Hacker News
Apple blocks Google from running its internal iOS apps (theverge.com)
882 points by rising-sky 49 days ago | 641 comments

Let’s say you’re using a Google API like Maps, and you violate terms by snapshotting sections of their maps and storing them on your servers so you can serve static maps without making API calls. They’d shut down your API access immediately.

Google and Facebook both knew the terms. They both knew that the Enterprise Distribution Program was for internal use only. They still put ads out in the wild to recruit regular consumers to use internal apps which is beyond the scope of the program. Why would the certificates not be revoked?

I don’t understand people who are acting offended that Apple is enforcing the clear terms of service it laid out.

Well put.

It is an interesting salvo in what I've started thinking of as the "data war." All three companies have a huge asset in data collection capability, and preventing the others from exploiting it is only the first skirmish among them.

It will be interesting to see if Google offers to pay additional monies to Apple in order to "restore" this pipeline, and whether or not Apple will agree. In one sense, Apple already gives up a data feed by sending search queries to Google.

Data wars is an understatement. Facebook is AMAZINGLY litigious on its data.

Do this. Create a fake company and say you wrote a spider to index Facebook public profile data and that you have like say 100GB ....

Watch how fast you get sued by Facebook.

Mind you this is public data that EVERYONE can see...

> public data that EVERYONE can see

The entire concept of law is based on the premise that not everything that is physically possible should be permitted.

The web makes things interesting in that OP's hypothetical company only has that data because Facebook willingly gives it to everyone who asks. It would be obviously wrong if they were using some exploit to trick Facebook's servers into divulging secrets.

> gives it to everyone who asks

Yeah nah, that's where the concept of agreements comes in. You walk up to Fes Boock and say:

― I want to have business with Fes Boock.

― Fes Boock will have business with you if you promise to not stab Fes Boock in the back.

― I give my word to not stab Fes Boock in the back.

Turns out, this thing is so valuable, it's supported by law everywhere that I know of, in multiple forms, including rather implicit ones such as “ToS.” Which is what allows Fes to sue the stabbing bastard.

To my knowledge making an HTTP GET request and then receiving a document does not involve agreeing to any TOS, implicitly or otherwise. If the server didn’t want to send the data over an authenticated channel, then why does it send the data?

My mailbox opens and closes for my mailman to collect outgoing mail and deposit incoming mail. But anyone can open it. That doesn't mean I want them to, or that they are allowed to. But if my mailbox doesn't want to allow access to private information, then why does it open for unauthorized individuals? Because physically securing it would be a pain in the ass, most people are honest, and if I can keep my mail safe through force of law and social contract, that's easier for everyone, including legitimate users of my mailbox (myself and my mailman).

Your argument holds for mailboxes because it is not a common use case of mailboxes that their owners want complete strangers to check as often as possible because they've left something they want taken.

A better real world analogy is a bulletin board on campus or a wooden power pole.

Let's suppose that it is super common that people staple flyers to power poles, with the expectation that people will read them as they pass by. Your analogy would claim that if I staple a letter to the power pole, expecting that only my friend that I told about the letter should read it, that passers-by are doing something unseemly by reading it, while being surrounded by want ads and for sale flyers that people do want read.

Websites are nothing like mailboxes. The vast majority of websites would prefer that as many people as possible read their contents as much as possible. Email would be a better analogy.

A request is communication with certain semantic content, which pulling on a mailbox handle lacks. There is no general understanding among people nor specific agreement between you and some other party that pulling on your mailbox handle is how to ask you for access to your correspondence.

This is not the case for HTTP. A network protocol is an agreement about the meaning of certain clusters of bytes sent over a network. When someone operates an HTTP server, a reasonable person could conclude that they take HTTP messages to mean what HTTP says they mean. A lot of cases get more interesting because there is also something generally understood to mean, "Please don't access the following resources by automated scraping, independently of whether my server decides to grant those requests."

I'm pretty sure that a server, being a stupid piece of inanimate junk, is unable to enter any agreements or disagreements. In contrast, people, being endowed with free will supported by the ability to reason, need to apply said will and reason when directing actions of pieces of junk, so as to follow the same procedures of inter-party conduct as in direct interaction.

Since a web server, by its primary mode of operation, does indeed more or less indiscriminately send replies to whomever makes a request, it follows that the duty of choice lies with the client. The person operating the client has to apply their reason and follow the inter-party conduct.

> Since a web server, by its primary mode of operation, does indeed more or less indiscriminately send replies to whomever makes a request, it follows that the duty of choice lies with the client.

Sorry, why isn't it the duty of choice of the server owner, who chooses to put the server online in the first place? What exactly are these rules you think exist? This is the first time I've ever heard of them.

> Since a web server, by its primary mode of operation, does indeed more or less indiscriminately send replies to whomever makes a request,

This is completely false. The server owner can authenticate GET requests and return an unauthorized response if the client is not permitted to access the document. We are not talking about a situation where a hacker attempts to brute force a password or gain unauthorized access to a server. If the server is on the internet serving anonymous GET requests with no authentication the reasonable assumption is that anyone is permitted to access the data.

Well, if you think that it would be more reasonable and expedient to require users to read a contract beforehand and then authenticate themselves to the service before accessing any content―please, knock yourself out on your site.

It appears that the rest of the web gets by pretty well using the legal framework I've described. Because, you know, they tend to choose things to be pragmatical instead of those that “can be done.”

Sure, but web scraping is a thing, and one that shouldn't be illegal. Therefore if data is public, it should be assumed to be... well, publicly accessible.

> Do this ... get sued by Facebook.

"It's a bold strategy, Cotton, let's see if it pays off for him"

Apple actively avoids no anything - the primary difficulty in collecting nothing, and having no access to it, is users expect not to lose data. Even in that case where they’ve lost all of their devices (which could obviously be just a single one). Making that possible was the topic of Ivan Krstic’s talk at Black Hat a few years ago.

>> In one sense, Apple already gives up a data feed by sending search queries to Google.

Apple does this under protest. Their top search queries are served through Siri lately, and the hope is Siri will replace all search so they won't need to utilize Google anymore.

Siri isn't a search engine, it is a front end to a search engine[1]. That used to be Bing but now it is Google (see: http://fortune.com/2017/09/25/google-bing-default-iphone/)

There was a time when the Siri folks approached Blekko (which was an actual search engine with its own index, crawler, and ranking, etc.) to discuss partnering with Apple (personally I think they should have bought us :-)). But, according to people who should know, there was a cultural mental block at Apple about providing web services at the time. The biggest thing like that they had done was Apple Maps and it was a 'mixed' success. Apple didn't see itself as being a search company.

I used to point out that Microsoft had a phone (Nokia), an operating system (Windows Phone), and a search engine. Google had a phone (Nexus), an operating system (Android), and a search engine. Apple had a phone (iPhone) and an operating system (iOS).

Since that time Microsoft dropped the OS and phone, and Apple never did build a real search engine.

[1] More precisely it is a front end to a simple knowledge base, a local index of things on your device, and when those things are exhausted an internet search engine.

In Safari, when you enter terms into the search bar, the "Google suggestions" is separate from "Siri knowledge" or "Siri suggested website" which they surface at the top. It looks like Apple generates that independent of Google.

Siri suggested website is based on what your device knows about you (that is never uploaded from your device).

And if you select a link through Siri, Google doesn't get your query (data).

I really can't see how Apple can continue to be competitive with Siri without entering the search business (or partnering with another).

I've noticed several times now where Google assistant has been able to answer questions about things in almost real time all thanks to Google's crawlers.

My friend asked it earlier whether USPS delivers mail during a polar vortex and Google assistant told them they didn't yesterday, at least in Chicago.

Here's what I wanna know: to what extent does Google actually "have a phone"?

I mean, when I think about Apple, I think of a company that designs the look, the internals, the case, the glass, the board layout, and even some of the chips. (Sure, they contract the manufacture out, but Apple is deeply involved with designing components on a low level -- not merely farming it all out to some device maker in Taiwan or China.)

But for Nexus/Pixel: how much is Google and how much is LG or Samsung or HTC (yes, I know they bought HTC). I mean, how deep do Google personnel in Mountain View really go? How much do they just hand off to outsiders? Is it comparable to what Apple does? Maybe so. I just can't quite see into it.

It's a fair question. When I was there Google was all over the design of the handsets (the original 'Dream' phone), they did the Nexus One with HTC, after I had left, they bought Motorola Mobility which did the Moto phones and that group mixed in with the Android handsets folks. Then Lenovo bought it from them.

Google's biggest challenge was customer support, they just didn't do the whole "someone to pick up the phone and talk to you" thing.

So I'd say, they have a core capability to do handset design (perhaps some of it residual) and they likely strongly influence the hardware they sell. Is their bench as deep as Apple's? No.

Not under protest, but for profit. The current figures are not public, but Google pays billions annually to Apple to remain the default search engine on iOS.

It's easy to change, and one of the default options is DuckDuckGo.

Do you think aapl needs Google's "billions"? No, they're making way more money selling "privacy" and building a solid search engine to replace Google is high priority for them.

> and building a solid search engine to replace Google is high priority for them.

What are you basing that on, exactly? Apple doesn't exist in a market simply to "be" in that market. That's why they jettisoned things like their Airport routers.

Why does Apple exist in a market? Say phones or laptops? Not calling you out, genuinely curious to your opinion.

So they’re going to build their own search engine? Siri doesn’t do anything outside of your own data.

What if Apple bought Duckduckgo?

Then they still need to build a search engine; DuckDuckGo is just a proxy for Google.

No it's not. If anything it's a proxy for Bing, but that's one of many data sources[0] (another of which being DDG's own crawler[1]). I'm not aware of Google actually being one of those data sources; you might be thinking of StartPage, which is a proxy for Google.

[0]: https://duck.co/help/results/sources

[1]: https://duckduckgo.com/duckduckbot

They also have their own crawler https://duckduckgo.com/duckduckbot and additionally use several hundred "sources" for their results https://duck.co/help/results/sources with the main source seeming to be Bing. I don't think Google is one of these sources.

> DuckDuckGo is just a proxy for Google

Bing, I thought?

I know that Startpage uses Google. And Searx uses Bing.

But I think that DuckDuckGo uses multiple sources. Although it's easy to restrict that to Google.

It's a lot more than "just" a proxy.

It's called "siri suggested website" or "siri knowledge" when I search in Safari.

Because lots of people still think that if you own a piece of hardware, you should be able to run whatever code you want on it.

You're not wrong, you're just in the wrong place. Apple is the sysadmin and the phone holders are the users. They WANT Apple looking out for them. Anyone who says otherwise stupidly wasted $1000 when they could have bought any number of unlockable devices for that money.

I say this with an unlocked and de-googled android phone next to me, and several hacked arm devices at home. I OWN THEM, with no doubt, so I agree with you in a different world.

I mostly agree - except people want Apple products for other reasons too.

There are quite a few Apple users who like the hardware, the operating system, apps which are iOS-only, and the integration with other Apple devices - some of whom also want to run their own choice of software as well.

There's no alternative which has equivalent benefits, if that's what you're looking for.

(NB, I don't use an Apple phone personally).

No one is entitled to Apple’s operating system. If you want freedom, the price is Android or whatever. In fact, the restrictions that Apple imposes on iOS and MacOS are arguably what makes them desirable in terms of consistent user experience, robust default security, and lack of crapware. For some people, that’s a good trade off. For others, the allure of Apple’s walled garden is too tempting.

Is this true of people who voluntarily signed up to be paid for data collection? It's like saying that Nielsen panelists need to be protected from Nielsen by Vizio. (Insert standard caveat about the degree to which kids' autonomy is in the hands of their parents).

It's funny you should mention Nielsen, I did a bit of digging and found these very familiar-looking installation instructions: http://www.arbitron.com/research/installhelp/install_ios9_en...

An important difference is that Nielsen doesn't have an agreement with Vizio that they broke and the "protection" being Vizio terminating their end of that agreement as a response.

As much as I dislike Apple, its amorality, its attitude towards its users, its effect on the markets it's in, etc, I don't have any disagreements with Apple's actions here: Facebook/Google violated their license, so Apple revoked them.

But the terms of this license are by no means "protecting" users who voluntarily chose to install these apps for payment. A license can have multiple legitimate purposes, including protecting the business interests of the licenser. There's no need to pretend that Apple is protecting users in order to defend their actions here.

Indeed. The violation here really has nothing to do with protecting users, as you say, it's more of a positive side-effect. On the other hand, if it weren't for that aspect, the press-coverage that sparked Apple's revocation would most likely not have happened.

Apple found themselves in a position where doing "the good thing" aligned with business.

Nielsen is a white knight compared to what Vizio is doing.

Users with spyware should be dealt with by their admins.

If you asked iOS users about all the restrictions Apple places on apps, I bet less than 10% could tell you any of them. I also bet the majority of them would disagree with Apple's policy on forbidding real alternatives to Safari instead of skinned WebViews.

Do you run your own firmware on the baseband processor?

The question isn't "do you", but "could you"?

And atm, you couldn't on a locked down device.

> You can’t do that on any modern smartphone with the UX most have come to expect of their devices.


I play in firmware whenever I have the opportunity, absolutely. SPI is fun!

Do you?

I don't; but the world is a better place because of people that have that skillset.

Give it a try. The tools are a little primitive, but it's not black magic.

Never made this connection — genius

To downvoters: That point is valid.

It's the golden cage that allowed them to do of course good things this time. This argument is the old one against a walled garden and it still stands.

The point may be valid, but it's not what this discussion is about. Apple didn't cut off a user for running unauthorized software on their iPhone. They cut off Google for using a paid enterprise service to distribute their software in violation of its TOS.

> paid enterprise service to distribute their software

that's the problem - why should this service exist in the first place? It's extortion to have to pay to distribute apps to people who want them, on devices they own themselves.

