As far as I can tell this basically means that all apps must be approved by Apple to follow their “platform policies for security and privacy” even if publishing on a third party app store. They will also disable updating apps from third party app stores if you stay outside the EU for too long (even if you are a citizen of an EU country, with an Apple account set to the EU region).
The idea that preventing app updates is in line with their claims of protecting security is utterly absurd. “Never attribute to malice what can be explained with stupidity,” but Apple isn’t stupid.
Well, the EU will probably make them actually comply, as this is obviously not complying.
People, if this is important to you and you’re of voting age in Europe, the elections are in June! Register and vote for a party that wants to shove their middle fingers into big corpos faces.
You think a multi trillion dollar company is just winging it from a legal standpoint? Or do you think they have worked with the EU to develop the policy within a hair of what they are actually required to do?
They were just fined 1.8B because of their anti-steering practices, so clearly they don’t always comply.
That’s equivalent to a parking fine for regular people. I know many people who would risk a parking fine if it means that they save a few minutes of searching for a parking spot.
1.8B was the fine they got for anticompetitive behaviour with regards to Apple Music, which is not an insignificant amount for that business unit.
The fines for DMA-violations go up to 10% of global revenue for first-time violations and 20% of global revenue for repeat violations. I would love to see Apple continue fucking around and letting Apple find out in the form of a fine of that magnitude. It would be so damn sweet.
For the first violation, they chose to go for 0.5% instead of the 10%. I’m not holding my breath.
Sure, but it would be illogical to think that a company with seemingly unlimited resources would get fined, and then introduce new that didn’t exactly comply with what was required… I mean, I would think they are working with the EU to ensure it is within a millimeter of what they are allowed. It seems you just don’t like it.
I think it’s a safe bet they had their legal teams sifting through the whole DMA to find a way to comply while making it as obnoxious as possible to the user, the third party providers, and everyone else pretty much.
Though it’s also pretty evident that this is bad faith compliance and not in the spirit of the DMA, so the EU legislators will hopefully slap them with another fine.
Apple will put up with fines if it judges that if they manage to avoid the fine, the financial benefit will outweigh the fine.
If there’s a 50% chance that I stand to make $100m, and a 50% chance to be fined $20m, it makes sense (if I’m unethical, like corporations are) to take that gamble. Even more so if I think I can use lawyers to shift the chances in my favor.
If you’re to make $100m, and there’s a 99% chance to be fined $100m… it still makes sense to risk it, worst case scenario you end up as you were.
The beauty of the EU’s laws is that the fines are set as a % of “global revenue”, not just of revenue in the EU, nor in terms of profits, so large multinational corporations stand to lose way more than what they are likely to gain by not complying.
The former.
This is what’s somewhat surprising. If they followed most of the rules, and went a bit off on a few, no one would be as upset and it might even work. Now, I have a feeling the EU is going to be VERY clear about the rules and they aren’t going to be in Apple’s favour at all.
What boggles my mind is that the level of sandboxing displayed in Apple’s App Store is not really interpretable to me.
I also see something like “the developers indicated they do not collect sensitive information.” Yeah, but why would they indicate otherwise if they were malicious parties?
Probably, the only way to get some sort of assurance is to choose an open source project, but the App Store doesn’t guarantee that the code on Github matches the app in the Store.
You upload the binary to the App Store, and as a part of the release process they may inspect the binary to figure out what it’s doing.
They of course don’t do that for everything, as it’s a bit complicated to do for everything, but it can be an effective means to, for example, figure out when an app is calling an API in a prohibited manner.
but App Store doesn’t guarantee that the code on Github matches the app in the Store
This is why I like fdroid. They insist on building the app themselves, ensuring that it does indeed match what’s on github. Now you need to trust only fdroid to do the right thing. Then again, if they do something bad, someone will recognize it.
@brie for whoever thought that App Store was just something to keep Apple users safe.
Malicious compliance. I hope the EU stomps on them hard.
if staying outside EU
I’m pretty sure this is explicitly not allowed because most of the EU laws apply to EU citizens and residents. So if an EU citizen stays outside the EU they aren’t allowed to stop following the EU rules.
“Never attribute to malice what can be explained with stupidity,”
With corporations I feel like the opposite should apply.
Hate that phrase. Great way to excuse malice.
A lot of people don’t like to think about just how much malice is involved in everyday life.
Not so much, it’s more about how desperately stupid people (and companies) can be
There is an ‘adequately’ missing. It somewhat counters the excuse of malice.
If you can’t adequately attribute it to stupidity it has to be malice (or at least negligence).
Yeah, that’s the more thorough version. My interpretation of the quote was to first search for stupidity, if only to confirm it is not in fact stupidity (but malice).
For corporations it is, “Never attribute to malice what can be explained by greed.”
For a lot of corporations, malice and greed are pretty much the same thing. When a business decision is justified by “Who cares? Do it anyway.” the distinction is a matter of words, not actions.
The corporation doesn’t love you, nor does it hate you. But you possess economic value, which could be made to belong to the corporation’s shareholders.
Each big company should open its own app store in the EU making the use of iPhone impossible there. People will switch to Android pretty quickly.
If people want Facebook, they need to install the meta store and then install Facebook. A Google product? Install the Google store and then the app. Want Spotify? Install the Spotify store and then Spotify. TikTok? TikTok store and then TikTok…
Apple users will accept anything Apple does to them. In their eyes, Apple can do no wrong. They will defend this with all the mental hoops they have available.
I’d like to see Apple hurt, but somehow, I want to see its users hurt even more. They willingly buy these products and even defend them. Things should just get so bad that even the most devout Apple user questions Apple. No idea how bad it has to get, but I’d be very curious to find out.
You care too much about this. Let people enjoy things.
Sure, enjoy aiding an $EvilCorp 👍 You do you. Have fun, babe.
I run GrapheneOS. I’m also not a dick about it.
The problem is that Apple doesn’t accept the responsibility. It’s the DMA that’s doing this to their customers, not Apple. By vilifying the DMA as harmful to privacy and security, Apple gets to make themselves out to be the good guy. When things get worse, Apple can just blame the DMA again.
The DMA was written in good faith. Apple is acting in bad faith. And yes, their customers are too simple minded to think for themselves, which is exactly why Apple can say stuff like “DMA bad” and have millions of people agree after sabotaging the implementation. It’s not a surprise the EU wants to curtail that (we’ll see if that still stays the case after the elections, when the Apple voters show up at the polls).
It’s these kinds of sweeping generalizations about apple users that lack any nuance at all that spike any meaningful conversation. It just becomes apple-bashing to make everyone not using apple (or who uses it “but it’s different I have good reasons” and separated themselves from “the fanboys”) feel holier than thou. To make them feel better than “those dumb apple fanboys.”
I don’t love Apple. I am not a fanboy. I use it because in my field it is pretty damn standard. I also run Linux on a separate computer.
Nobody talks about Windows users like this because they all used to be or currently are one. They assume there is a good reason someone is still on Windows despite the absurd shitshow that is the W11 transition. But for some reason no one is as charitable to apple users on that front. They just recall images from 2007 of people lined up outside the apple store for a new iphone, make a crack about overpriced hardware, and decide “every one of them is a dumb sheep who will die for Tim Apple.” It gets really old.
Are you having trouble with the “users” part? Would you like an s/user/fanboy/g ?
I’m generally ok with them requiring basic security and privacy protections through the notarization.
yes but I want the option to judge software myself. If I want software that has been looked over by Apple I can go to the Apple Appstore. If I want something that doesn’t fit their requirements I want the option to go somewhere else.
They can ask users if they want that, I’m sure many of their users do. What they shouldn’t do is force people to accept their version of “security and privacy”.
They don’t force anyone; plenty of non-Apple devices out there to choose from.
It gets a bit more complicated than that when it comes to antitrust law.
Apple has less than 30% mobile market share in the EU; antitrust laws usually kick in above 66%, and very rarely above 50%.
There are other laws being worked on to combat shrinkflation, and others to curb all the tricks of removing features after the sale, but they’re not here yet, and it remains to be seen whether they’d apply.
I don’t think that’s how to look at it. There’s clearly something less than optimal about having these huge gatekeepers (as I believe is the term used) and the EU is trying to limit their power.
As long as the signatures exist purely for security reasons and do not require following any other requirements, like payments or ethical guidelines (i.e. “no porn”, “no emulators”), maybe.
However, Apple seems to use notarization to enforce their rules regarding apps sold on third party stores (charging 50 cents per first install). I can’t really recall notarization stopping any malware in the past. Even their own App Store has hosted malware and fake crypto apps for ages without being taken down.
It’s hard to take Apple’s word for any of this because of how they’re behaving. If they had just complied with EU laws instead of trying to find workarounds and loopholes every step along the way, I could probably trust the concept of notarization. In this case, I don’t trust them at all.
I would prefer a system like Android, but with a better implementation. On Android, every app is signed the same way apps are signed, with a certificate that can belong to a certificate chain. Apps can only be updated if they’re signed by the same developer, but that’s about it in terms of validation these days. In theory, Google could make it so that you can trust specific certificates (say, Google Play’s certificate, or F-Droid’s certificate, or the certificate of a specific developer) or show a security prompt in all other cases. Any developer can generate certificates for free, and apps can theoretically be signed by multiple certificates (though I’m not sure about the practical implementation here). If certificate authorities would set up their signature in the form of store->dev account->dev, stores could retract trust in case of malware automatically.
This approach would add the option to notarize with Apple to avoid annoying security warnings, or for someone else to set up an alternative notarization service. Unfortunately, Google abandoned all practical decentralisation of their certificate system and I don’t think Apple’s notarization will ever be independent of Apple’s servers. Apple does have certificates (“profiles”) but they’re a “0 trust or maximum trust” kind of deal that also affects other security systems, like browser traffic.
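The signing model sketched in the two comments above (Android's same-signer update rule, plus the proposed store -> developer chain with trust lists, security prompts and store-side revocation) as an added, runnable Go example. This is not code from the thread or from Android; Ed25519 stands in for the RSA/ECDSA certificates real APK signing uses, the "DevCert" chain, the revocation list and the Allow/Prompt/Deny decisions are the commenter's proposal modelled as a hypothetical device policy, and all package names, keys and payloads are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Keypair is a developer or store signing key. Ed25519 is a stand-in for the
// certificate-based APK signing Android actually uses (assumption for this example).
type Keypair struct {
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
}

func NewKeypair() Keypair {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Keypair{Pub: pub, Priv: priv}
}

// Package is a simplified APK: name, version, payload, the signer's key and a
// signature over name|version|payload, so tampering with any of them fails verification.
type Package struct {
	Name    string
	Version int
	Payload []byte
	Signer  ed25519.PublicKey
	Sig     []byte
}

func packageDigest(name string, version int, payload []byte) []byte {
	return append([]byte(fmt.Sprintf("%s|%d|", name, version)), payload...)
}

func SignPackage(dev Keypair, name string, version int, payload []byte) Package {
	return Package{Name: name, Version: version, Payload: payload, Signer: dev.Pub,
		Sig: ed25519.Sign(dev.Priv, packageDigest(name, version, payload))}
}

// DevCert is the proposed "store -> developer" link: a store key vouches for a
// developer key. Hypothetical; Android has no such chain today.
type DevCert struct {
	Dev      ed25519.PublicKey
	Store    ed25519.PublicKey
	StoreSig []byte
}

func IssueDevCert(store Keypair, dev ed25519.PublicKey) DevCert {
	return DevCert{Dev: dev, Store: store.Pub, StoreSig: ed25519.Sign(store.Priv, dev)}
}

type Decision int

const (
	Deny   Decision = iota // refuse outright
	Prompt                 // install only after a security warning the user accepts
	Allow                  // install silently
)

// Device holds the installed apps, the store keys the user trusts and the
// developer keys a store has retracted (keyed by hex of the public key).
type Device struct {
	installed     map[string]Package
	trustedStores map[string]bool
	revokedDevs   map[string]bool
}

func NewDevice() *Device {
	return &Device{installed: map[string]Package{}, trustedStores: map[string]bool{}, revokedDevs: map[string]bool{}}
}

func keyID(k ed25519.PublicKey) string { return hex.EncodeToString(k) }

func (d *Device) TrustStore(store ed25519.PublicKey) { d.trustedStores[keyID(store)] = true }
func (d *Device) RevokeDev(dev ed25519.PublicKey)     { d.revokedDevs[keyID(dev)] = true }

// Evaluate checks, in order: signature validity, store-side revocation, the
// Android same-signer (and no-downgrade) update rule, then the store chain for fresh installs.
func (d *Device) Evaluate(p Package, cert *DevCert) (Decision, string) {
	if !ed25519.Verify(p.Signer, packageDigest(p.Name, p.Version, p.Payload), p.Sig) {
		return Deny, "signature does not verify"
	}
	if d.revokedDevs[keyID(p.Signer)] {
		return Deny, "developer key revoked by store"
	}
	if old, ok := d.installed[p.Name]; ok {
		if !bytes.Equal(old.Signer, p.Signer) {
			return Deny, "update signed by a different key than the installed app"
		}
		if p.Version <= old.Version {
			return Deny, "downgrade or replay of an installed version"
		}
		return Allow, "same signer as installed app"
	}
	if cert != nil && bytes.Equal(cert.Dev, p.Signer) && d.trustedStores[keyID(cert.Store)] &&
		ed25519.Verify(cert.Store, cert.Dev, cert.StoreSig) {
		return Allow, "developer key certified by a trusted store"
	}
	return Prompt, "unknown signer: show security warning"
}

// Install records the package when Evaluate allows it, or prompts and the user accepted.
func (d *Device) Install(p Package, cert *DevCert, userAccepted bool) Decision {
	dec, _ := d.Evaluate(p, cert)
	if dec == Allow || (dec == Prompt && userAccepted) {
		d.installed[p.Name] = p
	}
	return dec
}

func main() {
	store, dev, dev2 := NewKeypair(), NewKeypair(), NewKeypair()
	device := NewDevice()
	device.TrustStore(store.Pub)
	cert := IssueDevCert(store, dev.Pub)
	device.Install(SignPackage(dev, "app", 1, []byte("v1")), &cert, false)
	fmt.Println(device.Evaluate(SignPackage(dev2, "app", 2, []byte("v2")), nil))
	fmt.Println(device.Evaluate(SignPackage(dev2, "other", 1, []byte("x")), nil))
}
```

The point the model makes concrete: the same-signer rule alone only protects an app that is already installed, while the store chain decides what happens on a fresh install, and revocation by the store is what lets "trust" be withdrawn without touching the developer's key.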
Signing doesn’t provide security or privacy protections. It just means you paid Apple a fee.