The EU's Blue Flag of Tech Death
There's burying the lede, and then there's burying the lede all the way in the last paragraph of a story. Congrats on the feat, Tom Dotan and Robert McMillan:
A Microsoft spokesman said it cannot legally wall off its operating system in the same way Apple does because of an understanding it reached with the European Commission following a complaint. In 2009, Microsoft agreed it would give makers of security software the same level of access to Windows that Microsoft gets.
Microsoft has spent the past many days trying like hell to redirect the blame for massive computer outages worldwide back to CrowdStrike – which, to be clear, was to blame here. But that hasn't exactly mattered when all people see are the blue screens of death which are synonymous with Microsoft. It's a pretty classic case of shooting the messenger. And Microsoft can point out how this impacted less than 1% of Windows machines all they want – when that's still millions of machines that run, for example, airlines, no one cares.
But the above statement – again, the last paragraph in a 30-paragraph report – is the first I've seen that gets at the real heart of the matter.
That matter is the question of how this can happen. And why only to Windows machines? Why were Macs and Chromebooks unaffected? It's because those systems don't give third parties access to the kernel of the operating system. As the article notes, Apple cut off such access to developers in 2020. And with iOS and iPadOS, they've never had it. But Microsoft can't make such a change – legally, they say – because of a deal with the European Commission.
Yes, the EU crowd strikes again! This time, retroactively.
While this obviously has nothing to do with the current wave of EU regulation against Big Tech, it still highlights a very real risk of such regulation. The EC obviously felt they were helping out third parties by requiring Microsoft to continue to grant the same level of kernel access that they have. And perhaps this was even a good thing for end-users as these companies could cover security bases that Microsoft wouldn't, for whatever reason – security in general, of course, has not been a Microsoft strong suit, of late. But there are also often unintended consequences of such actions. In this case, a third-party service with a single code-push could take out millions of machines overnight and thus cripple key infrastructure around the world.
If I'm Apple today, I'm preparing a letter to the EC noting that this is exactly what we're talking about with regard to the security and integrity of our systems for our customers. It's not apples-to-apples, of course, but it's a pretty straight-line argument against what the EU is trying to get Apple (and others) to do. If nothing else, it's a great reminder of second-order effects of even well-intentioned regulation. And a showcase of why regulatory bodies should stay out of the system design and implementation weeds. But I look forward to seeing how the EC inevitably spins this as a "win" for their approach.