In this follow-up to last week's post on Apple's approach to software and services, we discuss Apple's macOS privacy scandal and the new App Store policy.
In November 11’s inaugural State of Hardware post, I detailed how Apple’s approach to software and services is strangling innovation and stifling human creativity. This includes how Apple restricts default apps, cripples competing technologies, prohibits desktop-class features, curtails personalization, and offers false promises of privacy. You can read last week’s post here.
A new issue of State of Hardware will be published every Sunday. This week’s post is an add-on to Part 1. In the last several days, two significant events have occurred that are worth discussing immediately. Therefore, I’ve delayed Part 2 of the series until next week!
On November 12, virtually all modern Mac users found themselves unable to open third party applications for a few hours. This was troublesome, as macOS delivered no error messages – apps just kept jumping up and down in the Dock, attempting to open. Some users restarted their computers, expecting that the problem was occurring locally. It was not.
Savvy users quickly determined what was causing the problem. Apple computers were communicating to a centralized Apple server, sending a small amount of data about the programs that users were attempting to open. The server was not functioning properly, and Apple computers were patiently waiting for a response.
I, and the majority of Apple users, was unaware of this behavior – I did not expect that Apple would be checking with a centralized server before allowing me to open an app on my Mac.
It was quickly determined that users could employ a firewall tool called Little Snitch to deny the connection to ocsp.apple.com. This worked because if macOS cannot connect to the server, it allows the app to open. Similarly, turning off WiFi, opening the app, and re-enabling WiFi was also quickly identified as a workaround.
In last week’s post, I focused on issues with iOS. But this macOS scandal raises important concerns about privacy and freedom in the macOS ecosystem.
The Privacy Angle
Security researcher Jeffrey Paul wrote a fantastic, widely-shared post detailing the implications of Apple’s server failure. If you have not yet read it, please do so here.
Because it does this using the internet, the server sees your IP, of course, and knows what time the request came in. An IP address allows for coarse, city-level and ISP-level geolocation, and allows for a table that has the following headings:
Date, Time, Computer, ISP, City, State, Application Hash
Apple (or anyone else) can, of course, calculate these hashes for common programs: everything in the App Store, the Creative Cloud, Tor Browser, cracking or reverse engineering tools, whatever.
This means that Apple knows when you’re at home. When you’re at work. What apps you open there, and how often. They know when you open Premiere over at a friend’s house on their Wi-Fi, and they know when you open Tor Browser in a hotel on a trip to another city.
“Who cares?” I hear you asking.
Well, it’s not just Apple. This information doesn’t stay with them:
1. These OCSP requests are transmitted unencrypted. Everyone who can see the network can see these, including your ISP and anyone who has tapped their cables.
2. These requests go to a third-party CDN run by another company, Akamai.
3. Since October of 2012, Apple is a partner in the US military intelligence community’s PRISM spying program, which grants the US federal police and military unfettered access to this data without a warrant, any time they ask for it. In the first half of 2019 they did this over 18,000 times, and another 17,500+ times in the second half of 2019.
This data amounts to a tremendous trove of data about your life and habits, and allows someone possessing all of it to identify your movement and activity patterns. For some people, this can even pose a physical danger to them.
This is a privacy nightmare that has further shaken my faith in Apple. As a Mac user, when I opt out of analytics and data collection, I expect that my actions on my computer are private. I understand that on most actions on the Internet, my data is being collected. But I expect that a purely local task – like opening an app on my desktop – would be private! Launching a VPN, for example. Or a Bitcoin wallet.
Even worse, this personal data is being transmitted to Apple unencrypted. This means that my ISP, and any government agency snooping, knows exactly what applications I am opening on my Mac.
Apple has subtly responded (in a new section buried at the bottom of a support article) by promising to encrypt the data, stop logging IP addresses, delete existing logged IPs, and offer a way for users to opt-out of this reporting. I’d like to see a more professional, candid response from Tim Cook addressing these privacy concerns.
The Freedom Angle
As Paul Graham aptly pointed out in 2005, Macs made a comeback because they combined great design with an open, Unix-based OS.
If you want to attract hackers to write software that will sell your hardware, you have to make it something that they themselves use. It's not enough to make it "open." It has to be open and good.
And open and good is what Macs are again, finally. The intervening years have created a situation that is, as far as I know, without precedent: Apple is popular at the low end and the high end, but not in the middle. My seventy year old mother has a Mac laptop. My friends with PhDs in computer science have Mac laptops. And yet Apple's overall market share is still small.
– Paul Graham, Return of the Mac, November 2009
Sure, Apple places a huge restriction on macOS – it can only run on Apple-made hardware. But unlike in iOS, Apple largely did not restrict what users can do with their Macs. I believe this is slowly changing.
In the new macOS Big Sur, for example, Apple has changed how VPNs work. Security reacher Patrick Wardle detailed how some Apple-native apps and services – those shipped with the OS – can bypass most VPN and firewall apps, including Little Snitch.
Ars Technica posted a good overview here.
In addition to harming privacy and opening the OS to exploits, Apple is clearly beginning to (1) restrict how apps can run on macOS and (2) give its own applications special treatment. This is a slippery slope.
The Mac is becoming more closed. Over the next few years, will Apple force macOS apps onto the App Store? Will Apple prevent unsigned apps to be installed from third party developers? (It already makes this difficult.) Will running macOS require constant communication with Apple’s servers? Luckily we are not there yet, but I am worried about this long-term trend.
App Store Changes
Thursday’s bombshell news was Apple’s introduction of its Small Business Program, which halves the Apple Tax to 15% for the first $1M of developer revenue. This NYTarticle by Jack Nikas gives an excellent summary. Tweet thread below:
Famed Apple critic and Basecamp CTO David Heinemeier Hansson responded on Twitter. I recommend clicking on the Tweet below to read through his entire thread.
I don’t have much to add. I think it’s clear that Apple is separating the developer ecosystem into two groups, largely for PR reasons:
- Very small businesses that represent 98% of all developers but only 5% of App Store revenue.
- Larger businesses that represent only 2% of developers but 95% of App Store revenue.
By helping the little guys, Apple is attempting to claim the moral high ground and appease the vast majority of its developer ecosystem, while attempting to dismantle arguments from Epic Games, Basecamp, and so many many others.
I believe this new Small Business Program is just a distraction. It is clever PR but it’s virtually meaningless from a revenue perspective. It will have no impact on Apple’s bottom line, nor will it impact successful iOS app developers. It amusingly creates perverse incentives, smacking app developers that achieve $1M in revenue with a 100% fee hike. And it’s complicated and confusing, requiring that developers apply to the program instead of automatically reducing fees for the first $1M.
This Apple tax stuff is simply a major distraction from more important issues. As I wrote last week:
Apple’s 30% App Store tax is well documented and discussed. Coalition for App Fairness estimates that Apple generates over $15B per year in revenue from fees on app purchases and in-app payments. We can argue that this fee is too high and we can argue that developers should be allowed to implement alternative purchase methods. We can file antitrust cases against Apple and we can publicly pressure them to reduce this fee. Some of these efforts may be successful. But does this address the true problem?
I believe the Apple tax distracts us from the major issue: the harsh technical restrictions that Apple places on third party apps and services. These restrictions make it difficult for entrepreneurs to compete with Apple’s native offerings, ensuring that their apps will always be handicapped.
Last week’s post, therefore, still stands! Next Sunday we will dive into an exciting topic: hardware and accessories in the Apple ecosystem. See you soon!