Let’s say you’re using a Google API like Maps, and you violate terms by snapshotting sections of their maps and storing them on your servers so you can serve static maps without making API calls. They’d shut down your API access immediately.
Google and Facebook both knew the terms. They both knew that the Enterprise Distribution Program was for internal use only. They still put ads out in the wild to recruit regular consumers to use internal apps which is beyond the scope of the program. Why would the certificates not be revoked?
I don’t understand people who are acting offended that Apple is enforcing the clear terms of service it laid out.
It is an interesting salvo in what I've started thinking of as the "data war." All three companies have a huge asset in data collection capability, and preventing the others from exploiting it is only the first skirmish among them.
It will be interesting to see if Google offers to pay additional monies to Apple in order to "restore" this pipeline, and whether or not Apple will agree. In one sense, Apple already gives up a data feed by sending search queries to Google.
The web makes things interesting in that OP's hypothetical company only has that data because Facebook willingly gives it to everyone who asks. It would be obviously wrong if they were using some exploit to trick Facebook's servers into divulging secrets.
Yeah nah, that's where the concept of agreements comes in. You walk up to Fes Boock and say:
― I want to have business with Fes Boock.
― Fes Boock will have business with you if you promise to not stab Fes Boock in the back.
― I give my word to not stab Fes Boock in the back.
Turns out, this thing is so valuable, it's supported by law everywhere that I know of, in multiple forms, including rather implicit ones such as “ToS.” Which is what allows Fes to sue the stabbing bastard.
To my knowledge making an HTTP GET request and then receiving a document does not involve agreeing to any TOS, implicitly or otherwise. If the server didn’t want to send the data over an authenticated channel, then why does it send the data?
My mailbox opens and closes for my mailman to collect outgoing mail and deposit incoming mail. But anyone can open it. That doesn't mean I want them to, or that they are allowed to. But if my mailbox doesn't want to allow access to private information, then why does it open for unauthorized individuals? Because physically securing it would be a pain in the ass, most people are honest, and if I can keep my mail safe through force of law and social contract, that's easier for everyone, including legitimate users of my mailbox (myself and my mailman).
Your argument holds for mailboxes because it is not a common use case of mailboxes that their owners want complete strangers to check as often as possible because they've left something they want taken.
A better real world analogy is a bulletin board on campus or a wooden power pole.
Let's suppose that it is super common that people staple flyers to power poles, with the expectation that people will read them as they pass by. Your analogy would claim that if I staple a letter to the power pole, expecting that only my friend that I told about the letter should read it, that passers-by are doing something unseemly by reading it, while being surrounded by want ads and for sale flyers that people do want read.
Websites are nothing like mailboxes. The vast majority of websites would prefer that as many people as possible read their contents as much as possible. Email would be a better analogy.
A request is communication with certain semantic content, which pulling on a mailbox handle lacks. There is no general understanding among people nor specific agreement between you and some other party that pulling on your mailbox handle is how to ask you for access to your correspondence.
This is not the case for HTTP. A network protocol is an agreement about the meaning of certain clusters of bytes sent over a network. When someone operates an HTTP server, a reasonable person could conclude that they take HTTP messages to mean what HTTP says they mean. A lot of cases get more interesting because there is also something generally understood to mean, "Please don't access the following resources by automated scraping, independently of whether my server decides to grant those requests."
I'm pretty sure that a server, being a stupid piece of inanimate junk, is unable to enter any agreements or disagreements. In contrast, people, being endowed with free will supported by the ability to reason, need to apply said will and reason when directing actions of pieces of junk, so as to follow the same procedures of inter-party conduct as in direct interaction.
Since a web server, by its primary mode of operation, does indeed more or less indiscriminately send replies to whomever makes a request, it follows that the duty of choice lies with the client. The person operating the client has to apply their reason and follow the inter-party conduct.
> Since a web server, by its primary mode of operation, does indeed more or less indiscriminately send replies to whomever makes a request, it follows that the duty of choice lies with the client.
Sorry, why isn't it the duty of choice of the server owner, who chooses to put the server online in the first place? What exactly are these rules you think exist? This is the first time I've ever heard of them.
> Since a web server, by its primary mode of operation, does indeed more or less indiscriminately send replies to whomever makes a request,
This is completely false. The server owner can authenticate GET requests and return an unauthorized response if the client is not permitted to access the document. We are not talking about a situation where a hacker attempts to brute force a password or gain unauthorized access to a server. If the server is on the internet serving anonymous GET requests with no authentication the reasonable assumption is that anyone is permitted to access the data.
Well, if you think that it would be more reasonable and expedient to require users to read a contract beforehand and then authenticate themselves to the service before accessing any content―please, knock yourself out on your site.
It appears that the rest of the web gets by pretty well using the legal framework I've described. Because, you know, they tend to choose things to be pragmatical instead of those that “can be done.”
Sure, but web scraping is a thing, and one that shouldn't be illegal. Therefore if data is public, it should be assumed to be... well, publicly accessible.
Apple actively avoids knowing anything - the primary difficulty in collecting nothing, and having no access to it, is users expect not to lose data. Even in that case where they’ve lost all of their devices (which could obviously be just a single one). Making that possible was the topic of Ivan Krstic’s talk at Black Hat a few years ago.
>> In one sense, Apple already gives up a data feed by sending search queries to Google.
Apple does this under protest. Their top search queries are served through Siri lately, and the hope is Siri will replace all search so they won't need to utilize Google anymore.
There was a time when the Siri folks approached Blekko (which was an actual search engine with its own index, crawler, and ranking, etc.) to discuss partnering with Apple (personally I think they should have bought us :-)). But, according to people who should know, there was a cultural mental block at Apple about providing web services at the time. The biggest thing like that they had done was Apple Maps and it was a 'mixed' success. Apple didn't see itself as being a search company.
I used to point out that Microsoft had a phone (Nokia), an operating system (Windows Phone), and a search engine. Google had a phone (Nexus), an operating system (Android), and a search engine. Apple had a phone (iPhone) and an operating system (iOS).
Since that time Microsoft dropped the OS and phone, and Apple never did build a real search engine.
[1] More precisely it is a front end to a simple knowledge base, a local index of things on your device, and when those things are exhausted an internet search engine.
In Safari, when you enter terms into the search bar, the "Google suggestions" is separate from "Siri knowledge" or "Siri suggested website" which they surface at the top. It looks like Apple generates that independent of Google.
I really can't see how Apple can continue to be competitive with Siri without entering the search business (or partnering with another).
I've noticed several times now where Google Assistant has been able to answer questions about things in almost real time all thanks to Google's crawlers.
My friend asked it earlier whether USPS delivers mail during a polar vortex and Google Assistant told them they didn't yesterday, at least in Chicago.
Here's what I wanna know: to what extent does Google actually "have a phone"?
I mean, when I think about Apple, I think of a company that designs the look, the internals, the case, the glass, the board layout, and even some of the chips. (Sure, they contract the manufacture out, but Apple is deeply involved with designing components on a low level -- not merely farming it all out to some device maker in Taiwan or China.)
But for Nexus/Pixel: how much is Google and how much is LG or Samsung or HTC (yes, I know they bought HTC)? I mean, how deep do Google personnel in Mountain View really go? How much do they just hand off to outsiders? Is it comparable to what Apple does? Maybe so. I just can't quite see into it.
It's a fair question. When I was there Google was all over the design of the handsets (the original 'Dream' phone), they did the Nexus One with HTC, after I had left, they bought Motorola Mobility which did the Moto phones and that group mixed in with the Android handsets folks. Then Lenovo bought it from them.
Google's biggest challenge was customer support, they just didn't do the whole "someone to pick up the phone and talk to you" thing.
So I'd say, they have a core capability to do handset design (perhaps some of it residual) and they likely strongly influence the hardware they sell. Is their bench as deep as Apple's? No.
Not under protest, but for profit. The current figures are not public, but Google pays billions annually to Apple to remain the default search engine on iOS.
Do you think aapl needs Google's "billions"? No, they're making way more money selling "privacy" and building a solid search engine to replace Google is high priority for them.
> and building a solid search engine to replace Google is high priority for them.
What are you basing that on, exactly? Apple doesn't exist in a market simply to "be" in that market. That's why they jettisoned things like their Airport routers.
No it's not. If anything it's a proxy for Bing, but that's one of many data sources[0] (another of which being DDG's own crawler[1]). I'm not aware of Google actually being one of those data sources; you might be thinking of StartPage, which is a proxy for Google.
You're not wrong, you're just in the wrong place. Apple is the sysadmin and the phone holders are the users. They WANT apple looking out for them. Anyone who says otherwise stupidly wasted $1000 when they could have bought any number of unlockable devices for that money.
I say this with an unlocked and de-googled Android phone next to me, and several hacked ARM devices at home. I OWN THEM, with no doubt, so I agree with you in a different world.
I mostly agree - except people want Apple products for other reasons too.
There are quite a few Apple users who like the hardware, the operating system, apps which are iOS-only, and the integration with other Apple devices - some of whom also want to run their own choice of software as well.
There's no alternative which has equivalent benefits, if that's what you're looking for.
No one is entitled to Apple’s operating system. If you want freedom, the price is Android or whatever. In fact, the restrictions that Apple imposes on iOS and MacOS are arguably what makes them desirable in terms of consistent user experience, robust default security, and lack of crapware. For some people, that’s a good trade off. For others, the allure of Apple’s walled garden is too tempting.
Is this true of people who voluntarily signed up to be paid for data collection? It's like saying that Nielsen panelists need to be protected from Nielsen by Vizio. (Insert standard caveat about the degree to which kids' autonomy is in the hands of their parents).
An important difference is that Nielsen doesn't have an agreement with Vizio that they broke and the "protection" being Vizio terminating their end of that agreement as a response.
As much as I dislike Apple, its amorality, its attitude towards its users, its effect on the markets it's in, etc, I don't have any disagreements with Apple's actions here: Facebook/Google violated their license, so Apple revoked them.
But the terms of this license are by no means "protecting" users who voluntarily chose to install these apps for payment. A license can have multiple legitimate purposes, including protecting the business interests of the licenser. There's no need to pretend that Apple is protecting users in order to defend their actions here.
Indeed. The violation here really has nothing to do with protecting users, as you say, it's more of a positive side-effect. On the other hand, if it weren't for that aspect, the press-coverage that sparked Apple's revocation would most likely not have happened.
Apple found themselves in a position where doing "the good thing" aligned with business.
If you asked iOS users about all the restrictions Apple places on apps, I bet less than 10% could tell you any of them. I also bet the majority of them would disagree with Apple's policy on forbidding real alternatives to Safari instead of skinned WebViews.
It's the golden cage that allowed them to do of course good things this time. This argument is the old one against a walled garden and it still stands.
The point may be valid, but it's not what this discussion is about. Apple didn't cut off a user for running unauthorized software on their iPhone. They cut off Google for using a paid enterprise service to distribute their software in violation of its TOS.
> paid enterprise service to distribute their software
That's the problem - why should this service exist in the first place? It's extortion to have to pay to distribute apps to people who want them, on devices they own themselves.
Yes, and more to the point, they cut off Facebook and Google for distributing unreviewed apps to the general public. So the violation was using the enterprise key to evade app review by Apple. Which Apple does to protect its customers. And so Apple is just protecting its customers.
I believe Apple will do everything they can to keep them from abusing the ToS, but I also believe Facebook will try to work around any and every restriction applied to them.
Yeah, well, but Apple can always reject apps that violate their ToS, or revoke keys used to work around that. So ultimately Facebook can't win.
Except if they force Apple to nuke all of their apps, which would put Apple in a difficult position. But perhaps Apple could sandbox apps, and prevent them from doing stuff that violates ToS.
No, they still needed to revoke the cert because the app was still hanging out on users' devices. The only way to ensure that those apps are dead, from Apple's perspective, is to revoke the cert.
I 100% agree with you. I should be able to run any code on my device (after I flip a bit and it gets wiped). The first thing I've done with every Nexus or Pixel purchase is to wipe and root it.
But that's not what this is about. Apple has been enforcing these rules for years. F.lux tried to get around the App Store by teaching users how to sideload via Xcode. Apple killed it.
The big players should be subject to the same rules. If they want to run their own code, they can't just flagrantly ignore Apple's TOS.
I'm also onboard with the Nielsen metaphor but not for kids. And both were scummy in targeting kids (though FB was definitely worse judging from marketing materials).
> F.lux tried to get around the App Store by teaching users how to sideload via Xcode. Apple killed it.
Specifically, Apple killed it because f.lux decided to distribute their app in a really sketchy manner where they essentially pushed an opaque binary blob to the phone rather than compiling the app from source and installing the build product from that.
I don't understand: Do you expect to be able to run any programs you want on the micro-controller on your washing machine?
That's what Apple is doing here. Pushing iPhone as a commodity, not a replacement for your MacBook. This way they get the benefits of controlling the experience as much as they want. (I am not saying it is right or wrong, just that many people are fine with commodity phones and don't care for the loss of configurability).
I'm not sure where you're getting the "legal responsibility" part from - I'm not advocating legislation, simply stating my personal preferences as a consumer. I do what I can to try and bring others to my point of view, but I am in no part trying to push this as a legal burden on manufacturers. Please don't bring strawman arguments into this, this topic is complex and nuanced enough as-is.
Regarding security, that very much depends on your threat model and definition of "secure". Indeed, I see this general trend of decreasing user control over increasingly complex and connected hardware as a massive security threat where I am forced to trust multiple 3rd parties who may arbitrarily disrupt my life anytime new "features" or "policies" get pushed out.
It is perfectly possible to securely implement a tamper-evident "I know what I'm doing" switch/fuse that enables advanced control by device owners. However, I'm well aware that I'm in the minority on this topic, so I'm not holding my breath for such features to be implemented.
I don't use a washing machine controller as a general purpose computing device. I don't install apps on a washing machine and would never buy one that had that feature. It's not a reasonable comparison.
That said, I doubt washing machine microcontrollers use signed code. It's easier to modify them than your phone which is completely backwards.
> Do you expect to be able to run any programs you want on the micro-controller on your washing machine?
Yes. It is within my full legal right to install whatever programs I want on my washing machine.
Apple lost a bunch of lawsuits, when it tried to sue people for doing this. The courts proved that yes, you do have a legal right to do whatever you want with hardware that you own.
Sure. And Apple aren’t going to sue you if you manage to. It sounds like you’re confused between “I should be able to” and “Apple should make it easy for me to”.
However you could get a developer license and load anything you want on your phone. Granted it's not for everybody, but if you're so inclined to sideload apps on your phone you can pretend to be a developer (Meaning you just need to know enough to use the tools available, not in a demeaning way).
The thing is: my mother bought an Apple device not to think about data, security, backups and all these "InternetS" things. She doesn't even know what hardware is. If she did, she might have bought an Android phone or something else :)
If the IPA is already built you just need the cross-platform Cydia Impactor. Jailbreak not required, but standard Developer Account for full features applies.
Does sideload still work? I recall they enabled the ability for anybody to load apps via Xcode around iOS 7, but haven't kept up to date with latest versions. Did this stop working on newer iOS versions?
