So as long as Google's competitors remain in business, we'll probably at least have some alternatives that take privacy seriously.
And there's nothing preventing Google from leveraging Youtube/Gmail/Search to push out other browsers which have tracking protection. Youtube already plays less well with Firefox. Gmail isn't exactly snappy on Safari either.
In most other cases I could agree there may have been nefarious intent, but as someone who's followed web components for a while I think YouTube just made a bad technology bet -- that being rewriting their front-end in Polymer v1, which was based on Web Components v0. Jumping the gun on an unratified standard is risky, and this example shows why.
Mozilla's financial dependence on Google is still a major challenge, which they'll hopefully be able to fix before push comes to shove.
Microsoft unfortunately did not seem to be able to financially justify the maintenance of their own engine - though then again, their bet appears to be on Windows integration rather than tracking protection.
Plus @icloud.com email service
> Mozilla's financial dependence on Google is still a major challenge, which they'll hopefully be able to fix
I honestly do not see how. Sticking to Safari for now.
Their approach relies on acquisitions (Pocket) or partnerships/experiments (Scroll).
The language used by them when referring to Google has changed quite a lot in the past year or so.
The only ones I'd pay for is email hosting, search engine and paid clean browser app in iOS and Mac stores. Neither exists. Ahh, and paid uBlock Origin for Safari :)
Nothing except antitrust laws...
> Our current anti-tracking mitigations in WebKit are applied universally to all websites, or based on algorithmic, on-device classification.
> If a party attempts to circumvent our tracking prevention methods, we may add additional restrictions without prior notice. These restrictions may apply universally; to algorithmically classified targets; or to specific parties engaging in circumvention.
Is this trying to say that WebKit will now apply restrictions to specific parties that the project feels is circumventing tracking prevention? I'm all for these features, but only if they're applied evenly and in a clear way. The solution to circumvention should be mitigations against bypasses, not selective enforcement :/
This is in contrast to Mozilla and Edge tracking protections, which are based on block lists to a significant extent. The disconnect.me list is likely to be trustworthy, but ultimately it is manually curated. We've tried to stay away from using lists like that.
Knowing Apple is willing to protect my privacy is one of the main reason I stick to it and not to Android (despise the fact I love the unix/linux like ecosystem) or (f@ck@ng) Windows.
Even the browser vendor has to be held to the same high standard (or even higher) of being completely open and transparent about what they and when they do it.
Of course, you can disable auto-update, and then you're likely to be remote-controlled by someone you didn't choose.
The benefit of making the list public is that blocking tech is in some sense of the word censorship. The public needs to know who is being blocked to ensure transparency and to ensure that WebKit is not using their blocking technology nefariously.
I wonder how source incompatible these are? Is it difficult to backport? Because KHTML was LGPL the source must remain available. Or is it just that these are API incompatible?
Both groups still watch each other's changes, but it's very rare that a patch would apply cleanly.
A third party is any party that does not fall within the definition of first party above.
This policy doesn't distinguish between companies that own multiple top level domains. I understand that it may be technically hard to figure out but at the policy level are two domains owned by one company really third party to each other?
Are example.com and example.us really always different first parties? What about apple.com and iCloud.com? Or those redirect chains that happen after logging into google such that login cookies are set on youtube.com and whatnot?
It does say 'in practice' but I feel like this is mistaking a technical limitation that it's hard to know if two TLD's are controlled by the same legal entity for a policy.
Anyone choosing to mix and match also has the resources for some minor duplication of effort.
Or they could just do it all service side.
One conversation-starter folks are discussing is https://github.com/mikewest/first-party-sets
The same way with bosch.com and bosch.dev. One is a famous tools manufacturer, the other is a web developer.
It is impossible to guess the entity behind domain names by only the domain name.
For example, GitHub controls DNS for *.github.io so if they wanted to track people across all GitHub Pages, they could.
Also, the Public Suffix list isn't something that needs to be polled every time. It is reasonable for browsers to cache it for several days even.
If WebKit fully implements what they're describing here then GitHub should not be able to use their control of *.github.io to track people across those pages.
A: a browser visits both foo.github.io and bar.github.io
B: one browser visits foo.github.io, another visits bar.github.io
Both should look identical to github.io, client side and server side.
(This is not the case today, but my reading of the policy is that they consider all the ways in which it is not the case to need fixing.)
What are you thinking other than IPs? Everything else should be under the browser's control.
