No they're not. They're preventing third parties from accessing your data. You can communicate with your customers just fine; it's just that if you sell their data (or get hacked) the email you get is useless.
The parent commenter is correctly pointing out that Apple would be able to disable the email for other reasons as well.
It's not like you can ask Apple to forward emails to your own email server if you decide that you no longer want to use Apple.
I think Apple shutting down your access is a legitimate concern. Yet Apple is the only one who has taken any steps to protect the customer here. The reality is we are unlikely to see other major competitors to Apple find a better alternative because their entire business is built on exploiting user data.
And 3rd parties who create a similar system are unlikely to be successful because they don’t have the clout to convince websites to incorporate them.
- Is there a big enough reason to motivate them to do so?
- If given a "legitimate" justification, would they?
If either of those are "yes" then the question we need to know is: "Is there any appeal, oversight, etc?"
With these emails they could trivially, and surgically, cut off a developer from every customer. It is a one-to-many action that also has no obvious other side effects (unlike bricking users phones).
Not sure where I stand with this, but wanting to point out that the added powers this gives Apple are very real and different from the ones they had before (again, maybe this is a good thing, but it’s undeniable that it is a different thing).
It’s just that whenever Apple decides so, the email you got becomes useless.
Apple is judge, jury and executioner, and it makes the laws. That is problematic.
Here’s a crazy idea: if you don’t want your users giving you a private forwarding address, give them some reason to trust you with their real one, instead of saying they’re idiots who don’t know what’s best for themselves.
But if you come to trust the app, and Apple excommunicates it, should you need to rely on Apple to help you reestablish your own contact with it? That won't work -- Apple already demonstrated that they don't like that app.
That's why makomk's complaint is
> there is no way for users to prove their accounts belong to them without Apple's co-operation
rather than "I should be able to get customer emails from Apple regardless of what the customers want".
If Apple for some reason doesn’t allow the app maker to use the OATH service, I doubt very seriously that they will cancel the email forwarding without the user specifically turning off the forwarding.
At that point both the user and the app provider both have generated email address.
Where's this confidence coming from? If Apple sees it fit to prevent you (the developer) from accessing your Apple specific userbase for any reason / violation, other people seem correct in their theorization that there's nothing you can really do as the developer.
Not implementing this new "Sign in with Apple" will also probably be interpreted as not being privacy friendly by the users, a developer can't really have that either.
Pretty much the definition of being stuck between a rock and a hard place.
If Facebook sees it fit to prevent you (the developer) from accessing your FB specific user base for any reason / violation there is nothing you can really do.
If Google sees it fit to prevent you (the developer) from accessing your Google specific user base for any reason / violation there is nothing you can really do.
If Gmail sees it fit to prevent you (the developer) from accessing your Gmail specific user base for any reason / violation there is nothing you can really do. Gmail already does this occasionally by quickly blacklisting non Gmail senders in their spam filters.
If Apple tells you to take a hike, and then subsequently disables the email redirect -- you're completely SOL. You'd have no way to reach out to the user anymore, unless you took other identifying bits of info. And if you did that anyway, that defeats the purpose of AppleID to begin with.
Most users will probably not even be tracking what autogenerated email they're using, hence you no longer have a way to reliably reconcile what user had which account.
Regarding the GMail specific case though, I fully agree. Being banned by GMail is a company ending thing.
Probably from the fact that disabling these email addresses would be a distinctly user-hostile move. If Apple determines that the developer is actually a malicious entity who slipped malware past the App Review process, then it might be reasonable for them to disable the forwarded emails as well as a malware vendor has no legitimate reason to talk to "users", but beyond that specific scenario, cutting off the email address harms the users who signed up for that service. For example, if the app actually represents a web service, and Apple determines that the app shouldn't be in the App Store for whatever reason, blocking "Sign In With Apple" (which is distinct from removing the app from the app store) and cutting off the email address means the user has no way to recover their account even though the service is still active, just without an app. There is no reason for Apple to take this step as it benefits nobody and only serves to harm Apple user.
I'll even go one step further and say that I personally don't think Apple will do it unless under extreme circumstances.
The thing is though, business continuity assessment still points to adopting Apple login to be a bad idea. You never really know when you'll find yourself in hot water with one of your vendors, especially a vendor who's a LOT more powerful than you.
I agree with the group that's (rightfully, imo) concerned about handing over this amount of power over their business to any 3rd party. There's a real potential for abuse.
The percent of times I want to recieve email communication from something I have to sign up for is very close to 0.
For example, do we need the ability for Apple to delete the link between a company and all their users in one sweep, or is it sufficient to make it easy for individual users to cut such ties?
If the latter, could we remove that giant master switch, or move control of it to a third party?
(I haven’t watched the video, so, possibly, that giant switch doesn’t exist. Skimming https://developer.apple.com/sign-in-with-apple/get-started/ didn’t tell me that, either)
There is, it's called IM2000 where email becomes a pull-based system instead of push-based (so users would have to consent to spam, and spammers have to store their spam to send it in bulk). Unfortunately, despite many attempts to switch over we're still stuck on the current incarnation of SMTP.
There also isn’t an easy transition from now — I can see exactly why we’re “stuck” with what’s actually a pretty great last bastion of decentralization on the Internet, for all its warts.
But yes, the transition would require replacing SMTP so once again we're stuck on a system that is terrible enough to grumble about but not terrible enough to change.
(I would also argue that Matrix is becoming a new decentralised system for the internet, as well as ActivityPub depending on who you ask.)
1. when your business is on the app store it can be difficult not doing whatever Apple wants you to do because not doing what they want you to do can come close to destroying your business. This has often been compared to being a hostage of Apple.
2. If you suddenly decide to stop paying the Apple tax or if Apple decides to ban you - cutting you off from new business - it can certainly be problematic and can kill many businesses but you could theoretically keep going because you could have a customer base you inform of your decision and tell them to download your app from your homepage instead of the app store etc.
In short - in the event of Apple not liking you anymore you can communicate with your customers.
3. In this new setup if Apple does not like you anymore you cannot tell your customers hey Apple doesn't like me anymore.
Thus Apple increases its ability to hold your company hostage and thus I do not believe it is the same logic as Google controls Gmail unless when selling an Android app Google only allows you to do so if your customer has a Gmail account.
Centralization of communications is not a good thing and it's worth discussing whether we're going in the right direction.
Google does not have a mapping between an application and email address the customer used in that application. Also Google is not really enticing a customer not to provide the service provider any email address other than the ones in the mapping.
But you're right, it does give Apple power, just the same power that has already ceded to Facebook and Google through their logins.
The reality is that companies need to understand that user's are sick and tired of being spammed, and are rightly annoyed by needing to provide every company with their email address for no good [to the user] reason.
I totally agree with your point that this is arguably a good thing, though; although I don't personally own or use any Apple products, there are fairly few services I'd want to sign up for that I'd want to ensure that they had my real email, and I'd be happy to make sharing my email address an opt-in choice rather than the default.