Hacker News new | past | comments | ask | show | jobs | submit login

> By not providing 3rd parties access to email, Apple makes themselves not only the controllers of the physical devices and also over the full identity of their users.

No they're not. They're preventing third parties from accessing your data. You can communicate with your customers just fine; it's just that if you sell their data (or get hacked) the email you get is useless.

> it's just that if you sell their data (or get hacked) the email you get is useless.

The parent commenter is correctly pointing out that Apple would be able to disable the email for other reasons as well.

Also, this is probably ment to further lock users into the Apple ecosystem.

It's not like you can ask Apple to forward emails to your own email server if you decide that you no longer want to use Apple.

Which is provably false. (1) AppleID email address doesn’t have to be iCloud mail; they’ll be forwarding to my mail server in the first place. (2) iCloud account is free, whether or not you decide to stop using Apple devices doesn’t affect that. (3) They said Sign in with Apple will be available on non-Apple platforms. (4) I doubt third parties can’t offer an option to decouple Apple entirely if you so choose.

You can also provide your own email address. The choice is yours. Which threat do you think is greater?

I think Apple shutting down your access is a legitimate concern. Yet Apple is the only one who has taken any steps to protect the customer here. The reality is we are unlikely to see other major competitors to Apple find a better alternative because their entire business is built on exploiting user data.

And 3rd parties who create a similar system are unlikely to be successful because they don’t have the clout to convince websites to incorporate them.

Until they remove the forward to your inbox?

Your gmail, Hotmail, yahoo inbox ! Who can disable your account for some undisclosed slight

If you can see the forwarding address, then you could probably somehow contact the company to switch your account. Not extremely secure and would require more validation than simply knowing the random bits of the address, but doable.

You can access iCloud email through IMAP/SMTP on any operating system you want, just like you can access the calendar through CalDAV and the address book through CardDAV. Apple isn’t Microsoft.

By that logic Apple can disable your iPhone for other reasons etc etc

They absolutely could technically. The more important questions are:

- Is there a big enough reason to motivate them to do so?

- If given a "legitimate" justification, would they?

If either of those are "yes" then the question we need to know is: "Is there any appeal, oversight, etc?"

This is how it starts.

I think the concern is that Apple could exert influence over third party apps/networks because they control access to all Apple users. That problem doesn’t really exist when it comes to Apple disabling entire iPhones of certain users.

This would be a customer action — it affects one person. Unless you’re implying they’d disable the phone of every user of a certain app or something to that effect.

With these emails they could trivially, and surgically, cut off a developer from every customer. It is a one-to-many action that also has no obvious other side effects (unlike bricking users phones).

Not sure where I stand with this, but wanting to point out that the added powers this gives Apple are very real and different from the ones they had before (again, maybe this is a good thing, but it’s undeniable that it is a different thing).

”it's just that if you sell their data (or get hacked) the email you get is useless.”

It’s just that whenever Apple decides so, the email you got becomes useless.

Apple is judge, jury and executioner, and it makes the laws. That is problematic.

Only if the customer wants them to be. If the customer wants to give you their real email address, they are free to do so. If they choose not to give that to you, but you want to contact them anyway because you think you know their desires better than they do, well... that’s exactly why this is needed.

If Apple decides to cut off a developer, it doesn't matter what their customers want. Unless they had the foresight to bypass the default and use their real e-mail, there is no way for users to prove their accounts belong to them without Apple's co-operation. Their access to their accounts is entirely at Apple's mercy and there is (by design) nothing the developers can do to avoid this.

Right, there’s nothing the developers can do to avoid this. Because it’s the users making the choice. They choose to give Apple this power, or not. You are essentially arguing that they will choose incorrectly, and that developers should be able to force them to choose correctly because users won’t think it through. By a strange coincidence, the “correct” choice is also the one that allows developers to track and spam users.

Here’s a crazy idea: if you don’t want your users giving you a private forwarding address, give them some reason to trust you with their real one, instead of saying they’re idiots who don’t know what’s best for themselves.

You're advocating for the users to make their choice at the worst possible time. There's no reason to give a new app special trust when you sign up with it.

But if you come to trust the app, and Apple excommunicates it, should you need to rely on Apple to help you reestablish your own contact with it? That won't work -- Apple already demonstrated that they don't like that app.

That's why makomk's complaint is

> there is no way for users to prove their accounts belong to them without Apple's co-operation

rather than "I should be able to get customer emails from Apple regardless of what the customers want".

You could always allow users to provide their real email address later on so they can establish ownership directly.

The authentication using OATH and the email forwarding of aliases are two separate but related services.

If Apple for some reason doesn’t allow the app maker to use the OATH service, I doubt very seriously that they will cancel the email forwarding without the user specifically turning off the forwarding.

At that point both the user and the app provider both have generated email address.

> I doubt very seriously that they will cancel the email forwarding without the user specifically turning off the forwarding.

Where's this confidence coming from? If Apple sees it fit to prevent you (the developer) from accessing your Apple specific userbase for any reason / violation, other people seem correct in their theorization that there's nothing you can really do as the developer.

Not implementing this new "Sign in with Apple" will also probably be interpreted as not being privacy friendly by the users, a developer can't really have that either.

Pretty much the definition of being stuck between a rock and a hard place.

How is this not completely true of every service?

If Facebook sees it fit to prevent you (the developer) from accessing your FB specific user base for any reason / violation there is nothing you can really do.

If Google sees it fit to prevent you (the developer) from accessing your Google specific user base for any reason / violation there is nothing you can really do.


If Gmail sees it fit to prevent you (the developer) from accessing your Gmail specific user base for any reason / violation there is nothing you can really do. Gmail already does this occasionally by quickly blacklisting non Gmail senders in their spam filters.

Not really a completely fair comparison. With FB / Google, most people at least have the hope of migrating away using setting the email / phone (Google provides this, FB doesn't) as username.

If Apple tells you to take a hike, and then subsequently disables the email redirect -- you're completely SOL. You'd have no way to reach out to the user anymore, unless you took other identifying bits of info. And if you did that anyway, that defeats the purpose of AppleID to begin with.

Most users will probably not even be tracking what autogenerated email they're using, hence you no longer have a way to reliably reconcile what user had which account.

Regarding the GMail specific case though, I fully agree. Being banned by GMail is a company ending thing.

Apple said that they are going to allow the user to disable an auto forwarding address. I’m assuming there would be some way for the user to see a list of app -> email address associations.

> Where's this confidence coming from?

Probably from the fact that disabling these email addresses would be a distinctly user-hostile move. If Apple determines that the developer is actually a malicious entity who slipped malware past the App Review process, then it might be reasonable for them to disable the forwarded emails as well as a malware vendor has no legitimate reason to talk to "users", but beyond that specific scenario, cutting off the email address harms the users who signed up for that service. For example, if the app actually represents a web service, and Apple determines that the app shouldn't be in the App Store for whatever reason, blocking "Sign In With Apple" (which is distinct from removing the app from the app store) and cutting off the email address means the user has no way to recover their account even though the service is still active, just without an app. There is no reason for Apple to take this step as it benefits nobody and only serves to harm Apple user.

I agree, the move is user hostile and the bad PR wouldn't likely be worth it for Apple. Social media shaming is a real thing, and I'm glad for that.

I'll even go one step further and say that I personally don't think Apple will do it unless under extreme circumstances.

The thing is though, business continuity assessment still points to adopting Apple login to be a bad idea. You never really know when you'll find yourself in hot water with one of your vendors, especially a vendor who's a LOT more powerful than you.

The aliased email address is assigned to the user. Saying that Apple would take away the users email address would be like saying that Apple would delete user data for an app it banned.

Whether Apple will exercise the power or not is another debate entirely.

I agree with the group that's (rightfully, imo) concerned about handing over this amount of power over their business to any 3rd party. There's a real potential for abuse.

And handing over your users data to known privacy hostile companies like Facebook and Google who have abused their power isn’t?

How is that different from signin with FB or Google?

FB and Google allow the app to request the user's email. If the user is happy to provide it, then they can then tie the user's account to that email, and allow the user to log in with that email even if FB or Google cuts the application off.

How is this any different from Google or Facebook or Twitter cutting off access to any site/application? Do you believe the developers in those cases would have a much better chance of resolving the issue than with Apple?

That sounds like a great feature. I would love for the ability to make an email address inactive after I sign up.

The percent of times I want to recieve email communication from something I have to sign up for is very close to 0.

Get your own domain through someone that has an email service that supports aliases. Every sign up can have a different address. It's like $10 per year and you're email is not at the mercy of whatever mega-corporation owns your email.

Any suggestions on which provider to use?

IMO, it depends on how many mailboxes and aliases you need. Providers like Fastmail charge by the mailbox (with up to 600 aliases for each). Same with Runbox, Mailbox.org, etc. (the number of aliases varies). Migadu provides unlimited domains, mailboxes and aliases for a fixed price that decides how many outgoing mails you can send everyday from all mailboxes in that account.

I use FastMail like this. They support both catch-all (comapny@domain.com) and user-specific forwards (company@user.domain.com -> user+company@domain.com) for domains with multiple users.

As the people above mentioned, look for one that supports a catch-all address. It makes it very easy to manage. You can even respond using a real "DoNotReply" account and the alias as the "replyto" address for the rare occasions you do want to reply. Yes, Google Apps does this well, but there must be others.

Google Apps works great for this. You can also setup a catch-all account and not need to pre-configure the aliases in advance.

What about resetting your password?

Every big company has their own laws. G,F are abusing and Apple is providing the solution and I think it is far better than what we have.

I think the question is, is it more problematic than the current situation, whereby users wholly distrust companies with their data, because those companies have shown again and again that they can not be trusted with it? I’d say no.

That’s one possible question. Another is whether an even better remedy exists.

For example, do we need the ability for Apple to delete the link between a company and all their users in one sweep, or is it sufficient to make it easy for individual users to cut such ties?

If the latter, could we remove that giant master switch, or move control of it to a third party?

(I haven’t watched the video, so, possibly, that giant switch doesn’t exist. Skimming https://developer.apple.com/sign-in-with-apple/get-started/ didn’t tell me that, either)

> That’s one possible question. Another is whether an even better remedy exists.

There is, it's called IM2000 where email becomes a pull-based system instead of push-based (so users would have to consent to spam, and spammers have to store their spam to send it in bulk). Unfortunately, despite many attempts to switch over we're still stuck on the current incarnation of SMTP.

Looking it up, it removes so many advantages of email, such as I don’t lose old mail when your now defunct IM2000 ISP goes out of business.

There also isn’t an easy transition from now — I can see exactly why we’re “stuck” with what’s actually a pretty great last bastion of decentralization on the Internet, for all its warts.

You could always use IMAP to sync your email as normal. The advantage of IM2000 is that it just changes the server-to-server protocol (with some changes for how clients send emails).

But yes, the transition would require replacing SMTP so once again we're stuck on a system that is terrible enough to grumble about but not terrible enough to change.

(I would also argue that Matrix is becoming a new decentralised system for the internet, as well as ActivityPub depending on who you ask.)

If a better remedy exists someone else can build it. Nobody is forcing us to use Apple products/services.

The commenter is saying that Apple controls the email address and forwarding too, so you cant actually communicate with your customer if they don't want you to.

If you trusted the company enough to give them your email address directly, I'm sure you would've done that. This is a great move. I get so much spam and I'd like to be able to not get it if I don't want it. Long after I've moved on from a service they are still sending me emails to get me back or to do some other transactions with them.

Yes, and that's simply not true (if you want to be communicated with). You can communicate with the address just fine if you configure your email properly. The only "issue" is that there's a shortlist of valid from emails that you as a company need to configure before sending me an email. Dunno about you but insofar as I'm concerned: please f'ing sign me up for the same everywhere else! And just for clarity in case anyone reading thinks I'm some privacy concerned lunatic: I'm a marketer.

This is not about configuration. Apple provides a proxied email and controls the forwarding. They can disable that and prevent the company from sending anything to a customer. What part of that is not true?

It’s not true in that this is not mandatory. Users are free to provide a non-private or even a non-Apple email. Apple only has as much control as your users give them. If you think that’s bad, maybe you should consider why those users don’t trust you.

As a user I value this debate because it highlights a pitfall I had not considered. I suspect many people will not not immediately think of the downside to going through apple

Almost anything is better than getting spammed by whatever service of the week you signed up for.

By that logic, Google controls Gmail and they can control access to your email.

As I understand the original commenter's position it is that:

1. when your business is on the app store it can be difficult not doing whatever Apple wants you to do because not doing what they want you to do can come close to destroying your business. This has often been compared to being a hostage of Apple.

2. If you suddenly decide to stop paying the Apple tax or if Apple decides to ban you - cutting you off from new business - it can certainly be problematic and can kill many businesses but you could theoretically keep going because you could have a customer base you inform of your decision and tell them to download your app from your homepage instead of the app store etc. In short - in the event of Apple not liking you anymore you can communicate with your customers.

3. In this new setup if Apple does not like you anymore you cannot tell your customers hey Apple doesn't like me anymore.

Thus Apple increases its ability to hold your company hostage and thus I do not believe it is the same logic as Google controls Gmail unless when selling an Android app Google only allows you to do so if your customer has a Gmail account.

Yes, that's also a problem that people have brought up several times in other stories. Google/Gmail has outsized control, is a major source of spam, and changes or breaks email standards whenever they want.

Centralization of communications is not a good thing and it's worth discussing whether we're going in the right direction.

Not the same:

Google does not have a mapping between an application and email address the customer used in that application. Also Google is not really enticing a customer not to provide the service provider any email address other than the ones in the mapping.

FastMail, ProtonMail, or an AWS server upon which your run your own email can also be disabled by the owner of that service. Unless you run your own on-premise server, that risk always exists. And even then, your ISP could block your server. There comes a point when the paranoia gets unreasonable.

You can switch your DNS and move your mailbox, but you have no control over Apple's proxying service.

I suspect that GP originally wrote "so you cant actually communicate with your customer", to which I answered in the next minute, and later added "if they don't want you to." (If not, my mistake for misreading.)

This version is deplatforming is going to be oh so much fun.

Is that true? If the only email address that a company has for a user is a forwarding address created through Sign In, wouldn't Apple banning the company from the App Store presumably also cause them to get rid of the email forward, meaning that nothing the company sends will actually reach the customer?

If a company is abusing Apple's users I'm sure that they could?

But you're right, it does give Apple power, just the same power that has already ceded to Facebook and Google through their logins.

The reality is that companies need to understand that user's are sick and tired of being spammed, and are rightly annoyed by needing to provide every company with their email address for no good [to the user] reason.

I think the difference is that with a Facebook or Google login, companies could also easily just require that they get permission to see the user's email address (which isn't super uncommon to see with OAuth logins), so they wouldn't need continual access to OAuth after the first login (unless a user switched to a new email address and stopped checking the old one, which I think is somewhat rare).

I totally agree with your point that this is arguably a good thing, though; although I don't personally own or use any Apple products, there are fairly few services I'd want to sign up for that I'd want to ensure that they had my real email, and I'd be happy to make sharing my email address an opt-in choice rather than the default.

Or, you host a video site like YouTube, you’re not aggressive enough in controlling “hate speech,” and Apple boots you from the platform. How, as a user of this app, am I supposed to re-establish control over my account?

Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact