Thursday, June 5, 2025

Apple Appeals EU Digital Markets Act Interoperability Rules

Benjamin Mayo (MacRumors):

Apple has appealed parts of the Digital Markets Act law citing user privacy concerns. Specifically, Apple is contesting the interoperability requirements that say data like notification content and WiFi networks should be made available to third-parties.

Apple says the DMA as written allows others to “access personal information that even Apple doesn’t see”. This is because features like notification rendering and WiFi network data are currently handled on-device and stored in an encrypted fashion, so Apple cannot see that stuff. However, the DMA does not necessarily require third-party agents who would be able to access this same data to commit to the same standards of privacy and security.

The implication is that, say, Garmin wants your personal information and Apple doesn’t. But I think Apple’s framing of this is all wrong. The companies don’t necessarily want your information either, and it’s not as if it would be shared without your consent. The real issue is that Apple is trying to lock people in by preventing them from even choosing to share their own data. If you could opt into sharing notifications of iMessages with third-parties, it would “hand data-hungry companies sensitive information.” But, in contrast, if Apple by default backs up actual iMessages and attachments to their server, not E2EE, somehow that’s “even Apple doesn’t see”? I’m sure there are aspects of the EU requirements that merit criticism, but I have little sympathy given how disingenuous Apple is being.

John Gruber (Mastodon):

To cite just one example, the Commission’s March ruling requires Apple to make AirDrop available to third-party devices, as though AirDrop was an open standard. (It also requires Apple to allow AirDrop to be replaced on iOS devices, like an interchangeable component, with third-party file sharing software.)

The part I saw was not saying that Apple has to open up AirDrop but that it has to allow third parties to build their own wireless file transfer solutions and that they shouldn’t be put at an API disadvantage vs. AirDrop. As with Tile, I don’t really see how such a non-built-in system would get enough traction, so enabling AirDrop competitors hardly seems like it should be a priority, but I don’t see it as harmful, either. I want to be able to install interesting third-party apps on my phone. “Something only Apple could do” should be about the amazing things that Apple can design and build, not about how it actively blocks others from competing and innovating.

The EC’s March mandate basically says that third-party devices must be permitted to do everything Apple’s own devices do when it comes to communicating or interoperating with iPhones and iPads, even if that requires allowing those third-party companies to install and run system-level background processes with broad privileges on iOS. In fact, as Mayo alludes to above, in order to have the same capabilities as Apple’s own devices do, third-party system software extensions might need broader privileges.

I’ve long seen that there are two ways Apple can comply with this mandate, if the EU court declines Apple’s appeal. The first is what most people are thinking, and surely what the European Commission’s bureaucrats are thinking: that Apple will somehow make all third-party devices as capable as Apple’s own when it comes to pairing with and communicating with iPhones and iPads. (And that when Apple is set to unveil new devices, they’ll share the details with third parties in advance so they can do the same things.) The second, though, is that Apple will limit its own devices in the EU and only in the EU to the same features available to third-party devices through open standards like Bluetooth. New features and entire devices will either come late, or never, to the EU.

Rui Carmo:

Considering I use [AirDrop] almost every day and that there are zero alternatives that actually work (remember when we had to use Bluetooth?), I am hardly amused.

I am even less amused by the fact that the EU has pretty much ignored more widely rampant abuses (off the top of my head, the way TVs are sending out advertising data or the way ISPs do traffic shaping and sell your data) while focusing on a feature that is actually useful and works well.

22 Comments


> remember when we had to use Bluetooth?
I actually do, and I don't remember any particular issues with that. Everything was slow and all that, but that's rooted in the hardware capabilities at the time. Software wise it's from a time when Apple embraced standards and iSync could and would want to sync all kinds of data w/ like Nokia phones.
AirDrop is great, but I don't think it is something that couldn't be done using open standards, or making one if required. Standards are harder, but they are good for the users. Apple once knew that.


Re: Mr. Carmo’s claim that there are no high-quality AirDrop alternatives, I can’t recommend LocalSend enough:

https://localsend.org/

Completely cross-platform, works incredibly well.


