Pixel Envy

Written by Nick Heer.

WaPo Reporter Emphasizes Nondisclosure Agreements in Article About Apple’s ‘Find My’ Spec

Reed Albergotti, Washington Post:

During Apple’s annual developers conference last month, it announced that smaller developers would finally have access to its Find My app, a move that on the surface could appease developers who have asserted that Apple has too much power.

It turns out the announcement was not what it seemed, according to a secret Apple document obtained by The Washington Post.

Apple is notorious for its control over disclosure of materials, even internally, but there is nothing especially secretive about the Find My spec. Just about all materials provided to developers are subject to a nondisclosure agreement; by that standard, they are all “secret”. Albergotti seems to find that surprising and maybe nefarious:

But the details of the announcement — kept secret by a confidentiality agreement all developers were required to sign — tell a different story. A 50-page PDF obtained by The Post shows Apple has placed strict restrictions on how consumers will be able to use the app. Apple customers who use Find My to locate a device will be barred from using other competing services simultaneously, the document says.

[…]

Before doing so, developers had to sign an additional document called the “Limited License to Find My Network Accessory Spec,” which prevented them from sharing details about the new specification. The document threatened legal action by Apple against individual developers for speaking about it, according to a developer who downloaded the document. The developer shared the details of the document and spoke on the condition of anonymity for fear of being sued by Apple.

That developer said the confidentiality agreement was stricter than the ones Apple sometimes distributes along with prerelease software.

If you are an Apple developer, you can find both the nondisclosure agreement and Find My spec on the developer website. And, as an Apple developer, you will likely recognize the format of the NDA as being almost identical to that of any other Apple NDA you have previously signed. Neither is marked “Apple confidential”, unlike, for example, a Made for Apple contract. This arrangement is not unique to Apple, either, and Albergotti’s obsession with it has led to shocked and misleading headlines.

It also has nothing to do with the main story:

A 50-page PDF obtained by The Post shows Apple has placed strict restrictions on how consumers will be able to use the app. Apple customers who use Find My to locate a device will be barred from using other competing services simultaneously, the document says.

In the interest of accuracy, the document does not say that customers won’t be able to use competing services. As it is a developer-focused document, it says that devices made for the Find My network may not use other device finding networks. A user is able to use a Find My locating device alongside a locator supported by another service.

But that does seem limiting. It means that Tile, for example, cannot integrate with the Find My app and also use its proprietary spec. Products that do not adopt Apple’s Find My spec also do not get to take advantage of its more permissive access to background location activity. One reason for this could be that nothing would otherwise stop a third-party service from piggybacking on the always-running Find My service to get a person’s live location, creating an obvious privacy vulnerability. That’s why third-party services have restrictions on Bluetooth and location access in the first place.

Albergotti does not explore any of these avenues, opting instead to connect these restrictions to the ongoing pandemic:

The Bluetooth antenna limitation became a major issue for countries and states trying to build “contact-tracing” apps to follow the spread of the coronavirus. Because of Apple’s limitations on Bluetooth antenna use, the apps, which were meant to track when people were potentially exposed to the virus, did not work properly. Countries and states pleaded with Apple to allow full access to Bluetooth, but the company refused.

That link points readers to Albergotti’s previous reporting for the Post that misrepresented the restrictions placed on third-party users of location and Bluetooth access in Android and iOS. Perhaps it should have linked to this other Post article that explains how many contact tracing apps built outside of the framework developed jointly by Apple and Google often lack basic security protections and are sharing users’ location data without their consent. Given that, I find it much less mysterious why Apple is so strenuously guarding the use of its other always-on location-based service. Does it have a knock-on effect of disadvantaging third parties like Tile? I guess, though an Apple spokesperson told Albergotti that it offers a means of developing a locator product without having to build out a dedicated network.

This is yet another reason why strict privacy legislation is so badly needed. I don’t know that Apple would offer live location access to developers if it were confident that it wouldn’t be used in ways abusive to user privacy. I think it would; a more cynical person might think it would not. But if private user data were more strictly regulated, Apple would not have to make that choice; instead, users could decide, with less compromise.