More from Epic v. Google: everything we learned in Fortnite court

Sean Hollister
“In this proposal, Google would bear the entire burden in terms of reviewing apps on Android, right?”

Google is starting with the expert’s assertion that yes, it is possible to police the internet with notarized apps.

Here are some of Mickens’ words that are being thrown back at him now, from his written report:

As a result, Google carries the entire burden for reviewing apps, generating tokens, and recalling tokens if, for example, an app that initially passed the review process is later found to be malicious.

Google is narrowly asking him about his “centralized” approach, though — he also suggested a decentralized one.

Sean Hollister
It’s Google’s turn to question Epic’s security expert.

We’re back from lunch. Let’s see what Google takes issue with...

Sean Hollister
Another proposal from Epic’s security expert: Google could notarize apps like PC operating systems do.

Ever heard of a “signed” application? Mickens says Google has the technology to do the same on Android, either by itself, or by approving third-party reviewing entities to confirm whether apps have been reviewed and sign them to let your Android phone know they’re safe.

“Would your proposals require Google to police the entire internet?” asks Epic’s attorney, referring to this quote from earlier in the trial.

“They would not,” replies Mickens, pointing to existing third-party entities like Verisign, Digicert, and GoDaddy — and saying that Google already trusts some of them with websites it displays in Chrome. (I don’t know if I buy that third parties do a good job in the aggregate.)

Sean Hollister
In case you’re wondering why I keep calling him “Epic’s expert”:

Not only did Epic call Professor Mickens as an expert witness (Google will have its own), but the questions from Epic’s lawyer are all in utter lockstep with what Mickens is presenting. Compelling or not — I find the reduced friction compelling! — it’s a fully rehearsed show.

Mickens has even been asked about the testimony of witnesses that were in this courtroom on previous days, and he’s been ready to go.

Sean Hollister
Here is Epic’s (expert’s) proposed alternative to Google’s scare screens:

“We’re imagining a new world, this is a proposal, it’s not something that’s out in the world right now,” he tells the jury, before presenting this mock screen:

Allow installation

Do you want F-Droid to be able to install apps?

Allow / Don’t Allow

Then, if you click allow, and an app has not yet been scanned and reviewed by Google, there’d be a second optional friction screen:

Allow installation

The app-to-install has not been reviewed. Are you sure that you want to install it?

Cancel / Install Anyway

What do you think?

Sean Hollister
Prof. Mickens thinks Google should change its scare screens to be “proportional” and “commensurate”:

We’re seeing this slide on screen:

Two Core Decisions for User Consent:

1) Do I want to allow this app to install other apps?

2) Has the app I want to install been scanned?

“I agree on a high level that friction, when it’s proportional and commensurate to the risk... is appropriate,” he says.

He thinks a single screen should be enough to get the user’s informed consent.

Sean Hollister
In court, Google Play Protect is shooting Google in the foot.

One of the Epic expert’s biggest points is turning out to be that Google automatically scans incoming apps for malware through a feature called Google Play Protect.

“Now the malware scanner’s going to run, and it’s going to look and see if the app you were trying to install is malicious,” Professor Mickens tells the jury.

Mickens says it’s Google’s most important protection against bad apps.

Judge Donato interrupts to ask: “Could all those other steps be skipped and a user go directly from ‘I’d like to install it’ to the GPP stage?”

Mickens won’t go quite that far: “I don’t think they should be skipped.” He promises to come back to that point in a couple of slides.

Sean Hollister
“One thing I’ll immediately flag here: calling Wikipedia unknown is a bit weird.”

Epic’s security expert Mickens says despite Android’s scare screens about downloading apps outside of Google Play, “your phone is also vulnerable to attack by apps in the Play Store.”

Judge Donato interrupts: “If you’re downloading an app from the Play Store, do you see the same warning?”

“No, you do not see this warning,” says Mickens. He continues:

“It’s the same app, it’s just Wikipedia, it’s not like the potential nature of its maliciousness has changed... that’s a problem, and that’s why it’s important to look at these warning screens.”

Sean Hollister
Judge James Donato has heard far too much about the many individual steps it takes/took to sideload an app on Android.

Epic and Epic’s expert witness have been asked to speed things along — we’ve been promised there’s a new and salient comparison coming.

Sean Hollister
Epic must be so happy these words just came out of its expert’s mouth:

“We can think of the reviewing process from an app separate from the distribution process for an app.”

That’s core to Epic’s case — it wants the court to decide that Google has one monopoly on Android app distribution, and another on in-app payments.

Sean Hollister
Android already has “all these mechanisms in place trying to keep the user safe,” Epic expert attests.

James Mickens, Epic’s mobile security expert:

Even if a user does have the misfortune to download a potentially harmful app on their phone, there are going to be all these mechanisms in place trying to keep the user safe.

Google already has both automated and human review mechanisms on and off Play to help with this, he says.

Yet even on Google Play, some scam apps get through.

Sean Hollister
This is the public Google document that Epic’s security expert keeps pointing to:

It’s called The Android Platform Security Model, and it contains phrases that are appearing in court, like:

Both users and developers are part of an open ecosystem that is not limited to a single application store. Central vetting of developers or registration of users is not required

It’s a little opaque, but I think he’s saying Google knows it needs to provide security outside the Play Store, already attempts to do this, and could do more.

Sean Hollister
“Google will sometimes engage in contractual disincentives to prevent those stores from showing up.”

Epic’s mobile security expert, after showing us a slide that states the Google Play Store is “Mandatory on GMS devices” whereas the Samsung Galaxy Store is merely “Possible on GMS devices.”