Not really. Give me your code, and I can upload it on to any iPhone I want, without paying a cent to Apple.

Not without violating the ToS and jailbreaking (voiding warranty).

Yes, and more to the point, they cut off Facebook and Google for distributing unreviewed apps to the general public. So the violation was using the enterprise key to evade app review by Apple. Which Apple does to protect its customers. And so Apple is just protecting its customers.

Facebook already got their access back, I assume the block on Google won't last all that long, either.

Presumably FB got it back after signing in blood that they were only going to use this for internal, non-public releases

I believe Apple will do everything they can to keep them from abusing the ToS, but I also believe Facebook will try to work around any and every restriction applied to them.

Yeah, well, but Apple can always reject apps that violate their ToS, or revoke keys used to work around that. So ultimately Facebook can't win.

Except if they force Apple to nuke all of their apps, which would put Apple in a difficult position. But perhaps Apple could sandbox apps, and prevent them from doing stuff that violates ToS.

Yes, and revoking the enterprise key wasn't punitive. It was the only way to reliably kill the violating apps.

That loses a bit of the nuance. Apple cut off Google distributing software within Apple's TOS after Google had already stopped breaking the TOS.

But Google already broke Apple's TOS, so it seems like Apple still has grounds to revoke their license.

Right, I'm not saying this isn't warranted necessarily, just that it's punitive not preventative.

No, they still needed to revoke the cert because the app was still hanging out on users' devices. The only way to ensure that those apps are dead, from Apple's perspective, is to revoke the cert.

Of course you should. It's my device, I should be able to do what I want with it. The default should be protected but root should be available.

I 100% agree with you. I should be able to run any code on my device (after I flip a bit and it gets wiped). The first thing I've done with every Nexus or Pixel purchase is to wipe and root it.

But that's not what this is about. Apple has been enforcing these rules for years. F.lux tried to get around the App Store by teaching users how to sideload via Xcode. Apple killed it.

The big players should be subject to the same rules. If they want to run their own code, they can't just flagrantly ignore Apple's TOS.

I'm also onboard with the Nielsen metaphor but not for kids. And both were scummy in targeting kids (though FB was definitely worse judging from marketing materials).

> F.lux tried to get around the App Store by teaching users how to sideload via Xcode. Apple killed it.

Specifically, Apple killed it because f.lux decided to distribute their app in a really sketchy manner where they essentially pushed an opaque binary blob to the phone rather than compiling the app from source and installing the build product from that.

I don't understand: Do you expect to be able to run any programs you want on the micro-controller on your washing machine?

That's what Apple is doing here. Pushing iPhone as a commodity, not a replacement for your macbook. This way they get the benefits of controlling the experience as much as they want. (I am not saying it is right or wrong, just that many people are fine with commodity phones and don't care for the loss of configurability).

If the washing machine was internet connected, then yes. If not, I'd still like the JTAG interface intact.

Now, _will_ I do that? Probably not, but my opinion is that as the owner of the device, I should have the ability to do so if I so choose.

> I should have the ability to do so if I so choose.

And what about the manufacturer? Why should it be their legal responsibility to satisfy your whims for programmable interfaces?

Not to mention that what you're suggesting will make the iPhone incredibly insecure.

I'm not sure where you're getting the "legal responsibility" part from - I'm not advocating legislation, simply stating my personal preferences as a consumer. I do what I can to try and bring others to my point of view, but I am in no part trying to push this as a legal burden on manufacturers. Please don't bring strawman arguments into this, this topic is complex and nuanced enough as-is.

Regarding security, that very much depends on your threat model and definition of "secure". Indeed, I see this general trend of decreasing user control over increasingly complex and connected hardware as a massive security threat where I am forced to trust multiple 3rd parties who may arbitrarily disrupt my life anytime new "features" or "policies" get pushed out.

It is perfectly possible to securely implement a tamper-evident "I know what I'm doing" switch/fuse that enables advanced control by device owners. However, I'm well aware that I'm in the minority on this topic, so I'm not holding my breath for such features to be implemented.

How does connectivity matter in relation to ability to custom program?

On second thought, it doesn't. I just wanted an easy way to distinguish complex IoT devices from simpler ones.

I don't use a washing machine controller as a general purpose computing device. I don't install apps on a washing machine and would never buy one that had that feature. It's not a reasonable comparison.

That said, I doubt washing machine microcontrollers use signed code. It's easier to modify them than your phone which is completely backwards.

You haven't seen Apple's commercials? "What's a computer"? This is the ONLY experience they want everybody to expect.

Except, you know, they still sell Macs.

> Do you expect to be able to run any programs you want on the micro-controller on your washing machine?

Yes. It is within my full legal right to install whatever programs I want on my washing machine.

Apple lost a bunch of lawsuits, when it tried to sue people for doing this. The courts proved that yes, you do have a legal right to do whatever you want with hardware that you own.

JTAG interfaces on washing machines are not that uncommon, so this is absolutely a thing.

Sure. And Apple aren’t going to sue you if you manage to. It sounds like you’re confused between “I should be able to” and “Apple should make it easy for me to”.

And you can. You just can’t do what you want with your _customer’s_ device, according to Apple’s TOS.

However, you could get a developer license and load anything you want on your phone. Granted it's not for everybody, but if you're so inclined to sideload apps on your phone you can pretend to be a developer (meaning you just need to know enough to use the tools available, not in a demeaning way).

I don't think you even need a developer license. IIRC, I think if you just plug your iPhone into Xcode, you can load whatever code you want on to it.

You don't have to pay but you do have to register to get to the tools download.

> The default should be protected but root should be available.

How do you protect against that backdoor being used by hostiles?

The thing is: my mother bought an Apple device not to think about data, security, backups and all these "InternetS" things. She doesn't even know what hardware is. If she did, she might have bought an Android phone or something else :)

You are still able to sideload apps, just not at an enterprise level.

You need a Mac with Xcode to sideload apps for iOS (unless you want to deal with jailbreaking).

If the IPA is already built you just need the cross-platform Cydia Impactor. Jailbreak not required, but standard Developer Account for full features applies.

Not necessarily, though it can get rather annoying depending on which one you drop.

Does sideload still work? I recall they enabled the ability for anybody to load apps via Xcode around iOS 7, but haven't kept up to date with latest versions. Did this stop working on newer iOS versions?

I sideload stuff on my phone quite frequently.

> I recall they enabled the ability for anybody to load apps via Xcode around iOS 7

Xcode 7 and iOS 9, and yes, you can still do this.

I do it on iOS 8. Can't recall the Xcode version.

You sure about that? IIRC this came as part of the combined developer program in 2015.

Yup. I side loaded an app yesterday onto my phone running iOS 8.4.1.

Using Xcode 6? You can go back a little bit because Xcode 7 supported the current version of iOS along with iOS 9 beta, but I don't think this goes all the way to iOS 7.

So jailbreak it. Meanwhile, Apple should be able to ship whatever operating system it thinks its users want, and those users should be able to keep it if they want.

