Pluralistic: How Apple could open its App Store without really opening its App Store (21 Dec 2022)





An EU flag. The blue background has a fine tracery of etched circuitry.

How Apple could open its App Store without really opening its App Store

Last week, Mark Gurman published a blockbuster story in Bloomberg, revealing Apple's plan to allow third-party Ios App Stores to comply with the EU's Digital Markets Act. Apple didn't confirm it, but I believe it. Gurman's sourcing was impeccable:

https://www.bloomberg.com/news/articles/2022-12-13/will-apple-allow-users-to-install-third-party-app-stores-sideload-in-europe

This is a huge deal. While Apple's "curated" approach to software delivers benefits to users, those benefits are unreliable. As I explain in a new post for EFF's Deeplinks blog, Apple only fights for its users when doing so is good for its shareholders. But when something is good for Apple shareholders and bad for its customers, the shareholders win, every time:

https://www.eff.org/deeplinks/2022/12/heres-how-apple-could-open-its-app-store-without-really-opening-its-app-store

To see how this works, just consider Apple's record in China. First, Apple removed all working VPN apps from its Chinese App Store, to facilitate state spying on its Chinese customers:

https://www.reuters.com/article/us-china-apple-vpn/apple-says-it-is-removing-vpn-services-from-china-app-store-idUSKBN1AE0BQ

Then Apple backdoored its Chinese cloud servers, to further facilitate state surveillance of Chinese Iphone owners:

https://www.nytimes.com/2021/05/17/technology/apple-china-censorship-data.html

Then, just last month, Apple neutered Airdrop's P2P file-sharing in order to help the Chinese state in its campaign to stamp out protests:

https://www.theguardian.com/world/2022/nov/11/apple-limits-iphone-filesharing-feature-used-by-protesters-in-china

Apple claims that its App Store is a fortress that protects its users against external threats. But the Iphone is designed to block its owners from choosing rival app stores, which means that when Apple betrays its customers, the fortress walls become prison walls. Governments know this, and they rely on it when they demand that Apple expose its customers to totalitarian surveillance:

https://pluralistic.net/2022/11/11/foreseeable-consequences/#airdropped

Now, there's an interesting contrast here. When the FBI demanded that Apple backdoor its devices to aid in the prosecution of the San Bernardino shooters, Apple took its customers' side, bravely refusing to compromise its devices:

https://www.eff.org/cases/apple-challenges-fbi-all-writs-act-order

That was the right call to make. Does it mean that Apple doesn't value its Chinese customers' privacy as much as it values its American customers' privacy? Does it mean that Apple respects the CCP more than it respects the FBI?

Not at all. It just means that China was able to threaten Apple's shareholders in ways that the DoJ couldn't. Standing up to the Chinese government would threaten Apple's access to 350 million middle-class Chinese potential customers, and an equal number of Chinese low-waged workers who could be tapped to manufacture Apple devices under brutal labor conditions at rock-bottom prices.

Standing up to the FBI didn't threaten Apple's shareholders the way that standing up to the CCP would, so Apple stood up for its American users and sold out its Chinese users.

But that doesn't mean that US Apple customers are safe. In the US, Apple defends its customers from rival commercial threats, but actively prevents those customers from defending themselves against Apple's own commercial threats.

Famously, Apple took its customers' side over Facebook's, adding an amazing, best-in-class, one-click opt-out to tracking, which is costing Facebook $10 billion per year. You love to see it:

https://www.cnbc.com/2022/02/02/facebook-says-apple-ios-privacy-change-will-cost-10-billion-this-year.html

On the other hand…Apple secretly continued to spy on its customers' clicks, taps, gestures, apps and keystrokes, even after those customers explicitly opted out of tracking, and used that data to build nonconsensual dossiers on every Ios owner for use in its own ad-targeting business:

https://pluralistic.net/2022/11/14/luxury-surveillance/#liar-liar

Apple defended its customers against Facebook's predation, but not its own. When Apple's shareholder interests are on the line, Apple's App Store becomes a prison, not a fortress: because Apple controls which software you can install, it can (and does) block you from installing apps that extend its block on commercial surveillance to Apple itself.

Then there's the app tax. Apple charges app makers a 30% commission on all their sales, which means that certain businesses literally can't exist. Take audiobooks: audiobook sellers have 20% gross margins on their wares. If they sell their audiobooks through apps and pay a 30% vig to Apple, they lose money on every sale. Thus, the only Ios app that will sell you an audiobook is Apple's own Apple Books.

Apple Books requires authors and publishers to wrap their books in Apple's DRM, and the DMCA makes it a felony to supply your own readers with a tool to convert the books you published to a rival's format. That means that readers have to surrender every book they've bought on Apple Books if you switch platforms and ask them to follow you. It's not just social media that turns creators into digital sharecroppers.

