EU regulators accused Apple on Friday of distorting competition in the music streaming market, siding with Spotify in a case that could lead to a hefty fine and changes in the iPhone maker’s lucrative business practices.
The preliminary findings are the first time Brussels has leveled anti-competitive charges against Apple, although the two sides have had bruising clashes in the past, most notably a multibillion-dollar tax dispute involving Ireland.
Apple, Spotify and other parties can now respond. If the case is pursued, the EU could demand concessions and potentially impose a fine of up to 10% of Apple’s global turnover – as much as $27 billion, although it rarely levies the maximum penalty.
Apple found itself in the European Commission’s crosshairs after Sweden-based Spotify complained two years ago that the U.S. tech giant unfairly restricted rivals to its own music streaming service Apple Music on iPhones.
The EU competition enforcer, in its so-called statement of objections setting out the charge, said the issue related to Apple’s restrictive rules for its App Store that force developers to use its own in-app payment system and prevent them from informing users of other purchasing options.
European Competition Commissioner Margrethe Vestager said there were clear signs Apple’s App Store rules were affecting music streaming rivals’ business development and affecting app developers more widely.
“They [app developers] depend on Apple App Store as a gatekeeper to access users of Apple’s iPhones and iPads. This significant market power cannot go unchecked as the conditions of access to the Apple App Store are key for the success of app developers,” she told a news conference.
Vestager said Apple should end restrictive practices and refrain from doing anything that would replicate them.
She also said other authorities were looking into the issue. “We have contact with other jurisdictions doing similar cases, that could be the Dutch, the Australians, the Americans,” she said, adding she also was interested in the app gaming market, although it was early days.
Apple rebuffed the EU charge. “Spotify has become the largest music subscription service in the world, and we’re proud of the role we played in that,” it said in a statement.
“They want all the benefits of the App Store but don’t think they should have to pay anything for that. The Commission’s argument on Spotify’s behalf is the opposite of fair competition,” it added.
Spotify welcomed the EU move, describing it as “a critical step toward holding Apple accountable for its anticompetitive behavior, ensuring meaningful choice for all consumers and a level playing field for app developers.”
Reuters was first to report about the imminent EU antitrust charge in March.
Spotify, one of Europe’s few global success stories in consumer technology, is the market leader in music streaming with 356 million active users and 158 million paid subscribers.
Apple Music, launched more recently in 2015, is estimated to have more than 70 million subscribers although the company does not give a separate figure for that part of its business.
Competition between the two companies has intensified in recent weeks, with both seeking to build their customer base via supremacy in the market for podcasts.
“Europe’s consumers expect and deserve access to a full range of music streaming services without their choices being restricted or prices being inflated unfairly by internet gatekeepers,” said European consumer organization BEUC.
The EU charge comes a week before Apple’s face-off with Epic Games in a U.S. antitrust trial following a lawsuit by the “Fortnite” creator alleging that Apple has abused its dominance in the market for mobile apps.
Epic has complained to the Commission on the same issues. Last month, the UK Competition and Markets Authority opened an investigation into Apple after complaints the iPhone maker’s terms and conditions for app developers were unfair.
For at least the third time since the beginning of this year, the U.S. government is investigating a hack against federal agencies that began during the Trump administration but was only recently discovered, according to senior U.S. officials and private sector cyber defenders.
It is the latest supply chain cyberattack, highlighting how sophisticated, often government-backed groups are targeting vulnerable software built by third parties as a steppingstone to sensitive government and corporate computer networks.
The new government breaches involve a popular virtual private network (VPN) known as Pulse Connect Secure, which hackers were able to break into as customers used it.
More than a dozen federal agencies run Pulse Connect Secure on their networks, according to public contract records. An emergency cybersecurity directive last week demanded that agencies scan their systems for related compromises and report back.
The results, collected Friday and analyzed this week, show evidence of potential breaches in at least five federal civilian agencies, said Matt Hartman, a senior official with the U.S. Cybersecurity Infrastructure Security Agency.
“This is a combination of traditional espionage with some element of economic theft,” said one cybersecurity consultant familiar with the matter. “We’ve already confirmed data exfiltration across numerous environments.”
The maker of Pulse Connect Secure, Utah-based software company Ivanti, said it expected to provide a patch to fix the problem by this coming Monday, two weeks after it was first publicized. Only a “very limited number of customer systems” had been penetrated, it added.
Over the last two months, CISA and the FBI have been working with Pulse Connect Secure’s maker and victims of the hack to kick out the intruders and uncover other evidence, said another senior U.S. official who declined to be named but is responding to the hacks. The FBI, Justice Department and National Security Agency declined to comment.
The U.S. government’s investigation into the Pulse Connect Secure activity is still in its early stages, said the senior U.S. official, who added the scope, impact and attribution remain unclear.
Security researchers at U.S. cybersecurity firm FireEye and another firm, which declined to be named, say they’ve watched multiple hacking groups, including an elite team they associate with China, exploiting the new flaw and several others like it since 2019.
In a statement last week, Chinese Embassy spokesperson Liu Pengyu said China “firmly opposes and cracks down on all forms of cyberattacks,” describing FireEye’s allegations as “irresponsible and ill-intentioned.”
The use of VPNs, which create encrypted tunnels for connecting remotely to corporate networks, has skyrocketed during the COVID-19 pandemic. Yet with the growth in VPN usage, so too has the associated risk grown.
“This is another example in a recent pattern of cyber actors targeting vulnerabilities in widely used VPN products as our nation largely remains in remote and hybrid work postures,” Hartman said.
Three cybersecurity consultants involved in responding to the hacks told Reuters that the victim list is weighted toward the United States and so far includes defense contractors, civilian government agencies, solar energy companies, telecommunications firms and financial institutions.
The consultants also said they were aware of fewer than 100 combined victims so far between them, suggesting a fairly narrow focus by the hackers.
Analysts believe the malicious operation began around 2019 and exploited older flaws in Pulse Connect Secure and separate products made by cybersecurity firm Fortinet before invoking the new vulnerabilities. Hartman said the civilian agency hacks date to at least June 2020.
Hacking the supply
A recent report by the Atlantic Council, a Washington think tank, studied 102 supply chain hacking incidents and found they surged over the last three years. Thirty of the attacks came from government-backed groups, primarily in Russia and China, the report said.
The Pulse Connect Secure response comes as the government is still grappling with the fallout of three other cyberattacks.
The first is known as the SolarWinds hack, in which suspected Russian government hackers commandeered the company’s network management program to burrow inside nine federal agencies.
A weakness in Microsoft’s email server software, named Exchange, exploited by a different group of Chinese hackers, also required a massive response effort, although there was ultimately no impact to federal networks, according to U.S. officials.
Then a weakness at a maker of programming tools called Codecov left thousands of customers exposed inside their coding environments, the company disclosed this month.
Some government agencies were among the customers whose credentials were taken by the Codecov hackers for further access to code repositories or other data, according to a person briefed on the investigation. Codecov, the FBI and the Department of Homeland Security declined to comment on that case.
The U.S. plans to address some of these systemic issues with an upcoming executive order that will require agencies to identify their most critical software and promote a “bill of materials” that demands a certain level of digital security across products sold to the government.
“We think [this is] the most impactful way to really impose costs on these adversaries and make it that much harder,” said the senior U.S. official.