Sean Hollister
Epic’s security expert is walking through, at a high level, Google’s contracts that mandate Play Store and other app installs.

“OEM can’t just take the GMS suite and put that on the OEM’s phone... they have to engage in contractual engagements with Google.” Those phones have to go through Google Test Suites for compliance.

There’s also a Compatibility Definition Document and a Compatibility Test Suite to make sure phones are compliant.

Sean Hollister
Epic’s mobile security expert is explaining the layers of a phone.

We’re looking at a slide titled “Android Operating System” which contains these stacked elements:

“User Apps”

“AOSP Middleware” and “GMS Middleware” and “OEM & SOC Middleware”

“AOSP Kernel”

and at the bottom, “Hardware.” The AOSP and middleware items are all within an “Operating System” bracket.

Sean Hollister
“The reason why an app would be malicious is not the distribution channel it came from,”

but rather what it tries to do, says Epic’s security expert.

He says that based on a review of Google’s source code, documents produced for the court, public statements, and academic articles, Google has “under-resourced its security monitoring of off-Play distribution channels” and “has the ability to identify and review apps at the point of installation.”

We’ve heard Google’s security boss suggest the latter isn’t possible: “We can’t make the internet safe.”

Sean Hollister
Epic’s mobile security expert thinks Google should change its app store.

Mickens came in with an agenda — he decided to “Examine whether the friction that Android imposes on non-Google Play Store app installation is justified by security concerns.”

His conclusions, as presented to the jury:

Conclusion 1: “The friction imposed by an operating system during app installation should be proportional to the likelihood that the app is harmful (as determined by a high-quality security review)”

Conclusion 2: The friction that Google imposes to installing apps via third-party channels is unwarranted and disproportionate to the security risks posed

Conclusion 3: By making small changes to Android, Google could reduce the unwarranted friction while preserving (or even strengthening) the status quo of security on Android today

Sean Hollister
We’re back with James Mickens, a professor of computer science at Harvard.

He teaches a class on operating systems, another on computer security, and is co-director of the Berkman-Klein Center for Internet and Society and the Institute for Rebooting Social Media. He says he used to work for Microsoft Research, and has published papers on mobile device security including “the propagation of malware on mobile devices.”

Epic has submitted him as an expert witness on mobile device security — and Judge Donato agrees he’s qualified. On we go!

Sean Hollister
Overheard: “Maybe we get there, maybe we won’t, but at least you and I tried.”

Epic lead attorney Gary Bornstein to Google lead attorney Glenn Pomerantz, as they walked back into the courtroom together.

Both were chatting in the hall; it’s not out of the ordinary for the two parties’ attorneys to get friendly from what I’ve seen. But the judge has also sometimes sent them explicitly to work something out re: witnesses, sealing, or scheduling. Do they have an idea to present Judge Donato after the break?

Update: Not yet; Judge Donato brought out the jury. Bornstein says he’s working out something with Google about playing a pair of video depositions, though.

Sean Hollister
What we didn’t hear: does Spotify have special deals on Apple, Xbox and PlayStation too?

One would think so: we know Xbox handed out many policy exceptions for streaming apps, and I bet some astute reader can figure out which of the ones at my link is Spotify.

We’re on break now, and Spotify’s deposition is done, without returning to the Coalition for App Fairness at all. What might we see when we return?

Sean Hollister
Spotify: “We have never been forced by Google to accept Play Billing.”

Alzetta says that unlike with many other companies, Google didn’t make its own payment system mandatory for Spotify to adopt — the very first time Google approached Spotify about adding Google Play Billing, it was with a proposal in hand.

Sean Hollister
Spotify: “We are not going to pay a commission of 30 percent. Our business does not allow for that.”

Spotify’s Sandra Alzetta says it’s against the company’s “principles,” too, and that “strategically,” Spotify simply won’t do it, full stop.

Alzetta says Spotify has been forced to raise its prices over the years: “We had to increase our prices to consumer. We had to increase them significantly. That is not a good thing for a consumer.”

It is true that Spotify has rarely turned a profit; it generally prioritizes growth, which gives it the scale to broker deals like the zero-percent arrangement with Google.

Sean Hollister
Epic didn’t probe on the Coalition for App Fairness. Will Google?

We’re hearing a lot of assertions about how hard Spotify has worked to build its own payment system and how important choice is to users (Alzetta says “we know that” choice results in increased conversion rates), but there was only a passing mention of the Coalition for App Fairness, a controversial lobbying group which, I revealed in 2021, was set up explicitly by Epic Games to help win its case.

It’s pretty rich to be a member of the Coalition for App Fairness and also work out a secret zero percent deal with Google that you want to keep hidden, isn’t it?

Sean Hollister
Epic is closing the net around Google’s argument that Play is more than payments.

We are looking at a line in the actual agreement between Google and Spotify where Spotify made out like a bandit compared to other Android developers. It reads:

The program fees are payable on account of Google Play’s billing system services.

Epic’s lawyer asks: what about distribution? (Google has argued that Play provides massive scale distribution, security, and many other features in exchange for the fee.)

Spotify’s Alzetta says no — Spotify is only paying Google for payment processing. There were also “some commitments with regard to product” and a “marketing success fund” as part of the deal, but that’s it.

Sean Hollister
“If a user chooses to use Spotify for its payment method, there is no fee paid to Google.”

Spotify’s Sandra Alzetta is the one who brokered the secret deal, we’re learning — and she just confirmed in no uncertain terms what we learned yesterday about Google’s zero percent sweetheart deal for Spotify.

If users choose Google Play Billing to pay for Spotify, she says, Spotify only pays to cover Google’s cost to process the payment.