Pixel Envy

Written by Nick Heer.

Archive for September 10th, 2021

An Open Letter to Tim Cook on Why Apple Should Compromise With Antitrust Regulators

Roger McNamee, in an open letter in Time:

At this point, antitrust intervention in Europe, the U.S., or both is almost certain. By refusing to engage with the legitimate concerns of policymakers, Apple is risking its core security and privacy brand to protect business practices that are not essential to its future.

[…]

It is a strategic error for Apple’s lobbyists and surrogates in Washington to argue against every new antitrust law targeting the tech industry. Apple has made itself a target by being incredibly successful and by adopting communications strategies that mimic tech giants whose anticompetitive behavior is substantially more damaging. Apple is almost certain to lose something, but there is still room to protect your most valuable assets. There may also be an opportunity to gain competitive advantage. Google’s Android operating system has roughly 85% global share in smartphones and smart devices, so robust antitrust intervention against Google may give Apple an opportunity to gain market share in its most important business.

This was published yesterday; even though the judgement in Epic Games v. Apple was handed down today, I think it holds up well.

If there is some ambiguity as to what rules the permanent injunction permits Apple to create around in-app purchases, my hope is that the company uses this as an opportunity to ease off a little. I am not saying that I expect this to happen — today’s judgement indicates that Apple has little reason to stop pursuing its existing App Store strategy, with only the aforementioned exception. But a world in which Apple is not in an antagonistic role with developers is a better one for everyone, assuming that Apple can maintain or improve upon iOS’ privacy and security reputation. These fights are just noise.

Judgement Issued in Epic Games v. Apple

A couple of weeks before WWDC this year, arguments wrapped in Epic Games v. Apple. Judge Yvonne Gonzalez Rogers took the summer to sort through the mountain of testimony, emails, and contracts and now, just a few days before Apple is set to launch new models of iPhone, Apple Watch, and AirPods, the judgement has been handed down.

You know what the weirdest thing about it is? The nearly two hundred page order is very readable and well-written, but the injunction ordering Apple to scrap the last sentence of the first bullet in App Store rule 3.1.1 leaves plenty of ambiguity over what developers can do and what Apple must allow. This will undoubtably be clarified with time, but it is the only part of the result that creates more questions than it answers. Apple is apparently interpreting it as requiring the company to, in effect, apply its settlement with the Japan Fair Trade Commission to all apps, not just Apple’s “reader” app category. That means the anti-steering App Store policies will be removed within three months. But it may not mean that Apple must permit alternative in-app purchase options.

It is strange to see many stories framing this result as a win for Epic Games, too. It is undoubtably big news that Apple’s anti-steering rules are going away, but that seems like a moderate sacrifice for the company to retain the vast majority of its App Store model— a real cut off the nose to spite the face result. Apple is calling it an affirmation of the App Store’s success.

Sara Morrison, Recode:

As for Epic’s other claims, Gonzalez Rogers said the company “overreached” and couldn’t prove that Apple was a monopolist. That doesn’t necessarily mean that Apple isn’t a monopoly, nor that another plaintiff couldn’t make a better argument that it is. Gonzalez Rogers added: “The trial record was not as fulsome with respect to antitrust conduct in the relevant market as it could have been.” The 30 percent commission Apple takes on most subscriptions and in-app purchases, she said, “appears inflated” and was “potentially anticompetitive.” But, since Epic wasn’t challenging the amount of the commission (only the fact that there was one), she wasn’t able to rule on it.

I will repeat what I wrote in May: Epic was a bad plaintiff. It did what plaintiffs do: go for the biggest plausible case and hope to settle somewhere in the middle. But Epic did not gamble well, and is unsatisfied with this ruling — understandably, as it now owes Apple several million dollars. I understand there are many developers who were hoping for an outcome more favourable to them, but a better case needs to be made.

The judge’s order shows the limitations in how competition law is currently interpreted by the courts. Apple may be operating almost entirely within those laws, but lawmakers seem increasingly keen to reduce the power of companies like Apple and Google. Expect more on this front, and not just because Epic will appeal this ruling.

WhatsApp Encryption Hullabaloo

Earlier this week, ProPublica caught some flak for an article it published about WhatsApp’s message flagging processes. In summary, ProPublica argued that WhatsApp’s marketing promises about end-to-end encryption were misleading because messages are forwarded to contract moderators when users report a chat. That obviously does not require encryption to be broken or undermine the promises of it being “end-to-end”, but the muddy messaging travelled.

After publications as respected as the Daily Mail picked up the poor interpretation, ProPublica issued what it deemed an “update” but which some Twitter users demanded be called a “retraction” of the original article. I had not read the original story at that point — I have a day job, you know — so I had to wonder how significant the differences were. Using FileMerge, I compared the earliest version in the Wayback Machine to the latest.

I think ProPublica is accurate in calling this a clarification and not a retraction. Most of its original story remains intact, and the little that did change only emphasizes that the moderators only see and review messages that are reported. That detail was present in the original, but it was buried in a longer paragraph.

That is one of the problems with the story as a whole, in fact: it is, in the words of Ted Han, “trying to do too much”. Almost none of the story is about the encrypted contents of messages; instead, it is about their unencrypted metadata:

WhatsApp metadata was pivotal in the arrest and conviction of Natalie “May” Edwards, a former Treasury Department official with the Financial Crimes Enforcement Network, for leaking confidential banking reports about suspicious transactions to BuzzFeed News. The FBI’s criminal complaint detailed hundreds of messages between Edwards and a BuzzFeed reporter using an “encrypted application,” which interviews and court records confirmed was WhatsApp. “On or about August 1, 2018, within approximately six hours of the Edwards pen becoming operative — and the day after the July 2018 Buzzfeed article was published — the Edwards cellphone exchanged approximately 70 messages via the encrypted application with the Reporter-1 cellphone during an approximately 20-minute time span between 12:33 a.m. and 12:54 a.m.,” FBI Special Agent Emily Eckstut wrote in her October 2018 complaint. Edwards and the reporter used WhatsApp because Edwards believed the platform to be secure, according to a person familiar with the matter.

But that is just one of the many stories in this rather dense article. ProPublica’s reporters on this story — Peter Elkind, Jack Gillum, and Craig Silverman — seek to tie together: WhatsApp’s moderation practices, including detecting child exploitation; the company’s privacy policy changes since it was acquired by Facebook; Gen. Michael Hayden’s statement that the U.S. government “kill[s] people based on metadata”; Apple’s CSAM detection efforts; and Facebook’s attempts to improve the privacy of its other services while also expanding its WhatsApp business possibilities. That is a lot to cover in a single article and, predictably, nothing really sticks.

The strange thing is that there has long been a glaring privacy loophole in WhatsApp’s systems that these reporters could have touched on: chat backups are not encrypted. While an investigator with a search warrant may not be able to see the contents of WhatsApp messages from Facebook, they can absolutely gain access through Apple or Google. But that is changing soon with some news Facebook announced today.

Manish Singh and Zack Whittaker, TechCrunch:

In the “coming weeks,” users on WhatsApp will see an option to generate a 64-digit encryption key to lock their chat backups in the cloud. Users can store the encryption key offline or in a password manager of their choice, or they can create a password that backs up their encryption key in a cloud-based “backup key vault” that WhatsApp has developed. The cloud-stored encryption key can’t be used without the user’s password, which isn’t known by WhatsApp.

A reminder that iMessages may be end-to-end encrypted, but iCloud Backups contain the key to decrypt stored messages. A good rule of thumb remains that cloud storage should not be treated the same way you treat a local hard drive. If you have reason to be concerned that your cloud backups might be compromised — this does not have to be for illegal or nefarious reasons — use local backups only.