Well in this case, wouldn't most people be using Google owned phones? Or if they bring their own device, have explicitly allowed Google/FB to manage their device through an enterprise system. That enterprise system for some reason shared a cert with an application _not_ used for enterprise, so the cert is banned.

That's right. That's why you shouldn't buy iOS devices. If you do, you agree to Apple's terms.

(also, what Apple allows you to run on your own device is actually a different story, not related to this news)

>If you do, you agree to Apple’s terms.

And know that Apple has your back when it comes to holding developers of the apps you use to their commitments.

There’s a clear benefit to the reputation of a vendor being on the line for the security and quality of their product and the services offered on it.

That's a misstatement of the principle here. I bought a thing. It's my thing, not someone else's thing. Things don't have "terms". I signed no contract. Let me use my thing.

I mean, yes, we shouldn't buy iOS devices. But we should accept that things have ad hoc vendor-controlled "rules" just because someone baked them into the things, either.

> what Apple allows you to run on your own device is actually a different story, not related to this news

How so? It's not like Facebook and Google were hacking their way in here. They asked users "please run this software" and users had the option to do so. Seriously how is that any different than "please run my great jailbreak environment" or "here's a new OS for your iPhone"?

It was the behavior and marketing of these spyware things that we shouldn't like, not their mechanism.

> I signed no contract.

Facebook and Google did sign it and distributed their software based on it.

> It's not like Facebook and Google were hacking their way in here.

They literally did (in the legal sense).

But of course, it's a battle of two evils here. Both sides can just nuke each other if you ask me, I won't miss them ;)

> Facebook and Google did sign it and distributed their software based on it.

I think we're talking past each other here. I'm not talking about how Facebook and Google's spy kits were licensed to the end users or about their compliance with Apple's own vendor license.

I was pointing out that the principle here is that I (and Facebook and Google) should have the ability to write and distribute software for you (and me, and Facebook and Google and even Apple) to use on your iPhone. And that the fact we don't have that ability is bad.

And more to the point the fact that Apple's control over their platform was used to benefit the public by disallowing spy kits still does not make that control a good thing.

What kind of principle is that without rules?

Free speech doesn’t allow libel and slander. Free assembly doesn’t allow riots. Without a framework for meaningful justice, the high minded principle is just a race to the bottom.

I should be able to have the freedom to choose a platform where I have some protection against the various bad actors out there. Without Apple, the only options we have are non-participation, believing the lies, and arbitration.

> Free speech doesn’t allow libel and slander

What? Very absolutely it does. It just doesn't protect from the consequences.

It's not "without rules". The rules are just democratically determined (i.e. laws).

You can. Just give people the code, and they can load it on their device.

> I signed no contract.

True, but you entered in a contract with the app developer and they are bound by one with Apple.

Apple’s right to act on iOS devices is in virtue of them being a service provider to Google more than the company that sold you your phone.

> you entered in a contract with the app developer

... wat? No, I didn't. It's easy to imagine I "must have", but in fact there's no signature, no negotiation nor in many cases any consideration.

Ah, but you say: I must have signed a contract to use the app store that I downloaded the app from, and that must constrain me to honor the terms of the app that I downloaded, which is constrained by Apple's contract with the developer.

Except, no, I didn't do that either. The whole thing is a house of cards. There is absolutely no principle behind this regime, it's just something we've all come to accept because it's technically possible and because "usually" the power granted to hardware vendors hasn't been abused.

But it has bad side effects too, and it's really important that we as a community not lose sight of the fact that locked down devices are really, really bad.

You didn't, but the users of apps discussed here did. There's no App Store involved.

>Ah, but you say: I must have signed a contract to use the app store... Except, no, I didn't do that either.

Do you have an Apple ID? You need an Apple ID to download apps from the App Store, and when you create the Apple ID, you accept their ToS. So, yeah, I think you did.

Though that ToS has absolutely nothing to do with anything we're discussing -- the ToS that matters here is the one between Apple and Google/Facebook.

> ...and that must constrain me to honor the terms of the app that I downloaded...

I don't think Apple's ToS with you constrains you to honor the terms of the app you downloaded. That seems strangely indirect. I think the app may or may not have their own ToS that they make you agree to at some point before permitting you to use their services.

Go to the app store, search for “youtube”, scroll down, click on “license agreement”.

Electronic signatures are a thing. You absolutely are bound by contract.

> Things don't have "terms".

Technically correct. But software running on "things" has terms. It's called a license. When you buy a movie, you don't own the film. You own the right to use that film in accordance with the license.

You're conflating things. Your example is about copyright, not licenses. Copyright doesn't constrain use, it constrains distribution (though there's a parallel argument there about DRM and things like DVD region codes, etc...).

The question you're sidestepping is whether a license can say "you can't run your own software on your own thing". Obviously it can be implemented to do so given the way computers work, but it's not at all clear why that should be so.

It can.

IBM has had contracts for decades that govern use of your software on the hardware you bought from them. You buy CPU hours or the right to use a certain amount of the computer for a specific timeframe. One place I worked at had a mainframe that they could not use for production workloads unless a disaster declaration was made.

They’ve been litigated and are valid.

Copyright can constrain use (although the actual extent varies a lot between jurisdictions). Most licenses (which are basically a way to manage copyrights) don't make use of that, but some do (like a license that Apple uses for their SDKs, which disallows running it on non-Apple hardware).

BTW. I ignore that and even many large, respectable companies ignore that, but it's there ;)

> Things don't have "terms".

Sure they do. You want a gun? That comes with certain restrictions on what you can do with it. You want a car? There are certain restrictions on what you can do with it. Jet? Restrictions. Schedule 1 drugs? Restrictions. Knives? Restrictions. Fireworks? Restrictions. Cameras? Restrictions. Hell, even when it comes to a 2x4, there are rules about what you can and can't do with it -- you can't hit someone with it, or you'll suffer consequences.

According to the story, Apple have stopped Google employees running Google's "Gbus app for transportation". So yes, it's about what Apple allows people to run on their own devices.

They can still run that app by signing it themselves with a developer account, although that's not a very convenient option. And no, this is still about what Google allows its employees to run on their corporate devices (and Apple now taking this right away from them), as users wouldn't be able to sign that app with an enterprise certificate by themselves.

Google can make that app public.

Or stop abusing the terms of the enterprise certificates.

Since Gbus is presumably developed internally, what prevents the employees from installing the program via Xcode?

Not everyone at Google has a Mac? Nobody wants to reinstall GBus every 3 days?

Seven days.

Why would you have to reinstall it every 3 days?

IIRC dev certs expire quickly, by design

Free certificates expire after a week. Standard certificates obtained from a developer program membership last for a year.

Yup. However, at least you don't really need a Mac for that, as there are external tools to re-sign and install ipa files.

Probably something like this:

XX% of Google employees are non-technical

XX% of Google employees don't use Mac as their laptop platform

XX% of Google employees have a locked-down Mac that isn't allowed to run XCode or locally-compiled binaries because their job role isn't in Engineering

The employees would each have to spend $100 on a developer membership (sharing them is a good way to get more revokes).

