EU negotiators agree new rules to rein in tech giants
politico.eu
> Parliament also succeeded in convincing the Council of interoperability requirements for messaging services, meaning outfits such as WhatsApp, Facebook Messenger or iMessage will have to open up and interoperate with smaller messaging platforms. For group chats, this requirement will be rolled out over a period of four years.
This would be great. I remember using pidgin back in the day and it was really convenient to have every messaging app in one interface.
Pidgin is still there, still works and supports modern chat platforms too, via plugins:
Of course, some platforms ban you for using alternate clients.
> Pidgin is still there, still works and supports modern chat platforms too, via plugins
Nice!
> Of course, some platforms ban you for using alternate clients.
Less nice... Doesn't seem like that list outlines which platforms will/could ban you either, which makes the entire list a no-go for me, and I'm sure others.
Hard to even say on some of them. Discord for instance will only really ban you if they think you are spamming even though they say you can't use them at all.
Also with Off-the-Record Messaging for encryption.
I am really loving this news, I was able to convince some of my old ICQ contacts back then to switch to Jabber this way. And why wouldn't they if it's all the same interface?
Please note that OTRv3 has laughably insecure encryption these days (1024-bit keys etc). There is OTRv4 in progress but it isn't ready for use yet.
https://bugs.otr.im/otrv4/otrv4
The interface for Pidgin is exactly the same as it was back then (it still uses GTK2), modern users have much different interface tastes in 2022, so you might find it difficult to convince people to use Pidgin.
Damn, DH 1536 (and AES128), thanks for the heads up
> interoperability requirements for messaging services, meaning outfits such as WhatsApp, Facebook Messenger
Who will be decrypting WA and Signal messages to pass them to Facebook Messenger?
Presumably if you as a user want to use an app that interoperates with Signal, Whatsapp and Messenger then you'll be logging in with your signal, whatsapp and messenger credentials and give it permission to read your messages and relay them
I don't think this is to be interpreted as "from now I need to be able to send messages from a Whatsapp client to a Signal client"
Of course any such app would be able to read all the messages in the clear and would be able to store them in the clear, leak them, sell them or whatever. As with any other case in which you choose to use a chat app you have to trust the chat app to read your messages if it wants to
I imagine if that's the case whatsapp or signal, when you do a first login from a different app, will flash a warning that you're using a third party client which might not be trustworthy
Why would they need to decrypt anything? If they use open standards such as the signal protocol, there's no need to decrypt anything.
That’s fine but if the European parliament finds out that companies can comply with the legislation without making it easier for the governments to read traffic, then we can expect the legislation to change until it achieves that goal.
Even though it may not be the EU’s overtly stated main goal, it is nevertheless a goal of many aligned politicians there, and no doubt the perception among foolish politicians and bureaucrats that it will achieve that goal can account for some of their support, and if they don’t get what they want they will “fix” it until they do.
yeah, i don't think this was thought out, or at least i haven't read anything on this subject. how does the draft text deal with cryptography?
I don't think laws have to explain how to technically solve these things. e2ee could be maintained, it all depends on the level of integration/interoperation that these companies will choose. Of course, it is equally likely that they won't bother (since e2ee is under constant attack from governments anyway) and just don't go that extra mile.
Something like this can't really make end to end encryption interoperable. There will be no encryption at the transitions between systems. Clients would have to use something that can work over arbitrary textual channels like OTR or PGP.
HTTPS works encrypted between multiple clients, servers and proxies without issues (mostly). There is nothing impossible about encrypted communication. It's just that all servers and clients need to work together to achieve this.
HTTPS is not end to end. End to end encryption does not require a server and could not use one anyway. Effective end to end encryption has to entirely happen on the ends.
No idea why this was downvoted. OTR is the correct answer here.
There's no need for decryption. If you want to send things to Facebook Messenger, you can just send it to that service directly.
The topic is e2ee.
Nobody said the encrypted messages should be readable. /s
I think the topic was interoperability, i.e. being able to send messages between apps regardless of encryption considerations.
I wouldn’t be surprised if the response was a Chrome-esque “drown the competition in feature velocity” approach. iMessage could add new features (with totally necessary payload shape updates) fast enough to prevent any integrations from working well and competing effectively. Throw in some EME-style approval-requiring binary blobs to enable decryption and a dash of CSAM-style regulation compliance and open vs closed won’t really matter (like we’ve seen on the web so far).
I'd say that's a feature not a bug. Let iMessage roll out exploding balloons and whatever else they want in every update. I want to use my own client which should just stay compatible with the core functionality – sending lines of text back and forth.
And if they are deliberately breaking existing third-party apps for no reason, well I'm sure EU courts would like to have a word.
They can do that as long as they keep the interoperability. Text with UTF8 emojis should be enough to start with.
Actually I expect the usual outrage about limiting innovation or threats to leave the EU but consider that this interoperability is also a moat especially if they agree on some complicated protocol with no previous implementation.
Hopefully regulators catch on to that crap.
What about Signal?
Moxie is strongly against it. Although the app and protocols are open, he doesn't tolerate third party clients on Signal official servers and he doesn't want federation. Even though I disagree, he has some good arguments.
And if WhatsApp has to interoperate, why not Signal?
To quote the original article : "platforms with a market capitalization of €75 billion or turnover in the European Economic Area equal to or above €7.5 billion"
I'm not sure what the current market cap for Signal is, but I'm fairly sure they don't have a turnover of 7+bn in the EU.
Ok, I didn't realize that. Signal may not even have a financial presence in the EU. In the US, according to Wikipedia, they have ~$20M in revenue, many orders of magnitude off...
It is also one of these weird non-profit + for-profit company mixes, and I don't know what effect that has. Anyways, the numbers are simply not there.
Ironically, if the law works as intended, making all major messaging platforms interoperable, it can make smaller players who don't want to join the club (like Signal) less attractive.
It doesn’t seem moral to do this on revenue. The only thing that should matter to regulators is the active-users metric, as a percentage of the population.
Doing it by money seems like sour grapes. You succeeded in the free market so we’re going to hamper your progress.
"Active users" is a metric that is:
(a) somewhat tricky to define with legislative-grade rigour, and much more importantly:
(b) only measurable by the very same entities who would be subject to this regulation
Were it not for the problem of measurement, I would agree that it would be a better proxy for "needs regulation" than market cap.
EDIT: On second thought, I don't even think that's true. Imagine a networking app that absolutely dominates a small but highly profitable and societally / strategically important sector, such as medicine or law.
That company could have relatively few users as a % of the population, but still have enough of a warchest to hobble most potential competitors, and to have undue influence in wider society thanks to its control of critical sectors. Going by market cap doesn't measure a company's pervasiveness, but it measures its sheer economic power.
Signal, Twitter, Snapchat, Discord, Zoom, etc won't be affected. Maybe even TikTok. It's basically just anything by Google/Apple/Facebook/Amazon, and perhaps a few odd ones like Steam and Epic's services.
I wish so much for that to happen. I still remember jabber being popular in Poland 15 years ago. One of the reasons I switched to gtalk at the time was the fact that it allowed me to keep my jabber contacts. Little did I know they would kill it in a couple of years.
good news. we also need interoperability requirements for social networks. like twitter and facebook must be mandated by law to provide access to their networks to smaller networks. only then would people be free to leave these networks without suffering from "network effect"
> like twitter and facebook must be mandated by law to provide access to their networks to smaller networks.
makes no sense. you can already pull all your data out of those services and import it into whatever other service you want.
Are you suggesting that someone who wants to publish their latest Facebook post to their Twitter followers needs to export all their Facebook data, select just one specific post from the dumped data, and then import that dumped post into Twitter?
I mean, that's theoretically possible, but it's not the most convenient workflow, and you run the risk that any tooling designed to automate it is frequently broken by deliberately incompatible changes made by Facebook or Twitter (or whichever other services you are using, in the general case).
Fundamentally the data belongs to the users, not to the platforms, so it is right that governments mandate that the data be able to flow according to the users' wishes. All property rights are legal fictions, especially "intellectual property" rights, but at least in this case the property right being defined is a socially beneficial one.
This is not what I mean. I mean make it mandatory for these networks to allow interconnection with eg the fediverse, so that I can connect with people on Facebook or Twitter without having an account on these services myself. Currently users are captive to a network, not due to an impossibility to recover their data, but due to the fact that their friends are using that network and that network is not interoperable. Basically I think networks like Facebook and Twitter are so big at this point that they should be infrastructure.
So, you mean "Fediverse" ;)
Fediverse is one possible technology that can be used to implement this, but the core problem is not a technological one. Even in the Fediverse instances will refuse to peer with other instances - something that I don't think should be allowed for massive social networks that use their network effects to capture users.
i mean forcing the dominant networks to interoperate with the fediverse. i can open as many diaspora and mastodon accounts as i want, i will still be alone because everyone i know is on twitter and facebook. make it mandatory that facebook and twitter lets me connect my fediverse accounts and i can connect with my friends regardless of their network of choice
At the end of the day, chat apps are nothing more than a bunch of text, some compressed pictures, and maaaybe a voice recording. It's very simple data to be transmitted, and any problems with interop are self-made bloat and proprietorship.
Yeah, saw this and immediately thought of Pidgin. This is also great for smaller platforms -- If I could use something like Pidgin again then I'd probably log into ICQ again for the first time in... a very long time.
> meaning outfits such as WhatsApp, Facebook Messenger or iMessage will have to open up and interoperate with smaller messaging platforms
The way i read it, they're calling for open standards, which can be a good thing.
Sadly, open standards also slow down the development of new features, as everybody needs to be "on board" for new features to roll out. Take email (SMTP, IMAP, etc) as an example, where no major progress has been made in 25+ years, despite the platform being hopelessly insecure.
There have been some unsuccessful attempts at security, like PGP and Protonmail/Tutanota, but as they're addons they haven't seen widespread adoption.
Feel free to replace email for TCPv4/v6. The only successful open standard i can think of would be HTTP.
Open standards, once they mature, usually mean "lowest common denominator".
> The way i read it, they're calling for open standards, which can be a good thing.
>
> Sadly, open standards also slow down the development of new features,
No. They are asking for endpoints and public APIs. Nobody is forced to adopt a standard, that is a fallacy you have just built (and has powered a tangential thread of 20 messages and counting.. debating something that is not in the topic).
Services will be forced to provide public endpoints and public APIs. Nobody is forcing them to shape them in any way. Consumers can decide to interface with them, or not. The onus of implementing and interfacing with them lies on the consumers. You don't need an agreement between everybody.
> They are asking for endpoints and public APIs
How will they interface with the different APIs ? Or is it a single API defined by a standard ?
The first one means that most clients will play “whack a mole” with 20 APIs, trying to keep up with features. The second will be the lowest common denominator, limiting what can be sent between different clients. It would be the new “green bubble”.
Next, how do you identify people uniquely across different networks ? Phone number ? Email ? What happens if you’ve registered your Id in multiple places ? Or is it up to the sender to specify which network they wish to target ? Like someone@gmail.com@imessage ? The last one solves nothing. In case of multiple id registrations, should the network just keep trying round robin until it successfully delivers ? Or can I as a recipient register my preferred delivery network in case I never want Meta or Google to see my data ? Who maintains this central registry ? Will they do it for free ?
Now that we’ve established how to pass messages between networks, how do we secure them ? Do we use the iMessage model and use a central key repository ? Or do we implement a protocol (potentially per API) on how to acquire encryption keys ? Or do we simply skip encryption because security is hard ?
What about attachments ? Since most secure platforms use “per device” encryption, do we just send a 500GB attachment X times, one per device ? Do we limit the size of attachments ? iMessage solves this by encrypting it with a temporary key, and the attachment is then uploaded to Apples servers, and the temporary key is exchanged using normal messaging. Is that the way forward ? Will whoever handles it do it for free ? Do we trust them ?
What about Memoji/whatever the kids use ?
All of the above, and more, needs to be agreed on by all involved parties, which sets the lowest common denominator, either by a shared standard, or by reducing functionality for cross network messages. If it ends up complex enough to support all the features of modern instant messaging, it sets the bar rather high for new players. If it ends up simple, we have gained almost nothing over using SMS/MMS.
Things are never as simple as just exposing an API.
You are moving goalposts. This legislation is not the end all be all, and only applies to those with ~7 billion capitalisation (so, Alphabet, Meta, Apple, Microsoft, and little more).
If you want to solve all those problems, you can use and push for Matrix for example.
Am I though ?
It applying only to ~7 billion capitalization only increases the chance that somebody uses their network, and as is already evident today, that is where the majority of conversations happen. It also increases the risk that my messages will be routed to somebody I don’t want poking through my messages, even if it’s metadata only, like Meta and Google.
It also increases the risk that I have registered the same ID with multiple providers.
I am not interested in solving the problem, and especially not interested in using Matrix. My only interest in this is I want to have functional instant messaging between people I know. Matrix does not solve that (for me).
My point was/is, that either the legislation solves nothing (open APIs, native “own network only” clients), or it creates a lot of problems (unified API, shared standard, cross platform messaging for all).
Also, imagine the spam you’ll receive if every email you’ve ever registered with some ~7 billion provider suddenly routes messages.
It's not clear from the article what they are calling for - do you have a source?
But let's say you are right, and all that the affected messaging services have to do is provide an API - will the regulators require them to document this API (and if so, what standards will the documentation have to follow?) Will they complain if the API changes too rapidly? Will the API have to support all of the same features as the messaging service?
As they say, the devil's in the details, and right now I'm not seeing any details.
Yeah, but, I can send email to someone no matter what platform they're on. I can visit their website. I think this is "successful".
> Sadly, open standards also slow down the development of new features, as everybody needs to be "on board" for new features to roll out. Take email (SMTP, IMAP, etc) as an example, where no major progress has been made in 25+ years, despite the platform being hopelessly insecure.
A more successful example of open standards would be the various standards that browsers use. Would you say that browser innovation has slowed down? The model adopted there is less "Wait for everyone to adopt this new standard we wrote" and more "If you have a feature you found many people are using, suggest it as a standard and we'll get all browsers to implement it".
This model could be replicated to messaging solutions as well, without slowing down any innovation as companies can add new features, as long as they get standardized over time.
Yeah sure, but messaging apps don't need new features - they need to simply send messages to each other. Walled gardens suck as a user experience for messaging apps.
> messaging apps don't need new features - they need to simply send messages to each other.
Messaging apps have evolved in very pro-user ways over the years. Reactions, threads, voice/video/screenshare, and more are all popular with users. Stuff that we didn't have at all in the AIM era, or maybe only had on one chat platform.
And under the hood, I read that an important reason everyone left XMPP is it fundamentally requires an active connection, but that means your phone's radio can never enter low power mode, hurting battery life.
I miss Pidgin. I really liked having all my chats in one place. I sort of have that now with Beeper.
But it's also clear that we're not done evolving the medium, and standardized protocols, for all their upsides, often crystalize a platform in whatever state it's in when the standard is written.
> but that means your phone's radio can never enter low power mode, hurting battery life.
This problem has been solved by https://xmpp.org/extensions/xep-0352.html
> Version 1.0.0 (2020-10-14)
Glad to see it's being addressed, but:
- The proposal is stable, but not finalized
- 13 years is a long time to wait for a solution (iPhone debuted in 2007, got apps in 2008)
- Plus however long it takes for implementations to adopt this
- Plus whether they adopt it at all, since this is a protocol extension and not a protocol requirement. The XEP requires client-server cooperation, which means the clients and all servers the user connects to have to implement this to see the benefit.
> "The proposal is stable, but not finalized"
Is "stable" now a negative thing? I don't understand. If you are referring to the "document lifecycle" at the side of the XEP, and the "Final" status there... "Stable" is the "widespread adoption" stage. "Final" is a dead-end status that means the extension is frozen. It's rarely used for extensions that are actively in use until they are beyond updating.
> "13 years is a long time to wait for a solution (iPhone debuted in 2007, got apps in 2008)"
This extension was created in 2014, and implementations were already performing traffic optimizations (using other non-standard methods) before then (which is why we decided to standardize it).
> "Plus however long it takes for implementations to adopt this"
It's already adopted, implemented and deployed. You can see deployment stats at https://compliance.conversations.im/test/xep0352 - as for the handful of servers there that don't implement it, on investigation these tend to be private, abandoned or special-purpose servers.
> "Plus whether they adopt it at all, since this is a protocol extension and not a protocol requirement. The XEP requires client-server cooperation, which means the clients and all servers the user connects to have to implement this to see the benefit."
As I said, it's already implemented and adopted in clients and servers. It has been a requirement in the XMPP compliance suites for years (for reference, latest is here: https://xmpp.org/extensions/xep-0459.html#mobile ).
All in all, your comment seems to contain a lot of unfounded scepticism and negativity. This problem is solved, since a long time :)
> Is "stable" now a negative thing?
The XEP page indicates the proposal is still subject to change ("some changes to the protocol are possible before it becomes a Final Standard."). That kind of thing sometimes holds up adoption of standards, creates incompatible implementations. But you've demonstrated it clearly doesn't in this case.
> This problem is solved, since a long time :)
I stand corrected! Thank you for your instructive reply.
I think most XMPP clients for mobile devices have supported this (and other protocol extensions like push notifications) for quite a while now. Conversations, the most popular one, certainly does.
> Would you say that browser innovation has slowed down?
For a long time it was, everyone was stuck on HTML4 while W3C was playing with XHTML. That only really changed when browser vendors came together and collectively decided to start ignoring W3C and made WhatWG. Although IE6 was also a major factor here.
Entirely my point. It shifted from the flow of "Come up with standards > Software implements that" to "Software implements something > Standardize > Adjust software", the second flow works much better for innovation. Something we can do with chat apps too.
The Personal Computer is also a successful standard in my opinion. We see constant innovation but with interoperability. It's a little messy sometimes but keeps prices low and innovation high.
> Sadly, open standards also slow down the development of new features, as everybody needs to be "on board" for new features to roll out.
Capability negotiation is a thing. It's perfectly fine to support some baseline feature set (one-to-one text messages) and build more optional features on top of it. But, yes, it's important that the protocol is designed to be extensible in the first place.
> It's perfectly fine to support some baseline feature set (one-to-one text messages) and build more optional features on top of it.
So keep the status quo (SMS/MMS) and build more features on top of that ?
> the status quo (SMS/MMS)
There are countries that aren't the US. I honestly don't remember when was the last time I've actually sent an SMS. 99% of SMS messages I receive are notifications and 2fa codes. If anything, "status quo" over here is Telegram and VKontakte.
Besides, the issue with SMS/MMS is that it's a closed system tightly controlled by carriers. The internet is an open system.
In the EU (at least in Romania), MMS is not a thing, and even SMS is not the status quo. Everyone talks using WhatsApp mostly.
SMS stopped being the status quo here (central Europe) because it still costs money to send each single text. It made sense when no other mobile communication option was available (early 2000s) but not anymore. WhatsApp or any other messaging platform is strictly better as long as your phone is connected to the internet.
> So keep the status quo (SMS/MMS) and build more features on top of that ?
what you are describing can be called "iMessage" :)
Those are not extensible enough as they are bound to the transport layer.
If one side supports a feature, the other side doesn't, they're not interoperable.
If one side supports a feature and the other doesn't, they're still interoperable, just without that feature.
Liked "If one side supports a feature and the other doesn't, they're still interoperable, just without that feature."
--------
This is what my group chats look like when texting with iMessage users.
That's one way of doing it, a better one would be to hide the like button.
Group chats over SMS? What kind of madness is that?
how are they interoperable when one side uses a feature and the other doesn't support it? that's just degrading the experience...
and this is just one small reason why the industry decided against moving forward with this decades ago. it simply didn't make any sense then, certainly doesn't make sense now.
> that's just degrading the experience...
Uhhh yes? That's the point? The alternative to this degraded experience is no experience at all.
> how are they interoperable when one side uses a feature and the other doesn't support it?
The answer to that is: It depends.
For example, HTTP2 is basically an invisible upgrade which is faster (sometimes). If either end doesn't support it, falling back to a prior version is transparent to the user.
On the other hand, if you want to update IRC to be more like Slack/Discord, with features like oauth2 login? Well then clients that don't support it won't be able to connect.
> > that's just degrading the experience...
>
> Uhhh yes? That's the point? The alternative to this degraded experience is no experience at all.
so basically it's either degraded experience but w/ interoperability or great experience but w/o interoperability?
that doesn't really make sense. why not a third way with great experience and great interoperability?
i'm asking because i can guarantee that no one will use clients that provide a degraded experience when you've got the established players providing a great experience.
It's important for the capability to be there. The issue is that currently "established players" control that experience. In a saner world, experience needs to be decoupled from infrastructure.
Somehow, ICQ worked wonderfully despite everyone I knew using an unofficial client. The official client (at least Windows one) was a terrible mess. It had ads and all those features no one ever asked for, like games and news and an entire picture-based language (I'm not joking). But QIP, the client I used, only did the things I needed an ICQ client to do, and nothing more. It also had no ads.
I used to use slack-term and/or Ripcord specifically because I wanted the "degraded" experience - i.e., smaller resource footprint and none of the gimmicky nonsense.
Sometimes, one feature can break the entire experience. If one side decides to do encryption in a particular way, the other side doesn't, they can't talk to each other. Of course, you can choose to not do that encryption, but then that proves the point that the unified standard can hinder progress.
Other than that, it can be death by a thousand cuts. If the rendering of a particular phrase relies on a specific custom feature, the other side might not see it properly. That can be multiplied by many times and make people frustrated, and worse, misunderstand each other.
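Added example, not part of the thread: a minimal Python sketch of the capability negotiation discussed above, where optional features (reactions, attachments) degrade to a plain-text fallback such as the `Liked "..."` line quoted earlier, while a capability a client marks as required (here end-to-end encryption) fails closed instead of being silently dropped. The capability names, the `Client` type and the message dictionaries are assumptions made for illustration, not any real messenger's API.

```python
from dataclasses import dataclass

# Hypothetical capability names; "text" is the baseline every client must support.
BASELINE = frozenset({"text"})


class NegotiationError(Exception):
    """Raised when two clients cannot agree on a safe session."""


@dataclass(frozen=True)
class Client:
    name: str
    supports: frozenset                 # capabilities the client can send and render
    requires: frozenset = frozenset()   # capabilities it refuses to talk without


def negotiate(a: Client, b: Client) -> frozenset:
    """Return the capabilities both sides will use, or raise NegotiationError."""
    for client in (a, b):
        if not BASELINE <= client.supports:
            raise NegotiationError(f"{client.name} lacks the baseline {sorted(BASELINE)}")
    # Fail closed: a required capability missing on the peer aborts the session
    # rather than quietly continuing without it (the downgrade to avoid).
    for client, peer in ((a, b), (b, a)):
        missing = client.requires - peer.supports
        if missing:
            raise NegotiationError(
                f"{client.name} requires {sorted(missing)}, which {peer.name} lacks"
            )
    return a.supports & b.supports


def downgrade(message: dict, session_caps: frozenset) -> dict:
    """Rewrite a message into a form the negotiated session can carry."""
    kind = message["kind"]
    if kind in session_caps:
        return message  # peer understands it natively
    if kind == "reaction":
        # Text fallback for a peer that cannot render reactions.
        return {"kind": "text", "body": f'{message["verb"]} "{message["target"]}"'}
    if kind == "attachment":
        return {"kind": "text",
                "body": f'[attachment not supported: {message["filename"]}]'}
    raise NegotiationError(f"no fallback defined for {kind!r}")


# Constructed sample clients for the demonstration.
RICH = Client("rich", frozenset({"text", "reaction", "attachment", "e2ee"}))
PLAIN = Client("plain", frozenset({"text"}))
STRICT = Client("strict", frozenset({"text", "reaction", "e2ee"}),
                requires=frozenset({"e2ee"}))


def demo() -> list:
    """Run the three pairings and collect a short description of each outcome."""
    results = []
    like = {"kind": "reaction", "verb": "Liked", "target": "see you at 8"}
    caps = negotiate(RICH, PLAIN)
    results.append(("rich<->plain", sorted(caps), downgrade(like, caps)))
    caps = negotiate(RICH, STRICT)
    results.append(("rich<->strict", sorted(caps), downgrade(like, caps)))
    try:
        negotiate(STRICT, PLAIN)
    except NegotiationError as exc:
        results.append(("strict<->plain", "refused", str(exc)))
    return results


if __name__ == "__main__":
    for row in demo():
        print(row)
```
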
Yes. That lowest common denominator will be probably being able to send text messages. Maybe a little more.
It's a big thing. And it's a great thing.
Already in email you have some cool features that only work Gmail to Gmail but you can still send basic emails to people outside of Gmail.
Businesses will not need business accounts on 6 different platforms just so they can have a simple chat with all their customers.
> That lowest common denominator will be probably being able to send text messages. Maybe a little more.
It was my understanding that we already have a (fairly old) standard that does just that, which also currently works as a lowest common denominator for texting between at least android and iOS.
There’s a telecom protocol tied to your carrier and phone number that predates both android and iOS, but not a (free to use, free to implement) internet protocol. (EDIT: unless you are talking about email)
Whatever communication method you select, there will always be ties to a carrier.
In GSM it’s an IMEI ID / phone number, in TCP/IP it’s a MAC/IP address. Internet also requires a subscription, subscriber and more.
And how would you implement a messaging service with “anonymous” endpoints ? Can’t send messages without a unique identifier for the recipient.
SMSs are expensive in the EU. Typical mobile plans don't include them and they cost some cents per message (<255 bytes) which would add up quickly.
Only some "2fa" and notification systems use them. Actual people don't.
Open Standards enable downward compatibility, they do not prevent innovation that builds on top of them.
Nothing prevents people from releasing a new RFC describing their feature and how to implement it. See: EMail attachments (RFC 1521) which came after the original EMail definition (in RFC 822). And what you describe as "email insecurity" is just a common disagreement which encryption method to use in your MIME attachment (defined in RFC 989) - your argument sounds a bit like protesting that not everyone is using Word files when sending text attachments.
(Note: EMail metadata is deeply "insecure" and can theoretically be used to glean information about communication - but if that's your concern, maybe email is just the wrong format for you and something like encrypted messages over a network of Kafka-style message streams, ideally with lots of noise in it, would be better suited).
> maybe email is just the wrong format for you and something like encrypted messages over a network of Kafka-style message streams
How long before the instant message formats of today becomes “the wrong format” ?
Email is an open standard, and as such it should be easy to push out a new RFC that secures metadata, yet that hasn’t happened in 25+ years.
I essentially agree that communication should be done over open, secure standards, but I’m not sure legislation is the right way of getting there. We will see how it all plays out.
Not always. One can use an open base but add proprietary extensions. This is exactly how the web has evolved from Netscape and IE having different tags in the 90s to the 00s CSS `ms-` / `o-` prefixes. This is also how XMPP was designed: common base but support for extensions (open or otherwise).
Email is a totally different problem because it's a suite of a multitude of different standards used across countless different platforms. At least with proprietary messaging services Facebook et al will still be the implementation standard that most people will use (given that habit has already been well established) but lesser used 3rd party clients won't have to worry as much about Facebook breaking the protocol to intentionally break support for 3rd party clients. However I'd wager you will still see new proprietary features added that will not function in 3rd party clients if just to convince users that the 1st party app is the better client.
> Feel free to replace email for TCPv4/v6. The only successful open standard i can think of would be HTTP.
Btw, does anyone here remember off hand what happened to the "concern" the banking industry had with TLS 1.3?
My understanding is someone just came in at the last moment and basically wanted to change the entire design of TLS 1.3 because their workflow would no longer work because of forward secrecy.
Just secrecy I think. The complaint was that it would be harder to monitor TLS traffic in an organization by doing a man in the middle attack.
> open standards also slow down the development of new features
On one hand, that is not right: open standards mean no walled garden, rather than each garden equally ugly.
On the other hand, that is exactly the point: no new feature can be used to buy the users' freedom to interact with customers of other services.
> On the other hand, that is exactly the point: no new feature can be used to buy the users' freedom to interact with customers of other services
so the point is a degraded experience? how can that be the point?
Would you like to go back to the dark times of IE6?
All the browsers since IE6 are built on open standards. It was stagnation and lack of openness (ActiveX) which caused IE6 to hang around so long.
ActiveX was relatively open-ish. Back in the days young me used a Visual Studio 6 off of eDonkey to develop applets in VB6.
The problems were that:
- unlike modern compiled code for the web - WASM and transpiled JavaScript - Java and ActiveX got executed with host privileges which made both an incredible entry point for malware such as "dialers" and early viruses.
- many corporations and governments (e.g. Korea [1]) built their stuff in ActiveX or mandated its use in actual laws and regulations, while only MS Internet Explorer ever implemented ActiveX out of said security reasons.
- many corporations and governments only ever coded and tested against IE6 which meant that their sites and products were dependent on IE6-specific quirks
[1] https://www.forbes.com/sites/elaineramirez/2016/11/30/south-...
Are you arguing with yourself?
I think in this case it's more about services allowing stuff like third party clients or providing APIs, not binding themselves to a specific standard
So if I'm whatsapp I have to allow third party clients, but I can also change my API as needs change, as long as I don't lock it.
Email lacks development precisely because interoperability is intentionally limited by existing stakeholders via opaque "spam" policies. We need regulation to require better interoperability here as well so that we can have innovative mail providers that do not have to spend all their energy on being able to send mail at all.
Email is hard to replace in a similar way that BGP, IP, UDP and other old protocols are hard to replace. One needs to have everyone switch everything, including hardware, at the same time in a coordinated fashion, and one also needs to align incentives so that everyone agrees that the money and time is worth the benefit of the new protocol.
Closed standards are not inherently different (people who work in telecom can likely attest to that), but closed standards have a higher probability of being owned by a single entity. A single entity has a much easier time coordinating a switch with themselves, or aligning their own incentives with their own incentives. If you are alone or don't need to work with others, cooperation is trivial. Obviously, having everything owned by the same entity also has its drawbacks. If you don't like the new price, features, tracking and forced advertisements, well tough luck. While spam is an issue with email, I am not forced to wait 3 seconds and click "skip ad" every time I read an email. I also don't need to pay per email, in contrast to SMS. Email could have been much worse if it was a closed standard owned by a single entity.
> Sadly, open standards also slow down the development of new features, as everybody needs to be "on board" for new features to roll out. Take email (SMTP, IMAP, etc) as an example, where no major progress has been made in 25+ years, despite the platform being hopelessly insecure.
The usual answer for avoiding the need for everybody being "on board" with the changes is capability negotiation. Unfortunately, that doesn't work for email since it's a unidirectional, store-and-forward protocol: the sender has no way to negotiate capabilities with the recipient (or recipients, in case of a mailing list). If for instance I invent a new rich-text format for email, I have to include a fallback format on every message, since I cannot know whether the recipient can read my new format.
> Feel free to replace email for TCPv4/v6.
With TCP, there's another issue: middleboxes. While TCP does have working capability negotiation, unrelated third parties (which were not part of the negotiation) interfere with things they don't understand. If for instance I introduce a new TCP option which when negotiated changes the meaning of the sequence number field, a stateful firewall would drop the data packets even though they're valid for both endpoints. Due to the large amount of middleboxes in the wild, the design of TCP has been effectively "frozen", in that any enhancement will break unexpectedly for a large subset of users.
> The only successful open standard i can think of would be HTTP.
What saved HTTP was SSL/TLS. By making it hard for middleboxes to interfere without actually acting as an endpoint (with negotiation), it allowed the protocol to evolve. The best example is HTTP2: while there is a cleartext version of HTTP2, nobody uses it because it would get broken by middleboxes.
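The fallback requirement described in the comment above, as an added example that is not part of the thread: since the sender cannot ask the recipient what it supports, it ships every representation in a `multipart/alternative` body (least preferred first) and each reader keeps the last part it understands. The media type `text/x-newrich`, the addresses and the message bodies are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Hypothetical new rich-text format; not a registered media type.
NEW_SUBTYPE = "x-newrich"
NEW_TYPE = "text/" + NEW_SUBTYPE


def build_message(plain, rich, with_fallback=True):
    """Serialize a message carrying the new format, optionally with a fallback.

    The sender has no channel to negotiate with the recipient, so the only
    safe choice is with_fallback=True: text/plain first, new format last.
    """
    msg = EmailMessage(policy=policy.SMTP)
    msg["From"] = "alice@example.org"      # constructed address
    msg["To"] = "list@example.net"         # constructed address
    msg["Subject"] = "One-way capability fallback"
    if with_fallback:
        msg.set_content(plain)                            # text/plain
        msg.add_alternative(rich, subtype=NEW_SUBTYPE)    # -> multipart/alternative
    else:
        msg.set_content(rich, subtype=NEW_SUBTYPE)        # new format only
    return msg.as_bytes()


def pick_body(raw, understood):
    """Return (content_type, text) for the richest part this client can read.

    `understood` is the set of media types the receiving client implements.
    In multipart/alternative the parts are ordered from plainest to richest,
    so the last understood part wins.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() == "multipart/alternative":
        parts = list(msg.iter_parts())
    else:
        parts = [msg]

    chosen = None
    for part in parts:
        if part.get_content_type() in understood:
            chosen = part
    if chosen is None:
        # This is the failure the fallback exists to prevent.
        raise ValueError("no alternative this client can render")
    return chosen.get_content_type(), chosen.get_content().rstrip("\r\n")


LEGACY_CLIENT = ("text/plain",)
NEW_CLIENT = ("text/plain", NEW_TYPE)

if __name__ == "__main__":
    raw = build_message("Meeting at 10.", "[[b]]Meeting[[/b]] at 10.")
    print("legacy client sees:", pick_body(raw, LEGACY_CLIENT))
    print("new client sees:   ", pick_body(raw, NEW_CLIENT))

    bare = build_message("unused", "[[b]]Meeting[[/b]] at 10.", with_fallback=False)
    try:
        pick_body(bare, LEGACY_CLIENT)
    except ValueError as exc:
        print("legacy client, no fallback:", exc)
```
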
> Sadly, open standards also slow down the development of new features, as everybody needs to be "on board" for new features to roll out.
Stop repeating this talking point of big tech. This is FUD. Sure, developing the standard further requires more work and is slower than if just one person alone developed it, but the upsides clearly outweigh.
Furthermore, everyone is free to build their own features in their own app that are not part of an open protocol (good examples are snooze or send later features in email).
PS: As a sister comment pointed out, open standard is not even in the scope of this new EU act. It's only about opening up their APIs. They are not forced to use an open protocol.
But email evolved. You can now use an 8-bit encoding, use formatting with HTML content. It is encrypted with TLS. Send calendar events. PGP did take off for people who care. You can even revoke emails.
Interoperability is great but how is this going to affect end-to-end encryption? Will every app be required to support it?
Should mandate interoperability for all social media.
Seems like it does, but the size restrictions are crafted so it only applies to Facebook/Meta and not any of the smaller platforms.
I pray that this, especially the interoperability requirements, comes through not only with teeth, but with claws and a ravenous hunger. I believe one of the key things that allow innovation to foster is beating down the rentseekers, i.e. enabling adversarial interoperability https://www.eff.org/fr/deeplinks/2019/10/adversarial-interop... and making it easy for individuals to tinker and innovate without needing capital or lawyers to protect themselves. I am severely envious of the Californian "right to compete" for these reasons https://www.callahan-law.com/are-non-competes-enforceable-in... and a "right to interoperate" will go a long way towards breaking monopoly-enabling network effects.
The Digital Markets Act gives very broad executive powers to the EU Commission to make sure that it will get implemented.
Specifically:
- article 7: Compliance with obligations for gatekeepers
- article 10: Updating obligations for gatekeepers and
- article 11: Anti-circumvention
Fines are up to 10% of annual global turnover, or daily fines up to 5% of average daily annual global turnover.
In more detail:
Article 11, Anti-circumvention
1. A gatekeeper shall ensure that the obligations of Articles 5 and 6 are fully and effectively complied with. While the obligations of Articles 5 and 6 apply in respect of core platform services designated pursuant to Article 3, their implementation shall not be undermined by any behaviour of the undertaking to which the gatekeeper belongs, regardless of whether this behaviour is of a contractual, commercial, technical or any other nature.
2. Where consent for collecting and processing of personal data is required to ensure compliance with this Regulation, a gatekeeper shall take the necessary steps to either enable business users to directly obtain the required consent to their processing, where required under Regulation (EU) 2016/679 and Directive 2002/58/EC, or to comply with Union data protection and privacy rules and principles in other ways including by providing business users with duly anonymised data where appropriate. The gatekeeper shall not make the obtaining of this consent by the business user more burdensome than for its own services.
3. A gatekeeper shall not degrade the conditions or quality of any of the core platform services provided to business users or end users who avail themselves of the rights or choices laid down in Articles 5 and 6, or make the exercise of those rights or choices unduly difficult.
The stated aim is to reduce the need for complex antitrust cases, so yeah, chances are they will come with significant teeth - in the form of baseline requirements that you either clear or get automatically fined for.
There are serious fines attached (up to 10% of global turnover, 20% for repeat offenders) so it will have plenty of teeth.
“up to” isn’t serious
“at least” would be serious
But that would require for politicians to actually want to do something to benefit the people, not just themselves and their bribers/lobbyists.
GDPR was up to 4%. As far as I know, this was never applied to anyone. I would expect the same here. Fines will likely be somewhat reasonable.
The EU handles fines differently than the US. While the US applies harsh singular punishments early on, the EU gives slaps on the wrist at the beginning but will relentlessly punish companies that repeatedly break the law. This can end up costing companies more than 4% because they will be fined over and over again.
Well, GDPR fines are ramping up over time, regulators seem to have been easing companies into it rather than starting off with the 10B fines from day 1. I still hope to see some serious fines on FB / Google in the coming years.
> mandates to allow users to install apps from third-party platforms
Some people at Apple are getting a headache right now. Other companies that have been dabbling with the idea to lock down their OS probably too.
If this happens my next phone might even be an iPhone.
This is nice to see. It's fully in line with what a report [1] by a (relatively new) French "expert group" within the government found. They were looking specifically at the security implications. Of course, the report is short and written for political decision makers, so not super technical.
Money quote:
> The checks made during the audits conducted by current application stores owned by operating system developers are indeed all reproducible by third parties.
[1]: https://www.peren.gouv.fr/rapports/2022-02-18%20-%20Eclairag...
This is a surprisingly well-written report that an intelligent reader with exposure as an end-user to the mobile phone ecosystem should be able to comprehend, that summarises the risks around malware and app stores and a possible approach to opening up side loading of apps structurally.
Masterful communication on top of solid analysis. I’m going to keep a copy just to review when I’m writing my own reports to stakeholders.
Apple literally begged for this hammer to fall, ignoring calls for openness for 15 years and openly mocking efforts to get them to play ball (like the recent Dutch case, to which they responded by amending rules on dating apps, blatantly ignoring the spirit of the ruling).
I expect they employ enough smart people that they prepared for this moment of reckoning despite the hubris of their leadership.
> ignoring calls for openness for 15 years
I very much want this to happen now. However I would not have wanted this 15 years ago when the platform was a baby and little was known on how to move it forward. Last thing you wanted at that time was layers of regulation and laws that would hinder the speed of development.
15 years is probably too long and this could have happened 5-10 years ago.
I suspect you already know that 44 years ago when Apple's system was a baby, it was what, today, you would call "open hardware." See the last two pages of the user manual for the schematics. [1]
At that time, Apple's system needed to attract developers, so instead of a walled garden, the company did what they could to encourage interoperability.
[1] http://apple1.chez.com/Apple1project/Docs/pdf/AppleI_Manual....
> you would call "open hardware."
You are confusing the "norm" at the time, with Apple specific decision to open up their hardware. At the time, a lot of consumer electronics shipped with their schematics, including TVs, Radios, etc. You cannot find a single TV today that ships with how to talk over its diagnostics port let alone schematics.
The Apple computer you're referencing was more like an IC of today, both in complexity (many $1 ICs today are orders of magnitude more complex than that entire computer), and the skills expected of the user of the computer. Both of which would require one to have intimate knowledge of the inner workings of the device to be able to operate and maintain it. Users of that computer were like hobbyists of today, buying an electronics kit and rest assured, electronics kits come with detailed manuals, schematics and more.
I had the same thought.
Apple makes great hardware and the main thing that was holding me back from getting one was their heavy handed approach on what applications I am allowed to install on my device and from what source.
If this works I would probably go for it.
I’m the opposite. I buy an iPhone specifically because I want a locked-down device. World is about to get a little worse on this front.
I fail to understand how this is affecting you. Do you think that the existence of other App-Stores is reducing the quality of the apps in the Apple-Store?
Yes it will once it happens on iOS. Large companies like Facebook (not picking on Meta, just an easy example) really don’t want to follow Apple’s privacy guidelines, don’t want to ask users for permission to track their location, and don’t want to tell users what info they gather and how it’s used.
Once Apple has to allow third-party app stores, many major software companies will either create their own App Store (great now I have to download 15 different stores) or move to a third-party store where these rules are non-existent.
So what will happen is that there will be a major exodus of software from the Apple App Store and on to third-party stores, which for me means a rollback of all of the momentum and progress Apple has made by collectively bargaining on behalf of users against developers.
In addition, this will fracture things that are easy and convenient, like Apple Pay, or Sign-in With Apple being a privacy-focused mandatory alternative to other SSO options.
It’ll also long-term enable more dark patterns. Oh you signed up for this $14.99/month app? Well gotta call if you want to unsubscribe. Hell maybe even have to send a letter!
For some completely asinine reason people think that “allow third party stores” means “I get all the same stuff now but stuff will be cheaper and ‘more innovative’ because developers won’t have to pay the ‘Apple Tax’” but the reality is you’ll just get the same stuff, at the same prices, but it’ll be less convenient and you’ll lose any benefits that we previously had when Apple was able to collectively bargain for users. Companies will not lower prices.
> “This hasn’t happened on Android”
Yes. Because when companies start enacting these rules, users will flee to iOS. You need to be able to launch your store and dark patterns on both platforms simultaneously. Otherwise users have options.
> “I disagree, this won’t happen”.
Ok sure. What assurances do I have? What are you doing to make me feel better that my experience won’t get worse? Until then I’m firmly against third-party stores.
> “Apple enables oppression and a single point of failure for regulation - China for example can ‘control’ what’s on the store”
Any third-party App Store that’s not a complete scam will be forced to comply with any exact rules that Apple has to. There’s no difference.
> It’ll also long-term enable more dark patterns. Oh you signed up for this $14.99/month app? Well gotta call if you want to unsubscribe. Hell maybe even have to send a letter!
The same EU legislation explicitly bans this.
> Any third-party App Store that’s not a complete scam will be forced to comply with any exact rules that Apple has to. There’s no difference.
This is a misrepresentation. China's worst fear is the lack of choke points for application distribution. Once peer to peer distribution of applications happens without central distributors then their ability to lock down protests will take a significant hit.
> The same EU legislation explicitly bans this.
Companies will find work-arounds as they always do.
> This is a misrepresentation.
It's an opinion, not a misrepresentation. I'm not misrepresenting anything.
> China's worst fear is the lack of choke points for application distribution. Once peer to peer distribution of applications happens without central distributors then their ability to lock down protests will take a significant hit.
Practically speaking though, who will create app stores that will be "safe", and functional? Most people will use a few major app stores (maybe as many as 6, as few as 2) because they are positive feedback loops. Any major company operating one of these will have enough exposure to China that they'll comply with local laws, as they do now. If a company doesn't have exposure that the CCP can leverage, they'll just ban the app store from ever entering the market. Unless of course you think that we'll wind up with hundreds of app stores, like "Bob's Great Apps", but then you have a much worse problem which is the entire ecosystem has turned into a pile of dogshit. Maybe globally there could be 50-100 app stores, but they'll be localized.
If what you're saying is true, that China wants choke points, then why is the Great Firewall so successful? Wouldn't the distributed Internet, and VPNs, and other web-based peer-to-peer applications win out?
Yep, much of this experiment already happened: Android, Windows, etc. If it is so easy / steady-state to have both experiences simultaneously on one platform, why didn't it happen on either of those two? It will absolutely devolve into the lowest denominator.
And that's why I choose not to be on Android.
> Yes it will once it happens on iOS. Large companies like Facebook (not picking on Meta, just an easy example) really don’t want to follow Apple’s privacy guidelines, don’t want to ask users for permission to track their location, and don’t want to tell users what info they gather and how it’s used.
Note though that in the EU they have to ask for permission to track their location and tell users what info they gather, thanks to the GDPR.
Sure but they’ll just outrun regulation and find ways around it. This is even a problem with the App Store now when it comes to technologically sophisticated companies, but there’s a balance because if they’re too aggressive Apple will give them the boot. Once XYZ Tech Company has its own App Store it’ll be able to hide more nefarious activity, create legal fictions to avoid responsibility, and hide how it circumvents GDPR. Using the third-party store might require consenting to location tracking even. So users who want to use XYZ app will agree to a bunch of terms and conditions before being able to even use the app, and then it’ll just be open season.
I do not trust GDPR to handle this effectively. It’ll be like a lion trying to squash ants, and now there’s no single company that the EU can go to and say “fix this”. Apple will say “not my problem”.
This will lead to fragmentation where apps can only be bought in some app stores. Some will stay in the Apple app store, because people trust it. Others will flock to other stores to pay a lower commission fee.
Regardless, I am in favor of this legislation. The iOS and Android ecosystems have become crucial infrastructure in modern life. So either Apple and Google act more like they are utilities companies with lower fees and a more fair, equal market [1] or they should be regulated.
Though I would have preferred if the EU had just set upper bounds for the commissions, etc. The result would have been less messy.
[1] No more private APIs that only they can use, etc.
This is the world that android already lives in, and there is no meaningful fragmentation in app stores. I think your fears are overblown.
This doesn’t really apply because the Play Store doesn’t have half as strict rules. If your point is “Apple will have to give up all the annoying for publisher but good for user rules to keep apps from leaving” then we’ve really gained nothing.
But you can still choose to only download apps from Apple's app store?
I explained this to another user. It’s not “I can just download apps from Apple’s App Store”. It’s everything that comes along with that.
Also you can just buy a different phone if you want third-party stores.
I really don’t get how people on a tech forum seem to believe that software is fungible. If I’m an Instagram user then I have to go to where it’s offered which will be the Meta store. As a user I can’t just download it on the App Store if it isn’t there. All of this legislation has been about publisher choice. Users do not gain any choice in this — that’s all marketing.
It's a shame that apple has been so obstinate for so long. Their behaviour is very clearly about money and not consumer protection, which is just used as a convenient excuse to hide behind.
They could have allowed third-party payments through vetted providers. They could have reduced their rates to match those providers and no one would be so keen to use them anyway. They could mandate subscriptions must be cancellable with one click and even mandate using an api to make these all appear in the settings app. They could have ensured that their review staff were better trained to prevent capricious rejections.
They instead decided to ride the wave of the apple tax for as long as they possibly could and then deal with whatever that caused later. And this is what it's caused.
There are those of us that would prefer to be protected, and those of us that would prefer to be free to make those decisions for ourselves. I've been an Android user for over a decade because of the latter.
> World is about to get a little worse on this front.
I think you underestimate the talent at Apple. The reason things are locked down isn't just that it makes them secure, spam free, etc. That's true of course, but it's not the only way to do it. It is however, the easiest way and in absence of external force, there is little reason to complicate it.
If the EU succeeds in forcing Apple to open some things up, then the brilliant folks at Apple will rise to the challenge and will innovate to either keep the quality as is or even make things better.
It doesn’t allow people to install abusive and spyware apps on their spouse’s, girlfriend’s, coworker’s, roommate’s, and children’s devices… not to mention harmful ones on your own… that’s a feature.
If you really want some nasty stuff on your phone for some reason you can always write it yourself or find something open source and install it with Xcode. You are free to do this; the idea that you are not is a myth regurgitated by haters who don’t think for themselves. Just good luck doing it on someone else’s iPhone without their permission.
> that’s a feature
It's a feature that can be implemented, with similar if not better effectiveness, in various ways that don't completely lock down a platform. Don't ask me how because I'm no match for brains at Apple but if the EU succeeds in forcing Apple to open things up, Apple will rise to the challenge and will figure it out, just the same way they figure out how to roll out an ECG monitor that complies with local regulations of multiple countries. In other words, Apple already works under a large amount of constraints of existing laws and regulations when creating products and that requires a lot of constant innovation in itself. This will just be another constraint they have to follow.
Nobody ever said Apple was static. They roll out updates all the time, of course. No different here. It helps to understand the reasons behind some of the lockdown.
Good, laws are supposed to be a headache for monopolists. If this happens, my next phone will also be an iPhone.
If only they’d apply those rule to grocery store chains as well. The model for the big ones is to charge stocking fees for any shelf space (250k per item at times) and then replace the best sellers with proprietary generic brands. So soda giants who don’t want competition can just buy out the shelf space to keep smaller players out and then lower the quality of ingredients of their mass stocked products and boost the marketing to keep the shelf space monopoly. The best new products try out and then fizzle out in that environment in exchange if more generic tastes or artificially tasting junk. This model needs to be stopped in more than just online marketplaces. It is the original sin of chain retail.
It will be fun to see how tech companies will react when they get to taste their own “my platform my rules” medicine.
ah wow this is a brilliant sentence! I never saw governments as platforms but they DO ARE! In fact I was always criticizing Apple App Store 30% by saying: "What is the App Store a government that can charge me a 30% tax?" and in fact my fear is the reconstruction of a DIGITAL FEUDAL SYSTEM.
Where there is a King that charge a tax and then there is smaller and smaller nesting of feudal lords that charge other taxes.
KING US Government charging 20-45% income tax
DUKE Apple charging 30% App Store tax
DUKE Google charging 30% Google Play Store tax
DUKE Microsoft charging X% Microsoft Store tax
MARQUEES Spotify/Netflix/Airbnb charging a fee for their platform
I think we need to be careful to not smother the fire of innovation which brings social mobility across classes/income groups. If we allow Apple/Google/Amazon/Facebook to suffocate the innovation coming from the smaller companies we might find ourselves into a new medieval/dark age period with a lot of zero sum games and hierarchy and little innovation.
The economist Yanis Varoufakis elaborates on this. I think he makes a good and important point, and is incredibly smart and knowledgeable. But I also think this view of economy and corporations is too total. In the end these things are symptoms.
> KING US Government charging 20-45% income tax
> DUKE Apple charging 30% App Store tax
Note that Income tax is in reality earnings tax (as expenditures are generally subtracted), while Apple/Google fee is based on just income.
*Marquis
Both Marquess and Marquis are correct so I guess I merged them into Marquees XD
https://en.wikipedia.org/wiki/Marquess
In Italian, which is my native language, it would be MARCHESE.
Fun fact, there is a whole Italian region called Marche: https://en.wikipedia.org/wiki/Marche
Further fun fact, still in Italy, the territory around the city of Treviso is called La Marca since medieval times (and still today): https://en.wikipedia.org/wiki/March_of_Treviso
<MARQUEE>, instead, is an ancient HTML abomination.
Yep, that's where the term 'Marquis' comes from. He's the one supposed to guard the 'marche' (stair in French) which in Latin used to mean frontier.
Seems like you are arguing that Apple should be able to choose which government it wants to run under when using the France platform.
Did I interpret correctly that I’ll soon be able to install a multi-protocol IM app on my iPhone without going through the App Store?
I can barely believe it. It looks monumental in terms of competition potential.
The "soon" has to be interpreted in a political context, so we're likely talking a few years. FAANG will put their lobbyists on overdrive to get extensions to whichever cut-off date is approved.
The primary feature will be end to end decryption.
Yep, because we have absolutely no way to do e2e encryption without closed protocols like GPG.
Okay sure but how do you reckon Signal to Messenger is gonna work? Not gonna be E2E that’s for sure. It’s gonna be “this chat will be unencrypted because one or more parties doesn’t support E2E.”
Pretty funny to think that Apple has been going on about their platform without realising that they run on the EU's legislative and societal platform. Which also comes with rules.
Pretty funny that you think it's ok for EU government monopoly to enforce rules but not ok for Apple to do so, despite not being a monopoly. Which is it? Are rules ok or not ok?
Apple didn't win any elections, so they can fuck off.
People voted with their cash: "Shall I spend my money on an iPhone or an Android?" And that is the whole point. Apple represents freedom of choice. You people want winner-takes-all, might makes right. It's the tyranny of the majority. If you want a phone you can install anything on, get an Android. Don't take away my right to freely choose a phone that behaves differently.
> The new rules for so-called gatekeeper platforms, derived from years of antitrust enforcement in the digital economy, include restrictions on combining personal data from different sources, mandates to allow users to install apps from third-party platforms, prohibitions on bundling services, and a prohibition on self-preferencing practices.
The first one sounds very damaging to adtech, but might not be enforced.
While I think big tech needs to be controlled, I think this is the wrong approach.
This will slow down development by being forced to implement interop where they shouldn't be forced to IMO, and will confuse less savvy users (e.g. "Why can't I send this $platform_native_content to Bob but can send perfectly to Alice in the same app?").
Controlling entities' presence within the public (the Internet) is one thing, forcing to do things within their own platform/domain is another.
Sadly, EU picked the latter.
Well then they better get their shit together and implement the features on both ends.
They have lots of devs and project management experience. If they don't want to do interop it's just fair that customers are complaining.
Nothing a typical chat group on WhatsApp uses is particularly innovative or unique. Text, Voice, Images, Video, map links and attachments probably cover roughly 99% of the use case and everyone supports that.
They are free to compete on additional features.
They can, but why should they be forced? I mean it's their own platform, they shouldn't be used to offer interop. They _could_, if they wanted to, but it's their platform after all, and forcing a private company to open their own proprietary platform to 3rd parties is plain wrong and against the rights of the company. It's theirs after all.
The right thing here would be making a standard, modern way of communication that supersedes SMS/MMS with a push for global adoption that has all the necessary features of sending videos/images/links/locations etc. with E2EE that is part of GSM technology suite which is either super cheap or free, to offer a sensible alternative to free but closed down services offered by giant companies. That would be much more fair play for a free market.
I (and apparently the EU law makers) think they should be.
When elected officials decide that a platform/network is now part of the public space the owners lose out.
It happened to railways, telephone grids and all in all was an improvement.
If government thinks access to a commonground chat platform is a necessity for the public, then they should either provide it themselves or buy/outsource a state-operated private service instead of messing up with private companies' private platforms. What they are doing is equivalent of trespassing private property, such laws shouldn't exist in 2022.
> a state-operated private service
If they implement a public service, freemarketers not unlike yourself will accuse them of unfair competition and spend their lives sabotaging them, like Murdoch does with the BBC in the UK.
The reality is that your position is effectively that nothing should change, and everything in this space is as good as it can be. The public at large clearly disagrees, and this is a step in the direction of addressing some problems that are extremely hard to deny.
Besides, nationalisation would be nothing new. There are laws in your country, whichever it may be, for the state to confiscate your land for the public interest. That's not trespassing, that's the power of the collective trumping other rights. This is not it anyway - this is mandating standards, like the size of your electrical plugs.
Confiscating someone's land should also be illegal, but unfortunately government has too much power.
Mandating size of plugs is a good thing for anyone to build things that can operate with electricity, mandating some private entity with a perfectly functional ecosystem without any interest to open its system to provide a certain type of socket, is not.
> Confiscating someone's land should also be illegal
Genuine question, why?
If it were "perfectly functional", people wouldn't be campaigning for this sort of laws. The reality is that these conglomerates are anything but perfect.
They are perfectly functional, and no one has to use them.
You either pay for their hardware (Apple) or be okay with some data harvesting (others) and get a free chat service in return. It's a fair game. And no one forces you to use anything: all my friends, literally every single person here uses WhatsApp for primary communication, and I've deleted my WhatsApp account 2 years ago and still communicate with anyone without issues.
> They are perfectly functional
For the people building them, yes. For the people using them, they are basically a massive con. "We will help you communicate!" Yeah, because this will allow you to harvest my data and sell me more shit. "We have these great features!" Yeah, that other networks had 20 years ago and you killed to enable the beforementioned con and monopolistic practices.
> I've deleted my WhatsApp account 2 years ago and still communicate with anyone without issues.
Well, good for you. I have WA groups that provide information about my kids' whereabouts, schoolbus info, all sorts. Can I leave them? Yeah, in the same way I could walk out of civilization to go live on Jakku.
Why should they do it themselves?
Food is necessary for the public, but there aren't a lot of governments running their own farms. Or construction companies, power generators, or really anything else. The best possible system is where people create goods and provide services to each other, and the government ensures a system where this exchange can be fair and thrive. This is exactly what they are doing with this law.
If food farms or construction companies do something wrong, people can die.
Power companies are being created while there are rules so they know what they're dealing with.
What's happening here is someone created a platform, spent years building things, and now EU is coming and saying oh you HAVE TO open it up. Not even mentioning the mess about having different rules at different places (e.g. I can't send many things to people in the EU in Instagram DM).
This is plain wrong.
They don't have to do business in the EU then.
Their government decided what is allowed in their country.
If the companies don't like it, then they should have won the election, or they should leave and go do business elsewhere
Full functionality with platform native users, limited functionality with third parties is still a lot better than no functionality for third parties.
The bigger issue is malicious compliance. I can see companies deliberately making the experience horrible.
I think it will just mess things up UX-wise. From what I've observed, people expect things to be simple and just work.
If there is an inconsistency introduced (e.g. I can send something to one user but can't to another) it will just confuse the users more.
About malicious compliance, yup, it will probably happen. If I were a company with my platform and someone comes to me and says that I have to open up my own private platform, I probably would implement the bare minimums to not get fined, and cripple that part in every conceivable way, while still "complying" with the law. I'm a private company and want people on my platform, simple as that.
I fail to see any relevant innovation happen in the current fragmentation of giant silos.
Well, it brought up to here what we have. Even though there are many people complaining, what we currently have, even if fragmented, is a great collection of apps that are free and allow us to send text/images/videos/rich links to anyone using the app on Earth in a split second.
Not saying that it couldn't happen in other setting, but innovation definitely did happen in the current fragmentation of silos.
We have had that for over a decade now
There's nothing that I'm aware of that is standard in all (acceptably decent) phones, built into the standard by, say, 3GPP, without need to install an external app, that can send a good quality (so no MMS here) images and videos to any group of people, with verifiable E2EE, with welcome features of things like realtime location sharing (with explicit permission of sender of course), read notifications, online/delivered status, reactions to messages, and starting video calls (3G video features never took off), other "fun" and convenient features like shareable stickers etc.
Almost all of WhatsApp, Telegram, Apple ecosystem, Discord, Slack etc. have almost all of it.
Which public standard that's available on phones do we have that provides these features worldwide?
We've been living with similar limitations for a very long time now. See: blue versus green SMS bubbles. As an Android user, iOS-sent SMS/MMS means lower quality photos, extremely low quality video, and I get "So and so loved this message" instead of a heart emoji. I believe people will adapt and recognize differences quickly.
> forced to implement interop
I didn't read this as the EU forcing the apps to actually implement interop. I read it as forcing them to publish the details of their protocols and not ban people for using 3rd party clients.
Now, will market forces force them to implement interop? Maybe, but based on my reading an app that doesn't talk to other apps is still legal.*
*Do not base your entire business strategy off of a single HN post from someone who is not a lawyer.
Oh founders please do not sell your shares to Apple/Google/Microsoft/Facebook/Amazon!
We are in danger of creating Big Monsters that will devour everything until there won't be founders anymore...only employees. Once there will be only employees in truth there will be only servants.
We need a lot of small/medium tech companies to maintain freedom and competition instead of 2-5 mega corps.
The future will be/is that entrepreneurs create new cool stuff, and run it until the valuation is high enough they feel it's pay day. They sell to big corp, who are large code maintenance (and patent accumulation) shops, scales them to bigger users and runs until deprecation.
The entrepreneurs, though, continue on with the next idea.
Seems like a good thing.
Looking at the google lawyer privilege drama it sure seems like big tech needs a firmer hand
Honestly that's some great news and it was about time for such a regulation. It will curtail monopolies/oligopolies and enable a lot of new innovation. Win-win, with the only "losers" ( as in lower profit margins, not actually losing anything) being the huge tech companies like Google, Meta and Apple.
> EU officials have agreed on landmark rules
I'm not sure what this means in terms of the timeline. Will it be voted for in European Parliament and if yes, when? To what extent this may be changed in the final edition? And if it's adopted as a law, how much of a grace period will the companies have?
The trilogue between the parliament and the member states decided upon a text.
Next each chamber will vote on it but this is usually just a formality since they gave the negotiators a mandate beforehand.
If it passes, the text will become a EU directive which needs to be incorporated into national law by the member states.
After that it becomes enforceable.
>If it passes, the text will become a EU directive which needs to be incorporated into national law by the member states.
The DMA is a Regulation, not a Directive. It doesn't need to be transposed in to national law in member states.
Regulations become law across the whole EU (and usually the EEA as well) as soon as they are published in the Official Journal.
Aaah damn it you are right.
For some reason I thought it was a directive...
Too late to edit my comment.
Edit: whoops
I'm pretty sure it's the other way around.
https://en.wikipedia.org/wiki/Directive_%28European_Union%29...
Regulations can build upon the foundations laid down by directives and they apply directly.
Yes, somewhat reminded that some things move slow. Of note I remember the whole Microsoft monopoly for web browser fiasco by the EU with the time they got around to a ruling/actioning, Google had come out of nowhere and usurped Microsoft as the dominant browser.
Why do you say it was a fiasco? It seems to have worked as expected, browsers are much better than IE from those days due to competition.
Time they did anything, the problem/market had sorted itself out.
You believe the (very public) inquiries had no effect on the market?
I don't - I think a better product came along, one that was aggressively pushed by the dominant search engine that swathes of the internet used each day (which is not in and of itself a good thing either, FWIW).
Microsoft couldn’t employ their standard anticompetitive playbook on Chrome due to the antitrust process. So that gave it a chance to become viable.
Maybe you’re right in this case, but I find it impossible to believe that apple would allow third party apps ever, if not for regulatory intervention. Given that the existence of Android has not caused that to happen naturally yet, there’s basically no other chance that any other market player would be able to reasonably upset that. Same with google search, Bing and Baidu have a laughably small market share in search, despite both being multibillion dollar companies behind them. And forget small players like DDG or Pinephone, they don’t even register on the charts.
So yeah, market regulation is necessary here, I’d rather roll back useless regulation later than continue with the status quo.
I don't remember any public inquiries having any kind of effect. I remember Chrome being much better and people switching because of that.
lots of confusion in this comment.
> Will it be voted for in European Parliament and if yes, when?
the European Parliament only votes on a text. It cannot take decisions by itself. it can only present a voted upon text to the EU Council. and even then it's not a given it will become a directive.
> And if it's adopted as a law
There is no such thing as a "law" in the European Union. (Simplified) The EU has directives and regulations. Text is drafted by the EU Commission, which is then sent to the EU Parliament which is then sent to the EU Council. And the same text can bounce between those institutions for some time. Finally, if all goes well, it becomes an EU Directive. After this member states have a few years to put the Directive into national law.
This process is extremely cumbersome, full of gotchas, and overall, inefficient, but it's the best thing these politicians came up with. Most likely the next level of simplification would normally involve some sort of federal union.
>If it passes, the text will become a EU directive which needs to be incorporated into national law by the member states.
The DMA is a regulation, not a directive btw.
> lots of confusion in this comment.
That's why I'm asking these questions.
I still don't quite understand on which stage this initiative is at the moment and how long until it is enforced.
One thing is the formal process, another the practical one. It's like nominating a new UK Prime Minister: nominally it's the Queen doing something, in practice it's parliamentarians agreeing on a name through some sort of meeting of leaders.
The formal process of EU approval for directives and regulations resulted in certain practical norms. Basically, representatives for the three main organs (EUParliament, EUCouncil - i.e. national ministers - and EUCommission) sooner or later have to sit down and bang together a compromise on texts put forward by one or more of them. This is where we are today, this is what's been reported - that step has been completed.
Now the text gets put through the formal process, and it should be guaranteed to pass (bar surprising developments or upsets, like a country switching government and hence reneging on their position or EUParliament being particularly angry about specific bits of the text).
In terms of speed of approval this can be as short as a week, for the urgent stuff, but this will probably take a bit more as lobbyists will now go in overdrive trying to delay the cut-off enforcement dates that the text will contain.
In terms of distance from enforcement, this sort of world-changing rule typically gets put into force on 1 January of some future year. I reckon 1 January 2023 looks good, but we'll have to see the actual text to know for sure.
If you start doing the right thing now not only can you beat the competition, you don't need a grace period.
Honestly? Looks good.
They only missed one: must provide human support for any and all products and supported services.
Google/MS/Apple have 0 user support for account/app suspension/removal and we have seen many stories here on how final those things are, and without any recourse possible
Pretty sure a ton of companies would cease to exist if they had to provide human support. Maybe that's a good thing, but really all it would do is strengthen incumbents who can afford the massive call center bill.
Mind boggling that content recommendation by tech giant algorithms that is used by european consumers are unregulated.
The algorithms maximize content view / platform usage disregarding mental health and addiction. Further there is no regulation that the content from recommendations are from reliable truthful sources.
The interoperability features are needed. We all should have a look at Russia and see what can happen if your infrastructure depends too strongly on locked systems.
Sure this time we all support the sanction, next time it might be us.
Interop can be useful, but who gets to collect all the data when you hook up e.g. WhatsApp and Telegram? Both, I'd imagine. How would you remove data/opt out of a platform you never accessed before? There's a lot of leeway there.
I’m not sure if this is a good thing. Despite email being an open standard we have now the situation that most emails are processed by either Google or Microsoft. When the same happens to Matrix we will have a situation where it’s so hard to make your own home server that nobody wants to do it anymore.
> processed by either Google or Microsoft
Let's first clear up why this is: spam control. Google along with the rest of the industry has essentially killed email spam through the many additions to classical email standards. From reputation based delivery, to spam databases, crypto signatures and more. This isn't just to reduce an eye sore in your inbox. Spam does real damage, financial and otherwise.
Despite the complexity needed to run a reliable email system, it's still possible to do and many do. It also allows for innovation without a lot of capital (e.g. licensing fees paid to walled garden owners). Without open interoperability, it's either impossible (e.g. general iMessage), limiting (e.g. iMessage, WhatsApp for business) or expensive to do.
> Let's first clear up why this is: spam control.
I'm running my own mail server. The problem with regards to spam is not that it's hard for me not to be inundated by spam: I'm just running spamassassin and qpsmtpd with mostly standard configuration and my account on my own server is rather better at catching spam and not ham than my Gmail account. The problem I've always been fighting with (it's better lately) is that Google (and to a lesser degree Yahoo and Microsoft) tends to put my mails into the recipients' spam folders.
It's understandable that a minimal level of centralisation is necessary with email so as to build up server reputation. I think that level is already satisfied with just a few dozen or maybe hundreds of emails sent per day. If there are many installations of that size, companies like Google are forced to accept mails from them, and there's no need for further centralisation.
> Google along with the rest of the industry has essentially killed email spam through the many additions to classical email standards. From reputation based delivery, to spam databases, crypto signatures and more.
I don't see Google having had an exceptional role in "killing" email spam that way. Spam databases (both server reputation as well as content fingerprints) existed before Gmail started, DomainKeys was designed by Yahoo[1], the DKIM (the current way to add cryptographic signatures) RFC[2] does not list anyone from Google as its authors, bayesian learning was published by PG[3] in 2002. Gmail launched 2004[4]. Giving reputation much weight was something easy for them to do and it does tend to come at the cost of small legit servers.
They had a solid implementation early on (both the spam filter and, for the time, a top notch HTML UI), had of course a good name, and were free, so they were a default choice for anyone who was with an email provider that didn't do well (like many (most?) ISPs). There are reasons for people to flock to a strong, large company, that's not different here, but I contest that spam necessitated this.
That said, any new protocol would do well to take the problem of handling spam seriously and learn from and improve upon the past.
TL,DR: my argument is that spam is (somewhat) easier to handle in a centralised way, just like most problems are, but handling spam doesn't inherently require centralisation.
[1] https://en.wikipedia.org/wiki/DomainKeys
[2] https://www.rfc-editor.org/rfc/rfc6376.txt
[3] http://paulgraham.com/spam.html
[4] https://en.wikipedia.org/wiki/Gmail
This has to extend to business as well as consumer use. Give people the power to choose technology in all contexts. That's all we need.
You use Zoom, Teams, Facebook or whatever you like, I'll use my Jitsi or home grown WebRTC solution. Fairness can be that simple.
But interoperability legislation can only go so far to fixing things because we also need to tackle:
- Regulator and institutional capture by vendor lobbying (bribes)
- "Preferred solution" impositions masquerading as fake security "policy"
- Lack of skills in organisations.
- Poor education about the risks of technological mono-cultures
- Technical lock-in measures, DRM, TPM enclaves
BigTech domination has been going on for 10-15 years now, and it has become more than just a set of facts around market shares and network effects. It's gotten soaked into our culture and the marrow of our institutions and will take a good deal of pain to chase out.
> You use Zoom, Teams, Facebook or whatever you like, I'll use my Jitsi or home grown WebRTC solution. Fairness can be that simple.
that's naive. the problem is that we moved away as an industry from that model for 2 specific reasons:
- widely used standards take decades to change just slightly, or never (see SMS, email)
- interoperability means either lowest common denominator or a huge cost to keep things interoperable
both are horrible for innovation, both are a killer for funding, both pull money away from other things.
all for giving "jitsi" or your "home grown webrtc solution" a reason to exist.
meanwhile apps like zoom simply took everyone by storm during covid even though lots and lots of others (including webrtc and jitsi) existed for a long time.
You do realise that Microsoft Teams, Meet and Zoom Browser clients are all basically WebRTC underneath right? (Sometimes changed to make them deliberately incompatible with everything else).
Zoom illegally sold users' personal data [1] and Teams unsurprisingly turned out to have all the security features we'd expect from Microsoft [2]. Jit.si comes out looking pretty good.
It's hard to hold up as paragons of good tech products that required a global pandemic to do their marketing and still couldn't deliver the goods without getting caught with their hands in the cookie jar.
[1] https://www.cbsnews.com/news/zoom-app-personal-data-selling-...
[2] https://www.forbes.com/sites/thomasbrewster/2020/04/27/your-...
> that's naive.
Please attack my arguments, don't make aspersions as to my disposition.
> the problem is that we moved away as an industry
Please don't try to define the narrative from a parochial viewpoint. No. we didn't. Some of us did. And those few have arguably done a great deal of damage to "the industry".
> widely used standards take decades to change just slightly, or never (see SMS, email)
It's arguable that they _should_ take a long time to adapt, because stability is also a value. That doesn't preclude the emergence of new and better standards which have a fair chance of adoption in the market for protocols. Interoperability would be a key factor in their success of course.
> interoperability means either lowest common denominator
I see no justification for this statement. There are many factors that portend lowest-common outcomes, like efficiency, reckless engineering in pursuit of fast time to market... but interoperability isn't one of them.
> or a huge cost to keep things interoperable
This is what you're really shooting at isn't it? Less profit for people who want to "move fast and break things" and get out when they're done extracting. I prefer to build lasting things and treat technology as a part of long-term culture. It's just a personality type thing.
> horrible for innovation
Advancing dichotomy between standards and innovation is simply disingenuous. The entire existence of the internet is a counterexample.
> killer for funding, both pull money away from other things.
Money.
> all for giving "jit.si" or your "home grown WebRTC solution" a reason to exist.
No. Everything else you've said is about differences of value and philosophy. Fair enough. But on this point you are missing some fundamental understanding of technology.
It is not "all for" my choice. Choice is a means not an ends. Choice is what underpins the drive for innovation, but ultimately there is telos (purpose) in technology beyond making profit. Those ends include resilience, opportunity, reliability, hybrid vigor of heterogeneous systems to name a few. Naivety is having a partial or immature understanding of a bigger picture, though I would not accuse you of that of course.
respects
I like the idealism of your arguments, but tech idealism doesn’t matter without users. And the majority of users have repeatedly chosen proprietary UX innovations over things like standards and interoperability. And many of these things are just an underlying standard with some changes/additions sprinkled on top, but those changes are differentiating to the product. Slack, Zoom, Gmail, etc. Some of their success is network-driven, but their unique work play no small part. And other companies tried different ideas and failed, and we’re lucky that Atlassian didn’t somehow get bad Hipchat-specific additions onto the IRC spec to albatross us all forever. On the web people chose non-standards overwhelmingly enough to basically kill the standards body (W3C) and push us into the land of “Whatever’s Worked on by Google” (WHATWG in essence). Until governments start funding competitive efforts (to relieve monetary pressure, which comes with its own problems) into projects pushing for your telos principles, profit (as an imperfect indicator of people’s choices) will continue to be the North Star for technology.
I get the feeling there's a kind of bleak, hopeless circularity in your thinking, but I can't quite nail it. It feels like saying;
Universal suffrage is great idealism, but it doesn't matter unless women vote for it.
That's to say, the means by which change might occur are also the goal of that change. That's a hard place to get out of.
> idealism doesn’t matter without users.
It absolutely does, because "idealism" is precisely that force in the world that exists despite and in hope for better things than the status-quo. It's the engine of all progress, and is almost always a minority concern in the face of a herd mentality. I'm glad you like my idealism though, because some (fake pragmatists with narrow horizons and fear of losing the privilege) treat idealism as a fault, whereas we see it as a badge of honour.
> the majority of users have repeatedly chosen
For very small values of "chosen". People accept what they're given. Not even the "consumers" themselves believe in the myth of demand driven markets now. They mostly adopt stuff to fit in and be like their friends. If pressed, they'll rationalise. Today, digital literacy does not extend to social, economic and political awareness of why choice might even matter. Some of us are trying to fix that (see [1]), and I am happy that in Europe we are gaining greater strength.
Number of users matters for making money. I get that. And I can see why many people here fixate on that. Making money is nice. But one shouldn't let it distort one's better judgement. And one should know when enough is enough and when greed is working against our future capacity to make money.
> choose UX innovations over things like standards and interoperability.
That's a false dichotomy. Those things aren't even on the same axis. It is the sloth of companies wanting to lock-in users that gives motive to break interoperability standards. That doing so is necessary for innovation is a blatant falsehood peddled in so many of the comments I've read here today. You say yourself, that it's a thin veneer over standards. Not to recognise the value of foundations paid for with generations of public money and the role of government in maintaining the very conditions that allowed tech firms to prosper is ungrateful and parochial. I'm getting downvoted because that hurts to hear.
so, all the software companies need to do is implement also SMS feature in their messengers like Signal does for instance and they will be immediately interoperable, while keeping their own messaging service separated
Digital Markets Act- [Status]: "Awaiting Parliament's position in 1st reading"
https://oeil.secure.europarl.europa.eu/oeil/popups/ficheproc...
"The Digital Markets Act: ensuring fair and open digital markets"
https://ec.europa.eu/info/strategy/priorities-2019-2024/euro...
From here:
https://news.ycombinator.com/item?id=30777016
"...The legislation is now expected to target companies that have a market capitalisation of at least €75bn and run one core online “platform” service such as a social network or web browser, according to two people directly involved in the deal..." "...To qualify as a “gatekeeper” — the powerful internet groups that are the focus of the new law — a company will also have to have at least 45,000 active users, the same people said..."
"...Google, Amazon, Facebook, Apple and Microsoft all meet this standard, but it is likely to also include far more groups than previously thought such as accommodations site Booking.com and ecommerce group Alibaba..."
----------------------------------------
Examples of the “do’s” - Gatekeeper platforms will have to:
- Allow third parties to inter-operate with the gatekeeper’s own services in certain specific situations
- Allow their business users to access the data that they generate in their use of the gatekeeper’s platform
- Provide companies advertising on their platform with the tools and information necessary for advertisers and publishers to carry out their own independent verification of their advertisements hosted by the gatekeeper
- Allow their business users to promote their offer and conclude contracts with their customers outside the gatekeeper’s platform
Example of the “don’ts” - Gatekeeper platforms may no longer:
- Don't treat services and products offered by the gatekeeper itself more favourably in ranking than similar services or products offered by third parties on the gatekeeper's platform
- Don't prevent consumers from linking up to businesses outside their platforms
- Don't prevent users from un-installing any pre-installed software or app if they wish so
----------------------------------------
I imagine being told which tech I have to use when developing my services. When they pay my bills they just might have a saying but only just. What even is the reasoning for this?
It's so easy to destroy a sector when you have nothing to lose.
> It's so easy to destroy a sector when you have nothing to lose.
The EU is choosing to favor acting on behalf of their people, rather than some sector. If that sector can't make money in ways that are not immoral with regards to the people, so be it.
For example: Why shouldn't a 30%-fee walled garden be destroyed?
I don't feel like I need protecting by the EU. Overall I'm very happy with the products produced by the US tech sector.
As someone in the US I wish this sort of thing happened here and sooner. Maybe we wouldn't be stuck with Windows and Office if MS had been forced to interoperate.
Free market isn't really free if you have no competition due to network effects and lock-in.
> I don't feel like I need protecting by the EU. Overall I'm very happy with the products produced by the US tech sector.
I do. Apple repeatedly discriminates against sexual minorities in the App Store, and it's appropriate for a government to step in and stop that.
30% fees are not immoral. You may not like them, but that's very far from the same thing.
A moral question would be "how much should governments control voluntary interactions between customers, platforms and products?" The immoral answer might well be "As much as it will help them gain short-term votes", not the moral one.
I didn't say 30% fees are immoral, I said 30% fee walled gardens are immoral.
Especially when you make it all but impossible for third parties to operate outside of that walled garden.
Yea but you accept and promote them in other areas of your life. Even countries are walled gardens.
I don’t think third parties really add value either. It’s just going to result in a bunch of spam and scams, with us losing out on privacy features and convenience.
Countries are walled gardens. The only thing stopping them from being immoral is democracy and respect for individual rights, neither of which exists in tech giants' walled gardens.
Don't use third parties then. Problem solved!!
Don't use an iPhone then. Problem solved!!
It's difficult for an iPhone user to notice that apps they might want aren't available (unless they search the web and find references to an Android-only app that does what they want), but, even more so, it's very expensive for users to buy a new Android phone just to use that one app.
Equally, when someone is considering buying a phone, they are unlikely to compare the lists of apps available for each platform when making their decision, just as car buyers don't look at the levels of tailpipe emissions when comparing possible cars. In such situations we accept that the government can intervene to prevent socially negative outcomes, even if it means increasing the costs (or decreasing the profit margins) for companies.
In any case, the problem isn't just the switching costs for users who discover their platform is limiting their app choices (or increasing their app charges), it's that companies trying to sell apps to users can't choose to simply "Don't use an iPhone", as Apple is preventing commerce between iPhone users and those companies, which is again not socially beneficial.
Similar logic can be applied when comparing app stores. Users aren't going to compare Company XYZ app store with Apple's app store line-by-line to see how they're missing out on having their data hoovered up for ads or other purposes. App Stores have high switching costs too. Apps won't be available on different stores, that would defeat the entire purpose of having the third-party store for the company wanting to escape Apple's rules.
What if, and hear me out, what if there was a technology which allows two or more App stores side-by-side as to minimize the undue burden to switch between them. If only we were so advanced in technology. If only...
Why stop at two? Why not five?
- You can download Facebook and WhatsApp from the Meta Store
- You can get Google software from the Google Store, except Gmail and Maps which are available in the Apple App Store too, but YouTube is a Google Store exclusive. Oh, and Authenticator is only available on the Google App Store with a valid company login. So you'll have to switch accounts depending on if you are logging in as a user for yourself or your company.
- You can get Netflix from the App Store, Google Store, or Facebook store but each requires that you log in to the respective store with an account before logging in to your Netflix account and the pricing is different depending on the cut each of the stores takes. Google is interested in finding what Netflix shows you are watching so they can adjust your YouTube algorithms.
- You can download Twitter from the Apple App Store and Google, but not Facebook.
And you can download the MLB App if you have a Prime subscription because of a new partnership, but only if you have the Amazon Prime App.
Can't wait!
Don't operate in the EU then. Problem solved!!
If we're going to continue to be pedantic about this, I live in America so I couldn't care less.
-edit-
As a general shareholder I care. But in that area I think Apple will figure out a solution that keeps the status quo. They're #1 for a reason.
YOU live in America, Apple operates worldwide. And the USA has plenty of bills in the pipeline targeting the same issues. Apple won't have their cake and eat it too.
I think you missed the point, which was I don't care if Apple left the EU market over this, because I live in America where (at least for now) things will be how I prefer them. So saying "good, leave the EU" or similar doesn't really bother me...
You're right that there are other bills in the pipeline. I think the user experience will be worse off because of them and we'll lose lots of ground on privacy and convenience, but it's inevitable because small, vocal minorities usually win even when they make everything worse for everyone else.
It'll be interesting to see the fallout though. It won't take long for others to connect the dots and start filing lawsuits for any store or platform with any sort of standards. Obvious first targets are companies like Sony, Nintendo, and Microsoft for consoles. But other non-obvious targets will start being platforms. Take Chrome - why can I only use (and maybe I can't and I don't know) Google's Chrome Store to install third-party software? Or rather, why can't I install another "App Store" on Chrome and replace Google's? Maybe you can (and I'd argue it has to be identical in terms of convenience and ease of use to qualify) but there will definitely be other, similar targets for lawsuits.
> I think the user experience will be worse off
Two points
1. User experience is already bad. No access to game streaming services, and many valid open source apps are not available on iOS.
2. User experience is not the only metric that matters. What about the poor indie developer whose app is banned due to opaque App Store rules? What about having control over the device you bought with your own money?
Why not just buy a different product with different features then? Mobile phones have a lot of different features. Some have better cameras than others. Some have longer battery life, can fold, or come in different colors. Some have different operating systems. App stores/software isn't any different. The user experience on the Nintendo Switch is terrible. I can't play World of Warcraft or Halo on it at all! And why can't I watch Netflix shows through the Hulu app? Why does Netflix get to buy content and keep it on their Netflix store? At least the Apple App Store is free. I don't have to pay for access to apps.
> What about poor indie developer whose app is banned due to opaque App store rules
They'll just have the opportunity to get banned from more than one store I guess. Then once this indie developer decides it's profitable to scam their customers they'll create their own app store and just install their software that way, bypassing any legitimate bans too.
> They'll just have the opportunity to get banned from more than one store I guess.
1. More app stores will compete with each other to provide better app delivery service to developers.
2. Host the app on a website and install it from there. No need for app stores. There I solved it for you
I'm not going to reply to you anymore as your arguments lack depth and seriousness
That seems broadly the same; in fact if anything a 30% fee walled garden is just easier to identify and choose to avoid than one without a walled garden.
Anybody is more than welcome to build their own garden, but if you own the garden you also get to decide if it has walls around it or not.
EU isn't actually motivated by voting here, because they have power regardless of who votes for them or not. The Parliament "negotiates" with the Commission (executive branch) for this reason - the EU is set up to ensure that decision making is so far removed from voting that it's entirely irrelevant.
The real reason they do this is they perceive it as a free source of income, which they can then use to buy off states to keep them in the EU itself. Note how the rules only apply to really big companies (i.e. US companies), and the fines are really big, and the rules are vague. It'll be a cash cow that avoids upsetting any local interests, the fact they can drape it in pro-consumer clothes is just a bonus from their perspective.
Because it's their corporation and they can do whatever they want with it, and because it's far from a monopoly since there are alternatives.
> Because it's their corporation and they can do whatever they want with it
That is not true. There are many things corporations cannot do even if they want to. There are lots of different regulations that impose restrictions and obligations on companies against "what they want".
So now it's just defining where that line is, which is what law-making is.
The scope at which those alternatives exist is different than where the monopoly is established. I.e., the App Store has a monopoly on iOS, but iOS does not have a monopoly in the mobile space.
This is like saying a state-mandated ISP/Gas company wouldn't be a monopoly since you can just move to another country.
You might wanna push the argument that nobody is forcing you to use iOS, but I think the problem runs deeper. In many fields and even just everyday life, you are now required to run a modern phone OS (e.g. the option for not having the official COVID green pass app here in Italy is to find an authorized place that will print you a green pass on paper, and it's hard to find one, let alone schedule everything and get there without a pre-existing pass) and we're barely lucky that Google is playing by laxer rules than Apple is. If not punishing existing bad actors, these rules are a nice framework to prevent them from taking over in the future.
> the option for not having the official COVID green pass app here in Italy is to find an authorized place that will print you a green pass on paper, and it's hard to find one, let alone schedule everything and get there without a pre-existing pass
Apple's pseudomonopoly does not strike me as the root cause issue here, developing processes and using tech to solve a people problem does.
When the public administration does things with pen and paper, it's blamed for being ancient and "should get with the times". Now they are getting on with the times, but the times are ones ruled by giant American companies with no regulation.
Also, it's the country's duty to protect citizens from themselves using laws and regulations. For an example of what kind of "far west" digital tech is living right now, I point you back to before TV was regulated as heavily as today, where companies used cartoons to advertise smoking cigarettes to children (https://www.youtube.com/watch?v=NAExoSozc2c).
> Because it's their corporation and they can do whatever they want with it
No, they can't do whatever they want with it. Consumer protection laws are an obvious example for how corporate interests can be limited.
> because it's far from a monopoly since there are alternatives.
It's a duopoly. iOS and Android together represent about 98% of mobile devices.
Can you clarify in this instance what is
- the sector
- who has nothing to lose
- and what could be lost
I think I understand who/what you imply but I don't want to misunderstand you.
* Tech sector
* The EU
* Tech sector
Thanks for clarifying.
>Included in the rules' scope will be platforms with a market capitalization of €75 billion or turnover in the European Economic Area equal to or above €7.5 billion
So the rules are meant to target only the TOP part of the Tech Sector. Not the Whole Tech Sector. There could be backfires on everyone though.
I do feel though that the Apple/Facebook/Microsoft/Google/Amazon are innovating less and less and are going into cash squeeze mode. There has been a lot of talk on Hacker News on how Google search quality is decreasing.
All the privacy laws containing Facebook push them to bet on something new Meta/Oculus. So I think here the effort is to allow smaller tech to thrive and grow.
> There has been a lot of talk on Hacker News on how Google search quality is decreasing.
I have a lot more faith in a viable competitor coming out of California than I do in EU regulations improving search results.
Me too...not sure where you are going with this...
If poor little Google can't adapt to a changing landscape, it should die. That will not plunge the world into the dark ages.
Yes indeed, if Google can't adapt it should die instead of being a monopoly and just staying alive by abusing the dominant position. No innovation and abuse of the dominant position will lead to the dark ages; Google dying because of not adapting will actually let other smaller companies thrive and innovate in its place.
EU has tech (Linux, ASML), they just chose to not screw their real users, a costly but morally better decision.
So now we will have to accept 2 pop ups on every website?
This is awful. EU has no idea how to properly regulate tech.
One reason the EU missed out on the internet is our unlimited willingness to be regulated. And we keep piling more and more bureaucracy on top of it.
This only cements the power of US big tech like Google and Facebook.
And it sets the stage for the next big applications of the web all being built outside the EU as well.
Here in Germany, everyone is afraid to start a web startup. And if they do, they spend endless amounts of energy on agonizing over the GDPR and how to build useful international services without using international tools. We sanctioned ourselves by making the use of foreign SAAS illegal.
If you are in the EU, try out surfing the web via a non EU IP once. It is an eye-opening experience. No cookie banners! Only Europeans have to deal with those.
But it gets worse: Look at European websites from a US IP. You do get cookie banners. European companies deal with degraded user experience, slower build time and worse monetization. On a worldwide basis. While the rest of the world only applies these downsides to the European part of their business.
Oh, man, such a shame about all these laws.. [checks notes].. protecting users from predatory company behavior. Things would be so much easier if we didn't have those laws - we could all start web startups.
This is already a pattern in HN discussions: legislation is proposed, news outlets vaguely summarize it, the HN crowd interprets the summary in absurdly maximalist way without bothering to read the spirit and letter of the law; outrage ensues. This is coupled with an "I-know-better" condescension towards authorities, reinforced by a weird ideology that code is above law
The legislation, at least the one coming from Brussels, is nearly always reasonable in scope, extent, impacts, penalties, and tends to strike a fair balance between specificity and vagueness as to allow the courts for some wiggle room for interpretation
As an example, with interoperability, the final legislation might stipulate something similar to this:
* once a software service reaches sufficient market size
* the core functionality of the service must be exposed for interoperability
* any breaking changes to core functionality must allow for sufficient period of backwards-compatibility and deprecation warnings. Exceptions for security breaches or other emergencies
So, for Youtube, this would mean logging in, viewing videos and history. It doesn't mean that every single feature of every single web site must be publicly exposed and be backwards-compatible for eternity
The GDPR had consequences that were both wider and wilder than even its most aggressive critics predicted at the time, such as making it illegal for the banking system to continue using their existing EBCDIC-based systems: https://news.ycombinator.com/item?id=28986735 The HN discussion was also full of comments about how the bank should've changed its systems already because it had ample time to come into compliance with the GDPR, never mind that no one really even anticipated this as a compliance issue at the time.
That's a wild edge case. And yes, a bank or whoever should be able to note your real name. It's the banks' problem for using obsolete things, not a GDPR problem.
What about the 'discovery' that Google Analytics is illegal under GDPR? Not raised even once right up until the moment the courts decided it.
EU privacy law is so vague that people routinely 'discover' new impacts of the rules only when some judge pulls them out of thin air. The fate of EU tech firms is pretty much well described above: endless agonizing over how these rules might be interpreted, followed by maximally damaging interpretations, because the nature of such law making is that enforcement is arbitrary.
Won't somebody think of the surveillance capitalists?!
Your wild edge case is someone else's life and living. People who love controlling other people (like the government and those who support it) never seem to understand that.
"the government" lol
> Your wild edge case is someone else's life and living.
Yes, the person whose name is mangled by a shitty bank's IT systems. Or the people who can see what a shitty data vacuuming company has on them (that now has to ask for consent beforehand).
Regulations are there to protect people like that, not just for fun.
In the 20th century 151,000,000 people were killed by "the government". lol? Maybe don't laugh about people that kill people for power.
"government" isn't a monolithic entity. You can't compare the EU, USA, or a random dictator in Iraq or Congo. Trying to imply they're the same and that they're all somehow inherently bad is libertarian bullshit that fails a basic sniff test.
The article you've linked is obviously biased (why does it make a point of talking about totalitarian communist regimes and their death toll and not any other totalitarian regimes'? Some of the most infamous and deadly totalitarian regimes aren't communist - Iran's Islamic one, Saddam in Iraq, Hitler, Mussolini). And the argument that totalitarian regimes are bad because they wage war and that democracies can't even execute serial killers falls apart when the US is brought in. I won't even bother with the rest.
Regulating local companies is making things only worse. That is the reason why all of Europe depends on foreign tools in the first place.
It is a similar death spiral to how we deal with the housing problem. People have a hard time finding affordable apartments in the city centers? Create more laws that limit rents! Does this create more apartments? No. It just sends the local housing market further down the drain.
By your own argument, foreign companies can navigate the rules for selling into Europe just fine - so what is stopping a European company from doing the same?
If there is any remaining problem it is that the rules are not enforced strictly enough on tech giants.
Let's talk about startups first:
An indie dev in New York does not care about the GDPR. They just build cool shit and put it online. Look at all the Show HNs here.
In the EU, the situation is very different. Indie devs are super afraid and work hard to make their stuff less useful to please the GDPR.
Now about larger players:
EU companies agonize their worldwide users with cookie banners. Because that is what the GDPR tells them to do.
Non-EU companies don't do that. Because why should they? Will a lone Italian traveller in the USA sue them for using Google fonts? Probably not. And if they do - they can handle it. So they only agonize their EU users with cookie banners.
Unlike in UE, EU companies are not allowed to sell their customers' data to random third-party spammers, scammers, adtech companies and bounty hunters.
That is it - as a startup, GDPR is not a massive problem. You know what is a real problem? The fact that you can raise 10x more investment in the US with the same slide deck.
Small correction: the indie devs just building cool shit are fine under GDPR. The indie dev who wants to monetize his community while not caring about the externalities of possibly leaking their information has a headache.
If your business model depends on creating undesirable externalities for your "users" then you don't have my sympathy. The only shame is that we still need to enforce GDPR properly on large players, but that's a political and social thing, not per se a problem with the law itself.
And the oh so horrible cookie banners: the solution would be to not track people. If you aren't fully acting in the user's interest, the cookie banner is easy to implement, or maybe not even required. So whenever you are annoyed by a cookie banner, it should be directed at the company, not the law.
What's the limit that an indie could go without caring about GDPR. Is it actually until they want to be "commercial"?
It's not until you decide you want to start tracking people or in other ways use their PII that you should become worried, indie or not.
No, it's until they decide they want to abuse personal data.
Until they start saving PII that is not necessary for their core business relationship with the user.
If your app is literally about self quantification and the user pays you to collect that data and keep it private? You might not even need to state it anywhere, although the safe thing is of course to list all the ways you do or do not collect data.
If your app is about self quantification and you monetize by selling user data or its aggregates... GDPR. If you use a third party data provider instead of hosting the data yourself: GDPR etc. Because user data might not be important to you, but it is to your users, so you probably shouldn't be allowed to YOLO handling it
> you probably shouldn't be allowed to YOLO handling it
Exactly. If a company doesn't care enough about its users to even tell them what they are doing with their data (or in some cases even know what they are doing with it) then the user can't expect that company to secure it or to provide a valuable service with it.
And yet US companies keep biting the bullet and abiding by regulations (or bleeding money to pay the massive fines for violating them) to keep doing business in the EU. So what if those companies can get away with abusing their non-EU users and use those to generate most of their profits. Are you more concerned about providing services and improving quality of life in the EU or with a handful of rich kids in the EU being able to rake in the same kind of cash as their American counterparts?
It's funny you think deregulating housing would solve the housing crisis. If you think rent limits are a disincentive to build more affordable housing, how about we just subsidize loans for non-commercial home ownership instead of expecting investors who want a ROI to either make their luxury apartments more affordable for no good reason or adhere to health and safety standards in their barely profitable social housing projects? After all, if tenants can cough up the money to regularly pay ever-increasing rents they can surely pay back loans with similar rates.
Funny how I have worked both as a developer and a business owner building applications for startups and established businesses alike and yet as both a consumer and a professional I'm glad to live under EU jurisdiction instead of the US because all those evil privacy protections and regulations mean I can have a reasonable expectation that companies can't just do what they want with the data I entrust them.
People like you love to complain about cookie banners but somehow fail to acknowledge that the reason cookie banners are a thing is that companies go out of their way to try and game the regulations instead of actually implementing them. Sure, you can't build the next Facebook in the EU but maybe not being able to build a business on intentionally abusing your users' trust is not a bad thing.
If you just want to get rich, there's still plenty of nigh-unregulated banking and speculative investment you can get involved in with nary a consequence. If you want to build software, I'm not very sorry you're inconvenienced by regulations that actually protect people from your overreach.
So you like that your code is protected by intellectual property so that you can make money off it and no one can just take it and use it without permission?
But you don't like that your users' data is protected by GDPR, so that you can't take it without permission? That's unnecessary regulation holding back business?
Does not sound like it has anything to do with regulation, it sounds like you want the government to give you an advantage.
There's no contradiction.
Intellectual property protection is opt-in. It requires the individual to enforce his rights before a court in the relevant jurisdiction. The government only facilitates registration and adjudication. Courts don't force individuals into global protection schemes against claimant's own will.
Whatever the expected merits were, GDPR's existence as a policy has been of little more use than a protectionist beating stick in service of the EU. It gave the EU the power to dictate how websites are to be designed. Non-Europeans with business interests inside the EU had no say or representation in the matter. Governments shouldn't claim universal jurisdiction over the Internet, whatever their reasoning for such claims might be.
So if governments didn't sue you for violations of GDPR, but your users did so personally then the situations would be exactly identical and you would be happy?
Yes and No.
Yes in that people already have that agency to sue. I'm sure you've heard of class action lawsuits.
No in that I don't approve of the GDPR prescribing what constitutes a privacy violation rather than leaving such deliberations to contracts and courts.
The law prescribes what constitutes an IP violation. Contracts and courts didn't invent the concept of copyright. You benefit from the privilege granted to you by law.
While I'll grant you that copyright is a privilege granted by government, copyright is not the only form of IP protection and not all of them are treated in the same way. I will also add that what constitutes an IP violation is determined by the particular claims of the rights-holder with respect to the wording of license/contract in question. Those violations are not predetermined "defaults" set up by legislation.
The GDPR, on the other hand, presupposes a global positive right to privacy irrespective of national sovereignty or contractual agreement to the contrary and that any alleged violation from any point on the planet carries with it a presumption of guilt. A regular complaint on this forum is that the US regularly oversteps its bounds via legislation like the CLOUD ACT. I don't see why it's any less of a concern when the EU does it.
In this case, the rules only apply to corporations with large enough revenue, so startups remain unaffected.
Fellow EU entrepreneur here: you being downvoted says enough about what kind of people are commenting here.
US works with a "better ask forgiveness than permission" model, where you are pretty free to do what you want, but people can sue you.
EU works with the opposite: create rules and keep companies compliant with those rules.
It's pretty obvious to see that the 1st model is very beneficial for startups and bootstrappers.
I didn't downvote but I thought it was a weak comment: it's a generally valid perspective but doesn't seem tailored to the actual news, which is mostly tailored to large capitalisation/turnover companies.
The general pro-vs-anti regulation dimension of the argument over tech policy seems to lack the necessary nuance if it doesn't ask about antitrust. The lack of antitrust regulation in the US has meant that the SV pipeline which fifteen years ago supported a diverse tech landscape is at risk of degenerating into one that only aims to produce targets for monopolists to buyout. It's a possible future of your "1st model" I'd rather we were more worried about.
Are there any actual cases of EU startups being fined under GDPR without being given a chance to fix their stuff. I was under the impression that the enforcement so far has been pretty lenient.
The real problem is not the fines, but to comply to all of them.
For example, EU article 13 has a direct impact on my product (my users can upload custom resources). Good thing that Belgium didn't implement it yet. But when they do, I probably need to move my business to Delaware or something.
They claim that article 13 is to rein in the big companies like YouTube. But in the end this also makes sure that EU has a hard time of building their own YouTube.
Anyway, I looked into it, and it seems possible for me to move my business abroad when we get that far.
But all this basically proves my point. It's easier to build a startup when you are outside of the EU.
As a caveat, I built business around the EUCD (Article 17, previously 13). It doesn't matter where the business is based. Up until you operate in EU you will have to be compliant. That said, for platforms below certain size the compliance is fairly simple which is the same you already have under the E-commerce directive.
For context, I'm an EU national that moved to US to build a business here. US does appear freer on its surface, but everything is much more convoluted. As an example, most states have at will employment rules. That means workers can leave any time they want and employers can fire them anytime they want. But then there are many other regulations and case laws that make this essentially impossible. There is a whole predatory industry that is built around this where fired workers sue for $80k because they know that a counsel for the employer will charge $100k and it's cheaper to settle.
I would much rather have clear rules of operations, even more strenuous ones than this.
That does not make US less regulated. It makes regulations unpredictable and unevenly enforced.
Also, cookie banners are mostly bad faith restriction implementation. You can have functional cookies with no banner. What you can't have are those tracking cookies which is what the whole thing is about.
I would say most people don't agonize over it because most people don't follow GDPR here in Germany. I think more and more people are slowly complying, but certainly in the last 3 years no one has cared.
I personally believe GDPR will never be properly enforced and most people will ignore it. The easy parts of GDPR (cookies, fonts, I guess CDNs now) are automatically detectable, and the hard parts (deletion of data, data processing agreements, necessary collection) are not. There is no way to automatically find out if someone is storing IP addresses in their access logs.
One of the really funny things I encountered in Germany is the emphasis on data privacy/protection...
But every single citizen has to inform the government where they live and their religion. You also have to inform your boss of your religion. If you make creative content, you have to publish your address as well (unless you can afford to start a business at another location).
You can find out where anyone in Germany lives for a small fee.
Those things have about 10x greater impact on my day-to-day life than Twitter finding out I watched a "cancer prognosis" video. I know they're not mutually exclusive, but it shows where priorities lie.
> But every single citizen has to inform the government where they live and their religion. You also have to inform your boss of your religion.
That depends on the religion. For a bit more context (read the full history in [1]): As part of the 1800s separation between state and church, the major ones (Catholic and Evangelic-Lutheran) got the right to a percentage of employed people's wages as a sort of "membership fee". This gets deducted by the employer out of your paycheck and collected by the tax office, then distributed to the church you're a member of. Over the years, the right to collect these taxes expanded by quite a number, although currently only the Roman Catholic, Old Catholic, Evangelic-Lutheran, Free Protestant and Jewish synagogues use that right.
In real life, no one but HR at onboarding cares which religion you specify.
Also note, this is not exclusive to Germany. Italy, Sweden, Austria, Finland, Denmark and Switzerland all have a similar system.
[1] https://de.wikipedia.org/wiki/Kirchensteuer_(Deutschland)
I understand that it's related to taxes and that it's not exclusive to Germany (that's just the one I'm most familiar with). But there are better ways to do this that don't involve the government or my employer. These things violate my personal privacy far beyond what an advertising company does, or at least have an actual effect on my life.
I also think you're massively underestimating how much people care, especially in an increasingly secular Europe, even in very liberal cities like Berlin. And in small companies, there is no HR.
Why are Germans ok with registering their religion with their government after the government rounded up everyone of a certain religion and killed them?
Because those religions want to collect taxes, to do so they register their members so that they automatically can take a part of your paycheck. A bigger question is why Americans are fine with the state registering their race given how much history of racial abuse they have.
Every developer should try to understand GDPR to a basic level, as those basic principles are good enough of a baseline. Won't go into minutia, cause at the enterprise/large scale level you'll need a DPO (data protection officer) and follow stricter auditing practices (among other things).
Second, cookie banners are unrelated to GDPR. They became mandatory years before the GDPR, and the level of intrusiveness is because websites don't follow the "spirit of the law". With time hopefully the cookie banners dark patterns will subdue (after a few more entities get fined).
In terms of EU startups, what I'm familiar with, is them getting bought by US corporations, and not failing under the pressure of EU pro-consumer bureaucracy.
> websites don't follow the "spirit of the law"
A perfect counter-example to people rambling about EU legislation - Wikipedia.
Consistently in the top 10 sites in the world for 15 years, yet there's no cookie banner, no GDPR consent screen, no personal data hoarding, no dark patterns, etc.
Wikipedia doesn't need PII in order to operate so this is a terribly unfair comparison when you think of a service providing something more in depth than a wiki. They are also non-profit.
"Following the spirit of the law" is authoritarian nonsense. I can do whatever I want unless it's illegal. If the law cannot or does not spell something out how is that the public's problem? We spend enough blood, sweat and tears employing legislators and bureaucrats. I am not going to also do their job for them.
A high level overview may be possible, but any amount of actionable detail is impossible for laymen and lawyers alike. The GDPR is intentionally vague; there are entire academic papers from respected researchers dedicated to trying to parse individual sentences from the document. See e.g. Cohen and Nissim's 33-page article on interpreting the sentence
> To determine whether a natural person is identifiable account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.
https://arxiv.org/pdf/1904.06009.pdf
Turns out writing vague laws lets you turn entities you don't like into cash cows.
I think actionable details are left vague as to not create legislation that's left behind by technological advances.
You're right that personally identifiable information is a hot topic. Partly because you need immense foresight (a.k.a. impossible) to see how multiple data points can be correlated to identify someone, but also because you need to be aware of large-scale actors (e.g. state supported dragnet surveillance).
As an industry I don't think we have reached that discussion point yet, when we still have common basic practices we need to change. For example, I know that most small/medium companies don't even attempt to anonymize their database dumps. Those are the issues we have to focus on first, and those actions become clear to any developer that reads the GDPR for the first time. It's actionable insight without being explicitly stated.
I think that the GDPR is *incompatible with the web 2.0 model, and the internet as it exists today*, and I also think that is a good thing! It should push us to build services that in the end treat all users' data as personal information, and lead to anonymous internet services by default.
I have my own laundry list of things I dislike about GDPR, which makes compliance harder than it should be. One such example is that IP addresses are "an exercise left to data controllers to anonymize", where I hold the belief that the legislature should have forced ISPs to be the ones to anonymize user IP addresses (anonymize things at the source). That way data protection agreements would not be even necessary when you use a CDN in front of your website (for example). By the same token, browsers should be forced to use generic User Agents, as those leak platform information like crazy.
I also disagree that "vague laws lets you turn entities you don't like into cash cows", because what I see most common is that companies get a slap on the wrist (so to speak) and fines are not always the first recourse, only affecting those that are majorly negligent and repeat offenders.
These laws are not draconian tools to suppress digital products, but to protect users from life affecting data leaks, automated decision making and profiling, which we've seen to be objectively bad in the past.
But as you can tell this is my highly subjective take on the issue. I might be completely wrong in my belief after all.
> This only cements the power of US big tech like Google and Facebook
Au contraire. This regulation will force the big tech companies to open up their platforms, thus enabling innovation and competition.
> One reason the EU missed out on the internet… Here in Germany, everyone is afraid to start a web startup
The EU does actually have a variety of "internet" companies – and that includes Germany! There are certainly less of them; regulation could be one of the things that affects that, but it seems way more likely to be a wildly different environment for funding. Investors are more conservative and far less likely to throw dumb money at anything that moves, which means fewer successful unicorns. I'm not sure that's the best approach, but I'm not an investor.
> they spend endless amounts of energy on agonizing over the GDPR
No they don't. GDPR compliance is generally fairly straightforward for any company which isn't trying to deliberately harvest and profit from your data—particularly a new company with no legacy—and in any case represents a set of practices that should be followed by any company dealing with private data in any case.
By the same token, those startups have to worry far less about the nonsense patent and IP environment in the US. So worst case we'll call it a wash.
> We sanctioned ourselves by making the use of foreign SAAS illegal.
This did not happen. Use of non-EU SaaS is legal, subject to it being compliant with local regulation.
I'm always a bit weirded out by strenuous objections to GDPR – it seems to me that the data privacy environment in Europe is broadly pretty sensible. You need to:
- know what data you are using
- have a good justification for using it
- take appropriate precautions to secure it
- make sure users are aware of what you are doing with it
- allow users to access and correct the data you hold on them
I find it hard to object to that.
Reading this is so entertaining. "It's not the regulation that has depressed the EU startup scene, it is depressed because we in the EU are too smart."
Well, that’s obviously not what I said - indeed, the point was that European investors can often be conservative to the point of stupidity and throwing around dumb money can be the smart move.
That sounds very theoretical. I witness the journey of several German startups for a while now and get a very different picture.
Many of the most powerful web tools are not compatible with the GDPR. Google Analytics. Ad marketplaces. Free CDNs. And it's all a moving target. I see small companies struggling for years now with these problems. And they will keep struggling for the foreseeable future.
It is the most powerful tools that I want restricted. The millisecond bidding auctions for ad placements and the tracking that goes on to enable that are unethical and illegal. There are perfectly good alternatives that don't abuse my personal data — companies should use those.
That’s great, but the question is about the second order effects.
Have you taken them fully into account when you declare that these regulations are what you want? Or do you want the first order effects only (who wouldn’t?!) and just stop your analysis there?
Declaring that there are “perfectly good alternatives” sounds like dismissal of the second order effects, which certainly makes supporting the regulations much easier to sit with.
It seems that I get hit with the negative first order effects, and VCs benefit from the putative positive second order ones. No, I'm happy to have the legal eagles stop this without-consent data sharing, and if the corporations lose a bit of money, then that's fine by me.
My experience says that this is pretty far from the truth, and nobody is really struggling with any of this stuff. It's all been "yeah I guess we have to pay attention to privacy, that's a bit annoying" and then getting on with it.
What you're saying basically boils down to "if we stop worrying about user data then we can make more money!" which… yeah, I guess. In the same way that companies could make more money if we let them pump effluent directly into rivers – but we don't do that.
You are declaring things as facts but my experience is yes startups do spend huge capital on ensuring GDPR compliance and neurotically worry over it.
I also have experience from two start-up scale-ups that many clients are saying we won't work with you if you use a US Big Cloud. The EU alternatives are much worse and this causes lots of developer waste now ensuring the platform runs as well on the Big Cloud as it does with really terrible EU-cloud.
Yes, I am declaring these things as facts based on my own experience with European startups – yours may vary. So far, the approach has been miles away from "spending huge capital" or "neurotically worrying", and much more "just following the regulations and getting on with it".
> I also have experience from two start-up scale-ups that many clients are saying we won't work with you if you use a US Big Cloud
Yeah, I've not heard this from anyone – but if it's the case, it sounds like there's market pressure to use services that offer better protection of personal data. Sounds like you've found an opportunity to offer an EU-based cloud service that's better than the competition :)
I'm confused: your Hacker News blurb says you're the head of a UK based company. Where are you getting your direct experience from?
This is going to sound more aggressive than it is but it doesn't look like you're qualified to be declaring these kinds of facts on the realities faced by EU businesses.
I'm still working at one of the two companies I mentioned, in Denmark. It's a very real problem for us right now. And I think you're understating the effort required to launch a competitive cloud, especially given the regulatory hurdles of the EU.
> Where are you getting your direct experience from? This is going to sound more aggressive than it is but it doesn't look like you're qualified to be declaring these kinds of facts on the realities faced by EU businesses.
I would suggest you focus on talking about the specific issues you face rather than questioning my background, but bear in mind that the UK was part of the GDPR pre-Brexit, is presently subject to much the same regime, our company is a recipient of Horizon 2020 funding, we have offices, customers and investors in the EU, and I have spent several years now dealing with the regulatory issues raised by GDPR and how they impact on our business. I am reasonably confident that I know what I'm talking about – your experience may vary, and I am way more interested in hearing what you feel your challenges are than I am in nitpicking your credentials.
>If you are in the EU, try out surfing the web via a non EU IP once. It is an eye-opening experience. No cookie banners! Only Europeans have to deal with those.
I'm in Qc, Canada and I see them very often. Is it only checking for a US IP, and everything else gets the banner?
In the U.S. and I'd seen so many of them that I have an extension installed specifically to hide them while browsing.
> One reason the EU missed out on the internet is our unlimited willingness to be regulated.
Bollocks. The key difference between here and the US is the simple fact that we don't have enormous amounts of "dumb money" from pension and hedge funds screaming to be invested into anything that remotely smells like it could be worth money one time - remember Yo! which got 1M funding?! - and then founders making big money at IPO time, which many of them then choose to invest into new startups.
That means that you have to either rely on philanthropic investors, family or borrow money from banks at ridiculous interest rates (and often requiring deposit of a car/house or other expensive assets to back the loan).
Navigating GDPR and the laws here is easy - one might say, life is even easier here than in the US for startups because you don't have to fear getting kicked in the nuts over bogus patent and other IP claims or absurd multi-million dollars civil damages lawsuits.
Dumb money is not the basis for the web as we know it.
Look at where we are communicating here. On a US website built by a single person.
>Dumb money is not the basis for the web as we know it.
It's not, but it's the basis of ad-driven, surveillance-ware, and user engagement optimized companies that drive the ludicrously high profits and wages in the US tech sector.
Do you see US tech workers lining up to work for Canonical? Yeah, I thought so too.
Well once I saw their application, I wasn't interested in working at Canonical either. And I'm currently looking for work, for what it's worth.
I know that thread, that's why I used it as an example.
Hiring in tech is broken regardless, so most candidates optimize for compensation as that way at least the end result justifies the effort of going through those several stages of various hazing rituals each company has lined up.
And like the Canonical employee said in that thread, they receive 80% quality applications despite all of those shitty hoops Canonical makes you jump through even before they talk to you. So yeah, there seems to be no shortage of devs regardless of how bad a company's hiring practices are, as long as they're an established name and/or pay great.
Here being the news portal of Y Combinator? Y Combinator being a startup fund? The combined valuation of YC companies being over $600B?
For the web itself, yes. But for a lot of the services we use daily - Google, Facebook, Twitter, Reddit, Uber, AirBnB - lots of "dumb money" for cheap/free services or to outright price-dump the legitimate competition were the basis of their success.
Why aren't they investing their "dumb money" in EU web start ups then?
Because in the US, money has nowhere else to go. Stocks? Wildly overpriced. Real estate? Wildly overpriced. Bonds? Zero returns. Mineral extraction? Risky outlook. Energy sector? Subsidies are likely on the horizon, better to wait. Infrastructure? NIMBYs
That's not the case for the EU. Money gets reasonable returns in energy sector, industry, any investment in Eastern Europe, tourism, PPP infrastructure projects, etc.
Is this a joke? European banks are much much more yield starved than their American counterparts. Your bonds have negative yield and pretty much every type of investment is more profitable in the US than in Europe. That's why big EU banks like Deutsche Bank or Credit Suisse have been severely underperforming, and that's why housing bubbles in Europe are much more severe (Spain, Greece, Portugal, etc)
You are literally describing the opposite of the truth.
> and that's why housing bubbles in Europe are much more severe (Spain, Greece, Portugal, etc)
Nothing, not even the Londongrad bubble, is as excessive as the US housing crisis.
Easier to invest into something if you only have a short car drive to the company you're investing in; additionally everything cross-border involves a lot more effort with coordinating taxes.
In any case at least YC does invest into European companies [1] - the key thing is you have to get far enough to have a meaningful product that VC funds can invest in, and unlike the US we don't have a lot of billionaire former founders who go around throwing a couple thousand dollars left and right for promising ideas they hear in an elevator.
Are you saying they'll miss out on a multi billion dollar profit opportunity because "it's not a short drive". Many VC firms have European offices, there's Zoom or a plane flight. Cross border investment is not a new or alien thing so dealing with taxes or regulation isn't something they can't cope with. So money not being available isn't a convincing reason.
> Are you saying they'll miss out on a multi billion dollar profit opportunity because "it's not a short drive".
Not "miss out" per se, rather a "prioritize companies in close proximity". There's a reason why a lot of the former startup turned unicorns are all concentrated around the Silicon Valley.
IMO, based on their current business models, big US tech companies would be better off financially by pulling out of the EU entirely than by allowing interoperability via public APIs.
They will lose most of their users to small platforms if they provide too much interoperability - Not just in the EU but all over the world. Their monopoly over the bulk of the world's user accounts is their only real competitive advantage.
That said, in terms of social good, open APIs would be great.
If they did pull out, that would be probably the largest business opportunity in human history, with a $16 trillion economy suddenly having no large competitors in many sectors.
I'm sure entrepreneurs in the EU are salivating at the thought of that happening.
If that's really the case then they'll pull out of the EU market rather than comply with this law. Let's see if that happens or not.
They can (and likely will) produce a layer of bureaucracy that could keep out any non-EU player if they wish, stuff like having to register with them with EU-based company information before they give you an API key (this is just an example).