Using Xcode 6? You can go back a little bit because Xcode 7 supported the current version of iOS along with iOS 9 beta, but I don't think this goes all the way to iOS 7.
So jailbreak it. Meanwhile, Apple should be able to ship whatever operating system it thinks its users want, and those users should be able to keep it if they want.
Well in this case, wouldn't most people be using Google owned phones? Or if they bring their own device, have explicitly allowed Google/FB to manage their device through an enterprise system. That enterprise system for some reason shared a cert with an application _not_ used for enterprise, so the cert is banned.
That's a misstatement of the principle here. I bought a thing. It's my thing, not someone else's thing. Things don't have "terms". I signed no contract. Let me use my thing.
I mean, yes, we shouldn't buy iOS devices. But we should accept that things have ad hoc vendor-controlled "rules" just because someone baked them into the things, either.
> what Apple allows you to run on your own device is actually a different story, not related to this news
How so? It's not like Facebook and Google were hacking their way in here. They asked users "please run this software" and users had the option to do so. Seriously how is that any different than "please run my great jailbreak environment" or "here's a new OS for your iPhone"?
It was the behavior and marketing of these spyware things that we shouldn't like, not their mechanism.
> Facebook and Google did sign it and distributed their software based on it.
I think we're talking past each other here. I'm not talking about how Facebook and Google's spy kits were licensed to the end users or about their compliance with Apple's own vendor license.
I was pointing out that the principle here is that I (and Facebook and Google) should have the ability to write and distribute software for you (and me, and Facebook and Google and even Apple) to use on your iPhone. And that the fact we don't have that ability is bad.
And more to the point the fact that Apple's control over their platform was used to benefit the public by disallowing spy kits still does not make that control a good thing.
Free speech doesn’t allow libel and slander. Free assembly doesn’t allow riots. Without a framework for meaningful justice, the high minded principle is just a race to the bottom.
I should be able to have the freedom to choose a platform where I have some protection against the various bad actors out there. Without Apple, the only options we have are non-participation, believing the lies, and arbitration.
> you entered in a contract with the app developer
... wat? No, I didn't. It's easy to imagine I "must have", but in fact there's no signature, no negotiation nor in many cases any consideration.
Ah, but you say: I must have signed a contract to use the app store that I downloaded the app from, and that must constrain me to honor the terms of the app that I downloaded, which is constrained by Apple's contract with the developer.
Except, no, I didn't do that either. The whole thing is a house of cards. There is absolutely no principle behind this regime, it's just something we've all come to accept because it's technically possible and because "usually" the power granted to hardware vendors hasn't been abused.
But it has bad side effects too, and it's really important that we as a community not lose sight of the fact that locked down devices are really, really bad.
>Ah, but you say: I must have signed a contract to use the app store... Except, no, I didn't do that either.
Do you have an Apple ID? You need an Apple ID to download apps from the App Store, and when you create the Apple ID, you accept their ToS. So, yeah, I think you did.
Though that ToS has absolutely nothing to do with anything we're discussing -- the ToS that matters here is the one between Apple and Google/Facebook.
> ...and that must constrain me to honor the terms of the app that I downloaded...
I don't think Apple's ToS with you constrains you to honor the terms of the app you downloaded. That seems strangely indirect. I think the app may or may not have their own ToS that they make you agree to at some point before permitting you to use their services.
Technically correct. But software running on "things" has terms. It's called a license. When you buy a movie, you don't own the film. You own the right to use that film in accordance with the license.
You're conflating things. Your example is about copyright, not licenses. Copyright doesn't constrain use, it constrains distribution (though there's a parallel argument there about DRM and things like DVD region codes, etc...).
The question you're sidestepping is whether a license can say "you can't run your own software on your own thing". Obviously it can be implemented to do so given the way computers work, but it's not at all clear why that should be so.
IBM has had contracts for decades that govern use of your software on the hardware you bought from them. You buy CPU hours or the right to use a certain amount of the computer for a specific timeframe. One place I worked at had a mainframe that they could not use for production workloads unless a disaster declaration was made.
Copyright can constrain use (although the actual extent varies a lot between jurisdictions). Most licenses (which are basically a way to manage copyrights) don't make use of that, but some do (like a license that Apple uses for their SDKs, which disallows running it on non-Apple hardware).
BTW. I ignore that and even many large, respectable companies ignore that, but it's there ;)
Sure they do. You want a gun? That comes with certain restrictions on what you can do with it. You want a car? There are certain restrictions on what you can do with it. Jet? Restrictions. Schedule 1 drugs? Restrictions. Knives? Restrictions. Fireworks? Restrictions. Cameras? Restrictions. Hell, even when it comes to a 2x4, there are rules about what you can and can't do with it -- you can't hit someone with it, or you'll suffer consequences.
According to the story, Apple have stopped Google employees running Google's "Gbus app for transportation". So yes, it's about what Apple allows people to run on their own devices.
They can still run that app by signing it themselves with a developer account, although that's not a very convenient option. And no, this is still about what Google allows its employees to run on their corporate devices (and Apple now taking this right away from them), as users wouldn't be able to sign that app with an enterprise certificate by themselves.
XX% of Google employees don't use Mac as their laptop platform
XX% of Google employees have a locked-down Mac that isn't allowed to run Xcode or locally-compiled binaries because their job role isn't in Engineering
You can only sideload up to a certain number of apps (3 IIRC), only for seven days at a time, and only using certain APIs (cannot for example use notifications), all of which would pose serious limitations.
It's as central an example of mansplaining as I've ever seen; Mansplaining just means "I'm too stupid to understand your point, so I'm going to throw in a non sequitur gendered insult".
At least as I understand it, it more means explaining things to the person you're talking to as if they don't know anything about the conversation topic, even though you have no particular reason to do so.
It doesn't necessarily have to be done by a man or directed at a woman. That's just how it tends to go. And obvs is a bit more fraught when it is going that way.
Leaving aside whether that's something to reasonably get upset about (how are people supposed to know exactly which facts are known to every single reader of their comment?), the way you're describing it seems pretty identical to the now-mostly-anachronistic expression of being "jewed" out of some money. The fact that the target of the slur doesn't have to be Jewish doesn't make it better; in fact, it kind of makes it worse. Hell, at least my example has its roots in a time when casual racism/sexism were accepted _pro forma_, and the term is slowly dying out. It seems to me your example is even less excusable.
Meh, those aren't as well-defined as you think they are. Variously, market-dominant minorities have been labelled as "oppressors" throughout history, and "we can be as immoral as we want as long as the victims deserve it" has been cover for all sorts of horrible shit. You can do whatever you want under the aegis of "fighting the power" if you just define "the power" as the people you wanted to be vicious to anyway. It takes a pretty simple-minded view of the world to think that a one-dimensional oppressors/oppressed view of the world is anywhere close to reality, instead of just being convenient cover that can be targeted at pretty much anyone, so shitty people can be regressive and sexist and racist while sitting on their high horse.
With its focus on privacy, Apple is successfully reducing users wanting freedom. The marketing now seems to indicate that if you want freedom then you lose privacy.
Yes. Because it is technically almost impossible, if not completely impossible, to build a system that gives your code absolute freedom while not giving other code running on the system absolute freedom as well.
There will always be the possibility that some company will ask users to use their absolute freedom ability to give them absolute freedom. Which is basically exactly what happened in this case. The only difference is, in this case, Apple built in a mechanism where they can stop individual actors.
I've worked on enterprise iOS apps that were also shared to some of our customers. I've always felt super paranoid about it and thought Apple would shut us down...
Seeing what's going on with Facebook and Google I guess Apple didn't pay much attention to this.
If you're sharing your apps with customers for very benign purposes, I doubt they'd care. For instance, if you were giving customers access to your business's data or some sort of internal app that provides functionality that you wouldn't want to make public. That seems very reasonable, and might not even be outside the ToS (IANAL, and I haven't read them).
In both Google and Facebook's cases, they were using it to distribute apps to the public at large (i.e., users with whom they have no business relationship) simply because they couldn't get the apps into the app store to begin with because they would otherwise violate Apple's rules. So not only were they flagrantly disregarding the ToS of their enterprise certs, they were doing so in order to violate Apple's rules for app distribution. Less than great.
If anything I think the fact that this has gone under the radar for so long is a pretty good indication that Apple has no data about what apps are being run via this program. Although abuse like this will probably flare up some arguments internally over whether they should more aggressively track activity in iOS.
Mmmm, from everyone I've spoken to there, it's not something they don't pay attention to, there just haven't been extreme violators like what Google and FB have done lately.
> The whole point of enterprise certificates was to allow creation of internal apps that even Apple shouldn't know about.
I think most/all of the companies in the program would say it's about controlling the distribution of their apps, since putting them on the App Store would expose them to the public, and less about hiding from Apple...
I scraped Google API exactly like this in grad school, but sometimes when you're building, you take a calculated risk to build something better.
For my thesis, I was trying to load two Street View photos side by side in a browser to compare people's perceptions side-by-side. Google Maps at the time required you to load a JavaScript viewer for each image you requested. Think Hot-or-Not for cities.
The experience needed to instantly load a new image after the user voted because I knew they were only going to be on the site for maybe 30 seconds before they got bored and went back to reddit. I needed to collect as many votes as possible within that time period.
So I knowingly broke Google's ToS and prefetched the images on my server so I could provide the user experience I wanted.
"I'm a small operation. Surely they won't know." I wrote a server side screen scraper to load the Street View images and exposed the scraped images with an API.
Now my site was faaaast. I could load Street View images instantly and in the end got over a million data points doing this.
But then one day soon after it stopped working. Then I got a cease and desist email from someone at google legal. They didn't respond to any requests for turning it back on or even to discuss. Radio silence. That was terrifying.
Since this was my thesis, I needed help getting my keys turned back on. Google in the end was very accommodating, but only after I used my nuclear option: asking lab director Joi Ito to bug Megan Smith while she was still at Google to help.
I was connected to some engineer and told them what I was doing and why. They said stop. But then a week or so later, they sent me a beta invite to their new Street View images api, where you can feed in a lat, lng, header to a query string and they'll just serve the image now. Pretty cool.
> "I'm a small operation. Surely they won't know." I wrote a server side screen scraper to load the Street View images and exposed the scraped images with an API.
I find the trick, when you're worried about this, is to use the regular API normally, but save the data that comes in from the normal usage of the API. i.e. Use the Google maps viewer and after the image is loaded, grab it however you have to, and post it to another API you've created that allows you to save the image. You're scraping their site, but you're not doing it in an automated way, and it should be undetectable.
After a while, you've got a good library of images from normal use. So you code up a switch that you can toggle that changes it from loading from the Google maps viewer to using your API to get images.
If you want to grow your image library, randomly assign some percentage of people to using the Google viewer (and save what they download), and the rest to your library of images you've accumulated. Or use a cookie or JS localStorage variable to track whether they are a returning person, and the first time always give them the quick library version, and if they return give them the Google maps viewer version (or just switch the percentages from 90/10 to 10/90, etc).
If they're willing to give you the data free within their ToS, there's very little technologically they can do to stop you from easily (or moderately easily, in the harder cases) storing the data. Worst case for someone looking to save it would be if they generate an image for the content and just serve the image, and that's not that hard to work around either, if the data is structured.
Someone handing you data does not remove any copyrights on this data. Which is where you can get in real trouble with your approach. That said, this kind of thing is detectable. If users of an application are far less likely to download common data it quickly looks odd.
And while that’s not conclusive, they can just look at how your application functions to see what’s going on.
> Someone handing you data does not remove any copyrights on this data.
Oh, I'm not making any claim that it's legal. I'm just noting that if you've decided you want to scrape and are disregarding the ToS, there are ways to make it less likely to get you blocked.
> That said, this kind of thing is detectable. If users of an application are far less likely to download common data it quickly looks odd.
In the approach I outlined, you either load the Google JS payload and use it entirely as normal (and just do something extra with the data it provides), or you don't load it at all and run entirely locally. There are things they can do, such as embed analytical code in their payload to test for certain things, but it's just a cat and mouse game at that point.
> And while that’s not conclusive, they can just look at how your application functions to see what’s going on.
Assuming it's a public application (in this case it is), and that they have reason to look at it. If it's just spiky load, where sometimes there is load and other times there isn't or it's less, that's not really indicative of something odd going on, especially if you're relatively small.
To add to your point, even if there were no such "term" governing that particular use of the "service," if I'm the owner of the API and I find out those API keys are being used to spy on my users, don't I treat this as the security breach that it is, and revoke those keys on that basis?
In general I agree with your point but I think these terms help Apple's case because it's easier to argue against definitions of spying, harder against terms of service. Especially when Google so strictly enforces all of their terms. I mean, good luck getting reinstated on just about any of Google's APIs.
I believe this is actually only true under very specific circumstances -- namely, enterprise certificates, which are used to distribute apps directly to employee devices, without going through the app store. If they decide to revoke a regular developer certificate, the apps already distributed through it are not affected in any way.
They can control which apps can and cannot run as long as those apps are intended for internal use by enterprises. That seems reasonable imo, given that these apps are also not subject to any approval process.
No, they can control what applications are allowed on their app store and control how the OS they distribute runs. Aside from those two things they can't really force anything that you haven't already allowed, or continue to operate.
Apple can't physically confiscate the phone or the data that you put onto its hard drive (not talking about iCloud). It's yours. You can put Linux on your iPhone if you want and there is nothing Apple can do about it.
On Android, one can sideload an app. Amazon has its own app store. Chinese Android phones have their own. Android was initially designed with this kind of openness. In fact, Google didn't have an app store initially.
Now, there are pros and cons to these approaches.
FB could be side loading Android apps all day long, doing who knows what, and there is not much Google can do about it.
Now, if they were a bit smarter, they could've used a shell company's throwaway certificates.
I cannot fathom why they would do something this shady using their own corporate certificates.
Yes it is, but if you're worried about that then this is a valuable lesson on why you should steer clear of apple products. Google knew this was the case and took the risk anyway, so they only have themselves to blame.
It's not just apple either. Using facebook, gmail, anything in the cloud and/or anything hosted, basically anything not under your control exposes you to the same risk. Most people don't care until it becomes a problem for them and by then it's too late.
Yes, google has no excuse not to know better. They did know better in fact, it's a selling point of their competing product. Corporations their size will typically run anything remotely important in house on their own machines so that they have control over it for exactly this sort of reason. Failing that they'll put contracts in place that specify notification periods and remediation steps so that the rug can't be pulled out from under them. Google knew this could happen and went ahead anyway, they accepted the risk and now they have to accept the consequences.
And let's not forget that google weren't working with apple, they were working around them.
I think you're mistaking what happened here. Google apparently broke the TOS which led to this issue.
This isn't a single person choosing differently. Employees and consumers buy and use iphones and Google has no choice in avoiding them. Doing so will only hurt their business, and they don't exactly have the leverage to demand whatever APIs and access they want.
This is the key sentiment I feel is missing from much of the discussions (and in some cases, reporting) taking place surrounding these events this week. Thank you for posting it.
