 Hello, good afternoon. I am Vittorio Bertola and I'm here to give you an update around the digital market, the new European Union law that is going to address competition on digital markets. So I already gave a talk on this last year in this dev room, so I hope you remember it. I will still be recapping a little for the benefit of those that didn't see the talk and don't know what we are talking about. If you really don't know what we are talking about, I encourage you to also watch my main room talk tomorrow and Sunday at noon. This should be a much broader discussion of all digital sovereignty aspects and then we'll end up with a recap around the digital market sector. So I'm an engineer, I'm a digital rights activist in the 90s and I'm currently working for OpenExchange, which is a German open source software company. And so where are we? Well, we're still checked into the hotel in California. I mean, we are still as Europeans bound to use all these nice services provided mostly for free, not always, by the big companies that you really can do without. So it's even if you want to do without them, it's basically impossible for a number of reasons. And that's, I mean, partly it's the result and it's also the cause of the sheer economic size of these companies. So we saw last year that these companies, the five big companies were the five biggest public listed companies in the world and they had reached almost over $2 trillion in value. And now, one year later, we are nearing the trillion dollar mark. So $3 trillion is like France's GDP, the entire wealth produced by France in one year. And so it's growing at an incredible pace and so the problem is becoming bigger and bigger. And we're getting new companies now. I mean, Facebook changed name to Meta, Tesla Blockade, and actually it overcame Meta in value. So the problem is still there. It's not got better. And this is and we're still stuck with these silent services. I mean, I usually use instant messaging as a service because that's the easiest example. Services built as well gardens in which you're forced to stick inside. I mean, if you install an instant messaging application, you can only exchange messages with the users of that application differently from email. And so I mean, you really have to install all the different instant messages if you want to talk with everybody. And if you have a new instant messaging app, it's basically useless because no users are in it. And it's very hard to convince people to move in yet another instant messaging service. And so this prevents competition and prevents you from running your own services and we're still closed in. And another topic that has gained relevance during the year is bundling. So bundling was also quite closely debated and there was a last mint amendment to the DMA going at the very end of the plenary discussion in the parliament. It was the only one approved. So I mean, gives you that idea. So bundling is basically the practice to which the dominant companies in one of the platform services, especially those that, for example, dominate the operating systems markets, especially mobile, but not the only ones. I mean, they false your push you to use the also their services for other services. Disadvantaging competitors for those other services. And this is done by bundling them together by pre installing them so you get your own by phone you already have the search engine from the same company installed by using the defaults on the devices by integrating them so that the platform apps have a better performance because they are more integrated with the APIs and so on. And so we especially in the mobile market we really are at the point in which we have a lot of concentration. And so I before getting to the actual DMA, I wanted to mention a couple of technical issues that have been the subject of meetings, let's say, during this year in around this legislative process. And one is upstores, which are, I mean, I think this is also an issue, especially with Apple's upstores in the US. It is an issue mostly because of their 30% tax. So the fact that basically they, they say that if you want to, if you as a developer want to distribute and an app for for their own for for iPhones, then you have to comply with their own rules. So they set the rules and you can only, I mean, the apps can only be installed if they are within Apple's app store. I mean, basically, there's no real way of doing other things. The app store is sort of a monopoly. And you have to accept conditions, including the fact that if you have in a purchase is you have to give 30% as a commission to Apple, which is exorbitant. And so this is a clear example of bundling, you know, in which many functions are bundled together, like finding apps, indexing apps, showing them to you, helping you to install them, so downloading them, installing them, and then managing subscriptions and then payments. And all these, these functionalities are bundled together, and you have no way to separate them and so to pick a different provider for just one of them. Actually, you cannot pick a different provider for any of them. They are all managed by Apple and there's no alternative. And this is really not a technical need. I mean, we never had app stores in computers. We have package managers, but they don't have all these restrictions. They don't force you to go through them to pay for whatever you want to do with applications. So there was really a discussion on what is the Apple tax for. So is it for the payment system? It looks too much. It's the cost of examining the code and ensuring that it doesn't harm kids, which is what Apple says that it's one of the reasons. Nobody ever asked for this. This is a royalty, but computers never work this way. So we never paid royalties just for the pleasure. So you see some of the closest in the DMA are directly targeting this problem. The other problem I wanted to mention is encryption, which is a much broader discussion, but it's not about the philosophical, the power side of the DMA discussion. So first of all, I want to be clear. Encryption is a good thing. You should encrypt your communications. Definitely, I'm not in favor of state and backdoors in encryption. So I'm not arguing on this. I think it's good that we have been progressively encrypting our protocols in the last 10 years, but there are different perspectives on this. So the problem now is that the discussion encryption is not really just about privacy and freedom, which is how it is commonly framed. Just like, okay, let's encrypt stuff so we will get more privacy. We will bypass censorship. It's partly that, but there are other things in it. And partly the real point to date of the discussion around encryption is the discussion around control. So we are building more and more services, devices in our homes, but increasingly also applications on our computers and smartphones that just bring up an encrypted channel to cloud service by the maker. They send data. You have no way of controlling what they send about you. You have no way of stopping them or preventing them because they don't work. If you even find a way to detect the connection and stop it, then the device would stop working. So this is really a loss of control for users, even before then it is for governments and ISPs. And this is actually functional to the preservation of these dominant positions and in general the position of power of service makers. So I mean, I have examples related to DNS because that's what I do, but it's the same with other encrypted protocols. And we've seen that the move to encrypted DNS in a way that is by some browsers was managed so that they would just ignore your DNS settings and send their DNS queries to their own or a friendly DNS resolver in another country which was out of reach by the government and by the ISP. And so they would make controlling possible both by the ISP and by the government and by you, by the way. So this was framed as a discussion around DNS filters. And so the first thing to say is that Europe likes DNS filters differently from the US, which is a strong first amendment. So there are, I mean, it really depends on the country. Some countries don't filter anything, but there are many countries that really filter thousands of websites. And this is because of their cultural values. And but there are things that should be filtered. I mean, first of all, there's a growing usage of security filters like blocking malware and phishing and botnets, which is very important for non-technical users like my elderly mom. I mean, she's not able to. It's not easy for non-technical people to avoid phishing websites and so if someone blocks for them, I mean, it's much better. There's parental controls, there's blocking child sexual abuse, there's blocking gambling websites, counterfeit shops. Each country has different policies and wants to block different stuff. But I mean, independently from what you think about DNS filters, the problem is that the local DNS or the local locking system is also the only control point that the government has to prevent a foreign service operator from reaching their citizens if they don't comply with the laws. So this doesn't really completely apply maybe to big tech companies that are subsidiaries. So they have a hard presence in European countries. For all the others, being able to avoid the risk that the council just shuts you out of their market is really a game changer. And from the government's point of view, they are afraid of this for this very reason. So if everything gets encrypted, DNS and also the direct communications, blocking internet platforms, blocking internet services from the abroad becomes impossible. And it's even worse because this is also applying to you as a user. So I mean, I don't know if anyone else has a piehole, which is a small DNS resolver you install on a Raspberry Pi and run it in your home. And it's something that, I mean, if all your devices use it as a DNS resolver, it will just filter out your ads. It will block the connections to tracking and tracker websites and filtering and surveils and advertising servers. And so it's a user. I like this. But then if this new paradigm takes ground, then also this kind of usage of local filters becomes impossible. So the message I wanted to send is that there's a growing understanding in the discussion is around control and more is happening. It's also around centralization. So the very phenomenon that allow these companies to grow. In the last year, we've been seeing the so-called oblivious connection model. This is sort of a scaled down version of Tor with only two hops. And basically, so all your traffic gets encrypted with a key for a second proxy, but first it gets sent to a first proxy. So the first proxy gets to know your IP address. But I mean, they also get your traffic, but it's encrypted in a way that they cannot access. So they don't know what the traffic is. The second proxy gets your traffic, the creeps it and sends it on. So they get to see your traffic, but they don't get to see your IP address. So this is the coupling information and making it harder actually for people to track you. And the final destination only sees a flow of aggregated traffic from the second proxy. So it gets even less information about you. This is what Apple has been implementing in the so-called Eichler private relay, which is a new paid additional service for the