, refurbishing and reselling devices on the consumer market. “Thanks to this profitable secondary lifespan, we are able to offer highly competitive prices and extensive service levels on our rental devices,” Everphone writes on its website.

The second hand smartphone market has also been seeing regional growth. Swappie, a European ecommerce startup that sells refurbished iPhones, aligning with EU lawmakers’ push for a ‘right to repair’ for electronics, raised its own ~$40M Series B only last month, for example. Its secondhand marketplace is one potential outlet for Everphone’s rented and returned iPhones.

No grace period after Schrems II Privacy Shield ruling, warn EU data watchdogs

European data watchdogs have issued updated guidance in the wake of last week’s landmark ruling striking down a flagship transatlantic data transfer mechanism called Privacy Shield.

In an FAQ on the Schrems II judgement, the European Data Protection Board (EDPB) warns there will be no regulatory grace period.

The EU-US Privacy Shield is dead and any companies still relying on it to authorize transfers of EU citizens’ personal data are doing so illegally is the top-line message.

“Transfers on the basis of this legal framework are illegal,” warns the EDPB baldly. Entities that wish to keep on transferring personal data to the U.S. need to use an alternative mechanism — but must first determine whether they can meet the legal requirement to protect the data from US surveillance.

What alternatives are there? Standard Contractual Clauses (SCCs) were not invalidated by the CJEU ruling. Binding Corporate Rules (BCRs) are also still technically available.

But in both cases would-be data exporters must conduct an up front analysis to ascertain whether they can in fact legally use these tools to move data in their specific context.

Anyone who is already using SCCs for the transfer of EU citizens’ data to the US (hi facebook!) isn’t exempt from carrying out an assessment — and needs to inform the relevant supervisory authority if they intend to keep using the mechanism.

The rub here for US transfers is that the CJEU judges invalidated Privacy Shield on the grounds that US surveillance laws fundamentally clash with EU privacy rights. So, in other words, Houston, you have a privacy problem…

“The Court found that U.S. law (i.e., Section 702 FISA [Foreign Intelligence Surveillance Act] and EO [Executive Order] 12333) does not ensure an essentially equivalent level of protection,” warns the EDPB in answer to the (expected) frequently asked question: “I am using SCCs with a data importer in the U.S., what should I do?”.

“Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place.”

The ability to use SCCs to transfer data to the US hinges on a data controller being able to offer a legal guarantee that “U.S. law does not impinge on the adequate level of protection” for the transferred data.

If a EU-US data exporter can’t be confident of that they are required to pull the plug on the data transfer. No ifs, no buts.

While, those who believe they can offer a legal guarantee of “appropriate safeguards” — and thus intend to keep transferring data to the US via SCC — must notify the relevant data watchdog. So there’s no option to carry on ‘as normal’ without informing the regulator. 

It’s the same story with BCRs — on which the EDPB notes: “Given the judgment of the Court, which invalidated the Privacy Shield because of the degree of interference created by the law of the U.S. with the fundamental rights of persons whose data are transferred to that third country, and the fact that the Privacy Shield was also designed to bring guarantees to data transferred with other tools such as BCRs, the Court’s assessment applies as well in the context of BCRs, since U.S. law will also have primacy over this tool.”

So, again, a case by case assessment is required to figure out whether you can be legally confident in offering the required level of protection.

No grace period after Schrems II Privacy Shield ruling, warn EU data watchdogs

European data watchdogs have issued updated guidance in the wake of last week’s landmark ruling striking down a flagship transatlantic data transfer mechanism called Privacy Shield.

In an FAQ on the Schrems II judgement, the European Data Protection Board (EDPB) warns there will be no regulatory grace period.

The EU-US Privacy Shield is dead and any companies still relying on it to authorize transfers of EU citizens’ personal data are doing so illegally is the top-line message.

“Transfers on the basis of this legal framework are illegal,” warns the EDPB baldly. Entities that wish to keep on transferring personal data to the U.S. need to use an alternative mechanism — but must first determine whether they can meet the legal requirement to protect the data from US surveillance.

What alternatives are there? Standard Contractual Clauses (SCCs) were not invalidated by the CJEU ruling. Binding Corporate Rules (BCRs) are also still technically available.

But in both cases would-be data exporters must conduct an up front analysis to ascertain whether they can in fact legally use these tools to move data in their specific context.

Anyone who is already using SCCs for the transfer of EU citizens’ data to the US (hi facebook!) isn’t exempt from carrying out an assessment — and needs to inform the relevant supervisory authority if they intend to keep using the mechanism.

The rub here for US transfers is that the CJEU judges invalidated Privacy Shield on the grounds that US surveillance laws fundamentally clash with EU privacy rights. So, in other words, Houston, you have a privacy problem…

“The Court found that U.S. law (i.e., Section 702 FISA [Foreign Intelligence Surveillance Act] and EO [Executive Order] 12333) does not ensure an essentially equivalent level of protection,” warns the EDPB in answer to the (expected) frequently asked question: “I am using SCCs with a data importer in the U.S., what should I do?”.

“Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place.”

The ability to use SCCs to transfer data to the US hinges on a data controller being able to offer a legal guarantee that “U.S. law does not impinge on the adequate level of protection” for the transferred data.

If a EU-US data exporter can’t be confident of that they are required to pull the plug on the data transfer. No ifs, no buts.

While, those who believe they can offer a legal guarantee of “appropriate safeguards” — and thus intend to keep transferring data to the US via SCC — must notify the relevant data watchdog. So there’s no option to carry on ‘as normal’ without informing the regulator. 

It’s the same story with BCRs — on which the EDPB notes: “Given the judgment of the Court, which invalidated the Privacy Shield because of the degree of interference created by the law of the U.S. with the fundamental rights of persons whose data are transferred to that third country, and the fact that the Privacy Shield was also designed to bring guarantees to data transferred with other tools such as BCRs, the Court’s assessment applies as well in the context of BCRs, since U.S. law will also have primacy over this tool.”

So, again, a case by case assessment is required to figure out whether you can be legally confident in offering the required level of protection.

Slack has filed an antitrust complaint against Microsoft Teams in the EU

Workplace instant messaging platform Slack has filed an antitrust complaint against Microsoft in the European Union accusing the tech giant of unfairly bundling its rival Teams product with its cloud-based productivity suite.

A spokeswoman for the Commission’s competition division confirmed receipt of a complaint, telling us via email: “We confirm that we received a complaint by Slack against Microsoft. We will assess it under our standard procedures.”

We’ve also reached out to Microsoft and Slack for comment.

Per the FT, which has a statement from Slack, the company is accusing Microsoft of illegally abusing its market power by tying its competing product, Teams, to its dominant enterprise suite, Microsoft 365.

“Microsoft has illegally tied its Teams product into its market-dominant Office productivity suite, force installing it for millions, blocking its removal, and hiding the true cost to enterprise customers,” Slack said in the statement.

In further comments to the newspaper, Slack executives said they’re asking EU regulators to move quickly to “to ensure Microsoft cannot continue to illegally leverage its power from one market to another by bundling or tying products”.

Slack told the newspaper it wants the Windows maker to be forced to sell Teams separately to Microsoft 365 at a separate price, rather than bundling it with the existing suite and absorbing the cost.

The complaint is not a surprise given Microsoft and Slack have been at odds for years, ever since the Redmond-based software giant announced its Teams product back in 2016. At the time Slack took out a newspaper advertisement sardonically mocking Microsoft and welcoming the competition. In the ensuing years, Microsoft’s Teams product has also grown from also-ran to legitimate competitor.

Teams most recently announced that it had reached 75 million daily active users (DAU) in April of this year, a gain of 70% from a March number of 44 million DAUs. Like many remote-work friendly products and services, Slack and Teams have seen usage gains in the wake of COVID-19 and its economic disruptions. (Both services are also rolling out new features, combating for media attention, user mindshare, and new customer accounts).

Slack’s last shared DAU number that TechCrunch could find came from March, when Slack’s CEO reported 12.5 million daily actives.

Microsoft’s competing Teams product has managed to transition from dismissed upstart, to rival, to perhaps leading competitor in the space of a few years — but with the advantage of being bundled with a dominant office suite product. Slack’s business is still growing nicely, but with the power of Microsoft’s enterprise sales channel stapled to its growing Microsoft 365 product suite, it’s not surprising to see Slack seek regulatory relief against the larger company.

Whether you agree with Slack’s antitrust take, the move is likely good business. Slack’s shares dropped after its most recent earnings report after its growth and future guidance failed to meet investor expectations (in fairness, Slack did grow 50% on a year-over-year basis, even if Wall Street was unimpressed). If Microsoft’s Teams product is eating into its famed business expansion, Slack could see its share price suffer further. So, heading off Microsoft in a region famed for active government intervention into business appears savvy.

EU competition chief Margrethe Vestager is famed for her relative alacrity in grappling with complex digital cases. Though her record when judged by outcomes remains contested.

Also noteworthy: EU lawmakers are consulting on whether to give regional antitrust regulators greater powers to intervene in digital markets when they suspect a market might be being tipped unfairly in favor of one player.

For long time tech watchers, Microsoft being accused of unfairly bundling in the EU will of course bring back plenty of memories. Although, most recently, the tech giant has been making hay out of Apple being put under formal antitrust probe in the region — with president Brad Smith claiming in a Politico video interview last month that Cupertino’s app store walls are “higher” and “more formidable” than anything it threw up in years past.

Reminder: All the way back in 2004 EU antitrust regulators slapped Microsoft with the (then) biggest ever fine — around a half billion euros — for abusing a near monopoly position with its desktop OS, Windows, to try to crush competitors in the digital media player and low end server market. So, er…

UK gov’t asleep at the wheel on Russia cyber ops threat, report warns

The UK lacks a comprehensive and cohesive high level strategy to respond to the cyber threat posed by Russia and other hostile states using online disinformation and influence ops to target democratic institutions and values, a parliamentary committee has warned in a long-delayed report that’s finally been published today.

“The UK is clearly a target for Russia’s disinformation campaigns and political influence operations and must therefore equip itself to counter such efforts,” the committee warns, calling for legislation to tackle the multi-pronged threat posed by hostile foreign influence operations in the digital era.

The report also urges the government to do the leg work of attributing state-backed cyber attacks — recommending a tactic of ‘naming and shaming’ perpetrators, while recognizing that UK agencies have, since the WannaCry attack, been more willing to publicly attribute a cyber attack to a state actor like Russia than they were in decades past. (Last week the government did just that in relation to COVID-19 vaccine R&D efforts — attacking Russia for targeting the work with custom malware, as UK ministers sought to get out ahead of the committee’s recommendations.)

“Russia’s cyber capability, when combined with its willingness to deploy it in a malicious capacity, is a matter of grave concern, and poses an immediate and urgent threat to our national security,” the committee warns.

On the threat posed to democracy by state-backed online disinformation and influence campaigns, the committee also points a finger of blame at social media giants for “failing to play their part”.

“It is the social media companies which hold the key and yet are failing to play their part,” the committee writes, urging the government to establish “a protocol” with platform giants to ensure they “take covert hostile state use of their platforms seriously, and have clear timescales within which they commit to removing such material”.

“Government should ‘name and shame’ those which fail to act,” the committee adds, suggesting such a protocol could be “usefully expanded” to other areas where the government is seeking action from platforms giants.

Russia report

The Intelligence and Security Committee (ISC) prepared the dossier for publication last year, after conducting a lengthy enquiry into Russian state influence in the UK — including examining how money from Russian oligarchs flows into the country, and especially into London, via wealthy ex-pats and their establishment links; as well as looking at Russia’s use of hostile cyber operations to attempt to influence UK elections.

UK prime minister Boris Johnson blocked publication ahead of last year’s general election — meaning it’s taken a full nine months for the report to make it into the public domain, despite then committee chair urging publication ahead of polling day. The UK’s next election, meanwhile, is not likely for some half a decade’s time. (Related: Johnson was able to capitalize on unregulated social media ads during his own election campaign last year, so, er… )

The DCMS committee, which was one of the bodies that submitted evidence to the ISC’s inquiry, has similarly been warning for years about the threats posed to democracy by online disinformation and political targeting — as have the national data watchdog and others. Yet successive Conservative-led governments have failed to act on urgent recommendations in this area.

Last year ministers set out a proposal to regulate a broad swathe of ‘online harms’, although the focus is not specifically on political disinformation — and draft legislation still hasn’t been laid before parliament.

