Operating Systems need privacy-protective friend-finding services

The New York Times headline (Did Apple just kill social apps?) is over-the-top, but a reminder of the impact Big Tech firms can have on entire market sectors with their product decisions — and why the EU was right to legislate rules for fairness and contestability in the Digital Markets Act (DMA). Indeed, further interventions might be necessary, like mandating privacy-protective friend-connecting services.

The latest version of the iPhone operating system, iOS 18, includes a function to allow users to limit app access to specific contacts in their address books. Many “social” apps have previously relied on full access to bootstrap a user’s social graph (all their connections). While this is hugely welcome from a privacy perspective,

‘[T]he drama demonstrates how powerful gatekeepers like Apple have become and how even minor changes to Apple’s products can create dramatic ripple effects in the rest of the tech industry… Nikita Bier, a startup founder and adviser who has created and sold several viral apps aimed at young people, has called the iOS 18 changes “the end of the world”, and said they could render new friend-based social apps “dead on arrival”.’

To reconcile these privacy and competition concerns, Apple (and other “operating systems”, “number-independent interpersonal communications services”, “video-sharing platform services” and “social networking services” designated as “gatekeeper core platform services” by the European Commission under the DMA) could additionally be required to provide privacy-protective contact-finder services, used with explicit user consent. This would let users who want to easily try out a new “social” service communicate with existing contacts already using it, without needing to reveal their entire social graph (including unique IDs like telephone numbers and e-mail addresses) every time, and not least without leaving it open to data breaches by startup firms perhaps not paying full attention to data security.

While not privacy-protective, a number of such services already help users rebuild their X/Twitter social graph on more open platforms, such as Bluesky (despite Elon Musk’s best efforts to block them):

Screenshot from a tool to help an X user find existing followers/followees on Bluesky, based on username and text in their X bio

Such a friend-finding service was recommended by the UK’s Competition & Markets Authority in its 2020 online platforms study, and could potentially be mandated under the DMA (not least if its messaging interoperability Article 7 was extended to social networking services, which the European Commission must consider in its three-yearly DMA reviews):

“tools that make it easier for consumers to access their existing networks across multiple platforms could make new or smaller platforms more attractive to consumers and could reduce the extent to which same-side network effects act as a barrier to expansion in the social media sector” (CMA 2020, p.W9)

It would also be open to new social apps to run such privacy-protective protocols directly as a selling point to privacy-concerned users — and if Apple (or Google, or Microsoft) refused access to the iOS (or Android or Windows) address book for such purposes, it could be demanded under the DMA’s Article 6 paragraphs (7) and (9) (with user consent, of course).

Given these privacy-protective contact connecting protocols are not new, they are arguably required under the EU’s General Data Protection Regulation (Art. 25). But that, of course, would require rather stronger enforcement than we have seen from national Data Protection Authorities so far 🤨