Someone else

Is it really fair to say Apple ‘sees’ your iCloud backups in any meaningful way?

Based on their privacy rules/policy, to ‘see’ anything, do they actually see anything in your encrypted backups unless there’s a court order/warrant, at which point I’ll betcha they just decrypt and hand the entire thing to law enforcement.

Apple probably doesn’t even look at the decrypted files unless paid to or forced to by the court (why would they? Why take on that risk and responsibility without an offsetting profit motive?)

That, in contrast to someone ‘seeing’ your nearby Wi-Fi and Bluetooth, notifications and their decrypted contents, etc. which would be amazing data for an ad targeting platform.

That’s not to say that the privacy stack is not also a barrier to smartwatch, etc. competition, but a platform sharing decrypted notifications vs Apple’s very restricted level of access to your iMessages is quite different.


@Someone else Apple’s code (running on your phone) already sees all the information at issue here. And on top of that, they store even more information on their servers (in the backup, which they can decrypt). This is supposed to be good because Apple probably chooses not to look at it, or they hand it all to a third party to look at? And they’re assumed to have good motives and not have an info-revealing bug or data breach?

But when Garmin’s code (also running on your device) sees even less data, after you’ve opted in, they’re assumed to have bad motives and it’s a “massive privacy and security risk”?

This is like when Apple made their own definition of “tracking” so that it doesn’t count if the owner of the App Store does it.


Gruber complaining that Apple would have to allow third parties to access Airdrop etc, as if that's a bad thing, rather than "don't threaten me with a good time".

Example, I need TouchID biometrics on my phone. FaceID is non-viable for me, for mask / sunglasses / art studio PPE reasons. So as of now, I have no iPhone in Apple's range that I can buy after my 2023 SE expires (sometime around 2030 if my last two iPhone lifespans are consistent).

I'd happily buy an Android phone that has fingerprint biometrics, except I rely on iMessage, and Airdrop.

Personally, I think Apple should be structurally separated, and forced to licence their operating systems on a FRAND basis to any hardware company.


> I don’t really see how such a non-built-in system would get enough traction

I’d say probably with Windows users that also own an iPhone, iPad and maybe a Mac.

There is a large chunk of functionality missing when Windows is involved.


"As with Tile, I don’t really see how such a non-built-in system would get enough traction"

In the same way WhatsApp gained traction: be cross-platform. That's all I want from this type of feature.

"The second, though, is that Apple will limit its own devices in the EU and only in the EU"

That would achieve the same result from the end-user's point of view: more people would switch to Android, making the issue of interoperability with Apple's devices less of a problem.


Hardik Panjwani

There are apps that are cross platform and do file sharing. So it is weird that EU would go after Apple for not opening up Airdrop.

If I remember correctly Jobs offered to make FaceTime open source so that everyone could use it but Google rebuffed that offer and look at the state of video calling on Google’s platforms today.

So making AirDrop open source because Google is dysfunctional does not really ring good does it? Especially when third party apps exist to solve the problem.

If the EU really wants to ensure Apple is competitive then they should look at things like why can’t iPad batteries be replaced and why does iPadOS not support multiple user login?


@Hardik That’s not what happened with FaceTime. Steve Jobs surprised his own team by announcing it would be an open standard when they actually had no intention or ability to do that.


"So making AirDrop open source because Google is dysfunctional"

I don't think anyone is asking for Apple to make AirDrop open source. Instead, they're asking that third-party tools like LocalSend be allowed to integrate into the OS so they can be as convenient to end-users as AirDrop is.

However, even if the intention were to provide third-party developers with options for interoperability with AirDrop, that would still not require open-sourcing AirDrop; it would require actions such as publishing protocol specifications.


It still baffles me that Apple can be compelled to do all of this. The message is clear: You can be successful, but not *too* successful, lest some government(s) will regulate your success. Be innovative, but not *too* innovative, lest you be forced to share your innovations with your competitors.

I still maintain that almost no one cares about this. I provide tech support to a building full of engineers (100-ish), and probably 70% of them have iPhones. None of them care, at least not enough to mention it. In my mother's branch of our family tree (so her + me and my siblings and below), there are 20 people who have iPhones, and I guarantee that I'm the only one who even knows about this.


"It still baffles me that Apple can be compelled to do all of this"

Probably because they are a corporation operating inside countries that have laws.

"You can be successful, but not *too* successful"

The problem isn't Apple's success.

"None of them care"

I don't care if somebody steals your money, but you're still entitled to legal protection.


Many of these laws have come along after the fact though.


Someone else

@ Michael Tsai
They hand over the decrypted data to a third party (our law enforcement authorities) with a legal demand — as any company would be required to do. Yes. Are they handing that data to a marketing firm? That seems to be what you’re implying?

More to the point: Are you expecting us to homebrew our smartphones?

I don’t see how you can use a device and use encrypted anything without Apple’s code seeing some of it. So I think that at the end of the day, yes, the (privacy) policy is everything. Apple CAN technically decrypt our stuff but they choose not to. Don’t want that? Use the advanced data protection privacy option (which didn’t exist until recently, but no doubt to satisfy people with your needs, journalists, activists, politicians who demand a higher-level of privacy. But the OS is still going to see your stuff at the display layer, right?)

Apple saying they don’t do something publicly, in their contracts, in their advertising, and most importantly, in their actions — yes, that’s how things work, legally speaking. And if they break those promises, then tort action: lawsuit. That’s how things work.

Other companies certainly don’t make that promise. I think that’s perfectly okay for Apple and others to point out.

This is not a binary.

There are plenty of greys between
- “I literally wrote my own OS (without relying on black-box code from third parties nor any open-source third party libraries that I neither have time nor ability to review for security) and have total end to end encryption security” and
- “E2E but then it’s displayed on the screen by someone else’s (Apple’s) OS” and
- “E2E in transit but multiple third parties, some of whom are shady in their privacy practices, are going to read all your decoded messages and log it in their marketing database” or even
- “E2E in transit but my AI can watch my entire screen at all times (and I can log it into my personal AI marketing profile that makes me vulnerable to more subtle marketing techniques via my AI chats)”

I think a good question to ask yourself: What has Apple done with all this data it supposedly has access to? Have they marketed using the contents of our emails? Our text messages? How about the contents of our photos? Our purchases? Our AI chats?

Other companies certainly have. Apple *may* do that in the future (it certainly could make a lot of money doing so)

I don’t get why we’re putting Apple with those other companies.

And like I said, Garmin and Pebble or whoever — yes, some people will willingly and with full understanding of the consent they’re giving, will give them access. Some people even do it with Google, Gmail, Google Search, Google Maps.

But I think it’s completely fair to point out that there’s less privacy when additional multiple people dip their toes into our data and behaviors, especially when Apple markets its products and people buy their products for their stance and practices on privacy.


Someone else

The Airdrop issue is, I suspect, that for other companies to provide Airdrop-like functions at the OS level, that they’d also need to be able to scan, detect, and respond anytime to nearby bluetooth devices.

So that’d be: (at least)
- ability to any-time scan for nearby bluetooth devices (get their MAC ID bluetooth equivalent), get their distance/signal strength
- ability to any-time respond to pings from other devices asking to make a connection
- ability to create background processes to do the response — probably a battery-drain risk.
- Create ad-hoc connections over wi-fi (since bluetooth is too narrow and unreliable a pipe for big data transfers)

Those are actually pretty significant requests.

This is all quite similar to AirTags. There’s nothing special about AirTags’s bluetooth detection… any app can detect bluetooth devices (with permission)

What’s special is that it’s happening all the time in the background by devices that are even in an ‘off’ state (a Mac laptop with very low battery that’s still broadcasting a bluetooth ID).

So that’s why Apple created a system-level app for generic tags, but not giving ability to create their own background processes, and probably also denying detection of non-tag devices (that’s what I’d do).

