Google Warns of Security Risks in EU Digital Markets Act Plans
Google’s senior privacy and security staff have issued warnings that upcoming European Union (EU) proposals, designed to open Google’s search data and Android operating system to competitors, could result in increased hacking of search queries and a surge in cybercrime. These concerns were highlighted in multiple interviews and documents shared with WIRED.
EU Decisions Under the Digital Markets Act
The warnings come as European Commission officials prepare to finalize decisions in July regarding two key cases: Google Search and Android interoperability. These decisions fall under the EU’s Digital Markets Act (DMA), adopted in late 2022, which aims to force dominant tech companies to open their systems and data to competitors, fostering greater market competition.
Heather Adkins, Google’s vice president of security engineering, expressed concerns about the proposed changes for both Google Search and Android. In April, the European Commission outlined plans for Google to share anonymized search data with rivals and grant broader access to Android for AI services.
Risks to Android Security
Adkins warned that the proposed changes to Android could lead to a 'significant increase in fraud' in the EU within weeks of implementation. She cited concerns that fraudsters could exploit the increased access to apps’ permissions, such as microphones, cameras, and onscreen information, undermining mobile security best practices.
Eugene Liderman, director of Google’s Android security team, echoed these concerns, emphasizing the need for proper tools and transparency to mitigate risks. Apple has also supported some of Google’s positions on operating system access.
Concerns About Search Data Anonymization
Google claims that the EU’s proposed anonymization techniques for search data contain 'deep weaknesses' and that the data could be reidentified by bad actors. David Lewis, Google’s director of privacy advisory for Europe, the Middle East, and Africa, stated that Google’s security team had demonstrated the ability to reidentify search users in less than two hours.
Adkins suggested that large language models could be used to de-anonymize data if it falls into malicious hands, further highlighting the risks. She also warned that smaller companies receiving shared data could become targets for hackers.
Mixed Reactions from Competitors and Experts
The EU’s proposals have drawn mixed reactions from competitors, researchers, and privacy advocates. Some, like privacy-focused search engine DuckDuckGo, argue that Google’s concerns are addressable within the existing framework. Others, including Brave and independent experts, have raised doubts about the adequacy of the proposed anonymization measures.
Alissa Cooper, executive director of the Knight-Georgetown Institute, described the EU’s technical and contractual proposals as a 'very robust regime' but called for independent experts to validate the data-sharing measures.
Broader Implications of the Digital Markets Act
The DMA has designated several tech giants, including Google, Amazon, Apple, and Microsoft, as 'gatekeepers' due to their large market shares. These companies are required to open their systems and data to competitors under the act. Google’s search business, which dominates the global market, is a key focus of the regulations.
The EU’s plans for Google Search include sharing search queries, click data, and ranking results with competitors. While the data is intended to be anonymized, Google has raised concerns about the effectiveness of the proposed measures.
Conclusion
As the European Commission’s July 27 deadline approaches, Google has become increasingly vocal in its opposition to parts of the EU’s plans. The company argues that the proposals could undermine user privacy and security, despite the intended benefits for market competition. The outcome of these decisions will have significant implications for both Google and the broader tech industry.