moment. And so they run the first proxy for everyone. And the second proxy is provided by some of the big dominant CDNs like Cloudflare, Fastly, Akamai, and then under a contract with Apple. So what's the point here? The point is that this can be a very good thing, especially if you're concerned about your ISP, having a look at your traffic, or if you want to bypass governmental blocks, it really provides you more privacy and reduces what the websites see about you. On the other hand, the con is that you don't really get a choice over the proxy operators and even a bigger con in my view, is that now all your internet traffic goes through Apple. And in the long term, the question is really what guarantees you that Apple and their supplier that provides the second proxy will never start to cross-match your data. Because if they started to cross-match your metadata, at least, they would basically see all your internet traffic and they would be able to track you much better than you are currently being tracked today. And so there is some concern in Europe by the industry, but also by the commission, the policy environment, that this might not be a desirable model for the long term. Or at least there should be some guarantees and some discussions around it. So the message is that encryption is really about control. And we'll see, I guess, more legislative processes around encryption, more rules and more discussion around this. So now let's get back to the actual legislative processes. So what's been happening? Well, in the meantime, the legislative processes have been going on. And so they are proceeding. But in the meantime, all the countries are starting to think, hey, maybe we can make some money. That's really the only weapon they have against the big companies. So they can find them. With the current, I mean, until the new rules get in place, I mean, they can only apply all the sort of blunt rules around competition and privacy, especially GDPR offers quite some opportunities. And so there have been lots of fines to this big company. I mean, this is just in the last 12 months. We've seen France finding basically 150 million euros, Google and 60 million Facebook for the misleading cookie. And the fact that there are cookie pub apps would basically push people to say, yes, I'm just proceed. Yeah, same. I mean, Italy has been finding Google and Apple for lack of correct user information on privacy treatments and data processing and so on. Italy has also been finding Google for Android Auto for well over 100 million euros. I mean, Google was using Android Auto to shut out the competitors and preventing some of the apps from being installed there. And I mean, there was a lot of talk at this very huge fine, 1.2 billion euros that Italy gave to Amazon for the anti-competitive practices in general in the logistics and delivery chain and so on. So these figures are starting to get higher and higher. But still they are negligible. So the feeling is that this is not really effective. The companies will challenge them with all the lawyers they have and in the end if they have to pay, they will pay. But this is not disrupting their positions. The interesting thing is now, I mean, even San Marino find Facebook for four millions and four millions might look a little bit. I mean, for a country of 34,000 people, it's actually 120 euros per citizen. So this is for some of the smaller countries. This might actually become a governmental business model in a way. So that way to get some relevant amount of money. So in the meantime, as I was saying, the legislative processes have been proceeding. These are all the things that are still under discussion are going on. The digital services sector, which is the part around the content moderation. And so the digital market sector is about competition. Welcome to that. Data governance sector that rules for open access to public data. There's a new entry this year. It's the computer chips act because Europe realized that during the crisis of the last 12 to 24 months, that if the factories in China and Taiwan stop sending you chips, then all your industry has to talk because they cannot get because doctors and chips and boards and whatever. So there will be funds and policies to promote the birth of new European factories around to make semiconductors. There will be the corporate tax directive implementing the recent agreement on the minimum corporate tax, which should be at least 15% or according to Ireland 50% and no more than that. So that was the agreement. There will be the revision of the IDIS regulation. So we'll get maybe a new, a newer generation of open public identities. And there's Gaia X, which is an interesting process originally a German one then European. It went through a sort of soul searching. And now it's a basically a consortium that is working on common cloud standards for portability. So basically provisions are standards that would allow you to easily move your applications and services from one cloud infrastructure provider to another. And similarly also that ontologies for interaction. So if you want to have multiple companies in the same niche working together and exchanging data to build common integrated services, then you need common ontologies and the project is trying to work out basically work them out. It's been producing at the moment a bit of software and a lot of paper, but I think it's getting better. So it's, it's, we should keep an eye over it. So as we discussed last year, the remedy, one of the remedies, not the only one, but one of the remedies for the this situation of a wall gardens is interoperability. So let's get back to the original principles. Let's make sure that all these applications are built