Tile used to do the app-only version when they first launched. (Something to note: I believe Google’s implementation of bluetooth device tracking is actually more private than Apple’s — second-mover advantage, perhaps).

Similarly, Airdrop functionality can be done at the app level — I believe I’ve seen many apps that do this — but you and someone else need to be running the app so you can detect each other (after you give the app the permission to scan for nearby bluetooth and network devices) — but it can’t be ‘always on’ the way Apple does it (same with the AirTags detection network).

So the issue here is, I think, accurately: privacy, battery, which is also gatekeeping at some level (gatekeeping to prevent third party apps from using up the battery, for sure).

Apple rarely explains this technical stuff in the public, though. It’d probably be a losing strategy. Perhaps they explain it to the regulators. Jobs’s open letter on Flash was probably as close as I’ve ever seen to a technical explanation that made sense to the public. I can’t imagine them doing that for each smaller issue. (also better to be vague and vision-oriented than to get caught contradicting yourself with unnecessary details)


@Someone else I don’t think Apple is selling the data to marketing firms, but they really don’t have a lot of credibility here. They have a long history of secretly collecting data, opt-out switches that don’t work, VPNs that don’t work, broken privacy promises, on-device scanning, hiding government requests from customers, weasel definitions, etc. And, yes, they have lost in court on some of these issues. But they have good privacy marketing…

> Are you expecting us to homebrew our smartphones?

No, my point is that Apple’s statement was ridiculous given that their code does see everything. It’s a double standard that they can say they don’t look and they get to ignore the documented cases where they violated their own policies. Yet when it comes to another company, we don’t get to look at their privacy policy and assess their track record; it’s preemptively assumed that they’re a bad actor and so customers should be forbidden from trusting them.


Someone else

* And Apple’s gatekeeping can also absolutely benefit itself. At the very least, opening up APIs and supporting/defending against external non-trusted developers takes time and money — a cost-center, not a profit-one.

I’d also argue though that Privacy and User-desire-for-safety-of-a-managed-environment are their strongest arguments right now

Likewise, encouraging-smaller-but-still-quite-large-businesses is Europe’s tech companies’ strongest argument.


Someone else

@ Michael Tsai

The other big companies are Google and Meta. We know their track record and they’re both marketing companies. I hope we can agree that their privacy record and business model is in stark contrast to Apple’s.


@Someone else There are billions of people who choose to use Google and Meta’s products. Apple’s argument is that we should overrule all those customers and also throw the baby out with the bathwater and block all the other companies, too.

Meta’s record is worse, but I kind of have less of a problem with them because it’s no secret what they are. They don’t act all high and mighty about privacy and fail to back up their words.


Hardik Panjwani

@Plume I have used LocalSend and it seems quite well designed to me. Shows up in the share sheet and all, seems just as convenient as airdrop. Can you kindly explain how it could be made better?

@Michael I did not know Jobs’s comment on FaceTime was off the cuff. What would he have done if Google had said yes? Tricky situation that.


"Can you kindly explain how it could be made better?"

As far as I know, AirDrop can wake up nearby devices, and devices are discoverable even when the screen is turned off. AirDrop can also directly manage WiFi networks to establish peer-to-peer WiFi connections between devices.

"I did not know Jobs's comment on FaceTime was off the cuff. What would he have done if Google had said yes?"

Said yes to what? That had nothing to do with Google. What Jobs said was:

"Now, FaceTime is based on a lot of open standards, H.264 video, AAC audio and a bunch of alphabet soup acronyms, and we're gonna take it all the way. We're going to go to the standards bodies, starting tomorrow, and we're gonna make FaceTime an open industry standard."

He said nothing about open-source, and Google had absolutely nothing to do with this at all.


Hardik Panjwani

@Plume I have never seen AirDrop do peer to peer wifi. I thought it piggybacked on mobile data if wifi was not available. Anyways, it’s need with everyone for 10 minutes after the China thing. Having a 3rd party app be more powerful than the built in feature is better for us.
