More from Epic v. Google: everything we learned in Fortnite court
We’re watching a taped video deposition from January 13th, 2022, and lawyers are asking Cramer about Google’s P&Ls — the profit and loss accounting used by businesspeople to help make decisions about how to run a company.
Cramer is testifying that Android had a separate P&L from Google Play, which relates to a point Epic has been trying to subtly make for a while. Google has argued that its Google Play app store isn’t as much of a “profit center” as it seems because it doesn’t account for all of Google’s costs — the money it had to invest to bring you Google Play and Android.
But maybe Google’s costs were considered a separate business? We’ll find out.
We’re back in the courtroom in San Francisco, and we’re going to be hearing from more experts today — we’ve been told accountants and economists will arrive to (presumably) argue why Google does or doesn’t deserve its full app store fee.
We’ll start with accountants, and Judge Donato says he wants things to run smoothly and quickly. “This is the week to wrap up the facts,” says the judge. “We’re going to drive the wagon over the pass and reach the promised land.”
Judge Donato believes we may be able to finish by next Friday, December 1st — and he’s calling us all in that day. (Usually court here is Monday through Thursday.)
He’s also telling both sides we don’t need to go through sideloading screens or redefine what MADA is or go through anything we’ve already heard three times before. “We’re going to start losing people,” he says.
“Everything new and fresh next week, otherwise I may have to ask you to stop.”
Next week, we’ll hear from both sides’ economists. Then Google plans to call six witnesses (including three Google employees) to help bring its counterclaim against Epic (for breach of contract, etc.).
Both sides are supposed to file their final proposed jury instructions tomorrow — the questions the jury may actually have to decide (pending approval by the judge).
“Let’s not talk about a party that none of us were invited to but you two,” Judge Donato chided Epic’s lawyer, who keeps showing Dr. Qian things he said previously.
Earlier, the judge said we needed to finish the cross-examination of Google’s expert today no matter what. “You’ve got 15 minutes,” he said five minutes ago. “Remember this is an antitrust case.”
I wonder what he meant by the last part.
Epic’s lawyer just asked about the frosting (is this it?), and Google’s security expert says he’s heard of it. The point seems to be that Google does already have a mechanism for signing some apps outside the Play Store, reportedly for peer-to-peer distribution. Epic pointed out a while ago that some countries, including India, tend to distribute apps peer to peer rather than solely over the internet.
Epic’s attorney is trying to get Dr. Qian to admit that Google has the capability to block bad apps, period. But apparently he already did, in an old deposition, so he didn’t need to say it again in court today.
I’m fascinated with how many questions in this courtroom have been a lawyer asking something they already asked months ago — partly so the jury can see if they’re being consistent and partly so the lawyer can get to a new question that builds on top of the previous answer.
We’re looking at a spreadsheet of Android devices by country that Google’s expert used to come to the conclusion that 53 percent of Android users outside China have successfully enabled the sideloading flow.
In particular, Epic has found that 880 million devices were listed as from unknown countries. Epic also found that smart TVs and Chromecasts were included in his data.
Dr. Qian is saying these findings don’t change his conclusion.
We’ve never seen this spreadsheet or his chart before in the courtroom — we’ve only heard the billion user figure stated as fact.
Told ya. He’s Epic’s witness again, and it was the very first line of questioning.
Dr. Qian is asserting that Android would be less, not more, safe if it notarized apps because they could become compromised over time — requiring Google to follow up.
He also suggests users could be desensitized to the new warning screens and just click through. (But doesn’t that apply to any warning screen? What’s the point of mass warning screens at all if we assume desensitization by default?)
And, he suggests, a bad actor could steal the key to sign bad apps, making them look like good ones. He says that’s not just a theoretical risk.
(I’ll point out that a Microsoft signing key got stolen and led to the theft of US government emails.)
“There are profound ramifications on the entire Android ecosystem, all the stakeholders,” says Dr. Qian, who suggests Android OEMs would need to agree and would want to negotiate.
I’m not necessarily buying that argument: haven’t we seen in this trial that Google mandates quite a few things with regards to its partners? Maybe a Samsung has the bargaining power, though.
Google’s own head of security explained this to us a few days ago, but Qian is taking another stab — he says that because Google Play doesn’t have a “relationship” with off-Play apps and has less information, it isn’t as effective.
He says bad apps can use polymorphism to avoid detection by scans, making “every single version look different.”
Dr. Qian is explaining the security concept of “defense in depth,” using a castle with a moat, drawbridge, walls, and guards as an analogy.
“You want to introduce multiple layers of defense in case one layer is bypassed by the attacker.”
“We want to grant that [app install] permission only when it is necessary.”
He says the sideloading friction screens follow another principle, “securing the weakest link,” because the weakest link is often the human being who doesn’t think it through.