as modules and each module is interchangeable so that you can if you are dissatisfied with the specific function has been implemented by one app or service provider, you just can switch to another service provider and everything else will continue working. And this also requires as we were saying care, especially on mobile phone so that the user actually has the user interface opportunities to switch easily and pick a different application and so on. So we're trying to to get to a world of interoperable apps in which I will only have one instant messaging application, and I will be able to use it to send messages to all the other users on all other I am applications. So I can actually pick the best one, even a new one, and move into it and then still keep my contacts but at the same time, this will help competition since there will be a chance for people to try new and actually use new applications even if there are no users in them yet. So what's the pain with the digital market sector. So you will remember that this started as a proposal by the Commission in December 2020. And the entire year was spent discussing the proposal and public consultation and then the parliament took care they started discussing it and several commissions committees. And in the end, it was approved by the parliament in first reading on the 15th of December by the parliament made 229 minutes. So there was significant changes, mostly in the direction of expanding the scope and strengthening the provision so the parliament is really in favor of this act. Now, according to the legislative process, what's happening is the so-called the triologue phase in which this parliament approved version has to be discussed with the Commission, which of course is still has their own initial proposal. And with the council so the member states that have maybe different ideas on what should go into the text. And currently the US under the French presidency, they really care about this. They want to deliver this and approve it before they expire the presidency ends in June because I mean for political reasons to show that they could manage to conclude this. And so there's a good chance that the trial will end in March, April, pretty soon. And then the parliament takes to vote again and the final approval could happen in the first half of 22. And so in the end we could get the law at least approved and then of course it will take one, two, three years maybe for implementation and getting into force. But at least we will approve the final text. So the law is, well, it was aimed at business users, but one of the things that actually we as an open source community bought the NGOs, the digital rights NGOs and the open source companies in Europe. I like it for and we mostly made it is that it should not really be about the business users. It should also consider the end users. And if you introduce the rights, I mean, at least the ones some of the rights those that make sense should apply to any user, not just to business users of internal platforms. And so that that's more or less happened. You see the things in italics are the changes that parliament brought in respect to the original commission proposal. So it's aimed at very few companies, the global gatekeepers. There's been a lot of discussion on the criteria for a gatekeeper that the only change at the moment that the parliament made was that the threshold of turnover to be qualified as a gatekeeper has been moved to 8 billion euros, not 6.5. I didn't do the math. Possibly there are some companies in the middle that were pushing for this right now. In general, this is meant to be a new antitrust instrument for non-traditional dominant positions. So stuff the economists insist on saying, but this is not a dominant position. But still everybody else realizes it's a problem for our competition. So this is the current list of covert services. So the first part is from the commission's proposals. It includes marketplaces. So Amazon booking.com. It includes the search engines and social media, video sharing websites, instant messaging, opening systems including mobile ones, cloud computing services, very vaguely defined, any advertising service provided by the gatekeepers in the above services. And then the parliament added three specific more services, web browsers, voice assistants and smart televisions. So this is the exhaustive list of what will be covered, meaning that any other type of internal product or service, which is not in the list, will not be covered or affected by these provisions, even if they had a gatekeeper in it. So there are two types of provisions. The article five provisions are there in the executive ones. You must not do this. And the list is more or less the same. There were some changes, some things were moved, and we will see some things were moved from article six to article five. But this is really more or less the same list that I showed last year. But now we have some specific anti-bundling clauses. The first one was already there. It's been refined. It's been moved, as I said, from article six to article five to become immediately executable by the parliament. And it's about the fact that, I mean, business users should be free to use only one of the services of a gatekeeper without being forced to use any of the others. Both in terms of ancillary services like delivery, for example, you use Amazon's marketplace, you must not be forced to use Amazon's delivery service, and also others. So you use Google search engine, but you must not be required to access, to be able to use Google search to also use Google's video sharing service, for example. And then there's a new one. This was really pushed by the parliamentarians. It was a