Epic v. Google: everything we’re learning live in Fortnite court

Kleidermacher, in an old deposition. After some discussion in a taskforce Google formed to discuss the issue, Google’s Edward Cunningham did indeed give Epic a 90-day disclosure deadline to fix it, according to an email we just saw in court from August 15th, 2018. Epic claims the bug was fixed on August 16th, one day later.

But in the taskforce’s meeting notes, Google decided to reveal the bug far earlier:

DECIDED: Ed to flip the bug on 8/24 at early morning LON time (just past the precise 8/23 4:12pm 7 day extension) then Shannon can tip people off on Fri 8am if nobody has picked it up organically.

They also discussed putting “three friendlies on it” (presumably three reporters or news outlets deemed “friendly” to Google) or passing the story to Lookout (presumably the mobile security company that often publicizes bug disclosures).

This all sounds shady on its face, but won’t Google just point out that the bug was fixed and the 90 days was no longer required? (In 2020, Google’s Project Zero team decided to start disclosing at 90 days regardless of fix status.)

Part of a document labeled RAW MEETING NOTES:

PR strategy

DaveK: Users are at risk in several ways, many copycats, it’s just a mess; somebody (Google?) should be telling the world how bad this is. Can we say it? Or will Epic just refuse to work with us?

Sameer: Ultimately we want Samsung to stop this kind of stuff (enabling the FN installer), we want other developers to realize this is complicated and there’s a lot of ways to mess up, and as a result of those 2 we want FN to feel the pressure and make fixes, and we want the world to know that this is not safe to do this. We need to make it safe and have an aggressive future action for GPP. We need to lay down a case for the reasons why we have to do this. On Samsung - what is the best way to make them feel a tremendous amount of heat?

JamieK: I should hear back from ES this afternoon, his team is looking into it. A chance he may conclude that they think this is stupid and they should not be doing this - 50/50 chance. If they don’t, then we need to tell them about this and the additional vulnerabilities they are enabling. 

DaveK is Android security head Dave Kleidermacher, Sameer is VP Sameer Samat, and JamieK is Google’s product manager in contact with Epic Games.

Kleidermacher, in a August 2018 email about the “fake Fortnite” bug that Google planted a story about in the press.

It wasn’t long before a member of the Android security team suggested that perhaps Google should make this public:

“(A Project Zero style external bug would be the most fun!),” they wrote.

We’re now seeing notes from the internal meeting where Google discussed what to do about it.

One Googler wrote:

I would appreciate if we could whitelist the official Fortnite before launch. I don’t want to get in a situation where any of the automated scorers (or any human really) flags Fortnite accidentally. HR fallout would be severe

Kleidermacher says Google doesn’t take such things into account for Unknown Sources, though. Again, it’s an operating system level flag. 

“That seems possible,” says Kleidermacher. Epic did not ask why Google has not done this — I humbly suspect the answer is that it would be quite an undertaking.

Now we’re talking about Google Play Protect, which automatically scans apps for malware. It’s recently been getting better at blocking malicious apps but didn’t block predatory loan apps and some knockoff apps in a TechCrunch test.

We’ve covered bad apps at The Verge for a while, particularly on the Apple side of things, and Epic is now casually suggesting that Google Play is no better than a direct app download from a website because Kleidermacher once called it a dumpster fire and, separately, said, “We’re not particularly good at keeping knockoffs off the store.”

I don’t know if Epic’s sticking the landing here with so few visceral examples of bad apps (we saw just two user reviews calling out a scam, and the title S-ON Sexual Therapy), but Kleidermacher did amusingly suggest that Google allows users to download the bad apps without warnings because of user consent.

“There is user consent in one place, there is not user consent in the other place,” he said.

Epic pounced — how could a user’s decision to download an app from a website not constitute consent? Kleidermacher suggested the consent comes as part of Unknown Sources: “You’d have to authorize the browser to install first.”

