EU Probes Apple's Decision to Shut Down Epic's Developer Account

macrumors.com

106 points by dataking 2 years ago · 151 comments

akmarinov 2 years ago

What's Apple's reasoning here?

An American subsidiary lied once and an American court said they didn't have to keep them around, so we kicked a European subsidiary out of the European mandated DMA.

Yeah, that's gonna go over great with the EU. Apple really deserves the 10% of global revenue fine to be brought down a peg.

  • stingraycharles 2 years ago

    A US judge ruled that Epic has a pattern of “malicious compliance”.

    Epic created a new account in Sweden so they can create an App Store in the EU.

    Apple used the judge’s reasoning of a pattern of malicious compliance to preemptively shut down Epic’s account. Because they believe Epic will not play by the rules.

    So it’s a kind of pre-crime reasoning, they’re shutting down Epic’s account before they can do anything wrong. And probably also because Epic publicly criticized Apple’s malicious compliance around the EU rulings.

    • lagadu 2 years ago

      > Apple used the judge’s reasoning

      Using an American court's decision as a basis to try and break EU law tends to go over very well on our side of the pond. Good luck with that.

    • KptMarchewa 2 years ago

      > A US judge ruled that Epic has a pattern of “malicious compliance”.

      Seems like a great fit for Apple.

    • prmoustache 2 years ago

      Isn't “malicious compliance” the business model of Apple and most successful companies?

      • laserlight 2 years ago

        Can you expand on what Apple has done to count as “malicious compliance”?

        • stevefan1999 2 years ago

          The DMA tax. It has the side effect of killing off open-source projects for the iOS with their egregious installation fee in Europe. Every time you install an open-source app, the developers are extorted by Apple with Core Technology Fee of €0.5 each and the Fee waiver guideline does not mention open-source to be a valid criterion for such exemption.

          Limiting USB-C speed to USB2.0 for iDevices that are deemed "not pro", and not having Thunderbolt access despite the fact that the hardware could in theory allow it, limiting customers' choice to buy the "pro" models for a full experience. And a slightly bigger Lightning cable is still being used in Apple Vision, which is clearly a flying middle finger to the USB-C change.

          Apple is starting to commit to the adoption of the RCS standard in 2024 too, but they still won't support Google's E2E extensions, and are instead working with GSMA to make their own encryption standard. The point of RCS is to make communications open, not by trying to make you feel special. Perhaps Apple is still trying to make a segregated market with different colored bubbles just like iMessages.

          This might be controversial, but I think it counts: notarization hell (I would like to call it "notorization", combining both notarization and notorious). Starting from Catalina, Apple is forcing all Mac apps to be notarized by Apple before use, making the experience of installing custom software other than that downloaded from the App Store extremely difficult, in that you have to press a lot of buttons, buried deep in the settings and not as apparent as they should be. This makes genuine open-source development for the Mac itself quite hard, as it not only needs to go through Apple's notarization service before publishing, which is sometimes flaky and not always available, but it also means Apple has control over what apps are allowed simply by revoking your certification, unless you jailbreak your Mac to disable notarization (https://disable-gatekeeper.github.io). Interestingly, Apple could have totally banished checkra1n from running on Mac by revoking the notarization, but Apple doesn't.

          • zodiac 2 years ago

            > Every time you install an open-source app, the developers are extorted by Apple with Core Technology Fee of €0.5 each

            I don't think this is true? AIUI a developer can choose to operate using the "old business terms" even in the EU, in which case they don't have to pay the fee. https://developer.apple.com/support/core-technology-fee/ backs this up by stating that the CTF is an element of the "new business terms".

        • lagadu 2 years ago

          Breaking PWAs is the most recent example but the most well known was their (now dead and buried) attempt to circumvent USB charging requirements.

        • bmicraft 2 years ago

          Everything they've done around the right to repair

          • laserlight 2 years ago

            As far as I know, they ship a whole package of tools to customers who would like to repair their equipment. They also made the latest iPhone models easier to disassemble. What do you think they should have done in order to comply benevolently?

            • dns_snek 2 years ago

              A non-exhaustive list:

              - They don't allow repair shops to freely order parts, each part must be ordered on-demand, requiring repair shops to pass their customers' personal information to Apple. This adds significant delay to repairs which makes 3rd parties an unappealing option

              - They implement digital pairing between parts that require Apple's authorization, which is inaccessible to third party repair shops. In practice this means that you could buy 2 identical brand new iPhones from the Apple store, and they wouldn't work when you swapped their screens.