“The clearest requirement for immediate action is for new legislation,” the ISC committee writes of the threat posed by Russia. “The Intelligence Community must be given the tools it needs and be put in the best possible position if it is to tackle this very capable adversary, and this means a new statutory framework to tackle espionage, the illicit financial dealings of the Russian elite and the ‘enablers’ who support this activity.”

The report labels foreign disinformation operations and online influence campaigns something of a “hot potato” no UK agency wants to handle. A key gap the report highlights is this lack of ministerial responsibility for combating the democratic threat posed by hostile foreign states, leveraging connectivity to spread propaganda or deploy malware.

“Protecting our democratic discourse and processes from hostile foreign interference is a central responsibility of Government, and should be a ministerial priority,” the committee writes, flagging both the lack of central, ministerial responsibility and a reluctance by the UK’s intelligence and security agencies to involve themselves in actively defending democratic processes.

“Whilst we understand the nervousness around any suggestion that the intelligence and security Agencies might be involved in democratic processes – certainly a fear that is writ large in other countries – that cannot apply when it comes to the protection of those processes. And without seeking in any way to imply that DCMS [the Department for Digital, Culture, Media and Sport] is not capable, or that the Electoral Commission is not a staunch defender of democracy, it is a question of scale and access. DCMS is a small Whitehall policy department and the Electoral Commission is an arm’s length body; neither is in the central position required to tackle a major hostile state threat to our democracy.”

Last July the government did announce what it called its Defending Democracy programme, which — per the ISC committee report — is intended to “co-ordinate work on protecting democratic discourse and processes from interference under the leadership of the Cabinet Office, with the Chancellor of the Duchy of Lancaster and the Deputy National Security Adviser holding overall responsibility at ministerial and official level respectively”.

However the committee points out this structure is “still rather fragmented”, noting that at least ten separate teams are involved across government.

It also questions the level of priority being attached to the issue, writing that: “It seems to have been afforded a rather low priority: it was signed off by the National Security Council only in February 2019, almost three years after the EU referendum campaign and the US presidential election which brought these issues to the fore.”

“In the Committee’s view, a foreign power seeking to interfere in our democratic processes – whether it is successful or not – cannot be taken lightly; our democracy is intrinsic to our country’s success and well-being and any threat to it must be treated as a serious national security issue by those tasked with defending us,” it adds.

The lack of an overarching ministerial body invested with central responsibility to tackle online threats to democracy goes a long way to explaining the damp squib of a response around breaches of UK election law which relate to the Brexit vote — when social media platforms were used to funnel in dark money to fund digital ads aimed at influencing the outcome of what should have been a UK-only vote.

(A redacted footnote in the report touches on the £8M donation by Arron Banks to the Leave.EU campaign — “the biggest donor in British political history”; noting how the Electoral Commission, which had been investigating the source of the donation, referred the case to the National Crime Agency — “which investigated it ***” [redacting any committee commentary on what was or was not found by the NCA]; before adding: “In September 2019, the National Crime Agency announced that it had concluded the investigation, having found no evidence that any criminal offences had been committed under the Political Parties, Elections and Referendums Act 2000 or company law by any of the individuals or organisations referred to it by the Electoral Commission.”)

“The regulation of political advertising falls outside this Committee’s remit,” the ISC report adds, under a brief section on ‘Political advertising on social media’. “We agree, however, with the DCMS Select Committee’s conclusion that the regulatory framework needs urgent review if it is to be fit for purpose in the age of widespread social media.

“In particular, we note and affirm the Select Committee’s recommendation that all online political adverts should include an imprint stating who is paying for it. We would add to that a requirement for social media companies to co-operate with MI5 where it is suspected that a hostile foreign state may be covertly running a campaign.”

On Brexit itself, and the heavily polarizing question of how much influence Russia was able to exert over the UK’s vote to leave the European Union, the committee suggests this would be “difficult” or even “impossible” to assess. But it emphasizes: “it is important to establish whether a hostile state took deliberate action with the aim of influencing a UK democratic process, irrespective of whether it was successful or not.”

The report then goes on to query the lack of evidence of an attempt by the UK government or security agencies to do just that.

In one interesting — and heavily redacted paragraph — the committee notes it sought to ascertain whether UK intelligence agencies hold “secret intelligence” that might support or supplement open source studies that have pointed to attempts by Russia to influence the Brexit vote — but was sent only a very brief response.

