The nature of personal security is changing quickly as more aspects of everyday life take place online. Technology is evolving, and criminals are adapting. It’s far more difficult and more complex to lock the doors and bar the windows in the cyber world than in the physical one. A recent report, published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in conjunction with several other domestic and foreign agencies, issued a set of cybersecurity recommendations for device manufacturers. The core of that report is the notion that manufacturers should build and pre-configure software to ensure that it prioritizes the user’s security.
“The burden of security should not fall solely on the customer,” maintains CISA. “Software manufacturers should take ownership of the security outcomes of their customer’s purchase and evolve their products accordingly.” CISA endorses the principle of “secure by default.” This states that a device’s out-of-the-box, default settings should provide high levels of security. However, this sound tenet is incompatible with several antitrust proposals, such as the Open App Markets Act (OAMA) and the American Innovation and Choice Online Act (AICOA), that have surfaced in Congress and aim to regulate online markets.
Advancing dubiously under the flag of antitrust, supporters of these proposals want to limit the influence in various digital markets of platforms such as Amazon, Apple, and Google. But, if successful, these pieces of legislation would greatly threaten Americans’ security online. These bills gained congressional traction in 2022 but ultimately fell short of passage. They may return, and there is a danger that, driven by their notion of antitrust — and their distrust of Big Tech — lawmakers may dismantle important consumer cybersecurity protections that have developed organically in the free market, an approach that would run against the thrust of CISA’s recommendations.
Proponents of the AICOA and the OAMA claim that major platforms’ existing bans on “sideloading” — the process of downloading applications from sources other than sanctioned app stores — harm competition by limiting users’ access to apps not available on those stores. This complaint is typically focused on Apple’s App Store and the Google Play Store. Apple and Android (created by Google) have differing restrictions on third-party downloads for mobile devices. Apple’s iOS software is largely a closed system, whereas Android allows some degree of sideloading. Almost any restrictions, advocates say, allow companies unfair control over the app economy.
Platforms discourage sideloading for good reason. It’s an inherently risky process (made even more so by most consumers’ lack of cybersecurity awareness and experience) that exposes consumers to dangerous malware. Android devices, whose settings users can reconfigure to allow sideloading, are 15 times more likely to be infected by malicious software than their iOS counterparts.
Most consumers prefer the relative safety of default settings and sanctioned app stores. Those who don’t may purchase an Android device, tweak its settings, and sideload freely. Mandating that manufacturers configure their devices or systems to allow or promote sideloading would almost certainly expose many risk-averse and unwilling consumers to potential harm. Before listing software for sale, the proprietors of app stores inspect products for malware and other security defects, thereby providing consumers with a predictably safe shopping experience.
“Software manufacturers should take ownership of the security outcomes of their customer’s purchase and evolve their products accordingly,” CISA writes. Yet that’s precisely what the above proposals sought to ban. AICOA would have disallowed platforms from “materially restrict[ing] or imped[ing] a business user from accessing data generated . . . by the activities of the business user.”
For example, had AICOA become law, the App Store, which now withholds customer payment information from third-party vendors, would likely have been required to share it with all third-party sellers, creating a cornucopia of data-security risks. Similarly, Amazon currently declines to share payment data with third-party sellers. As they’ve done with regard to sideloading, market actors have built innovative protections for users’ digital purchases. Bills such as the AICOA and the OAMA would only serve to eradicate these protections.
While policy-makers frequently predicate interventions on “market failures,” their policies too often ruin the market’s successes. Although lawmakers opposed to the approach taken in the proposed legislation fended off the AICOA and OAMA at the closing bell of the 117th Congress, the underlying ideas those bills reflected remain popular among many others for reasons that, in many cases, appear to owe more to grievance politics, convoluted theories of competition, and general economic nonsense than to anything of intellectual substance.
The Biden administration endorsed both the AICOA and OAMA. Going forward, it would do well to think through the implications of CISA’s reasoning as it might apply to online platforms. After all, CISA is staffed with security experts who recognize the increasing number and complexity of the dangers present in the modern digital world. These threats can come from private hackers as well as the cyber spies of Beijing, Moscow, Pyongyang, and elsewhere. Those who continue to advocate ideas such as the AICOA and OAMA ought to take these dangers more seriously.