It's useful to discuss the philosophical implications of any tech company having too much power. To add the most to that discussion, it's helpful to understand that these actions are not directly affecting customers (aside from those who were using these enterprise apps outside their intended scope).
Random iPhone-using Google employees who use Google's internal cafe app are Apple customers, and they're directly affected.
Clearly that's not a terribly big deal, and you'd imagine that Google has a lower proportion of iPhone users than many companies, but it's not nothing.
They're professionally affected (they can't run internal apps as part of their job) as is good and appropriate (their company violated the rules and got cut).
They are not personally affected as they still have access to public versions of the apps like every other person in America.
I am a bit offended that google has a phone number and means of communications to resolve the issue with a real human at Apple. Nobody has that at google.
Things are obviously getting a bit ridiculous. Part of me thinks that something awful is going to have to happen before society stops these companies from pursuing everything they feel they need to.
Hopefully it won't be too late when that realisation becomes crystal clear to the majority.
This is what I think as well. Every day we hear about these companies doing scummy stuff to get more and more user data.
I am hoping for a massive leak/scandal/Snowden moment when they finally cross the line and something happens that the lobotomized masses actually care about and cannot ignore.
Hopefully we end up with some sane legislation about how much mass surveillance of citizens by private companies is ok.
I agree that Google & FB violated the terms of the agreement they had with Apple.
I think an interesting question is: What is Apple's best move from here?
I would suggest that Apple should leave Google/ FB blocked for ~1-2 weeks, to remind them who's boss on the iOS platform. However, I would argue it'd be smart for them to switch them back on after that- there's a chance that this looks anticompetitive to regulators at some point, which isn't something Apple wants to mess around with.
I imagine they're going to have a pow-wow with Google/FB execs and/or legal where they will all agree that the rules really are the rules and Google/FB will promise not to break them again, and Apple will restore the certs. Probably in less than a week. Apple has made their point, and there are good reasons to maintain a cordial relationship.
That sounds right- they may also ask for other PR concessions, like very publicly admitting they violated the terms of the agreement and re-committing to being good citizens of the iOS developer community.
One sort of "rubbing their nose in it" term could be something like a large donation to some sort of privacy advocacy group or similar.
From a practical standpoint, it’s hard to picture apple permanently preventing google from e.g. dogfooding Google Maps for iOS. I suppose it’s within the realm of possibility, but I don’t see it as likely.
I wouldn’t even look at it from an anticompetitive angle or anything like that. This is a matter of what’s best for apple and its users. They should absolutely do what’s needed to ensure that their terms are obeyed. But permanently banning google is not “what’s needed.” What’s needed is merely to demonstrate that the behavior will not be tolerated going forward. I imagine discussions between corporate lawyers and perhaps a reasonably sized bond would be sufficient to demonstrate google’s sincerity in not repeating the error.
Dogfooding is possible via TestFlight, and Apple moderates it to ensure they aren't breaking the rules before the builds go out, I believe. Enterprise certificates are for pushing applications written for internal use only, like the Facebook lunch app or Google's bus schedule.
Anything that smells anticompetitive is kind of a dangerous dance- by preventing two of their largest competitors from developing on their platform I think they'd be inviting some regulatory scrutiny (even though FB/ Goog DID violate the agreement).
The reality, though, is that this sort of behavior in VERY large, VERY influential companies is going to draw way more scrutiny than a small company getting crushed by one of the big guys.
"Competition" doesn't have to be narrowly defined.
In general, Apple, Google, and Facebook are 3 of the largest technology companies in the world. In general, they have areas where their interests overlap (messaging as one good example of this).
Hindering the ability of Google/ FB to develop on iOS could absolutely be seen as an anticompetitive measure by Apple.
No, Facebook/Google internal apps fall into two categories:
- Utilities that are only useful to employees of those companies (cafeteria menus, shuttle schedules, resources for salespeople on the go, etc.).
- Pre-release/testing (aka dogfood) versions of the apps they distribute to the public, for employees to use and find bugs on before they make it out to normal users.
Neither of those are pools that Apple wants to play in.
...and I guess there's a third category:
- Apps used to gain "competitive intelligence" and spy on users.
By making this problem last long they aren't doing anything useful either.
- Bad case, they never restore certificates to G/FB and they end up losing all their employees to Android, with likely ripple effects in their tech sphere of influence.
- Worst case, G/FB retaliate by removing their apps from iOS and it's all out war with everyone losing.
- Best case, they restore them tomorrow with some fanfare and handshakes, but thousands of smaller companies now have been reminded Apple may actually shut them down if they misbehave.
Apple completely forbidding the availability of certain types of software on their devices from third party developers? Not anticompetitive? Although sure, in this particular case it wasn't because of the type of app, but it still has the same effect because certain apps ARE forbidden from the store, and this does indeed mean that nobody can effectively offer such apps because of Apple's rules
There's no actual legal requirement that your company offers the same service that you use your market control to prevent your competitors from offering.
This is especially relevant in the markets where Apple has a significant market share (USA).
It’s not a legal thing. If you think it is at least try to cite the general area of law.
You can create devices and sell them and not make them compatible with other companies products if you want. It’s true from printer ink to PlayStations.
The only issue would be market share and monopoly problems, which given that Google’s alternative platform has 54% of the market is totally irrelevant here.
I don't think it's about reminding them who's boss. Apple will revoke the certs for as long as is necessary to protect their users, but I don't think they'll stay revoked for punitive purposes. I expect it'll be a period measured in double-digit hours, not weeks.
I don’t object to them doing it, but I do object to the fact that they have the ability to do it.
IMO, it is very, very wrong that Apple is judge, jury, and executioner in this case.
Also, in today’s world, this potentially could be disastrous, not only for the company affected, but also for the world at large, for example if Google depends on internal apps for informing employees about emergencies such as “hacking like activity on our servers” or even “data center on fire”.
Google (or any company) wouldn't have a single point of failure for alerts like that. :P Those alerts would hit email, phone, etc. all at the same time.
> I don’t understand people who are acting offended
Once the reasoning boils down to offense I know I am dealing with either intentional hostility or stupidity. Regardless of which of those is the problem I stop wasting energy thinking about it.
For people confused or further offended by this sentiment I suggest reading Principles by Ray Dalio.
I do remember apple giving uber a second chance though on user privacy [1]. Maybe they've learned maybe they're trying harder, maybe they just see the goodwill benefit from being seen as the good on privacy company. I'm not sure
Let's say you're using a Google API like Maps, and you snapshot sections of their maps and store them on your computer so you can access them anytime without making API calls.
This would sure save a lot of unnecessary network usage and bandwidth charges, not to mention it would be useful when you do not have network connectivity.
What is the reason if any why users should be prohibited from doing this?
The question is why every time the user wants to look at a map she needs to let Google know, using computer network access for which the user must pay.
Paper maps or maps stored on physical media do not have this requirement. The map company may "own the map" but the purchaser can look at the map anytime she wants, without any ongoing expense to keep the map company abreast of her travel plans.
I do not use an "account" or "log in" to view free maps, so I just take screenshots as a quick workaround.
Users wouldn't be prohibited from doing this for much the same reason people aren't prohibited from making personal copies of pages from books they own.
If you take a picture of Google Maps and then host it on your website without approval/paying Google and get caught you'll be hearing from their copyright lawyer.
I could take a picture of a map and share it on my LAN via httpd so all my computers can access it. I am the only user on the LAN.
It is not the "website" aspect that would implicate copyright, it is the redistribution, e.g., via a website on the public internet.
My original question is being misunderstood. It is not about copyright or what rights Google has in maps. It is a question about why Google attempts to force users to contact them every time the user looks at a map.
Good for the goose, good for the gander. AND, there's a huge difference from banning a small time developer that might have tripped the wire accidentally, and banning Google and FB, full of lawyers. Frankly, FB and GOOG cannot do well at all in the privacy-caring ecosystem that Apple claims to want to build. Buh Buh Bye...
Did they get W-2s and 1099s? Did FB do employment authorization verification? Did FB verify that the contracts were in fact signed by authorized guardians? A minor signing a contract has no meaning - so no “employment” contract would be valid.
Facebook was paying 13 year olds to use the app, so that argument isn't really available to them unless they want some pretty significant civil penalties straight from the US Government. (I strongly doubt it'd fly either way, but "we hired underage contractors" really won't.)
Yeah, this is pretty clear cut. Apple has rule. Facebook and Google agree to rule. Facebook and Google violate rule. Apple enforces rule.
This isn't some grey area where the details are difficult to ascertain. Everything is pretty clear; the enterprise app distribution service is most assuredly not for distributing apps that break the App Store rules to customers. This isn't difficult to understand, so I'm struggling to see where people are trying to find some sort of detail to exonerate two well-known, repeated rule breakers, violators of personal privacy, and altogether companies who think their size puts them above reproach.
I mean, when Apple makes a big screw up, everybody leaps on it, even when it's just based on unconfirmed (and sometimes fabricated, like the journalist reporting on conditions in the Foxconn factories) reports; but if it's Facebook or Google, somehow they're underdogs with clean records, deserving of the benefit of the doubt? I don't swallow it.
How about we all just pass judgement equally upon the big companies, Apple included, for their foibles? But let's also take into account when these companies have been caught red-handed before, and if the best punishment we could muster was a slap with a wet bus ticket, let's not umm and ahh about why they think they can get away with their behaviour, and not be at all surprised when finally someone takes a stand on their own territory.
If you're Facebook or Google you're used to being able to dictate terms to others. But there's always a bigger fish and in this case it's Apple.
They're outraged because they have no recourse. What they usually do to users or partners, dictate take-it-or-leave-it terms, is being done to them. They can't even complain to antitrust regulators because Apple is only lord of its own kingdom (which doesn't have market dominance).
If anything Google should be grateful Apple's support isn't as deliberately-shit as their own fake support system, they may yet resolve this instead of being banned for life.
Company-on-company support is an entirely different thing from customer support. These are developers with direct lines to one another. Google isn't filing a support ticket at an Apple Store.
I think our support that we get is probably quite different than the support Apple gives to the developers of Google and Facebook, who make most of the top 10 apps downloaded from the App Store.
There's plenty of recourse - politics-like fights in the court of public opinion. Nice vulnerability you've got there, it'd be a shame if it started to go to the press instead of being disclosed to you first.
Such an action would result in extraordinary liability for a company. Public discovery would likely lead to consumer lawsuits, shareholders suits, replacement of the CEO, and shuffling of the board of directors. Not to mention possible criminal/civil penalties that pierce the corporate veil.
Merely leaking it would be of no consequence. They could even do it directly as a blog post from their security team. Attempting blackmail would be the trouble.
It's not blackmail. All you have to do is to get people to think there's no difference and that everyone is bad (just like "all politicians are bad" and "all cable companies are bad"). Then you don't have to have good service at all.
I worked for a small startup that abused the enterprise program in the same way. Originally it was to get around the tiny (at the time) number of beta testers allowed which then was only 100 unique devices. They did this at my suggestion- we needed a lot of testers but we were capped. Over time the CEO started sending out enterprise builds to all sorts of randoms such as potential investors, journalists, family and friends. I warned the CEO that this technically was not allowed, but I could not find a single instance where anyone had been caught violating the program. CEO brushed me off and continued breaking the rules, even after Test Flight was acquired by Apple and the tester cap increased. The enterprise builds were simply way more convenient.
I have since left the startup, but as far as I’m aware they are still continuing with this practice.
Google immediately admitted that they were aware that what they had done violated those terms.
> A Google spokesperson told The Verge, “The Screenwise Meter iOS app should not have operated under Apple’s developer enterprise program — this was a mistake, and we apologize.”
It's hard to tell exactly how long the iOS app has been available, but I found version 7.x of the Android app all the way back in 2015 on APKmirror (its archive only goes back so far). So presumably the mobile app strategy has been around a long time.
How is that "terribly abusive"? People are getting paid to participate, to me that seems like a higher level of informed consent and more ethical than other forms of user tracking.
I believe the parent was referring to Google having "abused" Apple's Enterprise Cert program - which is the central crux of both this article and the majority of commentary here on HN.
I don't think so, the article linked talks about the other ways the program worked. That specific one refers to the free router they would send users. That has nothing to do with Apple whatsoever.
I feel less vengeful satisfaction from this one, but I respect that they're applying their rules consistently. I just hope it doesn't backfire. On a totally personal level, I'd rather Facebook feel the hurt for its audacity than Apple be forced to backtrack because they made too many enemies.
It's worth bearing in mind that Google pay Apple billions of dollars a year to be the default search engine on iOS. To my eyes, Apple clearly have the upper hand in this relationship.
Doesn't seem that clear to me who has the upper hand. Maybe Apple likes getting those billions? What if Google doesn't mind losing its primo spot on Safari?
Let’s not be naive... Apple is happy getting billions of dollars from Google, who use this data for exactly the same thing as Facebook, and it is much less transparent to the user than the opt-in from the Facebook app. There are no saints here even if Apple has a privacy stance far better for us users than the other two parties.
That seems to be cynicism of the rather unhelpful variant.
If, as you admit yourself, Apple is far better in terms of privacy, would it not be helpful, even if they are not perfect, to praise their (relative) sainthood and bury them with money?
That way, they would be rewarded for their strategy, might double-down on it (maybe even achieving perfection in your very smart and perpetually critical eyes), and inspire others to follow their lead.
It's a mixed bag, but those fees from Google have been the primary source of revenue and supported the Mozilla Foundation for some time. Ultimately I think the Mozilla Foundation is in a better position with those revenues than without.
Today, the majority of Mozilla Corporation revenue is generated from global browser search partnerships, including the deal negotiated with Google in 2017 following Mozilla’s termination of its search agreement with Yahoo/Oath which required ongoing payments to Mozilla that remain the subject of litigation.
Android has 85% of the worldwide smartphone market. Apple doesn't exactly have the upper hand in the relationship, but they have enough leverage to make it sting if they decide not to cooperate and to force a reasonable settlement.
In my mind, a reasonable settlement includes not installing spyware on users' iPhones through the enterprise development program, so it looks like they're doing precisely that.
Something like 90%+ of the profit from smartphones goes to Apple — if that’s not the upper hand then I don’t know what is. Apple makes profit. Google has a legion of devices with incentives to keep insecure so they can monitor and harvest the data to both serve and sell ads.
That's not the upper hand. The upper hand is having the installed base needed to be able to push through product changes that undermine your competitors' strategic position. Things like being able to continuously track the location of each of your ~2B customers so that you know who is hanging out with whom and can build the social graph that another one of your primary competitors spent a decade curating - or, for that matter, that the KGB causes major diplomatic incidents trying to build.
I think that in this particular case, Google overreached, it's an inconvenience to them, and they'll roll it back. In the general case, though, Google's got way more power than Apple (and more than most nation-states) and they just haven't been called on it yet.
It's the upper hand in certain regions. Last I checked Apple has majority market share in Japan, think it was 60% or more. Google definitely stands to lose something and clearly it's worthwhile if they are paying billions per year.
If google was so confident it had the “upper hand” with android and its 2B users why would it pay an estimated 9 billion to Apple [1] to remain the default search engine on iOS? That screams desperation to me.
