What about immutable systems? My app (using scuttlebutt) creates an 'account' but it's located as crypto keys only within the app and Apple keychain. So far the Apple reviewers refused to believe that it works like that. It's open source, they've got the code... but still....
Same is true for anything crypto. The account as it were exists on many devices, but it's not something you as the app creator can manage.
I think apple protecting privacy is good, but the effect on actually private systems is complicated.
This is why using the blockchain for user data is such a stupid idea. The immutability makes it impossible to redact or remove information, even if that information is encrypted. The same is true for P2P services where there is no central accounting system.
Deleting the account shouldn't be a problem if all the "account" info is stored on the device itself, so if your reviewers aren't completely incompetent I don't see why this would be a problem.
KYC/audit regs aside, it's also because the account belongs to the bank. The money is held in trust on your behalf, but the amounts are a liability on the institution's balance sheet. This is also why an increase in the balance of your deposit account is referred to as a credit; the statement is written from the bank's perspective, not yours.
What you have is partial control of these funds, via instructions to your bank, electronic or otherwise, but since it is merely operated on your behalf, you can't unilaterally delete the account. What you can do, is terminate the relationship with your bank.
I think this way of framing it is perhaps misleading.
Yes, it's plainly true that the bank owns (or rents) the hardware, software, databases, etc. and that you're paying for a service through various fees.
But IP is much less clear, and the view that "it's my database so it's my data" is not actually universally legal when the data concerns humans.
> But IP is much less clear, and the view that "it's my database so it's my data" is not actually universally legal when the data concerns humans.
The whole notion that someone could have a legal property interest in personal data collected by others is exceedingly modern. Even the most abstract scholarly work presaging the concept can only be traced back a few decades. Similarly, privacy as a concrete, distinct legal concept is only slightly older. (Notwithstanding the historical narrative gymnastics legal and social policy advocates often perform in their attempts to appeal to tradition.)
Suffice it to say, modern concepts regarding privacy and personal data aren't very useful in understanding banking practices and property regimes that can be traced back centuries, if not millennia, in nearly identical forms.
> apps that allow for account creation must also allow users to initiate deletion of their account from within the app
This is a relatively straightforward request that maybe doesn't go as far as most people imagine here. Pressing "delete" doesn't instantly delete all user data and it's not expected to. In some cases there may be subsequent steps and some data may be kept for legal reasons*.
The point is very sensible: if I can request the creation of an account or subscription easily in the app, the reverse process should be just as straightforward. If an app can give a one-button "create-subscribe-pay" experience, then when it comes to deletion you shouldn't suddenly have to fill out paper forms or send letters at specific times in the month. And that's if you can even find the info on how to do it in the first place.
Now you can trigger the deletion and know that they have to do something about it, at the very least get clear instructions on how to proceed.
*When it comes to banks, they are subject to laws and regulation that many other companies/services don't have to deal with. Which is why Apple makes this provision:
> We encourage you to review any laws that may require you to maintain certain types of data, and to make sure your app clearly explains what data your app collects, how it collects that data, all uses of that data, your data retention/deletion policies, and more as described in the guideline
Couldn't you make that same argument for any online service? "I own the database and servers, its my account that I operate on the user's behalf. Therefore they cannot delete the account".
You can make that argument, and many do, and some courts may even be suckered into falling for it when push comes to shove. In a more jurisprudent analysis, however, it relies on a false parity between consumer and company in negotiating power.
Legislation like the GDPR is motivated in part to nullify such arguments.
The requirement only applies if one can create the account in the app. At least here in Finland that is not an option in any of the local banks' apps I have used.
You might think that at first, but the distinction can be made for data as well. The argument goes, when is your data, not really your data? How about, when it's actually my records, of your use, of my system.
If you allow such a construct, then "deleting your account" could mean, your immediate personal details (or perhaps even just your access credentials) are erased in some fashion, but nothing else.
This is how legislation like the GDPR gets motivated, of course. The Apple guidelines reference "usage data" elsewhere, and I imagine that's for similar reasons. The deletion clause itself, rather notably, doesn't.
If the user is allowed, according to their contract or the law, to delete their account, they should be able to request that themselves from within the app. This is what I understand from what Apple is requiring the apps to do. It is very similar to the GDPR "right to erasure"/"right to be forgotten".
For your specific cases:
- if a user rented something then they should not be allowed legally to close their account until they return or pay for the equipment. If that is in the contract then the "delete my account" button should be disabled until their contract is terminated/closed.
- if you're a dog kennel it is the same, the user should keep the account until the dog is returned.
- if you are a parole division of the police and the "customer" by law can have their records deleted they should be able to do so.
> If the user is allowed, according to their contract or the law, to delete their account, they should be able to request that themselves from within the app. This is what I understand from what Apple is requiring the apps to do.
But now you're exposing the huge problem. It goes from "everybody has to be able to cancel their account in the app" to having to be a contract lawyer steeped in the specifics of every business arrangement and know the law in a hundred different countries to be able to determine if you're allowed to cancel within the app.
Then the app reviewers would either have to be lawyers with plenty of time to make an accurate determination, or they'll be getting it wrong left and right. And it'll obviously be the second one. So now what does the dog kennel owner do, or the OP above, when the app reviewer rejects their excuse?
This is making a mountain out of a molehill. There's nothing to suggest any pre-conditions for deleting an account have to be removed, simply that it must be possible to "initiate deletion" from within the app.
Then you're defeating the purpose of the requirement, because the scummy scam service will let you "initiate" deletion but to actually carry it out you still have to call them and wait on hold for sixteen years or come show your ID in person at their offices in Northern Alaska.
Frankly, this would still be a good start compared to the norm today: You can't even find information about account deletion from most mobile apps, let alone initiate the process.
I agree that things can get complicated when taking into consideration multiple countries. But I think this is the cost of doing business and caring about users. If you do business in multiple countries then that is the cost to be paid.
I also think that the default should be that users should be able to delete their accounts and companies should provide evidence why they have that button disabled or removed.
So in case of review the rule maybe could be: if the user is creating an account in your app, then the user should have the option to delete their account from the app, unless evidence is provided why the account cannot be deleted because of legal reasons.
The exact wording Apple have used is "initiate deletion", that's quite different from immediate deletion. For example, you should be able to request that your bank close your account, via the app - is that too much to ask a bank?
With distributed data centers it needs to be a quite sizable meteor though. The dinosaur killer asteroid may not be enough if your redundancy is on the other side of the globe.
You still likely have a limited window. Once their obligations to keep your info are up, they're likely to purge it. It's a waste of resources to keep that around and not much value. Plus they surely know it's a liability. PII is treated very carefully in regulated industries. The less of it they have, the better.
Can confirm, I worked at a fintech company previously with a large number of users. They had a "deleted_at" column on the user table in the database. It's not actually deleted.
Isn't this almost necessarily true for any system which needs an auditable history?
Just thinking out loud: of course cascading deletes will fail, so I guess you could avoid using true foreign keys to the user table for things which are truly related, and then you'd know what the user did but presumably no PII... Seems insanely sketchy though. Way cleaner to soft delete if you ever need to recover history, which the fintech context among many others obviously requires.
Regulated financial services must also store the documentation and results for how they verified a user's identity, too. This involves talking to third parties that can tell you if a given user's name matches their tax identifiers, street addresses, phone number, et cetera.
Anyone competent is storing both their requests to those external APIs, as well as those responses, for the entirety of the recordkeeping requirement period.
This is not just banks but (nearly) all companies who deal with payment data will not delete anything related to payment for many, many years. In India this used to be 10 years. In the USA I think it is 5 years.
Ok, and? 7-10 years isn't forever, or at least certainly not long enough to negate GP's point about blockchain immutability being undesirable as far as account deletion is concerned.
Did I argue that point at all? Such an immutable system will absolutely not be applicable to the EU and GDPR unless all the data is encrypted and the encryption keys are not part of the major chain.
A lot of firms that deal with personal data may even have snapshots of every single change, sort of immutable - just not global. Again, destroying the keys solves the issue of immediate erasure. The latter is oftentimes impossible due to tape backups.
This is different from not deleting your account. Having to keep a record of your purchases doesn't mean they can keep track of your hobbies or whatever.
GDPR solved this years ago: right to be forgotten does not apply to legal requirements to keep records. Companies must keep those records only for the minimum time though.
Well that's rather flippant. Where does it say that Apple is only talking about social media apps?
And what has it got to do with GDPR. Apple are not the GDPR police in my country. But now you mention it, are the app reviewers going to be trained in GDPR and document retention exemptions, or are they just going to hand out bans?
Getting sick of the down voting from the Apple fanbois of hn.
Revolut and many other apps allow creation of accounts from the app per local regulations. It may require SSN in the US to complete sign-up, but it's all done through the app and is immediate.
The account falls under all the regular retention and reporting requirements, although these companies mitigate some classes of issues with stricter limits, not paying any interest (even though that'd be minuscule), etc.
Any bank in America for the last 20 years. I opened my very first account at the branch because I thought they needed to see me. Dozens of accounts at multiple financial institutions after that, I never had to go to the branch. Most of my accounts are held at places that don't have any branches within hundreds of miles.
In fact Wells Fargo is famous for opening accounts for you without you even thinking about it.
I signed up for Schwab (and numerous other financial institutions that were not "banks" per se) without having to go to a branch in person. You usually just submit photos of documents and, in some cases, have your picture taken at your computer.
They certainly don't scan and save images of your identifying documents when you go into the branch. They may store your DL and SSN number. This is a lot less than you volunteering up your identifying documents to a public webserver.
ANZ Bank, in Australia - and I'm assuming the others of the Big 4 do as well (CBA, NAB and Westpac, that is).
It's been added to the App for some account types over the past year or so.
It can just go through a manual review and delete the parts that they are legally required to delete. While I don't agree with a lot of the money laundering/terror financing laws, banks shouldn't have to delete your data if you're trying to avoid taxes or whatever.
INITIATION is the important part, if they fail to delete the parts they're required to delete, F them: get them off the app store.
> If I can make an account easily, then I should be able to delete an account easily.
Sure, if you can open an account easily, then you should be able to delete an account easily. So if we make opening an account difficult, then it is fine that deleting one would also be difficult.
Sounds like an invitation to make opening an account at a bank or a bunch of other services much more difficult aka impossible from the app.
And this is a major reason I'm personally wary about a lot of ideas around putting stuff onto a public blockchain. Once it's there it's never going away.
Even just transaction info on a public blockchain is odd to me. It's possible to remain anonymous, but all it takes is one slip-up and then anyone can perform blockchain analysis to trace all sorts of stuff back to me.
On the other hand, if all currency was on a blockchain it would be possible to perform block chain analysis to determine each individual’s wealth and income making taxes much easier.
On some blockchains it's easy to map the account to the user, on others it's impossible. There are solutions which are completely secret with regards to transfers, so blockchain doesn't solve the taxes. (a specific blockchain may in theory)
Assuming that information is only visible to the owner of the key anyways, then disposing of the key effectively renders that encrypted data as garbage. Not being able to delete it only enables some unknown future attack that can decrypt any data without the key.
We invade the privacy of people from a few hundred years ago all the time and it's considered fine. Do you think there will be a breakthrough in encryption breaking soon enough for it to matter?
Browsers have to frequently deprecate cryptosystems that have become insecure. That's not possible with data frozen inside the blockchain.
Also, we're at a point where quantum computers are just starting to become practically usable. So yes, I think the point of a "cryptographic breakthrough" that will crack some configurations is quite likely.
If all of AES, then yes. But a particular choice of algorithm parameters can become insecure much earlier.
> If AES is broken in your lifetime, you're going to have _way_ bigger problems than somebody decrypting your blockchain ciphertext.
I'm not so sure about that. Not a lot of encrypted data is simply lying around at rest, available for everyone to run attacks against. Most encrypted data is either ephemeral (encrypted data connections) or secured by additional measures (e.g. to even get the raw bytes of an encrypted partition, you need access to the machine, appropriate permissions, etc)
That gives the data owners various opportunities to react and mitigate the risks: stop processes that send sensitive data, unmount sensitive partitions, delete data, etc.
You can't do a lot to protect data on the blockchain - it's literally out there for everyone to access.
AES being broken doesn't mean someone managed to brute force a key. It means someone found a flaw that enables them to break any key in much less time than you'd expect a brute force attack to take. In other words, if AES is broken people would be able to read that ephemeral data quickly enough for it to be useful.
I know - and the ephemeral data that attackers were able to capture would of course be at risk.
My point was that data owners have options to limit damage - e.g. immediately stopping any data transmission and not producing any future ephemeral data.
And just to nitpick about blockchains, ledgers, etc.: they don’t need to be world-readable. You can protect them the same as you would a regular database.
> You can protect them the same as you would a regular database.
Then you'll need some central entity to manage access to the chain. If you already have a central entity, you can just use a regular database instead of a blockchain and save yourself all the energy waste.
The key aspect of a blockchain is that each block contains the hash of the previous block. That provides integrity guarantees that you don't get simply by using a central entity.
I'd say the "each block contains the hash of a previous block" property is the implementation but not the key aspect. (Unless you count a git repo as a blockchain too)
I think the key aspect is that it is a database that no single person or organisation can delete or alter - not even the developers or operators of the database themselves. The only operation possible is append.
But this property requires that the majority of nodes participating in the chain are not under your control. When the nodes are under your control, you could just order them to swap out the current chain with one you just made up. (Which is effectively how git's "history rewriting" features work)
This doesn't provide any more integrity than an ordinary database.
On the other hand, if you want an append-only database and you already have a central gatekeeper that you trust (as required for access enforcement), you also can use an ordinary database and have the gatekeeper enforce the append-only property. No blockchain required.
That part is very easy to implement without all the extra cruft that a blockchain also brings with it. Git manages to do that same thing without burning a ton of coal every time you make a commit.
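To make the point above concrete, here is an added example (not code from any poster or project in this thread) of a minimal hash chain: each block carries the hash of its predecessor. It shows the one case the linkage does catch (an edit in place) and the case it does not (an operator who controls every copy simply rebuilds the chain), which is why only a head hash held outside the operator's control adds integrity beyond what an ordinary database gives. The sample records are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Block is one record in the chain: its payload and the hash of the block before it.
type Block struct {
	PrevHash string
	Data     string
}

// Hash identifies the block by hashing its predecessor's hash together with its data.
func (b Block) Hash() string {
	sum := sha256.Sum256([]byte(b.PrevHash + "\x1f" + b.Data))
	return hex.EncodeToString(sum[:])
}

// Chain is an in-memory hash chain: no consensus, no signatures, just the linkage.
type Chain struct{ Blocks []Block }

// Append links a new block to the current head.
func (c *Chain) Append(data string) {
	c.Blocks = append(c.Blocks, Block{PrevHash: c.Head(), Data: data})
}

// Head returns the hash of the latest block, or "" for an empty chain.
func (c *Chain) Head() string {
	if len(c.Blocks) == 0 {
		return ""
	}
	return c.Blocks[len(c.Blocks)-1].Hash()
}

// Verify checks the linkage only: each block must name the hash of its predecessor.
func (c *Chain) Verify() bool {
	prev := ""
	for _, b := range c.Blocks {
		if b.PrevHash != prev {
			return false
		}
		prev = b.Hash()
	}
	return true
}

// TamperInPlace edits one block's data without relinking. The following block's
// PrevHash no longer matches, so Verify fails: this is the case chaining catches.
func (c *Chain) TamperInPlace(i int, data string) {
	c.Blocks[i].Data = data
}

// RewriteHistory is what an operator who controls every copy can do: rebuild the
// whole chain with altered data. The result is perfectly well linked, so Verify
// passes; only someone holding the old head hash can tell the difference.
func (c *Chain) RewriteHistory(i int, data string) {
	old := c.Blocks
	c.Blocks = nil
	for j, b := range old {
		if j == i {
			c.Append(data)
		} else {
			c.Append(b.Data)
		}
	}
}

// MatchesAnchor compares the current head with a head hash recorded outside the
// operator's control (a published digest, a counterparty's copy, a timestamp).
func (c *Chain) MatchesAnchor(anchor string) bool {
	return c.Head() == anchor
}

func main() {
	c := &Chain{}
	c.Append("alice: +10") // constructed sample ledger entries
	c.Append("bob: -5")
	c.Append("alice: +20")
	anchor := c.Head() // imagine this hash published to a party you do not control

	c.TamperInPlace(1, "bob: -500")
	fmt.Println("in-place edit verifies:", c.Verify()) // false

	c.RewriteHistory(1, "bob: -500")
	fmt.Println("rewritten chain verifies:", c.Verify())      // true
	fmt.Println("matches external anchor:", c.MatchesAnchor(anchor)) // false
}
```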
But it doesn’t though right? If there’s a database breach 10 years from now and I’m able to crack pki with like a quantum computer or something then I have that data… I think.
You don't need the breach, the DB is already public (in encrypted form).
So yeah, all you need is either a currently unknown mathematic weakness in the encryption scheme, or bug in implementation, or as you suggest some future quantum or other technical advance that defeats the encryption.
Likely the encryption key (per user) should be split between central and distributed (device) system. That way the operator can remove any identifiable user from the chain. Leaks of the central system won't have an immediate effect, either. Still quite a bizarre case.
Except it shouldn’t be up to the device makers to delete your “account”. It should be up to you. What’s stupid is the current system, where you bought an e-book and they can delete it from under your nose at any time.
There are three pieces, in fact:
1) The device keys - they should never leave the device
2) YOUR private keys - which you should be accessing and managing from multiple devices, and you can have many of these
3) User accounts on networks. This is where you actually authenticated some sessions, and they shouldn’t contain most of your personal info, only info necessary to operate the service.
For example at our company, we have a way for websites to display your name and friends back to yourself, while having no idea what they are. You can manage multiple identities across many services, and choose which to share with friends, and which not, and everything is automated so the Web turns into a social network:
You can have decentralized p2p systems that respect users (allow deletes). One example would be Gun which allows you to “tombstone” your data. Just overwrite it with a blank.
A new version of Scuttlebutt allows tombstoning too.
I think mutable should be the default. Make it all ephemeral with optional permanence.
I think this is an interesting hypothetical. If you never sync up, though, are you still part of the app developer's aura of responsibility? Deletion of the data has been initialized per requirement, and will propagate through the system at the rate the system is able to propagate data.
If someone changes their system to avoid the data being deleted, presumably they would then have to accept the liability / responsibility for deletion. But that's already moot anyway, because we're not talking about a court of law, but a court of App Store publication, which it would already no longer be a part of.
I just need a versioned file system, or to make copies, or well anything. The entire idea of deleting public information and all players being well-behaved, etc. is beyond futile.
No, you can’t. But you also can’t stop someone from screenshotting everything you do online.
The reality is that most people don’t have hardcore enemies that go out of their way to do things like that. And if you do, you ideally would have them blocked anyway.
Regardless, not posting totally publicly is becoming the norm now anyway. Posting in some kind of context limits the danger of this level of malicious snooping.
Key management is how many comply with GDPR today. They encrypt the PII and associate it with the user. Then, when someone requests their info to be "deleted", they zero out the encryption key.
This should continue to work as long as you use systems that do not fall to pieces under quantum attacks.
AES is considered "resistant" in that quantum does an effective square-rooting of the brute forcing effort (or if you prefer, halving of the binary key length). So, do not use anything under AES 256.
Asymmetric algorithms fall apart though, which is why NIST has had a multi-year effort to select new standardized asymmetric algorithms.
There are select bits of info we should protect, but can't. If you're in the US, your SSN is one of those.
It never ceases to make me chuckle that it says that it's not a form of ID on front, and yet everyone considers it a form of ID. Even state governments. It's usually listed under one of the documents they accept to prove ID.
The best way to do user data on-chain is to commit to hashes of the data over time as it changes, and have users provide the data for the latest hash when it's needed.
You could probably get away with signing an “implode” message and appending it to the tree, instructing any conforming client to wipe the account upon receipt (or at least cease to retransmit). That would give users the option to request their data be removed.
In event sourced systems, where the state of an application is stored as a sequence of immutable events, one way of solving the "delete" problem (e.g: GDPR) is to have all the events encrypted to begin with.
The deletion (without performing a rewriting of the events) can be considered executed by simply "deleting" the key used to decrypt the events.
The information is not deleted per se, but it is not usable anymore. Now, if you have access to new means that allow you to break the encryption, then yeah it could be a problem.
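The crypto-shredding approach described in this comment and in the key-management comment above, as an added example that is not code from any poster here: events are appended immutably, each encrypted under a per-user AES-256-GCM key kept in a separate, mutable vault, and an erasure request destroys the key rather than rewriting the log. The user IDs and payloads are constructed samples; the vault is an in-memory map standing in for a real key management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Event is one immutable record: the user it belongs to and the sealed payload.
type Event struct {
	UserID string
	Nonce  []byte
	Sealed []byte // AES-256-GCM ciphertext plus tag
}

// Store is an append-only event log with a separate, mutable per-user key vault.
type Store struct {
	events []Event
	keys   map[string][]byte // 32-byte data encryption key per user
}

// ErrNoKey is returned when a user's key is absent: never enrolled, or shredded.
var ErrNoKey = errors.New("no usable key for user (never enrolled or shredded)")

func NewStore() *Store { return &Store{keys: map[string][]byte{}} }

// keyFor returns the user's key, generating a fresh random one on first use.
func (s *Store) keyFor(user string) ([]byte, error) {
	if k, ok := s.keys[user]; ok {
		return k, nil
	}
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	s.keys[user] = k
	return k, nil
}

func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Append seals the payload under the user's key; the user ID is bound as
// associated data so a ciphertext cannot be re-attributed to another user.
func (s *Store) Append(user, payload string) error {
	key, err := s.keyFor(user)
	if err != nil {
		return err
	}
	aead, err := aeadFor(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	sealed := aead.Seal(nil, nonce, []byte(payload), []byte(user))
	s.events = append(s.events, Event{UserID: user, Nonce: nonce, Sealed: sealed})
	return nil
}

// Read decrypts the user's events in order; it fails once the key is gone.
func (s *Store) Read(user string) ([]string, error) {
	key, ok := s.keys[user]
	if !ok {
		return nil, ErrNoKey
	}
	aead, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, e := range s.events {
		if e.UserID != user {
			continue
		}
		pt, err := aead.Open(nil, e.Nonce, e.Sealed, []byte(user))
		if err != nil {
			return nil, err
		}
		out = append(out, string(pt))
	}
	return out, nil
}

// Forget is the erasure request: zero the key in memory and drop it from the
// vault. The log is untouched, but the user's events are now undecryptable.
func (s *Store) Forget(user string) {
	if k, ok := s.keys[user]; ok {
		for i := range k {
			k[i] = 0
		}
		delete(s.keys, user)
	}
}

// EventCount shows that erasure never rewrites the append-only log.
func (s *Store) EventCount() int { return len(s.events) }

func main() {
	s := NewStore()
	_ = s.Append("alice", "deposit 10") // constructed sample events
	_ = s.Append("bob", "withdraw 5")
	s.Forget("alice")
	_, err := s.Read("alice")
	fmt.Println("alice readable after shred:", err == nil, "| log size:", s.EventCount())
}
```

In a deployment the vault would be a KMS or HSM with its own audit trail, and retention rules would be enforced on the key's lifetime rather than on the log.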
You're just hating on crypto and finding reasons for it. Crypto has use cases that people are using at the moment and it's not up to you to decide how people should decide to use systems. If they want to own some NFTs because it's part of a game or simply to hold some generative art, that is their choice.
> It probably could be fine for public user data that you want to spread out and be somewhat resistant to censor from governments.
Can you give an example? “spread out and be somewhat resistant to censorship from governments” is just a description of blockchain's strengths¹.
> why do you talk about it if it isn't relevant?
If I didn't mention it, I'd be lying by omission. In order for this discussion to make sense, I have to make the implicit assumption that blockchain is good for anything. I have never, in my life, encountered a situation where blockchain is better than alternatives. Heck, I'm half-convinced that Bitcoin would've been better off with a block-graph (like Git); it models the dependencies better, and means attempted double-spend attacks have a lower impact on the rest of the ledger. (51% attacks would be a little easier, but only for very recent transactions, assuming even distribution of wealth² and a free market economy³.)
¹: though it isn't particularly good at either of those things in practice
²: this is a bad assumption, but it would only affect wealth hoarders so I don't care
³: this is a really bad assumption, but it wouldn't take much improvement to the world to make it a sufficiently reasonable assumption
it is very easy to find an example of censorship, not sure why you need one but let's say: "World marks 32 years since Tiananmen massacre as China censors all mention of it"
There is also daily examples of censorship on this website.
I mean an example for when you'd want to put user data on the blockchain – rather than a description of the general category. (It's a mistake many mathematicians make at one time or other: declaring a property on all members of a certain set without first checking whether it's the empty set.)
Your app is incompatible with the Apple App Store.
There’s a lot of arguments that people will make about whether this is justified or not, but from a plain rules standpoint, that’s not a permissible data management strategy if you want to publish an iOS app through Apple’s store.
If your app implements account creation, then it will likely be taken down unless either your app removes create-account support or the API and your app implement delete-account support, as a user would reasonably expect that you're able to delete the accounts that you create.
If you do not implement account creation, then you're unlikely to be held responsible for account deletion, as a user would reasonably understand that your app is not responsible for creation or deletion of accounts.
EDIT: Elsethread, someone asked "What if I create accounts on the blockchain?", and since it's possible you'll come around to that idea next — the app would have to interact directly with the blockchain, so you'd probably get rejected for a whole array of reasons, such as but not limited to that you're storing account data on the blockchain. And I wouldn't envy you trying to explain why you shouldn't be continuously fined for GDPR violation in the EU, either.
> And I wouldn't envy you trying to explain why you shouldn't be continuously fined for GDPR violation in the EU, either
This is kind of a bizarre thought to me. You think anyone who provides software, without involving any services hosted by that person, should be liable for what users do with this software? If this were to hold up in court (which I'm confident it wouldn't), then open-source software would be done.
Or is this a problem of terminology? In the scuttlebutt case, there is no actual "account" - just a key. Maybe one should simply replace the string "Create account" (if there is such a string) with "Generate key/identity".
I don't see why that would be any different. If it was, then companies who find enough value in not providing a deletion option could pay someone to submit an app on their behalf. There's no way for Apple to know whether or not an app submitted by a third party is actually fully independent of the service.
Or just stop buying Apple devices? That way the duopoly can shift from iOS/Android to Android/<Linux phones, or some other open alternative>.
I realize many people are heavily invested in the Apple ecosystem, especially since Apple encourages that with the proprietary integrations between their different devices, but there's a point when one should realize they have a choice. It's a walled garden not a prison.
Blockchain wallets are an interesting case. I would argue that for example an Ethereum wallet that generates an address for you in the Ethereum system is not required to provide a way to delete that account again. Similarly, the Chrome app is not required to allow you to delete your hackernews account even though you created it using the Chrome app. Generally, if an app enables you to create an account in a system controlled by someone else, the account deletion rule shouldn’t be applicable.
I do not believe Apple will make a distinction based on corporate structure - if you support creating an account, you need to support deleting it. If you can't support deleting it, you can't support creating it in-app.
That said, I would argue that there is no Ethereum "account" - it's just a crypto key. In that sense, use on Ethereum is similar to someone using an email address to sign up for mailing lists and to post on forums.
The counter-argument is that your wallet app likely provides the interfaces to do that functionality, which makes the Ethereum blockchains a proper system under consideration.
Safari enables me to create accounts on lots of services controlled by third parties and, for some of these, Safari does not symmetrically enable me to initiate a deletion in-app.
(I'll give you that Safari isn't in the App Store but many other browsers are. It would be viewed as anti-competitive for Apple to remove all competing browsers.)
> Safari enables me to create accounts on lots of services controlled by third parties and, for some of these, Safari does not symmetrically enable me to initiate a deletion in-app.
This might be the weakest strawman argument I've ever seen. Well done.
It's very nearly the literal sentence that preceded the text you quoted upthread. It's exactly what we're talking about here and what you seem to be agreeing that Apple is intending to (and right to) enforce.
Defining account will be interesting. One definition might be:
The 'account' consists of the credentials required to add or modify data associated with a human.
In that case, the person deleting their private key would suffice for deleting an account.
There are plenty of things this doesn't cover, or even backfires. Just interested in what other perspectives people may have.
---
Scuttlebutt actually could allow for 'deletion' in the sense that a 'compliant' scuttlebutt client could choose to interpret a 'delete this account' message as a filter for any messages that match said public key. Many clients' UX understand that the state of messages may be incomplete due to the P2P nature, so that's kinda nice too.
I’m writing an app that has an account on a server. A user with no account can send a POST form (through the app), requesting that we create an account for them. We do so, through an admin dashboard. It’s easy to completely delete the account through the same dashboard, and I don’t think we have any legal obligations to retain the account.
I’m planning to add a “delete my account” POST form, in the logged-in app.
Why not just automatically create/delete the account? What's the purpose of manually transcribing their information to an admin panel? Also, does this mean you have humans copying over and potentially looking at (even if only on accident) people's passwords?
It’s an app that is aimed at a specific demographic. It’s fairly important that we do our best to avoid giving accounts to “just anybody.”
If we ever get to the kind of scale that would require us to have automatic account creation, we’ll see. We certainly have the technical means to do it. Until then, we’ll have volunteer admins creating accounts.
I know that most services do everything they can, to push for massive scale, but we’re different. It’s an NPO, serving a fairly small subset of the population, and we need to be careful not to sacrifice quality for scale (heresy, I know).
The temp passwords are auto-generated and sent to the user, and stored in the traditional one-way hash. The dashboard can reset passwords, but we pretty much let the user do what they want, once the account is set up.
Can you just delete the key and local data? Is the requirement to push that deletion to all other SSB instances?
Seems like a case where in 2021 this rule is good, but blocks the creation of new business/product/tools that don't conform with the 2020 way of thinking... which is good for apple.
> Is the requirement to push that deletion to all other SSB instances?
Well if you follow the GDPR: yes. Article 17.2
> Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
If the personal data is encrypted and you destroy the only key that can be used to decrypt it, is it still personal data? Or is it now simply some random bytes?
I had this exact question for our privacy legal team and the answer I got was that deleting the keys to encrypted data is legally equivalent to deleting the data itself.
We built a system that creates backups of PII using that mechanism; throw away the key after data is supposed to be deleted. That is legal under EU GDPR.
> taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
This is just not possible for a lot of data like SSB.
How would you do this if someone asked github to delete all their commits across repos?
> ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Are you certain that an app developer for a client would qualify as a Data Controller here? As long as the relevant data never passes through their or other third-party servers and it's strictly local account setup interfacing with SSB I think they are not?
I personally don’t think it’s a good idea for lay people to be using systems where they can’t delete their user data. Maybe Apple's isn’t the right platform for such things.
Nobody is asking you to actually delete the information. I suppose that with a proper design it should be possible to mark an account as inactive, mark the associated profile data as inaccessible (if it's accessible via the web, for instance), and, most importantly, stop requiring this account when using the app.
Putting PII or UGC into immutable storage is poor design; unfortunately, both users and laws want this information to be destroyable.
Maybe a tombstone record in your immutable system? It is technically marking the account as deleted and the data is unrecoverable if the only encryption keys have been safely purged...
It’s the same as trying to adhere to RTBF/GDPR with a blockchain or any other immutable data store… Your design decisions need to match the regulatory or other commercial / situational requirements.
But in your case I’m not sure what exactly is the problem other than Apple doesn’t believe you… you can still delete the account it’s just deleted locally.
And you may be required to delete any server side identifiers if such exist.
For "actually private" systems like this the solution should be cryptoshredding. If this is not possible (e.g. because you believe information published once should be available forever), then the app is bad and should not exist. People have a right to be forgotten.
My guess would be to just delete all local data, instruct the user to destroy all private keys, and consider the data deleted. I think in this situation, best effort to "delete" the data is all you can do. In this case, if all keys are deleted, the data effectively becomes meaningless bits.
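The crypto-shredding and tombstone approach discussed in the comments above, as an added example that is not part of the thread and not Scuttlebutt's own protocol. It assumes an append-only feed in which each account's records are encrypted under a per-account key held outside the log; deletion appends a tombstone (which a compliant client uses as a filter) and destroys the key (so a non-compliant client that ignores the tombstone still only sees meaningless bytes). The toy stream cipher (HMAC-SHA256 in counter mode) stands in for a real AEAD such as AES-GCM and is an assumption of the example.

```python
"""Crypto-shredding on an append-only feed (constructed example, not SSB's protocol)."""
import hashlib
import hmac
import json
import os
from dataclasses import dataclass, field


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher: HMAC-SHA256 in counter mode. Illustration only;
    # a real system would use an authenticated cipher (AES-GCM, ChaCha20-Poly1305).
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


@dataclass
class Feed:
    log: list = field(default_factory=list)    # append-only; entries are never removed
    keys: dict = field(default_factory=dict)   # per-account keys, kept outside the log

    def create_account(self, account_id: str) -> None:
        self.keys[account_id] = os.urandom(32)

    def post(self, account_id: str, record: dict) -> None:
        # Every record is encrypted before it touches the immutable log.
        nonce = os.urandom(16)
        ct = _keystream_xor(self.keys[account_id], nonce, json.dumps(record).encode())
        self.log.append({"account": account_id, "nonce": nonce.hex(), "ct": ct.hex()})

    def delete_account(self, account_id: str) -> None:
        # 1. Tombstone: the log cannot shrink, so deletion is itself a record.
        self.log.append({"account": account_id, "tombstone": True})
        # 2. Shred: destroying the key makes the ciphertexts already in the log unrecoverable.
        del self.keys[account_id]

    def read(self) -> list:
        """What a compliant client shows: tombstoned accounts are filtered out."""
        tombstoned = {e["account"] for e in self.log if e.get("tombstone")}
        visible = []
        for e in self.log:
            if e.get("tombstone") or e["account"] in tombstoned:
                continue
            key = self.keys[e["account"]]
            pt = _keystream_xor(key, bytes.fromhex(e["nonce"]), bytes.fromhex(e["ct"]))
            visible.append((e["account"], json.loads(pt)))
        return visible

    def raw_ciphertexts(self, account_id: str) -> list:
        """What a non-compliant client still holds: bytes it can no longer decrypt."""
        return [e["ct"] for e in self.log if e["account"] == account_id and "ct" in e]


def demo() -> dict:
    # Constructed sample data.
    feed = Feed()
    feed.create_account("alice")
    feed.create_account("bob")
    feed.post("alice", {"text": "hello from alice"})
    feed.post("bob", {"text": "hello from bob"})
    feed.post("alice", {"text": "alice again"})
    feed.delete_account("alice")
    return {
        "visible": feed.read(),
        "log_len": len(feed.log),
        "alice_entries_retained": sum(1 for e in feed.log if e["account"] == "alice"),
        "alice_ciphertexts": len(feed.raw_ciphertexts("alice")),
        "alice_key_present": "alice" in feed.keys,
    }


if __name__ == "__main__":
    print(demo())
```

The log keeps every byte Alice ever wrote (three entries, two of them ciphertext), which is the immutability the thread objects to; what the key purge changes is that no party, including the operator, can turn those bytes back into personal data.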
You must provide a way to undo first party and third party data retention of personal data at the same level as the initial retention.
If such data exists in an app under control of the user, then uninstallation is fine.
If you persist that data in your own systems, you must provide a way to withdraw that consent. Same with data shared with third parties.
If you create an account in first party systems, you must provide a way to delete that account.
If the account is created outside the app (say via your website), that's fine, but you may get the same regulatory pressures directly (from GDPR, from California, etc) to support deletion in the same context.
I heard you can change your address to California, which then gives the option to cancel online (due to state law). It is absolutely ridiculous that NYT will happily take your card info online, but require you to be on hold to speak with their "customer care" to cancel. Maybe it is time to use virtual CC's a la privacy.com.
Yep - and these are the SAME places posting LONG articles about how terrible Apple's store policies are. Uh, folks spend a lot on the apple store for a reason.
The problem is how Apple both profits from the app store and sets rules on the app store. It’s incentivized to create rules that make it money without helping users. Apple needs to either stop making money from the app store or to create a separate body that can set rules without being incentivized by profit.
Laws are good, but the lawmakers shouldn’t profit from them.
Walmart profits from their store and sets the rules for their store. The incentive is to make the store a place people want to spend money. This is the same as almost any other store isn't it?
You do that by making it safe and comfortable for users (or in Android's case maybe by doing deals with phone companies to pre-load their apps and make money off users there).
Apple is only partly successful, they have 15% market share in phones or so. But one area they've been good at is trust - users on an iPhone probably spend a lot more (it's also harder to pirate, so what developers give up in profits they make back in lack of pirating).
Except, as a seller, I have multiple avenues to deliver my product to customers other than Walmart. On top of that, Walmart charges a fee per sale [1], and doesn't get to double dip into additional services rendered on top of that product. As soon as the sale is done through Walmart, they're cut out of the picture. Could you imagine Walmart demanding a 30% cut of profits if I sell a video game with in-game purchases--just because they performed the task of stocking it on the shelf?
In California the New York Times still requires you to chat with a customer support person on their website. You still have to wait in queue, then wait for the person (or maybe it's a bot at this point) to paste in several attempts at retaining your subscription.
The law needs to be that you can cancel all recurring payments through a standard interface. It's ludicrous that my online banking account doesn't just show me all subscriptions and allow me to cancel all future payments of any of them.
I should be able to tell my credit card company that I'm ending a subscription, and have them be in charge of notifying the provider that the subscription has been terminated
Yes for recurring subscriptions the control should be firmly under the consumers control. Perhaps there should be a special recurring transaction type on credit cards akin to those in PayPal.
Startup idea? I would totally pay for / use a service that managed and paid all of my subscriptions to various things that also made it so that I could cancel any of them at any time with a single click (okay maybe 2 clicks) on their website and hear nothing more about that account.
I've done this using my credit card company (not the bank) and they were very helpful. I explained why I wanted them to stop the recurring payment and they asked if I wanted to dispute any of the older charges, took less than 5 minutes. I call the 'fraud/disputes' phone number on the back of my card for this and I think that is not the bank, I think it's Visa / Mastercard themselves.
A gym is not a recurring payment, it's a facility access contract defined for a period of time. You agreed upon a price for the year, broken down into monthly payments. You are obligated to pay that full amount b/c you agreed to it when you signed the contract at the beginning of the membership.
You don't have such contracts with recurring payment products.
No, quite a few gyms advertise “no contract” month-to-month payment schemes that still require a specific cancellation process.
For example, Planet Fitness has “no commitment” memberships, but you still have to explicitly cancel.
> You may cancel according to our policy: Per the agreement, in order to cancel a membership, one must either go to your home club in person to fill out a cancellation form, or send a letter (preferably via certified mail) to the club, requesting cancellation. Please note: Memberships cannot be cancelled via fax, phone, or email.
You can kind of get close to this using merchant-specific card numbers from privacy.com (not affiliated). If you want to cancel a subscription, you just deactivate the number associated with that subscription.
I doubt the bank is going to be happy with you disputing charges if you haven’t followed whatever process the company makes you follow in order to cancel.
I love privacy.com for this, and I’ll never sign up for a trial or something recurring without using it again.
I signed up for a trial for another service which shall remain unnamed, and of course I couldn’t find anywhere on the site to cancel my trial once I wanted to. No problem, I just disabled the card. They’ve probably tried to bill me a dozen times since.
That's my biggest use case for Privacy.com. I care less about the privacy aspect and more about the convenience. I've already had one instance where a single-use card I created for 1 specific vendor started getting fraudulent hits (declines) and all I had to do was delete that card.
Careful. If you didn’t properly terminate the contract, you still owe that money. I have a friend whose credit got hit because a service sold his debt to a collector.
I dunno. I cancelled the other day now that I no longer care about the pandemic data and it was basically just three minutes of politely stonewalling in a chat box saying “No Thanks, please cancel my subscription.” a couple of times.
I live in California and would have tried cancelling online but actually couldn’t find the option. I can’t say it was difficult to cancel though once I picked a process and initiated it. Maybe that was the online option now that I think about it? I was expecting a button or link.
I did the same a few years ago and it was relatively painless, however there are many people that do not like confrontation and "stonewalling" is not an easy task. NY Times understands this and preys on a specific segment of the population.
I don’t know. It’s 6 words and you don’t even have to be rude about it or get annoyed at the offers they throw at you. Then you get the confirmation email and you’re set.
I hate talking on the phone to people I don't know so intensely that I have wasted hundreds of dollars on various things because I procrastinated calling to cancel.
This effect is real, and companies know it, and design their cancellation processes to extract extra money from people.
Mate, I mentioned up above that the process by which I cancelled was a chat box that intermittently ate maybe three minutes. Not mentioned was I did it while cooking breakfast.
The best experience would have been no human intervention necessary, but for a process where someone was involved, it was incredibly straightforward. They gave me an offer, I refused it, and nobody had to be a dick about it and no phone calls were made.
Someone informed me in a different part of the thread that this apparently is the California cancellation experience from the New York Times, which I wasn’t sure of. Like I said above, I was expecting a button or link because that is more akin to how I actually signed up, but there you go.
Unfortunately that leaves the phone option as the remaining option for everyone else.
They don't have the right to my attention. If they were to cancel my service due to lack of payment (for example), do you think they would engage me in a dialogue to discuss it or just send me a notice in the mail?
If you have a credit card with capital one, they provide a browser extension for generating and managing virtual numbers which works like a charm. I’ve been happily using it for all online purchases for the past couple of years. No need to worry about merchants charging for cancelled subscriptions, and if a service has implemented any dark patterns in their unsubscribe process, I just kill the virtual number and let it resolve itself, rather than needing to worry about it.
The Globe and Mail operates similarly. I spent some time while cancelling a few years ago informing them that making me call them to cancel is a crime in California. The person on the line cancelling my account was genuinely surprised.
Canada was the first to require simple unsubscribe for email lists... I'm surprised it still does not have a law to require online unsubscribe for media subscriptions.
> I'm surprised it still does not have a law to require online unsubscribe for media subscriptions.
Newspaper editorial endorsements are still a big thing in Canada.
> The Globe and Mail operates similarly.
But this is good to know. I was considering swapping another newspaper subscription for a Globe and Mail subscription, but after looking into it, the eventual unsubscribe hassle isn't worth it.
I used a Privacy card and NYT did a “force post” [0] after they got a decline. I contacted Privacy and this is apparently a per se violation of the Visa rules, so they opened a dispute and I won. But NYT actually tried to charge me despite me trying to cancel, and I live in CA, and the card was blocked in Privacy.
As a side note, I got a subscription to the online edition of the NY Times included with my local newspaper. When I cancelled my local newspaper subscription, the NY Times access was never removed, meaning I have free access to the Times. I've told them about this issue several times, and they acknowledged it, and yet, I still have free access to everything. My account says I'm a "subscriber." So, apparently, it is sometimes just as hard to stop getting something for free.
I signed up to NYT using a virtual CC, knowing how much of a pain it was to unsubscribe (I'm not in California). When I was through with it, I just paused the card. And I was amazed at how many times they tried charging it before giving up and actually cancelling the account. 13 times, now that I'm looking at it. The Gray Lady isn't as well-mannered as one might think.
Do any banks do a good job offering this feature for debit?
Back in one of the days, the PayPal TOOLBAR used to offer this feature, it was really convenient since you were essentially drawing directly from your bank account with it.
This raises one notable benefit of going through Apple for all payments -- as a customer, it buffers me from dark billing patterns of any random company. Companies like 37signals don't like it and claim it hampered their relationship with customers, and that might be true in some cases, but overall it seems like a benefit for customers to have a consistent process of buying, refunding, cancelling everything they use digitally.
Yes, to both. Gov could do better, and in the meantime until if/when that happens, may be worth it to use a trusted source (Apple) to manage that for you.
Likelihood of Gov doing better seems tied to how much they can get away from Wall St. funding/defunding their re-election campaigns.
Do you think government could actually keep up with technology to regulate it? And if they did regulate it would it actually help people or the companies that are buying them?
But if the price of that benefit is 30% off the top for Apple for all payments, it's a high price to pay. Perhaps better consumer protection laws would be a better way to fight the dark patterns.
As a consumer, I have effectively no control over laws. I do have control over which payment system I use. So if you as an app developer don't want to give a 30% cut to Apple, maybe push for better consumer protection laws so IAP doesn't have that incredible benefit for me.
You can believe that dark billing patterns are bad and this change is good, while at the same time also believing Apple should charge developers less -- these are not mutually exclusive.
The judge in the Epic case did rule Apple was entitled to payment even if it didn't go through their payment system. No ruling was made about if the 30% was too high or not.
When you start an app trial, and cancel right away, your trial stays active for its duration. When you do the same with an Apple service like Music or Arcade, the service stops right away.
This keeps you from pre-cancelling a subscription while you trial in peace. I can’t imagine any technical reason for this and I’m sure other developers would like to do the same thing.
That is bad. They should give you the trial for the remainder of the period. I use this pattern all the time. Cancelling earlier removes the burden of having to remember to cancel later. Thanks for sharing I had no idea they did this.
Here’s one: they advertise “family” accounts: you buy an app and your purchase also covers your spouse.
But your spouse has to know you (or which family member) bought it and click on their name in “family sharing” to get it for free. Else spouse will pay for it again.
That’s simply not true. My spouse and I buy apps all the time from the App Store and when you try to pay for it, it pops up a message that a family member already has and proceeds to the download.
It doesn't quite work like that. When someone in your family goes to hit the purchase button, it pops up a window saying that someone else has already purchased it. I'm not sure why you have to hit the button first, maybe for some measure of privacy from your family members?
Subscribing through the NY Times iOS app already solves that problem I think, there’s no need to delete your account, just go to the Apple subscriptions management page and end the subscription.
Yep, can confirm, did that myself earlier this year. Canceling the subscription for NYT that I had originally subscribed to through iOS was painless and took all 10 seconds that it took me to open the "my subscriptions" panel in the App Store and click "cancel" on the NYT one.
I was going to say the same thing! They are the WORST. I had to cancel my subscription and the process was like a legal battle with the customer representative. He fought me so hard and it took so long. I lost all respect for the times after that.
SiriusXM is like this as well, you subscribe/upgrade online but you have to argue with a support person for 30-40mins to cancel, at least you can do it on a chat on their website.
Honestly if you can subscribe with a button you should be able to unsubscribe with a button.
It's outrageous that you can't cancel online as easily as you signed up, and we do need legislation to correct that. But when you have to talk to them on the phone, just say, "I sold the car." End of conversation. What are you telling them that gives them the hook needed for a 30-40 minute conversation?
If all else fails, "I was just diagnosed with a terminal illness" or "I am required to report to the state penitentiary on Monday" will work.
They say “well we have the online streaming you can use” or “we can txfer it to your new car”, they’re just stubborn and incentivized to try to keep you. What's worked the best for me is “I haven’t used it in 6 months and don't want it”. There's nothing they can say to that.
If you buy your subscription as an in-app purchase, you can cancel it easily from your phone. Say what you will about the app store and in-app purchases, but when it comes to cancelling subscriptions they've eliminated the dark patterns.
And they'll notify you of the subscription's upcoming renewal (about a month in advance). Which is very nice when you have a subscription that you forgot about or for an app/service you realize (with the reminder) you no longer need or use.
People need to learn to just use registered mail. Yes, it's ridiculous that it's necessary, but the postage and hassle is probably less than dealing with those intentional hurdles.
Alternatively, if the US legal system allows it and you can find a number: Fax. This has the advantage that it can be automated on your end so it's not much more hassle than a quick e-mail, and the delivery receipt (yes, trivially spoofable in theory, but I would assume it's widely accepted in practice) also shows what the content of the message was.
That's been so bad that there are now gyms which have 'easy cancel' as a selling point. Pure Gym (UK) allows you to cancel by just stopping the payment (they call this "No contract" which is legally illiterate, but whatever). Ironically my bank was suspicious about me when I did it.
They also let you cancel on their app or talking to the counter. The only "catch" is you have to do it at least 4 days ahead of the next payment or it will still go through one more time. I cancelled in person, they asked if I'd consider freezing the membership instead, I said no, they printed me a receipt for the cancellation on the spot and that was it.
Not a big fan of the gym itself, but I can't fault their cancellation process.
Nah, it was. Much less stressful than some salesman trying to string it out until I give in. Bank guy asked 1 question then actioned it. With another bank it would probably be 2 clicks.
Maybe. You can't generally unsubscribe without the demons offering you temptations and otherwise stealing your time. Except that one case back in 2016, but that's just a legend.
There's probably a startup idea around unsubscribing from difficult companies but legislation and rules in general are likely more effective.
I've tried using this form several times. They send me an email afterward telling me they won't delete my account. (This is despite me living in a jurisdiction where deleting my account is legally non-optional.)
I think the problem is that it requires chatting live with someone whose job it is to prevent you from cancelling in the first place. If you can sign up in two clicks you should be able to cancel in two clicks.
I didn't realize it was because I live in California that this is never a problem for me. I thought businesses just stopped doing that shady practice in general, not that it was outlawed here. How very interesting.
I remember that roughly 5 or 6 years ago, when I wanted them to delete my apple id, I had to call them. On the phone. And the guy told me, "if we delete your apple id, you will not be able to sign up with this mail again".
I only realized after hanging up how little sense this makes.
It makes perfect sense, in order to prevent someone else from registering your old @icloud.com email address and impersonating you or performing password resets.
That does make sense, but I remember him talking about my gmail address. Not even sure I had an icloud email. But I could very well remember that wrong.
The point is that you don't want someone re-registering on iCloud with that gmail address because then they could impersonate you when interacting with Apple.
I still don't get it. You cancel the account, it should be gone like it never happened. Poof. If you make a new account with the same email, it should be a new account with no relation at all to the old account since that one has been deleted and is gone forever and there would be nothing to impersonate here.
Let's say you have the account johndoe@icloud.com. You use that email as your backup email at your bank. You cancel the account. Now someone else opens a new icloud account with johndoe@icloud.com. They can now access your account by "recovering" your password with the backup email.
But the GP is saying they registered their apple id with a non apple email. Why can't you delete the apple id associated with that email, then create another apple id using the same email?
This makes total sense, and good of them to warn you.
MANY people tie things like password resets to your email, not to you and may not have a retail store presence you can get to for a password reset.
He's telling you - once this email is gone, it is gone and no one, including you will get it again. That is good in the sense that no one can impersonate you, but bad if you have an "ooops" moment and want to do a password reset that needs that email.
It makes total sense to me. There’s no way to really know the next person signing up is really you (even if it’s 99% unlikely it isn’t). The safest option is to create a brand new account with a different email. Maybe I’m wrong but that’s how I do my own app signups.. it seems safe to me.
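The identifier-reuse problem discussed in the comments above (a deleted email being re-registered and then used to "recover" accounts elsewhere), as an added example that is not part of the thread and not how Apple's own systems work. It assumes a registry that, on deletion, retires a keyed hash of the normalised email rather than the address itself: the service stops holding the deleted address in plaintext but still refuses to hand the identifier to a new registrant. The pepper value and the email addresses are constructed sample data.

```python
"""Retiring deleted identifiers so they cannot be re-registered (constructed example)."""
import hashlib
import hmac


class AccountRegistry:
    """Accounts keyed by email; deleted emails are retired permanently.

    The retired set holds only HMAC(pepper, normalised_email), so the registry
    does not keep the deleted address in plaintext while still refusing its reuse.
    """

    def __init__(self, pepper: bytes):
        self.pepper = pepper       # server-side secret; fingerprints are useless without it
        self.accounts = {}         # normalised email -> account record
        self.retired = set()       # fingerprints of deleted identifiers

    @staticmethod
    def normalise(email: str) -> str:
        # Case and surrounding whitespace must not let a retired identifier past the check.
        return email.strip().lower()

    def _fingerprint(self, email: str) -> str:
        return hmac.new(self.pepper, self.normalise(email).encode(), hashlib.sha256).hexdigest()

    def register(self, email: str) -> str:
        norm = self.normalise(email)
        if self._fingerprint(norm) in self.retired:
            # Third-party recovery flows may still point at this address: refuse it.
            return "reserved"
        if norm in self.accounts:
            return "exists"
        self.accounts[norm] = {"email": norm}
        return "created"

    def is_registered(self, email: str) -> bool:
        return self.normalise(email) in self.accounts

    def delete(self, email: str) -> bool:
        norm = self.normalise(email)
        if norm not in self.accounts:
            return False
        del self.accounts[norm]
        self.retired.add(self._fingerprint(norm))   # remember the identifier, not the record
        return True

    def retains_plaintext(self, email: str) -> bool:
        """True if the address itself survives anywhere in the registry's state."""
        norm = self.normalise(email)
        return norm in self.accounts or norm in self.retired


if __name__ == "__main__":
    reg = AccountRegistry(pepper=b"constructed-pepper")
    print(reg.register("JohnDoe@example.com"))      # created
    reg.delete("johndoe@example.com")
    print(reg.register(" JOHNDOE@example.com "))    # reserved
```

The trade-off the thread describes is visible in the code: the owner who deletes and later changes their mind gets "reserved" too, because the registry has no way to distinguish them from a stranger claiming the same address.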
A lot seems to be riding on the definition of delete.
Apple's announcement says:
must also allow users to initiate deletion of their account from within the app.
It's only "initiate" deletion, so if we treat that as Step #1, then if Step #2 is, as in the NYT example, to ring support to confirm your intention to delete you account, then this may not deter much user-hostile behavior. It just kind of smears it to a different part of the tablecloth.
It also specifically says 'deletion' rather than cancellation or disablement, but I doubt Apple are going to follow up on this eventual deletion (or alternative watered-down definition) of account past this "initiate" step.
Will users have recourse through Apple if their "initiated" account deletion request goes no further than step #1?
I’ve had people try to use credential stuffing on my accounts after major breaches. It happened on a deleted instagram account and I’m glad they blocked it.
I’d rather it work the way Apple does it than have someone try to recreate a deleted account.
As much as I like the change, the 3-month window seems unreasonable. I don't currently have AppStore apps, and these kinds of whiplash changes are part of the reason.
Microsoft, for all its faults, is much better than Apple or Google here.
Businesses take planning and strategy, and these things lead to drop-everything fires.
To be fair, it's closer to 4 months, and it would appear that they won't yank you immediately. It's only for new submissions:
> This requirement applies to all app submissions starting January 31, 2022.
Unsure if this means new apps, or includes updates to existing apps. But I bet there'll be a bit more of a grace period if you don't have a new update to push.
Plus, “initiate deletion of their account from within the app” sounds like the app can simply link to whatever account deletion functionality you have on your website.
I don't think that's right, but the policy and the article doesn't answer these questions particularly well, so it's very much up to interpretation... The problem with linking to a website is that it doesn't make anything better for the user, since that could be either directing to a form, a support phone number or mail. Neither which improve the situation because the user is not in control.
If you provide a good and easy sign in functionality from your app, through native UI and the like, then you should be able to provide the same functionality for deleting that same account. That is at least what we have recommended to one of our clients, but that client is also a public transport company, so they can't afford to be in a gray area where the app is either rejected or taken down.
I remember that change. I wondered at the time why people were not more concerned about what that change meant. I guess people either didn't fully apprehend the implications, or maybe they thought Apple wouldn't follow through?
Apple considers 3 months their standard level of advance notice, with WWDC serving as your warning and the release of iOS in September as the go-live date.
However, in this case, they have ended up giving you 6 months and a courtesy reminder.
If you aren’t interested in maintaining your app annually, don’t publish apps on Apple’s store.
Whether or not their level of notice is enough, they’ve been consistent for years in this practice of 3 months notice for significant and breaking changes, and they seem comfortable compelling annual updates from developers. I would not expect them to care that 3 months is difficult in your circumstances, as they assume you’re prepared to maintain your app and proactively keep up with policy changes over time. It sounds like you did not attend to this year’s policy updates and may well have been out of compliance for months now. Fortunately, they offered a grace period rather than just refusing your next bugfix update. Lucky you!
(I am not sympathetic to your situation, because as a user of apps, I am exhausted of crappy apps and bottom-of-the-barrel behaviors from developers. I understand that others may feel otherwise, and that’s fine too, just as long as those feelings do not get in the way of being a responsive app developer.)
> If you aren’t interested in maintaining your app annually, don’t publish apps on Apple’s store.
That's exactly what I do. I avoid the app stores like the plague.
> (I am not sympathetic to your situation, because as a user of apps, I am exhausted of crappy apps and bottom-of-the-barrel behaviors from developers. I understand that others may feel otherwise, and that’s fine too, just as long as those feelings do not get in the way of being a responsive app developer.)
I think the word here is 'entitled.' There are a few different groups here:
- Bottom-of-the-barrel scammers, whom I have no sympathy to
- Little kids and amateurs, who might want to put something out and move on
- Graduate students and research projects
- Little not-for-profits
- Internal-use small businesses and enterprise apps, where they might be developed once and forgotten about for decades (yes, plural)
In my case, I don't need to have an app on the app store, and I don't care for Apple's behavior, so I don't have an app there. That hurts Apple (and you, if you're an iPhone user) more than it does me.
You're also confusing strictness with timelines. I'm all for super-strict policies. Just with:
- Backwards compatibility (e.g. grandfathering) of older apps
If you think requiring the ability to delete your account is "developer hostile", you're exactly why this provision needs to exist. Apple is giving you six months to stop fucking your users. Sorry not sorry :\
> You have to be crazy to stake your company on apple's goodwill at this point
My company has an app on the app store. We do a few hundred million dollars in sales via the app. Are we crazy?
If you could make an extra hundred million dollars by fucking over users, some would say you are crazy not to, yes. Opinions vary, but that's sort of the essence of it.
Nah, I think being forced to implement it within 3 months is hostile. I think Apple refusing to send announcements through the mail is hostile.
Apps are just a single frontend to a larger system, and Apple thinks they can dictate the workings of that entire system just because you want to let users access your system from an Apple device. It's bonkers.
Imagine Microsoft going: "Microsoft Edge will refuse to render your website unless there is a 'delete account' button." How would that make you feel?
I feel like they should be a lot more up front and plainly spoken about the maintenance burden of publishing on the app store.
But I don't think it's particularly hostile. I think it's just that their focus on user experience requires them to accept the punishing annual cycle for developers.
You’re also responsible for supporting new hardware and responding to security problems and other bugs. If you can’t be bothered to implement a rather straightforward feature like account deletion in three months, I don’t really have a problem with you being excluded from the App Store.
User accounts tend to be a central part of any application that stores data somewhere, and are prone to custom logic and assumptions. From experimental todo list apps to POS management software.
I can’t imagine account deletion is straightforward for most of the implementation, even just from a legal standpoint when money changing hands is involved.
I think it’s a complicated enough issue that it should be tackled from the start (which is usually the case) and kept track of as the product/service evolves.
If you've been based in the EU or offering services to EU customers you should already have the possibility to delete accounts as that's a requirement of the GDPR, so 3 months to expose the existing functionality to the user sounds more than enough.
This is great news. I've struggled so many times with websites that either don't offer a deletion option in the account/profile settings or where customer support never responds to requests. My hope is that deletion in this case really means deletion: The user data will not remain in their database to then eventually be accidentally leaked or hacked.
Legal liability is the only way to combat this bullshit. Severely harm these companies if they don't delete the data unless there is legal reason for time-limited retention (e.g. banks).
Let's say you're building a product like Slack where you have to balance company vs. individual account deletion rights. For instance, if I join an open Slack such as Kubernetes developers vs. a company slack as an employee vs. a company slack as a guest - I believe Slack doesn't differentiate and requires the company to manage data deletion requests. How are they able to do this?
It only applies to apps that let you create an account from within the app, so third-party client apps like this could just not handle the account signup. (I think they already tend not to handle it.)
My apps for HN do allow account creation. I guess I will have to wait for some developers to complain to Apple to figure out how to handle third party clients.
Not sure which reply to post this under, so I'll just reply under GP - it took me about 3 minutes to locate a popular HN client which specifically advertises account creation in the overview. https://apps.apple.com/us/app/octal/id1308885491
From the perspective of Apple and their users, does it really matter whether the backend an app relies on is owned by the developers of said app or not? The experience around and ramifications of account creation and deletion are the same regardless. Which obviously can be a pain for third-party devs.
Great point! It's definitely a step in the right direction, but my immediate thought was "what about all the sites that don't actually delete anything?"
Hopefully Apple makes a more user-friendly announcement about this that will introduce people to the concept of data retention and how "deleting" an account isn't really deleting anything.
My point was that not all “delete account” buttons are created equal. Some sites just have an “is_deleted” column in their user table, and will continue to use your data after you “delete” your account. I don’t think apple has any way to check for this, but hopefully they at least touch on this topic in their announcement of the new requirement to the non-developer public.
It's illegal under GDPR and European data protection rights anyway. You have a right to have your account and data deleted if there aren't any important reasons not to (like finance stuff).
I hope third-party clients are not forced to, because making the delete API private would be a great opportunity to indirectly ban them.
Edit: it's only for apps that allow account creation. If you expose the API for account management to third-parties, it would make sense to include account deletion.
Feels to me like public pressure is on Apple to actually justify their argument that their App Store policies are for the benefit of their customers. If that results in more policies like this that really do improve customer experiences, that's not the worst outcome.
Most of their policies are ones CONSUMERS have liked but BUSINESSES have hated.
The litigation / cases / govt intervention has been on behalf of businesses not consumers. A lot of folks in the "alliance for app fairness" have just horrible billing practices. Understandably, if they can get out of the app store, they can stop you from being able to do things like delete your account or unsubscribe with a few clicks.
A lot of the newspapers make it easy to sign up, but then you have to call to cancel, the same papers that go on and on about how terrible the app store is. There is a REASON people spend fortunes, particularly in the apple app store - it's damn safe to do so in most cases.
Apple killed Valve's Steam Link app because they couldn't get a cut of games consumers had purchased on a different platform. Hardly pro-consumer behavior.
> Most of their policies are ones CONSUMERS have liked but BUSINESSES have hated.
I'd agree here, the majority of the policies are likable by consumers.
> The litigation / cases / govt intervention has been on behalf of businesses not consumers.
Consumers don't have millions to throw around on litigation against Apple so it's no surprise the litigation is focused around business cases. On the government intervention side I disagree though, of the very little intervention there has been it has been consumer focused IMO.
In either case there is also some overlap of "business interest" and "consumer interest" even if the vast majority of the time there isn't so blanketing that all litigation has been on behalf of businesses does not imply all litigation is about policies not in consumer interest. And I think the courts have been very conservative on which points are actually acted upon even if there is a bit of a "throw it at the wall and see what sticks" approach to many of the cases.
> A lot of the newspapers make it easy to sign up, but then you have to call to cancel, the same papers that go on and on about how terrible the app store is. There is a REASON people spend fortunes, particularly in the apple app store - it's damn safe to do so in most cases.
If people are truly buying Apple devices because they only want to purchase things from the controlled app store then the availability of alternative app stores wouldn't be a concern, they would simply go unused. The truth is most people don't actually buy the devices for this reason which is why Apple is so afraid to give that singular point of control up.
So the case for this practice is that Apple is the only corporation that can be trusted with billing - consumers are just being protected from all those evil corporations that aren’t Apple. Seems like a straw man.
> The litigation / cases / govt intervention has been on behalf of businesses not consumers.
There is actually a class action suit against Apple regarding anti-trust brought by consumers. Unfortunately, while the suit was filed in 2011, it wasn't until 2019 that the Supreme Court ruled that consumers even do business with Apple in the App Store [0]. So, a lawsuit filed in 2011 was allowed to go forward in 2019. I don't know what methods Apple had used to hold up the case since then.
Don't you think that is something apple should have thought of before doing what they did to cause outcry?
Apple wanted to be the gatekeeper blocking out harmful apps, fine by me.
Apple then wanting to use that gatekeeper status to steal money from app developers, block apps that compete with Apple's internal apps, and enforce moral choices on what kinds of apps you can install on your phone, evil by me.
They could have done the former without doing the latter, but they fucked it up, and have to pay the piper.
Bad billing practices like the NYT's impossible-to-unsubscribe bullshit is not Apple's responsibility to fix: it's the market's first, the government's second. A corporation having the power to control/regulate society to such an extent is like textbook dystopian hell-hole stuff.
The App Store policies were always for the benefit of customers (and Apple). These policies will keep happening because the basic incentive of Apple's business model has been unchanged since 2008.
Indeed many people do not remember that Android ecosystem at the beginning deliberately was on the side of the developer (and Google) as opposed to the user with its lax permissions and liberal access to the system and took its leisurely time to add more useful permission controls for years (location access was install time and you could not opt out of that specific permission unless you chose not to install the app at all).
Priorities matter.
P.S. I do see Apple business model changing to services bringing in some bad behavior associated with that: for instance, push notifications now are used as a spam/marketing mechanism for Apple services similar to Android; iCloud Storage nag is another example.
100% this, folks do not remember that it was really apple leading on a TON of this stuff.
The storage and other nags I hate; it's a real ethos breaker for me. Get that crap off my iPhone. That's why I pay extra - for less crap (I like that they somehow can also block the carriers from installing unremovable apps; for some reason Android phones sometimes come with weird apps from your carrier when you get them).
> leisurely time to add more useful permission controls for years
I remember when I discovered my Android phone wasn’t encrypted, and it had lasted for years. I suddenly stopped using it, changed my passwords/tokens and bought an iPhone. Never came back.
Yeah, like the inability for the user to install an app after an authoritarian government decided that their subjects should not be using it, and Apple subserviently obeyed and removed said app from the App Store.
An extremely beneficial policy for the customers, right.
You’re talking about something else. Do we expect money-making companies to be the ones to war against authoritarian regimes? Do we not also expect companies to obey the laws of the lands in which they conduct business? You can’t just say screw it to GDPR and expect to continue to be able to conduct business in the EU.
I do expect the company that sells hardware to its users to allow users to decide which apps to run on the devices they bought. Currently, Apple is behaving as if it still owns those devices and decides which apps to run. Precisely this lock-in created by Apple is actively exploited by authoritarian regimes.
If Apple allows third-party app stores or direct installation of applications on devices, dictatorships will lose this capability to harm Apple's customers.
But of course we all know that this policy was never intended to protect users; it was to protect Apple and their App Store monopoly, which also allows Apple to extort 30% of all of their revenues from developers by forcing them into Apple's payment services. Finally, the world has had enough of this and is starting to fight back against it.
> If Apple will allow third-party app stores or direct installation of applications on devices, dictatorships will lose this capability to harm Apple's customers.
As someone who switched from the Samsung Note line to iPhone, the only freedom I felt from the ability to install other apps was the freedom to deal with all the unremovable crapware.
There’s other phones out there with greater freedom than the iPhone, people are aware of them, and are still choosing the iPhone.
The curation is a benefit in that I have a corporation with thousands of employees working to prevent the other corporations from making my user experience worse. If the curation goes away I’d probably switch to a cheaper phone next upgrade, and I’m sure Apple's aware of that.
You are not living in an authoritarian country. That's why you think that the shiny chains that you wear are just a nice decoration, because they were never used to strangle you.
Apple didn't have to lock users out of installing "unapproved" apps on their own. That isn't for the user's benefit and isn't necessary for apple to have a curated app store.
What would the alternative be - the method of installation is the App Store, and Apple's compliance was removing the public and private presence from the App Store within that country.
Just allow sideloading. It's not hard to not block that. But Apple is hell-bent on collecting every cent they can, so of course all app installations must go through their walled garden where they can take their 30%. Anti-consumer behavior at its finest.
Not really. You also need a computer running Xcode (i.e. a Mac), you'll need to follow instructions consisting of 9 rather non-obvious points, and you'll also need to build the app you want to install.
Oh, and of course you won't be able to use push notifications, because Apple.
How? There must be some restrictions or this would be HUGE news and Epic would rejoice.
edit: the apps expire after 1 week and need to be constantly reinstalled. This is abusing an exploit in Apple's walled garden that will surely be "fixed".
They’re not abusing an exploit. You might be able to argue that they’re abusing a policy.
The fact is that you are allowed to sign apps with a free dev account, the cert will just expire after a week.
AltStore’s been around since 2019, so they’ve had ample time to “fix” it.
Edit: they do not need to be reinstalled. With AltStore the cert update is automatic and wireless (your computer handles it and sends the updated cert to your phone). You will never notice their expiration, and never need to reinstall, unless you’re away from your computer for more than a week.
You are changing the goalposts here. You don’t just want sideloading. You also want an easy way to do that at scale. However that’s not an obviously beneficial trade-off for the average user.
The point is that as the device owner you have the ability to run code on your own device outside the App Store without paying Apple. To be able to effectively distribute such code to the average iOS user, who may not understand how to deploy an unsigned app and the potential implications of it, is a different story, and one that you could argue is designed to protect the layperson against themselves (contrast this with users running random .exe files from emails on Windows).
How does the app store searching and filtering work now? I had last contact with Apple devices around iPhone 4S. What I remember from that time (maybe wrongly) is that the experience was practically limited to a name search (as on Android). You can't filter for example for open source apps. I know that the example is not useful at its face value even if power users could show their less technical peers "this one simple trick". But it is just an example. From what I remember searching things in app stores is a lesson in frustration, because it is mainly there to input a well known brand or app name and quickly install it instead of helping with app discovery.
Nowadays on Android I try to search for apps on F-Droid first or search on Github as a shortcut to find open source apps. Why open source? They are often a barebones version that will probably not sell me out and will not use dark patterns (I know it can still happen). I have nothing against paying for apps, I do have a couple I bought, but sometimes I have a simple itch that I know for sure someone else already scratched for everyone else, and I do donate sometimes. This lousy state of app stores often leads me to search for some simple web apps on github.io. At the same time I sold the whole open source category to Microsoft. In the end it seems that all I want is a smartphone shell scripting equivalent, but that is a totally different point.
> You can't filter for example for open source apps.
There isn't metadata for this, as it is not part of Apple's relationship.
They are a seller of software, and the creator of the software is responsible for making sure the software can be compatible with the licensing and copyright terms of both Apple and any dependencies.
A semantic link to grab the source code for an app would be neat, but a pretty niche feature. That Apple can't verify that it is the same code (or that the separately hosted build process doesn't have malicious logic within it) probably quickly pushed them over the edge in terms of not supporting such a feature.
I'd question if their policies benefit consumers overall.
In theory Apple sign-in is great. In reality, many apps now show several login options (Google, FB, Apple, e-mail) and I can't remember which one I used.
I've had many instances of trying to login with Apple, the app silently throws an error, and the app won't proceed. E-mail pw reset doesn't work. Did I use Apple Sign-In with my real e-mail or a forwarded (private) e-mail? Apple has made logins more complex and confusing.
IMO the most recent spike of Apple pressure came from the Epic lawsuit, but these App store changes were communicated about 6 months ago, which is slightly before the Epic lawsuit came to light. I would also imagine that Apple discussed these changes internally for at least a month before announcing it.
Feels like a celebration of "Apple sticks it to the stupid app developers, hooray!"
Except app developers are mostly small shops and startups. One-person operations.
How would we like it if the web were forced to behave according to some governing body? It feels like some North Korean 1984 dystopia and we've all got explosive collars around our necks.
It's anti-freedom, anti-American, anti-ownership, anti-Stallman. And I own five iPhones and an iMac.
I just want my stupid software on the stupid fucking software execution device. No tap dancing bear rules. No praise to Apple or forced induction to the Church of Jobs.
Steve Jobs made this artificial, ceremonious bullshit to make money. There is no other reason.
I curse history that his authoritarianism won. It's become pervasive throughout the industry now. It should be illegal.
I'll gladly charge 3x the price to Apple users for having to put up with this malarky.
Why don’t you just use pro-everything devices. Even top quality ones exist now, which can be reprogrammed to function as you wish. Apple is not the only option anyone has.
So you’re an app developer; the part “want to run my software” confused me. As an Apple user, I’m afraid that I’m with Apple here, because I’ve been experimenting with other platforms before and didn’t like it when people just ran their software without any rules on my phone. That big market share is partially the result of the rules that protect the consumer, and that is a good thing. (Btw, I’m okay with the 3x price idea; I think it isn’t criticized by Apple and would not be.)
Why's this being downvoted, even? I mean, (personally "anti-American" means nothing to me and) while I've developed for OS X plenty, I've got no stake in this game... but this post is not wrong lol. In fact, this sentiment is precisely why I've long refused to ever own an Apple product for anything save for devices from employers.
Don't they maintain shadow accounts and not actually delete the account in the background? That was my understanding from prior discussions around it. Basically they hide the account, not actually delete the account and all data associated with your use.
They absolutely delete the account and data associated with it, however the shadow accounts thing is... separate. Their line of reasoning is: well, I uploaded your phone number, so it's "my" data and not "yours", so "you" can't delete it...
There's no reason Facebook will delete your account as opposed to soft-deleting it, or maybe will "comply" by literally deleting your username & password but keeping the rest of the data. It's Facebook after all.
The press release sounds more flexible than the actual guidelines:
Press release (emphasis mine):
"all apps that allow for account creation must also allow users to _initiate_ deletion of their account from within the app."
Guidelines:
"If your app supports account creation, you must also offer account deletion within the app."
Has anyone seen any clarification on what options might be acceptable? e.g. I'm wondering about something simple, like opening an email composer with the app support email address and a pre-filled message body requesting account deletion which would be performed async.
Why would you want to make manual work for someone who just wants their account deleted? You're possibly better off offering an option in the delete flow for them to "talk with you to see if you can work something out" versus manually processing deletion requests.
Effort on those requests might recover some users, which may be especially valuable if you are a subscription business. If you can't benefit from interaction then immediately initiating deletion from an API seems the only thing that would pass muster.
I think different use cases will call for different solutions. My use case is a relatively tiny number of users and any manual work they would generate for account deletion would be nil, or very close to it.
It's not necessarily about recovering users who want to leave but rather minimizing the effort required to implement a more complex deletion flow that has a high probability of never being used by real users (in my case).
This is great news, and again evidence of Apple pushing the privacy envelope forward for their customers. For many users, deleting an account by visiting an obscure flow on a web property is simply a bridge too far (assuming the service even offers an automated way of account deletion, which often is not the case).
Earlier this year, I went through an attempt to purge myself from some internet services that I wasn't using.
Many of the SaaS-type services I tried to remove myself from didn't make account deletion obvious at all. All of them had an email address to contact in their Privacy Policies, but whether you got a response back or not was a different matter.
In practice, I could imagine apps just telling their users that their account deletion "will be processed in 24-48 hours" with a 50/50 chance of it getting processed.
"Apple gives you the ability to permanently delete your Apple ID account at any time and for any reason."
That said, it's a pretty massive wipe.
Photos, videos, documents, and other content that you stored in iCloud are permanently deleted; you can't receive any messages or calls sent to your account via iMessage, FaceTime, or iCloud Mail; and you can't sign in to or use services such as iCloud, the App Store, iTunes Store, Apple Books, Apple Pay, iMessage, FaceTime, and Find My iPhone. In addition, any Apple Store appointments and AppleCare support cases are canceled.
Deleting your Apple ID is permanent. After your account is deleted, Apple can't reopen or reactivate your account or restore your data.
You lose all your credits with Apple (if any), app updates will stop working even for apps already downloaded, and more.
"Manage Your Data and Privacy." On the following page, select "Get started" under "Delete your account."
The point is they enforce that third parties have to allow it from within the app itself rather than a website. But Apple's account deletion process is only available on their website.
Apple also says apps aren't allowed to use notifications for advertising (3.1.7 Advertising) but routinely uses notifications to advertise Apple Music, Apple TV, and their other various Apple+ services ¯\_(ツ)_/¯
That's an interesting corner case. Even if turnabout is fair play I wonder if it's even a good idea. If you have two devices, and you delete your Apple ID from one of them, do you brick the second device? I think there are dragons there.
I feel like this is an objectively good thing. On Android, there are many times I signed up for something just to try it out only to decide it wasn't for me and have no way to delete my account. Currently the only thing you can do is just throw in some dummy information and leave it in the wind.
One of the first steps in setting up an iOS device is a great big screen telling you what data is collected and allowing opt-out. There’s several of them for each feature you’re setting up. There’s then another of those for each first party Apple app on the device. I’m really not sure how much clearer they could be.
When setting up your phone or accessing any Apple apps for the first time, there's a (labeled) data collection icon at the bottom of the screen that you can touch for information about what data is collected by each app/process. For the apps, this information is also available in the App Store (just like any other app).
You can also view any collected system analytics in Settings -> Privacy -> Analytics & Improvements. Seems relatively fair to me.
"Explain its data retention/deletion policies and describe how a user can revoke consent and/or request deletion of the user’s data."
My first question before looking into it was, "What about an auth tenant or some other service that stores user data?" or, "What about a banking or healthcare app that is just a portal for another system?" And, "What does deleted even mean? IsDeleted=1?"
It would appear Apple's stance on those answers is a shrug emoji. I'm no App Store developer, but I got a kick out of reading a lot of this for the first time. This rule bears no exception to a trend that for the most part seems intended to give Apple the license to eliminate bad actors.
I got a new one for Apple.
"Like, do what you gotta do but don't be a jerk."
Deleted means removing as much PII as you reasonably have the authority to remove. It means purging all that data from all databases with a guarantee that you will be removed completely from all snapshots in a reasonable amount of time.
This should be the default, normal understanding of what it means to delete your account.
It doesn't mean set a flag in a database so when your company gets acquired in a few years your new owner has a nice little trove of data to mine of people that explicitly opted out.
I mean... There are a zillion reasons this isn't trivial.
Imagine I have an app that pays you, and it has to report taxes on it. It can't just delete your info.
Imagine an app that sells alcohol, maybe it needs to make sure it has confirmation of your age/info in case of legal action.
Imagine a chat application, if you chatted with someone and they deleted their account, would you lose the chat information (or even the name/record of who you chatted with?), no, that's 'your' information too, somehow.
A solution I use for this is to keep 2 sets of data, one operational for the application and one for legal/financial requirements.
When an action such as a payment is taken, or the customer provides certain info that needs to be kept for legal purposes, two records are created. The former can be deleted at will by the user, the latter is completely separate and is kept for as long as needed to comply with laws/regulations.
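The two-record split described in the comment above, as an added example that is not the commenter's own code: operational data (profile, posts, the user-visible payout history) is hard-deleted in one cascading statement, while a separate compliance ledger, deliberately not foreign-keyed to the user, keeps only the fields a reporting obligation needs plus a retention deadline, and a retention job purges it later. The SQLite schema, the 7-year retention period and the sample user are constructed assumptions.

```python
import sqlite3
import uuid
from datetime import date, timedelta

# Assumed retention period for payment records; the real figure comes
# from whatever law or regulation applies to the business.
RETENTION_DAYS = 7 * 365

SCHEMA = """
CREATE TABLE users (
    id            INTEGER PRIMARY KEY,
    email         TEXT NOT NULL UNIQUE,
    display_name  TEXT NOT NULL
);
-- Operational data: everything the app shows the user.  Rows cascade when
-- the user row is deleted, so a hard delete is a single statement.
CREATE TABLE posts (
    id       INTEGER PRIMARY KEY,
    user_id  INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
    body     TEXT NOT NULL
);
CREATE TABLE payouts (
    id           INTEGER PRIMARY KEY,
    user_id      INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
    ledger_ref   TEXT NOT NULL,
    amount_cents INTEGER NOT NULL
);
-- Compliance ledger: deliberately NOT foreign-keyed to users, so deleting
-- the account never cascades into it.  It holds only the fields the
-- reporting obligation needs, plus the date after which it may be dropped.
CREATE TABLE ledger (
    ref          TEXT PRIMARY KEY,
    legal_name   TEXT NOT NULL,
    amount_cents INTEGER NOT NULL,
    paid_on      TEXT NOT NULL,
    retain_until TEXT NOT NULL
);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # off by default in SQLite
    conn.executescript(SCHEMA)
    return conn


def create_user(conn, email: str, display_name: str) -> int:
    with conn:
        cur = conn.execute(
            "INSERT INTO users (email, display_name) VALUES (?, ?)",
            (email, display_name))
    return cur.lastrowid


def add_post(conn, user_id: int, body: str) -> None:
    with conn:
        conn.execute("INSERT INTO posts (user_id, body) VALUES (?, ?)",
                     (user_id, body))


def record_payout(conn, user_id: int, legal_name: str,
                  amount_cents: int, paid_on: str) -> str:
    """One event, two records: the user-visible payout and the ledger row."""
    ref = uuid.uuid4().hex  # opaque link; carries no user identifier
    retain_until = date.fromisoformat(paid_on) + timedelta(days=RETENTION_DAYS)
    with conn:
        conn.execute(
            "INSERT INTO ledger (ref, legal_name, amount_cents, paid_on, "
            "retain_until) VALUES (?, ?, ?, ?, ?)",
            (ref, legal_name, amount_cents, paid_on, retain_until.isoformat()))
        conn.execute(
            "INSERT INTO payouts (user_id, ledger_ref, amount_cents) "
            "VALUES (?, ?, ?)", (user_id, ref, amount_cents))
    return ref


def delete_account(conn, user_id: int) -> bool:
    """Hard-delete the user and every operational row hanging off it.

    Unlike an is_deleted flag there is no row left to flip back; the ledger
    is untouched because nothing references it through the user.  rowcount
    counts only the users row (SQLite does not count cascaded deletes).
    """
    with conn:
        cur = conn.execute("DELETE FROM users WHERE id = ?", (user_id,))
    return cur.rowcount == 1


def operational_rows_for(conn, user_id: int) -> int:
    """Operational rows still mentioning this user (must be 0 after delete)."""
    total = 0
    for table, col in (("users", "id"), ("posts", "user_id"),
                       ("payouts", "user_id")):
        total += conn.execute(f"SELECT COUNT(*) FROM {table} WHERE {col} = ?",
                              (user_id,)).fetchone()[0]
    return total


def purge_expired_ledger(conn, today: str) -> int:
    """Retention job: drop ledger rows whose legal hold has lapsed."""
    with conn:
        cur = conn.execute("DELETE FROM ledger WHERE retain_until < ?",
                           (today,))
    return cur.rowcount


def ledger_rows(conn) -> int:
    return conn.execute("SELECT COUNT(*) FROM ledger").fetchone()[0]
```

A `payouts` row only points at the ledger through the opaque `ref`, so after deletion the ledger row is reachable only from the compliance side, never from what is left of the app's own tables.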
The right to be forgotten is just that - the right to be forgotten. Your issues or needs, whatever they may be (tax info retention, age info retention, etc), take a backseat to the user's rights.
In other words: if there is overlap, the right of one person's data to be forgotten supersedes the right of the other person's data to be remembered.
I know you wrote this 8 days ago and I dunno if you'll even see my response but deleted has always been a vague term. There are a ton of reasons not to hard-delete data before you arrive at data mining. I know a lot of concerns regarding GDPR and data mining would contend for the hard delete, but a couple people gave you good examples. I just wanted to share one I am looking at right now. Our users have the ability to perform an action over a large set of their own data. Sometimes they do things like deleting relations they didn't realize would have a larger impact. Luckily the code in question doesn't hard-delete the entities, because I just got a ticket today asking if a huge list of IDs could be restored.
I think looking at deletion as the solution to privacy concerns is the wrong way to go about it. Really, the problem is app developers think, "possession is 9/10ths of the law" when it comes to data, when in reality their relationship with the user never captured use of that data for purposes not related to the application. Just because you give your data to the bank when you make an account doesn't mean you consent to them selling it on the dark web. The same concept applies but it is much harder to police and you can even say you're going to misuse the data in the EULAs that nobody reads. In my opinion using user data for purposes unrelated to the application should straight up require explicit consent from every user, lest the seller and recipient be subjected to a fine.
One thing that is confusing about the concept of "deleted" is how do you minimize fraud on a social platform without retaining PII (indefinitely?) of your users.
If there is a known fraudster and you have their selfie image, email address, and ML face vectors, the fraudster requests their account to be deleted. What should the company delete? Maybe the company can keep a one-way hashed email and face vectors, but what about hash-collisions or false positives?
If there is a user that wants their account deleted, but then they come back to the platform (maybe abusing a referral bonus or first-time-only coupon), how do you stop this fraud?
It sounds like you’d like to work at Apple and help them improve their guidelines process. They don’t offer what-if examples, and they note that it’s by design that the guidelines are not detailed to the level you’re asking, so that they have the flexibility to make judgment calls and prevent rules-lawyering problems that crop up with the more detailed approach you seek.
1. Auth tenant. Common sense says that if the auth provider is operated by you, it’s your problem to handle deletions appropriately, either by removing their account or by warning the user that you’re only deleting the specific site account and providing a link to delete the SSO account at your website or whatever. If you do not operate the identity provider, such as Facebook, then you need do nothing about it at deletion time. Apple would likely approve any of those paths without comment, but to defend against rules lawyering and loophole seeking, there’s no way to be perfectly certain until it’s approved.
2. Banking or healthcare app. If you can sign up in-app, you’ll need to let people close/delete in-app, except where prohibited by contract or law. For corporate healthcare, you would pop a dialog that says “This account can only be closed through your employer”, which would be absolutely sufficient. Ditto for a banking account with non-zero balances or a safety deposit box or whatever. It seems likely Apple will not have cause to enforce the deletion clause against brick and mortar banks, since they all have help/faqs on how to close accounts already. App-only banks will be held to the more strict standard of having some way to initiate deletion, being app-only, though of course they’ll retain financial audit records as required by law.
3. Deleted means that all information not essential to compliance with financial and other auditing laws has been removed from your systems. Exceptions are understood to exist for recording that someone requested deletion, but you can’t use those records for marketing or training AI or any other purpose beyond managing your deletions. If you can’t explain in plain simple English how you handle deletions, they’re likely to reject your submission until you can.
All of this is obvious. It isn’t comfortable to consider that you’re at the mercy of human beings to evaluate your compliance — human beings that see a thousand scams a minute trying to hack loopholes in the guidelines. But that’s how it is today.
The sad truth is you're at the whims of some random app store reviewer and it depends completely on their mood of the day. It's honestly insane and impossible to work with. One day everything is fine, the next they have a list of issues that you are forced to spend dozens of developer hours on, just so apple will grace you with the permission to push an unrelated localization fix.
I don't make Apple apps but I think this is a good idea.
I don't provide a way for a user to delete their data in my app, but that's because I don't want to have to deal with having to tell them "You shouldn't have pressed that button". But I'll gladly delete it if they request I do.
That's a tough one to balance though. It's been very rare but I've had users call me a few years after their account expired asking if I still had their data, and in all those cases I did, and that saved their butts because they needed it.
In my case storing user data is very inexpensive, so unless they ask me to delete it I'll let it sit for a long time.
What's happened more often is I'll have users try to login and then renew their accounts after they've sat for over a year.
I think the right to be forgotten is spelled out in plain terms. If you have my data, and I don't want you to have it, that's the line in the sand. With a few exceptions (such as data decentralization), data is trivial to delete. The problem is that businesses and governments don't want to delete data, because data is knowledge, and knowledge is power.
Example: You are a typical business. A fire completely destroys all of your data, including financial data. If the IRS comes knocking for financial records, you have an excellent reason for why you cannot provide it - force majeure. A law protecting the right of a human to be forgotten should be treated the same as a fire. You do not question it, and should forcefully comply.
Good, I recently had the displeasure of trying to find a specific Audiobook while on my phone on holiday. Every Audiobook app/service games the system with Google keywords when you do a Google search for the Audiobook indicating that they have the book when they either don't or don't in the specific region you're in. So I ended up with 3 or 4 of these apps and accounts with no Audiobook and no way to delete my account from within the app, you have to then figure out for each one which hoops to jump through on their website or contacting support to have your info removed.
While this is great news for B2C users/apps, I'm not sure this is ideal for B2B users/apps. I guess you don't want an employee to be able to delete his pro account without any checks.
The page doesn’t say that users have to be able to delete their account within the app, it says that companies “must also allow users to initiate deletion of their account from within the app”. Checks are totally fine.
Does no one else see these things as flailing attempts to maintain their app store revenue?
They will throw the end-users (not actual end users but businesses who pay for phone app development) to the wolves in terms of forcing them to rewrite apps so that they can have a few blog posts about "user data security," despite the fact that we know there was at least one CIA backdoor in OSX in the early 2000s until ~2015 or so.
At some point all phone apps are going to be javascript web apps, Apple is just desperately trying to prolong the inevitable here.
From a users perspective this sounds entirely positive, but I guess there may be ambiguities around the definitions of "account" and "deletion" and "account deletion".
"Confirm that any third party with whom an app shares user data (in compliance with these Guidelines)—such as analytics tools, advertising networks and third-party SDKs, as well as any parent, subsidiary or other related entities that will have access to user data—will provide the same or equal protection of user data as stated in the app’s privacy policy and required by these Guidelines."
I call to all smart knowing license people of Hacker News.
Is this a copy-left license attached to a person's data?
This is basically GDPR. You, as the creator of an app or service, are the sole entity responsible for people's data. It's on you to make sure not to spill that data to third-party services.
Can I buy a bunch of stuff and then charge back my credit card? Then when they ban me, can I ask them to delete my account, so that I can make a new one and do it again?
How is this supposed to work for insurance or banking apps? I would think those companies separate your "online account" from your actual account with them or something like that. I guess more generally how will this affect apps where "deleting your account" is a complicated affair (insurance, banking, mobile service, utilities, etc).
All mobile banking apps that allow signup seem to also allow account closure, so there isn’t exactly a problem there.
If I sign up for insurance in an app, I expect (and Apple will enforce) that I can cancel it in an app. Setting aside certain health insurance scenarios where I have no legal authority to terminate my insurance, I expect that Apple will absolutely start enforcing that insurance account management apps need to have a way to terminate coverage. But I think this isn’t the kind of business they’re concerned about, so they might focus on other business categories first.
> If your core app functionality is not related to a specific social network (e.g. Facebook, WeChat, Weibo, Twitter, etc.), you must provide access without a login or via another mechanism.
So is this what often happens in a field with large players … only the current social networks can exist, no new ones may ever be launched in the App Store?
I am the developer of HACK (Hacker News client for iOS, macOS and Android) and have no idea what happens in my case, since HN doesn't seem to offer account deletion. The guidelines don't seem to specify what happens with third-party clients.
> An app may not store credentials or tokens to social networks off of the device and may only use such credentials or tokens to directly connect to the social network from the app itself while the app is in use.
Bye bye Hootsuite and other apps for automating Facebook and Twitter posts.
Does directing you to go their website to create the account then count as the app offering account creation?
I guess the precedent would be that they didn't used to allow redirecting to a website for the purpose of avoiding in-app charges. Although I think that's over with now.
Of all the edicts Apple forces upon app developers, this is about the only one I agree with. I allow users to do this on my webapp, quixical.com. I wish more companies respected the 'right to be forgotten'.
Couldn’t you have a signed token for every capability that they’ve purchased? The app could easily check the signature without exposing the private key.
Can't imagine choosing to actually involve yourself in the apple ecosystem. Such a weirdly centralised authoritarian sphere of tech, with this creepy thin veil of individualism.
Just yuck. All of it. Over and over again we see these antideveloper and anticonsumer moves - which always happen to be set in just the right way to take power and give it to apple under the guise of security or privacy.
I guess it's authoritarian in the same way that governments enforcing minimum wage or workplace safety are forcing companies to give up autonomy for someone else's benefit - but, of course, that benefit is usually in the name of human rights/not dying on the job/not exploiting workers.
As a user I quite like it. It self selects away the user hostile devs who put malicious dark patterns in their apps. If a company does not want to allow me to delete my account, I don't want to use it and I'm glad it's removed from the store.
The same company that allows you to opt-in to tracking (as opposed to an opt-out that would rarely be used) and evidently now requires that other companies not do the anti-consumer thing where they make sign up easy but cancelation hard?
What happens with credit card apps? Because once you create a bank account, you can't just delete the credit card. The history is still maintained and the credit bureau pushes still happen.
This one sounds like it will be good for users, but I really don't like how Apple gets to regulate such a large part of the Internet. Why do governments devolve so much power to them?
> (v) Account Sign-In: If your app doesn’t include significant account-based features, let people use it without a login. If your app supports account creation, you must also offer account deletion within the app. Apps may not require users to enter personal information to function, except when directly relevant to the core functionality of the app or required by law. If your core app functionality is not related to a specific social network (e.g. Facebook, WeChat, Weibo, Twitter, etc.), you must provide access without a login or via another mechanism. Pulling basic profile information, sharing to the social network, or inviting friends to use the app are not considered core app functionality. The app must also include a mechanism to revoke social network credentials and disable data access between the app and social network from within the app. An app may not store credentials or tokens to social networks off of the device and may only use such credentials or tokens to directly connect to the social network from the app itself while the app is in use.
Also interesting:
> (viii) Apps that compile personal information from any source that is not directly from the user or without the user’s explicit consent, even public databases, are not permitted on the App Store.
So why is Facebook still allowed? It still creates shadow profiles without permissions as far as I know.
>So why is Facebook still allowed? It still creates shadow profiles without permissions as far as I know.
Maybe because the app itself isn't doing it? I'm not sure how "apps that" vs. using the information the app gives you are really different, but in technical detail it might be.
> Apps that compile personal information from any source... without the user’s explicit consent
I wonder how far they will enforce this...
For example, will they tolerate apps that refuse to function without said consent?
What about an EULA and just tapping "OK, I read it"?
Just my bias maybe, but "free to use" while requiring "user consent" seems like a nice avenue for getting around restrictions and rules designed to protect them.
Because apple applies one set of policies to you and me, and another set of policies to the bigcorps. See the leaked messages from the epic lawsuit where apple execs talk about netflix's iap cut.
Thanks for sharing a great article.
You are providing wonderful information, it is very useful to us.
Keep posting informative articles like this.
Thank you.
Apple shouldn’t be interfering with other businesses and their users like this. It’s sad to see people here celebrating their inability to run unapproved software.
This is the cost of gaining access to users on the iPhone.
This also has nothing to do with unapproved software. The idea that a user can actually delete their data from your servers should not be a controversial topic. But of course it is for businesses and developers, which is why Apple has to make a policy like this.
You're not going to find support in a forum with 60+% Apple users. A lot of these people work for or have stock in this company.
They don't see how this is a roadblock to competition and that this device is now in the critical path of 50+% of commerce. (Maybe they'll care more when they have to compete.)
Meh. I don't own Apple devices, am always arguing they shouldn't force apps to go through the app store and at the same time find this a very reasonable restriction for the app store to have.
> A lot of these people work for or have stock in this company
You wouldn't happen to work or have stock in a company negatively impacted by this change?
I don't have any interest in Apple and don't use their products, but I'm really struggling to see how preventing the scummy strategy of making sign-up easy but deletion/deactivation difficult is somehow a 'roadblock to competition'.
You're gonna have to make a much stronger argument to get any traction.
The problem is that Apple has absolutely no way to enforce the deletion. An app can say "your account is deleted" but not actually delete any data off their servers.
What would really give users the control they deserve is the ability to restrict what data can be sent off the device by an app in the first place.
Apple should make it possible to deny internet access to an app entirely, and they should provide an API that allows apps to upload very specific kinds of data that a user has approved of, but nothing else. Of course, some apps need to be able to request unrestricted internet access.
Permitting apps to collect private data and have unrestricted internet access, by default, was always a terrible decision in terms of user privacy. Apple owes it to their users to fix the problem they created.
A good system would probably have tiered permissions, something like:
1. No internet apps: store data locally on the device only, no upload or download.
2. Partial internet apps: store data locally, and only download data through an Apple proxy service that hides the user's IP address and any identifying info.
3. Full internet apps: store in the cloud, uploaded/downloaded through an Apple proxy that logs/filters everything. Or even stored in Apple's cloud.
4. Unrestricted internet apps: VPNs and web browsers, and whatever else actually needs arbitrary access to the internet.
There's no reason my bluetooth scale app needs #4 (which it has today) when I would much prefer it have #1.
The entire request can be logged, displayed to advanced users (so they can report it), inspected by Apple's review teams and automated systems. Any app violating the rules, by uploading user data as GET query parameters (for example) could be detected and banned fairly easily.
> No, it could not. Cryptography can make it as difficult as necessary.
This is just a failure of imagination. The API could be as restrictive as necessary to ensure privacy.
For example, maybe an app is only authorized to upload specific fields of data and a maximum rate.
How is an app that is only allowed to upload 10 int32 metrics per day going to secretly upload even a single photo?
> Not even going to touch how unacceptable it would be for Apple to require that it be able to inspect all internet traffic from a person's phone.
There are lots of options for how to implement things so that Apple isn't getting copies of private photos or chat messages. Apple is certainly more trustworthy and accountable than a random app developer from a random foreign country.
Personally, I want a smartphone/app ecosystem that is completely free of any centralization. I'm just talking about how Apple could improve their proprietary/centralized system, which actually does make some of these kinds of things simpler.
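The thread above proposes that an app be allowed to upload only specific, bounded fields at a bounded rate, and that exfiltration via URL query parameters be detectable. The block below is an added example of such an egress manifest enforced by a policy layer, not code from any commenter or from Apple. The app id, the field names, the quota of ten uploads per day, the 256-byte body cap and the sample requests are constructed assumptions; the point it demonstrates is that once every field is a bounded number and unknown fields, strings, query strings and fragments are refused, the covert-channel capacity is a few hundred bits per day, so a photo cannot be smuggled out however the app encodes it.

```python
import json
import math
from dataclasses import dataclass, field
from typing import Dict, Tuple
from urllib.parse import urlsplit

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1


@dataclass
class UploadPolicy:
    """Per-app egress manifest: which JSON fields may leave the device, of what
    bounded type, and how many uploads per day. Everything else is refused."""
    app_id: str
    allowed_fields: Dict[str, str]      # field name -> "int32" | "float"
    max_uploads_per_day: int
    max_body_bytes: int = 256           # assumed cap; generous for a few numbers
    _uploads_by_day: Dict[int, int] = field(default_factory=dict)

    def _value_ok(self, kind: str, value) -> bool:
        if isinstance(value, bool):      # bool is an int subclass in Python; refuse it
            return False
        if kind == "int32":
            return isinstance(value, int) and INT32_MIN <= value <= INT32_MAX
        if kind == "float":
            return isinstance(value, (int, float)) and math.isfinite(value)
        return False

    def check(self, method: str, url: str, body: bytes, now: float) -> Tuple[bool, str]:
        """Decide whether one outbound request conforms to the manifest.
        Returns (allowed, reason); the daily counter only advances on success."""
        parts = urlsplit(url)
        if parts.query or parts.fragment:
            # Classic exfil channel: identifiers or encoded blobs in GET parameters.
            return False, "data in the URL is not permitted"
        if method.upper() != "POST":
            return False, "only POST with a JSON body is permitted"
        if len(body) > self.max_body_bytes:
            return False, f"body exceeds {self.max_body_bytes} bytes"
        try:
            payload = json.loads(body)
        except ValueError:
            return False, "body is not valid JSON"
        if not isinstance(payload, dict):
            return False, "body must be a JSON object"
        for name, value in payload.items():
            kind = self.allowed_fields.get(name)
            if kind is None:
                return False, f"field {name!r} is not in the manifest"
            if not self._value_ok(kind, value):
                return False, f"field {name!r} is not a bounded {kind}"
        day = int(now // 86400)
        used = self._uploads_by_day.get(day, 0)
        if used >= self.max_uploads_per_day:
            return False, "daily upload quota exhausted"
        self._uploads_by_day[day] = used + 1
        return True, "ok"


if __name__ == "__main__":
    # Constructed scenario: a Bluetooth scale app that may report weight and a timestamp.
    policy = UploadPolicy("scale-app", {"weight_kg": "float", "measured_at": "int32"}, 10)
    print(policy.check("POST", "https://api.example.invalid/v1/weight",
                       b'{"weight_kg": 81.4, "measured_at": 1700000000}', now=0.0))
    print(policy.check("POST", "https://api.example.invalid/v1/weight",
                       b'{"weight_kg": 81.4, "photo": "iVBORw0KGgo="}', now=0.0))
    print(policy.check("GET", "https://api.example.invalid/v1/weight?u=alice%40example.com",
                       b"", now=0.0))
```

The manifest is the whole security argument: with two numeric fields and ten uploads a day the app can move at most about 1,300 bits daily, and an upload that does not match the manifest is refused before it leaves the device, so there is nothing for a reviewer to inspect after the fact. What the example does not solve is who writes and audits the manifest, which is the centralisation concern the comment itself raises.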
Do you really think it's a good idea to lie to Apple and to the public about your data deletion policies? Do you really think bad actors won't be found out eventually? Is it worth the risk to your business?
I think there is a point there. “Soft” deletions are relatively common in relational databases. Do we know that Apple means a “hard” deletion of data? Apple says to include your retention and deletion policies in the App description, so maybe that’s where people would need to come clean on soft deletions?
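The reply above asks whether "deleted" means a soft delete (a flag on the row) or a hard delete, and an earlier comment in the thread notes that an exception is understood for recording that someone requested deletion. The block below is an added example contrasting the two in SQLite, not code from either commenter or from any real service. The schema, the seeded user "alice@example.com", and the retention rule (order amounts and dates are the audit record, the invoice email is not) are constructed assumptions; the tombstone holds a digest of the address rather than the address, and the plain SHA-256 used to keep the example dependency-free should be a keyed HMAC in production.

```python
import hashlib
import sqlite3
from typing import Tuple

SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    email TEXT NOT NULL,
    display_name TEXT,
    marketing_prefs TEXT,
    deleted_at REAL
);
CREATE TABLE orders (
    id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL,
    amount_cents INTEGER NOT NULL,
    created_at REAL NOT NULL,
    invoice_email TEXT
);
CREATE TABLE deletion_requests (
    subject_digest TEXT PRIMARY KEY,
    requested_at REAL NOT NULL,
    completed_at REAL
);
"""


def subject_digest(email: str) -> str:
    # Plain SHA-256 keeps the example self-contained; in production use a keyed
    # HMAC with a server-side secret so the tombstone table cannot be enumerated.
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def new_db() -> Tuple[sqlite3.Connection, int]:
    """In-memory database seeded with one constructed user and two orders."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    cur = conn.execute(
        "INSERT INTO users (email, display_name, marketing_prefs) VALUES (?, ?, ?)",
        ("alice@example.com", "Alice Example", '{"newsletter": true}'),
    )
    uid = cur.lastrowid
    conn.executemany(
        "INSERT INTO orders (user_id, amount_cents, created_at, invoice_email) VALUES (?, ?, ?, ?)",
        [(uid, 1999, 1.0, "alice@example.com"), (uid, 4999, 2.0, "alice@example.com")],
    )
    conn.commit()
    return conn, uid


def soft_delete(conn: sqlite3.Connection, user_id: int, now: float) -> None:
    """Flag only. Every byte of personal data is still there and still queryable."""
    conn.execute("UPDATE users SET deleted_at = ? WHERE id = ?", (now, user_id))
    conn.commit()


def hard_delete(conn: sqlite3.Connection, user_id: int, now: float) -> bool:
    """Remove everything not needed for audit; leave a tombstone that holds no PII."""
    row = conn.execute("SELECT email FROM users WHERE id = ?", (user_id,)).fetchone()
    if row is None:
        return False
    digest = subject_digest(row[0])
    # Assumed retention rule: amounts and dates are the audit record; the
    # invoice email is not, so it is scrubbed while the ledger rows stay.
    conn.execute("UPDATE orders SET invoice_email = NULL WHERE user_id = ?", (user_id,))
    conn.execute("DELETE FROM users WHERE id = ?", (user_id,))
    # The tombstone records that a deletion happened, keyed by digest, so a
    # repeat request can be answered without ever re-learning the address.
    conn.execute(
        "INSERT OR REPLACE INTO deletion_requests VALUES (?, ?, ?)", (digest, now, now)
    )
    conn.commit()
    return True


def pii_present(conn: sqlite3.Connection, email: str) -> bool:
    """Would a breach of this database expose the address? Checks every column it can sit in."""
    (n,) = conn.execute(
        "SELECT (SELECT COUNT(*) FROM users WHERE email = ?) + "
        "(SELECT COUNT(*) FROM orders WHERE invoice_email = ?)",
        (email, email),
    ).fetchone()
    return n > 0


def order_count(conn: sqlite3.Connection, user_id: int) -> int:
    (n,) = conn.execute("SELECT COUNT(*) FROM orders WHERE user_id = ?", (user_id,)).fetchone()
    return n


def was_deleted(conn: sqlite3.Connection, email: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM deletion_requests WHERE subject_digest = ?", (subject_digest(email),)
    ).fetchone()
    return row is not None
```

The test a practitioner actually cares about is `pii_present` after the delete: a soft delete leaves it true, which is exactly the state a breach would expose, whereas the hard delete leaves the ledger rows (pseudonymous user id, amount, date) and a digest-only tombstone. Backups and replicas are outside this block and need their own retention schedule.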
If you want to delete your account, and your primary goal is to prevent future data going to the owner of the app from your device, why not just delete the app?
My goal would be to keep my data on my device and in my control. It's crazy that giving an app access to your Photos or Health data means it can just start randomly uploading to anywhere on the internet without asking you.
People in the future will be amazed we lived like this...
The test for that problem will be seeing what happens when one of these apps get breached. Unless Apple is willing to terminate developer accounts when it comes out that app makers are not actually deleting anything, this is completely toothless.