parliament amendment, and it's about the installation. So basically now smartphones and devices will be required to, I mean, at the first installation of the device, first bring it up, you will be asked which service you want. You will be given a list and you will choose, for example, which search engine you want to use. And also the operating system must not prevent the uninstallation of their own apps. So if you have Android, I mean, you must still be allowed to uninstall Google search engine and apps, I mean, all the other apps. And so free up space and use something else. Then there's the interoperability closes. And this was really the subject of a big fight for the community. And you may remember that last year, the only thing we had, apart from this real time data probability close, which is nice, but not really very important. And it was this close for interoperability for auxiliary services. So the only thing that gatekeepers would be required to open up would be the auxiliary stuff like payments, identification and logins, delivery, advertising. And now this was expanded and there's an explicit mention of access to operability operating system features, so that the operating system cannot advance their own apps in regard to other competing apps for access to API slides and whatever, which is good. But then the success we had is that we actually managed to convince the parliament to add the two closures of interoperability of specific core platform services. There's messaging and social media. Well, the gatekeepers of these two services, which are Facebook, the same company, Facebook, WhatsApp, Meta, sorry. They will be required to open up their services and interoperate with any competitor that wants to. And the details are of course not yet to be defined, but the closures are there at least in the parliament solution. So there are some concerns around this because then of course the text of law only gives you some high level definition, but then there's there will be an implementation phase and even in text there's still a discussion on the wording. But the institution that I mean, it's concerned, I mean, there are people within the institutions that are not convinced around this. And they say maybe we're not convinced that there is actually industry demand because they've been told by the gatekeepers. I mean, also by the close to the industry that they don't want this. I'm not worried about privacy because the father of the gatekeepers was like, I mean, yeah, but now we will have to exchange and send personal information to these unknown interoperating servers and it will be an nightmare for privacy. I mean, some concerns are bad, but it's not a real issue. On the other hand, and from the community that have been concerns around the implementation, especially who will pick the standards because there's, I mean, it makes a world of difference if the standards are really open or not. If anyone will be allowed to interoperate or if the gatekeeper will be able to set conditions, ask for money or input terms and conditions. And then also there was the initial idea that we should get interrupt for all the other core services, which unfortunately we were unsuccessful. So there are still many open questions and the technical model should this be be achieved by each gatekeeper working out their own API and exposing it to which gives them more control. Or should we actually explicitly write in the law in some way that there should be a neutral open standard, which I think would be preferable. But there's also an issue about business models. So we've seen some moves by some of these big companies, not Meta themselves, for example, Zoom and Cisco and Slack and others that have been investing in companies that want to provide you interrupt as a paid service. So I think that's any, I mean, rather than having a right to interpret a bit like privacy, it's a different view in Europe privacy is a right in the US privacy seems to be a service that you have to pay for on top of the actual service. So I mean, again, this is a model that in Europe is we wouldn't like. And so we have to make sure that this is not allowed. So if they have to interoperate, it's not like, yeah, go to buy, you have to go buy interoperability from this company, which I invested, so I will still make money out of it. So this is the state of the discussion I want to leave a little room for discussion and then happy to take questions questions and then we can follow up also in private and thank you for listening. Because are quite high. Will the DMA actually have an effect. This is a discussion around it so that my chain, actually the US is pushing them down that more European companies because I need to because currently it's just basically about US companies. But then this really will depend also on the implementation. So if, if the gatekeepers will be forced to open up and use a standard open protocol, then it's possibly not really will start using it. It will just be forced to open up a cloud and their own private ones will be interoperability with them, but I don't think there will be any other effect in general on the direct system. Excellent. And then the next question would be regarding the interoperability of messengers. Perhaps you can give a really short question afterwards. Yeah, we can discuss in the chat, the whole topic. Yeah, well, basically, I think that the fact that you can interoperate doesn't prevent your clients from, for example, deciding that they will never send a message to any telegram user because it's insecure or that they will negotiate an encryption level which is fine with them and not accept communication. So it's still controlled by you as a user. Okay, thank you.