That’s Google’s security expert. He told Google’s lawyer that sideloaded apps inherently have a higher risk of being malware (because they haven’t been reviewed, which seems obvious), that the research is consistent that sideloaded apps are riskier, and that entities like Samsung and Verizon warn their users about the risks of sideloaded apps.
Now that Epic’s expert Professor Mickens is no longer on the stand, his Google counterpart is taking advantage — twice suggesting to the jury that Mickens would agree that some of Google’s existing screens make sense, at least in terms of ensuring user consent to an app install.
Mickens is still technically here — now, he’s in the courtroom gallery like me, taking notes with pen and paper.
Google’s security expert Dr. Qian is describing various types of annoying and scary malware that have hit Android devices, including adware, ransomware, and spyware. One example was a fake Cyberpunk 2077 game that wasn’t a game at all.
Like his Epic counterpart, Qian has three basic arguments that we’re now seeing on-screen:
Android devices face a significant threat of malware that can harm users
Android sideloading screens are prudent and consistent with best practices
Prof. Mickens’ proposals are less flexible, would introduce new security risks, and impose significant burdens on Google.
He’s a professor at UC Riverside who spent two years working on Android anti-malware solutions, and Google is taking care of a question about his financial conflicts of interest right away: his lab received a grant from Google for a couple hundred thousand dollars, but he says it was less than 5 percent of the lab’s funding and that he received none personally.
He hasn’t yet said whether Google paid him to consult on this case, though.
Mickens, prompted by Epic’s attorney, says the Switch, PlayStation and Xbox are gaming devices — not general-purpose computers like an Android phone — and that game consoles are often sold at a loss, making their money back on software, so there’s an economic reason to lock them down.
Mickens says his notarization proposals would keep that optional.
In other words, Epic Games could make Fortnite a trusted, non-scare-screen app by getting it notarized, but other developers wouldn’t have to if they’re fine with more warnings.
Google also tried to draw him into some questions to promote its “we compete with the iPhone” narrative, asking if Android was much less restrictive than iOS (he agreed) and if Apple hammers Android on security in its marketing.
Google asked if Apple would have a field day if it dropped its sideloading warnings — setting up a straw man, since Mickens doesn’t propose dropping them entirely.
I think I got one word wrong in this quote, but this is almost entirely what he said:
“I think if Google did not replace those sideloading warnings with something that protects users, then Apple would make some hay out of that.”
He’s Epic’s witness again, just to go over some fine points of what he told Google.
We’re seeing that after we eliminate steps in the modern install flow that are out of the Android operating system’s direct control, there are few that Mickens takes issue with — mostly just the scare screens.
“You agree with the concept of asking users for consent before you allow one app to be an installer on the phone, right?” Yes.
In a March video deposition, Mickens suggested that the discriminatory nature of the scare screens (that is to say, they don’t pop up when you install via Google Play, only third-party stores and sideloaded apps) was his primary remaining concern with them.
“All APK/XAPK files on APKFab.com are original and 100% safe with fast download,” reads the listing at APKFab, which also has a fancy “Trusted App” badge with a green checkmark.
Professor Mickens admits he doesn’t know if APKFab reviewed this app at all, and that the “com.tveemobilee.nitflix” file hosted there is likely not a legitimate app.
The point, I assume, is that decentralized notarization would lead to confusion about which websites have legitimate apps? We didn’t quite get to that.
He makes $750 an hour, he tells Google’s lawyer.
Wonder if a jury will take that into account. Surely, Epic will ask the same question of Google’s expert now.
Speaking of Google’s expert, a Professor Qian — Google says Qian warned Epic’s expert that agencies like CISA recommend against one of his suggestions (I missed which, sorry), and he admits he didn’t incorporate those warnings into his report.
Correction: We’re now learning it’s Professor Qian, not Chen. Dr. Zhiyun Qian. I apologize for the error.
Mickens admits that no popular operating system has ever implemented decentralized notarization but waffles on “new domain,” saying he believes it’s possible for Google to do this relatively easily.
“You don’t say how much it would cost Google to scale up its human review teams,” says Google.
“You don’t say how much Google should charge for a centralized app review process, right?”
The phrases “Cost to Google: ???” and “Cost to developers: ???” appear on Google’s slide, which is clearly designed to suggest Mickens hasn’t thought his proposal through.
Mickens says yes.
Google’s point seems to be that his proposal would give Google more, not less control and burden, but I’m not seeing the problem with that just yet...
Now Google’s asking whether Mickens asked any OEM or developer if they’d prefer it that way. “You didn’t ask any OEM whether they’d be willing to accept this change, correct?”
Mickens says no.
Google puts a phrase up on the screen: “Would OEMs agree: ???” It appears alongside “Google carries the entire burden for Android App Review” and “Warning screen for any app not reviewed by Google.”