Google et al go to the government and say they've got this attestation thing that can something something security. No one is taking a bribe but also no one they're hearing from is telling them that doing this is going to cement the incumbents. "Security" is good, right? So it makes it into the law.
That doesn't meet most formal definitions of corruption. It's more like incompetence than malice. But the outcome is indistinguishable from corruption. The bad thing gets into the law.
The difference is, if the politicians are taking bribes and you get mad at them, they fob you off because they're more interested in lining their pockets. But if the politicians are just misinformed bureaucrats and you get mad at them, they might actually fix it.
And attributing everything to "corruption" discourages people from doing the latter even in cases where it would be effective.
It's not a given that it's incompetence.
I don't think that's even true, unless you're using "trust" as a synonym for centralization.
Suppose you had actual competing app stores. Google doesn't control which ones you use; you can use Google Play or F-Droid or Amazon or all three at once and anyone can make a new one. You could get Android apps through Apple's store and vice versa. And then you choose who you trust; maybe you only trust F-Droid and Apple and you think Google and Amazon stink. Maybe you install 90% of your apps through F-Droid but are willing to install your bank app on GrapheneOS from Google Play because you trust your bank and you also trust Google enough to at least verify that the bank app is actually from your bank.
This is the thing that doesn't help the incumbents, right? The bank and the customer both trust Google to distribute the bank app but Google isn't allowed to prevent the user from trusting F-Droid for other apps as a condition for getting the bank app from Google Play. You can have trust without centralization.
Consider how Linux distributions work. Every distribution is distributing variants on the same kernel and utilities, but there are hundreds of distributions and dozens of popular ones each with their own repositories. You can choose whichever you like, and make a different choice than someone else.
Coming in at #31 on DistroWatch is a lightweight distribution called Alpine Linux. It's popular on things like firewalls and VoIP servers but is rarely recommended to ordinary users because that isn't its niche. It doesn't matter that most people haven't heard of it because the people relevant to it have. It's fine for things to have a niche, and the people in that niche are the only ones who need to be familiar with it.
Meanwhile around half of Linux users use Debian derivatives. Debian and Ubuntu are very similar, but their repositories are maintained by different organizations, so even when choosing between two things that are nearly the same, you have different options.
And the distribution is not the only place to get software. Maybe you like a stable distribution in general but you want the bleeding edge drivers for your GPU. You can add the repository for the hardware vendor and still get everything else from the distribution. The vendor doesn't even need to maintain their own full distribution to have enough of a reputation for people to make an informed choice about where they want to get their drivers.
> Building broad trust requires scale on some dimension.
The flaw is in assuming that broad trust is a requirement. Narrow trust is good.
Broad trust is required in lots of situations. Hardware attestation, financial clearing networks, or even physical supply chains. Ie, you have multiple independent parties who need mutual, verifiable trust to operate. Establishing that requires transaction costs like audits, SLAs, legal liability, and cryptographic integration. The economics don't work for 30 different players to cross-verify each other. So, we have oligopolies...
Regardless of which distribution you use, the distribution itself controls code that runs as root on your machine, and the users are by and large not reading all of the code themselves. It works entirely by reputation. If you ship trash, most people aren't looking, but if even one person is, they point it out to everyone else and then no one trusts you anymore. This works perfectly fine with 30+ distributors.
> Hardware attestation, financial clearing networks, or even physical supply chains. Ie, you have multiple independent parties who need mutual, verifiable trust to operate.
There are large numbers of financial clearing networks. The reason Visa and Mastercard are an effective duopoly for credit cards isn't the trust issue, it's the network effect. A lot of people have a Visa, so merchants want to accept Visa, and then customers want the card which is accepted at many merchants. It's essentially regulatory capture that they're allowed to get away with this, i.e. that the networks are allowed to force you to use their card in order to use their protocol. The way this should work is closer to how checks work, i.e. Alice tells her bank that she wants to transfer money to Bob, Bob's bank routing number is on the check and the banks just talk to each other using a standard protocol to work out how much money to transfer from one bank to the other on net, with no for-profit middle man taking a cut.
Supply chains are a pretty weird example to pick because they're actually a huge counter-example. When Walmart wants to stock some USB cables or camping stoves they're going to vet the supplier so they don't get sued for selling a fire hazard but there are still dozens or hundreds of suppliers, because they have to vet the ones they use, but they don't have to be the same ones Amazon or Target or Costco uses and frequently aren't.
Hardware attestation is a dumpster fire. It keeps getting pushed because it's excellent at monopolizing a market but anyone actually trying to rely on it has had nothing but a series of swift kicks between the legs. People should stop even attempting it. It should simply be banned.
> Establishing that requires transaction costs like audits, SLAs, legal liability, and cryptographic integration.
Most of that stuff scales really well to large numbers of entities. The entire point of things like SLAs and legal liability is that they operate by preventing you from needing to enforce them. No company wants to get sued so they meet the SLA and satisfy the contract in order to minimize their legal costs, which is what allows you to contract with smaller companies as long as they're not so small you're concerned they'll go out of business, and the threshold for that is far smaller than any of these oligopolists.
> The economics don't work for 30 different players to cross-verify each other.
Which is why it's not supposed to be fully meshed. You don't need everyone to verify everyone, you only need the pairings that actually exist. If there are 1000 companies that make shoes and Walmart contracts with 10 of them then they need to verify 10 rather than 1000. Meanwhile the 1000 shoe companies each only have to contract with a dozen retailers, they're just not the same dozen retailers for every manufacturer.
The money that goes into lobbying in order to have that say is, depending on who you ask, corruption. I, as a random citizen, don't get the same say that a multi billion dollar international corporation does.
It's also kind of weird to propose it as an asymmetry. Google's parent company spends around $4M on lobbying in the US:
https://www.opensecrets.org/federal-lobbying/clients/summary...
That's around $0.01 per capita. Your per capita contribution for individuals to out-spend Google on lobbying is two cents.