No, that's not necessary for loading an app onto your device. It's only necessary for broader distribution.

You can only sideload up to a certain number of apps (3 IIRC), only for seven days at a time, and only using certain APIs (cannot for example use notifications), all of which would pose serious limitations.

60,000+ employees makes this unrealistic.


Sounds like somebody learned a new word but couldn't be bothered to learn what it means.

how is this possibly mansplaining

It's as central an example of mansplaining as I've ever seen; Mansplaining just means "I'm too stupid to understand your point, so I'm going to throw in a non sequitur gendered insult".

At least as I understand it, it more means explaining things to the person you're talking to as if they don't know anything about the conversation topic, even though you have no particular reason to do so.

It doesn't necessarily have to be done by a man or directed at a woman. That's just how it tends to go. And obvs is a bit more fraught when it is going that way.

Leaving aside whether that's something to reasonably get upset about (how are people supposed to know exactly which facts are known to every single reader of their comment?), the way you're describing it seems pretty identical to the now-mostly-anachronistic expression of being "jewed" out of some money. The fact that the target of the slur doesn't have to be Jewish doesn't make it better; in fact, it kind of makes it worse. Hell, at least my example has its roots in a time when casual racism/sexism were accepted _pro forma_, and the term is slowly dying out. It seems to me your example is even less excusable.

It's the difference between punching up and punching down.

Meh, those aren't as well-defined as you think they are. Variously, market-dominant minorities have been labelled as "oppressors" throughout history, and "we can be as immoral as we want as long as the victims deserve it" has been cover for all sorts of horrible shit. You can do whatever you want under the aegis of "fighting the power" if you just define "the power" as the people you wanted to be vicious to anyway. It takes a pretty simple-minded view of the world to think that a one-dimensional oppressors/oppressed view of the world is anywhere close to reality, instead of just being convenient cover that can be targeted at pretty much anyone, so shitty people can be regressive and sexist and racist while sitting on their high horse.

Maybe you’re replying to a woman?

With focus on privacy, Apple is successfully reducing users wanting freedom. The marketing now seems to indicate that if you want freedom then you lose privacy.

Yes. Because it is technically almost impossible, if not completely impossible, to build a system that gives your code absolute freedom while not giving other code running on the system absolute freedom as well.

There will always be the possibility that some company will ask users to their absolute freedom ability to give them absolute freedom. Which is basically exactly what happened in this case. The only difference is, in this case, Apple built in a mechanism where they can stop individual actors.

And, to protect their users, they used it.

Protecting the users is marketing speech. The users had given consent. This was Apple using its control over app distribution.

Correct. Unfortunately for this argument, Google also disagrees with those people, so there's a certain degree of difficulty inherent to it.

If you want to sell your privacy, buy an Android I guess.

This is Apple, where people pay more to have LESS features.

They are anti consumer and anti developer, buying from them is bad capitalism.

I've worked on enterprise iOS apps that were also shared to some of our customers. I've always felt super paranoid about it and thought Apple would shut us down...

Seeing what's going on with Facebook and Google I guess Apple didn't pay much attention to this.

If you're sharing your apps with customers for very benign purposes, I doubt they'd care. For instance, if you were giving customers access to your business's data or some sort of internal app that provides functionality that you wouldn't want to make public. That seems very reasonable, and might not even be outside the ToS (IANAL, and I haven't read them).

In both Google and Facebook's cases, they were using it to distribute apps to the public at large (i.e., users with whom they have no business relationship) simply because they couldn't get the apps into the app store to begin with because they would otherwise violate Apple's rules. So not only were they flagrantly disregarding the ToS of their enterprise certs, they were doing so in order to violate Apple's rules for app distribution. Less than great.

If anything I think the fact that this has gone under the radar for so long is a pretty good indication that Apple has no data about what apps are being run via this program. Although abuse like this will probably flare up some arguments internally over whether they should more aggressively track activity in iOS.

Mmmm, from everyone I've spoken to there, it's not something they don't pay attention to, there just haven't been extreme violators like what Google and FB have done lately.

I mean, the program exists for a reason.

Apple can't pay attention to it though.

The whole point of enterprise certificates was to allow creation of internal apps that even Apple shouldn't know about.

> The whole point of enterprise certificates was to allow creation of internal apps that even Apple shouldn't know about.

I think most/all of the companies in the program would say it's about controlling the distribution of their apps, since putting them on the App Store would expose them to the public, and less about hiding from Apple...

I think it’s just a case that they didn’t know. Unless they get complaints or reports, it’s not necessarily going to be obvious to them.

I scraped google API exactly like this in grad school, but sometimes when you're building, you take a calculated risk to build something better.

For my thesis, I was trying to load two Street View photos side by side in a browser to compare people's perceptions side-by-side. Google maps at the time required you to load a javascript viewer for each image you requested. Think Hot-or-Not for cities.

The experience needed to instantly load a new image after the user voted because I knew they were only going to be on the site for maybe 30 seconds before they got bored and went back to reddit. I needed to collect as many votes as possible within that time period.

So I knowingly broke Google's ToS and prefetched the images on my server so I could provide the user experience I wanted. "I'm a small operation. Surely they won't know." I wrote a server side screen scraper to load the Street View images and exposed the scraped images with an API.

Now my site was faaaast. I could load Street View images instantly and in the end got over a million data points doing this.

But then one day soon after it stopped working. Then I got a cease and desist email from someone at google legal. They didn't respond to any requests for turning it back on or even to discuss. Radio silence. That was terrifying.

Since this was my thesis, I needed help getting my keys turned back on. Google in the end was very accommodating, but only after I used my nuclear option: asking lab director Joi Ito to bug Megan Smith while she was still at Google to help.

I was connected to some engineer and told them what I was doing and why. They said stop. But then a week or so later, they sent me a beta invite to their new Street View images api, where you can feed in a lat, lng, header to a query string and they'll just serve the image now. Pretty cool.

Offending site for the interested: http://pulse.media.mit.edu/

> "I'm a small operation. Surely they won't know." I wrote a server side screen scraper to load the Street View images and exposed the scraped images with an API.

I find the trick, when you're worried about this, is to use the regular API normally, but save the data that comes in from the normal usage of the API. i.e. Use the Google maps viewer and after the image is loaded, grab it however you have to, and post it to another API you've created that allows you to save the image. You're scraping their site, but you're not doing it in an automated way, and it should be undetectable.

After a while, you've got a good library of images from normal use. So you code up a switch that you can toggle that changes it from loading from the Google maps viewer to using your API to get images.

If you want to grow your image library, randomly assign some percentage of people to using the Google viewer (and save them they download), and the rest to your library of images you've accumulated. Or use a cookie or JS localStorage variable to track whether they are a returning person, and the first time always give them the quick library version, and if they return give them the Google maps viewer version (or just switch the percentages from 90/10 to 10/90, etc).

If they're willing to give you the data free within their ToS, there's very little technologically they can do to stop you from easily (or moderately easily, in the harder cases) storing the data. Worst case for someone looking to save it would be if they generate an image for the content and just serve the image, and that's not that hard to work around either, if the data is structured.