[1]https://www.google.com/amp/s/9to5mac.com/2018/09/28/google-p...
Publicly, Apple will say that it doesn't care about Android market share for all the usual reasons John Gruber repeats. But privately, if there was one thing that would keep me up at night as an Apple executive, that number would be it.
I don't know, I think China is more on their mind at the moment. It was Steve's crusade to destroy Google; I don't think that really exists in the same capacity anymore. Right now, Apple still make the most money, they're quite happy.
More likely it’s about margins and business model.
Apple’s business model is selling high margin products. More share requires lower costs, which increases operational risk and reduces profitability. That’s why Apple stock is cheap compared to other big tech companies... a problem with execution today has a bigger impact than a company like Google that has a stream of revenue from ads on every platform.
You’re going to see changes in the model as they are hitting a growth ceiling, but they’ll probably take a different services path than Google.
> In fact, one could reasonably say Apple actively tries not to obtain too large of a market percentage to avoid laws affecting monopolies.
I would say rather to avoid laws it's to avoid appearing as a commodity and losing its "fashion" or "hip" status. If everyone has an iPhone suddenly it is less desirable to own an iPhone.
Their entire locked-in software model around OS, dev tooling, browser engine, app store, etc would be subject to legal challenges. True it may not be the primary reason they keep a low market share, but it's definitely a benefit and discourages shooting too high.
Worldwide, sure, but look at developed countries where most of the profit comes from. In the US in 2018 63% were iPhones and 36% were Android[1]. Android usage is even going down in some places, such as Canada where it went from 46% to 39% between 2017 and 2018.
strikethrough rich people and whales, and replace with people who are willing to spend their disposable income on apps and micro-transactions, of which in that segment contain rich people and whales, but also sometimes people in debt up to their eyeballs and low-income individuals as well.
Similar concerns. I think this might, in the long term, be detrimental to Apple if companies begin to revolt against their overarching, seemingly totalitarian power regardless of if the intent is noble.
As mentioned in a separate Verge article-
"One giant platform declared another giant platform’s market research program inappropriate, then disappeared it with a Thanos-style finger snap"
also from same article, attributed to Nilay Patel
"Hi, I’m the nagging voice in the back of your head pointing out that it’s pretty intense that Apple can simply decide to prevent people from running code on their phones."
Yeah, I read that article. It was a pretty bad take. Apple isn't "Thanos-snapping", it's enforcing its own terms of use which are very clearly laid out. Both Facebook and Google knowingly breached those terms, and they got caught. That's all there is to it.
Since terms of use are something Apple makes up, I don't really see the difference.
Google can make the terms of use "None of our services and any kind of services deployed on Google Cloud may ever be displayed on an Apple device" and it will have the same legitimacy.
I don't know why there's so many people who think putting something in a bullet point as a policy/law just makes it somehow different.
Google will have explicitly accepted very specific terms at a corporate, much-reviewed-by-legal level when they got their enterprise certificate. It's not a "visiting this site means you're bound by the TOS" sort of situation.
> Google can make the terms of use "None of our services and any kind of services deployed on Google Cloud may ever be displayed on an Apple device" and it will have the same legitimacy.
Heh. They already have, to Amazon though. See all the petty fights Google and Amazon have engaged in over youtube, chromecast etc. This is a good PR move by Apple though, especially when game studios are clawing out of the 30% cut and people are beginning to ask for the right to repair or the ability to side load apps. Apple saves the day yet again by providing value through the app store.
If you think they're "very clearly laid out", can you quote the relevant sections, and definitions, from the terms that make it so? I've been searching, and asking, and not seen them yet.
The very first paragraph of "Apple Developer Enterprise Program License Agreement":
"Your company, organization or educational institution would like to use the Apple Software (as defined below) to develop one or more Internal Use Applications (as defined below) for Apple-branded products running iOS, watchOS, tvOS, and/or macOS, and to deploy these Applications only for internal use within Your company, organization or educational institution or for limited use as expressly set forth herein."
While I've seen other potentially-applicable sections quoted elsewhere, a traffic-research app used by paid contractors of a company would seem to meet both the "Internal Use Application" definition, and the "Permitted Users" definition.
Further to everyone's points about a form 1099 and how paying consumers doesn't make them a contractor, I also want to add that people as young as 13 were being targeted by these programs. Everyone under 18 is unable to sign a contract and therefore can't be a contractor, anyway.
Do you have a source for these stories you keep reporting happened? Because I haven't seen a single link supporting this narrative.
Additionally, the minimum age for non-agricultural workers is 14 anyway, so even then they're in the wrong and can't legally hire 13-year olds as contractors or employees. There's also several other rules in the FLSA pertaining to workers under 18 including minimum wage. I have a sneaky suspicion $20 per whatever period it is (unless said period is a few hours) is going to be under that wage.
Not to mention there's a whole lot more can of worms being opened specifically around minimum wage and recording hours that I highly doubt either Facebook or Google were actively managing.
They're not even producing goods or services for Google. They're selling access to data. They're selling rights.
I've never seen that relationship result in anyone being called a contractor and I've signed too many film contracts. I don't know where OP is getting this notion.
A contractor can be paid for piecework: compare Mechanical Turk. (And, the actual labor required to install the app, and answer any questionnaires, was probably on the order of "minutes" rather than "hours" – and thus compensated at far above "minimum wage".)
Here you can see a VentureBeat reporter – and one who is actually a member of the California State Bar of Attorneys – raise some of the same questions as I have:
Facebook's statement: "Key facts about this market research program are being ignored. Despite early reports, there was nothing ‘secret’ about this; it was literally called the Facebook Research App. It wasn’t ‘spying’ as all of the people who signed up to participate went through a clear on-boarding process asking for their permission and were paid to participate. Finally, less than 5 percent of the people who chose to participate in this market research program were teens. All of them with signed parental consent forms."
1099s are only required if more than $600 is paid in a year.
You are a "contractor" if you are providing services under a contract. A contract exists whenever there is a definitive agreement to exchange valuable considerations – even in the absence of a written, signed contract.
But the sign-up for these apps might have included an explicit "signing" phase! (It's even possible that FB/Google asked for participants' SSNs, just in case any payments went over $600.)
Apply some common sense here. A contractor charges money for their time. $20/mth is what I’ve read they were paid. That means anything more than 2 hours of work is breaking minimum wage laws.
And it could easily be less than 2 hours of effort per month to install/update the app and answer occasional questionnaires. But even if, outlandishly, a minimum wage violation, if they’re being paid under a contract, they’re ‘contractors’.
(And if they’re under any sort of confidentiality agreement or other conditions on their app usage, they fit under the Apple terms’ concepts of “Permitted Users” and “Internal Use” even better.)
Because that's a contrived interpretation, especially when the data wouldn't even exist unless the monitoring software was there to create it.
The panelists are selling their effort in installing/maintaining the software, and renting out their devices' processor-time/memory/bandwidth to run the monitoring app, and being compensated for any risks/delays such monitoring introduces. In some cases, they're also spending time answering questionnaires! That is, being paid to provide a service – where the delivery of the end-product of that service happens to be data.
But even if they were selling rights to data that they normally generate in private, they're still doing it under the terms of a contract, in return for payment, which makes them a contractor for the duration of the time they're delivering the data.
For comparison, consider a services company which installs phone-trackers & cameras in a retail location, then provides the resulting data about customer paths/visits to the retailer. That company isn't primarily "selling rights to data". They're selling a service, requiring their equipment and time, where that data is created and delivered. And they're doing it under a contract, and they too are a contractor, not a mere "data vendor". And it's the same with natural persons who enter a legal agreement with FB/Google to run FB/Google's software on their own devices, occasionally answer questions & update that software, obey the other terms of the legal agreement, and report back the resulting data to the corporate contractee.
> especially when the data wouldn't even exist unless the monitoring software was there to create it.
The data does exist, in transit. It's google's own code which creates new metadata from it; that's not anything each individual vendor/user is doing other than providing access to the data for google to collect. You're a developer; this should be apparent to you.
I'm not really here to debate the legal merits with someone when neither of us are qualified to do so (you're not a lawyer, I'm not a lawyer, and existing lawyers have already commented on this to no end and disputed endlessly the idea that anyone in this arena would be considered a contractor). I'm just seeing how much you're willing to flesh out your novel legal theory in association with your public name on the internet.
Which lawyers have said they're not contractors? (I haven't noticed anyone responding to my queries who's reported legal expertise – but I have quoted a legally-trained reporter who advances the same interpretation.)
In what way does a person under contract to perform certain duties, on their own devices, being compensated, in accordance with a legally-enforceable contract not fit this dictionary definition of a 'contractor'?
Compensated research panelists meet all these definitions.
Did you know that Nielsen restructured its payments to its similarly monitored panelists, because it knew it'd otherwise have to 1099 them, like any other natural person receiving compensation for services under a contract?
You realize the debate is whether all counterparties to a contract are considered "internal" to Google, right? You're still missing that.
Vendors, Contractors, etc. are all counterparties to Google in their agreements. Vendors are not considered internal to any company unless explicitly stated.
It's so fascinating watching the machinations in your mind trying to justify that all of these folks are somehow internal to Google.
-------
Anyway, it's settled. Google agrees with the notion that the app should not have been operated under Apple's program, which itself is a tacit agreement with the premise that this app is not an internal app by any stretch of the imagination.
> "The Screenwise Meter iOS app should not have operated under Apple's developer enterprise program. This was a mistake, and we apologize."
You claimed: "existing lawyers have already commented on this to no end and disputed endlessly the idea that anyone in this arena would be considered a contractor"
But now there are... none? So you hallucinated their comments?
And you can't identify any way the panelists don't meet the multiple 'contractor' definitions I've provided?
And you've apparently forgotten that the Apple terms explicitly allow the enterprise's contractors, as part of the definition of "Permitted Users".
I've stated elsewhere that the apps may have violated another aspect of the Enterprise Terms, about the use of the "Network Extension Framework". And further that even if the use was OK by the current terms, Apple has the power to change them.
And both Apple and Google would rather this go away, so Google isn't going to go-to-the-legal-mat with their best arguments unless this platform cold war gets a lot hotter. (In particular, some of the best anti-competition arguments that could be made about Apple's behavior are arguments Google wouldn't want made against its own behaviors elsewhere.)
So no, Google's admission of error is strategic kiss-and-make-nice rather than dispositive on the terms, and especially doesn't hinge on your insistence that these contracted workers aren't 'contractors'.
"A Vendor, in contrast, is just a contractor who provides goods and/or services to the recipient so the recipient can accomplish the project’s purposes. Selected terms and conditions might be passed through to the vendor."
It's an inappropriate reference, anyway, since it's specifically talking about the lingo of federal grants, not more general agreements. But if you're imagining lawyers-in-the-conversation who aren't here, and supplying links that explicitly refute your claim of a bright-line vendor/contractor distinction, I think we're done. Good day, sir!
> But now there are... none? So you hallucinated their comments?
I linked one on the open web. I've linked others in my past comments...
> And you've apparently forgotten that the Apple terms explicitly allow the enterprise's contractors, as part of the definition of "Permitted Users".
It actually doesn't. The constraint is employees or persons who are obligated to protect the internal use application from unauthorized use. Screenwise Meter has no NDA or other substantive clause (from what I can google) binding its users to protect it from unauthorized use per the definition of Permitted Users apple put down on paper. Should be noted that this is also one of the general distinctions between most vendors v. most contractors producing work for hire.
---
Google admitted to a mistake you're still saying they didn't make, in contradiction to "go-to-the-legal-mat with their best arguments unless this platform cold war gets a lot hotter." They just went on the record saying what they were doing was wrong. Which gives them a mighty hard time in the public arena trying to repeat it.
> I think we're done. Good day, sir!
So you're right, we're quite done. I still wouldn't have taken the position you took up with your name attached to it on the open internet, but you do you.
You're looking for the "Apple Developer Enterprise Program License Agreement" — I found it in ten seconds. The only production applications allowed on the cert are internal applications ("Internal Use Applications developed for macOS can be distributed under this Agreement using an Apple Certificate or may be separately distributed.") Or applications under development (2.1 Permitted Uses and Restrictions, Program Services). Also outlined are explicit unpermitted uses and a general declaration that anything outside of 2.1 won't fly (2.6 No Other Permitted Uses, specifically "You may not use the Apple Software, Apple Certificates, or any Services provided hereunder for any purpose not expressly permitted by this Agreement,").
Edit: for anyone who wants to spare themselves the chain, OP is missing the distinction between vendors, contractors, and other service providers and is interpreting the presence of any contract as rendering a person as a contractor. In this case, it's likely (IANAL) that each individual user of the service would be described as a vendor selling access to their data. The data itself is not created for Google's (or Facebook's in that previous case) consumption.
The link to the developer agreement is helpful, thanks. (The previous link someone had sent me couldn't be viewed by me, even as a paid-up member of the Developer program.) But none of what you quoted specifically restricts use by a company's contracted research panels.
--
Added in response to edit: The links to Quora/StackExchange, however, miss the point. Anyone who's entered a contract to provide a service in return for compensation is a 'contractor', both in legal terms, and in layman's terms. Facebook's description of their on-boarding, especially, suggests there was sufficient "meeting of the minds", mutual agreement, and exchange-of-valuable-considerations as required for a contract to exist:
"Key facts about this market research program are being ignored. Despite early reports, there was nothing ‘secret’ about this; it was literally called the Facebook Research App. It wasn’t ‘spying’ as all of the people who signed up to participate went through a clear on-boarding process asking for their permission and were paid to participate. Finally, less than 5 percent of the people who chose to participate in this market research program were teens. All of them with signed parental consent forms."
> Google’s private app was designed to monitor how people use their iPhones, similar to Facebook’s research app.
Googling this, I don't see references to 1099, W2, or Corp to Corp contracts which might help anyone say it's "internal." Paying someone for a service does not make them a part of internal operations of a company.
It's this Screenwise Meter app which got the certificate nixed, and with it, any other apps on that cert were shattered. The aforementioned app was a non-internal app used in a production capacity, which falls out of the bounds of test/dev/internal apps enforced by the contract.
Tl;Dr: Google had in service a production application using a developer/internal cert. This caused the cert to fall in scope for revocation.
I know that's the fuzzy reasoning that's being reported. But the actual terms of Apple's agreement seem to allow "Permitted Users" who are "contractors". Contractors aren't just those issued 1099's: it's anyone "under contract".
If the mechanism for bringing participants into "Screenwise Meter" involved a contracted payment, it plausibly matches some of the expressly permitted uses, in the Apple Enterprise terms. (If it included an express written contract that limited the participants' use of the app, it further matches certain explicit requirements of the Apple terms.)
(There's another clause about using a specific "Network Extension Framework" that seems like a bigger problem for Facebook/Google, depending on what they likely did with that API and the info retrieved. But these clauses, about "internal use" and "permitted users", seem fully compatible with an internal-research-program using a panel of compensated research-subjects.)
That's false: minors can enter a contract with parental permission, and some of the coverage has Facebook saying they had parental permission for all underage participants.
But further, even if it was a violation if minors were involved, that'd leave open the question of whether use by contracted adults was compliant under the terms. (And supposedly the Google app wasn't offered to minors.)
And, paid research subjects meet the legal definition of contractor, as outlined here or elsewhere:
In this case, it's likely (IANAL, nor are you) that each individual user of the service would be described as a vendor selling access to their data. The data itself is not created for Google's (or Facebook's in that previous case) consumption. The users of the service were selling rights and were not producing anything for hire.
Except as set forth in Section 2.1, You may not use, distribute or otherwise make Your Internal Use Applications available to Your Customers or to any third parties in any way (excluding Your Internal Use Application that is for use on macOS)
Thanks! But note that section 2.1 expressly allows deployment to "Permitted Users", and "Permitted Users" is defined to include "contractors... who have written and binding agreements with You or Your Permitted Entity to protect Your Internal Use Application from unauthorized use".
Compensated members of these apps' research panels are quite literally "contractors" of FB/Google, and possibly even under written contracts that explicitly limit the apps' use as Apple requires. So what you've quoted doesn't demonstrate a violation.
"Internal Use Applications or Passes shall not be . . . distributed or made available to . . . contractors (except for contractors who are developing the Internal Use Application or Pass for You on a custom basis and therefore need to use or have access to such Internal Use Application or Pass)"
But that "shall not" is prefixed by "Except as expressly set forth herein", and other sections clearly mark many "contractors" as "Permitted Users" who are expressly allowed to use such Apps/Passes.
The only provision I see that's close to what you're talking about is the definitions section, which provides that Permitted Users include "contractors . . . who have written and binding agreements with You . . . to protect Your Internal Use Application from unauthorized use"
It's quite the stretch to say that this language, which by its text limits contractors to authorized uses, somehow expands the scope of authorized use. Even if you could get to that conclusion, it would not be "expressly set forth."
"Internal Use Applications or Passes developed using the Apple Software may only be deployed to and used by Your Employees or Permitted Users for internal use purposes or for limited use by Customers on Deployment Devices on Your (or Your Permitted Entity’s) physical premises or in other locations when the use is under Your (or Your Permitted Entity’s) direct supervision and physical control as set forth in Section 2.1(f)."
Is it being used by "Permitted Users", which is elsewhere defined as including "contractors"? Yes.
Is it for "internal use purposes"? An internal customer research program, which is a cost-center and involves compensated research subjects, where the data is kept internal-confidential – and where perhaps even the research-subjects are under various kinds of NDA – is pretty "internal use" from my perspective. So, yes.
There's the "express authorization" that the following sentence doesn't revoke.
(Even the 2.1(f) allowance for customer use might be satisfied if the app has a central monitoring/disabling switch that counts as "direct supervision and physical control". But that's a little murkier, and the 2.1(f) allowance isn't strictly necessary for this use by compensated research subjects.)
> "Is it being used by 'Permitted Users', which is elsewhere defined as including 'contractors'?"
It is not defined elsewhere as including contractors. It is defined elsewhere as including contractors who use it for authorized purposes. The bootstrapping you're attempting here is circular reasoning.
Here's Apple's Enterprise terms definition of "Permitted Users":
“Permitted Users” means employees and contractors of Your Permitted Entity who have written and binding agreements with You or Your Permitted Entity to protect Your Internal Use Application from unauthorized use in accordance with the terms of this Agreement.
If the research panel subjects were under a written agreement to only use the app in the manner it was intended – such as keeping aspects of its use confidential, or disabling it when other non-compensated others were using their devices – doesn't that match the definition? Or are you claiming some other "circular" bootstrapping of extra fuzzy limitations on what "Permitted Users" are?
Look, you're welcome to continue arguing this, but ultimately this is a Terms of Service, not a contract. Apple can clarify this point at their discretion and even Google has now admitted to being in the wrong.
The Apple Developer Enterprise Program License Agreement, linked from https://developer.apple.com/terms/ (Apple ID login required), makes it VERY clear that the Enterprise Program is intended "for in-house, internal use applications". This point is reiterated multiple times throughout the introduction, and is later made more explicit:
> "Internal Use Application" means a software program (including extensions, media, and Libraries that are enclosed in a single software bundle) that is developed by You on a custom basis for Your own business purposes (e.g., an inventory app specific to Your business) for specific use with an Apple-branded product running iOS, watchOS, tvOS, and/or macOS, as applicable, and solely for internal use by Your Employees or Permitted Users, or as otherwise expressly permitted in Section 2.1(f). Except as otherwise expressly permitted herein, specifically excluded from Internal Use Applications are any programs or applications that may be used, distributed, or otherwise made available to other companies, contractors (except for contractors who are developing the Internal Use Application for You on a custom basis and therefore need to use or have access to such Application), distributors, vendors, resellers, endusers or members of the general public. For the sake of clarity, Internal Use Applications do not include third-party applications even if some customization has been done.
There's other damning bits later in the license agreement, including:
> You must provide clear and complete information to users regarding Your collection, use and disclosure of user or device data, e.g., a description of Your use of user and device data in the Your Internal Use Application.
and
> Notwithstanding anything to the contrary in Section 3.3.9, You and Your Internal Use Application may not use the Network Extension Framework, or any data or information obtained through the Network Extension Framework, for any purpose other than providing networking capabilities in connection with Your Internal Use Application (e.g., not for using an end-user's Internet traffic to serve advertising or to otherwise build user profiles for advertising).
I don't see the definition of "Internal Use Application" as clearly prohibiting app usage by these research panels – paid contractors of FB/Google. And, the disclosures to panel members may have met the "clear and complete information" clause.
But the limits on the "Network Extension Framework" usage might be a violation. I suspect FB/Google were effectively building "user profiles for advertising" with this data... though perhaps they could make a case that these specific networking hooks were walled away to a separate, non-prohibited purpose.
> specifically excluded from Internal Use Applications are any programs or applications that may be used, distributed, or otherwise made available to other companies, contractors (except for contractors who are developing the Internal Use Application for You on a custom basis and therefore need to use or have access to such Application), distributors, vendors, resellers, endusers or members of the general public.
Even if you make the argument that the users of this app are paid contractors of FB/Google, they are not contractors who are "developing the Internal Use Application for You on a custom basis and therefore need to use or have access to such Application", so it still seems pretty clear cut.
The "specifically excluded from..." section you quote is preceded by "Except as otherwise expressly permitted herein".
And, other sections of the terms (just before that) expressly enable "a software program… for Your own business purposes… and solely for internal use by Your Employees or Permitted Users" – where, as noted, "Permitted Users" also was defined to include "contractors".
What makes them a contractor here? You seem pretty fixed on this point.
They're being paid for a product (their data). By what I'm gathering, I could define Netflix as my contractor for delivering my team streamed movies for $n per month... which isn't true unless a more specific relationship e.g. a c2c is put in place.
A person who enters an agreement to provide something of value (here, data) for something else of value (here, a small monthly payment, perhaps as gift cards) has entered a contract, and is a contractor.
(Yes, when Netflix agrees to provide you with something in return for your payment, you've entered a contract with them, and they are your contractor. If somehow you were a US entity with 50+ Netflix subscriptions for different offices, and thus paid them more than $600/year, you technically might be on the hook to file a 1099.)
> (Yes, when Netflix agrees to provide you with something in return for your payment, you've entered a contract with them, and they are your contractor. If somehow you were a US entity with 50+ Netflix subscriptions for different offices, and thus paid them more than $600/year, you technically might be on the hook to file a 1099.)
Source. Now. Because I highly doubt this is accurate. I have never heard of someone having to file a 1099 for purchasing services, of any kind. Hell, half of everyone's time would be spent filing 1099s because as a society we spend far more than 600 dollars with any one company over the course of a year literally all the time.
I forgot that all payments to C-Corps or S-Corps are exempt from 1099 filings, so yes, as long as Netflix remains a C-Corp, there's no need to file. (That's a matter of 1099 tax law, though - it's still a contracted relationship. And so while it is uncommon to think of them as a 'contractor', that's what Netflix is, when delivering a service for payments under the terms of a contract.)
I don't know how many people have to keep explaining this to you. "Contractor" is a term of art that has specific meaning with regard to employment and contract law.
You're using what is known as a "cute trick".
Judges are rarely amused by "cute tricks". Like a Sovereign Citizen believer you can keep claiming to be correct all the way to a loss in court, followed by denied appeal after denied appeal.
Separate from tax and employment regulation, ‘contractor’ is also plain language meaning “someone under contract”. If these people weren’t paid what they were promised, they could sue for breach-of-contract.
There’s no trickery here: that’s the ordinary legal meaning, and it is those who insist on only the far narrower regulatory/tax ‘contractor’ category who are playing semantic tricks.
It doesn't matter how many people "explain" falsehoods, like the idea that minors can't enter contracts (even with parental permission), or that a person being paid by a company under the terms of a contract is not a 'contractor'. They're wrong despite their multitudes.
Compare this account from a reporter at VentureBeat – who also happens to be a member of the California State Bar – who makes similar points as I have, about how compensated panelists are “arguably limited purpose ‘contractors’ providing data solely for the developer’s research purposes”:
Not really disingenuous; from looking at his resume, I hadn't noticed his bar membership had expired. (And, it's interesting that his resume reports him as active through 2017.)
But still, a legal degree, one-time certification, and some legal practice are kind of relevant, compared to anonymous commenters who are just insisting by repetition "but that's not a 'contractor'!"
Is it your reasoned argument that an individual receiving payment for services rendered to a corporation, under the terms of a mutually-agreed contract, is not a "contractor" in the eyes of the law?
> Not really disingenuous; from looking at his resume, I hadn't noticed his bar membership had expired.
Ok, I'll remove you from the disingenuous. He stays though because he should definitely mention it on his CV.
> a legal degree, one-time certification, and some legal practice are kind of relevant
Yep, he's definitely probably got more standing than anonymous commenters. But that's a low bar. He didn't practice contract law (it was transactional IP) and it was 14 years ago - it's an almost certainty he isn't au fait with current contract or employment law.
> Is it your reasoned argument
I don't have one knowing nothing about US contract or employment law. My layperson viewpoint is that it's quite clear they weren't Facebook contractors in the terms of the Apple agreement.
"Quite clear" is not an argument, it's an empty assertion.
IANAL, but I know the rough outlines of US contract and employment law as a frequent party to contracts, occasionally to disputes, and as a US person who has both contracted others and been a contract worker.
If you have a contract (which doesn't even have to be written), you're a contractor. Full stop. And, an agreement to provide payment in return for performing certain actions (like installing an app, leaving it running, answering questionnaires, maintaining confidentiality, etc) is a contract, even if it's a clickthrough agreement. Ergo, compensated research panelists are 'contractors' in the eyes of the law.
Yes, and I explicitly said I didn't have an argument but only my "layperson viewpoint".
> IANAL, but I know the rough outlines of US contract
Great. I don't care. Argue with other people about that. All I wanted to do was correct the perception that the journalist was a member of the bar and had some kind of legal standing.
There's a lot more in the program agreement I didn't include. These are just a few of the highlights I happened to notice.
> ...though perhaps they could make a case that these specific networking hooks were walled away to a separate, non-prohibited purpose.
They could not. The primary purpose of the Facebook and Google research apps was not to provide a VPN service; as such, using VPN services was a violation of the program terms. The use cases mentioned -- "to serve advertising or to otherwise build user profiles for advertising" -- are examples of prohibited use cases, not the full extent of the prohibitions.
The terms are very clear. Apple wants to control distribution of apps, the enterprise program is only supposed to be for employees or for end users using under the direct personal supervision of an employee as part of an in office test. The conditions are clearly defined.
They could, but that would be even dumber than the stupid crap they've already pulled. "Oh, you're a contractor, but we don't have a 1099 on you, oh and you're too young to work in your state"
Ah yes, but at what point does paying someone for work make them an employee?
Given that the users of the app in question were being paid by Google, one could argue they are employed... or at least are contractors.
On the other hand, given the users did not have the rights generally associated with being an employee or a contractor... and they were not even getting minimum wage...
But at that point IANAL and courts would need to decide
Google or FB isn't going to touch that with a 10 foot pole, and no there is no need for courts to decide, they don't want these users considered employees or contractors in any way. Also monetary compensation is very common in some research industries without said people being contractors or employees. Simply put Google and FB F*up big time in violating the TOS.
On the Apple Developer Enterprise Program webpage [1], the first big feature (of four) is "Deploy In-house Apps" -- "within your organization", "to your employees' devices".
I'm not sure how it could be much clearer that this is not intended to be used to distribute apps to customers.
But the people using these research apps are not, in their role as app-users, "customers". They're contractors, being paid for a service rendered. And other provisos of the agreement specifically define "Permitted Users" to include "contractors".
I'm fairly sure that neither Google nor Facebook actually want to consider them contractors, as that would likely mean that Apple ToS isn't the only thing they broke.
Apple should not have the right to enforce those conditions to begin with. Same as they should not be allowed to kick out apps from their whole platform on a whim.
Unacceptable. Such a company should not be allowed to do business in the EU. Much worse than what happened with Microsoft in the 90s.
>> Apple should not have the right to enforce those conditions to begin with
Apple is not a state-owned company. They can do whatever they like, and you can choose to support them by purchasing their stock and/or their products. You can choose not to support them by purchasing neither their stock nor their products.
There are several federal and state laws that define what they "can not do", and this isn't one of them. Why should a business owner(s) "not have the right" to run their business any way they see fit, so long as they do not violate the law?
Your analogy to MS doesn't hold water - MS was told not to do something by a governing authority, and they did it anyway. The governing authority stepped in and enforced their rules - nothing out of the ordinary there.
That's not really true. There are a multitude of anti-monopoly laws and consumer protections that may apply to Apple's actions.
> Why should a business owner(s) "not have the right" to run their business any way they see fit
Because one company having too much market power, and being in an oligopoly type situation is bad.
Because we have consumer protection laws for a reason.
Because when a consumer buys a device, they have the legal right to do whatever the heck they want with it, and Apple tried, and failed, to sue consumers for doing things to devices that the consumer owns.
The courts have sided quite a few times in favor of consumers, regarding how they have the legal right to do what they want with devices that they own.
And if the current laws don't 100% cover this situation that we are in right now, then hopefully the law will be reinterpreted to apply to it.
But even beyond that, it makes perfect sense to criticize, and retaliate against, companies that hurt consumers, and try to take away their rights.
Apple is a chief offender, in just how many bad things that they have done, to try to take away consumers' legal rights to doing what they want with devices that the consumer owns. They tried, and failed, to sue people. This deserves to be criticized, and retaliated against.
Laws can be changed. I argued that they should be changed in order to limit Apple's power. I mentioned Microsoft b/c of their importance then, Android/Apple is the same (but duopoly) now.
We limit what business owners can do for 'greater good' in quite some areas. I think it is necessary here too. Apple: enforce access, Android: limit data snooping.
Why should they not have the right to enforce the terms of their own service? They own it, they operate it. It's theirs to do with as they wish.
