Dispute over EU AI orders: Google receives help from Apple

Contents

Apple has intervened in the EU Commission's ongoing DMA proceedings against Google with an unusual and extensive statement. Although the iPhone group is not formally a party to the proceedings, it urgently warns in 38 pages against the preliminary interoperability measures (Draft Measures, DMs) that Brussels sent to Google at the end of April – and uses the opportunity to publicly present an alternative AI security model for the first time. The EU Commission had set Google a deadline of six months in January 2026 as part of Article 6(7) of the Digital Markets Act (DMA) to provide competitors with deeper access to core Android functions – especially for AI assistants, which are currently disadvantaged on Android compared to Google's own Gemini assistant. Interested parties could comment on this until May 13.

Apple: A Security Experiment on Europeans

Apple describes the proposed measures as a serious threat to the privacy, security, and device stability of European users. The regulations would expose the functions that malicious actors and compromised AI systems would seek to exploit: permanent microphone access, live screen content, cross-app control, and privileged system resources. At the same time, the measures would circumvent the core protection functions of an operating system. The EU Commission is thus conducting “a large-scale security and data protection experiment on European users – precisely at a time when AI-driven threats are increasing most rapidly.”

Apple's statement criticizes that other parts of the commission are actively working on AI security initiatives themselves, while the responsible department completely ignores these risks in Google's case. Apple's Head of Regulation, Kyle Andeer, had already publicly expressed Apple's deep frustration with the DMA and accused the EU Commission of systematically ignoring data protection and security concerns. Neither the European Data Protection Board (EDPB) nor the EU cybersecurity agency ENISA had been involved in the proceedings despite repeated requests.

Wake Words, Phishing, and Spyware Risks

In detail, Apple names four serious security problems. Firstly, voice activation: the measures would require that any third-party app could register its activation words and determine itself when an audio recording ends. This would open the door to unintentional or intentional continuous recording.

Secondly, data access: the measures would grant third-party apps unlimited access to the most sensitive user data – notifications, SMS, contacts, screen content, and installed apps. This combination of data would be sufficient to create user profiles that reveal, for example, health status, religion, sexual orientation, political beliefs, and financial situation. Apple writes that the measures open a “Pandora's Box”: for example, discriminatory pricing would be enabled based on signals for addiction or distress, for instance.

Thirdly, so-called overlay attacks: the measures would require apps to be able to overlay content on the user interface of other running apps. This very technique has been misused for years for banking Trojans. iOS has no API that allows such overlays – for precisely this security reason.

Fourthly, device access: the required simultaneity of multiple always-on wake-word models from third parties on the digital signal processor (DSP) is technically problematic. On an Amazon Echo, for example, detection alone already consumes about 50 percent of the CPU's processing power. Multiple parallel implementations without central coordination would lead to resource conflicts, system slowdowns, thermal problems, and significantly reduced battery life.