It's not any better when it comes to the businesses that can eke out an existence under the app tax's yoke. These businesses pass their extra costs on to Apple's customers, who ultimately bear the app tax burden. Because every app maker has to pay the app tax, they all tacitly collude to hike their prices. And because mobile is a duopoly, the app tax is also buried in every Android app, because Google has exactly the same app tax as Apple (Google will also be forced to remove barriers to third-party app stores under the DMA).

All this to say that it is a terrible error to impute morals or values to giant corporations. Apple and Google are both immortal colony organisms that view human beings as inconvenient gut flora. They are remorseless paperclip-maximizing artificial life forms. They are, in other words, limited liability corporations.

https://knowyourmeme.com/memes/paperclip-maximizer

"If you're not paying for the product, you're the product" sounds good, but it's absolutely wrong. You can't bribe a paperclip-maximizing colony organism into treating you with dignity by spending money with it. Companies' treatment of you depends on what they can get away with – not their "personalities." Apple doesn't respect privacy – it thinks it can make more paperclips by giving some of its customers some privacy. As soon as Apple finds a way to make more paperclips by spying on you (say, by starting its own internal adtech business), it will spy on you, and the $1000 you spent on your Iphone will not save you.

Once you understand that corporate conduct is a matter of power, not personality, then you understand that the way to prevent companies from harming you is to meet their power with countervailing power. This is why tech worker unions matter: organized labor has historically been the most important check on corporate power, which is why tech companies are so vicious in the face of union drives:

https://www.epi.org/publication/unions-decline-inequality-rises/

Beyond labor, two other forces can discipline corporate conduct: regulation and competition. The biggest threat to a business's customers is that business's own shareholders. A company might defend its customers against a rival, but it will never defend its customers against its own shareholders.

Regulation and competition both impose costs on shareholders who abuse their customers: regulation can punish bad conduct with fines that come out of shareholder profits, and competition can create a race to the top as businesses seek to poach each other's customers by offering them progressively better deals.

Which brings me back to the DMA, the EU's pending regulation forcing Apple to open its app store, and Apple's leaked plans to comply with the regulation. This is (potentially) great news, because rival app stores can offer Apple customers an escape hatch from mandatory surveillance and price-gouging.

But the devil is in the details. There are so many ways that Apple can use malicious compliance to appear to offer a competitive app marketplace without actually doing so. In my article for EFF, I offer a checklist of fuckeries to watch for in Apple's plans:

  • Forcing software authors into Apple's Developer Program. Not only does this force developers to pay Apple for the privilege of selling to Iphone owners, but it also forces them to sign onto a Bible-thick EULA that places all kinds of arbitrary limits on their software. It's not enough for Apple to open up to rival app stores – it also must not sabotage rivals who produce competing SDKs for Ios.

  • Forcing App Store criteria on rival app stores. Apple mustn't be permitted to turn legitimate vetting for security or privacy risks into editorial control over which apps Ios users are allowed to use. Apple may not want to carry games that highlight labor conditions in high-tech manufacturing sweatshops:

https://venturebeat.com/games/apple-drops-uncomfortable-sweatshop-hd-game-from-app-store/

And it may object to apps that track US drone killings of civilians abroad:

https://www.theguardian.com/technology/2012/aug/30/apple-blocks-us-drone-strike-app

But those arbitrary editorial conditions shouldn't be imposed on rival app stores.

  • Taxing rival app stores for "security vetting." Apple is not the only entity qualified to assess the security of apps:

https://www.schneier.com/essays/archives/2022/01/letter-to-the-us-senate-judiciary-committee-on-app-stores.html

and it's just as capable as its rivals of making grave errors:

https://www.infosecurity-magazine.com/news/apple-fixes-exploited-iphone-zero/

It's fine to say that app stores must submit to third-party security certification, but they should be free to choose Apple out of a field of qualified privacy certifiers.

  • Requiring third-party app stores to process payments with Apple. The app tax should be disciplined by competition. Allowing Apple to extract 30% from transactions in its rivals' app stores would defeat the whole purpose of the DMA.

  • Arbitrarily revoking third-party app stores. It's foreseeable that some third-party app stores would be so incompetent or malicious that Apple could revoke their ability to operate on Ios devices. However, if Apple were to pretextually shut down third-party app stores, it could sour Iphone owners off the whole prospect of getting apps elsewhere.

Apple must not be permitted to use its power to shut down app stores in an anti-competitive way, but distinguishing pretextual shutdowns from bona fide ones is a time-consuming, fact-intensive process that could leave customers in limbo for years.

