This only cements the power of US big tech like Google and Facebook.
And it sets the stage for the next big applications of the web all being built outside the EU as well.
Here in Germany, everyone is afraid to start a web startup. And if they do, they spend endless amounts of energy on agonizing over the GDPR and how to build useful international services without using international tools. We sanctioned ourselves by making the use of foreign SAAS illegal.
If you are in the EU, try out surfing the web via a non EU IP once. It is an eye-opening experience. No cookie banners! Only Europeans have to deal with those.
But it gets worse: Look at European websites from a US IP. You do get cookie banners. European companies deal with degraded user experience, slower build time and worse monetization. On a worldwide basis. While the rest of the world only applies these downsides to the European part of their business.
The legislation, at least the one coming from Brussels, is nearly always reasonable in scope, extent, impacts, penalties, and tends to strike a fair balance between specificity and vagueness as to allow the courts for some wiggle room for interpretation
As an example, with interoperability, the final legislation might stipulate something similar to this:
* once a software service reaches sufficient market size
* the core functionality of the service must be exposed for interoperability
* any breaking changes to core functionality must allow for sufficient period of backwards-compatibility and deprecation warnings. Exceptions for security breaches or other emergencies
So, for Youtube, this would mean logging in, viewing videos and history. It doesn't mean that every single feature of every single web site must be publicly exposed and be backwards-compatible for eternity
It is a similar death spiral to how we deal with the housing problem. People have a hard time finding affordable apartments in the city centers? Create more laws that limit rents! Does this create more apartments? No. It just sends the local housing market further down the drain.
People like you love to complain about cookie banners but somehow fail to acknowledge that the reason cookie banners are a thing is that companies go out of their way to try and game the regulations instead of actually implementing them. Sure, you can't build the next Facebook in the EU but maybe not being able to build a business on intentionally abusing your users' trust is not a bad thing.
If you just want to get rich, there's still plenty of nigh-unregulated banking and speculative investment you can get involved in with nary a consequence. If you want to build software, I'm not very sorry you're inconvenienced by regulations that actually protect people from your overreach.
But you don't like that your users' data is protected by GDPR, so that you can't take it without permission? That's unnecessary regulation holding back business?
Does not sound like it has anything to do with regulation, it sounds like you want the government to give you an advantage.
Intellectual property protection is opt-in. It requires the individual to enforce his rights before a court in the relevant jurisdiction. The government only facilitates registration and adjudication. Courts don't force individuals into global protection schemes against claimant's own will.
Whatever the expected merits were, GDPR's existence as a policy has been of little more use than a protectionist beating stick in service of the EU. It gave the EU the power to dictate how websites are to be designed. Non-Europeans with business interests inside the EU had no say or representation in the matter. Governments shouldn't claim universal jurisdiction over the Internet, whatever their reasoning for such claims might be.
US works with a "better ask forgiveness than permission" model, where you are pretty free to do what you want, but people can sue you.
EU works with the opposite: create rules and keep companies compliant with those rules.
It's pretty obvious to see that the 1st model is very beneficial for startups and bootstrappers.
The general pro-vs-anti regulation dimension of the argument over tech policy seems to lack the necessary nuance if it doesn't ask about antitrust. The lack of antitrust regulation in the US has meant that the SV pipeline which fifteen years ago supported a diverse tech landscape is at risk of degenerating into one that only aims to produce targets for monopolists to buy out. It's a possible future of your "1st model" I'd rather we were more worried about.
Also, cookie banners are mostly bad faith restriction implementation. You can have functional cookies with no banner. What you can't have are those tracking cookies which is what the whole thing is about.
I personally believe GDPR will never be properly enforced and most people will ignore it. The easy parts of GDPR (cookies, fonts, I guess CDNs now) are automatically detectable, and the hard parts (deletion of data, data processing agreements, necessary collection) are not. There is no way to automatically find out if someone is storing IP addresses in their access logs.
One of the really funny things I encountered in Germany is the emphasis on data privacy/protection...
But every single citizen has to inform the government where they live and their religion. You also have to inform your boss of your religion. If you make creative content, you have to publish your address as well (unless you can afford to start a business at another location).
You can find out where anyone in Germany lives for a small fee.
Those things have about 10x greater impact on my day-to-day life than Twitter finding out I watched a "cancer prognosis" video. I know they're not mutually exclusive, but it shows where priorities lie.
That depends on the religion. For a bit more context (read the full history in [1]): As part of the 1800s separation between state and church, the major ones (Catholic and Evangelic-Lutheran) got the right to a percentage of employed people's wages as a sort of "membership fee". This gets deducted by the employer out of your paycheck and collected by the tax office, then distributed to the church you're a member of. Over the years, the right to collect these taxes expanded by quite a number, although currently only the Roman Catholic, Old Catholic, Evangelic-Lutheran, Free Protestant and Jewish synagogues use that right.
In real life, no one but HR at onboarding cares which religion you specify.
Also note, this is not exclusive to Germany. Italy, Sweden, Austria, Finland, Denmark and Switzerland all have a similar system.
[1] https://de.wikipedia.org/wiki/Kirchensteuer_(Deutschland)
Second, cookie banners are unrelated to GDPR. They became mandatory years before the GDPR, and the level of intrusiveness is because websites don't follow the "spirit of the law". With time hopefully the cookie banners dark patterns will subdue (after a few more entities get fined).
In terms of EU startups, what I'm familiar with, is them getting bought by US corporations, and not failing under the pressure of EU pro-consumer bureaucracy.
A perfect counter-example to people rambling about EU legislation - Wikipedia.
Consistently in the top 10 sites in the world for 15 years, yet there's no cookie banner, no GDPR consent screen, no personal data hoarding, no dark patterns, etc.
> To determine whether a natural person is identifiable account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.
https://arxiv.org/pdf/1904.06009.pdf
Turns out writing vague laws lets you turn entities you don't like into cash cows.
Au contraire. This regulation will force the big tech companies to open up their platforms, thus enabling innovation and competition.
The EU does actually have a variety of "internet" companies – and that includes Germany! There are certainly less of them; regulation could be one of the things that affects that, but it seems way more likely to be a wildly different environment for funding. Investors are more conservative and far less likely to throw dumb money at anything that moves, which means fewer successful unicorns. I'm not sure that's the best approach, but I'm not an investor.
> they spend endless amounts of energy on agonizing over the GDPR
No they don't. GDPR compliance is generally fairly straightforward for any company which isn't trying to deliberately harvest and profit from your data—particularly a new company with no legacy—and in any case represents a set of practices that should be followed by any company dealing with private data in any case.
By the same token, those startups have to worry far less about the nonsense patent and IP environment in the US. So worst case we'll call it a wash.
> We sanctioned ourselves by making the use of foreign SAAS illegal.
This did not happen. Use of non-EU SaaS is legal, subject to it being compliant with local regulation.
I'm always a bit weirded out by strenuous objections to GDPR – it seems to me that the data privacy environment in Europe is broadly pretty sensible. You need to:
- know what data you are using
- have a good justification for using it
- take appropriate precautions to secure it
- make sure users are aware of what you are doing with it
- allow users to access and correct the data you hold on them
I find it hard to object to that.
Many of the most powerful web tools are not compatible with the GDPR. Google Analytics. Ad marketplaces. Free CDNs. And it's all a moving target. I see small companies struggling for years now with these problems. And they will keep struggling for the foreseeable future.
I also have experience from two start-up scale-ups that many clients are saying we won't work with you if you use a US Big Cloud. The EU alternatives are much worse and this causes lots of developer waste now ensuring the platform runs as well on the Big Cloud as it does with really terrible EU-cloud.
I'm in Qc, Canada and I see them very often. Is it only checking for a US IP, and everything else gets the banner?
Bollocks. The key difference between here and the US is the simple fact that we don't have enormous amounts of "dumb money" from pension and hedge funds screaming to be invested into anything that remotely smells like it could be worth money one time - remember Yo! which got 1M funding?! - and then founders making big money at IPO time, which many of them then choose to invest into new startups.
That means that you have to either rely on philanthropic investors, family or borrow money from banks at ridiculous interest rates (and often requiring deposit of a car/house or other expensive assets to back the loan).
Navigating GDPR and the laws here is easy - one might say, life is even easier here than in the US for startups because you don't have to fear getting kicked in the nuts over bogus patent and other IP claims or absurd multi-million dollars civil damages lawsuits.
They will lose most of their users to small platforms if they provide too much interoperability - Not just in the EU but all over the world. Their monopoly over the bulk of the world's user accounts is their only real competitive advantage.
That said, in terms of social good, open APIs would be great.
I'm sure entrepreneurs in the EU are salivating at the thought of that happening.
You're right that personally identifiable information is a hot topic. Partly because you need immense foresight (a.k.a. impossible) to see how multiple data points can be correlated to identify someone, but also because you need to be aware of large-scale actors (e.g. state supported dragnet surveillance).
As an industry I don't think we have reached yet that discussion point, when we still have common basic practices we need to change. For example, I know that most small/medium companies don't even attempt to anonymize their database dumps. Those are the issues we have to focus on first, and those actions become clear to any developer that reads the GDPR for the first time. It's actionable insight without being explicitly stated.
I think that the GDPR is *incompatible with the web 2.0 model, and the internet as it exists today*, and I also think that is a good thing! It should push us to build services that in the end treat all users data as personal information, and lead to anonymous internet services by default.
I have my own laundry list of things I dislike about GDPR, which makes compliance harder than it should be. One such example is that IP addresses are "an exercise left to data controllers to anonymize", where I hold the belief that the legislature should have forced ISPs to be the ones to anonymize user IP addresses (anonymize things at the source). That way data protection agreements would not be even necessary when you use a CDN in front of your website (for example). By the same token, browsers should be forced to use generic User Agents, as those leak platform information like crazy.
I also disagree that "vague laws lets you turn entities you don't like into cash cows", because what I see most common is that companies get a slap on the wrist (so to speak) and fines are not always the first recourse, only affecting those that are majorly negligent and repeat offenders.
These laws are not draconian tools to suppress digital products, but to protect users from life affecting data leaks, automated decision making and profiling, which we've seen to be objectively bad in the past.
But as you can tell this is my highly subjective take on the issue. I might be completely wrong in my belief after all.
"Following the spirit of the law" is authoritarian nonsense. I can do whatever I want unless it's illegal. If the law cannot or does not spell something out how is that the public's problem? We spend enough blood sweat and tears employing legislators and bureaucrats. I am not going to also do their job for them.
For example, EU article 13 has a direct impact on my product (my users can upload custom resources). Good thing that Belgium didn't implement it yet. But when they do, I probably need to move my business to Delaware or something.
They claim that article 13 is to rein in the big companies like YouTube. But in the end this also makes sure that EU has a hard time of building their own YouTube.
Anyway, I looked into it, and it seems possible for me to move my business abroad when we get that far.
But all this basically proves my point. It's easier to build a startup when you are outside of the EU.
For context, I'm an EU national that moved to the US to build a business here. The US does appear freer on its surface, but everything is much more convoluted. As an example, most states have at will employment rules. That means workers can leave any time they want and employers can fire them anytime they want. But then there are many other regulations and case laws that make this essentially impossible. There is a whole predatory industry that is built around this where fired workers sue for $80k because they know that a counsel for the employer will charge $100k and it's cheaper to settle.
I would much rather have clear rules of operations, even more strenuous ones than this.
I also think you're massively underestimating how much people care, especially in an increasingly secular Europe, even in very liberal cities like Berlin. And in small companies, there is no HR.
Yes in that people already have that agency to sue. I'm sure you've heard of class action lawsuits.
No in that I don't approve of the GDPR prescribing what constitutes a privacy violation rather than leaving such deliberations to contracts and courts.
EU privacy law is so vague that people routinely 'discover' new impacts of the rules only when some judge pulls them out of thin air. The fate of EU tech firms is pretty much well described above: endless agonizing over how these rules might be interpreted, followed by maximally damaging interpretations, because the nature of such law making is that enforcement is arbitrary.
If there is any remaining problem it is that the rules are not enforced strictly enough on tech giants.
An indie dev in New York does not care about the GDPR. They just build cool shit and put it online. Look at all the Show HNs here.
In the EU, the situation is very different. Indie devs are super afraid and work hard to make their stuff less useful to please the GDPR.
Now about larger players:
EU companies agonize their worldwide users with cookie banners. Because that is what the GDPR tells them to do.
Non EU companies don't do that. Because why should they? Will a lone Italian traveller in the USA sue them for using Google fonts? Probably not. And if they do - they can handle it. So they only agonize their EU users with cookie banners.
That is it - as a startup, GDPR is not a massive problem. You know what is a real problem? The fact that you can raise 10x more investment in the US with the same slide deck.
If your business model depends on creating undesirable externalities for your "users" then you don't have my sympathy. The only shame is that we still need to enforce GDPR properly on large players, but that's a political and social thing, not per se a problem with the law itself.
And the oh so horrible cookie banners: the solution would be to not track people. If you aren't fully acting in the users interest, the cookie banner is easy to implement, or maybe not even required. So whenever you are annoyed by a cookie banner, it should be directed at the company, not the law.
It's funny you think deregulating housing would solve the housing crisis. If you think rent limits are a disincentive to build more affordable housing, how about we just subsidize loans for non-commercial home ownership instead of expecting investors who want a ROI to either make their luxury apartments more affordable for no good reason or adhere to health and safety standards in their barely profitable social housing projects? After all, if tenants can cough up the money to regularly pay ever-increasing rents they can surely pay back loans with similar rates.
It's not, but it's the basis of ad-driven, surveillance-ware, and user engagement optimized companies that drive the ludicrously high profits and wages in the US tech sector.
Do you see US tech workers lining up to work for Canonical? Yeah, I thought so too.
Hiring in tech is broken regardless, so most candidates optimize for compensation as that way at least the end result justifies the effort of going through those several stages of various hazing rituals each company has lined up.
And like the Canonical employee said in that thread, they receive 80% quality applications despite all of those shitty hoops Canonical makes you jump through even before they talk to you. So yeah, there seems to be no shortage of devs regardless of how bad a company's hiring practices are, as long as they're an established name and/or pay great.
> I also have experience from two start-up scale-ups that many clients are saying we won't work with you if you use a US Big Cloud
Yeah, I've not heard this from anyone – but if it's the case, it sounds like there's market pressure to use services that offer better protection of personal data. Sounds like you've found an opportunity to offer an EU-based cloud service that's better than the competition :)
This is going to sound more aggressive than it is but it doesn't look like you're qualified to be declaring these kinds of facts on the realities faced by EU businesses.
I'm still working at one of the two companies I mentioned, in Denmark. It's a very real problem for us right now. And I think you're understating the effort required to launch a competitive cloud, especially given the regulatory hurdles of the EU.
I would suggest you focus on talking about the specific issues you face rather than questioning my background, but bear in mind that the UK was part of the GDPR pre-Brexit, is presently subject to much the same regime, our company is a recipient of Horizon 2020 funding, we have offices, customers and investors in the EU, and I have spent several years now dealing with the regulatory issues raised by GDPR and how they impact on our business. I am reasonably confident that I know what I'm talking about – your experience may vary, and I am way more interested in hearing what you feel your challenges are than I am in nitpicking your credentials.
Have you taken them fully into account when you declare that these regulations are what you want? Or do you want the first order effects only (who wouldn’t?!) and just stop your analysis there?
Declaring that there are “perfectly good alternatives” sounds like dismissal of the second order effects, which certainly makes supporting the regulations much easier to sit with.
What you're saying basically boils down to "if we stop worrying about user data then we can make more money!" which… yeah, I guess. In the same way that companies could make more money if we let them pump effluent directly into rivers – but we don't do that.
The GDPR, on the other hand, presupposes a global positive right to privacy irrespective of national sovereignty or contractual agreement to the contrary and that any alleged violation from any point on the planet carries with it a presumption of guilt. A regular complaint on this forum is that the US regularly oversteps its bounds via legislation like the CLOUD ACT. I don't see why it's any less of a concern when the EU does it.
If your app is literally about self quantification and the user pays you to collect that data and keep it private? You might not even need to state it anywhere, although the safe thing is of course to list all the ways you do or do not collect data.
If your app is about self quantification and you monetize by selling user data or its aggregates... GDPR. If you use a third party data provider instead of hosting the data yourself: GDPR etc. Because user data might not be important to you, but it is to your users, so you probably shouldn't be allowed to YOLO handling it
Exactly. If a company doesn't care enough about its users to even tell them what they are doing with their data (or in some cases even know what they are doing with it) then the user can't expect that company to secure it or to provide a valuable service with it.
That's not the case for the EU. Money gets reasonable returns in energy sector, industry, any investment in Eastern Europe, tourism, PPP infrastructure projects, etc.
You are literally describing the opposite of the truth.
Nothing, not even the Londongrad bubble, is as excessive as the US housing crisis.
In any case at least YC does invest into European companies [1] - the key thing is you have to get far enough to have a meaningful product that VC funds can invest in, and unlike the US we don't have a lot of billionaire former founders who go around throwing a couple thousand dollars left and right for promising ideas they hear in an elevator.
Not "miss out" per se, rather a "prioritize companies in close proximity". There's a reason why a lot of the former startup turned unicorns are all concentrated around the Silicon Valley.
> Your wild edge case is someone else's life and living.
Yes, the person whose name is mangled by a shitty bank's IT systems. Or the people who can see what a shitty data vacuuming company has on them (that now has to ask for consent beforehand).
Regulations are there to protect people like that, not just for fun.
The article you've linked is obviously biased (why does it make a point of talking about totalitarian communist regimes and their death toll and not any other totalitarian regimes'? Some of the most infamous and deadly totalitarian regimes aren't communist - Iran's Islamic one, Saddam in Iraq, Hitler, Mussolini). And the argument that totalitarian regimes are bad because they wage war and that democracies can't even execute serial killers falls apart when the US is brought in. I won't even bother with the rest.
This would be great. I remember using pidgin back in the day and it was really convenient to have every messaging app in one interface.
Of course, some platforms ban you for using alternate clients.
Nice!
> Of course, some platforms ban you for using alternate clients.
Less nice... Doesn't seem like that list outlines which platforms will/could ban you either, which makes the entire list a no-go for me, and I'm sure others.
I am really loving this news, I was able to convince some of my old ICQ contacts back then to switch to Jabber this way. And why wouldn't they if it's all the same interface?
Who will be decrypting WA and Signal messages to pass them to Facebook Messenger?
I don't think this is to be interpreted as "from now I need to be able to send messages from a Whatsapp client to a Signal client"
Of course any such app would be able to read all the messages in the clear and would be able to store them in the clear, leak them, sell them or whatever. As with any other case in which you choose to use a chat app you have to trust the chat app to read your messages if it wants to
I imagine if that's the case whatsapp or signal, when you do a first login from a different app, will flash a warning that you're using a third party client which might not be trustworthy
And if they are deliberately breaking existing third-party apps for no reason, well I'm sure EU courts would like to have a word.
Actually I expect the usual outrage about limiting innovation or threats to leave the EU but consider that this interoperability is also a moat especially if they agree on some complicated protocol with no previous implementation.
Moxie is strongly against it. Although the app and protocols are open, he doesn't tolerate third party clients on Signal official servers and he doesn't want federation. Even though I disagree, he has some good arguments.
And if WhatsApp has to interoperate, why not Signal?
I'm not sure what the current market cap for Signal is, but I'm fairly sure they don't have a turnover of 7+bn in the EU.
Makes no sense. You can already pull all your data out of those services and import it into whatever other service you want.
The way I read it, they're calling for open standards, which can be a good thing.
Sadly, open standards also slow down the development of new features, as everybody needs to be "on board" for new features to roll out. Take email (SMTP, IMAP, etc) as an example, where no major progress has been made in 25+ years, despite the platform being hopelessly insecure.
There have been some unsuccessful attempts at security, like PGP and Protonmail/Tutanota, but as they're addons they haven't seen widespread adoption.
Feel free to replace email for TCPv4/v6. The only successful open standard I can think of would be HTTP.
Open standards, once they mature, usually mean "lowest common denominator".
No. They are asking for endpoints and public APIs. Nobody is forced to adopt a standard, that is a fallacy you have just built (and has powered a tangential thread of 20 messages and counting.. debating something that is not in the topic).
Services will be forced to provide public endpoints and public APIs. Nobody is forcing them to shape them in any way. Consumers can decide to interface with them, or not. The onus on implementing and interfacing with them lies on the consumers. You don't need an agreement between everybody.
A more successful example of open standards would be the various standards that browsers use. Would you say that browser innovation has slowed down? The model adopted there is less "Wait for everyone to adopt this new standard we wrote" and more "If you have a feature you found many people are using, suggest it as a standard and we'll get all browsers to implement it".
This model could be replicated to messaging solutions as well, without slowing down any innovation as companies can add new features, as long as they get standardized over time.
Capability negotiation is a thing. It's perfectly fine to support some baseline feature set (one-to-one text messages) and build more optional features on top of it. But, yes, it's important that the protocol is designed to be extensible in the first place.
It's a big thing. And it's a great thing.
Already in email you have some cool features that only work Gmail to Gmail but you can still send basic emails to people outside of Gmail.
Businesses will not need business accounts on 6 different platforms just so they can have a simple chat with all their customers.
Nothing prevents people from releasing a new RFC describing their feature and how to implement it. See: EMail attachments (RFC 1521) which came after the original EMail definition (in RFC 822). And what you describe as "email insecurity" is just a common disagreement which encryption method to use in your MIME attachment (defined in RFC 989) - your argument sounds a bit like protesting that not everyone is using Word files when sending text attachments.
(Note: EMail metadata is deeply "insecure" and can theoretically be used to glean information about communication - but if that's your concern, maybe email is just the wrong format for you and something like encrypted messages over a network of Kafka-style message streams, ideally with lots of noise in it, would be better suited).
Email is a totally different problem because it's a suite of a multitude of different standards used across countless different platforms. At least with proprietary messaging services Facebook et al will still be the implementation standard that most people will use (given that habit has already been well established) but lesser used 3rd party clients won't have to worry as much about Facebook breaking the protocol to intentionally break support for 3rd party clients. However I'd wager you will still see new proprietary features added that will not function in 3rd party clients if just to convince users that the 1st party app is the better client.
Btw, does anyone here remember off hand what happened to the "concern" the banking industry had with TLS 1.3?
My understanding is someone just came in at the last moment and basically wanted to change the entire design of TLS 1.3 because their workflow would no longer work because of forward secrecy.
On one hand, that is not right: open standards mean no walled garden, rather than each garden equally ugly.
On the other hand, that is exactly the point: no new feature can be used to buy the users' freedom to interact with customers of other services.
So if I'm whatsapp I have to allow third party clients, but I can also change my API as needs change, as long as I don't lock it.
Closed standards are not inherently different (people who work in telecom can likely attest to that), but closed standards have a higher probability to be owned by a single entity. A single entity has a much easier time to coordinate a switch with themselves, or align their own incentives with their own incentives. If you are alone or don't need to work with others, cooperation is trivial. Obviously, having everything owned by the same entity also has its drawbacks. If you don't like the new price, features, tracking and forced advertisements, well tough luck. While spam is an issue with email, I am not forced to wait 3 seconds and click "skip ad" every time I read an email. I also don't need to pay per email, in contrast to SMS. Email could have been much worse if it was a closed standard owned by a single entity.
The usual answer for avoiding the need for everybody being "on board" with the changes is capability negotiation. Unfortunately, that doesn't work for email since it's a unidirectional, store-and-forward protocol: the sender has no way to negotiate capabilities with the recipient (or recipients, in case of a mailing list). If for instance I invent a new rich-text format for email, I have to include a fallback format on every message, since I cannot know whether the recipient can read my new format.
> Feel free to replace email for TCPv4/v6.
With TCP, there's another issue: middleboxes. While TCP does have working capability negotiation, unrelated third parties (which were not part of the negotiation) interfere with things they don't understand. If for instance I introduce a new TCP option which when negotiated changes the meaning of the sequence number field, a stateful firewall would drop the data packets even though they're valid for both endpoints. Due to the large amount of middleboxes in the wild, the design of TCP has been effectively "frozen", in that any enhancement will break unexpectedly for a large subset of users.
> The only successful open standard i can think of would be HTTP.
What saved HTTP was SSL/TLS. By making it hard for middleboxes to interfere without actually acting as an endpoint (with negotiation), it allowed the protocol to evolve. The best example is HTTP2: while there is a cleartext version of HTTP2, nobody uses it because it would get broken by middleboxes.
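The email fallback described in the comment above, as an added example that is not part of the original thread: the sender cannot ask what the recipient understands, so every message carries both encodings, and each recipient picks the richest part it knows. The media type `text/x-richnote`, the addresses and the function names are hypothetical.

```python
"""Added illustration: a store-and-forward sender ships its own fallback."""
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import List, Set, Tuple

# Hypothetical media type standing in for the "new rich-text format".
NEW_TYPE = "text/x-richnote"


def build_message(plain: str, rich: str) -> bytes:
    """Sender side: no negotiation is possible, so both forms are sent."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"   # constructed sample addresses
    msg["To"] = "list@example.net"
    msg["Subject"] = "Fallback demo"
    msg.set_content(plain)              # text/plain, readable by everyone
    # add_alternative() turns the message into multipart/alternative.
    # Parts are ordered from least to most preferred (RFC 2046, 5.1.4).
    msg.add_alternative(rich, subtype=NEW_TYPE.split("/")[1])
    return msg.as_bytes()


def list_alternatives(raw: bytes) -> List[str]:
    """Return the content types carried by the message, in wire order."""
    msg = message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/alternative":
        return [msg.get_content_type()]
    return [part.get_content_type() for part in msg.iter_parts()]


def render(raw: bytes, supported: Set[str]) -> Tuple[str, str]:
    """Recipient side: take the last (richest) part this client understands.

    The choice is made locally from the bytes received; the sender never
    learns which part was used.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() == "multipart/alternative":
        parts = list(msg.iter_parts())
    else:
        parts = [msg]                   # single-part message, nothing to choose
    for part in reversed(parts):
        ctype = part.get_content_type()
        if ctype in supported and not part.is_multipart():
            return ctype, part.get_content()
    raise ValueError("no alternative in a format this client can read")


if __name__ == "__main__":
    raw = build_message("Meeting at 10:00",
                        "<note><b>Meeting</b> at 10:00</note>")
    print(list_alternatives(raw))
    print(render(raw, {"text/plain"}))              # legacy client
    print(render(raw, {"text/plain", NEW_TYPE}))    # upgraded client
```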
Stop repeating this talking point of big tech. This is FUD. Sure, developing the standard further requires more work and is slower than if just one person alone developed it, but the upsides clearly overweigh.
Furthermore, everyone is free to build their own features in their own app that are not part of an open protocol (good examples are snooze or send later features in email).
PS: As a sister comment pointed out, open standard is not even in the scope of this new EU act. It's only about opening up their APIs. They are not forced to use an open protocol.
Some people at Apple are getting a headache right now. Other companies that have been dabbling with the idea to lock down their OS probably too.
If this happens my next phone might even be an iPhone.
Where there is a King that charges a tax and then there is smaller and smaller nesting of feudal lords that charge other taxes.
KING US Government charging 20-45% income tax
DUKE Apple charging 30% App Store tax
DUKE Google charging 30% Google Play Store tax
DUKE Microsoft charging X% Microsoft Store tax
MARQUEES Spotify/Netflix/Airbnb charging a fee for their platform
I think we need to be careful to not smother the fire of innovation which brings social mobility across classes/income groups.
If we allow Apple/Google/Amazon/Facebook to suffocate the innovation coming from the smaller companies we might find ourselves in a new medieval/dark age period with a lot of zero sum games and hierarchy and little innovation.
> DUKE Apple charging 30% App Store tax
Note that Income tax is in reality earnings tax (as expenditures are generally subtracted), while Apple/Google fee is based on just income.
I can barely believe it. It looks monumental in terms of competition potential.
The first one sounds very damaging to adtech, but might not be enforced.
This will slow down development by being forced to implement interop where they shouldn't be forced to IMO, and will confuse less savvy users (e.g. "Why can't I send this $platform_native_content to Bob but can send perfectly to Alice in the same app?").
Controlling entities' presence within the public (the Internet) is one thing, forcing to do things within their own platform/domain is another.
Sadly, EU picked the latter.
We are in danger of creating Big Monsters that will devour everything until there won't be founders anymore...only employees. Once there will be only employees in truth there will be only servants.
We need a lot of small/medium tech companies to maintain freedom and competition instead of 2-5 mega corps.
The entrepreneurs, though, continue on with the next idea.
Looking at the Google lawyer privilege drama it sure seems like big tech needs a firmer hand.
I'm not sure what this means in terms of the timeline. Will it be voted for in European Parliament and if yes, when? To what extent this may be changed in the final edition? And if it's adopted as a law, how much of a grace period will the companies have?
They only missed one: must provide human support for any and all products and supported services.
Google/MS/Apple have 0 user support for account/app suspension/removal and we have seen many stories here on how final those things are, and without any recourse possible
The algorithms maximize content view / platform usage disregarding mental health and addiction. Further, there is no regulation that the content from recommendations is from reliable truthful sources.
Sure this time we all support the sanction, next time it might be us.
You use Zoom, Teams, Facebook or whatever you like, I'll use my Jitsi or home grown WebRTC solution. Fairness can be that simple.
But interoperability legislation can only go so far to fixing things because we also need to tackle:
- Regulator and institutional capture by vendor lobbying (bribes)
- "Preferred solution" impositions masquerading as fake security "policy"
- Lack of skills in organisations.
- Poor education about the risks of technological mono-cultures
- Technical lock-in measures, DRM, TPM enclaves
BigTech domination has been going on for 10-15 years now, and it has become more than just a set of facts around market shares and network effects. It's gotten soaked into our culture and the marrow of our institutions and will take a good deal of pain to chase out.
https://oeil.secure.europarl.europa.eu/oeil/popups/ficheproc...
"The Digital Markets Act: ensuring fair and open digital markets"
https://ec.europa.eu/info/strategy/priorities-2019-2024/euro...
From here:
https://news.ycombinator.com/item?id=30777016
"...The legislation is now expected to target companies that have a market capitalisation of at least €75bn and run one core online “platform” service such as a social network or web browser, according to two people directly involved in the deal..." "...To qualify as a “gatekeeper” — the powerful internet groups that are the focus of the new law — a company will also have to have at least 45,000 active users, the same people said..."
"...Google, Amazon, Facebook, Apple and Microsoft all meet this standard, but it is likely to also include far more groups than previously thought such as accommodations site Booking.com and ecommerce group Alibaba..."
----------------------------------------
Examples of the “do’s” - Gatekeeper platforms will have to:
- Allow third parties to inter-operate with the gatekeeper’s own services in certain specific situations
- Allow their business users to access the data that they generate in their use of the gatekeeper’s platform
- Provide companies advertising on their platform with the tools and information necessary for advertisers and publishers to carry out their own independent verification of their advertisements hosted by the gatekeeper
- Allow their business users to promote their offer and conclude contracts with their customers outside the gatekeeper’s platform
Example of the “don’ts” - Gatekeeper platforms may no longer:
- Don't treat services and products offered by the gatekeeper itself more favourably in ranking than similar services or products offered by third parties on the gatekeeper's platform
- Don't prevent consumers from linking up to businesses outside their platforms
- Don't prevent users from un-installing any pre-installed software or app if they wish so
----------------------------------------
The EU is choosing to favor acting on behalf of their people, rather than some sector. If that sector can't make money in ways that are not immoral with regards to the people, so be it.
For example: Why shouldn't a 30%-fee walled garden be destroyed?
A moral question would be "how much should governments control voluntary interactions between customers, platforms and products?" The immoral answer might well be "As much as it will help them gain short-term votes", not the moral one.
- the sector
- who has nothing to lose
- and what could be lost
I think I understand who/what you imply but I don't want to misunderstand you.
* The EU
* Tech sector
Specifically:
- article 7: Compliance with obligations for gatekeepers
- article 10: Updating obligations for gatekeepers and
- article 11: Anti-circumvention
Fines are up to 10% of annual global turnover, or daily fines up to 5% of average daily annual global turnover.
In more detail:
Article 11, Anti-circumvention
1. A gatekeeper shall ensure that the obligations of Articles 5 and 6 are fully and effectively complied with. While the obligations of Articles 5 and 6 apply in respect of core platform services designated pursuant to Article 3, their implementation shall not be undermined by any behaviour of the undertaking to which the gatekeeper belongs, regardless of whether this behaviour is of a contractual, commercial, technical or any other nature.
2. Where consent for collecting and processing of personal data is required to ensure compliance with this Regulation, a gatekeeper shall take the necessary steps to either enable business users to directly obtain the required consent to their processing, where required under Regulation (EU) 2016/679 and Directive 2002/58/EC, or to comply with Union data protection and privacy rules and principles in other ways including by providing business users with duly anonymised data where appropriate. The gatekeeper shall not make the obtaining of this consent by the business user more burdensome than for its own services.
3. A gatekeeper shall not degrade the conditions or quality of any of the core platform services provided to business users or end users who avail themselves of the rights or choices laid down in Articles 5 and 6, or make the exercise of those rights or choices unduly difficult.
“at least” would be serious
But that would require for politicians to actually want to do something to benefit the people, not just themselves and their bribers/lobbyists.
Money quote:
> The checks made during the audits conducted by current application stores owned by operating system developers are indeed all reproducible by third parties.
[1]: https://www.peren.gouv.fr/rapports/2022-02-18%20-%20Eclairag...
Masterful communication on top of solid analysis. I’m going to keep a copy just to review when I’m writing my own reports to stakeholders.
I expect they employ enough smart people that they prepared for this moment of reckoning despite the hubris of their leadership.
I very much want this to happen now. However I would not have wanted this 15 years ago when the platform was a baby and little was known on how to move it forward. Last thing you wanted at that time was layers of regulation and laws that would hinder the speed of development.
15 years is probably too long and this could have happened 5-10 years ago.
Apple makes great hardware and the main thing that was holding me back from getting one was their heavy handed approach on what applications I am allowed to install on my device and from what source.
If this works I would probably go for it.
If you really want some nasty stuff on your phone for some reason you can always write it yourself or find something open source and install it with Xcode. You are free to do this; the idea that you are not is a myth regurgitated by haters who don’t think for themselves. Just good luck doing it on someone else’s iPhone without their permission.
They have lots of devs and project management experience. If they don't want to do interop it's just fair that customers are complaining.
Nothing a typical chat group on WhatsApp uses is particularly innovative or unique. Text, Voice, Images, Video, map links and attachments probably cover roughly 99% of the use case and everyone supports that.
They are free to compete on additional features.
The right thing here would be making a standard, modern way of communication that supersedes SMS/MMS with a push for global adoption that has all the necessary features of sending videos/images/links/locations etc. with E2EE that is part of GSM technology suite which is either super cheap or free, to offer a sensible alternative to free but closed down services offered by giant companies. That would be much more fair play for a free market.
The bigger issue is malicious compliance. I can see companies deliberately making the experience horrible.
If there is an inconsistency introduced (e.g. I can send something to one user but can't to another) it will just confuse the users more.
About malicious compliance, yup, it will probably happen. If I were a company with my platform and someone comes to me and says that I have to open up my own private platform, I probably would implement the bare minimums to not get fined, and cripple that part in every conceivable way, while still "complying" with the law. I'm a private company and want people on my platform, simple as that.
Not saying that it couldn't happen in other setting, but innovation definitely did happen in the current fragmentation of silos.
I didn't read this as the EU forcing the apps to actually implement interop. I read it as forcing them to publish the details of their protocols and not ban people for using 3rd party clients.
Now, will market forces force them to implement interop? Maybe, but based on my reading an app that doesn't talk to other apps is still legal.*
*Do not base your entire business strategy off of a single HN post from someone who is not a lawyer.
Next each chamber will vote on it but this is usually just a formality since they gave the negotiators a mandate beforehand.
If it passes, the text will become an EU directive which needs to be incorporated into national law by the member states.
After that it becomes enforceable.
The DMA is a Regulation, not a Directive. It doesn't need to be transposed into national law in member states.
Regulations become law across the whole EU (and usually the EEA as well) as soon as they are published in the Official Journal.
> Will it be voted for in European Parliament and if yes, when?
The European Parliament only votes on a text. It cannot take decisions by itself. It can only present a voted upon text to the EU Council. And even then it's not a given it will become a directive.
> And if it's adopted as a law
There is no such thing as a "law" in the European Union. (Simplified) The EU has directives and regulations. Text is drafted by the EU Commission, which is then sent to the EU Parliament which is then sent to the EU Council. And the same text can bounce between those institutions for some time. Finally, if all goes well, it becomes an EU Directive. After this member states have a few years to put the Directive into national law.
This process is extremely cumbersome, full of gotchas, and overall, inefficient, but it's the best thing these politicians came up with. Most likely the next level of simplification would normally involve some sort of federal union.
The DMA is a regulation, not a directive btw.
That's why I'm asking these questions.
I still don't quite understand on which stage this initiative is at the moment and how long until it is enforced.
Let's first clear up why this is: spam control. Google along with the rest of the industry has essentially killed email spam through the many additions to classical email standards. From reputation based delivery, to spam databases, crypto signatures and more. This isn't just to reduce an eye sore in your inbox. Spam does real damage, financial and otherwise.
Despite the complexity needed to run a reliable email system, it's still possible to do and many do. It also allows for innovation without a lot of capital (e.g. licensing fees paid to walled garden owners). Without open interoperability, it's either impossible (e.g. general iMessage), limiting (e.g. iMessage, WhatsApp for business) or expensive to do.
I'm running my own mail server. The problem with regards to spam is not that it's hard for me not to be inundated by spam: I'm just running spamassassin and qpsmtpd with mostly standard configuration and my account on my own server is rather better at catching spam and not ham than my Gmail account. The problem I've always been fighting with (it's better lately) is that Google (and to a lesser degree Yahoo and Microsoft) tends to put my mails into the recipients' spam folders.
It's understandable that a minimal level of centralisation is necessary with email so as to build up server reputation. I think that level is already satisfied with just a few dozen or maybe hundreds of emails sent per day. If there are many installations of that size, companies like Google are forced to accept mails from them, and there's no need for further centralisation.
> Google along with the rest of the industry has essentially killed email spam through the many additions to classical email standards. From reputation based delivery, to spam databases, crypto signatures and more.
I don't see Google having had an exceptional role in "killing" email spam that way. Spam databases (both server reputation as well as content fingerprints) existed before Gmail started, DomainKeys was designed by Yahoo[1], the DKIM (the current way to add cryptographic signatures) RFC[2] does not list anyone from Google as its authors, Bayesian learning was published by PG[3] in 2002. Gmail launched in 2004[4]. Giving reputation much weight was something easy for them to do and it does tend to come at the cost of small legit servers.
They had a solid implementation early on (both the spam filter and, for the time, a top notch HTML UI), had of course a good name, and were free, so they were a default choice for anyone who was with an email provider that didn't do well (like many (most?) ISPs). There are reasons for people to flock to a strong, large company, that's not different here, but I contest that spam necessitated this.
That said, any new protocol would do well to take the problem of handling spam seriously and learn from and improve upon the past.
TL,DR: my argument is that spam is (somewhat) easier to handle in a centralised way, just like most problems are, but handling spam doesn't inherently require centralisation.
[1] https://en.wikipedia.org/wiki/DomainKeys
[2] https://www.rfc-editor.org/rfc/rfc6376.txt
[3] http://paulgraham.com/spam.html
[4] https://en.wikipedia.org/wiki/Gmail
that's naive. the problem is that we moved away as an industry from that model for 2 specific reasons:
- widely used standards take decades to change just slightly, or never (see SMS, email)
- interoperability means either lowest common denominator or a huge cost to keep things interoperable
both are horrible for innovation, both are a killer for funding, both pull money away from other things.
all for giving "jitsi" or your "home grown webrtc solution" a reason to exist.
meanwhile apps like zoom simply took everyone by storm during covid even though lots and lots of others (including webrtc and jitsi) existed for a long time.
Zoom illegally sold users' personal data [1] and Teams unsurprisingly turned out to have all the security features we'd expect from Microsoft [2]. Jit.si comes out looking pretty good.
It's hard to hold up as paragons of good tech products that required a global pandemic to do their marketing and still couldn't deliver the goods without getting caught with their hands in the cookie jar.
[1] https://www.cbsnews.com/news/zoom-app-personal-data-selling-...
[2] https://www.forbes.com/sites/thomasbrewster/2020/04/27/your-...
Please attack my arguments, don't make aspersions as to my disposition.
> the problem is that we moved away as an industry
Please don't try to define the narrative from a parochial viewpoint. No. We didn't. Some of us did. And those few have arguably done a great deal of damage to "the industry".
> widely used standards take decades to change just slightly, or never (see SMS, email)
It's arguable that they _should_ take a long time to adapt, because stability is also a value. That doesn't preclude the emergence of new and better standards which have a fair chance of adoption in the market for protocols. Interoperability would be a key factor in their success of course.
> interoperability means either lowest common denominator
I see no justification for this statement. There are many factors that portend lowest-common outcomes, like efficiency, reckless engineering in pursuit of fast time to market... but interoperability isn't one of them.
> or a huge cost to keep things interoperable
This is what you're really shooting at isn't it? Less profit for people who want to "move fast and break things" and get out when they're done extracting. I prefer to build lasting things and treat technology as a part of long-term culture. It's just a personality type thing.
> horrible for innovation
Advancing dichotomy between standards and innovation is simply disingenuous. The entire existence of the internet is a counterexample.
> killer for funding, both pull money away from other things.
Money.
> all for giving "jit.si" or your "home grown WebRTC solution" a reason to exist.
No. Everything else you've said is about differences of value and philosophy. Fair enough. But on this point you are missing some fundamental understanding of technology.
It is not "all for" my choice. Choice is a means not an end. Choice is what underpins the drive for innovation, but ultimately there is telos (purpose) in technology beyond making profit. Those ends include resilience, opportunity, reliability, hybrid vigor of heterogeneous systems to name a few. Naivety is having a partial or immature understanding of a bigger picture, though I would not accuse you of that of course.
respects
Even though it may not be the EU’s overtly stated main goal, it is nevertheless a goal of many aligned politicians there, and no doubt the perception among foolish politicians and bureaucrats that it will achieve that goal can account for some of their support, and if they don’t get what they want they will “fix” it until they do.
I mean, that's theoretically possible, but it's not the most convenient workflow, and you run the risk that any tooling designed to automate it is frequently broken by deliberately incompatible changes made by Facebook or Twitter (or whichever other services you are using, in the general case).
Fundamentally the data belongs to the users, not to the platforms, so it is right that governments mandate that the data be able to flow according to the users' wishes. All property rights are legal fictions, especially "intellectual property" rights, but at least in this case the property right being defined is a socially beneficial one.
How long before the instant message formats of today become “the wrong format”?
Email is an open standard, and as such it should be easy to push out a new RFC that secures metadata, yet that hasn’t happened in 25+ years.
I essentially agree that communication should be done over open, secure standards, but I’m not sure legislation is the right way of getting there. We will see how it all plays out.
Free market isn't really free if you have no competition due to network effects and lock-in.
I do. Apple repeatedly discriminates against sexual minorities in the App Store, and it's appropriate for a government to step in and stop that.
https://bugs.otr.im/otrv4/otrv4
The interface for Pidgin is exactly the same as it was back then (it still uses GTK2), modern users have much different interface tastes in 2022, so you might find it difficult to convince people to use Pidgin.
https://en.wikipedia.org/wiki/Directive_%28European_Union%29...
Regulations can build upon the foundations laid down by directives and they apply directly.
For some reason I thought it was a directive...
Too late to edit my comment.
The formal process of EU approval for directives and regulations resulted in certain practical norms. Basically, representatives for the three main organs (EUParliament, EUCouncil - i.e. national ministers - and EUCommission) sooner or later have to sit down and bang together a compromise on texts put forward by one or more of them. This is where we are today, this is what's been reported - that step has been completed.
Now the text gets put through the formal process, and it should be guaranteed to pass (bar surprising developments or upsets, like a country switching government and hence reneging on their position or EUParliament being particularly angry about specific bits of the text).
In terms of speed of approval this can be as short as a week, for the urgent stuff, but this will probably take a bit more as lobbyists will now go in overdrive trying to delay the cut-off enforcement dates that the text will contain.
In terms of distance from enforcement, this sort of world-changing rule typically gets put into force on 1 January of some future year. I reckon 1 January 2023 looks good, but we'll have to see the actual text to know for sure.
It is also one of these weird non-profit + for-profit company mix, to which I don't know the effect it has. Anyways, the numbers are simply not there.
Ironically, if the law works as intended, making all major messaging platforms interoperable, it can make smaller players who don't want to join the club (like Signal) less attractive.
Doing it by money seems like sour grapes. You succeeded in the free market so we’re going to hamper your progress.
(a) somewhat tricky to define with legislative-grade rigour, and much more importantly:
(b) only measurable by the very same entities who would be subject to this regulation
Were it not for the problem of measurement, I would agree that it would be a better proxy for "needs regulation" than market cap.
EDIT: On second thought, I don't even think that's true. Imagine a networking app that absolutely dominates a small but highly profitable and societally / strategically important sector, such as medicine or law.
That company could have relatively few users as a % of the population, but still have enough of a warchest to hobble most potential competitors, and to have undue influence in wider society thanks to its control of critical sectors. Going by market cap doesn't measure a company's pervasiveness, but it measures its sheer economic power.
https://en.wikipedia.org/wiki/Marquess
In Italian, which is my native language, it would be MARCHESE.
Fun fact, there is a whole Italian region called Marche: https://en.wikipedia.org/wiki/Marche
<MARQUEE>, instead, is an ancient HTML abomination.
It's a feature that can be implemented, with similar if not better effectiveness, in various ways that don't completely lock down a platform. Don't ask me how because I'm no match for brains at Apple but if EU succeeds in forcing Apple to open things up, Apple will rise to the challenge and will figure it out, just the same way they figure out how to roll out an ECG monitor that complies with local regulations of multiple countries. In other words, Apple already works under large amount of constraints of existing laws and regulations when creating products and that requires a lot of constant innovation in itself. This will just be another constraint they have to follow.
At that time, Apple's system needed to attract developers, so instead of a walled garden, the company did what they could to encourage interoperability.
[1] http://apple1.chez.com/Apple1project/Docs/pdf/AppleI_Manual....
You are confusing the "norm" at the time with Apple's specific decision to open up their hardware. At the time, a lot of consumer electronics shipped with their schematics, including TVs, Radios, etc. You cannot find a single TV today that ships with how to talk over its diagnostics port, let alone schematics.
The Apple computer you're referencing was more like an IC of today, both in complexity (many $1 ICs today are orders of magnitude more complex than that entire computer), and the skills expected of the user of the computer. Both of which would require one to have intimate knowledge of the inner working of the device to be able to operate and maintain it. Users of that computer were like hobbyists of today, buying an electronics kit and rest assured, electronics kits come with detailed manuals, schematics and more.
Almost all of WhatsApp, Telegram, Apple ecosystem, Discord, Slack etc. have almost all of it.
Which public standard that's available on phones do we have that provides these features worldwide?
Universal suffrage is great idealism, but it doesn't matter unless women vote for it.
That's to say, the means by which change might occur are also the goal of that change. That's a hard place to get out of.
> idealism doesn’t matter without users.
It absolutely does, because "idealism" is precisely that force in the world that exists despite and in hope for better things than the status-quo. It's the engine of all progress, and is almost always a minority concern in the face of a herd mentality. I'm glad you like my idealism though, because some (fake pragmatists with narrow horizons and fear of losing the privilege) treat idealism as a fault, whereas we see it as a badge of honour.
> the majority of users have repeatedly chosen
For very small values of "chosen". People accept what they're given. Not even the "consumers" themselves believe in the myth of demand driven markets now. They mostly adopt stuff to fit in and be like their friends. If pressed, they'll rationalise. Today, digital literacy does not extend to social, economic and political awareness of why choice might even matter. Some of us are trying to fix that (see [1]), and I am happy that in Europe we are gaining greater strength.
Number of users matters for making money. I get that. And I can see why many people here fixate on that. Making money is nice. But one shouldn't let it distort one's better judgement. And one should know when enough is enough and when greed is working against our future capacity to make money.
> choose UX innovations over things like standards and interoperability.
That's a false dichotomy. Those things aren't even on the same axis. It is the sloth of companies wanting to lock-in users that gives motive to break interoperability standards. That doing so is necessary for innovation is a blatant falsehood peddled in so many of the comments I've read here today. You say yourself, that it's a thin veneer over standards. Not to recognise the value of foundations paid for with generations of public money and the role of government in maintaining the very conditions that allowed tech firms to prosper is ungrateful and parochial. I'm getting downvoted because that hurts to hear.
It was my understanding that we already have a (fairly old) standard that does just that, which also currently works as a lowest common denominator for texting between at least android and iOS.
In GSM it’s an IMEI ID / phone number, in TCP/IP it’s a MAC/IP address. Internet also requires a subscription, subscriber and more.
And how would you implement a messaging service with “anonymous” endpoints ? Can’t send messages without a unique identifier for the recipient.
Especially when you make it all but impossible for third parties to operate outside of that walled garden.
I don’t think third parties really add value either. It’s just going to result in a bunch of spam and scams, with us losing out on privacy features and convenience.
The real reason they do this is they perceive it as a free source of income, which they can then use to buy off states to keep them in the EU itself. Note how the rules only apply to really big companies (i.e. US companies), and the fines are really big, and the rules are vague. It'll be a cash cow that avoids upsetting any local interests, the fact they can drape it in pro-consumer clothes is just a bonus from their perspective.
How will they interface with the different APIs ? Or is it a single API defined by a standard ?
The first one means that most clients will play “whack a mole” with 20 APIs, trying to keep up with features. The second will be the lowest common denominator, limiting what can be sent between different clients. It would be the new “green bubble”.
Next, how do you identify people uniquely across different networks? Phone number? Email? What happens if you’ve registered your ID in multiple places? Or is it up to the sender to specify which network they wish to target? Like someone@gmail.com@imessage? The last one solves nothing. In case of multiple ID registrations, should the network just keep trying round robin until it successfully delivers? Or can I as a recipient register my preferred delivery network in case I never want Meta or Google to see my data? Who maintains this central registry? Will they do it for free?
Now that we’ve established how to pass messages between networks, how do we secure them? Do we use the iMessage model and use a central key repository? Or do we implement a protocol (potentially per API) on how to acquire encryption keys? Or do we simply skip encryption because security is hard?
What about attachments? Since most secure platforms use “per device” encryption, do we just send a 500GB attachment X times, one per device? Do we limit the size of attachments? iMessage solves this by encrypting it with a temporary key, and the attachment is then uploaded to Apple’s servers, and the temporary key is exchanged using normal messaging. Is that the way forward? Will whoever handles it do it for free? Do we trust them?
What about Memoji/whatever the kids use?
All of the above, and more, needs to be agreed on by all involved parties, which sets the lowest common denominator, either by a shared standard, or by reducing functionality for cross network messages. If it ends up complex enough to support all the features of modern instant messaging, it sets the bar rather high for new players. If it ends up simple, we have gained almost nothing over using SMS/MMS.
Things are never as simple as just exposing an API.
If you want to solve all those problems, you can use and push for Matrix for example.
It applying only to ~7 billion capitalization only increases the chance that somebody uses their network, and as is already evident today, that is where the majority of conversations happen. It also increases the risk that my messages will be routed to somebody I don’t want poking through my messages, even if it’s metadata only, like Meta and Google.
It also increases the risk that I have registered the same ID with multiple providers.
I am not interested in solving the problem, and especially not interested in using Matrix. My only interest in this is I want to have functional instant messaging between people I know. Matrix does not solve that (for me).
My point was/is, that either the legislation solves nothing (open APIs, native “own network only” clients), or it creates a lot of problems (unified API, shared standard, cross platform messaging for all).
Also, imagine the spam you’ll receive if every email you’ve ever registered with some ~7 billion provider suddenly routes messages.
But let's say you are right, and all that the affected messaging services have to do is provide an API - will the regulators require them to document this API (and if so, what standards will the documentation have to follow?) Will they complain if the API changes too rapidly? Will the API have to support all of the same features as the messaging service?
As they say, the devil's in the details, and right now I'm not seeing any details.
That is not true. There are many things corporations cannot do even if they want to. There's lots of different regulations that impose restrictions and obligations on companies against "what they want".
So now it's just defining where that line is, which is what law-making is.
This is like saying a state-mandated ISP/Gas company wouldn't be a monopoly since you can just move to another country.
You might wanna push the argument that nobody is forcing you to use iOS, but I think the problem runs deeper. In many fields and even just everyday life, you are now required to run a modern phone OS (e.g. the option for not having the official COVID green pass app here in Italy is to find an authorized place that will print you a green pass on paper, and it's hard to find one, let alone schedule everything and get there without a pre-existing pass) and we're barely lucky that Google is playing by laxer rules than Apple is. If not punishing existing bad actors, these rules are a nice framework to prevent them from taking over in the future.
Apple's pseudomonopoly does not strike me as the root cause issue here, developing processes and using tech to solve a people problem does.
Also, it's the country's duty to protect citizens from themselves using laws and regulations. For an example of what kind of "far west" digital tech is living right now, I point you back to before TV was regulated as heavily as today, where companies used cartoons to advertise smoking cigarettes to children (https://www.youtube.com/watch?v=NAExoSozc2c).
No, they can't do whatever they want with it. Consumer protection laws are an obvious example for how corporate interests can be limited.
> because it's far from a monopoly since there are alternatives.
It's a duopoly. iOS and Android together represent about 98% of mobile devices.
so the point is a degraded experience? how can that be the point?
The problems were that:
- unlike modern compiled code for the web - WASM and transpiled JavaScript - Java and ActiveX got executed with host privileges which made both an incredible entry point for malware such as "dialers" and early viruses.
- many corporations and governments (e.g. Korea [1]) built their stuff in ActiveX or mandated its use in actual laws and regulations, while only MS Internet Explorer ever implemented ActiveX out of said security reasons.
- many corporations and governments only ever coded and tested against IE6 which meant that their sites and products were dependent on IE6-specific quirks
[1] https://www.forbes.com/sites/elaineramirez/2016/11/30/south-...
When elected officials decide that a platform/network is now part of the public space the owners lose out.
It happened to railways, telephone grids and all in all was an improvement.
If they implement a public service, freemarketers not unlike yourself will accuse them of unfair competition and spend their lives sabotaging them, like Murdoch does with the BBC in the UK.
The reality is that your position is effectively that nothing should change, and everything in this space is as good as it can be. The public at large clearly disagrees, and this is a step in the direction of addressing some problems that are extremely hard to deny.
Besides, nationalisation would be nothing new. There are laws in your country, whichever it may be, for the state to confiscate your land for the public interest. That's not trespassing, that's the power of the collective trumping other rights. This is not it anyway - this is mandating standards, like the size of your electrical plugs.
Food is necessary for the public, but there aren't a lot of governments running their own farms. Or construction companies, power generators, or really anything else. The best possible system is where people create goods and provide services to each other, and the government ensures a system where this exchange can be fair and thrive. This is exactly what they are doing with this law.
Messaging apps have evolved in very pro-user ways over the years. Reactions, threads, voice/video/screenshare, and more are all popular with users. Stuff that we didn't have at all in the AIM era, or maybe only had on one chat platform.
And under the hood, I read that an important reason everyone left XMPP is it fundamentally requires an active connection, but that means your phone's radio can never enter low power mode, hurting battery life.
I miss Pidgin. I really liked having all my chats in one place. I sort of have that now with Beeper.
But it's also clear that we're not done evolving the medium, and standardized protocols, for all their upsides, often crystallize a platform in whatever state it's in when the standard is written.
This problem has been solved by https://xmpp.org/extensions/xep-0352.html
For a long time it was; everyone was stuck on HTML4 while W3C was playing with XHTML. That only really changed when browser vendors came together and collectively decided to start ignoring W3C and made WHATWG. Although IE6 was also a major factor here.
>Included in the rules' scope will be platforms with a market capitalization of €75 billion or turnover in the European Economic Area equal to or above €7.5 billion
So the rules are meant to target only the TOP part of the Tech Sector. Not the Whole Tech Sector. There could be backfires on everyone though.
I do feel though that the Apple/Facebook/Microsoft/Google/Amazon are innovating less and less and are going into cash squeeze mode. There has been a lot of talk on Hacker News on how Google search quality is decreasing.
All the privacy laws containing Facebook push them to bet on something new Meta/Oculus. So I think here the effort is to allow smaller tech to thrive and grow.
I have a lot more faith in a viable competitor coming out of California than I do in EU regulations improving search results.
Only some "2fa" and notification systems use them. Actual people don't.
So yeah, market regulation is necessary here, I’d rather roll back useless regulation later than continue with the status quo.
So keep the status quo (SMS/MMS) and build more features on top of that?
There are countries that aren't the US. I honestly don't remember when was the last time I've actually sent an SMS. 99% of SMS messages I receive are notifications and 2fa codes. If anything, "status quo" over here is Telegram and VKontakte.
Besides, the issue with SMS/MMS is that it's a closed system tightly controlled by carriers. The internet is an open system.
what you are describing can be called "iMessage" :)
--------
This is what my group chats look like when texting with iMessage users.
and this is just one small reason why the industry decided against moving forward with this decades ago. it simply didn't make any sense then, certainly doesn't make sense now.
Other than that, it can be death by a thousand cuts. If the rendering of a particular phrase relies on a specific custom feature, the other side might not see it properly. That can be multiplied by many times and make people frustrated, and worse, misunderstand each other.
Once Apple has to allow third-party app stores, many major software companies will either create their own App Store (great now I have to download 15 different stores) or move to a third-party store where these rules are non-existent.
So what will happen is that there will be a major exodus of software from the Apple App Store and on to third-party stores, which for me means a rollback of all of the momentum and progress Apple has made by collectively bargaining on behalf of users against developers.
In addition, this will fracture things that are easy and convenient, like Apple Pay, or Sign-in With Apple being a privacy-focused mandatory alternative to other SSO options.
It’ll also long-term enable more dark patterns. Oh you signed up for this $14.99/month app? Well gotta call if you want to unsubscribe. Hell maybe even have to send a letter!
For some completely asinine reason people think that “allow third party stores” means “I get all the same stuff now but stuff will be cheaper and ‘more innovative’ because developers won’t have to pay the ‘Apple Tax’” but the reality is you’ll just get the same stuff, at the same prices, but it’ll be less convenient and you’ll lose any benefits that we previously had when Apple was able to collectively bargain for users. Companies will not lower prices.
> “This hasn’t happened on Android”
Yes. Because when companies start enacting these rules, users will flee to iOS. You need to be able to launch your store and dark patterns on both platforms simultaneously. Otherwise users have options.
> “I disagree, this won’t happen”.
Ok sure. What assurances do I have? What are you doing to make me feel better that my experience won’t get worse? Until then I’m firmly against third-party stores.
> “Apple enables oppression and a single point of failure for regulation - China for example can ‘control’ what’s on the store”
Any third-party App Store that’s not a complete scam will be forced to comply with any exact rules that Apple has to. There’s no difference.
The same EU legislation explicitly bans this.
> Any third-party App Store that’s not a complete scam will be forced to comply with any exact rules that Apple has to. There’s no difference.
This is a misrepresentation. China's worst fear is the lack of choke points for application distribution. Once peer to peer distribution of applications happens without central distributors then their ability to lock down protests will take a significant hit.
And that's why I choose not to be on Android.
Note though that in the EU they have to ask for permission to track their location and tell users what info they gather, thanks to the GDPR.
Regardless, I am in favor of this legislation. The iOS and Android ecosystems have become crucial infrastructure in modern life. So either Apple and Google act more like they are utility companies with lower fees and a more fair, equal market [1] or they should be regulated.
Though I would have preferred if the EU had just set upper bounds for the commissions, etc. The result would have been less messy.
[1] No more private APIs that only they can use, etc.
Also you can just buy a different phone if you want third-party stores.
They could have allowed third-party payments through vetted providers. They could have reduced their rates to match those providers and no one would be so keen to use them anyway. They could mandate subscriptions must be cancellable with one click and even mandate using an api to make these all appear in the settings app. They could have ensured that their review staff were better trained to prevent capricious rejections.
They instead decided to ride the wave of the apple tax for as long as they possibly could and then deal with whatever that caused later. And this is what it's caused.
I think you underestimate the talent at Apple. The reason things are locked down isn't just that it makes them secure, spam free, etc. That's true of course, but it's not the only way to do it. It is however, the easiest way and in absence of external force, there is little reason to complicate it.
If EU succeeds in forcing Apple to open some things up, then the brilliant folks at Apple will rise to the challenge and will innovate to either keep the quality as is or even make things better.
Power companies are being created while there are rules so they know what they're dealing with.
What's happening here is someone created a platform, spent years building things, and now EU is coming and saying oh you HAVE TO open it up. Not even mentioning the mess about having different rules at different places (e.g. I can't send many things to people in the EU in Instagram DM).
This is plain wrong.
Their government decided what is allowed in their country.
If the companies don't like it, then they should have won the election, or they should leave and go do business elsewhere.
Group chats over SMS? What kind of madness is that?
I do not trust GDPR to handle this effectively. It’ll be like a lion trying to squash ants, and now there’s no single company that the EU can go to and say “fix this”. Apple will say “not my problem”.
Companies will find work-arounds as they always do.
> This is a misrepresentation.
It's an opinion, not a misrepresentation. I'm not misrepresenting anything.
> China's worst fear is the lack of choke points for application distribution. Once peer to peer distribution of applications happens without central distributors then their ability to lock down protests will take a significant hit.
Practically speaking though, who will create app stores that will be "safe", and functional? Most people will use a few major app stores (maybe as many as 6, as few as 2) because they are positive feedback loops. Any major company operating one of these will have enough exposure to China that they'll comply with local laws, as they do now. If a company doesn't have exposure that the CCP can leverage, they'll just ban the app store from ever entering the market. Unless of course you think that we'll wind up with hundreds of app stores, like "Bob's Great Apps", but then you have a much worse problem which is the entire ecosystem has turned into a pile of dogshit. Maybe globally there could be 50-100 app stores, but they'll be localized.
If what you're saying is true, that China wants choke points, then why is the Great Firewall so successful? Wouldn't the distributed Internet, and VPNs, and other web-based peer-to-peer applications win out?
Glad to see it's being addressed, but:
- The proposal is stable, but not finalized
- 13 years is a long time to wait for a solution (iPhone debuted in 2007, got apps in 2008)
- Plus however long it takes for implementations to adopt this
- Plus whether they adopt it at all, since this is a protocol extension and not a protocol requirement. The XEP requires client-server cooperation, which means the clients and all servers the user connects to have to implement this to see the benefit.
Is "stable" now a negative thing? I don't understand. If you are referring to the "document lifecycle" at the side of the XEP, and the "Final" status there... "Stable" is the "widespread adoption" stage. "Final" is a dead-end status that means the extension is frozen. It's rarely used for extensions that are actively in use until they are beyond updating.
> "13 years is a long time to wait for a solution (iPhone debuted in 2007, got apps in 2008)"
This extension was created in 2014, and implementations were already performing traffic optimizations (using other non-standard methods) before then (which is why we decided to standardize it).
> "Plus however long it takes for implementations to adopt this"
It's already adopted, implemented and deployed. You can see deployment stats at https://compliance.conversations.im/test/xep0352 - as for the handful of servers there that don't implement it, on investigation these tend to be private, abandoned or special-purpose servers.
> "Plus whether they adopt it at all, since this is a protocol extension and not a protocol requirement. The XEP requires client-server cooperation, which means the clients and all servers the user connects to have to implement this to see the benefit."
As I said, it's already implemented and adopted in clients and servers. It has been a requirement in the XMPP compliance suites for years (for reference, latest is here: https://xmpp.org/extensions/xep-0459.html#mobile ).
All in all, your comment seems to contain a lot of unfounded scepticism and negativity. This problem is solved, since a long time :)
The XEP page indicates the proposal is still subject to change ("some changes to the protocol are possible before it becomes a Final Standard."). That kind of thing sometimes holds up adoption of standards, creates incompatible implementations. But you've demonstrated it clearly doesn't in this case.
> This problem is solved, since a long time :)
I stand corrected! Thank you for your instructive reply.
Mandating size of plugs is a good thing for anyone to build things that can operate with electricity, mandating some private entity with a perfectly functional ecosystem without any interest to open its system to provide a certain type of socket, is not.
Genuine question, why?
You either pay for their hardware (Apple) or be okay with some data harvesting (others) and get a free chat service in return. It's a fair game. And no one forces you to use anything: all my friends, literally every single person here uses WhatsApp for primary communication, and I've deleted my WhatsApp account 2 years ago and still communicate with anyone without issues.
Uhhh yes? That's the point? The alternative to this degraded experience is no experience at all.
The answer to that is: It depends.
For example, HTTP2 is basically an invisible upgrade which is faster (sometimes). If either end doesn't support it, falling back to a prior version is transparent to the user.
On the other hand, if you want to update IRC to be more like Slack/Discord, with features like oauth2 login? Well then clients that don't support it won't be able to connect.
so basically it's either degraded experience but w/ interoperability or great experience but w/o interoperability?
that doesn't really make sense. why not a third way with great experience and great interoperability?
i'm asking because i can guarantee that no one will use clients that provide a degraded experience when you've got the established players providing a great experience.
Somehow, ICQ worked wonderfully despite everyone I knew using an unofficial client. The official client (at least Windows one) was a terrible mess. It had ads and all those features no one ever asked for, like games and news and an entire picture-based language (I'm not joking). But QIP, the client I used, only did the things I needed an ICQ client to do, and nothing more. It also had no ads.
Equally, when someone is considering buying a phone, they are unlikely to compare the lists of apps available for each platform when making their decision, just as car buyers don't look at the levels of tailpipe emissions when comparing possible cars. In such situations we accept that the government can intervene to prevent socially negative outcomes, even if it means increasing the costs (or decreasing the profit margins) for companies.
In any case, the problem isn't just the switching costs for users who discover their platform is limiting their app choices (or increasing their app charges), it's that companies trying to sell apps to users can't choose to simply "Don't use an iPhone", as Apple is preventing commerce between iPhone users and those companies, which is again not socially beneficial.
-edit-
As a general shareholder I care. But in that area I think Apple will figure out a solution that keeps the status quo. They're #1 for a reason.
For the people building them, yes. For the people using them, they are basically a massive con. "We will help you communicate!" Yeah, because this will allow you to harvest my data and sell me more shit. "We have these great features!" Yeah, that other networks had 20 years ago and you killed to enable the aforementioned con and monopolistic practices.
> I've deleted my WhatsApp account 2 years ago and still communicate with anyone without issues.
Well, good for you. I have WA groups that provide information about my kids' whereabouts, schoolbus info, all sorts. Can I leave them? Yeah, in the same way I could walk out of civilization to go live on Jakku.
- You can download Facebook and WhatsApp from the Meta Store
- You can get Google software from the Google Store, except Gmail and Maps which are available in the Apple App Store too, but YouTube is a Google Store exclusive. Oh and Authenticator is only available on the Google App Store with a valid company login. So you'll have to switch accounts depending on if you are logging in as a user for yourself or your company.
- You can get Netflix from the App Store, Google Store, or Facebook store but each requires that you log in to the respective store with an account before logging in to your Netflix account and the pricing is different depending on the cut each of the stores takes. Google is interested in finding what Netflix shows you are watching so they can adjust your YouTube algorithms.
- You can download Twitter from the Apple App Store and Google, but not Facebook.
And you can download the MLB App if you have a Prime subscription because of a new partnership, but only if you have the Amazon Prime App.
Can't wait!
You're right that there are other bills in the pipeline. I think the user experience will be worse off because of them and we'll lose lots of ground on privacy and convenience, but it's inevitable because small, vocal minorities usually win even when they make everything worse for everyone else.
It'll be interesting to see the fallout though. It won't take long for others to connect the dots and start filing lawsuits for any store or platform with any sort of standards. Obvious first targets are companies like Sony, Nintendo, and Microsoft for consoles. But other non-obvious targets will start being platforms. Take Chrome - why can I only use (and maybe I can't and I don't know) Google's Chrome Store to install third-party software? Or rather, why can't I install another "App Store" on Chrome and replace Google's? Maybe you can (and I'd argue it has to be identical in terms of convenience and ease of use to qualify) but there will definitely be other, similar targets for lawsuits.
Two points
1. User experience is already bad. No access to game streaming services and many valid open source apps not available on iOS
2. User experience is not the only metric that matters. What about poor indie developer whose app is banned due to opaque App store rules. What about having control over device you bought with your own money
> What about poor indie developer whose app is banned due to opaque App store rules
They'll just have the opportunity to get banned from more than one store I guess. Then once this indie developer decides it's profitable to scam their customers they'll create their own app store and just install their software that way, bypassing any legitimate bans too.
1. More app stores will compete with each other to provide better app delivery service to developers.
2. Host the app on a website and install it from there. No need for app stores. There, I solved it for you.
I'm not going to reply to you anymore as your arguments lack depth and seriousness.