Here the committee writes:

In response to our request for written evidence at the outset of the Inquiry, MI5 initially provided just six lines of text. It stated that ***, before referring to academic studies. This was noteworthy in terms of the way it was couched (***) and the reference to open source studies ***. The brevity was also, to us, again, indicative of the extreme caution amongst the intelligence and security Agencies at the thought that they might have any role in relation to the UK’s democratic processes, and particularly one as contentious as the EU referendum. We repeat that this attitude is illogical; this is about the protection of the process and mechanism from hostile state interference, which should fall to our intelligence and security Agencies.

The report also records a gap in the government’s response on this issue — with the committee being told of no active attempt by government to understand whether or not UK elections have been targeted by Russia.

“The written evidence provided to us appeared to suggest that HMG had not seen or sought evidence of successful interference in UK democratic processes or any activity that has had a material impact on an election, for example influencing results,” it writes.

A later redacted paragraph indicates an assessment by the committee that the government failed to fully take into account open source material which had indicated attempts to influence Brexit (such as the studies of attempts to influence the referendum using Russia state mouthpieces RT and Sputnik; or via social media campaigns).

“Given that the Committee has previously been informed that open source material is now fully represented in the Government’s understanding of the threat picture, it was surprising to us that in this instance it was not,” the committee adds.

The committee also raises an eyebrow at the lack of any post-referendum analysis of Russian attempts to influence the vote by UK intelligence agencies — which it describes as in “stark contrast” to the US agency response following the revelations of Russian disops targeted at the 2016 US presidential election.

“Whilst the issues at stake in the EU referendum campaign are less clear-cut, it is nonetheless the Committee’s view that the UK Intelligence Community should produce an analogous assessment of potential Russian interference in the EU referendum and that an unclassified summary of it be published,” it suggests.

In other recommendations related to Russia’s “offensive cyber” capabilities, the committee reiterates that there’s a need for “a common international approach” to tackling the threat.

“It is clear there is now a pressing requirement for the introduction of a doctrine, or set of protocols, to ensure that there is a common approach to Offensive Cyber. While the UN has agreed that international law, and in particular the UN Charter, applies in cyberspace, there is still a need for a greater global understanding of how this should work in practice,” it writes, noting that it made the same recommendation in its 2016-17 annual
report.

“It is imperative that there are now tangible developments in this area in light of the increasing threat from Russia (and others, including China, Iran and the Democratic People’s Republic of Korea). Achieving a consensus on this common approach will be a challenging process, but as a leading proponent of the Rules Based International Order it is essential that the UK helps to promote and shape Rules of Engagement, working
with our allies.”

The security-cleared committee notes that the public report is a redacted summary of a more detailed dossier it felt unable to publish on account of classified information and the risk of Russia being able to use it to glean too much intelligence on the level of UK intelligence of its activities. Hence opting for a more truncated (and redacted) document than it would usually publish — which again raises questions over why Johnson sought repeatedly to delay publication.

Plenty of sections of the report contain a string of asterisk at a crucial point, eliding strategic specifics (e.g. this paragraph on exactly how Russia is targeting critical UK infrastructure: “Russia has also undertaken cyber pre-positioning activity on other nations’ Critical National Infrastructure (CNI). The National Cyber Security Centre (NCSC) has advised that there is *** Russian cyber intrusion into the UK’s CNI – particularly marked in the *** sectors.)”)

Most recently Number 10 sought to influence the election of the ISC committee chair by seeking to parachute a preferred candidate into the seat — which could have further delayed publication of the report. However the attempt at stacking the committee was thwarted when new chair, Conservative MP Julian Lewis, sided with opposition MPs to vote for himself. After which the newly elected committee voted unanimously to release the Russia report before the summer recess of parliament, avoiding another multi-month delay.

Another major chunk of the report, which tackles the topic of Russian expatriate oligarchs and their money; how they’ve been welcomed into UK society with “open arms”, enabling their illicit finance to be recycled through “the London ‘laundromat’, and to find its way inexorably into political party coffers, may explain the government’s reluctance for the report to be made public.