Your comment might make sense if Apple were some sort of government entity, but it isn't; it was completely Facebook and Google's decision to abide by Apple's terms and conditions, something that will have been pored over by legal team upon legal team. This is not something Facebook or Google will have entered into lightly, and yet they explicitly chose to break the terms and conditions.
If I run a restaurant and one of the house rules is that you're not allowed to harass my staff and make the dining experience unpleasant for other customers, and you do that, of course I'm well within my rights to throw you out.
The difference is that Apple are controlling what software individuals can run on their own phones that they paid good money for.
The problem isn't that Apple are allowed to throw Google out of the enterprise program; the problem is that Apple users aren't allowed to install Google's apps without Apple's permission.
It's fair enough to say that Google can't complain because they knew the terms of the enterprise agreement. But I'm not sure it's fair to say that Apple phone purchasers are clearly told when they buy a phone that Apple can disable their employer's internal apps.
> The difference is that Apple are controlling what software individuals can run on their own phones that they paid good money for.
Maybe, except that the enterprise app distribution system is a service provided by Apple. It has associated terms and conditions.
I'm not saying you're wrong, but I don't think it's the argument to be making right now; if the topic were jailbreaking, sure. As it is, it's about abusing a service. The enterprise app distribution system is not sideloading in the same sense as it is on Android; it is a service for a specific purpose.
> But I'm not sure it's fair to say that Apple phone purchasers are clearly told when they buy a phone that Apple can disable their employer's internal apps
For the individual employees, no, they probably don't know this. However, they have no real need to know; this is an implementation detail on the employer's end.
The employers 100% know about this, or else they wouldn't agree to the terms and conditions of the enterprise app distribution system. Legal teams will have pored over this. Nobody is ignorant of the implications of their actions; it just happened to be that two high-profile companies made the mistake of thinking they were immune to punishment.
But no, any company involved in the enterprise app distribution system knows 100% what getting that certificate revoked means. Especially a tech company!
> Why should they not have the right to enforce the terms of their own service? They own it, they operate it. It's theirs to do with as they wish.
Because they became too big. It's the right of e.g. the EU to allow them to operate. Or better said, the law could be changed to disallow operation if certain conditions are not met. Apple then has the choice to either adapt or leave the EU market.
You're talking like the EU has one set of rules for companies from its members and another for others, but that isn't the case. The EU treats all monopolies equally; Apple isn't close to a monopoly.
Of the actors involved here, Google is the one that the EU is most concerned about.
Apple is only acting on their own turf, their services. Their reach is not far spread outside of the iOS landscape, heavily dwarfed by Google's Android at something like 85% share.
There are not only monopoly rules. It seems plausible to me that there could be a rule that mobile phone/computer ecosystems above a certain threshold must grant access to the platform (under reasonable conditions).
That would be the EU going beyond their reach, invading into private business practices, something more akin to the Soviet Union than the EU. Apart from that, "size" means nothing and is completely arbitrary; the EU has only ever really chased monopolies and companies that flout EU regulations and taxation. Let's stop injecting our own ideologies into what we'd like some state or other to do; we should never want any kind of government to regulate that heavily.
This is a pretty poor argument. I can think of multiple reasons they should be able to immediately revoke a certificate (or an app):
1. It finds the certificate has been compromised
2. It finds a publisher introduced malware in an update to their app
If some app decides to include a crypto-miner that burns up your battery, you're sure going to want Apple to yank that from all the phones as quick as possible, not sit there and hope your pocket doesn't melt before you can figure out which app to uninstall.
I didn't argue this specific case. I said in general, Apple should not be allowed to have such power. (Laws need to be adapted/modernized to cover the current mobile ecosystems)
It's my device, if I am fully informed and decide to run a crypto-miner application I should be able to do so. If I want to run 'In A Permanent Save State' [1], Apple shouldn't be allowed to censor this (not that I would agree with the subsumptions in that app, but that is not relevant here).
"Apple can simply decide to prevent people from running code on their phones."
No - you are free to run any code on YOUR phones with the enterprise program - you are clearly not free to run any code on OTHERS' phones using this program.
Yep yep yep. I can see how, as a developer, it would be galling to face artificial barriers to what you can do on a device that you own. But I don't develop for phones, and as a "dumb" user in this case, I'm really happy that someone is trying to keep it secure for me...
On the other hand: screw them both. They knew the terms, they have the same ones in their own ToS/Rules/etc.
I'd rather Facebook feel the hurt for its audacity than Apple be forced to backtrack because they made too many enemies.
In what way does Apple have anything to fear from FB or Google, or even depend on either of them at all? Where is the "force" going to come from, their users threatening to switch to Android? I don't think these incidents would be enough to lend that eventuality any weight.
Apple does not have any obligation to enforce rules consistently from the standpoint of those it enforces against. Apple should enforce when and where it will sell the most hardware. Apple is a phone manufacturer, not a government. They can and should selectively enforce to promote their brand values—some of which are security and privacy.
For me, this is just another reason to be unhappy with the Apple distribution model. I work with IOT devices and we have enough trouble getting Apple to approve our app store releases. We need Enterprise Certs from time to time as a release valve for the inconsistent review policies that stop us from getting into the app store in a predictable manner.
Can someone explain how Facebook or Google hiring testers willing to expose 100% of their personal usage via an opt-in, paid program impacts consumers? Why should we 'applaud' Apple for this? Isn't it perfectly reasonable for companies like Google and Facebook to run deep user testing?
Apple have different distribution methods for different use cases. Enterprise distribution is meant for internal company apps. Testflight is meant for test customers. Use any of these in a way that Apple doesn't approve of and you'll deal with the consequences.
Because Apple has frivolous restrictions on what users can do on their phones, and the violators knew this ahead of time. Rules are rules.
Apple is likely shooting themselves in the foot here. These companies' IT departments will no longer be able to support iOS devices for accessing intranet resources, which means no engineers will be using iOS devices as daily drivers, which means their iOS apps will fall further behind their Android apps in quality.
If you agree that privacy has a certain value (and Google and Facebook obviously do which is why they paid for invading it) then it’s just a matter of degree from this to selling your kidney.
The argument is somewhat moot, anyway. Apple has simply decided that privacy is a tenet of their value proposition, that value is reflected in their contracts granting in-house certificates, and these companies broke the terms of these contracts.
> Apple has simply decided that privacy is a tenet of their value proposition,
Yeah, that's just marketing. If they really cared, they wouldn't accept a 9 billion dollar payout per year to make Google the default search engine for iOS.
These aren't testers. They are end users. Plus as mentioned above the terms of the contract forbid giving enterprise certified apps to contractors anyway.
I don't want to pass judgment on whether Google (or in the previous case, Facebook) was in the wrong, but it doesn't sit well with me that Apple wields so much power on what software their phones can run after it sells them. You may very well think that they're using their power sparingly and benevolently, but who is to say that will be the case next time around?
I used to feel that way, and I used Android for years for that reason. But since switching to an iPhone, I've found that what I really want from my phone is not a totally open platform, but a tool that's simple, secure, and effective. Something I don't have to mess with, something I can trust to do its job and respect my privacy and be pleasant to interact with. They tried going that direction a bit with macOS when they launched its App Store, and there's a reason that pretty much failed. Workstations need to be totally user-controlled, but phones don't.
I'm not sure I quite understand your complaint about the Mac's App Store. I want to have free rein on my workstation, but part of that is I want to be able to limit the amount of access that programs have. The big difference with the App Store, from my perspective, is that I know that the applications are sandboxed, signed, and someone out there can revoke the code signing certificate.
This is basically what I want, most of the time, and it's hard to achieve it outside the App Store.
Fun fact: not all apps on the App Store are sandboxed. Some older apps, that were released before sandboxing was a requirement, were "grandfathered" in.
Things that run on your mac are not required to go through the App Store. I think what the OP means is that the adoption rate has been lower than what they wanted/expected.
It briefly looked like they would move towards requiring software to come from the App Store. They did add the warning you see the first time you open any application that you downloaded from the internet, which is still there. That alone isn't problematic, but if they'd truly locked down macOS they would have alienated all of the programmers who use Macs. Thankfully, they seem to have dropped that idea.
Honestly that's my feeling as well, but even for workstations, it has begun to dawn on me that spending time configuring the minutiae of various settings and flags and plists etc just isn't worth my time. I just want a workstation that's simple, secure, and effective in getting things done.
That pretty much sums up my journey. I used to run Windows 2000 at home and decided to switch to Linux (Slackware) when it was rumoured that XP would have "phone home telemetry". Then after a few years of spending way too many hours on various different distros, decided I wanted a *nix machine that just worked and switched to Apple.
Those are fine defaults, but why is it bad to allow people to explicitly opt out of this and do what they want? Other people being allowed to hack on their machine doesn't stop yours from being locked down.
To a point. I use a Mac for work because it has many of the desirable qualities of Linux, without the hassle. But at the same time I know that if I ever need to just get in there and change something, which does happen occasionally, I can still do that.
Android isn't a "totally open platform". By default you can only install apps from the Play Store and Google exercises a fair amount of editorial control over apps.
On the latest Android it's a huge pain to install F-Droid. The only way I could find was installing the system F-Droid package through the recovery thing because Android doesn't just allow you to install 3rd party apps; you have to get an existing app to request permission to install 3rd party apps and none of the default ones do, so unless you already have F-Droid you can't install it. Really unethical.
On my Pixel 3: Settings / Apps & Notifications / Advanced / Special app access. From there you can whitelist, e.g., Chrome to allow the installation of 3rd party apps.
IIRC Chrome even asks you if you want to enable that setting once you download an APK file.
I didn't have Chrome on my phone and the default Android browser doesn't request permissions. I used to install it from the downloads app thing but that doesn't seem to work anymore because of these new changes.
You can run stock Android without any Play Store and no/minimal/neutered Google services by installing custom ROMs. Apple doesn't allow this with its hardware. More importantly, you can bypass any centralized app store and install your own APKs, such as from repositories like F-Droid. iOS doesn't allow you any such freedom.
There was a point around the iPhone 5/Galaxy S4 era I really wondered what the hell Apple was doing releasing only a 4" phone, with an OS roughly equivalent to Android's, with less flexibility in what you could do with the device, at marked up prices. Nowadays I appreciate the things like the relative privacy, far superior OS support, and the more locked down security. I still buy Android but that's largely for value reasons. If cost was no object I would buy iPhone.
>Workstations need to be totally user-controlled,
I believe chromeOS is a good example of a stripped down less tunable OS that works great and is perfect for inexpensive Atom based machines that still have good build quality, battery life, and displays while being simple to use.
I believe trying to push the "store" model to desktops smacks of a solution that generates a lot of $$$ for M$ and Apple in search of a problem.
> I used to feel that way, and I used Android for years for that reason. But since switching to an iPhone, I've found that what I really want from my phone is not a totally open platform, but a tool that's simple, secure, and effective
The problem with that is that the nature of the issue is that it doesn't matter to you ... until it does. Like freedom of speech - you will never notice that your government is censoring you until you have a controversial viewpoint. And then it will matter. But all the people without those viewpoints will still wander around saying they can't see what all the fuss is about freedom of speech. This is intrinsically a problem you have to care about in advance of when you need it.
> Workstations need to be totally user-controlled, but phones don't
And why this extreme generalization, exactly? Don't you suppose you could have privacy, security, and perhaps even simplicity and ease-of-use with a totally free and open phone that grants control to the user? You really don't explain how "a totally open platform" is mutually exclusive, nor how your own personal needs require the inverse of freedom. Further, the distinction between computer and mobile device is irrelevant given so many people depend on the latter as their main computing device. They should be offered the same degree of control as someone with a computer has.
Ultimately, you cannot have privacy and security in a closed-source restricted platform, even if it's backed by good intentions. You're at the mercy of a few companies and as soon as they abandon the device, or make a mistake, you're exposed. And as a consumer, you're forced to buy into their ecosystem instead of having the choice to provide your own solutions. This is already true for the hardware, such as the black-box baseband required to connect to cellular networks.
The two forces are, generally, at odds. Apple screens apps for me to see if they're malicious or snoop my data. They ensure the things on the App Store are of a certain quality and safety. If they discover one that got through, I'm glad they can remove it from my device without waiting on my action. I've effectively outsourced my configuration and security to a company that has strong financial incentives to do a good job at those tasks - certainly a better job than I would do if I had to keep tabs on it all myself. They also do far less "abandoning of devices" than most of their competitors, for what it's worth.
While this kind of support doesn't technically preclude open-source code, it's hard to find both in one. Red Hat is one rare exception to this - providing a comprehensive, supported solution that also happens to be open-source. But the economics tend to push it to be one or the other. In this case, I'm perfectly fine making that trade.
At the same time, maintaining that level of control seems to be a central feature of iOS's security and privacy model. It's not just about ensuring that only trusted software can be installed in the first place, it's also about having some sort of mechanism for fixing the problem when software that had previously been approved proves to be malware, or when a publisher who had previously been approved turns out to be a bad player.
For an example of what's possible in environment where you aren't limited to running trusted software, earlier this week I had a conversation with an acquaintance who had recently paid hundreds of dollars to a ransomware scammer. To me, the value of being able to prevent those kinds of abuse is pretty straightforward.
What Apple's doing with Facebook and Google is grayer, but I can see where they're coming from. They have strict privacy rules that they expect to be followed on all apps released to the public, and Facebook and Google were using the enterprise program to circumvent those rules. In light of that, you could argue that they had to follow through on their terms of service in order to demonstrate good faith to their customers who rely on them to enforce those privacy rules.
> it doesn't sit well with me that Apple wields so much power on what software their phones can run after it sells them
At the end of the day, you can compile and run anything on your machine. This is just regulating distribution. Given the specific breaches at hand by Facebook and Google, a balance seems to have been found (acceptable to most users) between freedom and security.
I don't see how you can make this claim when installing whatever you want on your Android phone is as easy as tapping the setting for installing from unknown sources.
Google does a decent job w/ non-standard app stores. They have permissions that allow other apps to act as a trusted app store without opening the system up entirely.
I agree that Google Play Services is not competition friendly, but that is a different topic.
It's pretty true. Unless you manage to jailbreak your phone the only way to get it to run code (except for JavaScript) is by having, at some point up the chain, a certificate that's signed by Apple.
It's free to get one though, but it only lasts for a week or so. You can pay to become a developer and I think you get one that lasts a year instead.
The parent is correct if you're not using the Developer Certificate, but relying on the Free Provisioning Profile - as the name implies, it is free, but it only lasts for 7 days instead of the 1 year you get with a paid developer account / Developer Certificate.
The advantage of the Free Profile is that (afaik) it can't be revoked or censored. Disadvantage is 7 day lifespan.
If you also happen to have a Mac to run Xcode, sure. I don’t believe there’s a way to compile and load iOS apps from any other platform? (And you certainly can’t do it from the device itself.)
You can technically compile iOS apps on any platform, but you won't be able to link against the iOS SDK without Xcode. So in practice it's a bit annoying. Loading iOS apps is pretty simple on any platform with Cydia Impactor.
Please correct me if I’m wrong but didn’t this change retroactively prevent installed apps signed with the enterprise license from running on iOS devices?
