Tuesday, November 22, 2022

Independent analysis debunks Apple's privacy and security pretexts--latest finding is that Apple's analytics data come with unique ID for each iCloud account, making users personally identifiable

In my recent analysis of the rule-of-reason balancing question in Epic Games v. Apple, I devoted a section to the correct definition of the term "pretext." Here's a paragraph from that section:

Of course, the most extreme case of a pretext--based on the example I gave--is indeed that it may be totally fictitious. But that's hard to come by in an antitrust context. Normally, it's just that the positive aspects of something are blown out of proportion and the downside is grossly understated, which distorts the ratio between good and bad.

When Apple claims that its tyrannical and extortionate strangehold on app developers is ultimately a good thing because of the overarching goals of privacy and security, and wants Epic's antitrust lawsuit thrown out and the Open App Markets Act (OAMA) not to be passed into law by United States Congress, there are different bases on which one can beg to disagree with Apple's position even if one doesn't doubt that certain rules are conducive to privacy and security:

  1. Balancing: The narrowest kind of disagreement is to accept Apple's privacy and security claims as true (and as relevant), but to conclude that the downside of restricting competition in mobile app distribution outweighs the upside.

  2. Competition is healthy: The balancing result in favor of open app markets may, in particular, be based on the conviction that at the end of the day, competition among app stores will incentivize improvements to the benefit of consumers (as Judge Gonzalez Rogers appeared to recognize during last year's trial), implicitly or explicitly rejecting Apple's paternalistic position that no one other than Apple--not even a company like Microsoft, which stands ready to compete and whose entry would be viewed favorably even by the King of Apple Bloggers, John Gruber--can take good care of consumers, and consumers are so stupid compared to Apple that only Apple's infinite wisdom can save them from the perils of the world.

  3. Irrelevance: One doesn't have to take any position on Apple's privacy and security claims if one simply determines that those attempted justifications are not procompetitive justifications (i.e., arguments that restrictions of competition in one area will lead to more competition in another). That angle was the one Epic's counsel emphasized at last week's appellate hearing ("you don't get to squash competition in order to differentiate your product"). He argued that Apple could still offer consumers a walled garden if those consumers elect to use only Apple's App Store and only Apple's in-app payments system.

    The illogicality of Apple's and some of its die-hard fans' arguments is that they believe Apple's restriction of choice means more choice, just like you could check in your human rights at an entrance and the fact that you can do so means more consumer choice. Apple and its fans argue that if Apple had to allow alternative app stores and direct installs (which it will have to--the question is just when it will happen in a given jurisdiction), some app developers would then choose distribution methods that do not subject them to Apple's rules. But that is competition, and if Apple could convince enough consumers to decline to use apps that are not made available on the App Store subject to Apple's rules, then the market itself would force app makers to meet those standards (if all else fails, by offering a second version of each app that conforms to Apple's rules, which is by the way a compromise I've advocated before).

    I continue to believe that the very best next step for Epic v. Apple is a remand to get the market definition right. Apple wants the district court's judgment affirmed, and Epic wants an entry of liability without a remand on the merits. I can see why either party wants what it wants, but still think the district court made its worst--and really inexcusable--mistakes in connection with market definition, which Circuit Judge Milan D. Smith, Jr. appears to have clearly identified as a fundamental problem.

  4. Self-preferencing and hypocrisy: This is the "rules for thee, not for me" issue. Apple subjects app developers to certain rules such as App Tracking Transparency (ATT), but applies double standards. And in this regard, Apple is losing a lot of credibility...

I've been following Apple closely for about 12 years now, and in my observation 2022 is by far the worst year in history for Apple's credibility. The eviction of Fortnite from the App Store in 2020 triggered some debate, and some of what came out as a result of the Epic v. Apple trial in 2021 was unfavorable, but this year--2022--is the one in which Apple has been exposed as exceedingly hypocritical.

It is not "par for the course" in lobbying, but an utter disgrace that Apple pays some lobbyists to falsely claim to represent the interests of small app developers while actually just echoing Apple's talking points, including the ones on privacy and security. That revelation may be the beginning of the end of ACT | The App(le) Association. Maybe that organization will silently shut down in the not too distant future. No policy maker will take ACT seriously anymore, and no litigant will find it difficult to get an amicus brief by ACT thrown out.

The Heritage Foundation also feels that enough is enough, and published a report last month on Big Tech's National Security Red Herring:

"Policymakers should reject specious Big Tech–funded national security appeals and instead consider antirust reforms on their merits."

To be fair, Apple is not alone in that: Google and Amazon are also called out.

Then, Kosta Eleftheriou, an indie app developer from California, has repeatedly exposed scam apps that passed Apple's App Store review. He continues to do so despite a recent settlement of his own case against Apple.

And now a Canadian-German development team named Mysk--Tommy Mysk and Talal Haj Bakry--has done more than anyone else to expose Apple's privacy pretext.

Mysk's Twitter account has become a "must follow" for anyone interested in mobile app store regulatory issues.

In October, @mysk__co showed that iOS 16 does communicate with Apple services outside an active Virtual Private Network (VPN) tunnel:

On November 4, @mysk_co provided strong indications that the App Store app on iOS 14.6 sends every tap that a user makes to Apple:

Four days later, Gizmodo picked up this story, as did other websites thereafter.

Another two days later, a class action lawsuit over privacy violations, specifically citing Gizmodo's coverage of Mysk's research, was filed against Apple in the Northern District of California as TechCrunch, Gizmodo, and others reported (this post continues below the document):

Case 5:22-cv-07069 by TechCrunch

Now @mysk_co has doubled down on this issue with new--potentially really damning--revelations, according to which Apple's analytics date come with an ID that uniquely identifies an iCloud account, which means Apple's analytics can personally identify users:

Here are some articles that covered Mysk's latest strike against hypocrisy--tracking users even when their privacy settings supposedly prevent it from happening--and I wonder how long it will take before the existing privacy lawsuit against Apple will be amended on this basis or one or more new cases brought):

As various commentators have said, the problem is exacerbated by Apple advertising privacy ("Privacy. It's Apple."), to lull users into believing that if they just rely on Apple, their privacy is ensured.

One can reasonably advocate the OAMA, and the Ninth Circuit could decide Epic's case against Apple, even without doubting Apple's privacy and security claims. But it's becoming increasingly difficult not to doubt Apple's claims in the first place.