The committee’s commentary here makes particularly awkward reading for a political party with major Russian donors. And a prime minister with Russian oligarch friends

“It is widely recognised that the key to London’s appeal was the exploitation of the UK’s investor visa scheme, introduced in 1994, followed by the promotion of a light and limited touch to regulation, with London’s strong capital and housing markets offering sound investment opportunities,” the committee writes, further noting that Russian money was also invested in “extending patronage and building influence across a wide sphere of the British establishment – PR firms, charities, political interests, academia and cultural institutions were all willing beneficiaries of Russian money, contributing to a ‘reputation laundering’ process”.

“In brief, Russian influence in the UK is ‘the new normal’, and there are a lot of Russians with very close links to Putin who are well integrated into the UK business and social scene, and accepted because of their wealth,” it adds.

You can read the full report here.

UK gov’t asleep at the wheel on Russia cyber ops threat, report warns

The UK lacks a comprehensive and cohesive high level strategy to respond to the cyber threat posed by Russia and other hostile states using online disinformation and influence ops to target democratic institutions and values, a parliamentary committee has warned in a long-delayed report that’s finally been published today.

“The UK is clearly a target for Russia’s disinformation campaigns and political influence operations and must therefore equip itself to counter such efforts,” the committee warns, calling for legislation to tackle the multi-pronged threat posed by hostile foreign influence operations in the digital era.

The report also urges the government to do the leg work of attributing state-backed cyber attacks — recommending a tactic of ‘naming and shaming’ perpetrators, while recognizing that UK agencies have, since the WannaCry attack, been more willing to publicly attribute a cyber attack to a state actor like Russia than they were in decades past. (Last week the government did just that in relation to COVID-19 vaccine R&D efforts — attacking Russia for targeting the work with custom malware, as UK ministers sought to get out ahead of the committee’s recommendations.)

“Russia’s cyber capability, when combined with its willingness to deploy it in a malicious capacity, is a matter of grave concern, and poses an immediate and urgent threat to our national security,” the committee warns.

On the threat posed to democracy by state-backed online disinformation and influence campaigns, the committee also points a finger of blame at social media giants for “failing to play their part”.

“It is the social media companies which hold the key and yet are failing to play their part,” the committee writes, urging the government to establish “a protocol” with platform giants to ensure they “take covert hostile state use of their platforms seriously, and have clear timescales within which they commit to removing such material”.

“Government should ‘name and shame’ those which fail to act,” the committee adds, suggesting such a protocol could be “usefully expanded” to other areas where the government is seeking action from platforms giants.

Russia report

The Intelligence and Security Committee (ISC) prepared the dossier for publication last year, after conducting a lengthy enquiry into Russian state influence in the UK — including examining how money from Russian oligarchs flows into the country, and especially into London, via wealthy ex-pats and their establishment links; as well as looking at Russia’s use of hostile cyber operations to attempt to influence UK elections.

UK prime minister Boris Johnson blocked publication ahead of last year’s general election — meaning it’s taken a full nine months for the report to make it into the public domain, despite then committee chair urging publication ahead of polling day. The UK’s next election, meanwhile, is not likely for some half a decade’s time. (Related: Johnson was able to capitalize on unregulated social media ads during his own election campaign last year, so, er… )

The DCMS committee, which was one of the bodies that submitted evidence to the ISC’s inquiry, has similarly been warning for years about the threats posed to democracy by online disinformation and political targeting — as have the national data watchdog and others. Yet successive Conservative-led governments have failed to act on urgent recommendations in this area.

Last year ministers set out a proposal to regulate a broad swathe of ‘online harms’, although the focus is not specifically on political disinformation — and draft legislation still hasn’t been laid before parliament.

“The clearest requirement for immediate action is for new legislation,” the ISC committee writes of the threat posed by Russia. “The Intelligence Community must be given the tools it needs and be put in the best possible position if it is to tackle this very capable adversary, and this means a new statutory framework to tackle espionage, the illicit financial dealings of the Russian elite and the ‘enablers’ who support this activity.”

The report labels foreign disinformation operations and online influence campaigns something of a “hot potato” no UK agency wants to handle. A key gap the report highlights is this lack of ministerial responsibility for combating the democratic threat posed by hostile foreign states, leveraging connectivity to spread propaganda or deploy malware.

“Protecting our democratic discourse and processes from hostile foreign interference is a central responsibility of Government, and should be a ministerial priority,” the committee writes, flagging both the lack of central, ministerial responsibility and a reluctance by the UK’s intelligence and security agencies to involve themselves in actively defending democratic processes.

“Whilst we understand the nervousness around any suggestion that the intelligence and security Agencies might be involved in democratic processes – certainly a fear that is writ large in other countries – that cannot apply when it comes to the protection of those processes. And without seeking in any way to imply that DCMS [the Department for Digital, Culture, Media and Sport] is not capable, or that the Electoral Commission is not a staunch defender of democracy, it is a question of scale and access. DCMS is a small Whitehall policy department and the Electoral Commission is an arm’s length body; neither is in the central position required to tackle a major hostile state threat to our democracy.”

Last July the government did announce what it called its Defending Democracy programme, which — per the ISC committee report — is intended to “co-ordinate work on protecting democratic discourse and processes from interference under the leadership of the Cabinet Office, with the Chancellor of the Duchy of Lancaster and the Deputy National Security Adviser holding overall responsibility at ministerial and official level respectively”.

However the committee points out this structure is “still rather fragmented”, noting that at least ten separate teams are involved across government.

It also questions the level of priority being attached to the issue, writing that: “It seems to have been afforded a rather low priority: it was signed off by the National Security Council only in February 2019, almost three years after the EU referendum campaign and the US presidential election which brought these issues to the fore.”

“In the Committee’s view, a foreign power seeking to interfere in our democratic processes – whether it is successful or not – cannot be taken lightly; our democracy is intrinsic to our country’s success and well-being and any threat to it must be treated as a serious national security issue by those tasked with defending us,” it adds.

The lack of an overarching ministerial body invested with central responsibility to tackle online threats to democracy goes a long way to explaining the damp squib of a response around breaches of UK election law which relate to the Brexit vote — when social media platforms were used to funnel in dark money to fund digital ads aimed at influencing the outcome of what should have been a UK-only vote.

(A redacted footnote in the report touches on the £8M donation by Arron Banks to the Leave.EU campaign — “the biggest donor in British political history”; noting how the Electoral Commission, which had been investigating the source of the donation, referred the case to the National Crime Agency — “which investigated it ***” [redacting any committee commentary on what was or was not found by the NCA]; before adding: “In September 2019, the National Crime Agency announced that it had concluded the investigation, having found no evidence that any criminal offences had been committed under the Political Parties, Elections and Referendums Act 2000 or company law by any of the individuals or organisations referred to it by the Electoral Commission.”)

“The regulation of political advertising falls outside this Committee’s remit,” the ISC report adds, under a brief section on ‘Political advertising on social media’. “We agree, however, with the DCMS Select Committee’s conclusion that the regulatory framework needs urgent review if it is to be fit for purpose in the age of widespread social media.

“In particular, we note and affirm the Select Committee’s recommendation that all online political adverts should include an imprint stating who is paying for it. We would add to that a requirement for social media companies to co-operate with MI5 where it is suspected that a hostile foreign state may be covertly running a campaign.”

On Brexit itself, and the heavily polarizing question of how much influence Russia was able to exert over the UK’s vote to leave the European Union, the committee suggests this would be “difficult” or even “impossible” to assess. But it emphasizes: “it is important to establish whether a hostile state took deliberate action with the aim of influencing a UK democratic process, irrespective of whether it was successful or not.”

The report then goes on to query the lack of evidence of an attempt by the UK government or security agencies to do just that.

In one interesting — and heavily redacted paragraph — the committee notes it sought to ascertain whether UK intelligence agencies hold “secret intelligence” that might support or supplement open source studies that have pointed to attempts by Russia to influence the Brexit vote — but was sent only a very brief response.

Here the committee writes:

In response to our request for written evidence at the outset of the Inquiry, MI5 initially provided just six lines of text. It stated that ***, before referring to academic studies. This was noteworthy in terms of the way it was couched (***) and the reference to open source studies ***. The brevity was also, to us, again, indicative of the extreme caution amongst the intelligence and security Agencies at the thought that they might have any role in relation to the UK’s democratic processes, and particularly one as contentious as the EU referendum. We repeat that this attitude is illogical; this is about the protection of the process and mechanism from hostile state interference, which should fall to our intelligence and security Agencies.

