Google vs. Europe: 'This Is How You Are Endangering Billions of Users'

Google has once again escalated its confrontation with the European Commission over the Digital Markets Act (DMA), the regulation that requires large digital operators, defined as "gatekeepers", to open platforms and services more to competition. According to the security and privacy officials at the Mountain View company, whose positions have been reported by Wired, some of the proposed measures could have unintended consequences for cybersecurity, increasing the risk of fraud, hacker attacks, and violations of user privacy.

This confrontation comes at a particularly delicate time. The European Commission is expected to soon finalize decisions related to two separate proceedings concerning Google Search and Android interoperability. The new provisions aim to reduce the dominance of large tech operators, promoting the emergence of competitors that could access data and functionalities so far reserved for dominant platforms.

One of the most controversial points concerns Google Search. The European proposals envisage that Google share with other search engines a much broader set of data than what currently happens, including the queries entered by users, data related to clicks made, and information on the results displayed, naturally through anonymization procedures designed to prevent the identification of individuals.

According to Google, however, the issue lies precisely in the effectiveness of such techniques. Heather Adkins, vice president of the Security Engineering division and one of the historical members of the company’s security team, argues that the proposed anonymization methods have weaknesses that could allow, under certain circumstances, the reconstruction of user identities. If this were possible, the company observes, the data could no longer be considered truly anonymous.

David Lewis, head of privacy consulting for Europe, the Middle East, and Africa, states that Google engineers have already demonstrated internally the possibility of re-identifying such information. Additionally, in the past, Reuters had reported that the company’s security red team managed to link some anonymized data back to the original users in less than two hours, although the technical details of such tests have never been made public. Google also believes that the widespread adoption of modern language models could make de-anonymization even easier if this data falls into the wrong hands. According to Adkins, AI-based tools could indeed become particularly effective at cross-referencing large amounts of information from different sources.

The company also highlights another aspect: once shared with third parties, the data would leave its control perimeter. Although the European Commission anticipates contractual obligations, independent audits, and security requirements for companies that will receive such information, Google believes that many smaller entities could represent more vulnerable targets for cybercrime compared to large platforms.

Alongside the Search issue, there is the one related to Android. In this case too, Brussels intends to enhance the interoperability of the ecosystem, allowing AI services developed by third parties to access currently limited functionalities, such as using wake words, interacting with installed applications, and potentially accessing some data on the device.

Eugene Liderman, head of Android security, argues that a too rapid opening of these functionalities could conflict with some of the best practices adopted in recent years to protect users. In particular, Google fears that broader access to sensitive permissions, such as microphone, camera, and content displayed on the screen, could offer new opportunities for scammers to compromise devices or trick users through malicious applications.

On this specific issue, Apple has also expressed, albeit limitedly, positions partially aligned with those of Google, advocating the need to introduce transparency mechanisms, certification, and additional checks before expanding access to the capabilities of the operating system.

Google’s criticisms, however, do not find unanimous consensus. Numerous researchers, legal experts, and competing companies believe that the framework outlined by the European Commission is robust enough to limit risks to an acceptable level. Kamyl Bazbaz, head of public policy at DuckDuckGo, argues that the regulation does not require the elimination of any theoretical re-identification risk but rather its reduction to a negligible level. According to this interpretation, the concerns raised by Google could be addressed without radically changing the substance of the European proposals.