One way to manage this is for regulators to dangle massive fines for pretextual shutdowns. In addition to this, Apple must make some provision to continue its customers' access to the apps, media and data from the app stores it shuts down.

All of this points to the role that regulators play, even (especially) when it comes to disciplining companies through competition. The DMA is overseen by the EU Commission, which has the power to investigate, verify and approve (or reject) the standards that Apple sets for privacy, security, and app stores themselves. The Commission should anticipate and fund the regulators needed to manage these tasks quickly, thoroughly and efficiently.

Finally, Europeans shouldn't have all the fun. If Apple can do this for Europeans, it can do it for every Apple device owner. If you bought an Ios device, it's yours, not Apple's, and you should have the right to technological self-determination that Europeans get when it comes to deciding which software it runs.

(Image: Electronic Frontier Foundation, CC BY 3.0)





This day in history

#15yrsago Trade court allows Antigua to violate US copyright https://www.nytimes.com/2007/12/22/business/worldbusiness/22gambling.html

#10yrsago New Orleans schools ban teaching Creationism, reject Texas Creationist “science” textbooks https://web.archive.org/web/20121221192335/https://www.wwltv.com/news/Orleans-Parish-School-Board-Votes-To-Ban-Creationism-184204671.html

#10yrsago Book digitization: 1971-present https://blogs.loc.gov/thesignal/2012/12/before-you-were-born-we-were-digitizing-texts/

#10yrsago Go opt out of Instagram’s bullshit arbitration clause, right now https://consumerist.com/2012/12/21/heres-how-to-opt-out-of-instagrams-new-arbitration-clause/

#5yrsago Ars Technica’s Dan Goodin is being sued by Keeper Security over an article about a defect in its password manager https://www.documentcloud.org/documents/4333677-Keeper-Security-Inc-v-Goodin-et-al.html

#5yrsago Daranide, a 1958 drug, used to be free – now it costs your insurer at least $109,500/year https://www.latimes.com/business/la-fi-drug-price-20171218-story.html

#5yrsago Trump’s Space Council chief says space is “not a commons” and promises that it will become property of US corporations https://qz.com/1159540/space-is-not-a-global-commons-top-trump-space-official-says

#5yrsago The majority of US workers live in “employment monopsonies” where there is little or no competition for workers https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3088767

#5yrsago After Grenfell, local UK governments pay the developers who chose lethal cladding to replace it https://web.archive.org/web/20171213103135/https://uk.reuters.com/article/uk-britain-fire-cladding-exclusive/exclusive-after-grenfell-fire-same-builders-rehired-to-replace-dangerous-cladding-reuters-finds-idUKKBN1E714Z

#5yrsago “Blatantly unlawful”: companies use Facebook targeting to ensure older workers don’t see help-wanted ads https://www.propublica.org/article/facebook-ads-age-discrimination-targeting

#5yrsago The Australian health authority believed it had “anonymised” a data-set of patient histories, but academics were easily able to unscramble it https://pursuit.unimelb.edu.au/articles/understanding-the-maths-is-crucial-for-protecting-privacy

#5yrsago Property of the People sues the FBI for details on “Gravestone,” its reassuringly named secret mass-surveillance tool https://www.sparrowmedia.net/wp-content/uploads/2017/12/2017.12.21_FBI_Gravestone_Complaint.pdf



Colophon

Currently writing:

  • The Bezzle, a Martin Hench noir thriller novel about the prison-tech industry. FIRST DRAFT COMPLETE, WAITING FOR EDITORIAL REVIEW

  • Picks and Shovels, a Martin Hench noir thriller about the heroic era of the PC. (92849 words total) – ON PAUSE

  • A Little Brother short story about DIY insulin. PLANNING

  • The Internet Con: How to Seize the Means of Computation, a nonfiction book about interoperability for Verso. REVISIONS COMPLETE – AWAITING COPYEDIT

  • Vigilant, Little Brother short story about remote invigilation. ON SUBMISSION

  • Moral Hazard, a short story for MIT Tech Review's 12 Tomorrows. FIRST DRAFT COMPLETE, ACCEPTED FOR PUBLICATION

  • Spill, a Little Brother short story about pipeline protests. ON SUBMISSION

  • A post-GND utopian novel, "The Lost Cause." FINISHED

  • A cyberpunk noir thriller novel, "Red Team Blues." FINISHED

Currently reading: Analogia by George Dyson.

Latest podcast: Daddy-Daughter Podcast, 2022 Edition https://craphound.com/podcast/2022/12/12/daddy-daughter-podcast-2022-edition/


Upcoming books:

  • Red Team Blues: "A grabby, compulsive thriller that will leave you knowing more about how the world works than you did before." Tor Books, April 2023

This work licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.



"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla