EU should step up its game with big tech – interview


The EU's Digital Markets Act (DMA) is supposed to give users more choices by promoting competition. Yet, implementing it can be challenging. Jeff Reich, Executive Director at the Identity Defined Security Alliance (IDSA), believes that limiting tech giants' consolidation and ensuring interoperability contradict each other, and we need more user-centric solutions.

A week after the DMA came into force, installing Fortnite or any third-party apps on iPhones in Europe is still not possible, at least for now. On Samsung phones, users still can’t remove some preinstalled apps, and that probably won’t change as Samsung isn’t even considered a “gatekeeper.” Searching for a location on Google still opens Google’s own Map service.

While the data I generate is considered mine, it is someone else who is mining, controlling, valuing, and profiting from it.

ADVERTISEMENT

The only notable change I observed was Google sending an email to “review your choices about linked Google Services” and the iPhone prompting me to choose a default internet browser.

In an interview with Reich, we discussed the challenges that regulators face when dealing with big tech and the options consumers have for ensuring their security and privacy. IDSA is a nonprofit that provides resources to help organizations reduce the risk of a breach by combining identity and security strategies.

“I think that the intent of the politicians that created the law was good, to say, let’s have more choice and uniformity in the marketplace,” Reich said. The intent was honorable because it would be wonderful if we could level the playing field for all the different sports and for all the different players out there. But the challenge you have is that a startup can't be equal to Apple or Google. They aren't the same.”

And the internet doesn’t have political or geographical boundaries. Governments around the world should work more closely on interoperable environments.

jeff-reich

The inner struggle

To Reich, the DMA represents a struggle between two broader trends. The first one is fighting further tech consolidation.

“An organization like Alphabet, Apple, or Meta can say, ‘I want to gobble up as much information, take in the information from as many apps as possible so I can federate access to all of them through me.’ I think that’s one force that's in play right now, and the EU is trying to stop that. That was the whole point of the DMA,” Reich said.

ADVERTISEMENT

The second force in play is interoperability, which aims to give users more autonomy, distribute control over their data, and remove platform-related locks.

“These two are in conflict with each other. And the question is going to be, does one win, or do they find a way to play nice together and cooperate?” Reich said.

Tech giants have no incentives for cooperation as they consolidate data within their own ecosystems and have significant control over users' digital identities, which can be used for targeted advertising, cross-selling, personalization, or other benefits.

Reich suggests that the future should involve interoperable and user-centric solutions prioritizing privacy and security.

He advocates for creating a secure digital wallet where users could put their sensitive data, such as passport number, national ID number, insurance, and other critical information. A vendor-neutral digital wallet for authentication and personal data control could be a good start.

“In the US, we have a Social Security number, which is the only countrywide identifier that we have, and even then, it's not to be used for identification; it's simply used for some tax purposes and for the federal retirement program,” Reich said. “You need to have higher criteria than simply a nine-digit number that was issued to you at birth. Because that's what a Social Security number is, and it's very difficult to change it. That's a very low bar to pass to say, oh, I authenticated you.”

Who’s to say that you are who you claim to be?

Reich believes that it’s possible to achieve both larger competition and service interoperability by having a disinterested third party, whether it’s a governmental organization, a non-profit, or another organization.

“I think you need to get commercial players that have a vested interest out of the picture,” he believes. “An organization that says I'm handling that, so it's not to Google's advantage, it's not to Apple's advantage, or it's not to Meta's advantage, but rather it's to the individual's advantage to have interoperable identification. Then Google could use that, Apple could use that. And each one's treated truly.”

Apple may have a great wallet solution already, but it depends on an individual having a credit card or bank information, which, in the US, can be acquired with a Social Security number or “a weak link,” as Reich explained. And “what if Apple says I don't want to deal with that vendor?”

ADVERTISEMENT

He noted that some organizations around the world are already working on the standards and criteria that could be used to verify someone’s identity, i.e., using a combination of physical, biometric, or other methods to make sure that the person is who they claim to be.

“You may be familiar with the internet. You know, every website has an IP address and domain name. And how those are divvied up is done by ICANN, which is an independent third-party organization,” Reich compared. “When you request a domain name, they look if it’s taken, at anything that's similar. Then, they can set it aside for you. You pay the nominal fee, and that domain is yours, as well as this IP address range. That system seems to work pretty well, and I think if we could parallel that with interoperable digital wallets.”

Reich hopes that future standards of identity verification and protection will be agreed upon between different countries, enabling individuals to access services without multiple verification processes. Even machines now need identity protection to be trusted.

“Over the next three to five years, you'll start seeing that actually happen to a level that you might have a level of trust in it. Now, the big challenge is going to be interoperability – how many countries are willing to adopt it.”

No matter the solutions, users must always watch their back

While regulators are trying to keep up with market developments, even the most secure systems won’t protect users who are susceptible to social engineering. Often, a big part of consumer protection rests on their own shoulders.

“All the technology is here, but if you look, almost every big data breach that has happened is a result of social engineering. It's not very often a case of true technology hacking,” Reich noted. “So, number one, be aware of your surroundings. If someone is looking over your shoulder at the ATM, would you enter your PIN? Probably not. But I still see people at ATMs being completely unaware of what’s going on behind them.”

The same goes for security and privacy online. Users online often get tempted by “€10 certificates” if they provide the date and place of birth, mother’s maiden name, or other information.

“A lot of people will still do that because they think, oh yeah, I get €10 out of it. But is giving up that portion of your identity worth €10? Probably not. So just think of the situation. Situational awareness will go a long way to prevent technical problems from rearing their heads.”

Reich shared that he even keeps the microphone on his phone disabled so that neither Siri, Alexa, nor Google Home wouldn’t listen if he plans for a new trip or a lawnmower. And he would recommend everyone doing the same.

ADVERTISEMENT

We already have some control over what data is collected about us and how it is used, but still, most users just auto-accept all cookies and give all permissions. Users should also think twice before linking services, as it often includes information sharing with third parties.

On April 9th, 2024, IDSA is hosting Identity Management Day, an annual free conference about the dangers of casually or improperly managing and securing digital identities.