Also, there are also many people that are not behind a NAT. I've always had a public IP address at home, for example. Plus NAT may become less used because insert rant about NAT and IPv6.
Anyway, it's good that browsers make all they can to ensure privacy :).
The public suffix list historically has been opt-in. If you look at the (human readable) https://publicsuffix.org/list/public_suffix_list.dat you'll see:
// GitHub, Inc.
// Submitted by Patrick Toomey <email@example.com>
The main problem with a DNS-based system is just that you would need to get everyone to switch to it, and figure out what to do in the mean time. If ".io" or someone doesn't set the DNS flag then that's a major security issue for everyone under it.
I found .co.de, (co|com).cc, and .pro.aw missing after a minute of searching. Going to try to find more after work. Instead of having a nice free lunch break now I have to email some people...
In fact, this WebKit Tracking Prevention Policy explicitly states that third-party login is implied consent for the third party to identify the user as having the same identity in these multiple places.
(BTW requestAnimationFrame should give you precise callbacks at the screen's refresh rate, and is probably better than using timer-related APIs.)
Anyway, the reason I brought up timers is that things like getting the screen's refresh rate, or measuring how long a canvas render takes with a particular font, (etc.) are all data points that can be used in a fingerprinting profile. I worry about the negative impacts of mitigations against those kind of measurements. I don't think it's possible to catalog all the various routes by which data could be inferred by timing. If things like this are in the scope of what Webkit is trying to prevent, I'm fairly nervous.
Off topic, but just for some game industry perspective: often we don't want to sequence exactly at the refresh rate (especially if it's variable or frames are being dropped) in contexts like logic loops or physics simulations that need to happen at specific frequencies regardless of how quickly frames are drawn. For example, synchronizing a client "tick rate" with a game server's requires millisecond precision.
As for Spectre, we treat it primarily as a security threat. It can admittedly be privacy invasive but it would be awkward to use it for tracking.
It just seems somewhat wrong that a browser with a huge market share doesn’t use any standards / rfc process and invents new ways of blocking tracking / breaking agreed upon specifications from release to release in isolation.
We'll be doing more stuff in standards first / in parallel now that more browsers are actively engaged in reducing tracking.
A lot of the more extreme thing we'll only do for sites that we've classified as a tracker. Other browsers put identified trackers in all kinds of penalty boxes that aren't fully defined by standards yet. (We happen to do the identification using machine learning instead of a curated block list.)
If social.example links to blog.example, limit cookie storage to 24 hours, no matter what is in the link.
At the very minimum it aligns incentives better for developers to think about these things.
And with IPv6 privacy extensions IP addresses will also be less useful for server-side tracking.
But most will be OK with their servers running Google, Amazon, Oracle BlueKai and Facebook code, the scariest ones by amount of data.
I recall these extensions are just optional. How many implementations actually implement these extensions? I recall Windows 10 had this broken for a year and almost nobody noticed...
I'm currently imagining a future where publishers start to just redirect iOS traffic to install their app, where they can actually make money. Good news for the walled garden, I guess?
I mean, maybe the answer is that those ads were only profitable because of the novelty factor and now that we have metrics we know they don't work, or at least don't work anywhere close to how much they cost. But I do miss things like the webcomics running their own ad network, Google's textual ads based solely on the search query, even the text ads on Read The Docs from a few years ago, etc.
Also I assume / hope that iOS ads aren't tracking people either; third-party cookies simply have no equivalent in the iOS app sandbox design. (And in-app ads tend to be abysmally targeted in my experience, at best "You're playing a mobile game? Try this other mobile game with even more in-app purchases!") So why wouldn't similarly untargeted web ads work too?
Basically the print magazine model.
But as businesses wanted to advertise to larger populations (we want to do a $10million ad spend, how many little phpforums are we going to have to reach out to before spending all this money?) and websites grew larger audiences (how many companies are we going to have to reach out to before we start making a profit?) the overhead was too high.
The model now is, any company can fork over whatever budget they have to an ad network, and websites can serve as many ads as they want and everyone gets the reduced overhead of just dealing with the middle man.
So that's what I think happened.
And also TV, as it is still today. Oh, and every other form of advertising basically. If advertising without invading user privacy is so bad (as the perpetrators are rationalizing it), how come all other forms of advertising are still a billion (trillion?) dollar business worldwide? Just makes one wonder.