              - They restrict Apple authorized repair shops from performing many useful repairs, I'm not completely up to date on the exact list, but you can watch videos from Louis Rossmann or read materials from other educators on the topic

              - They gaslight users asking about data recovery options on their own forum, claiming that any repair shop which offers to recover data is scamming them, and ban actual experts who correct them to say that data recovery is possible

              https://www.youtube.com/watch?v=qV4_mLw2BGM

              https://www.youtube.com/watch?v=LrILfIE9IB4

              • blashyrk 2 years ago

                And, of course, all this is done under the guise of "security" or "protecting privacy" and the users are cheering for it. You never know when a 3rd party company is going to place a digital time bomb _somehow_ by putting a screen from iPhone A into iPhone B! Better let Apple fix it. Oh, the margins? What margins? It's not margins, it's the price of SECURITY!

              • laserlight 2 years ago

                Thank you. All of these sound like valid criticisms to me.

                • kjreact 2 years ago

                  Don’t be too quick to accept these criticisms. You have to compare to competitors in the industry to get a clearer picture.

                  Looking at screen repairs for Samsung Galaxy phones the same security issues arise and there are complaints about Samsung blocking third party repairs due to security concerns.

                  So are both Apple and Samsung just being greedy or is there more to the issue at hand? I’m inclined to believe a company unless they’ve demonstrated that I cannot trust them.

                  • AnthonyMouse 2 years ago

                    > You have to compare to competitors in the industry to get a clearer picture.

                    This tells you nothing. They each have the same incentives. They want you to pay a premium to the manufacturer for repairs, because they're the manufacturer, and because that causes more devices to be uneconomical to repair and so more people have to buy new ones.

                  • laserlight 2 years ago

                    I agree. I give Apple more benefit of the doubt than other tech giants. I see many knee-jerk reactions to what Apple does --- in my opinion --- rightfully. After all, many of these decisions are trade-offs, such as reusing parts from another iPhone being a measure against theft. I thanked the previous user I replied to because they were able to go beyond knee-jerk reactions and highlight issues in which Apple is pushing too hard on the trade-off scale.

                    • AnthonyMouse 2 years ago

                      > After all, many of these decisions are trade-offs, such as reusing parts from another iPhone being a measure against theft.

                      This is their stated justification, but it doesn't hold water. The device could refuse to accept a part if the part is from a device that has been reported stolen but they have it refusing to accept a part from a device that hasn't been stolen.

                      • laserlight 2 years ago

                        And such a system would have its own trade-offs, wouldn't it?

                        • AnthonyMouse 2 years ago

                          "Trade-offs" is a weasel word. It excuses nothing because it excuses anything.

                          Automatically bricking every device the second the warranty expires is a trade off, because you're "protecting" the user from out-of-warranty repairs. Does that mean it's justified?

                          Real trade-offs are the epitome of customer choice. Both of the alternatives are available and you choose the one you want. That choice is impaired when products are bound together, so that you can't make your choices independently.

                          Forcing people into these trade-offs is the evil to be prevented. It's the reason anti-trust laws prohibit tying.

                          • laserlight 2 years ago

                            > Does that mean it's justified?

                            I didn't say trade-offs justify Apple's behavior. But unless proposed alternatives are superior in every regard, we cannot claim that Apple should have done so, or that they have secret motives. Your proposed alternative for third-party repairs is likely to require trade-offs that Apple is not willing to make.

                            > It excuses nothing because it excuses anything.

                            We have a bigger problem that excuses anything: current economic model. Under this model, actors act the way they do, not because acting so is right, but because they can. Apple can afford to limit third-party repair options, so they do.

                            Regulations only make it a cat-and-mouse game. Actors now do whatever they can within the new limits. And, they are very clever in finding new ways of doing what they can, which people call “malicious compliance”.

                            • AnthonyMouse 2 years ago

                              > But unless proposed alternatives are superior in every regard, we cannot claim that Apple should have done so, or that they have secret motives.

                              This is what makes it a weasel word. Nothing is ever superior to something else in every regard. To use this as the standard is to assume that an ulterior motive is never possible, even when there is an unambiguous perverse incentive and the company's rationalization is weak and transparent.

                              > Your proposed alternative for third-party repairs is likely to require trade-offs that Apple is not willing to make.

                              Which is why it should be the customer and not Apple who chooses whether to make them that way, and the customer should not be forced to make such otherwise-independent choices together.

                              > Regulations only make it a cat-and-mouse game.

                              The premise of a cat-and-mouse game is that the cat is unwilling to eat the mouse.

                              If the law says that you have to allow competing stores and the company flaunts the law, the next law could say that the same company is not allowed to both make the device and exercise any control over any store, prohibiting the company from operating one themselves. Penalties don't have to be limited to money, they could require the release of internal documentation and source code to facilitate adversarial interoperability. They could simply break the company into a dozen smaller pieces.