If the article is correct, you are correct. The article seems quite clear this was about already installed apps that stopped working because Apple revoked their certificate.
Not using any installation mechanism provided by Apple. If you want to crack open the phone and begin trying to pin out the storage controller: then maybe.
The installer is a piece of software made by Apple, to install things that meet certain criteria (i.e. signed packages). It's not that you can't technically "install" other things, but there doesn't exist a mechanism to do so.
>I don't want to pass judgment on whether Google (or in the previous case, Facebook) was in the wrong
I'll do it for you: both Facebook and Google were crystal clear violations. Like, not anywhere close to the intended use case for Enterprise distribution
There is nothing new about this model, of selling a device with optional software bought later from the vendor. It’s how games consoles have worked, from the Atari 2600 to the Nintendo Switch, even cars work this way with optional after market ‘performance packs’ that are just software tweaks. VTech used to sell toys like mini laptops for children, with little software ‘disks’ you could buy with educational games on them.
True, but to be fair, phones are a way bigger market and 1 of the practically only 2 operating systems is doing it which is why it is such a huge complaint.
I don't complain about my Xbox because I can buy a computer that can run most the same games where I can do anything I want (not to say I don't want to be able to do anything but phones are a much bigger market with only 1 real competitor which does allow you to side load apps)
There have been many, many other competitors, some of which had huge market share to start with. The market decided this, not Apple. There has been plenty to choose from over the years. Consumers chose the options that won, because those are the ones they want.
I don’t want to put words in your mouth, but to paraphrase, in saying there is ‘only one’ choice in the market that is truly open you seem to be arguing that any second option ought to be too. That competition on openness is more important than there even being a closed option at all. Surely that would give consumers less choice though, not more?
But as I have pointed out, there have been plenty of other options and every now and then a ‘truly’ open phone comes out again.
You buy an iPhone knowing full well that Apple has this control, and for many people is the reason they buy their iPhone.
So far they have used the power sparingly, at the end of the day it could have been a cute cat app and did nothing wrong but it still broke Apple's terms that these companies agreed to and Apple acted accordingly.
I would bet good money that the large majority of iPhone users don't know that Apple has this much control (i.e., that they can decide whether you're allowed to install custom apps provided by your employer).
Yes. And for tech savvy people, such as Facebook developers, the fact that you need to install a special certificate before you can use internal company apps should give you a clue about what’s going on.
Operationally, every major tech company has some sort of mechanism for removing software it doesn't like from end-users' devices. Apple, Google (with Google Play Protect), and Microsoft (with Windows Update).
If you don't, we end up going back to the Blaster worm days of 2003, where software gets installed and regular people don't know how to get rid of it.
In the case of Facebook, there's no judgement or moral side to take. They broke the rules Apple set when allowing Facebook to be in the App Store and use internal enterprise certificates. Objectively, Apple's behavior was fair.
I'm wondering if either Apple is in the wrong, or FB needs a better legal team. By FB legal team I mean those people that should point out when things are not legal.
The legal team at FB, at least back when I was there, was meant to prevent us from doing illegal things. So, this means that either Apple is wrong, or FB is wrong - as in their legal team is wrong, so they need a better one
Honestly, as bad as the situation is (having to choose between several profit-focused tech giants) I'm glad that at least one of the players is not dependent on data collection as their way of survival. If I have to side with one of them it's going to be apple.
Everyone on HN seems to be opposed to government mandated backdoors, but want Apple to install one anyway for the sake of some hand-wavey notion that Apple has undue “power”.
This control is a feature and one of the reasons I use iOS. I value a system I can trust to be free of malware. I know that when I recommend iPhone to friends and family, I will never have to field a support call involving a mountain of malware that was installed because they were tricked into clicking “ok”.
I trust my iPhone way more than my desktop, laptop, or any SaaS. Same with my iPad. I can’t wait for the end of the era of bad-guys-win-by-default.
It will cost $500 to ditch Apple and replace them; there’s a 10% chance I will have to switch before I’d make my next purchase anyway; and Apple has to date saved me over $50 in frustration via their control of the ecosystem.
So I’m willing to ride it out and see what happens.
There is really nothing to ride out. I think it's rather refreshing that Apple followed the rules they set forth even when it was large companies breaking them. I would have more issue if Apple shut down the lone developer, and then did nothing when FB/Google did the exact same thing.
With the above said, we can certainly discuss if Apple should use/have this ability at all. But, IMO it is a different discussion.
> I think it's rather refreshing that Apple followed the rules they set forth even when it was large companies breaking them.
This kind of behavior from executives[0] is precisely why I invested in Apple products in the first place — why I took the risk at all.
I meant that I don’t see this as any reason to get out, from a pure “well, what if they abuse their power?” perspective: the risk is low, given the way they’ve acted until now, and the total possible cost is reasonably bounded — I’ve already had enough upside to eclipse the risk weighted cost, this was a good investment.
So why would I even worry about it until something bad did happen? The homo economicus answer is to let your bet ride, until the point you were going to re-evaluate anyway, when buying a new phone.
[0] There is approximately 0% chance Google and Facebook were kicked out of dev programs without running it by senior executives.
With Apple's devices, and to a lesser extent Google's, there isn't a software distribution channel apart from the one sanctioned from up high.
That being said, the official channels are sanctioned and sponsored by Apple (or Google) and so it is their reputation on the line when it comes to malicious or questionable Apps.
So I can completely understand Apple (or Google) removing certs or banning companies for violating the terms of their platform.
And I think this exertion of power might be a bad thing as it demonstrates that users do not really own their devices and are only allowed to do with them what Apple (or Google) permits.
My device is little more to me than something to run a web browser. I despise native apps. Facebook and Google's apps can - and should IMO - be run from a browser without crossing over into my personal contacts and photos.
Apple has zero authority over who I contact or what content I access over the web.
With any luck, this drives development back towards the web. I haven't had Facebook on my phone in years because their mobile layout is unbearable and their apps are invasive.
> there isn't a software distribution channel apart from the one sanctioned from up high.
I'm disagreeing with the premise that you have to develop for their platforms and distribute for it. That's not a fact. That's an opinion. While there may be some apps that _couldn't_ operate on the web, 99% of apps don't fall into this.
Facebook. Instagram. WhatsApp. Gmail. Google maps. Pinterest. These can all be done in a mobile friendly way in browser. They're intentionally not done because of "performance" and the fact that apps want deeper access to the device.
I don't want any of those apps getting access to my GPS. Or my files. Or my contacts. I'd rather take additional steps to upload a picture, or type in my "from" address rather than auto-GPS.
I was speaking specifically about native applications and not Web Browser based applications. Taking what I said out of context to get on your soap box and expose the dangers of native applications is disingenuous and doesn't add credence to your opinion.
You're setting your argument up for failure before you even present it when its foundation is a clear and intentional misinterpretation of someone else's words.
Again, I disagree. You're beginning with the assumption that native is the only, and best solution. As a user, this is simply not true. You may _prefer_ to develop for native, but that doesn't mean it's the best choice for the user.
Very, very few apps need to be developed natively.
The vast, vast majority would be better if developed for the browser.
This obviously depends on exactly what you're talking about, I concede there are some specific applications that require it. Maybe _your_ specific app requires it, in which case, _you_ have to live with the trade-off of the gatekeepers.
> You're beginning with the assumption that native is the only, and best solution.
I never said anything of the sort, you're again manipulating what was said to give you an opportunity to stand on your soap box. I said Apple and Google control the distribution channel and have an interest in protecting it.
Web Apps are at a distinct disadvantage on both platforms because Apple and Google control the channel to dissuade them from reaching mass adoption.
If anything I said that these actions might actually help Web Apps.
Drains batteries. Consumes storage space. Requests unnecessary access to my personal files and contacts. Difficult to shut down. Push notifications. I want NONE of this.
The last straw for me was when Facebook messenger pocket dialed a "friend" I hadn't talked to in 7 years. Not only was it something I had no use for, it was outright invasive.
This case has gotten a lot of attention only because of who’s involved, but the Apple App Store is a headache for many businesses. Last year I was working with a company that had a white label app design studio as part of its product. Apple said they had to discontinue it, and that they were only allowed to produce one app for all of their customers to share. The company bit the bullet and spent months re-engineering and redesigning their product; its competitors did nothing and just spent months complaining to Apple. Apple eventually caved and reversed the rule; that company had six months of two engineering teams’ time wasted, their competitors wasted no resources on it at all. On top of that, the rule was already being applied completely arbitrarily by industry. Most of the world’s banking apps are white label, but didn’t receive any problems from Apple.
Extremely happy with my decision to get an iPhone. Events like these are what is going to keep me as a customer moving forward, too.
I unplugged[0] from Google last year - went DDG for search, went to iOS, dropped gmail for fastmail, etc. As time goes on I’m continually reaffirmed that I made the right decisions.
[0] I still use some Google services, like YouTube, frequently, some of my mail still goes through Gmail, albeit forwarded to my Fastmail account, and I occasionally use Maps.
Same. I switched recently after an increasing distaste for how Google makes money and have been fairly blown away by how much better privacy is on iOS. Nearly every app that has asked for permissions has explained exactly what they're used for. I don't know if that's required, but it certainly seems prevalent. Then I can do things like only give the app permission to location data when I'm actively using it. These settings aren't buried - they are in your face when the permissions are requested.
Some parts of the walled garden are annoying - having to go to the browser to buy Kindle books for example - but I think the tradeoffs of the Apple ecosystem are more than worth the benefits.
Is getting an iPhone the only reasonable path? I tried this briefly on Android, but various other apps started complaining that Play was not installed.
It's not the only reasonable path, of course. There are heavily de-Googled versions of Android out there as well.
In this case I'm voting with my dollars and paying a premium for a device made by a company that is, at least overtly, pushing for a bare minimum level of support for their customers.
It certainly doesn't hurt that they're nice phones too, though.
There are ways to do it without going to iPhone but they require a decent time commitment and some technical chops. For people who just expect their phone to work, switching to iOS is the simplest answer.
I very much doubt it was a PM in charge of reading the TOS for the enterprise certificate program. When you need to sign a contract on behalf of your (multinational, FAANG) company, you get your legal team to go over it.
The legal team would have reviewed the TOS but they probably weren’t looped in when some PM got the idea to use the certificate for this purpose.
In my own experience people often avoid consulting legal when they think they can get away with it (or don’t realize they need to), although I’m sure it varies a LOT based on company culture.
It's better to ask forgiveness than to ask permission.
And, on top of that, Facebook and Google have retaliatory power, so they know that Apple's response will be measured in a way that it wouldn't be with smaller developers.
Someone decided (probably correctly) that the benefits of the app while it was distributed were greater than the potential penalties that would come way down the line.
It isn't relevant here if Apple is justified or not, if Google is trustworthy or not or if terms of service are enforceable or not.
This is what might be called a classic Stallman effect, where it has been pointed out since the mid-90s that if you don't have a few basic freedoms [0] then at some point an external party will shut you down for reasons you don't like. Google is in a lousy strategic position on this one because they gave up software freedom because Apple didn't seem like a threat at the time. They are lucky their internal apps were not being particularly targeted, I suppose.
This is why a good military plans on capabilities, not intents.
One thing is to break the rules Apple put down to keep iOS users safe and secure which is what Apple is targeting here, but another thing is just being stupid and unethical.
Regardless of their (FB+G) cries of "they consented to it", who really thinks a 13 year old understands the technical implications of installing a root certificate on their iPhone?
No root cert was involved. Apps built with an enterprise distribution profile, once correctly signed, can be installed on any device. The limit is that it must be an employee’s device. This last rule, broken by GOOG and FB, is exclusively enforced through legal actions.
More than that, I think this will result in Apple being a bit less laissez faire about what companies do with their certificates. I think they may even look to change the system, maybe make it so that enterprise certificates have to register the devices they are installed on.
I expect in future you'll need to push these apps to the official app store, but have the ability to restrict who downloads them (to registered devices, or accounts - like with the Play Store beta program).
If you really want to get scared about content theft, you should read the terms of service for Grammarly. Their plug-in scans every data input window and by using the service you agree to the following:
"By uploading or entering any User Content, you give Grammarly (and those it works with) a nonexclusive, worldwide, royalty-free and fully-paid, transferable and sublicensable, perpetual, and irrevocable license to copy, store and use your User Content (and, if you are an Authorized User, your Enterprise Subscriber’s User Content) in connection with the provision of the Software and the Services and to improve the algorithms underlying the Software and the Services."
If you were to write a book online using Grammarly they would have the full rights to what you wrote, and they could sell it themselves and not pay you a cent.
If you work for a company that uses Grammarly any IP typed into a window monitored by Grammarly also becomes their property.
Two years ago I looked into an enterprise license because I had so many employees using it. After reading the terms of service and speaking with their General Counsel, where he essentially gave the "my way or the highway" speech, "we own it all, and we can do what we want with it", I scrubbed the software and plugins from all our company computers.
There are over 100,000 Google and Facebook employees, just a small percentage of them with good old-fashioned loyalty to their companies could explain the amount offended here.
As a googler, I’m not offended. “Abide by the terms of your agreements,” or, as Stranger Things would put it, “friends don’t lie.” That being said, I am in popcorn mode to see what act of contrition Apple will demand.
I would also loooove to know how this clusterfuck came about. But I guess we will never know that. I doubt this crosses Sundar’s desk, but I would be curious to know where the buck did stop. Was counsel involved or did a couple of teams just adopt a better to seek forgiveness stance?
I haven't seen any people offended by it. I know some people are disappointed because of internal apps that are no longer accessible, e.g. dogfood builds, transportation app, apps to contact security, identification app, etc.
I'm shocked and surprised that Apple went this route. At least they’re enforcing the rules consistently. My company uses enterprise certs for internal beta/QA builds and I’d hate to see Apple change this program to make things harder for those who have been following the rules.
Still, no story or commenter is quoting the exact terms that Facebook/Google are alleged to have violated. (There's an attempt here – https://news.ycombinator.com/item?id=19044643 – but without necessary definitions of key terms which would make all the difference.)
Of course, Apple has immense discretion here. Even if FB/Google lawyers can make a good case that their usage was technically compliant, Apple can still just unilaterally change the terms in short order. Public & regulatory sentiment would support them.
But I'd really like to know if Facebook's and Google's actions were plausibly compliant, under the actual language of the Enterprise agreement, at the time Facebook and Google (and likely others) pursued this strategy.
They weren’t. See the terms at https://apple.stackexchange.com/a/193060 “solely for internal use by Your Employees or Permitted Users, or as otherwise expressly permitted in Section 2.1(f).”
2.1(f) Allow Your Customers to use Your Internal Use Applications on Deployment Devices, but only
(i) on Your physical premises and/or on Your Permitted Entity’s physical premises, or (ii) in other
locations, provided all such use is under the direct supervision and physical control of Your
Employees or Permitted Users (e.g., a sales presentation to a Customer); and
Thank you for a link to a readable version of the agreement!
It looks to me like "Permitted Users" includes "contractors" like those in a compensated research panel, and thus the Facebook/Google uses are plausibly enabled under the program.