Epic is pointing out that though Google does create risk assessments of different developers on the Play Store, it chose (Epic’s words) not to use those systems to assess app downloads from websites.

“We have risk measurements for developers on the Play Store,” says Kleidermacher. (They’re explained here.)

“Generally speaking, the operating system views internet downloads as coming from an unknown source,” he said later.

Well, this wasn’t on my bingo card: Google’s VP of Android security once proposed “Project Cake,” a plan where there would be two classes of Android apps — a smaller number of “more curated” thoroughly vetted apps, representing as much as 90 percent of the downloads on the store, and a second set that would be less curated and vetted and might warn users about risk.

It never happened. “My proposal has not launched in that form,” says Kleidermacher.

Epic attorney Yonatan Even seems to be trying to suggest it was the genesis of the Unknown Sources idea that adds friction when users sideload apps — but hasn’t yet made a firm link.

It’s time to dig into the security argument. But Epic gets to dig into it first.

Is Google justified in charging its fees because it protects Android users?

Before the break, we saw Google present an internal slide that included the phrase: “75% of Android Owners say Google Play is a safe place to get apps even while less than half are aware of Google Play Protect.”

Where by “Vjeran” I mean this guy, our Verge supervising producer and my dear collaborator on gadget videos.

I really do use the blue cushion every single day in court. Keeps this laptop from slipping off my lap.

We’re going on lunch, but Google’s final question before Rasanen was dismissed was a pointed one — she was asked to tell the court what she saw on the final slide Epic showed.

It was a presentation titled “What we worry about.” She said: “There’s an Apple logo on that phone.”

Epic had previously pointed out that several of Google’s presentations about competition made no mention of Apple.

Partners agreed “not to agitate”? That seems wild if true — it’s the language in an email from former Google Play boss Jamie Rosenberg, though he wasn’t asked about it Monday on the stand, and we didn’t really get to the heart of it now that Epic is questioning Rasanen again.

Epic, by the way, did not miss that paragraph about the “world of pain.” Hueston made sure the jury saw it and heard it.

An “Android Brand Health Report” showed a “concerning trend for security,” with a declining number of people reporting they thought Android phones were secure: from 74 percent in March to 70 percent in June.

“Which store is a safe place to get apps?” Android declined from 78 percent to 75 percent, while iOS went up from 80 percent to 84 percent in three months. I wonder if Google had anything related to security around that time that made the news?

Rasanen points out that because Android has over 3 billion phones “out there in the world,” 6 percent of switchers represents “huge numbers of people.”

“6 percent may seem like a small number, but out of 3 billion...” she does the math, seemingly instantly, and says it’s 180 million people potentially switching.

On the giant spreadsheet we saw earlier, Google points out a different number than Epic did: nearly 14 percent of Android users switch to iOS in the United States specifically, according to Google’s internal estimates.

Part of an internal Google email about how to handle developers worried Google Play Billing was making it too easy for users to cancel subscriptions:

he seems to be upset that we’re allowing our users to easily manager their subs vs. being locked into their product, which is not putting their users first.

Another Googler replied:

this is actually incredibly important to our business to respect user intent. We believes it yields better long term outcomes for developers as well when they allow their users choice when it comes to their products, even if that is leaving.

Here is part of that same 2018 email that Google did not try to highlight for the jury, for obvious reasons:

lastly, we then compute a 30% rev share on top of these numbers and we’re looking at a world of pain

It’s been tough to get a read on the jury so far in this case, but I think it’s fair to say many of them don’t find Google Play Billing exceptions very riveting.

One yawned. I saw another looking down at his hands. Some were looking around the room, etc. Maybe they’re just hungry. We’re 23 minutes away from lunch.

The jurors have typically been extremely attentive. This is the first time in seven days I’ve noticed otherwise.

Google Play biz dev and developer partner Kirsten Rasanen, explaining how Google built some of its language around mandated Google Play Billing for in-app purchases and what did count as an exception. (Physical goods, for example.)

She claims fairness was another reason: it was a firm rule because Google didn’t want to disadvantage smaller developers.

There was also a suggestion that security was a reason, that Google wanted to be responsible since it was effectively selling the apps, but I don’t follow how that logic applies to mandating GPB. Maybe I missed it.

It’s not impossible to switch phones weekly!

I did it recently, and it did take a while to get my phone set up just the way I liked, but I had the essentials ready to go on Android (coming from iPhone) pretty fast. Same was true when I switched the other way in 2018.

Google is starting its cross-examination by being the friend Epic wasn’t. Rasanen explains that her job was to work with developers not only to “help adopt our products and features and hear their feedback” but to make sure “we can understand the developer’s perspective.” To make sure they were being heard, she says.

Epic asked if that was true, and Rasanen said yes, that’s what the spreadsheet shows.

Presenting her with all the numbers, Epic attorney Hueston asks: “The studies we’ve seen show that people buy phones for reasons that are primarily other than the App Store, right?”

She waffles. He presents a new slide titled “Top reasons for smartphone purchase,” a list with maybe a dozen reasons including these top four:

I liked the smartphone brand

My prior smartphone stopped working or slowed down

The price of the smartphone was afffordable

It was a good deal

“Nowhere in that list is the app store identified as a reason for purchasing the smartphone, right?” asks Hueston.

She answers: “The app store, no.”

If they had an iPhone, iPad, and Apple TV, according to Google’s survey, 98 percent of them weren’t considering a switch.

I didn’t catch when this survey was from as we paged around quite a bit, but Epic showed us internal Google studies from both 2021 and 2020 to make its larger switching costs argument.

“While owners may consider the other OS, the intent to use another OS is incredibly low, potentially driven by high switching costs and/or loyalty to their existing OS,” reads part of an internal Google study from June 2020.

We’re getting a whirlwind tour of several studies now — depending on the date, they suggest that just 9 percent, 12 percent, or as low as 6 percent of surveyed Android users would switch. (Even fewer iOS users were switching to Android, they suggested, at 9 percent, 12 percent, and 6 percent, respectively.)

One study did show that “roughly one-fifth of iOS and Android are considering another operating system for their next purchase,” but Epic has already somewhat defused that counterargument:

“And you’ll agree with me that people say they’re considering lots of things they don’t end up doing, right?” asked Epic’s lawyer.

“Yes, I agree with that,” laughed Rasanen.

This is Epic’s argument, not an old Google document, as laid out for the jury in a “demonstrative” slide:

Cost

Time: people keep their phones 2.8 years on average

Switching phones = switching ecosystems

It feels a lot like learning a foreign language

Transfer and set up involves an average of 40 steps and 9 hours

There is no one place for help

A successful transfer of data does not equal a successful switch

Losing data

Apps/feature incompatibility

Phone spec inequality

Users are attached to key features

Users’ technical acumen

Committed to other devices in the ecosystem.

So far, Rasanen has only been able to argue with “time.” “There are reasons people don’t switch, but time isn’t a reason in and of itself,” she said.

And it’s relying partially on an old internal Google study, prepared by Rasanen, if I heard correctly. Here’s the executive summary:

Switching phones = switching ecosystems

You not only have to learn how to use a new OS, but completely new platforms around it.

It feels a lot like learning a foreign language.

From iOS to Android; from App Store to Play Store; from iTunes to Play Music / Google Music / etc; from iOS coreApps to infinite choices.

It really IS NOT as easy as 1, 2, 3.

Transfer and set up involves an average of 40 steps and can take as long as 9 hours if you use the cloud.

There is no ONE place for help.

It needs to be clear and easy to find the right switching resources. We have 4 websites currently.

A successful transfer of data does not equal a successful switch.

Switching happens in 3 phases. Prep work, data transfer, and then adapting to the new phone.

It’s an individual experience.

Because what’s on our phone is unique to us, the process and what works/does not work is is also individual.