                              Regulations are often terrible because they create inefficiencies which raise prices and, when applied to smaller entities, can destroy them and cause market consolidation. And regulators often pass rules without ever checking up on their actual effects. But "regulations are often wasteful and ineffective" absolutely does not mean that the regulators have no ability to mess up your business -- that is, in fact, the hardest thing to avoid because it happens so easily by accident. The last thing you want is to do anything to cause them to want to crawl inside you and lay eggs.

        • blashyrk 2 years ago

          Core Technology Fee™ designed to render third party stores completely dead on arrival, for one.

    • margana 2 years ago

      The thing here is that the potential "crime" they were trying to prevent is opening an App Store in the EU, which EU literally forced Apple to allow. So if this was the reasoning, then Apple is the one breaking the law here.

    • TheLoafOfBread 2 years ago

      If a European judge would decide anything about a European company operating in the USA, do you honestly believe that an American judge would even consider it?

    • lapcat 2 years ago

      > A US judge ruled that Epic has a pattern of “malicious compliance”.

      What "pattern" are you referring to? There was one incident with Fortnite, and Apple banned Fortnite permanently immediately after that one incident.

      • paulmd 2 years ago

        Are you implying “Fortnite” is a legally distinct entity from epic games somehow?

        Fortnite is the product, epic games is the legal entity.

        • lapcat 2 years ago

          > Are you implying “Fortnite” is a legally distinct entity from epic games somehow?

          No? I'm saying that there was a single incident, not a "pattern".

  • misnome 2 years ago

    > an american court said they didn't have to keep them around

    They also said that they didn’t have to keep any subsidiaries around.

    It’s not even _pretending_ to be an independent subsidiary.

    • asmor 2 years ago

      US law does not apply in the EU, and having subsidiaries in the EU is common and almost required for GDPR compliance.

      • bArray 2 years ago

        Exactly this - US law applies to the US only. In order for Apple and Epic to operate in the EU, they must abide by EU laws.

  • voidUpdate 2 years ago

    Didn't Epic Games violate the app store ToS a while back? I'm not a fan of Apple but it still seems reasonable to me to terminate a developer account for breaking ToS

    • JanSt 2 years ago

      You can't just use your ToS to circumvent the law of the market you operate in. If they have to allow Epic to operate in the EU under the DMA they can't kick them out unless it's in compliance with EU law. The EU law overpowers Apple's ToS.

    • jsnell 2 years ago

      It's not reasonable when Apple has set up artificial roadblocks whereby Epic can't compete with Apple in the iOS app store market without a developer account. As of yesterday, Apple is legally mandated to enable competition in that market, so using those roadblocks to aggressively block competition is a pretty big problem.

      Apple could easily resolve this by just removing their bogus constraints around the requirements for launching a competing app store on iOS. After that they could probably keep Epic banned all they want from the main App Store based on future ToS violations. (Though with the caveat that the ToS would need to be reasonable, and it seems clear that Apple has no intent of making a reasonable ToS unless forced).

      But they're not going to do that, are they? None of Apple's restrictions were about security or user safety, they were always intended as exclusionary measures, to make sure nobody can launch a viable competing store. When it looked like Epic was going to do it despite the ridiculous business terms, Apple reached for the next excuse in their toolbox.

    • cultureswitch 2 years ago

      Yes they did?

      Violating some company's ToS is completely irrelevant when it comes to actual laws.

      And more importantly, it makes no sense that Epic has to interact with Apple at all in order to sell software to owners of Apple products. Apple has implemented systems which make this very hard or impossible for non-expert users. Which means Apple violates basic principles of ownership.

    • margana 2 years ago

      This might be fine if Apple allowed creating alternate App Stores and developing apps for that store to be done without a developer account. However, the alternate App Store is a right granted to Epic by an EU regulation, so Apple can't just block them from doing it because they didn't follow the ToS for APPLE's App Store.

    • prmoustache 2 years ago

      Well it seems reasonable to me they terminate their developer account ONLY AND ONLY IF a developer account is not mandatory to be able to have a foot in the iOS market.

      Apple has the responsibility to safeguard apps delivered by its own store, but it will be each third party store's responsibility to do the same while also complying with EU laws.

    • jemmyw 2 years ago

      My understanding is that they had to break the ToS to take it to court. I mean they could have taken it to court anyway but they wouldn't have had standing.

  • thallium205 2 years ago

    They don’t want a litigious bad mouthing customer onboard so they fired them. It’s a story as old as time that happens daily.

