Microsoft competes directly with other security vendors and endpoint security solutions. By restricting kernel access for third-party developers, these companies are effectively forced out of the market, stifling innovation and competition. Over the past 15 years, Microsoft had ample opportunity to create an equitable and secure framework that allows safe kernel access for all developers, including themselves, yet they did not do so. This suggests that locking out third-party vendors from kernel access was primarily intended to eliminate competition rather than to enhance security.
Would Crowdstrike have had kernel access without the EU directive? No, they wouldn’t have. Case closed.

You can argue all you want that it’s better for society overall that there is competition in that market, or that Microsoft could have prevented it if they worked harder, but you can’t argue that the EU isn’t responsible for the outage. Because they are.

If the EU demanded that a car manufacturer switch their seatbelt design away from a safe design to one that had a small chance to decapitate people in minor accidents, it’d be the EU’s fault when that seatbelt design decapitated someone.

You could argue the seatbelt design saved more people than it killed, or it was worth it because it allowed third parties to compete in the important seatbelt manufacturing market, or other car manufacturers figured out a fix to prevent decapitation and the regulated car manufacturer should have implemented that fix, but you can’t argue that the decapitated person wouldn’t have been decapitated if the EU hadn’t gotten involved.

In contrast, Linux implemented secure mechanisms like eBPF in 2014, allowing third-party modules to be loaded securely while maintaining system integrity. Similarly, macOS introduced System Extensions in 2020, providing a secure way for third-party developers to extend system capabilities without compromising kernel security. Despite having the same amount of time and resources, Microsoft has failed to develop a comparable solution. This problem is purely of Microsoft's own creation.

Let’s not forget that Microsoft has billions more users than Linux and macOS combined. Making fixes for Microsoft isn’t as simple, or as free of disruption, as it is for those two OSes. And I don’t believe for a second that had Microsoft attempted to implement said fix, the companies wouldn’t have run to the EU screaming about how big bad Microsoft was unfairly making these much smaller companies spend significant resources to completely rewrite their products.
 
If the EU demanded that a car manufacturer switch their seatbelt design away from a safe design to one that had a small chance to decapitate people in minor accidents, it’d be the EU’s fault when that seatbelt design decapitated someone.
What is your argument then? If seatbelts save 100 lives every year, and cause one fatal accident, should we then refrain from mandating seat belts?

The world has a little more nuance. It's not black and white only.
 
What is your argument then? If seatbelts save 100 lives every year, and cause one fatal accident, should we then refrain from mandating seat belts?

The world has a little more nuance. It's not black and white only.
That there is good in bad, and bad in good. That sometimes in trying to solve one problem, you end up creating another, and there is nothing wrong in acknowledging this. Right now, what I am seeing is that those supportive of EU legislation seem adamant that said legislation is perfect and there will be no long-term consequences whatsoever.

I agree in principle with some of the arguments above that Microsoft could in theory have tried to do something to prevent an incident like Crowdstrike from even happening in the first place. However, consider this. Crowdstrike was not caused directly by Microsoft to begin with. It was caused by a third-party vendor, whose business model was enabled by the very legislation passed by the EU 15 years ago.

Which also raises the question - what even is Microsoft's incentive to fix this issue? My understanding is that they aren't going to be held liable over this, companies are still going to have kernel-level access to Windows thanks to EU regulation, and the only line of defence users have is to pray that the very cloud-based security companies whom they depend on will remain vigilant and don't repeat said accident.

Perhaps it is time to revisit said legislation and discuss whether makers of security software should continue to receive the same level of access to Windows that Microsoft gets? Yes, some users will argue that this is "unfair", but in a hypothetical alternate future where only Microsoft had kernel-level access (and therefore remained the only company who could in theory crash computers worldwide via a faulty patch), is a lack of competition in this space an unfair price to pay in exchange for improved security and stability for Windows users worldwide?
 
What is your argument then? If seatbelts save 100 lives every year, and cause one fatal accident, should we then refrain from mandating seat belts?

The world has a little more nuance. It's not black and white only.
My point is the EU's actions have consequences and that they'd do well to remember that. You may think a worldwide multi-day outage that causes billions of dollars of damages is a worthwhile price to pay to enable competition in a pretty scammy corner of the PC software market, but a lot of us don't. And the EU's response of "Microsoft never told us something like this could happen" proves the point of those of us who have been saying it's clear the EU doesn't understand the implications of what they're demanding in their burdensome and unnecessary regulations.

At least in the Microsoft case they have the argument that Windows has something like 90% market share. While I still say giving third parties the same level of access as the OS manufacturer is an incredibly stupid idea, Microsoft does have a monopoly on desktop computing software and therefore deserves stricter oversight. But they're doing the EXACT SAME THING to iOS, which has a 25% market share in the EU. Who knows what "interoperability" requirement they're pushing on iOS will lead to. Maybe their demand that anyone and everyone who wants access to AirDrop gets it means malware gets shared more easily? Maybe their demand that side loading and alternate app stores be allowed leads to a significant increase in malware. We've already seen that Google's model leads to Android users having 95% of all mobile malware targeted at them. So forcing that model onto iOS in the name of competition, when the model is already available to anyone who wants it in Android, is not a worthwhile endeavor.
 
What is your argument then? If seatbelts save 100 lives every year, and cause one fatal accident, should we then refrain from mandating seat belts?

The world has a little more nuance. It's not black and white only.

A more suitable seatbelt analogy would be:

Seatbelts save 100 lives every year. We shouldn't allow politicians, who lack the necessary engineering expertise, to dictate design changes in seatbelts that will cause 5.4 billion deaths every few years just because a constituent thinks he can make a little money by providing a cheaper and less reliable replacement product.
 
Just to provide the relevant excerpt in this case from the 2009 agreement.

A. GUIDING PRINCIPLES

(2) Microsoft shall ensure that third-party software products can interoperate with Microsoft’s Relevant Software Products using the same Interoperability Information on an equal footing as other Microsoft Software Products. (“Interoperability Commitment”)

(3) This Undertaking shall be interpreted in the light of these Guiding Principles.

(4) Microsoft shall not circumvent or attempt to circumvent the commitments in this Undertaking, including the Guiding Principles.

B. INTEROPERABILITY COMMITMENT

I. General Provisions

(5) The following general provisions shall govern the implementation by Microsoft of the Specific Commitments in Section B.II.

(6) Microsoft shall:

A. Make Interoperability Information available to interested undertakings in the way outlined in this Section for the purposes of achieving interoperability.
B. Support open, public standards in Microsoft’s Relevant Software Products in the way outlined in this Section.

(7) Interoperability Information shall be made available by Microsoft under the following terms:

A. Access to and use of the Interoperability Information shall be subject to reasonable and non-discriminatory terms.

1. “The EU is responsible for the outage because their directive allowed third-party access to the Windows kernel.”

The EU directive promotes interoperability, ensuring third-party software can compete fairly with Microsoft’s own products. According to the guiding principles in Microsoft’s interoperability commitments, Microsoft is required to provide third-party vendors with equal access to interoperability information to prevent monopolistic practices. However, this obligation does not absolve Microsoft of responsibility for ensuring a secure implementation.

The Crowdstrike issue arises from a failure in execution by the vendor and Microsoft’s own oversight in managing kernel access—not from the directive itself. The EU does not micromanage technical implementations; instead, it creates a framework for fair competition. If Microsoft had concerns about potential risks, their obligations under the directive included proposing reasonable, non-discriminatory safeguards to mitigate them. Blaming the EU for the vendor’s failure is a misdirection when the underlying issue is one of operational negligence.

Moreover, Microsoft retains a significant role in regulating kernel access. The EU does not prevent Microsoft from implementing safeguards or requiring higher standards from third-party vendors. If Microsoft neglected these precautions, that reflects their own strategic choices, not an inherent flaw in EU policy.


2. “Microsoft has too many users, making fixes harder, and the EU didn’t consider this.”

This argument conflates two separate issues: the complexity of Microsoft’s systems and the intent of EU regulations. The EU is not demanding immediate perfection but rather creating an environment for competition and innovation, which fosters long-term improvements in security and user choice. Microsoft’s vast user base is precisely why oversight is needed—it holds a disproportionate amount of control over consumer systems. Allowing unchecked dominance would lead to stagnation, higher costs, and reduced innovation, as seen historically in monopolistic markets.

The EU directive does not prevent Microsoft from imposing reasonable compliance measures on third parties. If Microsoft feared potential exploits, they had ample opportunity to collaborate with regulators to propose mitigations or technical standards. Suggesting the EU is unaware of the complexities in regulating monopolistic markets overlooks the detailed deliberations behind such policies.

Furthermore, Microsoft’s size is an advantage, not a handicap. With vast resources, Microsoft is uniquely equipped to implement safeguards for third-party access. If the company chose not to prioritize these safeguards, it is a failure of corporate governance, not EU regulation. The directive does not prevent Microsoft from requiring third parties to meet rigorous security standards or implementing automated checks to detect vulnerabilities.

3. “The EU doesn’t understand the implications of their regulations; burdensome rules are unnecessary.”

The guiding principles of the EU directive emphasize reasonableness and non-discrimination, ensuring competition without undermining security. Microsoft’s interoperability commitments were explicitly designed to balance competition and stability. Claiming the EU “doesn’t understand the implications” ignores the clear framework outlined in the regulation, which allows Microsoft to propose and enforce appropriate security measures while enabling competition.

The analogy of a “decapitating seatbelt” is flawed. EU regulations do not force insecure practices; they require equal access under reasonable terms. If Crowdstrike introduced vulnerabilities, it is because either the vendor failed to follow best practices or Microsoft failed to enforce adequate compliance measures—both of which are operational issues, not regulatory flaws.

4. “Competition leads to instability; wouldn’t we be safer if only Microsoft had kernel access?”

Relying solely on Microsoft for kernel access is a dangerous trade-off. Monopoly control reduces incentives for innovation and security. For example, vulnerabilities in Microsoft’s kernel would leave billions of users globally exposed with no alternative solutions. Competition mitigates this risk by diversifying responsibility and innovation, allowing independent companies to address gaps Microsoft might overlook.

Furthermore, the argument assumes that Microsoft is inherently more secure or capable, but history tells a different story. Microsoft itself has released faulty patches causing global disruptions. By opening access to third parties, the EU allows the market to explore alternative approaches to security, which can lead to better overall resilience.
Instead, they chose to comply without implementing robust safeguards for third-party access—reflecting strategic choices rather than regulatory shortcomings.

5. “Applying the same principles to iOS will lead to more malware.”

The argument oversimplifies the issue of security on iOS. The EU’s interoperability requirements for iOS do not equate to negligence in malware prevention. In fact, such regulations are accompanied by strict requirements for transparency, privacy, and security. Apple’s existing control over iOS is not immune to security flaws either, as demonstrated by multiple incidents of malware breaches and privacy violations. Competition in app stores or interoperability can coexist with robust safeguards if Apple invests in proper security protocols, just as they already do in macOS.

The claim that Android’s openness leads to higher malware rates ignores the fact that Google has taken steps to address these risks and improve its ecosystem over time. Increased competition does not inherently lead to insecurity—it leads to shared accountability, reducing the systemic risks posed by relying solely on one vendor.

TL;DR

The EU’s regulations are not about perfection but about creating a balanced ecosystem where consumers benefit from competition, innovation, and choice. Mistakes made by vendors or technical issues arising from individual actors do not invalidate the overall benefits of reducing monopolistic control. Either the vendor failed to follow best practices or Microsoft failed to enforce adequate compliance measures—both of which are operational issues, not regulatory flaws.
The fact that Microsoft didn’t implement greater security standards because the EU didn’t explicitly require them to do so is a shortsighted choice they made.

Nowhere is Microsoft required to design an insecure system, nor are they required to have minimal standards for third-party access.
 
There are several errors in your (what seems to be AI-generated) response, but I don’t think there’s any point in going back and forth on this if you are going to continue to argue that somehow the EU isn’t responsible for something that literally wouldn’t have happened if the EU hadn’t forced Microsoft to make a change to its policies.
 
I echo @surferfb that @Sophisticatednut's responses seem to have been generated by ChatGPT (and here I am typing out my response by hand at 5 am in the morning). Still, I will give it the benefit of the doubt, and provide my counterarguments to anyone willing to read them.

That is my respect to you, the forum goer, that I will never use AI to generate any of my responses. Every single word I type is straight from my heart, nothing less. I hope you will have as much enjoyment reading them as I have had typing them.
Moreover, Microsoft retains a significant role in regulating kernel access. The EU does not prevent Microsoft from implementing safeguards or requiring higher standards from third-party vendors. If Microsoft neglected these precautions, that reflects their own strategic choices, not an inherent flaw in EU policy.
True, but at some point, if you are going to make it so hard for me to do my job through burdensome regulations that have zero benefit to me, then I fail to see why I should even bother to begin with.

Incentives do matter, and in this regard, there was little incentive for Microsoft to secure a problem that was not of their making in the first place.
Relying solely on Microsoft for kernel access is a dangerous trade-off. Monopoly control reduces incentives for innovation and security. For example, vulnerabilities in Microsoft’s kernel would leave billions of users globally exposed with no alternative solutions. Competition mitigates this risk by diversifying responsibility and innovation, allowing independent companies to address gaps Microsoft might overlook.
I think the fact that Linux and macOS can afford to close off kernel level access shows that there is really little benefit to be had from continuing to make this level of access available to companies and users outside of Microsoft.

To use an example, gun control. In every other country where the civilian population is not allowed free and ready access to firearms, the incidence of someone being randomly shot dead on the streets is basically zero. If we were to follow your line of reasoning, it would somehow be better to allow users to purchase firearms from a variety of vendors instead of making the government the sole source of firearms (eg: via the army and law enforcement), therefore "diversifying responsibility and innovation and allowing independent companies to address gaps that the government might overlook".

And maybe this is one area that you don't necessarily want or need innovation in. At least not with the current degree of tradeoff involved. Heck, my country banned chewing gum when irresponsible commuters started sticking them under seats and in the doors.
The claim that Android’s openness leads to higher malware rates ignores the fact that Google has taken steps to address these risks and improve its ecosystem over time. Increased competition does not inherently lead to insecurity—it leads to shared accountability, reducing the systemic risks posed by relying solely on one vendor.
I just wish to address this particular point, particularly within the context of Android and malware. I am not sure what additional safeguards Google has taken over time, but the issue remains that so long as sideloading is available, there will always be the risk that users may accidentally sideload malware onto their devices (and therefore run the risk of say, their banking details being compromised and their life savings being siphoned away).

Versus iOS, where up until the DMA, sideloading was practically impossible. That's why in my country, the issue of malware being accidentally downloaded onto smartphones was a problem which specifically affected only Android handset users.


To use another analogy, it's like forcing me to give rope to every single person in the country, while at the same time making it my responsibility (somehow) to expect that no one attempts to use the rope to hang themselves. If you want to make the latter my KPI, would it not be easier to simply make it such that users didn't have the rope to begin with, especially if they weren't really doing anything useful with the rope in the first place? Why should I be made to clean up a mess that was not created by me in the first place?

In this regard, I fail to see how systemic risk is reduced when it is the legislation which led to said risk even existing in the first place. You increase my work, there is no benefit (financial or otherwise) to be had on my end, and you still want me to take on the thankless job of ensuring that no one screws up as a result of your policies?

This is so uniquely "government sector". I should know, working for the government myself.

On paper, it's not wrong, but it also sounds like a case of the EU attempting to have its cake and eat it too. If they wanted to reap the recognition of being the one to successfully regulate a tech titan like Microsoft and increase competition in the space, then the onus of continuing to monitor the situation over the long term (and propose remedies to problems as they arise) should, IMO, rightfully come from the entity who instituted said regulation in the first place.

ie: the EU, not Microsoft.

It's not dissimilar to the problem people have with cookie banners of late. What exactly is the follow-up to the poor experience to be had from incessant pop-ups? It's clear that there is zero incentive for websites to improve the user experience in this regard.
 
There are several errors in your (what seems to be AI-generated) response, but I don’t think there’s any point in going back and forth on this if you are going to continue to argue that somehow the EU isn’t responsible for something that literally wouldn’t have happened if the EU hadn’t forced Microsoft to make a change to its policies.
There’s a difference between a regulation that is poorly written and enforces bad standards, and a regulation that leaves it more open to how you meet the minimum requirements.

If the EU had never required interoperability, then it’s very likely that the CrowdStrike incident wouldn’t have happened. But it’s also equally true that Microsoft wasn’t prevented from having stringent security standards, nor was it obliged to let the company in question make such poor use of the kernel.

In the exact same manner as millions upon millions of other cases regarding interoperability.
I echo @surferfb that @Sophisticatednut's responses seem to have been generated by ChatGPT (and here I am typing out my response by hand at 5 am in the morning). Still, I will give it the benefit of the doubt, and provide my counterarguments to anyone willing to read them.
That is my respect to you, the forum goer, that I will never use AI to generate any of my responses. Every single word I type is straight from my heart, nothing less. I hope you will have as much enjoyment reading them as I have had typing them.
I don’t use AI generated responses, but I sometimes use it to restructure the text I write on my phone. But the information and arguments I present are wholly my personal creation, in addition to EU legal text.
True, but at some point, if you are going to make it so hard for me to do my job through burdensome regulations that have zero benefit to me, then I fail to see why I should even bother to begin with.

Incentives do matter, and in this regard, there was little incentive for Microsoft to secure a problem that was not of their making in the first place.
I agree with you regarding burdensome regulations. But I would presume you’re self-interested regarding the security and safety aspects of your software, and allowing insecure access to your software isn’t in your self-interest?

Especially with regard to the 2009 agreement.

I tell you this: the only difference between macOS/Linux and Microsoft regarding how they do these things is that Microsoft was required to allow interoperability, while Apple and those who write Linux have done the same thing voluntarily BUT actually have stringent security standards attached to it.
I think the fact that Linux and macOS can afford to close off kernel level access shows that there is really little benefit to be had from continuing to make this level of access available to companies and users outside of Microsoft.
Well, I might be wrong, but it’s likely that Windows is just less secure. But if Windows Defender requires kernel access to secure the system from threats, then that’s a Windows problem.
To use an example, gun control. In every other country where the civilian population is not allowed free and ready access to firearms, the incidence of someone being randomly shot dead on the streets is basically zero. If we were to follow your line of reasoning, it would somehow be better to allow users to purchase firearms from a variety of vendors instead of making the government the sole source of firearms (eg: via the army and law enforcement), therefore "diversifying responsibility and innovation and allowing independent companies to address gaps that the government might overlook".

And maybe this is one area that you don't necessarily want or need innovation in. At least not with the current degree of tradeoff involved. Heck, my country banned chewing gum when irresponsible commuters started sticking them under seats and in the doors.
Well, I do actually believe that it would be better for the market if a diverse variety of vendors could manufacture and design weapons that meet the safety standards and even supersede them in novel ways.

I don’t think anti-malware software would be in a better position if it were not able to use the same security features as the standard ”Windows defense system”. Especially when it’s often ranked poorly.

I can empathize with the notion ”And maybe this is one area that you don't necessarily want or need innovation in”, but I would rather think the free market is better at answering that question than either the government or the company that benefits from no further innovation by competitors.
I just wish to address this particular point, particularly within the context of Android and malware. I am not sure what additional safeguards Google has taken over time, but the issue remains that so long as sideloading is available, there will always be the risk that users may accidentally sideload malware onto their devices (and therefore run the risk of say, their banking details being compromised and their life savings being siphoned away).

Vs iOS where up till the DMA, sideloading was practically impossible. That's why in my country, the issue of malware being accidentally downloaded onto smartphones was a problem which specifically affected only Android handset users.

Android has implemented its own version of the Secure Enclave as well as isolating the system, and the improvements Android has made over the last 10 years are massive.
But it’s probably an indisputable fact that sideloading being a little easier (irrespective of degree, unless proven otherwise) likely increases the chances of malicious attacks occurring. But regarding iOS, I would say it has largely been a trivial action before the DMA. But regarding the security of their banks, I would say they are unfortunately lacking security standards such as security verification, etc.

And unfortunately most fraudulent activities can’t be dumb proofed as it’s mostly a social engineering problem.
To use another analogy, it's like forcing me to give rope to every single person in the country, while at the same time making it my responsibility (somehow) to expect that no one attempts to use the rope to hang themselves. If you want to make the latter my KPI, would it not be easier to simply make it such that users didn't have the rope to begin with, especially if they weren't really doing anything useful with the rope in the first place? Why should I be made to clean up a mess that was not created by me in the first place?
Well, to adjust your analogy a little, and ignoring the obvious safety issues that a government is mostly responsible for: if the EU dictates that you must allow other dealers to fit their own seatbelts in your car models, and if other dealers implement a seatbelt that goes across your front legs only, and you sign that off as a completely fine use of your seatbelts.

Now, when the cars crash, we notice that in your standard the seatbelt can be made out of pasta as long as it has the word "seatbelt" written on it.

Would you honestly say it’s the government’s fault because it didn’t tell you that pasta with the word seatbelt that only covers your legs isn’t a brilliant idea…?

Or would you say it's probably first the dealership's fault for doing something so crazy, and secondly that your standards being so poor is something you're responsible for?

I don't think you can blame the government for stupid decisions.
In this regard, I fail to see how systemic risk is reduced when it is the legislation which led to said risk even existing in the first place. You increase my work, there is no benefit (financial or otherwise) to be had on my end, and you still want me to take on the thankless job of ensuring that no one screws up as a result of your policies?
Well, there is a benefit in having your core software not be easily exploited, because you don't have the ability to require a secure standard for any access.
This is so uniquely "government sector". I should know, working for the government myself.

On paper, it's not wrong, but it also sounds like a case of the EU attempting to have its cake and eat it too. If they wanted to reap the recognition of being the one to successfully regulate a tech titan like Microsoft and increase competition in the space, then the onus of continuing to monitor the situation over the long term (and propose remedies to problems as they arise) should, IMO, rightfully come from the entity who instituted said regulation in the first place.

ie: the EU, not Microsoft.
Well, I don't think the EU has any business dictating the security standard for how you get to access an API, especially when Microsoft is the one in the best position to dictate that standard. And if they thought it should be zero, then that's their prerogative. 🤷‍♂️

Allowing competition doesn’t mean dictating the standard they must meet.
It's not dissimilar to the problem people have with cookie banners of late. What exactly is the follow-up to the poor experience to be had from incessant pop-ups, because it's clear that there is zero incentive to improving the user experience by websites in this regard.
There is a follow-up, but it's limited to the EU. So unfortunately most of the popups, and how they are designed and implemented for non-EU IP addresses, are outside the EU's control.

The law explicitly says you need to have a clear "no to everything", a "yes", and a third option to customize; pressing NO must be as easy as pressing YES.
 
Think the former hit the nail on the head.
Well, there is a downside with a regulation that allows companies to be dumb.
But I wouldn't say a regulation that tells you to allow interoperability is badly written just because it doesn't require you to implement security standards.

The EU is full of poorly written regulations as a consequence of trilateral policy negotiations that allow politicians to make changes over technical experts. But I wouldn't say this is an example of it.

But I don't think there is anything the EU could do to make Windows more secure when the foundation is largely rotten by design 😅

And I don't know about you, but I don't think we need banking-level security regulations written for Google, Microsoft or Apple, etc.
 
Well, there is a downside with a regulation that allows companies to be dumb.
But I wouldn't say a regulation that tells you to allow interoperability is badly written just because it doesn't require you to implement security standards.

Regulation often works better in theory than in practice. On paper, regulations look clean and well-organized, with their intended benefits clearly outlined in the preamble. However, unlike judicial rulings, regulations rarely include a section for dissent or opposing viewpoints. They rarely account for unintended negative consequences or present historical evidence that might weaken support for the law.

When regulations are implemented in the real world, a host of challenges emerge. For one, people are responsible for interpreting and enforcing these laws, and this can lead to misunderstandings, misapplications, or misinterpretations. Regulations can also be manipulated or exploited by citizens, businesses, law enforcement, politicians, or the courts. Competition and time constraints can encourage quick and bad decisions by engineers under pressure from management, which might not understand the technical or long-term business consequences.

We've seen this in this case with Microsoft. We also saw it with the diesel emissions scandal caused by EU regulations. We saw it with the Boeing 737 Max trying to comply with safety standards under the pressure of market competition with Airbus. We see it with GDPR, where small companies struggle to comply and block EU access as a result. We saw it with the EU single-use plastics directive, resulting in improper disposal of plastic waste. We saw it with Europe's ban of BPA, which led to the use of even worse chemicals. We see it with the Electronic Waste directive: manufacturers have redesigned products to be harder to repair and more disposable to reduce their costs now that they are held responsible for product disposal.

I could add a much longer list of examples, but the point is made. Regulations that look straightforward in theory can trigger cascading unintended consequences once they interact with the complexities of human behavior, organizational structures, business competition, and real-world constraints. The EU isn't exempt from regulatory short-sightedness and abuse.
 
Which also raises the question - what even is Microsoft's incentive to fix this issue? My understanding is that they aren't going to be held liable over this, companies are still going to have kernel-level access to Windows thanks to EU regulation, and the only line of defence users have is to pray that the very cloud-based security companies whom they depend on will remain vigilant and don't repeat said accident.

Your reasoning that the EU is responsible is flawed on so many levels.

Large corporations put this security software on their clients voluntarily. They even demand this kind of service and would not be happy if they could not monitor their clients for threats. They would also not be happy, if the only provider of such a software would be Microsoft. We are not talking about small kids who are being told what to do by their parents. These are very sophisticated organisations we are talking about who know how to lobby for their interests. I'm sure the EU received a lot of input from them on this matter and others.

Kernel access for some types of software has been a feature of the Windows OS from the very beginning. Many essential third-party hardware drivers work in kernel space even today. macOS (or OS X) has the same thing, where it's called "kexts". Kernel-level third-party software has not been mandated by the EU or anyone else. Third-party code running with high privilege has historically been the norm, not the exception.

It's true that commercial OS designers have been working to limit the ability of third-party code to run with very high privilege in kernel space, for good reason. This has been a gradual process, and even Apple is not completely finished with this transition yet. At the same time, OS vendors know that they have to provide certain APIs for security software to make corporate customers happy.

The gist is, the EU never mandated how security software should work. They only mandated that third-party tools should have the same access as the equivalent tools offered by MSFT.

And the EU's response of "Microsoft never told us something like this could happen" proves the point of those of us who have been saying it's clear the EU doesn't understand the implications of what they're demanding in their burdensome and unnecessary regulations.
Please provide a source where someone in official capacity said something like this. There has never been a mea culpa from the EU. It's not even necessary, because it's completely Microsoft's and CrowdStrike's fault that this fiasco happened.
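The post above rests on an empirical claim: a lot of third-party code already runs in the Windows kernel as ordinary drivers, quite apart from any security agent. A practitioner can check that on their own fleet. The following is an added example, not code from the thread, from Microsoft or from CrowdStrike: an elevated-PowerShell inventory of the kernel-mode drivers currently running on a Windows host, grouped by the Authenticode signer of the driver file. The classification rules in `Get-DriverOrigin` are my assumption, based on the certificate subjects Windows normally uses ("Microsoft Windows" for inbox components, "Microsoft Windows Hardware Compatibility Publisher" for third-party drivers that went through WHQL or attestation signing); they are a heuristic for a first look, not an attestation of who wrote the driver. Note also that drivers that are catalog-signed rather than embedded-signed will show `NotSigned` on the file itself, so cross-check surprises with `driverquery /si` before drawing conclusions.

```powershell
# Added example (not from the thread): inventory running kernel-mode drivers
# on a Windows host and group them by who signed the driver file.
# Assumes: local Windows host, elevated PowerShell session.

function Resolve-DriverPath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    # Win32_SystemDriver.PathName comes in several shapes; normalize them.
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                     # \??\C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\" # \SystemRoot\System32\...
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverOrigin {
    # Heuristic classification by certificate subject (assumption, see lead-in).
    param([string]$SignerSubject)
    switch -Regex ($SignerSubject) {
        'CN=Microsoft Windows Hardware Compatibility Publisher' { return 'ThirdParty-WHQL' }
        'CN=Microsoft Windows,'                                 { return 'Inbox' }
        'O=Microsoft Corporation'                               { return 'Microsoft-Other' }
        '^unknown$'                                             { return 'Unknown' }
        default                                                 { return 'ThirdParty-Other' }
    }
}

function Get-KernelDriverInventory {
    # Only drivers that are actually loaded and running in kernel space.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' }

    foreach ($d in $drivers) {
        $path   = Resolve-DriverPath $d.PathName
        $signer = 'unknown'
        $status = 'NoFile'
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig    = Get-AuthenticodeSignature -LiteralPath $path
            $status = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [pscustomobject]@{
            Name      = $d.Name
            Path      = $path
            Signer    = $signer
            SigStatus = $status
            Origin    = Get-DriverOrigin $signer
        }
    }
}

$inventory = Get-KernelDriverInventory

# Summary: how much of the running kernel is not Microsoft's own code?
$inventory | Group-Object Origin | Sort-Object Count -Descending |
    ForEach-Object { '{0,4}  {1}' -f $_.Count, $_.Name }

# Detail on the third-party and unclassified drivers (the category a
# CrowdStrike-style sensor driver would fall into).
$inventory |
    Where-Object { $_.Origin -notin @('Inbox', 'Microsoft-Other') } |
    Sort-Object Origin, Name |
    Format-Table Name, Origin, SigStatus, Signer -AutoSize
```

Run it on a freshly imaged corporate laptop before any EDR is installed and the third-party bucket is usually already non-empty (GPU, audio, storage and VPN drivers, for a start), which is the point the poster is making: kernel-resident third-party code predates both the 2009 agreement and the security-agent market.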
 
They only mandated, that third party tools should have the same access as the equivalent tools offered by MSFT.
Which feels to me like a distinction without a difference, and is precisely where we are divided on.

You feel that this level of "fairness" is justified in the name of improved competition. I am arguing that with the benefit of hindsight, allowing Microsoft to give itself preferential treatment with regards to OS-level permissions may not have been a bad thing if we consider competition vs security as comparable tradeoffs, rather than declare competition as some sort of fundamental right that is not to be compromised under any circumstances.

Like if you ask me, I personally couldn't care less if Denuvo was not able to mandate anti-piracy software that was able to run at kernel-level of Windows, which is incredibly invasive and has been known to impact gaming performance.

Large corporations put this security software on their clients voluntarily. They even demand this kind of service and would not be happy if they could not monitor their clients for threats.
You don't hear about iOS users needing to install anti-virus software on their devices, because of how walled off everything is.

Isn't the issue that these threats are a problem precisely because they are able to access the kernel of your Windows computer (in order to do funny stuff), and that the solution, ironically enough, is anti-malware software that does the same thing?

It's like I have this hole in the fence, yet the law is preventing me from patching this hole and instead, I have to devote resources towards constantly monitoring this hole and ensuring that no threats slip through.
 
It's like I have this hole in the fence, yet the law is preventing me from patching this hole and instead, I have to devote resources towards constantly monitoring this hole and ensuring that no threats slip through.
There is a fundamental trade-off between how closed off (secure) an operating system is and how useful and versatile it is. If corporations only needed their employees to play Candy Crush all day, they would probably be better off giving their employees heavily restricted iPads and iPhones instead of Windows PCs. I'm exaggerating a little, but not too much.

Instead, they want to customize how the infrastructure they operate works. One aspect of this being the monitoring for security and compliance purposes. They don't necessarily need kernel access for that. Although I'm sure that the largest organisations will still demand it. What they do need though, are ways to monitor what is happening in kernel space, be it through APIs or direct access.
 
Please provide a source where someone in official capacity said something like this. There has never been a mea culpa from the EU. It's not even necessary, because it's completely Microsoft's and CrowdStrike's fault that this fiasco happened.

Here you go:
The spokesperson also said that "the incident was not limited to the European Union and that Microsoft has never raised any concerns about security with the Commission either before or after the incident."
What’s next, EU requires banks to let anyone who wants access into their vaults and then when robberies happen says “the banks didn’t raise security concerns with letting random people into vaults” and posters here blame the banks for not hiring more security guards?

The amount of backflipping being done to say EU isn’t at fault here is amazing. Again, you can say the outage was an acceptable price to pay for competition in the antivirus software market, or that Microsoft/Crowdstrike could have done more, but you can’t say the EU isn’t responsible because it literally would not have happened if the EU hadn’t required Microsoft to give others the same access it had.
 
There is a fundamental trade-off between how closed off (secure) an operating system is and how useful and versatile it is.
Agreed. And it seems the more closed off the more useful it is.
If corporations only needed their employees to play Candy Crush all day, they would probably be better off giving their employees heavily restricted iPads and iPhones instead of Windows PCs. I'm exaggerating a little, but not too much.

Instead, they want to customize how the infrastructure they operate works. One aspect of this being the monitoring for security and compliance purposes. They don't necessarily need kernel access for that. Although I'm sure that the largest organisations will still demand it. What they do need though, are ways to monitor what is happening in kernel space, be it through APIs or direct access.
 
What’s next, EU requires banks to let anyone who wants access into their vaults and then when robberies happen says “the banks didn’t raise security concerns with letting random people into vaults” and posters here blame the banks for not hiring more security guards?
Ok. Now I understand your point. Microsoft knew all this time since 2009 that there was a security risk. But they kept their mouth shut and waited all this time for the CrowdStrike incident to happen, just so that they could blame the EU to prevent further regulation. Makes perfect sense 👍.
 
Agreed. And it seems the more closed off the more useful it is.
If you think so for your personal devices, fine. Most enterprises seem to have a different opinion. Windows is still overwhelmingly dominant in this market.
 
If you think so for your personal devices, fine. Most enterprises seem to have a different opinion. Windows is still overwhelmingly dominant in this market.
That's not correct. Most corporations have no issues with Apple devices in the enterprise. If the above were true, iOS wouldn't be allowed in corporate America.
 
That's not correct. Most corporations have no issues with Apple devices in the enterprise. If the above were true, iOS wouldn't be allowed in corporate America.
They have no issues, as long as you can install office, teams, outlook on them.
 
Well, that's not the definition of closed, is it?
I was not arguing about the merits of closed or not closed operating systems here. You picked out this one sentence. But I'm not really interested in discussing this tangent further.

I was arguing against the popular opinion that there is a causal relationship between the EU-MSFT agreement from 2009 and the CrowdStrike incident.
 
Ok. Now I understand your point. Microsoft knew all this time since 2009 that there was a security risk. But they kept their mouth shut and waited all this time for the CrowdStrike incident to happen, just so that they could blame the EU to prevent further regulation. Makes perfect sense 👍.

Or maybe they assumed that the EU was competent and understood what they had ordered Microsoft to do. If the EU passed a regulation banning the sale of gas-powered cars, do they need someone to tell them it’ll eventually lead to gas stations going out of business?
 
Or maybe they assumed that the EU was competent and understood what they had ordered Microsoft to do. If the EU passed a regulation banning the sale of gas-powered cars, do they need someone to tell them it’ll eventually lead to gas stations going out of business?
Ah yes. Of course it's completely plausible that Microsoft, or any other large corporation, will assume that.
 