Someone handing you data does not remove any copyrights on this data. Which is where you can get in real trouble with your approach. That said, this kind of thing is detectable. If users of an application are far less likely to download common data it quickly looks odd.

And while that’s not conclusive, they can just look at how your application functions to see what’s going on.

> Someone handing you data does not remove any copyrights on this data.

Oh, I'm not making any claim that it's legal. I'm just noting that if you've decided you want to scrape and are disregarding the ToS, there are ways to make it less likely to get you blocked.

> That said, this kind of thing is detectable. If users of an application are far less likely to download common data it quickly looks odd.

In the approach I outlined, you either load the Google JS payload and use it entirely as normal (and just do something extra with the data it provides), or you don't load it at all and run entirely locally. There are things they can do, such as embed analytical code in their payload to test for certain things, but it's just a cat and mouse game at that point.

> And while that’s not conclusive, they can just look at how your application functions to see what’s going on.

Assuming it's a public application (in this case it is), and that they have reason to look at it. If it's just spiky load, where sometimes there is load and other times there isn't or it's less, that's not really indicative of something odd going on, especially if you're relatively small.

Your story is absolutely amazing... and relatable... Also love your app. Will be sharing that.

To add to your point, even if there were no such "term" governing that particular use of the "service," if I'm the owner of the API and I find out those API keys are being used to spy on my users, don't I treat this as the security breach that it is, and revoke those keys on that basis?

In general I agree with your point but I think these terms help Apple's case because it's easier to argue against definitions of spying, harder against terms of service. Especially when Google so strictly enforces all of their terms. I mean, good luck getting reinstated on just about any of Google's APIs.

It’s more about a single massive company having such in-depth control over billions of personal mobile devices. That’s a worrisome situation.

Not sure what kind of "in-depth control" you're referencing.

This change did nothing to individual phones.

This simply prevents two organizations from deploying applications to phones with specific certificates. That's all.

They can control what happens on your phones and affect what apps can and cannot run. That's rather invasive.

I believe this is actually only true under very specific circumstances -- namely, enterprise certificates, which are used to distribute apps directly to employee devices, without going through the app store. If they decide to revoke a regular developer certificate, the apps already distributed through it are not affected in any way.

They can control which apps can and cannot run as long as those apps are intended for internal use by enterprises. That seems reasonable imo, given that these apps are also not subject to any approval process.

No, they can control what applications are allowed on their app store and control how the OS they distribute runs. Aside from those two things they can't really force anything that you haven't already allowed, or continue to operate.

Apple can't physically confiscate the phone or the data that you put onto its hard drive (not talking about iCloud). It's yours. You can put Linux on your iPhone if you want and there is nothing Apple can do about it.

There are 2 massive companies, not a single one and Google has far more marketshare globally with Android.

Details matter. Don’t leave them out.

Google blocking this kind of thing in android would be quite hard to near impossible...

On Android, one can sideload an app. Amazon has its own app store. Chinese Android phones have their own. Android was initially designed with this kind of openness. In fact, Google didn't have an app store initially. Now, there are pros and cons to this approach. FB could be side loading Android apps all day long, doing who knows what, and there is not much Google can do about it. Now, if they were a bit smarter, they could've used a shell company's throwaway certificates. I cannot fathom why they would do something this shady using their own corporate certificates.

Yes it is, but if you're worried about that then this is a valuable lesson on why you should steer clear of apple products. Google knew this was the case and took the risk anyway, so they only have themselves to blame.

It's not just apple either. Using facebook, gmail, anything in the cloud and/or anything hosted, basically anything not under your control exposes you to the same risk. Most people don't care until it becomes a problem for them and by then it's too late.

You don't think there's a difference between a person buying an Apple device and Google working with Apple to run software on their devices?

Yes, google has no excuse not to know better. They did know better in fact, it's a selling point of their competing product. Corporations their size will typically run anything remotely important in house on their own machines so that they have control over it for exactly this sort of reason. Failing that they'll put contracts in place that specify notification periods and remediation steps so that the rug can't be pulled out from under them. Google knew this could happen and went ahead anyway, they accepted the risk and now they have to accept the consequences.

And let's not forget that google weren't working with apple, they were working around them.

I think you're mistaking what happened here. Google apparently broke the TOS which led to this issue.

This isn't a single person choosing differently. Employees and consumers buy and use iphones and Google has no choice in avoiding them. Doing so will only hurt their business, and they don't exactly have the leverage to demand whatever APIs and access they want.

Sure, and Facebook solely controls the messaging ability and photo storage for a significant percentage of their 2B+ users.

This is the key sentiment I feel is missing from much of the discussions (and in some cases, reporting) taking place surrounding these events this week. Thank you for posting it.

It's useful to discuss the philosophical implications of any tech company having too much power. To add the most to that discussion, it's helpful to understand that these actions are not directly affecting customers (aside from those who were using these enterprise apps outside their intended scope).

Random iPhone-using Google employees who use Google's internal cafe app are Apple customers, and they're directly affected.

Clearly that's not a terribly big deal, and you'd imagine that Google has a lower proportion of iPhone users than many companies, but it's not nothing.

They're professionally affected (they can't run internal apps as part of their job) as is good and appropriate (their company violated the rules and got cut).

They are not personally affected as they still have access to public versions of the apps like every other person in America.

I am a bit offended that google has a phone number and means of communications to resolve the issue with a real human at Apple. Nobody has that at google.

That's clearly not true. You'd have a phone number if you are a customer. Even with Gmail — GSuite offers decent phone support.

The fact that you can't reach a human if you are a "user" tells a lot about values at Google.

Play Store publishers don't have a phone number to call.

> They’d shut down your API access immediately

This is not true for major consumers of the API. They will call you and work it out. I know this from personal experience.

All is fair in love and war?

Things are obviously getting a bit ridiculous. Part of me thinks that something awful is going to have to happen before society stops these companies from pursuing everything they feel they need to.

Hopefully it won't be too late when that realisation becomes crystal clear to the majority.

This is what I think as well. Every day we hear about these companies doing scummy stuff to get more and more user data.

I am hoping for a massive leak/scandal/Snowden moment when they finally cross the line and something happens that the lobotomized masses actually care about and cannot ignore.

Hopefully we end up with some sane legislation about how much mass surveillance of citizens by private companies is ok.

I agree that Google & FB violated the terms of the agreement they had with Apple.

I think an interesting question is: What is Apple's best move from here?

I would suggest that Apple should leave Google/ FB blocked for ~1-2 weeks, to remind them who's boss on the iOS platform. However, I would argue it'd be smart for them to switch them back on after that- there's a chance that this looks anticompetitive to regulators at some point, which isn't something Apple wants to mess around with.

I imagine they're going to have a pow-wow with Google/FB execs and/or legal where they will all agree that the rules really are the rules and Google/FB will promise not to break them again, and Apple will restore the certs. Probably in less than a week. Apple has made their point, and there are good reasons to maintain a cordial relationship.

That sounds right- they may also ask for other PR concessions, like very publicly admitting they violated the terms of the agreement and re-committing to being good citizens of the iOS developer community.

One sort of "rubbing their nose in it" term could be something like a large donation to some sort of privacy advocacy group or similar.

> they will all agree that the rules really are

You mean like the terms of the Enterprise agreement? The terms that were already agreed to?

Yea. That's exactly their point. The rules are the rules.

Why would Apple enforce its rules for only 1-2 weeks? The rules are the rules; they aren’t doing anything bad here.

From a practical standpoint, it’s hard to picture apple permanently preventing google from e.g. dogfooding Google Maps for iOS. I suppose it’s within the realm of possibility, but I don’t see it as likely.

I wouldn’t even look at it from an anticompetitive angle or anything like that. This is a matter of what’s best for apple and its users. They should absolutely do what’s needed to ensure that their terms are obeyed. But permanently banning google is not “what’s needed.” What’s needed is merely to demonstrate that the behavior will not be tolerated going forward. I imagine discussions between corporate lawyers and perhaps a reasonably sized bond would be sufficient to demonstrate google’s sincerity in not repeating the error.

Dogfooding is possible via TestFlight, and Apple moderates it to ensure they aren't breaking the rules before the builds go out, I believe. Enterprise certificates are for pushing applications written for internal use only, like the Facebook lunch app or Google's bus schedule.

Anything that smells anticompetitive is kind of a dangerous dance- by preventing two of their largest competitors from developing on their platform I think they'd be inviting some regulatory scrutiny (even though FB/ Goog DID violate the agreement).

Isn't it anti-competitive in general then that big players get more protection from consequences via this logic?

It's not anti-competitive, but it is unfair.

The reality, though, is that this sort of behavior in VERY large, VERY influential companies is going to draw way more scrutiny than a small company getting crushed by one of the big guys.

Do the internal apps at Facebook compete with the internal apps at Apple?

"Competition" doesn't have to be narrowly defined.

In general, Apple, Google, and Facebook are 3 of the largest technology companies in the world. In general, they have areas where their interests overlap (messaging as one good example of this).

Hindering the ability of Google/ FB to develop on iOS could absolutely be seen as an anticompetitive measure by Apple.

No, Facebook/Google internal apps fall into two categories:

- Utilities that are only useful to employees of those companies (cafeteria menus, shuttle schedules, resources for salespeople on the go, etc.).

- Pre-release/testing (aka dogfood) versions of the apps they distribute to the public, for employees to use and find bugs on before they make it out to normal users.

Neither of those are pools that Apple wants to play in.

...and I guess there's a third category:

- Apps used to gain "competitive intelligence" and spy on users.

> they aren’t doing anything bad here

By making this problem last long they aren't doing anything useful either.

- Bad case, they never restore certificates to G/FB and they end up losing all their employees to Android, with likely ripple effects in their tech sphere of influence.

- Worst case, G/FB retaliate by removing their apps from iOS and it's all out war with everyone losing.

- Best case, they restore them tomorrow with some fanfare and handshakes, but thousands of smaller companies now have been reminded Apple may actually shut them down if they misbehave.

There's absolutely nothing anti-competitive about this from a legal standpoint whatsoever.

Apple completely forbidding the availability of certain types of software on their devices from third party developers? Not anticompetitive? Although sure, in this particular case it wasn't because of the type of app, but it still has the same effect because certain apps ARE forbidden from the store, and this does indeed mean that nobody can effectively offer such apps because of Apple's rules

There's no actual legal requirement that your company offers the same service that you use your market control to prevent your competitors from offering.

This is especially relevant in the markets where Apple has a significant market share (USA).

It’s not a legal thing. If you think it is at least try to cite the general area of law.

You can create devices and sell them and not make them compatible with other companies products if you want. It’s true from printer ink to PlayStations.

The only issue would be market share and monopoly problems, which given that Google’s alternative platform has 54% of the market is totally irrelevant here.

Nothing about this maneuver has caused people to be forbidden from installing apps on their own devices.

A convenient and inexpensive mechanism for installing apps to lots of other people’s devices has, however, been revoked.

> I would suggest that Apple should leave Google/ FB blocked for ~1-2 weeks

Perhaps Google should shut down every one of the servers that Apple is renting from them, for a couple weeks?

Or just block everyone on Apple's campus/IP addresses from having access to any Google services, search engines, etc.?

The 2nd one probably wouldn't violate any contracts, so I don't see a problem with it.

I don't think it's about reminding them who's boss. Apple will revoke the certs for as long as is necessary to protect their users, but I don't think they'll stay revoked for punitive purposes. I expect it'll be a period measured in double-digit hours, not weeks.

> remind them who's boss on the iOS platform

This sounds counterproductive, as opposed to enforcing rules consistently.

I don’t object to them doing it, but I do object to the fact that they have the ability to do it.

IMO, it is very, very wrong that Apple is judge, jury, and executioner in this case.

Also, in today’s world, this potentially could be disastrous, not only for the company affected, but also for the world at large, for example if Google depends on internal apps for informing employees about emergencies such as “hacking-like activity on our servers” or even “data center on fire”.

> if Google depends on internal apps

If Google depends on internal apps then they shouldn't have violated the terms of internal apps.

Google (or any company) wouldn't have a single point of failure for alerts like that. :P Those alerts would hit email, phone, etc. all at the same time.

> I don’t understand people who are acting offended

Once the reasoning boils down to offense I know I am dealing with either intentional hostility or stupidity. Regardless of which of those is the problem I stop wasting energy thinking about it.

For people confused or further offended by this sentiment I suggest reading Principles by Ray Dalio.

> I don’t understand people who are acting offended that Apple is enforcing the clear terms of service it laid out.

Because of two related points:

1) The apps in question would not be allowed into the app store by Apple in the first place.

2) People believe that Apple abuses its dictatorial power over the app store and that it should be a more open platform.

Who is acting offended? The article didn't mention anybody balking, where have you seen this?

>I don’t understand people who are acting offended that Apple is enforcing the clear terms of service it laid out.

I don't understand why they were so happy when this happened to Facebook but now they are offended because it happened to Google.

Oh wait, yes I do understand why. o:-)

I for one welcome the consistency that Apple shows. And I hope that people recognise how these walled gardens have their own laws, judges and prisons.

I do remember Apple giving Uber a second chance though on user privacy [1]. Maybe they've learned, maybe they're trying harder, maybe they just see the goodwill benefit from being seen as the good on privacy company. I'm not sure.

[1] https://www.dailymail.co.uk/news/article-4438800/Uber-s-CEO-...

And this is one of the reasons why I pay a “premium” for my phone, I expect Apple to work harder for me to protect me from actors like these.

Let's say you're using a Google API like Maps, and you snapshot sections of their maps and store them on your computer so you can access them anytime without making API calls.

This would sure save a lot of unnecessary network usage and bandwidth charges, not to mention it would be useful when you do not have network connectivity.

