Reasons I won’t Signing in with Apple

I’ll start with an anecdote from my Web 2.0 past. Back then I had an Yahoo account to manage my Yahoo Pipes. Cloud storage of photos was messy: Dropbox only offered 2GB for free, Google Photos was not revamped yet (it was still Picasa Web Albums). That’s why I rejoiced when Flickr announced their 1 TB for free plan. I could use my existing Yahoo ID which was very comfortable.

Yahoo wasn’t really sure what to do with its assets, the company went on downwards and closed Pipes as collateral damage. The second time after the Google Reader debacle that I felt betrayed.

When a while after that the security breach went public, I closed my Yahoo ID and Flickr account in panic reaction mode — because I thought I didn’t need it anymore.

Tough luck, by deleting he Yahoo ID I lost access to my Flickr account which lived on in a sort of limbo state. It was there for everyone to see, but I couldn’t login and therefore edit anything. The account recovery mode was dependant on the Yahoo Mail address (which was deleted with the account). I tried a lot, but human support wasn’t to be found either. So imagine having a few of your photos public without the option to remove them for ever. No earth-shattering embarassing stuff, but still.

On to yesterdays Apple Keynote. Introducing a Single-Sign-On from a party that isn’t data-hungry (or are they?) was greated with lots of applause.

My lesson from the Flickr anecdote: Web services and the human mind are definetly not failproof. Even the most competent companies experience outages. By using one of those SSO services you combine the risks from each actor: Only one factor needs to fail to prohibit you from accessing your content.

The thing that bugs me about the Apple solution is that they aren’t a horizontally aligned services company. Why does this matter in this case? It makes accessing their side of the SSO even riskier. Other SSO providers such as Google and Facebook are on every platform — for their business model to work they have to be. On the crontrary “Sign in with Apple” is only available on Apple devices: Given I registered with Apple and now lost my device, how do I get into that account? (Developers could use Sign in with Apple on the web as well, but why should they if they aren’t forced to?)

My other gripe is how this feature was presented: Just as I don’t like parties that want to gain votes by stoking fears about other people, I don’t like companies that want to gain customers by stoking fears about other companies.

For example this slide suggests that all those infos are shared without optionality behind your back. While in fact it’s easy to see what is getting shared and to “edit the info you provide”. (And you don’t need temporary mail aliases if you revoke access.)

Of course, there are bad actors in Ad Tech. But there are legitimate reasons for tracking, too. In my role as Product Owner data is an important indication what works for the user and what needs to be improved. Apple seems to think the same….oh wait.

Another thing: Apple doesn’t use some magic sauce that makes them safer in storing personal data. In fact, they rely on AWS as their storage provider. A breach in AWS could expose Apple user data, too. Security and privacy are different things, but they have yet to prove that they act more sensible than others:

there are some indicators that Apple is not set up perfectly to protect customers’ data: A recent Washington Post investigation showed that thousands of trackers within iOS apps pinged an iPhone while its user slept. The story highlights how Apple may not have any firmer of a grasp on user data than Facebook did with its third party apps.

If Apple were dead serious about putting customer privacy above all else, why not using a decentralized identity provider or trusted 3rd party? Even without downtimes or breaches, you make yourself dependent on that SSO provider. Nurturing Apple’s walled garden.

Or, even better, why does Apple gather so much data in the first place?

Bottom line: It feels like Apple is creating their privacy roadmap not by looking at what could be made better in terms of privacy of its customers — it feels more like “how can we cripple the business model of our dear rivals the most”.