
This sort of thing represents one of the true dangers of single-source App Stores on general purpose computers with no side-loading fallback, and is why we should be proactively working to make it illegal. It's not that Apple is malicious per se, or even that they're particularly slow at reviews or whatever (though that has been the case at times too), but the mere fact that they represent a single, easy to pressure choke point. Apple themselves have reacted to this appropriately when it comes to the hardware by removing more and more of their own ability to affect it once it's been sold and giving that power to the owners instead. That's not just a positive for owners' privacy and security (and in turn a selling point), it also reduces Apple's exposure and liability. If they don't hold a given set of data or power in the first place, then nobody can go after them for it.

Unfortunately on the software side they have not sought any of the better tradeoffs available between security and vetting vs owner power and decentralization, and in turn find themselves in the crosshairs for every single app. Not even just from governments though they're most coercive, but from any public cultural/religious interest group at all. Since Apple has to approve everything, Apple is also seen (correctly) as directly responsible for everything on the App Store. The result has been exactly as you'd expect: they're more conservative on average about what sort of content they'll allow, not merely about objective issues like security.

Perhaps negative PR from actions like this might be sufficient eventually to get Apple to change course on their own. They wouldn't actually need to do very much, even selling a one-time permanent single device signing cert might be sufficient [1], and could form the basis of alternate App Stores even. But if Apple (and others) won't move it should be legislated. Improving wearable displays will ultimately mean the merger of "mobile" and "PC", that is the next disruptive evolution in computers. We should not allow that to become the end of bazaars for software too.


1: Right now they have a free one, but it only lets apps run for 7 days, and the developer one is yearly and subscription based.

My takeaway from this is quite different. Or at least tangential.

I expect Apple and any other company to have to comply with local laws in various countries. It's unavoidable. What else could they do? Refuse and lose access to that population?

But right now, as regards device encryption and back doors, there is a sort of mutually assured destruction. A MAD that the US law enforcement (e.g. FBI et al) are constantly trying to undermine. Right now Apple claims the iPhone is designed such that they cannot unencrypt it. The FBI wants to force them to create a method.

Regardless of the technique used, that then will make every similar device worldwide subject to the whims of local law as regards allowing that country access.

What would stop any country from then demanding blanket access to devices? But at the moment this doesn't seem to happen because there's an unspoken detente among adversarial countries to not demand such back-doors.

This situation reminds me of that. Since it is possible for Apple and others to block things on their app stores, countries demand it.

It's a cautionary tale of why it's important for companies to design certain things from the bottom up to prevent bad behavior.

Microsoft's current CEO discusses this in a chapter of his new book "Refresh". Listening to him, I think the big companies are going to fight hard & have popular opinion on their side when it comes to securing data.

I believe Erlang creator Joe Armstrong has proposed some sort of split security. Something along the lines of securing the most important data from everyone & allowing government access to limited data that could help them catch bad guys. He wasn't very convincing in the podcast I listened to but maybe in written form he could provide a better argument.

> Listening to him, I think the big companies are going to fight hard & have popular opinion on their side when it comes to securing data.

I'm glad they are thinking this way. But over the past few years, Silicon Valley companies have also made themselves more hated and less trusted by the general public. This won't bode well for the "final fight" between them and the government, because they may be surprised to find out that people won't show up to support them anymore.

So tech companies, don't be Uber, is basically what I'm saying. Stop being so non-transparent with your data collection and your aggressive and shameless tracking, while also making it very hard for users to either know what you're doing or to disable your tracking.

If all companies would revert back to a "first, do no evil" mantra by default, I think they would find it much easier to have the support of the general public when it comes to big government fights.

I like that idea, Joe Armstrong's split security idea a lot.

Can you link the podcast? I'd like to hear what he said.

I'm a strong believer in privacy, in not trying to legislate backdoors into encryption, but I'm also a proponent of the idea that everything in society is a balancing act between the individual and society (and we see this play out in every aspect of life, so it's not a radical new idea); the question is finding the right balance.

Interesting, very interesting. Please, if you can, link that podcast.

Sorry for the late reply.. Here's the link - https://soundcloud.com/elixirfountain/episode-058-actors-and...

It was actually Carl Hewitt & not Joe Armstrong. Though the Joe Armstrong episode after this one is also interesting.

> What else could they do? Refuse and lose access to that population?

... yes ? that would require putting human rights above profits, though.

I'm partial to the idea that companies should put human decency above profits, for sure. But let's talk specifics.

Making a principled stand is often important, and can make a big difference in the world. That said, I often see an assumption that China would bend if companies would just stand their ground. History suggests that this is not the case at all. China would be perfectly happy for all non-Chinese companies to withdraw and leave WeChat to stand alone. WeChat which happens to give the Chinese government access to any and every message they want. So other companies might be able to feel better about themselves, or not, but we can assume it will have no bearing on China's actions.

So, how does it benefit humans or the cause of human rights for Apple to completely withdraw from China over this? Chinese users would lose access to secure iMessage and a device with a secure enclave, but would gain... what?

...or even just an assessment that the long-term profits are greater in a world where human rights are absolute.

Why do you assume that this is the case? China itself is a great example that absolute human rights are not really a requirement for a great economy, growth, and profits for those involved.

But then they would have to be able to prove that in a court of law.

What people don't understand here is that the principle of fiduciary duty binds the hands of a lot of these companies. If you don't hold the controlling voting interest in the company... you really have very limited room to maneuver legally speaking.

Now if Apple could count on its shareholders not to sue them...

THEN they could operate in the fashion that you postulate.

Ugh, this is most definitely not true at all. Apple has repeatedly refused to bend to shareholders' demands, and has suggested that shareholders unhappy with Apple's focus on environmental conservation (at the expense of greater short-term profits) should buy a different stock.

Tim Cook has shown that Apple has no problem telling people to ditch their shares when the interests truly don't align. [0]

[0] https://www.theguardian.com/environment/2014/mar/03/tim-cook...

When is the last time that a jury found for a plaintiff who sued a company for being too friendly to human rights?

What does that achieve? Maybe it's ethically better, but what does it actually do that is a net positive to the consumer?

I agree. Yes. Perhaps I should have said I have zero expectation that most corporations would say yes. They will decide they just cannot ignore a chunk of the world population that big.

iOS is probably, on the whole, better for human rights than the alternative (Android, especially from a Chinese-native company). Better to compromise than leave them with nothing.

> What else could they do? Refuse and lose access to that population?

Yes! And go even further: actively assist in aiding dissent and revolution in nations whose disrespect for human rights is so flagrant as to threaten their business model.

I don't understand why the state is held in such regard as to casually gloss over the possibility that private entities, especially those as massive as Apple, might help to smash it.

Apple is an incredibly powerful entity in the world today. There is no reason for them to sit on the sidelines rather than to aid in bringing China down. It's inevitable; the only question is whether it takes 60 years and happens on the backs of the poor and nameless or whether giants like Apple flex their muscle to help.

No offense intended here...

but I think you, at once, overestimate the power of Apple...

and underestimate the power of "nations... [that]... disrespect... human rights". (The US, China etc etc I suppose).

China doesn't need the FBI to get its way in order for China to get its way.

Right. But there is an apparent balance at the moment where because no government has demanded and received back doors, no country mandates it. It's a precarious spot to be sure. But it would be bad for the US to step off the line first.

It's only a matter of time before China feels they can do it. They will, if they haven't yet. Not defending U.S. politicos and bureaucrats who also want it. Just saying that the U.S. asking or not asking for backdoors will soon make no difference.

Perhaps, but at that point the US (or whoever) can counter with their own rules/laws. Might lead to manufacturing balkanization but I'd prefer the US not be the one to step over the line first in the same way I'd prefer the US not be the first to use nukes (although I guess that's a bit hyperbolic).

This has nothing to do with centralisation. Every (even decentralised) shop needs to comply with local laws. You can debate the laws, but not the compliance of shops. It's the same reason you can't just buy weed from 7-Eleven.

If you care to read the article, Microsoft says they are working with the government and the app will soon get reinstated.

>This has nothing to do with centralisation.

This has everything to do with centralization precisely because decentralization makes it easier to break the law. I thought it went without saying when discussing bypassing censorship in China, but to be clear I am actively advocating for the ability for end users to more easily defy the law in the setting of software performing as expected that they choose to utilize on their own devices.

>Every (even decentralised) shop needs to comply with local laws.

1: "need" and 2: LOCAL laws. Which in the case of shops based outside of a jurisdiction means only their own jurisdiction, not anyone else's. Apple is a multinational, so it cannot avoid this. But other shops absolutely could, just as they do in the PC market right now.

And again, this applies to every polity, not just China. I (and probably most Americans on HN) am absolutely a computer law breaker. I have ripped my own DVDs and Blu-rays, which has put me in direct violation of the DMCA. I have utilized open source software like x264 (or, back in the day, gif encoders) without negotiating or paying a license fee, which puts me in violation of software patents.

In the real world, entities like RIAA and the MPAA have had to play whack-a-mole and could do nothing about places based in jurisdictions where evil laws like patenting of ideas/math are not in place, and thus there was freedom to go around them and change the course of public expectations beyond those with central power, which in turn affects the law too (which is an organic entity). If we instead imagine an alternate world where in the 90s Microsoft and Apple and so forth had iOS level hardware full stack control and central stores, would we ever have had anything like DeCSS? Hell, would open source platforms have been possible at all? Law and morality are not the same thing, not even in the most egalitarian and democratic countries. There needs to be some give at the edges for experimentation and evolution over time.

> and is why we should be proactively working to make it illegal.

Absolutely, it should be outlawed now! Do you have an address for the person in the Chinese legislature that I should be writing to, to pass the relevant law?

You didn't understand what he was saying. He's saying that iOS is the problem because it's vulnerable to censorship. This is unlike platforms (Android, Windows, Linux...) that allow side loading, which makes censorship harder.

I'm arguing with the underlying problem. I'm suggesting that passing laws against app stores is not a practical solution.

>Do you have an address for the person in the Chinese legislature that I should be writing to, to pass the relevant law?

In a global market and considering a universal hardware platform, cooperation from any specific polity is entirely unnecessary. It is sufficient merely to convince one single polity that cannot be abandoned. America or the EU would do it. Both are markets that Apple absolutely cannot give up, and of course the former also has direct legal jurisdiction over the majority of Apple.

You also seem to be extremely confused about what I actually suggested should be legislated:

>I'm arguing with the underlying problem. I'm suggesting that passing laws against app stores is not a practical solution.

I never suggested that "App Stores should be banned", that's ridiculous. What I said is that Apple (or any other entity) should be required to offer (for free or at a reasonable fee [1]) owners a cert/key they can use to sign arbitrary software to run on their device indefinitely. That's it, though it might make sense to require that developers be offered that as well. That alone could be sufficient to serve as a foundation for various non-Apple implementations of side loading, up to and including full 3rd party App Stores. The point isn't that Apple wouldn't still have their own App Store, nor even that it wouldn't still be by far the preeminent choice. It's merely that there'd be a core level steam release valve available.

So in that scenario the actions of the Chinese (or any other) government would revert to the same as any standard computer: within their own borders they could pursue all legal and technical avenues their government wished, but people could try to go around it. A bypass of the great firewall (or merely a tourist visit outside of the country) would be sufficient to gain a key which could then be used on an iDevice within China (or anywhere else). Apple would simply not be involved in that, instead it'd be between a government and its people again.

The same would apply even beyond government, for example Apple doesn't allow certain content that is perfectly legal but not family-friendly enough on the App Store anywhere. A legal requirement that owners may sign software to run on their own devices would create an alternative.


1: which can be a thing in law, no "of course you can do it on your $500 device for $1 million" stuff.

The title clearly states that it disappeared from multiple app stores, not just Apple's. At least for Android, China has multiple app stores, not just Google Play.

This impacts Android and Windows too.

Nothing to do with Apple.

You can't sell telephony software in China as a Western company directly anymore. No matter how.

Those platforms can download the software from other sources trivially, so the lack of presence in an app store isn't nearly the problem it is on iOS.

I imagine they're blocked at the GFW level so download away, it still won't work.

While I agree with your point, and distributed App Stores sound like a proper way for users to be independent from various risks, what makes me paranoid is that decentralised stores would be another source of malware, where even Google as a central entity fails miserably.

>But what makes me paranoid is that decentralised stores would be another source of malware

Yes, some additional risk of certain avenues of malware [1] comes with decentralization. However I really want to emphasize that the risk in an optional-non-central-source scenario is not at all the same as what exists on the PC, and in turn any risk must be weighed against the direct harm that centralized censorship is already doing. First, in the scenario I'm describing everything is still signed, potentially even with an Apple-based PKI type cert. Allowing owners to have their individual cert signing for their devices isn't the same thing as giving them root or jailbreaking; while certain restrictions of Apple's are non-technical (like private API usage), a lot of jailing can be enforced by the OS. With trusted authorization and data input paths going through an HSM in iOS, an owner key does not mean any software can run willy-nilly, and the scope for malware is limited outside of security vulnerabilities that may exist anyway [2]. There is still a trust infrastructure available, and in turn the ability for alternate App Stores to have reputations of their own (and for owners to get extra warnings, do revocations, etc). Apple could still themselves issue blacklists against malware (with user control). Etc etc. Ubiquitous hardware backed signing infrastructure required for running software throughout the device offers a lot of anti-malware options regardless of whether Apple alone owns the device keys.

Users would also simply face a much higher barrier of entry to running malware. If it costs money, any money, to get an owner cert and requires any hoops then social engineering becomes significantly harder. Apple does in fact cover most of the needs in their App Store, so going outside of it would still be something unusual. With the right UX and possible dual requirement for developer signing as well, users might simply themselves (or with a technical friend) side load one single app like Skype and otherwise not bother. Apple has a number of levers to better push non-technical users in that direction too.

FWIW you didn't mention it but I will touch on piracy since that's a material concern for Apple and devs too: without getting into the weeds on effectiveness of DRM and specifics of implementation, I don't see why a device that allows running non-App Store software couldn't still effectively deny running something that's available directly in the local regional App Store itself (options for official/unofficial non-App Store offerings would be possible too, that'd be a business decision for Apple).

In short I don't discount that, amongst the entirety of Apple's user base, there might well be some users who'd experience some level of harm from a decentralized option, no matter how it's implemented. But at the same time there are definitely a lot of owners who are experiencing harm from the present situation right now. Theoretical maybe harm shouldn't entirely distract from existing proven harm. I think the tradeoff of Apple giving up some control (and in turn responsibility) there would be worth it for all involved (except oppressive governments).


1: In a discussion of government actors it's worth considering whether in a centralized scenario Apple could ever be pressured/legally ordered to deploy malware directly, but that doesn't diminish the primary threat of malware being from private/foreign sources.

2: If anything I'd expect vulnerabilities appearing in general malware would accelerate their patching vs the present 0-day market where they're sold for a lot of money for use mainly in APTs.

Centralization hasn't stopped the iTunes App Store from infecting a greater percentage of users with malware (Xcodeghost) than any competing mobile platform.

Except basically every Android phone is infected with malware:


How is that malware? Just like when iPhones collected even more sensitive data (https://www.google.com/amp/s/amp.theguardian.com/technology/...), the data wasn't saved by the company logging the data. Xcodeghost is actual malware.

You might not like Apple’s walled garden, but it’s pretty much irrelevant to this story.

In fact Skype has been removed from the Android stores as well so the non-walled gardens aren’t faring better. Also, since this class of apps is about communication, the app stores are just a side-skirmish in the war for control. The real power is in controlling the network, which the Chinese government does (and Apple does not).

That brings us back to the real problem here: the repressive control of speech and communication by the Chinese government.

The relative openness of tech ecosystems means little in an environment of a repressive, controlling government.

They only put “Apple” in the headline for the clicks.