That depends on whether they entered into a contract, doesn't it?
And technically, entering a contract doesn't even require a signature – just a "meeting of the minds" to exchange considerations of value, like "my data" or "cash value gift cards". (And, these programs may have included actual signed agreements – I haven't seen strong reporting either way on that.)
I am responsible for maintaining an app for a client who has an Apple Enterprise certificate. I am a contractor so I realize that I am allowed to use the client's certificate to install the app on one or more of my devices while developing and testing. Should I need more testers, I am authorized to get other users to test the app, subject to them signing NDAs and having them under my direct supervision.
That is the extent of my allowed use of that certificate. Anyone with any sort of ethics at Facebook/Google should have realized the same. Passing out gift cards and calling users "contractors" is against the spirit and letter of the contract.
My personal belief is FB/Google would much rather take the loss of their enterprise cert rather than consider the end user contractors. For example child labor laws might come back to bite them in the ass. Also non-vetting of contractors. Some portion of these 'contractors' are going to be rather terrible people and now they have a business association with them, possibly within violation of state laws.
Yeah, agree here that I am baffled Apple just cut the cord here after reading this...this will create a backlash that's gonna hurt Apple...just thinking antitrust
Google apologized for violating the terms earlier today - given how careful they are to isolate contractors from employees with vacation pay it seems unlikely the devs thought there was nothing wrong with random people using tools made in that program, everything else they make within that program is for their workforce.
Apple is likely going to be sued by FB and Google and eventually they will lose the control over their platform. Yes the terms are in the TOS. Those terms should be illegal. Same as say non-competes are illegal in some places. No company should have that kind of power.
And, before you say it's the same as some company turning off your net based account, no it is not. For example if you upload porn to flickr and they delete your account in that case you're using flickr's servers. In this case Google is using phones owned by Googlers and other customers to run software by Google. Apple is not involved at all here unlike the example flickr case above. Apple should not be allowed to reach into another company and kill it.
AFAICT Google and FB did nothing wrong here. Those apps were test apps. How else are you supposed to beta test something? Tons of software does this. You build an app, you offer beta program. You hand out codes for the beta users. Beta testing with direct employees is not useful because employees are not representative of actual users.
What I want to know is why these companies are using the same cert to sign apps with widely differing uses and security profiles. It seems to me that they should have a number of enterprise signing certs for each use case such as internal beta, external beta, internal utility, external utility, whatever.
If the companies are signing all of their apps under the same cert then it's kind of on them for being stupid to sign critical internal apps with the same cert they use to sign these privacy violating apps; but if Apple is globally disabling all enterprise distribution certificates under the guise that the companies violated their developer agreements and NOT disabling their user-facing apps then it still seems to me they are engaging in selective enforcement.
Regardless of how I feel about the ethical questions involved, I don't think this skirmish will end well.
There are terms and conditions that apply to the enterprise cert which are different than those of the standard developer cert. Some of the conditions are relaxed (e.g. wrt the lack of oversight on what you are pushing to your enterprise users) but your enterprise only gets one cert that covers all apps you distribute with these relaxed terms and conditions. If one of your developers pisses in the pool by using the cert to distribute an app outside of the enterprise, particularly an app that violates app store policies and therefore could only be distributed via the enterprise cert, then your cert gets yanked.
This revocation only applies to the apps that are signed with the enterprise cert, so, for example, the Facebook app or Google Maps app in the app store are not affected.
OK I did not understand they only issued one cert.
Still, with a company the size of Google you'd still think they would have multiple certs under different legal entities even if they weren't doing anything wrong.
That was probably on purpose: the scrutiny for a Facebook enterprise account with maybe dozens of internal apps will be much lower than for a weird account which has only one or two apps but a lot of installs.
Easier to hide the rule-breaking app in a swarm of legitimate ones.
> It seems to me that they should have a number of enterprise signing certs for each use case such as internal beta, external beta, internal utility, external utility, whatever.
Apple does not normally give these out (and why would they?)
To my understanding, FB is using the enterprise cert to sign internal apps (which pointed me to my last replies on this thread) and another cert to sign things for general population. I think Google does the same.
> It seems to me that they should have a number of enterprise signing certs for each use case such as internal beta, external beta, internal utility, external utility, whatever.
For actual enterprise users you probably have a distribution profile set up and are pushing them out anyway. For outside users, they would selectively install the cert for the app they use one by one. Anyway it still strikes me as poor operational practices whether or not they were going to do anything nefarious.
So now it comes out that Apple is working to “quickly reinstate Google’s enterprise certificates” but won’t work with Facebook?
By now it should be fairly obvious that Apple hates Facebook for a very good reason- Facebook is Apple’s single biggest threat. I’m completely convinced this has nothing to do with privacy or protecting users, it just makes for a convenient excuse.
If people slowly start replacing iMessage with WhatsApp or messenger, that creates a bridge to leave iOS for Android since Apple’s software is one of the main features of the phone. If you become less reliant on the software the hardware suddenly becomes a commodity.
This whole episode is giving me pause about staying in the iOS ecosystem. Beyond that I think some antitrust litigation is going to hit Apple soon.
I doubt Apple sees Facebook as any kind of threat. There is already a far more plausible messaging bridge from iOS to Android called Hangouts and it hasn't really been effective for that. People aren't staying with iPhone because they're trapped by imessage.
Agree to disagree. Messenger and WhatsApp are more advanced and combine the social dynamic to chats. They’ve also made a lot of headway in competing with FaceTime. Which apps would Apple have a distinct advantage if it loses iMessage and FaceTime?
Edit: to elaborate I don’t mean a direct bridge to android, rather a substitute for iMessage that’s available on iOS and Android which makes switching relatively painless.
In my experience, it is not a tech problem. Equivalents absolutely exist. They may even be superior, although us tech folk tend to focus on features and not usability, and then we are surprised why regular folk don't like what we've built. In any case, when I switch out of the iPhone world, a solid half my contacts are unavailable to chat with except by old-school texts, and no equivalent for FaceTime. Some family members I switched over to Hangouts, but since they only use it for me, they forget about it, or how it works.
Every iPhone can do iMessage and FaceTime out of the box. That is a meaningful advantage for Apple, I think. Making something good enough that your users don't want to go find something 'better' and then making it 100% universal makes a strong ecosystem.
No question that iMessage and FaceTime are advantages for Apple out of the box.
But what happens when Facebook continues to enhance its messaging platform and people slowly find themselves in a hybrid situation where they are communicating with a mixture of WhatsApp, iMessage, and Instagram?
Anecdotally, I probably use iMessage for 80% of my texts with my girlfriend but we still regularly use Instagram and WhatsApp for chatting, depending on the situation. I could foresee us ending up swinging the other way and using Whatsapp for texting and then getting used to it. Sound unlikely?
Suppose we are discussing what we want to order for dinner and WhatsApp has our favorite delivery places and their menus available and we can order and pay through the app. Now instead of texting back and forth and then opening Grubhub to look at a menu and order and pay we can do it all in one place. Pretty soon we are using WhatsApp to communicate and haven’t used iMessage in months. I find myself using WhatsApp so much I replace iMessage in the dock with WhatsApp.
Six months later I’m in the market for a new phone. Since I use third party software for just about everything now, all these devices are on a level playing field and maybe I try a Pixel this time and find I like it just as much as my iPhone. This may sound far-fetched but this is how disruption happens and is pretty much how Facebook destroyed MySpace - users finding themselves using two services for the same purpose and eventually scrapping the one they use the least.
> Maybe they'll yank the Apple Music app from the Android app store or something.
There are contractual obligations for both parties. Taking retaliatory action that is not permitted by the terms of the contract will result in a lawsuit.
"The rules" were not given by God, government or the people. The rules were written by the same company that enforces them and Google, Facebook or anyone else can make the same type of "Rules".
The rules were mutually agreed upon in their enterprise account legal contract someone signed. That legal structure is acknowledged by the government and implicitly the people.
If you've done business with Google or Facebook, they behave _exactly_ the same way.
"What they're saying: Google confirmed it is being impacted: "We're working with Apple to fix a temporary disruption to some of our corporate iOS apps, which we expect will be resolved soon."
In a statement, Apple said "We are working together with Google to help them reinstate their enterprise certificates very quickly."
"Banning spree" is a bit much, isn't it? If two instances of something constitute a spree, I guess I went on a "handwashing spree" on my last trip to the bathroom earlier.
I wouldn't be surprised if Apple gave Google a heads up to let them know they have to be consistent. Especially given that Google basically apologized.
“Google is correct, there does not appear to be any Root Certificate install for their app. Pretty substantial difference. I also notice a phrase completely absent from Facebook’s replies: ‘We apologize’”
> Apple’s move to block Google’s developer certificate comes just a day after Google disabled its Screenwise Meter app following press coverage
So Apple got to know its terms are being violated after the press attention? Did they already know/is there a way they can detect this is happening? If not, then there could certainly be smaller players who have been routinely abusing this contract? I am trying to understand if Apple knew of this beforehand and are trying to avoid a PR disaster, or were caught off guard (which is scarier imo).
Good question. I use an Apple agreement like this to push apps via MDM, and I don't remember seeing anything about Apple monitoring for this. At the same time what would Apple monitor for? How would they know if iPhone serial #75346345346 doesn't belong to an employee and how would they know what BusinessApp401 is, that doesn't get sent to their headquarters.
If these internal apps use a corporate certificate, I would imagine their Apple ID needs to be on a company domain email in order to download/use the app?
On the one hand it sounds like it was legitimate enforcement of their policies. On the other hand, it might be stupid for Apple to do it because it highlights that they are running a walled garden and any Fortune 500 could - rightly or wrongly - find their line of business application shut down arbitrarily by Apple on any given day. Who wants to be in that position?
Ah ok. I don't do iOS development so I don't know how it works.
So if I just write an app for myself I can run it for my own phone indefinitely without going through the app store is that right? Seems like if you could do that, Facebook and Google could just do that for their internal apps?
UPDATE: "Facebook’s internal iOS apps have since resumed functioning, as the social network said this afternoon that Apple had restored its enterprise certificate. Similarly, both Apple and Google’s statements make it clear that the companies are working together to fix Google’s issues."
They revoked Google's certificate after they'd already taken down their app. This was supposed to be punishment for crossing the line; apparently it was just a fluffy PR move.
Revoking the certificate deals with the apps that have already been signed with that certificate. Google taking it down doesn't remove it from the devices where it has already been installed or prevent it being distributed by other means. Revoking the certificate does.
In both cases Apple has reached an agreement to issue new enterprise certs for both companies. They can now use those certs for their approved purposes. If Apple finds that those certs are being used for disallowed activity they can revoke them again.
I think the moment Apple moves beyond stopping the violation to "punishing offenders" is the moment antitrust suits become likely. They need to tread lightly and they know it.
FB, G clearly violated the ToS of the Enterprise Acc (no public distribution of such Apps) and Apple has rightly suspended their enterprise distribution cert.
But Apple has been selective in enforcing this rule. If I recall, for many years Uber's driver App was distributed as an enterprise app. Uber has always claimed that drivers are not employees and so this was in clear violation of the ToS.
Imo, Uber's use case was legit. During early days Uber probably did not wish to have 2 Apps in the App Store to avoid customer confusion. Or maybe they were actively updating the Driver App and did not want to add days of App review holding up every update.
Apple should change their ToS and allow such use cases in some form. At times this would get misused (like FB/G) but opening up the walled garden to enable such "private" apps to be easily distributed can make iOS a more interesting platform. In any case they always have the final kill switch of revoking an Enterprise Cert for malicious use.
Thinking back on history, interesting that Apple's old nemesis MS is not one of the names involved here. Not a 'friend' of any of them, but on my intuitive ethic-ometer Apple (barely) retains the top position.
Apple and Microsoft are practically buddies in this stuff, they both make money primarily by selling products and services to customers, and have relatively less overlap in their target markets than they ever have. Meanwhile FB and Google make money by mining users for data and selling ads. It’s a pretty different business.
I've never published an iOS app before. What exactly does a "developer certificate" do and why does it affect their ability to distribute internal apps in particular?
There are two certificates that are important here, with different requirements and capabilities. First, you have normal developer certificates, which you can use to submit apps to the App Store. On the other hand, you have enterprise certificates, which can be used to distribute apps outside of the App Store (and without Apple's review), and these are supposed to only be used for company use (such as internal beta testing or apps). Google and Facebook used their enterprise certificate to distribute an app to external users, most likely because the app would be rejected from the App Store, so Apple revoked their enterprise certificate.
Regardless of the reason behind the move, the fact that Apple is MAKING the moves against the 2 largest ad companies seems a bit like a war declaration. They could have told Google "Get rid of this app or we kill your cert" but the fact that they did so without any negotiations means it's past a shot across the bow, it's a full attack.
I expect we'll see a LOT of Apple Vs Google/FB in the near future - Google/FB's business model is what is under attack here, and I'd bet it'll be fought in terms of public privacy breaches, bugs, and other embarrassments rather than direct marketing. Welcome to politics, Silicon Valley, it's gonna suck.
I have a hard time seeing the distinction between people paid by Google or Facebook to share their phone usage data vs people paid by DoorDash to deliver food. You're probably right though.
I think contractors working for your company is exactly what the enterprise program is for. Basically the public at large can’t get the app, but your company has a lot more control over its distribution. IIRC they can push updates and of course deactivate it on devices of people who are terminated, that kind of thing.
A friend of mine suggested this might have been something they were saving for a PR boost, for example offsetting the FaceTime passive surveillance bug they had this week.
Rumor has it that Google's subsequent requests for clarification to Apple have gone entirely unanswered, save for automated messages stating that Apple's decision on this matter should be regarded as "final" and "binding", and that no further statement from Apple should be expected.
Um, yea that's exactly what I would expect in this case. If Google wants to know they can have their legal department send a certified letter (or whatever official legal channels they have). I wouldn't talk to Google as an Apple employee without a written statement from the executive level.
While I derive a certain satisfaction from this thought, I am certain that these companies have actual human contacts that they can reach out to in cases like this.
Another horror story of Apple's totalitarian control. Some people say that what Big Apple is doing is necessary for their security and privacy needs. This sort of blind trust, while incurable, waits for a major scandal to kill itself.
Indeed. The authoritarianism in the comments here is rather disturbing. I am baffled at how everyone seems to be so keen on putting Apple's nooses around their own necks.
A real show of power would be Apple disabling all of Facebook and Google's public apps, and then bricking all of Facebook and Google's employees' phones.
What I really like about both the Facebook and Google scenarios here is that Apple's response causes inconvenience for the developers (the party at fault) but not for end users. Facebook's app still works fine, it's just Facebook employees who are affected.
Before Apple's response, it seemed like Facebook might get away with it because their app is so big and important -- blocking the app would hurt a large fraction of Apple's own customers.
But Apple's response is a clever way to show that, hey, they're big and important too! A large fraction of Facebook's employees use iPhones, not just for developing the iPhone app, but for general work purposes, because the iPhone is a great product. (I wonder how many of those employees will now switch to Android, though...)