What is the reason if any why users should be prohibited from doing this?

Because they don't own the pictures, plain and simple.

I don't follow your reasoning.

The question is why every time the user wants to look at a map she needs to let Google know, using computer network access for which the user must pay.

Paper maps or maps stored on physical media do not have this requirement. The map company may "own the map" but the purchaser can look at the map anytime she wants, without any ongoing expense to keep the map company abreast of her travel plans.

I do not use an "account" or "log in" to view free maps, so I just take screenshots as a quick workaround.

Users wouldn't be prohibited from doing this for much the same reason people aren't prohibited from making personal copies of pages from books they own.

If you take a picture of Google Maps and then host it on your website without approval/paying Google and get caught you'll be hearing from their copyright lawyer.

If the website can be accessed by others.

I could take a picture of a map and share it on my LAN via httpd so all my computers can access it. I am the only user on the LAN.

It is not the "website" aspect that would implicate copyright, it is the redistribution, e.g., via a website on the public internet.

My original question is being misunderstood. It is not about copyright or what rights Google has in maps. It is a question about why Google attempts to force users to contact them every time the user looks at a map.

Good for the goose, good for the gander. AND, there's a huge difference between banning a small-time developer that might have tripped the wire accidentally, and banning Google and FB, full of lawyers. Frankly, FB and GOOG cannot do well at all in the privacy-caring ecosystem that Apple claims to want to build. Buh Buh Bye...

Is it really clear? Are the people they were paying technically Google and Facebook employees / contractors?

Can you pay 13 year olds in $20 gift cards and call them a contractor?

Did they get W-2s and 1099s? Did FB do employment authorization verification? Did FB verify that the contracts were in fact signed by authorized guardians? A minor signing a contract has no meaning - so no “employment” contract would be valid.

> A minor signing a contract has no meaning - so no “employment” contract would be valid

This is generally false. Minors generally can make valid contracts, though such contracts are usually voidable by the minor prior to execution. [0]

[0] without otherwise endorsing the site as an authority, the discussion here provides a good general coverage of the issue: https://contracts.uslegal.com/contract-by-a-minor/

No, they were random consumers. That's the whole point of market research.

When you are paid to take a survey, do you magically become an employee of the company conducting the survey?

Facebook was paying 13 year olds to use the app, so that argument isn't really available to them unless they want some pretty significant civil penalties straight from the US Government. (I strongly doubt it'd fly either way, but "we hired underage contractors" really won't.)

13 year olds cannot enter into contracts.

Child labor?

"I don’t understand people who are acting offended that Apple is enforcing the clear terms of service it laid out."

Because there should be no 'terms' as to what software you can install on your devices.

BMW can make 'terms' so that if you mess with your audio system, it's not under warranty, but otherwise it's your car.

Also - 'the terms' are never very clear, and they can change on a dime.

Apple feeling some competitive heat? 'Just change the terms'!

Consider the collusion opportunities:

You want to use an Android - you have to give everything to Google. Don't like the terms? Apple colludes and does the same!

All of this is starting to get very close to anti-competitive kind of stuff, both between the big powers - and among consumers.

Would you be ok if Google blacklisted your domain in the Chrome browser for violating those mapping API terms?

Google blocks domains from Chrome all the time, for the same reason as Apple blocked Google: it was deemed malicious.


No, because it wasn't a violation of the Chrome ToS.

Yeah, this is pretty clear cut. Apple has rule. Facebook and Google agree to rule. Facebook and Google violate rule. Apple enforces rule.

This isn't some grey area where the details are difficult to ascertain. Everything is pretty clear; the enterprise app distribution service is most assuredly not for distributing apps that break the App Store rules to customers. This isn't difficult to understand, so I'm struggling to see where people are trying to find some sort of detail to exonerate two well-known, repeated rule breakers, violators of personal privacy, and altogether companies who think their size puts them above reproach.

I mean, when Apple makes a big screw up, everybody leaps on it, even when it's just based on unconfirmed (and sometimes fabricated, like the journalist reporting on conditions in the Foxconn factories) reports; but if it's Facebook or Google, somehow they're underdogs with clean records, deserving of the benefit of the doubt? I don't swallow it.

How about we all just pass judgement equally upon the big companies, Apple included, for their foibles? But let's also take into account when these companies have been caught red-handed before, and if the best punishment we could muster was a slap with a wet bus ticket, let's not umm and ahh about why they think they can get away with their behaviour, and not be at all surprised when finally someone takes a stand on their own territory.

If you're Facebook or Google you're used to being able to dictate terms to others. But there's always a bigger fish and in this case it's Apple.

They're outraged because they have no recourse. What they usually do to users or partners, dictate take-it-or-leave-it terms, is being done to them. They can't even complain to antitrust regulators because Apple is only lord of its own kingdom (which doesn't have market dominance).

If anything Google should be grateful Apple's support isn't as deliberately-shit as their own fake support system, they may yet resolve this instead of being banned for life.

Company-on-company support is an entirely different thing from customer support. These are developers with direct lines to one another. Google isn't filing a support ticket at an Apple Store.

Tell that to GSuite customers. The service can be... spotty.

I am one of said customers.

I think our support that we get is probably quite different than the support Apple gives to the developers of Google and Facebook, who make most of the top 10 apps downloaded from the App Store.

There's plenty of recourse - politics-like fights in the court of public opinion. Nice vulnerability you've got there, it'd be a shame if it started to go to the press instead of being disclosed to you first.

Such an action would result in extraordinary liability for a company. Public discovery would likely lead to consumer lawsuits, shareholder suits, replacement of the CEO, and shuffling of the board of directors. Not to mention possible criminal/civil penalties that pierce the corporate veil.

This would never be a direct action. But they don't have to go out of their way to inform either.

Do you think Facebook's right wing oppo research firm would balk about leaking a story that a competitor's phone is vulnerable? Absolutely not.

Merely leaking it would be of no consequence. They could even do it directly as a blog post from their security team. Attempting blackmail would be the trouble.

It's not blackmail. All you have to do is to get people to think there's no difference and that everyone is bad (just like "all politicians are bad" and "all cable companies are bad"). Then you don't have to have good service at all.

> Attempting blackmail would be the trouble.

The point being made is that the blackmail is unsaid and implicit.

I’m not an expert, but unsaid blackmail seems like a contradiction.

I worked for a small startup that abused the enterprise program in the same way. Originally it was to get around the tiny (at the time) number of beta testers allowed, which then was only 100 unique devices. They did this at my suggestion - we needed a lot of testers but we were capped. Over time the CEO started sending out enterprise builds to all sorts of randoms such as potential investors, journalists, family and friends. I warned the CEO that this technically was not allowed, but I could not find a single instance where anyone had been caught violating the program. CEO brushed me off and continued breaking the rules, even after TestFlight was acquired by Apple and the tester cap increased. The enterprise builds were simply way more convenient.

I have since left the startup, but as far as I’m aware they are still continuing with this practice.

Insider demos are still demos, so it's less of a big deal, and they're not doing something with the intention to circumvent app store rules.