The report also records a gap in the government’s response on this issue — with the committee being told of no active attempt by government to understand whether or not UK elections have been targeted by Russia.

“The written evidence provided to us appeared to suggest that HMG had not seen or sought evidence of successful interference in UK democratic processes or any activity that has had a material impact on an election, for example influencing results,” it writes.

A later redacted paragraph indicates an assessment by the committee that the government failed to fully take into account open source material which had indicated attempts to influence Brexit (such as the studies of attempts to influence the referendum using Russia state mouthpieces RT and Sputnik; or via social media campaigns).

“Given that the Committee has previously been informed that open source material is now fully represented in the Government’s understanding of the threat picture, it was surprising to us that in this instance it was not,” the committee adds.

The committee also raises an eyebrow at the lack of any post-referendum analysis of Russian attempts to influence the vote by UK intelligence agencies — which it describes as in “stark contrast” to the US agency response following the revelations of Russian disops targeted at the 2016 US presidential election.

“Whilst the issues at stake in the EU referendum campaign are less clear-cut, it is nonetheless the Committee’s view that the UK Intelligence Community should produce an analogous assessment of potential Russian interference in the EU referendum and that an unclassified summary of it be published,” it suggests.

In other recommendations related to Russia’s “offensive cyber” capabilities, the committee reiterates that there’s a need for “a common international approach” to tackling the threat.

“It is clear there is now a pressing requirement for the introduction of a doctrine, or set of protocols, to ensure that there is a common approach to Offensive Cyber. While the UN has agreed that international law, and in particular the UN Charter, applies in cyberspace, there is still a need for a greater global understanding of how this should work in practice,” it writes, noting that it made the same recommendation in its 2016-17 annual
report.

“It is imperative that there are now tangible developments in this area in light of the increasing threat from Russia (and others, including China, Iran and the Democratic People’s Republic of Korea). Achieving a consensus on this common approach will be a challenging process, but as a leading proponent of the Rules Based International Order it is essential that the UK helps to promote and shape Rules of Engagement, working
with our allies.”

The security-cleared committee notes that the public report is a redacted summary of a more detailed dossier it felt unable to publish on account of classified information and the risk of Russia being able to use it to glean too much intelligence on the level of UK intelligence of its activities. Hence opting for a more truncated (and redacted) document than it would usually publish — which again raises questions over why Johnson sought repeatedly to delay publication.

Plenty of sections of the report contain a string of asterisk at a crucial point, eliding strategic specifics (e.g. this paragraph on exactly how Russia is targeting critical UK infrastructure: “Russia has also undertaken cyber pre-positioning activity on other nations’ Critical National Infrastructure (CNI). The National Cyber Security Centre (NCSC) has advised that there is *** Russian cyber intrusion into the UK’s CNI – particularly marked in the *** sectors.)”)

Most recently Number 10 sought to influence the election of the ISC committee chair by seeking to parachute a preferred candidate into the seat — which could have further delayed publication of the report. However the attempt at stacking the committee was thwarted when new chair, Conservative MP Julian Lewis, sided with opposition MPs to vote for himself. After which the newly elected committee voted unanimously to release the Russia report before the summer recess of parliament, avoiding another multi-month delay.

Another major chunk of the report, which tackles the topic of Russian expatriate oligarchs and their money; how they’ve been welcomed into UK society with “open arms”, enabling their illicit finance to be recycled through “the London ‘laundromat’, and to find its way inexorably into political party coffers, may explain the government’s reluctance for the report to be made public.

The committee’s commentary here makes particularly awkward reading for a political party with major Russian donors. And a prime minister with Russian oligarch friends

“It is widely recognised that the key to London’s appeal was the exploitation of the UK’s investor visa scheme, introduced in 1994, followed by the promotion of a light and limited touch to regulation, with London’s strong capital and housing markets offering sound investment opportunities,” the committee writes, further noting that Russian money was also invested in “extending patronage and building influence across a wide sphere of the British establishment – PR firms, charities, political interests, academia and cultural institutions were all willing beneficiaries of Russian money, contributing to a ‘reputation laundering’ process”.

“In brief, Russian influence in the UK is ‘the new normal’, and there are a lot of Russians with very close links to Putin who are well integrated into the UK business and social scene, and accepted because of their wealth,” it adds.

You can read the full report here.