    • pavlov 2 years ago

      Things are different when you’re in antitrust crosshairs and have been designated a “gatekeeper” by new legislation that explicitly intends to force you to open your product to competitors.

      It’s not a great look when your first action in that gatekeeper role is to block access to a competitor because of actions the competitor’s parent company took years ago in another country and a different jurisdiction.

      • zuppy 2 years ago

        I would add that nobody asked them to create the need to have a business relation with the external appstore.

        Although I don’t necessarily think it’s a good thing to allow external appstores, this is the law now and they have to comply with it.

        • lettergram 2 years ago

          > this is the law now and they have to comply with it.

          lol ugh, it’s the law to wear a seatbelt, I can choose to ignore it. One ironic part I like to mention about this is that tractors tell you not to wear a seat belt. That lets you bail if it’s tipping over. The thing is, it’s still technically illegal not wearing a seat belt. Ironically, riding a motorbike requires no seatbelt… and overall is more unsafe, but totally fine apparently.

          The point I’m making is laws aren’t hard constraints, they’re human constructs and you can choose to ignore them. There may be consequences to ignoring them. But the calculus for Apple is that it’s worth it to them and to ignore.

          Much like the farmer with the tractor, minimal risk to ignore. High risk to follow law.

          • prmoustache 2 years ago

            The farmer does whatever he wants within his field, the road laws don't apply there. But he has to follow the laws when he is on the road where a tractor has no reason to tip over.

            Your analogy is not relevant here.

          • tpm 2 years ago

            > laws aren’t hard constraints, they’re human constructs

            As is Apple, the company. It only exists on paper. It can be barred from existing in a jurisdiction by another human construct, a court ruling. It can choose to ignore EU laws, but there would be consequences.

          • josefx 2 years ago

            > The thing is, it’s still technically illegal not wearing a seat belt

            Check if the law in your state actually applies to a tractor. Some states explicitly list which motor vehicles the law applies to.

      • asmor 2 years ago

        Last action, they terminated Epic one day before the DMA went into effect (today).

        It's clearly meant to stall the creation of Epic's own App Store. All the processes still require an Apple developer account. This is malicious enough that I hope the EU regulators pull all strings to make Apple's fine for this not just adequate to the money they're saving, but also to account for the disregard of the law itself.

        The EU isn't the boring cyberpunk future where corporations can do whatever they want Apple thinks it is.

        • madsbuch 2 years ago

          > Last action, they terminated Epic one day before the DMA went into effect (today).

          The law went into effect November 1st 2022[0]. Until yesterday has been a grace period to allow big companies time to implement the law - I must say that 1 year and 4 months is generous.

          [0]: https://en.wikipedia.org/wiki/Digital_Markets_Act

          • asmor 2 years ago

            Sure, if you want to be pedantic about it. Though this is pretty normal for EU law to give a lot of preparation time. The GDPR had 2 entire years - and I still got some emergency compliance tickets in the week before (worked at the eCommerce arm of a major German retailer).

            • madsbuch 2 years ago

              This is not being pedantic? Apple is currently fully liable under the DMA. Especially for new initiatives, which what happened yesterday indeed was.

    • scottfr 2 years ago

      Epic is not a customer of Apple.

      Many of Apple's customers are also customers of Epic.

      Apple is trying to prevent those shared customers from accessing Epic.

      • madsbuch 2 years ago

        I think very few developers wish to be customers of Apple. But Apple gatekeeps the platform developers need to publish on.

        It is this relation that is the core of DMA, and which DMA seeks to change.

        • Seanambers 2 years ago

          They do not need, they want and they don't want to pay Apple.

          • madsbuch 2 years ago

            This is ridiculous. If you develop a game that needs to be available on all major platforms, Apple devices are a part of them.

            Are you also one of the people who would argue that you can build your own road network if you don't like the terms on the current road network?

            Luckily it is not you who are going to work on these regulations, but people who actually care about free markets (how ironic that the EU is the progressive one on the question of freedom).

            • Seanambers 2 years ago

              There is such a thing as a private road. This is not about access. This is about money, and to think the EU - the geniuses who gave us all GDPR pop ups - don't have an intrinsic interest in devaluing Apple's ecosystem is delusional.

              • dns_snek 2 years ago

                The GDPR didn't "give you" pop ups, it just made it mandatory for companies to seek our consent before they abuse our personal data. Many companies chose to be as obnoxious as possible about it to annoy you into agreeing. You need to rethink who you're directing your anger at.

                As a matter of practical advice, there are optional filter lists for uBlock Origin that block the vast majority of consent popups. I barely see any these days.

              • piva00 2 years ago

                > the geniuses who gave us all GDPR pop ups

                It was not part of GDPR, GDPR also says that giving and removing consent should be equally easy and not remove functionality (like disabling the whole website with a transparent black background) hence the vast majority of the cookie banners are illegal.

                Blame companies for illegal behaviour, the EU's rules are supposed to give you the information about how/where your private information is being shared. That's genius, and you should be grateful that now you know how much your personal information leaks.

              • madsbuch 2 years ago

                > There is such a thing as a private road.

                Yep, but not interstate roads. You can also buy a pocket calculator, which in your analogy is the private road.

                You go with your conspiracy theories.

                The explicit goal of the DMA is to open up the market. I can only recommend you to read a bit more about it: https://digital-markets-act.ec.europa.eu/index_en

      • Retric 2 years ago

        You can call Apple a customer or supplier of Epic, but it's just semantics they do have a business relationship.

        The deeper point is companies get rid of litigious business partners whenever possible. It's one reason why you end up regulating utilities, nobody wants the electric company to have excessive control over the local economy. Where exactly digital platforms sit on this spectrum is probably a question for legislators not the courts.

    • b800h 2 years ago

      That might work if you're a local plumber, but not if you're a massive global firm with a de-facto monopoly.

    • andylynch 2 years ago

      Enabling adverse risk interoperability is a main point of the Digital Markets Act.

JanSt 2 years ago

Really interesting to see how hard Apple is fighting with everything they have to keep their profits and not open up. This is a fight Apple can't win because the EU will strike back again and again. It's Apple trying to win time and thus bank profits. But I believe the strategy will fail hard: high fines and even tighter regulations that will break up Apple's monopoly completely, much broader than intended before. The more actions like this one Apple takes to squash competition, the stronger the rules will be that will be forced upon them.

  • asmor 2 years ago

    At this point I'm wondering what happens if the EU invokes their malicious compliance clause, and tells Apple outright what to do. Will they just refuse and hope they don't lose the EU market?

    I think one point lost in most of these conversations is that the existence of an open iOS will spawn a lot of "change your region to Europe" how-to articles in the rest of the world, creating an escape hatch from the walled garden (and finally a good reason to use a VPN), similar to what Apple keeps attacking sideloading for. Maybe they'd rather keep control of their other markets than be in the EU one.

    • JanSt 2 years ago

      Refusing is moot. They make $3bn profit every month in the EU. Shareholders would certainly send Cook off if Apple loses access to the EU market. Apple will play this game until the EU takes the gloves off, and they will.

    • rapsey 2 years ago

      There is zero chance of Apple abandoning the EU market. It is simply too large.

      • rekoil 2 years ago

        I agree, but it is Apple's prerogative if they want to go that way, that's an alternative to DMA compliance.

TheAceOfHearts 2 years ago

I don't understand what Apple executives are even thinking to keep engaging in these actions. How do they justify continuing to burn bridges with developers and tarnish their reputation in the public eye?

  • rapsey 2 years ago

    Their market share makes them arrogant. They are very much like Microsoft in the 90s.

    • graemep 2 years ago

      Microsoft did not suffer much as a result. They mostly got away with anti-competitive behaviour.

      • benreesman 2 years ago

        They got a very stiff warning that they would be allowed a major role in shaping the Web, but that strangling it outright would be the end of them.

        Imperfect, but enough.

      • prmoustache 2 years ago

        Honestly they had it easy because of inertia and because they managed to build a successful business with cloud technology.

        Had they failed with Gaming, Office365 + Azure the same way they failed in the mobile market, Microsoft would not be the same company as it is today and as it was 20 years ago.

  • tempodox 2 years ago

    Despots and bullies are the same everywhere. They bully while they can.

  • asmor 2 years ago

    Thankfully EU legislation has very severe penalties built-in that are mostly deterrents (think the 4% turnover maximum GDPR fine), but if anyone deserves to be hit with the full force of the law, it's Apple.

    Even Meta, who are also happy to rack up fines instead of fixing their privacy issues, aren't this reckless.

    • benreesman 2 years ago

      I’ve had my disagreements with Meta’s leadership (I quit after all) but they do try hard to comply with the law on privacy. It’s a hard, hard problem that they spend a lot of money on.

      The results have been mixed: they should probably spend even more.

      In general these are some of the “least evil” people in the valley. I have personal disputes with some of them, some mutually pretty unpleasant. But that increases, not decreases my responsibility to be fair.

      Bosworth in particular is about as close to a good guy as you can be in a job like that.

      I don’t think very highly about how I’ve been treated personally, but that’s irrelevant to the broader point: Meta’s team is playing at the “least rough” end of the field. They’re great on open models and research, their lobbying is at the low, low end of shady (by the dismal standards of the day), employees have historically been treated well, it’s less bad.

      If you want to get on them about something, the availability of Reels to minors needs to change.

      • prmoustache 2 years ago

        I wouldn't say they are the least evil, but they are working hard to lose that "bad actor" reputation they have been given over the years regarding privacy.

        • benreesman 2 years ago

          Fair enough I guess from a terminology point of view.

          If you try to lose your bad actor reputation hard enough, at some point you’re “reforming”.

anon373839 2 years ago

Apple’s recent behavior in Europe sure is perplexing to me. The arrogance suggests a kind of legal naïveté that a $2.6T multinational can’t possibly have. It must be a calculation. Do they figure Washington will pull strings to bail them out of their predicament?

  • lagadu 2 years ago

    Much like the usb charging situation, it's a delaying tactic. Of course they're aware that this isn't something they can win but they can fight and delay it for as long as possible in order to both have some profits from it while it lasts and to weaken the competitor's (in this case Epic) position by delaying their entry in the market.

    • anon373839 2 years ago

      If so, I hope Europe prices the fines high enough to make the strategy backfire.

      • the8472 2 years ago

        Just a few days ago the EU fined Apple for 40 million over a different issue. And then tacked 1.8 billion onto the basic fine as a deterrent.

newbie578 2 years ago

Time for the fines to start accumulating. I am all for making an example out of Apple. Monopolistic behavior needs to be punished.

supermatt 2 years ago

Apple must have realised this would provide direct evidence of their control over the iOS app market, regardless of their apparent compliance with the DMA. The loss of a developer account means that Epic can't even release their own app store on Apple devices, undermining Apple's responsibility to open up to competition. Can't wait to see how big the next fine is *grabs popcorn*

  • JanSt 2 years ago

    Yeah it could even lead the EU to mandate that no business relation to Apple is required to operate your store and Apple has no say whatsoever over you and may not charge you for installs, updates etc. Also, no penalties or changes may be applied to Apps choosing to use other stores. Play stupid games, win stupid prizes.

    This might lead to a complete opening-up of the iPhone as a result for the EU market.

    • dns_snek 2 years ago

      This is why their petulant behavior, as brazen as it is, doesn't really bother me. Every action they take just provides further evidence and support for further anti-trust action that will affect the entire big tech industry. Now it's up to the regulators to deliver on enforcement and take a bite out of the poisoned apple.

      • lenkite 2 years ago

        I am not so confident. Apple has a lot of Senators and Members of Congress on its payroll. This could easily lead to the U.S. government putting considerable pressure on the EU to ease off on Apple and the regulators being de-clawed. This might likely be accompanied with lots of media articles and talking points about terrible EU regulations that are suppressing good & successful U.S. companies.

ankit219 2 years ago

Think Apple's argument about Epic having previously flouted the rules openly might be good enough. For a third party app store, Apple is pretty much giving the keys to your phone to the said app store. If there is a company which has demonstrated they won't play by the rules, it's not a huge stretch to say that it may harm the security of the model. While the EU wants the company/iPhone to be more open, it also puts the onus of keeping it secure on the company itself.

Another reason I believe they are on sure footing is that they got the rejection from the law firm, which I presume knows what they are doing, just as they did during the 2020 shenanigans from Epic.

  • jsnell 2 years ago

    If Apple's security model really is that weak, it sure sounds like they should pull their products off the market until they fix it.

  • goosedragons 2 years ago

    There shouldn't be rules from the manufacturer about what a third party app store can do. If so, this scheme is already a complete failure.

    • ankit219 2 years ago

      How do you ensure security of a device without rules from a manufacturer?

      • jocaal 2 years ago

        Through security enhancing features in the operating system, like not allowing processes to access others' memory spaces. Or prompting users to allow an application to use potentially harmful APIs. What do you think is the role of an operating system?

        • ankit219 2 years ago

          I combined both OS and manufacturers since in this case they are from the same company.

        • ben_w 2 years ago

          Given one of the things you can get on an app store is a replacement keyboard, "security" is, in addition to all the things you listed, "make sure there are no installable key-loggers".

          And for web browsers, which are basically an inner-OS, making sure that plug-ins can't read arbitrary content from the pages you visit.

          And given that "phone" is an app, that it can't wiretap all your calls.

          Also, one of the fights between Apple and Facebook was basically stuff which, by my reading, was stuff Facebook wanted to do which was illegal under GDPR: https://www.cnbc.com/2022/02/02/facebook-says-apple-ios-priv...