You're lucky to get a fraction of that now. Advertisers get a much lower cost through AdSense and a ton of metrics.
You forget to factor in the time you spent to build the e-mail list, write a nice e-mail and send it, and repeat that every once in a while when people cancel. And you have to track payments, see if someone's credit cards runs out so they fail to renew the subscription, etc.
And let's not forget the fact that there was almost no competition - for businesses who didn't want to spend the time to research the Internet, the decision was most likely between advertising on your website or not advertising online at all.
BTW, you can still do that. I still go out, research and get people to advertise directly. I split the ad space on my website into premium and "regular" sections depending on page traffic and actual place on the page (header, footer, etc.). Premium has banners manually checked and contracted, hosted on the same domain as the rest of website's content, so no ad blocking and content very relevant to the website. The rest of space is filled with Google Ads. Premium banners earn about 5x more than Google Ads, but require that I maintain it. Google Ads just run without me having to do anything.
Non-contextual advertising still exists, but it's perceived as less effective, so there's a lot less money in it. I don't know if that perception is correct, but I do remember back when a common complaint from people was that the ads they saw weren't relevant to them.
It's also not just targeted advertising that will be affected. Without any sort of user tracking, it will be even harder to prevent fraud. No one wants to spend money showing ads to bots.
> Also I assume / hope that iOS ads aren't tracking people either; third-party cookies simply have no equivalent in the iOS app sandbox design.
You might want to look into the Apple Advertising Identifier.
As far as I’m aware, the current state of advertising is people either being too creeped out by ad suggestions to buy anything or still feeling like they’re getting bad recommendations.
I never googled it searched or said anything in Facebook. Since the day after I requested this from the agent. I’ve had window restricters and grills show up in Facebook advertising.
I find it creepy that what’s app is meant to be private and encrypted when clearly it’s not.
Given the massive revenues that advertising generates, how could you think this judgement (which I'm sure accurately reflects how _you_ feel) applies universally?
It's entirely possible for most people to find advertising either useless or creepy and for significant amounts of advertising revenue to nonetheless exist. And even if ads work some small fraction of the time, they can still be genuinely profitable for the advertisers.
Bots can watch TV, somehow TV ads work. Newspapers have audited circulation, it wouldn’t be that hard to have a website visit audit company to verify “circulation.”
And to take the exercise one step further: "Didn't people make the internet worth being on before it was feasible to make money off of it? What happened to that?"
Why not just flip the model from eyeballs and clicks to actual ad effectiveness? Newspaper car ads have this down to a science. They don’t count “clicks” of their newspaper ad — they see how many customers come in asking about a car in the ad.
If I have an airplane website and someone wants to advertise to people who like airplanes. I can suggest a price of $1000 and if the advertiser wants to spend the money, they do. I might charge $1000 because I have a lot of visitors or just because I want to. That’s the price I set for whatever reason I set it. If an advertiser doesn’t want to spend that, they can choose not to. If they want to measure effectiveness, they can do it by offering viewers of that ad a discount code or something. When the code is used, they know they got that customer from my ad. Once they’ve validated that their ad “works” and the acquisition cost works, then they’ll keep paying my rate — no bot influence at all. No real chance of fraud because there wouldn’t be any money in it. Publishers would actually have an incentive to sell your product because they want to justify their ad rates. No need for tracking either.
Advertising works and it can be both more effective and privacy-respecting. Ad-tech has turned vast swaths of the Internet into a cesspool. It doesn’t have to be like that.
If you are a publisher and have actual content humans care about, ditch the ad networks and start selling your pixels directly to relevant advertisers.
The problem is that the incentives for fraudsters and publishers are aligned under the current model: more clicks equals more money, the actual advertiser who is selling something gets to pay that fraud tax. Perhaps advertisers should start seeking out relevant content and offering to buy space directly, refusing to deal with “networks.” Their acquisition costs would go down, that’s for sure. Harder to scale, but so what, you have a higher yield effort for a lot less money.
Good luck with direct ad sales, unless you are a large company with a large ad sales team and correspondingly large budget.
Yeah, the old web was in many ways better than the new web so I'd gladly lose ads and go back to the old web in the process.
A man can dream.
You want people to pay, make them pay. If you worry about ad-driven competitors, then maybe this should serve as a good argument to advocate instituting regulations against funding services with ads.
What else are they "tracking"? Does YouTube have tracking on other sites (like Facebook, Twitter etc)? I haven't seen anything like that.
You can switch the history off, I presume that would work even without Premium, but it never occurred to me to even try it since I definitely want history.
but the error here is conflating a tool with a legal person. Google will track me no matter how much I pay them for any of their services, including YouTube.
the situation at the moment is that no-one believes that a corporation who offers a free service is going to not track you because you pay for the premium version. so (a) I'm not going to pay Google or Facebook to get the premium version since it is not going to be untracked and (b) Google and Facebook aren't going to detrack their premium services since no-one believes that's going to happen anyway - the value add is removing ads/playing with the screen off/etc not the absence of tracking.
the best you can do is pay a third party to offer you some service Google or Facebook offers for free, thereby reducing your exposure. for instance, Google surely knows the content of many emails sent to me, but not all of them, since I pay for email from another provider; or I'm strongly considering paying for a substitute for Google docs, except that I don't like unpredictable monthly USD payments.
I personally think a better way to sell YouTube Premium wouldn't be to focus on just the ads, yes that should be a part of it, but consumers have shown they want certain things in particular (via Patreon):
1. A way to support their favourite creators (adblock whitelisting proves people care more about creators than the downsides of ads - I do for sure)
2. A way to get exclusive content in return, or maybe just a shoutout.
Super Chat is one of the best things YouTube has ever done in this regard. It's amazing how much money flows through to creators when they do live-streams & premiere events.
A lesson can be learned from Steam's fight with piracy wrt ad-free versions. You've either got to:
1. Make it an easier sell to purchase YouTube Premium than to get AdBlock (not-likely)
2. Make a significant value-add for the premium offering "be a better service than piracy".
The problem is that YouTube's not been doing too well with option two, and they're simultaneously making their advertising products a worse sell for business customers.
I'm very interested to see how they adapt to the changing market though.
And trust Google, Ad company, to erase it in its backend?
People are maybe less willing to pay for something they’ve been using for free (with ads) for years.
And yet, my eyeballs looking at text with less text than a tweet is worth 21 USD. It feels like Google disrupted, but it’s far away from being optimal for companies.
...unless you are magically immune from advertising?
I’m not saying ads don’t work. I’m saying Google Ads are ready to in turn be disrupted.
Especially with bots running amok...
Other users react differently to that advertiser and/or you may click once every few years to bring in $1,000 advertising revenue for them on a very high-margin item.
They are working on ways to do anonymized personalisation/attribution/etc. The current Safari Technology Preview has someting called Ad Click Attribution API, for example.
Then they start offering micropayments, and iOS users are such a gigantic market, who Apple already micro-charge for Apps, and who’ll pay good money, that every publisher jumps on board immediately.
Removing tracking will take some profitability off ads but eyeballs are always going to be valuable.
Some might? The situation has been getting worse for the past 1-2 years, so this is just another nail in the coffin. There are different strategies here: subscriptions, micropayments, premium/free content split, <stick anything that Guardian tried to do here...>
Less creepy, and genuinely useful forms of targeting exist (e.g. contextual targeting). There's just not enough momentum in the AdTech industry to shift. These could work just fine.
In other words, what WebKit is trying to achieve is good news for us.
Publishers so far seem to have given up on the higher CPMs coming from non-targeted ad calls on Safari. Additionally, they would be more than happy to skip ads completely if a different, stable source of revenue existed. There's a bunch of startups dealing with monetising publisher content without ads (Scroll, Blendle, etc...).
Is that what you want? Most of human culture behind app based paywalls? No more archive.org content to preserve. Micropayments everywhere?
Can you imagine the cognitive burden of continuously, always, purchasing stuff? Of the effect on the have-nots for whom deciding to pay money for commodity content vs immediate needs is a much more important decision?
Hit that ecosystem and you get a recession. However it doesn't stop at the recession. Most VCs are funding hundreds and thousands of startups with the hope that one of them is going to get sold to Google or Facebook or Amazon or any of the Advertising Cash Cow business. Dry that tap and you'll have VCs pulling money from Tech.
Now, there is glut of Programmer supply and a severe lack of investments. Not dissimilar to 2008.
A kid goes out and breaks random windows in people's home; as a result, a lot of economic activity ensues - the glass producers, the people who produce glass cutters and specialized tools, the people who install windows, the cleaners who specialize in cleaning broken glass, etc ...
The ad industry is breaking everyone's windows. It does indeed produce a lot of economic activity; But it is more likely than not "misallocation and waste of funds" when looked at in a broader context.
Again, HN will not understand the side effects of destroying a major ecosystem. They all think they are much smarter and can stand on their own and VC money has no effect on their livelihood and it's their superior linux skills that keep them making tons of money
That would cost a few pennies in engineering skill and we might even find cures to things that might kill us or our loved ones.
But no, we’re throwing these opportunities away trying to be the next overvalued IRC skin.
I am really curious what the web itself (outside of apps) will look like in a world where the quality of content and services implodes because of the inability of publishers to generate revenue to pay for it. You may have your privacy, but you may also not have much left to do on the web. This is definitely a “be careful what you wish for” scenario.
Noone begged those companies to try to turn the Internet into a profit center, or to chew up enormous bandwidth and energy costs after being sold a foolish dream about targeting adverts.
The quality of the content was already being shared by millions of talented and thoughtful people. Because that's where the talent arises. Then your investors did for the internet what the music business did for music.
Oh, but that wasn't enough. After the ads, collecting and selling personal data to anyone came along. Regardless of millions of voices saying stop. Now the stream was not just full of trash, but flowed with multiple toxins.
A pox on all of them. I'd like to see all commercial interests limited to a very short list of TLDs. Then let's watch and see the mass migration. Let's call it 'choice'.
What about the independent blogs?
It’s everyone else who makes click bait ad spam that will suffer; and frankly, why should we care?
Gmail isn’t going to disappear.
Kotaku or TechCrunch might... or maybe some of those spam cooking sites. ...but, seriously? The whole internet exist because of personalised tracking > big marketing spend?
You’re vastly overstating the case here: yes, there would be some impact, no it wouldn’t really make a big difference at this point.
Maybe if you go back in time, it would, but you can’t, so it’s a mute point.
What’s important is where we want to go from here, and personalised ad tracking driving content farms of fake cooking videos isn’t really the ideal “endstate” for the internet imo.
...even if some spammy companies I don’t like end up going out of business, along with some companies I do like.
You're joking about the "quality content" part, right?
What would fail is the likes of the fashion industry, such as Instagram influencers peddling Nike sneakers and cosmetics.
This blog explains how to get Windows builds from the WebKit Build Archives on S3 that require Apple Application Support.
 7-zip the iTunes installer to extract & install just AppleApplicationSupport.msi https://www.apple.com/itunes/download/win64
We've worked really hard to implement a embedded experience via an iframe, but it's becoming increasingly difficult for our software to walk on egg shells as to not trigger it being labelled as a tracker (as it is definitely not, we only utilize localstorage for storing authentication details). Combine that with the fact that without using cookies, there isn't any way for us to support AMP sites, which often incorrectly labels us as a third party tracker.
edit: I do realize that the WebKit Tracking Prevention Policy essentially is a guide of how it works, I'm mostly interested in a "this is how to work within these defined walls to not be flagged as harmful"
What makes me even more happy is that this helps to eliminate the argument stating that 3p cookies can be replaced with heuristics/non-deterministic targeting.
So, instead of assigning resources to just another way of targeting users (e.g. hacks, fingerprinting) a developer/PM can already say that these approaches will be prevented in the exact same way. Any further work in this direction would be pointless.
Ideally, we'd put more focus on contextual targeting, which is arguably more useful, significantly less creepy and less dubious from the ethical point of view.
I just wish Microsoft moved in the same direction with IE. So far they've been more quiet on that subject than Google. That's wishful thinking, I know.
There are ways to make GA work around these limitations, but it requires more work than just dropping it in.
Really makes you think what really drives the underlying narrative for such initiatives at corporates if not sabotaging competitors? OpenDNS founder, u/davidu, pointed out that DNS over HTTPS, something that takes aim at trackers and advocates privacy, also, in fact, had support of BigAdTech .
The content blocker ecosystem has been fighting the dragnet for a long time without expecting anything in return save for examples like Brave and Adblock. It'd be a shame to see those subject to embrace, extend, extinguish.
> And we will create new web technologies to re-enable specific non-harmful practices without reintroducing tracking capabilities.
I wonder what this means. Another standard that AdTech can rally behind? Or, Apple's way of wrestling control away from AdTech? Remember, not long ago Apple disallowed 3p browsers for a long time, on AppStore...and they are likely going to act as gate-keepers here, as well?
> we will typically prioritize user benefits over preserving current website practices. We believe that that is the role of a web browser, also known as the user agent.
Where have I heard that before? 
And now... what about apps on AppStore? When do we get anti-tracking measures there? Pretty soon, would be really great, because that's a present and clear danger, in my eyes, wrt privacy... but one that hurts Apple's bottomline?
I'd wish Apple encouraged a secure plugin based ecosystem to flourish in the AppStore, so that folks could write content blockers that block apps from doing as they please . I understand the security implications (for healthcare and financial apps, for instance) and the ability to get this right in face of spyware but in my own naïve way I feel this a decisive way to signal the intent that Apple is a privacy-first company.
 With VPNs a lot of content can be blocked already, but that's at the network level. It'd be great to have something at the runtime level, like WebKit here is trying to do.
> Apple has been aggressively pursuing each avenue and closing them off.
That is key. It is all Apple.
VPNs can be a powerful mechanism too, and you can see third party VPNs come up with solutions that are way more aggressive at blocking trackers than Apple . And from what I know, Apple makes it hard for such VPN apps to flourish. Not long ago, they kicked Adguard and Malwarebytes out  (though they now let them back in).
It’s a tough problem because there’s no way to verify what’s happening on the other end of the VPN during the app review process, and even if there were its too easy to change how the VPN operates to pass review and then flip it back afterwards.
Website analytics should not rely on cross-site tracking. Breaking any cross-site tracking ability of GA is unambiguously good for users.
> Google Ads conversion tracking
Apple already proposed a mechanism of privacy-protecting click attribution. If Google doesn't want to use that, it's because they don't respect your privacy. Again, unambiguously good for users.
> Using same login across different sites like Gmail & YouTube
The only way this is "broken" that I can see is the user has to log in separately to each site. Which seems fine to me. In fact, this is a good thing; just because I log into Gmail with one account doesn't mean that's what I want to use for YouTube.
Interactions with other parties are considered third-party, even if the user is transiently informed in context (for example, in the form of a redirect). Merely hovering over, muting, pausing, or closing a given piece of content does not constitute an intention to interact.
Navigational tracking is tracking through information controlled by the source of a top-level navigation or a subresource load, transferred to the destination.
It sure sounds to me like Apple intends to block YouTube’s trick. Transiently redirecting to a domain to install a first-party cookie seems like an unambiguous attempt to circumvent third-party cookie restrictions.
If I want Google ad tracking on my phone, I have a bewilderingly large selection of Android phones to choose from, all of which run on the same mobile networks as my iPhone, work with the same Internet, and all of the apps I consider part of my mobile workflow, like my PagerDuty and my banking app, are available on Android as well as iOS.
I’d say it’s hard to use the words “monopoly” and “Apple” in the same sentence. They don’t have a monopoly in phones, tablets, laptops, desktops, wearables, streaming music, data storage, messaging, calendars, productivity apps, or anything else that I can think of.
Monopolies abuse their power. Apple abuses its power. This doesn't make Apple a monopoly but it isn't any less of a problem.
Apple has been consistently making it harder to make money off iOS users without sharing that revenue with apple.
Furthermore, they don't allow side loading of apps, their own apps have special api's that their competitors can't use, etc.
I could go on and on.
> The exclusive possession or control of the supply of or trade in a commodity or service
Since Apple has, at most, below 50% market share in developed countries (and a much lower market share in developing countries), they do not possess a monopoly on the smartphone market.
If we compare Google's marketshare in end user email, video hosting and search, we can see Google is a lot stronger in many markets, than apple is in their best market.
(I wish I could use an iPhone, but having to use Mac OS for development is a real turn off, considering how sucky Mac OS, in my view, has ever been.)
Buying a mobile for your personal use means you have to develop for it?
The chances of anti-trust law returning to an interpretation that protects competition under the current judiciary are nil.
Apple doesn’t have an “ad network”.
But let’s not be overly idealistic, the vast majority of revenue in either App Store is from games and most of that is from in app purchases of coins, gyms, loot boxes etc.
But what you say is correct having another store would dent apple revenue would be loss of investors.
Individually, I support Apple's decisions around enforcing privacy on the web. However, Apple's decisions when taken as a whole is making it incredibly difficult for a company to generate revenue from iOS users without sharing some of that revenue with Apple. Whether this makes Apple a monolopy I do not know, but it's certainly less clear of a good thing than their privacy efforts.