          There's also stuff which is bad for the device, but I'm not sure if it really ought to be Apple's responsibility to prevent, like crypto miner libraries running on-device as an income stream for the developer.

          • jocaal 2 years ago

            > Given one of the things you can get on an app store is a replacement keyboard, "security" is, in addition to all the things you listed, "make sure there are no installable key-loggers".

            "This keyboard app requires access to network resources, do you want to allow this?" Or better yet, let the operating system block apps from using both network resources and keyboard APIs.

            > And for web browsers, which are basically an inner-OS, making sure that plug-ins can't read arbitrary content from the pages you visit.

            My web browser allows me to choose when I want an extension to have access to a web page.

            > "And given that "phone" is an app, that it can't wiretap all your calls."

            I'm gonna guess it does this with a man-in-the-middle attack. "The operating system has detected that this phone app always calls the same number. We have disabled it for security reasons." Also if you buy a phone, it might be reasonable to let there only be one phone app.

            I'm kind of tired of people claiming the hand-holding argument, that Apple helps people who do not understand technology. My sister uses Apple devices exclusively, but at her work, her employer regularly does tests for phishing and she always fails. It is time people get educated about how to use their computing devices. These devices have been around long enough that people who fall for obvious scams should be considered incompetent.

            • ben_w 2 years ago

              > "This keyboard app requires access to network resources, do you want to allow this?" Or better yet, let the operating system block apps from using both network resources and keyboard APIs.

              So, either a "we want this for analytics" message on the popup for fakers, or no analytics for legit developers.

              Now sure, I personally don't think app development benefits all that much from analytics and would be happy if analytics were outlawed in entirety by the EU, but 95% of websites have been howling about how important they are since they were forced to request consent for that with the GDPR.

              > My web browser allows me to choose when I want an extension to have access to a web page.

              So does mine. Why do you think this is a counter-argument? It's a well-known security issue, it's still on the HN front page: https://news.ycombinator.com/item?id=39620060

              And every time I set up a new computer, I have to check very carefully to make sure I'm installing a well-recognised ad blocker rather than one of the huge number of look-alike scams — I have to be right every time, the scammers only have to fool me once.

              > I'm gonna guess it does this with a man-in-the-middle attack. "The operating system has detected that this phone app always calls the same number.

              Why? I was thinking "record message, upload to website". Same deal as with keyboard, except the permission popup can also say "VoIP".

              > I'm kind of tired of people claiming the hand-holding argument, that Apple helps people who do not understand technology. My sister uses Apple devices exclusively, but at her work, her employer regularly does tests for phishing and she always fails. It is time people get educated about how to use their computing devices. These devices have been around long enough that people who fall for obvious scams should be considered incompetent.

              Congratulations, that's at least 94.6% of the population you've just described there: https://www.weforum.org/agenda/2017/02/a-quarter-of-adults-c...

              To put it another way, your standards are too high. I don't know much chemistry, so I need the chemicals in my daily life to be regulated; I don't know much law, so I need governments to deem that certain contractual clauses are invalid on my behalf; I don't know much biology, so I need the government to prevent snake oil salesmen selling snake oil for all potential ills.

              Should private companies be the regulator? Sometimes the law requires it, sometimes the law forbids it. I'm comfortable (if not happy) letting the governments decide what Apple must and must not do, for the exact same reason that I have been comfortable (if not happy) letting Apple decide what developers can do.

              I do know computers, and I like messing around with them much as StyroPyro likes messing with terrifyingly high powered lasers[0], much as The Thought Emporium likes messing with terrifying man-made horrors beyond comprehension[1], much as Colin Furze liked making a hoverbike with "no steering, it has no brakes, it's got two accelerators and not even a seat"[2]… asking everyone to take on that responsibility just because I'd like more freedom, isn't as good as you think it is.

              [0] https://www.youtube.com/watch?v=xNmbvaUzC8Q

              [1] https://www.youtube.com/watch?v=Z_ZGq8Tah0k

              [2] https://www.youtube.com/watch?v=soxxPyaAT1k

              • smoldesu 2 years ago

                > asking everyone to take on that responsibility just because I'd like more freedom, isn't as good as you think it is.

                That's news to me. I haven't yet told my mom how to enable developer settings on her Android device, but apparently she's at risk because an optional setting exists on her phone.

                While we're at it, let's remove all the potential scam-vectors on iOS. Like you said, it's just not good to ask people to accept the responsibility for more freedom. First we have to remove the App Store, to prevent stuff like fake LastPass apps from being accidentally installed on your phone. Next we have to remove SMS and calling capabilities - both are hot-spots for social engineering attacks, and cannot be trusted without direct supervision. Gotta axe Safari too, can't have people randomly sharing information over the internet without exposing them to risk. Apple Music too, can you imagine how dangerous it is letting your child use a platform filled with expletives and free speech?

                Soon enough we'll have it, the perfect phone. Its feature set? Oh, I thought we were designing jewelry.

          • dns_snek 2 years ago

            > Given one of the things you can get on an app store is a replacement keyboard, "security" is, in addition to all the things you listed, "make sure there are no installable key-loggers".

            And what makes you think Apple can stop these apps on their own app store before they cause harm?

            I sense this pervasive belief on HN that Apple's reviews are infallible, or that they magically catch malware, when in reality it's just some low ranking person installing the app and navigating through it to spot obvious flaws, usability issues, rule breaches, and ensure that the developer doesn't try to direct users to their website to purchase a subscription for cheaper, the usual anti-competitive stuff.

            Unless you can point out a step in the review process where a security expert sits down and reverse engineers the app, and every subsequent update, to verify that it doesn't steal user data?

            It's only when someone raises the suspicion that things get looked into, reported and taken off the store. At least web extensions have the benefit of being written in JavaScript which is easier to inspect. At no point does Apple ask you to hand over source code.

            • ben_w 2 years ago

              > I sense this pervasive belief on HN that Apple's reviews are infallible

              Our language makes booleans easier to communicate than nuances.

              For example, I absolutely do not consider their reviews infallible, I just didn't think it would come across that way when I wrote the comment you're responding to.

          • rekoil 2 years ago

            None of the things you mention is the responsibility of Apple to decide. They are all choices I get to make as the device owner. Apple can decide what ships on the device, and what is for sale in their very reputable store, but not outside of it.

      • prmoustache 2 years ago

        The thing you are missing is that once third party stores are allowed, the responsibility and security burden is also shared with those third party stores who have to comply the same way with EU rules or risk being fined and lose reputation the same way.

        It is not Apple's job to protect its customers from third party stores' malware. They just have to build a secure OS with a safe Apple store while allowing third parties to provide stores.

        • shagie 2 years ago

          > It is not Apple's job to protect its customers from third party stores' malware. They just have to build a secure OS with a safe Apple store while allowing third parties to provide stores.

          Yes... it is.

          https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A... (section 64 paragraph 3)

          > In all cases, the gatekeeper and the requesting provider should ensure that interoperability does not undermine a high level of security and data protection in line with their obligations laid down in this Regulation and applicable Union law, in particular Regulation (EU) 2016/679 and Directive 2002/58/EC. The obligation related to interoperability should be without prejudice to the information and choices to be made available to end users of the number-independent interpersonal communication services of the gatekeeper and the requesting provider under this Regulation and other Union law, in particular Regulation (EU) 2016/679.

          "the gatekeeper and the requesting provider"

          Apple is still on the hook in combination with the requesting provider that doesn't intentionally deploy malware.

          Apple is likely claiming that Epic has in the past demonstrated clear and willful circumvention of their own security and rules. Apple would be putting itself at risk by allowing Epic to deploy applications given Epic's past history of intentionally trying to harm Apple's reputation and would compromise Apple's high level of security in data protection that it is required to follow under Union law. Apple would likely state that Epic has shown that it would intentionally break the law to harm Apple - and that's a believable concern.

        • ankit219 2 years ago

          EU mandates that gatekeepers work towards privacy and safety of the customers as a requirement in the DMA/DSA.

          From this link[1]:

          > Obligations for very large platforms that reach more than 10% of the EU’s population to prevent abuse of their systems by taking risk-based action and through independent audits of their risk management systems.

          They have a mandate to prevent abuse of their platforms from other apps or third party app store. This is in conjunction with opening up the same ecosystem for everyone else.

          [1]: https://commission.europa.eu/strategy-and-policy/priorities-...

      • jonathanstrange 2 years ago

        I doubt that Apple would accept to be responsible and liable for the security of software from other companies. Epic would ensure the security of their software in the same or similar ways as Apple does it for their software. The operating system provides the security framework, the makers of applications are responsible for the security of their software within that framework.

      • rekoil 2 years ago

        You don't, it's up to the device owner.

  • cultureswitch 2 years ago

    The problem with that argument is that Apple is demonstrably incapable of securing their devices, or unwilling to, despite the walled garden. Pegasus and a dozen other spyware exploit iOS vulnerabilities which have remained open for at least a couple of _years_ and Apple seemingly doesn't care.

    The only way to secure a device is to actually give control of the device to the user. But that would imply no more Apple tax, so Apple would rather die on that hill than follow the DMA. Add to that their psychopathic need for control.
