This would be great. I remember using pidgin back in the day and it was really convenient to have every messaging app in one interface.
Of course, some platforms ban you for using alternate clients.
Nice!
> Of course, some platforms ban you for using alternate clients.
Less nice... Doesn't seem like that list outlines which platforms will/could ban you either, which makes the entire list a no-go for me, and I'm sure others.
I am really loving this news, I was able to convince some of my old icq contacts back then to switch to jabber this way. And why wouldn't they if it's all the same interface?
https://bugs.otr.im/otrv4/otrv4
The interface for Pidgin is exactly the same as it was back then (it still uses GTK2), modern users have much different interface tastes in 2022, so you might find it difficult to convince people to use Pidgin.
Who will be decrypting WA and Signal messages to pass them to Facebook Messenger?
I don't think this is to be interpreted as "from now I need to be able to send messages from a Whatsapp client to a Signal client"
Of course any such app would be able to read all the messages in the clear and would be able to store them in the clear, leak them, sell them or whatever. As with any other case in which you choose to use a chat app you have to trust the chat app to read your messages if it wants to
I imagine if that's the case whatsapp or signal, when you do a first login from a different app, will flash a warning that you're using a third party client which might not be trustworthy
Even though it may not be the EU’s overtly stated main goal, it is nevertheless a goal of many aligned politicians there, and no doubt the perception among foolish politicians and bureaucrats that it will achieve that goal can account for some of their support, and if they don’t get what they want they will “fix” it until they do.
And if they are deliberately breaking existing third-party apps for no reason, well I'm sure EU courts would like to have a word.
Actually I expect the usual outrage about limiting innovation or threats to leave the EU but consider that this interoperability is also a moat especially if they agree on some complicated protocol with no previous implementation.
Moxie is strongly against it. Although the app and protocols are open, he doesn't tolerate third party clients on Signal official servers and he doesn't want federation. Even though I disagree, he has some good arguments.
And if WhatsApp has to interoperate, why not Signal?
I'm not sure what the current market cap for Signal is, but I'm fairly sure they don't have a turnover of 7+bn in the EU.
It is also one of these weird non-profit + for-profit company mix, to which I don't know the effect it has. Anyways, the numbers are simply not there.
Ironically, if the law works as intended, making all major messaging platforms interoperable, it can make smaller players who don't want to join the club (like Signal) less attractive.
Doing it by money seems like sour grapes. You succeeded in the free market so we’re going to hamper your progress.
makes no sense. you can already pull all your data out of those services and import it into whatever other service you want.
I mean, that's theoretically possible, but it's not the most convenient workflow, and you run the risk that any tooling designed to automate it is frequently broken by deliberately incompatible changes made by Facebook or Twitter (or whichever other services you are using, in the general case).
Fundamentally the data belongs to the users, not to the platforms, so it is right that governments mandate that the data be able to flow according to the users' wishes. All property rights are legal fictions, especially "intellectual property" rights, but at least in this case the property right being defined is a socially beneficial one.
The way I read it, they're calling for open standards, which can be a good thing.
Sadly, open standards also slow down the development of new features, as everybody needs to be "on board" for new features to roll out. Take email (SMTP, IMAP, etc) as an example, where no major progress has been made in 25+ years, despite the platform being hopelessly insecure.
There have been some unsuccessful attempts at security, like PGP and Protonmail/Tutanota, but as they're addons they haven't seen widespread adoption.
Feel free to replace email for TCPv4/v6. The only successful open standard I can think of would be HTTP.
Open standards, once they mature, usually mean "lowest common denominator".
No. They are asking for endpoints and public APIs. Nobody is forced to adopt a standard, that is a fallacy you have just built (and has powered a tangential thread of 20 messages and counting.. debating something that is not in the topic).
Services will be forced to provide public endpoints and public APIs. Nobody is forcing them to shape them in any way. Consumers can decide to interface with them, or not. The onus of implementing and interfacing with them lies on the consumers. You don't need an agreement between everybody.
How will they interface with the different APIs ? Or is it a single API defined by a standard ?
The first one means that most clients will play “whack a mole” with 20 APIs, trying to keep up with features. The second will be the lowest common denominator, limiting what can be sent between different clients. It would be the new “green bubble”.
Next, how do you identify people uniquely across different networks ? Phone number ? Email ? What happens if you’ve registered your Id in multiple places ? Or is it up to the sender to specify which network they wish to target ? Like someone@gmail.com@imessage ? The last one solves nothing. In case of multiple id registrations, should the network just keep trying round robin until it successfully delivers ? Or can I as a recipient register my preferred delivery network in case I never want Meta or Google to see my data ? Who maintains this central registry ? Will they do it for free ?
Now that we’ve established how to pass messages between networks, how do we secure them ? Do we use the iMessage model and use a central key repository ? Or do we implement a protocol (potentially per API) on how to acquire encryption keys ? Or do we simply skip encryption because security is hard ?
What about attachments ? Since most secure platforms use “per device” encryption, do we just send a 500GB attachment X times, one per device ? Do we limit the size of attachments ? iMessage solves this by encrypting it with a temporary key, and the attachment is then uploaded to Apple’s servers, and the temporary key is exchanged using normal messaging. Is that the way forward ? Will whoever handles it do it for free ? Do we trust them ?
What about Memoji/whatever the kids use ?
All of the above, and more, needs to be agreed on by all involved parties, which sets the lowest common denominator, either by a shared standard, or by reducing functionality for cross network messages. If it ends up complex enough to support all the features of modern instant messaging, it sets the bar rather high for new players. If it ends up simple, we have gained almost nothing over using SMS/MMS.
Things are never as simple as just exposing an API.
But let's say you are right, and all that the affected messaging services have to do is provide an API: will the regulators require them to document this API (and if so, what standards will the documentation have to follow?) Will they complain if the API changes too rapidly? Will the API have to support all of the same features as the messaging service?
As they say, the devil's in the details, and right now I'm not seeing any details.
A more successful example of open standards would be the various standards that browsers use. Would you say that browser innovation has slowed down? The model adopted there is less "Wait for everyone to adopt this new standard we wrote" and more "If you have a feature you found many people are using, suggest it as a standard and we'll get all browsers to implement it".
This model could be replicated to messaging solutions as well, without slowing down any innovation as companies can add new features, as long as they get standardized over time.
For a long time it was, everyone was stuck on HTML4 while W3C was playing with XHTML. That only really changed when browser vendors came together and collectively decided to start ignoring W3C and made WHATWG. Although IE6 was also a major factor here.
Capability negotiation is a thing. It's perfectly fine to support some baseline feature set (one-to-one text messages) and build more optional features on top of it. But, yes, it's important that the protocol is designed to be extensible in the first place.
So keep the status quo (SMS/MMS) and build more features on top of that ?
It's a big thing. And it's a great thing.
Already in email you have some cool features that only work Gmail to Gmail but you can still send basic emails to people outside of Gmail.
Businesses will not need business accounts on 6 different platforms just so they can have a simple chat with all their customers.
It was my understanding that we already have a (fairly old) standard that does just that, which also currently works as a lowest common denominator for texting between at least android and iOS.
Nothing prevents people from releasing a new RFC describing their feature and how to implement it. See: EMail attachments (RFC 1521) which came after the original EMail definition (in RFC 822). And what you describe as "email insecurity" is just a common disagreement which encryption method to use in your MIME attachment (defined in RFC 989) - your argument sounds a bit like protesting that not everyone is using Word files when sending text attachments.
(Note: EMail metadata is deeply "insecure" and can theoretically be used to glean information about communication - but if that's your concern, maybe email is just the wrong format for you and something like encrypted messages over a network of Kafka-style message streams, ideally with lots of noise in it, would be better suited).
How long before the instant message formats of today become “the wrong format” ?
Email is an open standard, and as such it should be easy to push out a new RFC that secures metadata, yet that hasn’t happened in 25+ years.
I essentially agree that communication should be done over open, secure standards, but I’m not sure legislation is the right way of getting there. We will see how it all plays out.
Email is a totally different problem because it's a suite of a multitude of different standards used across countless different platforms. At least with proprietary messaging services Facebook et al will still be the implementation standard that most people will use (given that habit has already been well established) but lesser used 3rd party clients won't have to worry as much about Facebook breaking the protocol to intentionally break support for 3rd party clients. However I'd wager you will still see new proprietary features added that will not function in 3rd party clients if just to convince users that the 1st party app is the better client.
Btw, does anyone here remember off hand what happened to the "concern" the banking industry had with TLS 1.3?
My understanding is someone just came in at the last moment and basically wanted to change the entire design of TLS 1.3 because their workflow would no longer work because of forward secrecy.
On one hand, that is not right: open standards mean no walled garden, rather than each garden equally ugly.
On the other hand, that is exactly the point: no new feature can be used to buy the users' freedom to interact with customers of other services.
so the point is a degraded experience? how can that be the point?
So if I'm whatsapp I have to allow third party clients, but I can also change my API as needs change, as long as I don't lock it.
Closed standards are not inherently different (people who work in telecom can likely attest to that), but closed standards have a higher probability to be owned by a single entity. A single entity has a much easier time to coordinate a switch with themselves, or align their own incentives with their own incentives. If you are alone or don't need to work with others, cooperation is trivial. Obviously, having everything owned by the same entity also has its drawbacks. If you don't like the new price, features, tracking and forced advertisements, well tough luck. While spam is an issue with email, I am not forced to wait 3 seconds and click "skip ad" every time I read an email. I also don't need to pay per email, in contrast to SMS. Email could have been much worse if it was a closed standard owned by a single entity.
The usual answer for avoiding the need for everybody being "on board" with the changes is capability negotiation. Unfortunately, that doesn't work for email since it's a unidirectional, store-and-forward protocol: the sender has no way to negotiate capabilities with the recipient (or recipients, in case of a mailing list). If for instance I invent a new rich-text format for email, I have to include a fallback format on every message, since I cannot know whether the recipient can read my new format.
> Feel free to replace email for TCPv4/v6.
With TCP, there's another issue: middleboxes. While TCP does have working capability negotiation, unrelated third parties (which were not part of the negotiation) interfere with things they don't understand. If for instance I introduce a new TCP option which when negotiated changes the meaning of the sequence number field, a stateful firewall would drop the data packets even though they're valid for both endpoints. Due to the large amount of middleboxes in the wild, the design of TCP has been effectively "frozen", in that any enhancement will break unexpectedly for a large subset of users.
> The only successful open standard I can think of would be HTTP.
What saved HTTP was SSL/TLS. By making it hard for middleboxes to interfere without actually acting as an endpoint (with negotiation), it allowed the protocol to evolve. The best example is HTTP2: while there is a cleartext version of HTTP2, nobody uses it because it would get broken by middleboxes.
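The contrast drawn in the comment above (interactive capability negotiation versus email's one-way fallback), as an added example that is not part of the original thread. The `text/x-richnote` type, the addresses and the message bodies are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Hypothetical MIME type standing in for the "new rich-text format".
NEW_FORMAT = "text/x-richnote"
FALLBACK = "text/plain"


def negotiate(sender_caps, recipient_caps, preference):
    """Interactive protocol: both ends advertise what they support and the
    best format common to both is chosen before any content is sent."""
    common = set(sender_caps) & set(recipient_caps)
    return next((fmt for fmt in preference if fmt in common), None)


def build_email(plain, rich, with_fallback=True):
    """Store-and-forward: no round trip to the recipient is possible, so the
    sender either ships every representation or gambles on the new one."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"      # constructed addresses
    msg["To"] = "list@example.org"
    msg["Subject"] = "constructed sample"
    if with_fallback:
        # multipart/alternative lists parts from least to most preferred.
        msg.set_content(plain)
        msg.add_alternative(rich, subtype="x-richnote")
    else:
        msg.set_content(rich, subtype="x-richnote")
    return msg.as_bytes()


def render(raw, supported):
    """Recipient side: pick the last alternative this client understands.
    Returns (content_type, text), or None when nothing is readable."""
    msg = message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() == "multipart/alternative":
        candidates = list(msg.iter_parts())
    else:
        candidates = [msg]
    chosen = None
    for part in candidates:
        if part.get_content_type() in supported:
            chosen = part
    if chosen is None:
        return None
    return chosen.get_content_type(), chosen.get_content().strip()


if __name__ == "__main__":
    legacy = {FALLBACK}
    modern = {FALLBACK, NEW_FORMAT}
    prefer = [NEW_FORMAT, FALLBACK]
    # With a live peer, the format is settled up front.
    print("negotiated with legacy peer:", negotiate(modern, legacy, prefer))
    # With email, one message has to serve every kind of recipient.
    raw = build_email("Hello, plain", "{b}Hello{/b}, rich")
    print("legacy client shows:", render(raw, legacy))
    print("modern client shows:", render(raw, modern))
    bare = build_email("Hello, plain", "{b}Hello{/b}, rich", with_fallback=False)
    print("legacy client, no fallback:", render(bare, legacy))
```

Every message built with the fallback carries both bodies, which is the per-message cost the comment describes.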
Stop repeating this talking point of big tech. This is FUD. Sure, developing the standard further requires more work and is slower than if just one person alone developed it, but the upsides clearly overweigh.
Furthermore, everyone is free to build their own features in their own app that are not part of an open protocol (good examples are snooze or send later features in email).
PS: As a sister comment pointed out, open standard is not even in the scope of this new EU act. It's only about opening up their APIs. They are not forced to use an open protocol.
Specifically:
- article 7: Compliance with obligations for gatekeepers
- article 10: Updating obligations for gatekeepers and
- article 11: Anti-circumvention
Fines are up to 10% of annual global turnover, or daily fines up to 5% of average daily annual global turnover.
In more detail:
Article 11, Anti-circumvention
1. A gatekeeper shall ensure that the obligations of Articles 5 and 6 are fully and effectively complied with. While the obligations of Articles 5 and 6 apply in respect of core platform services designated pursuant to Article 3, their implementation shall not be undermined by any behaviour of the undertaking to which the gatekeeper belongs, regardless of whether this behaviour is of a contractual, commercial, technical or any other nature.
2. Where consent for collecting and processing of personal data is required to ensure compliance with this Regulation, a gatekeeper shall take the necessary steps to either enable business users to directly obtain the required consent to their processing, where required under Regulation (EU) 2016/679 and Directive 2002/58/EC, or to comply with Union data protection and privacy rules and principles in other ways including by providing business users with duly anonymised data where appropriate. The gatekeeper shall not make the obtaining of this consent by the business user more burdensome than for its own services.
3. A gatekeeper shall not degrade the conditions or quality of any of the core platform services provided to business users or end users who avail themselves of the rights or choices laid down in Articles 5 and 6, or make the exercise of those rights or choices unduly difficult.
“at least” would be serious
But that would require for politicians to actually want to do something to benefit the people, not just themselves and their bribers/lobbyists.
Some people at Apple are getting a headache right now. Other companies that have been dabbling with the idea to lock down their OS probably too.
If this happens my next phone might even be an iPhone.
Money quote:
> The checks made during the audits conducted by current application stores owned by operating system developers are indeed all reproducible by third parties.
[1]: https://www.peren.gouv.fr/rapports/2022-02-18%20-%20Eclairag...
Masterful communication on top of solid analysis. I’m going to keep a copy just to review when I’m writing my own reports to stakeholders.
I expect they employ enough smart people that they prepared for this moment of reckoning despite the hubris of their leadership.
I very much want this to happen now. However I would not have wanted this 15 years ago when the platform was a baby and little was known on how to move it forward. Last thing you wanted at that time was layers of regulation and laws that would hinder the speed of development.
15 years is probably too long and this could have happened 5-10 years ago.
At that time, Apple's system needed to attract developers, so instead of a walled garden, the company did what they could to encourage interoperability.
[1] http://apple1.chez.com/Apple1project/Docs/pdf/AppleI_Manual....
Apple makes great hardware and the main thing that was holding me back from getting one was their heavy handed approach on what applications I am allowed to install on my device and from what source.
If this works I would probably go for it.
They could have allowed third-party payments through vetted providers. They could have reduced their rates to match those providers and no one would be so keen to use them anyway. They could mandate subscriptions must be cancellable with one click and even mandate using an api to make these all appear in the settings app. They could have ensured that their review staff were better trained to prevent capricious rejections.
They instead decided to ride the wave of the apple tax for as long as they possibly could and then deal with whatever that caused later. And this is what it's caused.
I think you underestimate the talent at Apple. The reason things are locked down isn't just that it makes them secure, spam free, etc. That's true of course, but it's not the only way to do it. It is however, the easiest way and in absence of external force, there is little reason to complicate it.
If EU succeeds in forcing Apple to open some things up, then the brilliant folks at Apple will rise to the challenge and will innovate to either keep the quality as is or even make things better.
If you really want some nasty stuff on your phone for some reason you can always write it yourself or find something open source and install it with Xcode. You are free to do this; the idea that you are not is a myth regurgitated by haters who don’t think for themselves. Just good luck doing it on someone else’s iPhone without their permission.
It's a feature that can be implemented, with similar if not better effectiveness, in various ways that don't completely lock down a platform. Don't ask me how because I'm no match for brains at Apple but if EU succeeds in forcing Apple to open things up, Apple will rise to the challenge and will figure it out, just the same way they figure out how to roll out an ECG monitor that complies with local regulations of multiple countries. In other words, Apple already works under large amount of constraints of existing laws and regulations when creating products and that requires a lot of constant innovation in itself. This will just be another constraint they have to follow.
Where there is a King that charges a tax and then there is smaller and smaller nesting of feudal lords that charge other taxes.
KING US Government charging 20-45% income tax
DUKE Apple charging 30% App Store tax
DUKE Google charging 30% Google Play Store tax
DUKE Microsoft charging X% Microsoft Store tax
MARQUEES Spotify/Netflix/Airbnb charging a fee for their platform
I think we need to be careful to not smother the fire of innovation which brings social mobility across classes/income groups.
If we allow Apple/Google/Amazon/Facebook to suffocate the innovation coming from the smaller companies we might find ourselves into a new medieval/dark age period with a lot of zero sum games and hierarchy and little innovation.
> DUKE Apple charging 30% App Store tax
Note that Income tax is in reality earnings tax (as expenditures are generally subtracted), while Apple/Google fee is based on just income.
https://en.wikipedia.org/wiki/Marquess
In Italian, which is my native language, it would be MARCHESE.
Fun fact, there is a whole Italian region called Marche: https://en.wikipedia.org/wiki/Marche
I can barely believe it. It looks monumental in terms of competition potential.
The first one sounds very damaging to adtech, but might not be enforced.
This will slow down development by being forced to implement interop where they shouldn't be forced to IMO, and will confuse less savvy users (e.g. "Why can't I send this $platform_native_content to Bob but can send perfectly to Alice in the same app?").
Controlling entities' presence within the public (the Internet) is one thing, forcing to do things within their own platform/domain is another.
Sadly, EU picked the latter.
They have lots of devs and project management experience. If they don't want to do interop it's just fair that customers are complaining.
Nothing a typical chat group on WhatsApp uses is particularly innovative or unique. Text, Voice, Images, Video, map links and attachments probably cover roughly 99% of the use case and everyone supports that.
They are free to compete on additional features.
The right thing here would be making a standard, modern way of communication that supersedes SMS/MMS with a push for global adoption that has all the necessary features of sending videos/images/links/locations etc. with E2EE that is part of GSM technology suite which is either super cheap or free, to offer a sensible alternative to free but closed down services offered by giant companies. That would be much more fair play for a free market.
When elected officials decide that a platform/network is now part of the public space the owners lose out.
It happened to railways, telephone grids and all in all was an improvement.
The bigger issue is malicious compliance. I can see companies deliberately making the experience horrible.
If there is an inconsistency introduced (e.g. I can send something to one user but can't to another) it will just confuse the users more.
About malicious compliance, yup, it will probably happen. If I were a company with my platform and someone comes to me and says that I have to open up my own private platform, I probably would implement the bare minimums to not get fined, and cripple that part in every conceivable way, while still "complying" with the law. I'm a private company and want people on my platform, simple as that.
Not saying that it couldn't happen in other setting, but innovation definitely did happen in the current fragmentation of silos.
I didn't read this as the EU forcing the apps to actually implement interop. I read it as forcing them to publish the details of their protocols and not ban people for using 3rd party clients.
Now, will market forces force them to implement interop? Maybe, but based on my reading an app that doesn't talk to other apps is still legal.*
*Do not base your entire business strategy off of a single HN post from someone who is not a lawyer.
We are in danger of creating Big Monsters that will devour everything until there won't be founders anymore...only employees. Once there will be only employees in truth there will be only servants.
We need a lot of small/medium tech companies to maintain freedom and competition instead of 2-5 mega corps.
The entrepreneurs, though, continue on with the next idea.
Looking at the google lawyer privilege drama it sure seems like big tech needs a firmer hand
I'm not sure what this means in terms of the timeline. Will it be voted for in European Parliament and if yes, when? To what extent this may be changed in the final edition? And if it's adopted as a law, how much of a grace period will the companies have?
Next each chamber will vote on it but this is usually just a formality since they gave the negotiators a mandate beforehand.
If it passes, the text will become an EU directive which needs to be incorporated into national law by the member states.
After that it becomes enforceable.
The DMA is a Regulation, not a Directive. It doesn't need to be transposed in to national law in member states.
Regulations become law across the whole EU (and usually the EEA as well) as soon as they are published in the Official Journal.
For some reason I thought it was a directive...
Too late to edit my comment.
https://en.wikipedia.org/wiki/Directive_%28European_Union%29...
Regulations can build upon the foundations laid down by directives and they apply directly.
> Will it be voted for in European Parliament and if yes, when?
the European Parliament only votes on a text. It cannot take decisions by itself. it can only present a voted upon text to the EU Council. and even then it's not a given it will become a directive.
> And if it's adopted as a law
There is no such thing as a "law" in the European Union. (Simplified) The EU has directives and regulations. Text is drafted by the EU Commission, which is then sent to the EU Parliament which is then sent to the EU Council. And the same text can bounce between those institutions for some time. Finally, if all goes well, it becomes an EU Directive. After this member states have a few years to put the Directive into national law.
This process is extremely cumbersome, full of gotchas, and overall, inefficient, but it's the best thing these politicians came up with. Most likely the next level of simplification would normally involve some sort of federal union.
The DMA is a regulation, not a directive btw.
That's why I'm asking these questions.
I still don't quite understand on which stage this initiative is at the moment and how long until it is enforced.
The formal process of EU approval for directives and regulations resulted in certain practical norms. Basically, representatives for the three main organs (EUParliament, EUCouncil - i.e. national ministers - and EUCommission) sooner or later have to sit down and bang together a compromise on texts put forward by one or more of them. This is where we are today, this is what's been reported - that step has been completed.
Now the text gets put through the formal process, and it should be guaranteed to pass (bar surprising developments or upsets, like a country switching government and hence reneging on their position or EUParliament being particularly angry about specific bits of the text).
In terms of speed of approval this can be as short as a week, for the urgent stuff, but this will probably take a bit more as lobbyists will now go in overdrive trying to delay the cut-off enforcement dates that the text will contain.
In terms of distance from enforcement, this sort of world-changing rule typically gets put into force on 1 January of some future year. I reckon 1 January 2023 looks good, but we'll have to see the actual text to know for sure.
They only missed one: must provide human support for any and all products and supported services.
Google/MS/Apple have 0 user support for account/app suspension/removal and we have seen many stories here on how final those things are, and without any recourse possible
The algorithms maximize content view / platform usage disregarding mental health and addiction. Further there is no regulation that the content from recommendations is from reliable truthful sources.
Sure this time we all support the sanction, next time it might be us.
Let's first clear up why this is: spam control. Google along with the rest of the industry has essentially killed email spam through the many additions to classical email standards. From reputation based delivery, to spam databases, crypto signatures and more. This isn't just to reduce an eye sore in your inbox. Spam does real damage, financial and otherwise.
Despite the complexity needed to run a reliable email system, it's still possible to do and many do. It also allows for innovation without a lot of capital (e.g. licensing fees paid to walled garden owners). Without open interoperability, it's either impossible (e.g. general iMessage), limiting (e.g. iMessage, WhatsApp for business) or expensive to do.
I'm running my own mail server. The problem with regards to spam is not that it's hard for me not to be inundated by spam: I'm just running spamassassin and qpsmtpd with mostly standard configuration and my account on my own server is rather better at catching spam and not ham than my Gmail account. The problem I've always been fighting with (it's better lately) is that Google (and to a lesser degree Yahoo and Microsoft) tends to put my mails into the recipients' spam folders.
It's understandable that a minimal level of centralisation is necessary with email so as to build up server reputation. I think that level is already satisfied with just a few dozen or maybe hundreds of emails sent per day. If there are many installations of that size, companies like Google are forced to accept mails from them, and there's no need for further centralisation.
> Google along with the rest of the industry has essentially killed email spam through the many additions to classical email standards. From reputation based delivery, to spam databases, crypto signatures and more.
I don't see Google having had an exceptional role in "killing" email spam that way. Spam databases (both server reputation as well as content fingerprints) existed before Gmail started, DomainKeys was designed by Yahoo[1], the DKIM (the current way to add cryptographic signatures) RFC[2] does not list anyone from Google as its authors, Bayesian learning was published by PG[3] in 2002. Gmail launched 2004[4]. Giving reputation much weight was something easy for them to do and it does tend to come at the cost of small legit servers.
They had a solid implementation early on (both the spam filter and, for the time, a top notch HTML UI), had of course a good name, and were free, so they were a default choice for anyone who was with an email provider that didn't do well (like many (most?) ISPs). There are reasons for people to flock to a strong, large company, that's not different here, but I contest that spam necessitated this.
That said, any new protocol would do well to take the problem of handling spam seriously and learn from and improve upon the past.
TL;DR: my argument is that spam is (somewhat) easier to handle in a centralised way, just like most problems are, but handling spam doesn't inherently require centralisation.
[1] https://en.wikipedia.org/wiki/DomainKeys
[2] https://www.rfc-editor.org/rfc/rfc6376.txt
[3] http://paulgraham.com/spam.html
[4] https://en.wikipedia.org/wiki/Gmail
You use Zoom, Teams, Facebook or whatever you like, I'll use my Jitsi or home grown WebRTC solution. Fairness can be that simple.
But interoperability legislation can only go so far to fixing things because we also need to tackle:
- Regulator and institutional capture by vendor lobbying (bribes)
- "Preferred solution" impositions masquerading as fake security "policy"
- Lack of skills in organisations.
- Poor education about the risks of technological mono-cultures
- Technical lock-in measures, DRM, TPM enclaves
BigTech domination has been going on for 10-15 years now, and it has become more than just a set of facts around market shares and network effects. It's gotten soaked into our culture and the marrow of our institutions and will take a good deal of pain to chase out.
that's naive. the problem is that we moved away as an industry from that model for 2 specific reasons:
- widely used standards take decades to change just slightly, or never (see SMS, email)
- interoperability means either lowest common denominator or a huge cost to keep things interoperable
both are horrible for innovation, both are a killer for funding, both pull money away from other things.
all for giving "jitsi" or your "home grown webrtc solution" a reason to exist.
meanwhile apps like zoom simply took everyone by storm during covid even though lots and lots of others (including webrtc and jitsi) existed for a long time.
Zoom illegally sold users' personal data [1] and Teams unsurprisingly turned out to have all the security features we'd expect from Microsoft [2]. Jit.si comes out looking pretty good.
It's hard to hold up as paragons of good tech products that required a global pandemic to do their marketing and still couldn't deliver the goods without getting caught with their hands in the cookie jar.
[1] https://www.cbsnews.com/news/zoom-app-personal-data-selling-...
[2] https://www.forbes.com/sites/thomasbrewster/2020/04/27/your-...
Please attack my arguments, don't make aspersions as to my disposition.
> the problem is that we moved away as an industry
Please don't try to define the narrative from a parochial viewpoint. No, we didn't. Some of us did. And those few have arguably done a great deal of damage to "the industry".
> widely used standards take decades to change just slightly, or never (see SMS, email)
It's arguable that they _should_ take a long time to adapt, because stability is also a value. That doesn't preclude the emergence of new and better standards which have a fair chance of adoption in the market for protocols. Interoperability would be a key factor in their success of course.
> interoperability means either lowest common denominator
I see no justification for this statement. There are many factors that portend lowest-common outcomes, like efficiency, reckless engineering in pursuit of fast time to market... but interoperability isn't one of them.
> or a huge cost to keep things interoperable
This is what you're really shooting at isn't it? Less profit for people who want to "move fast and break things" and get out when they're done extracting. I prefer to build lasting things and treat technology as a part of long-term culture. It's just a personality type thing.
> horrible for innovation
Advancing dichotomy between standards and innovation is simply disingenuous. The entire existence of the internet is a counterexample.
> killer for funding, both pull money away from other things.
Money.
> all for giving "jit.si" or your "home grown WebRTC solution" a reason to exist.
No. Everything else you've said is about differences of value and philosophy. Fair enough. But on this point you are missing some fundamental understanding of technology.
It is not "all for" my choice. Choice is a means not an end. Choice is what underpins the drive for innovation, but ultimately there is telos (purpose) in technology beyond making profit. Those ends include resilience, opportunity, reliability, hybrid vigor of heterogeneous systems to name a few. Naivety is having a partial or immature understanding of a bigger picture, though I would not accuse you of that of course.
respects
https://oeil.secure.europarl.europa.eu/oeil/popups/ficheproc...
"The Digital Markets Act: ensuring fair and open digital markets"
https://ec.europa.eu/info/strategy/priorities-2019-2024/euro...
From here:
https://news.ycombinator.com/item?id=30777016
"...The legislation is now expected to target companies that have a market capitalisation of at least €75bn and run one core online “platform” service such as a social network or web browser, according to two people directly involved in the deal..." "...To qualify as a “gatekeeper” — the powerful internet groups that are the focus of the new law — a company will also have to have at least 45,000 active users, the same people said..."
"...Google, Amazon, Facebook, Apple and Microsoft all meet this standard, but it is likely to also include far more groups than previously thought such as accommodations site Booking.com and ecommerce group Alibaba..."
----------------------------------------
Examples of the “do’s” - Gatekeeper platforms will have to:
- Allow third parties to inter-operate with the gatekeeper’s own services in certain specific situations
- Allow their business users to access the data that they generate in their use of the gatekeeper’s platform
- Provide companies advertising on their platform with the tools and information necessary for advertisers and publishers to carry out their own independent verification of their advertisements hosted by the gatekeeper
- Allow their business users to promote their offer and conclude contracts with their customers outside the gatekeeper’s platform
Example of the “don’ts” - Gatekeeper platforms may no longer:
- Don't treat services and products offered by the gatekeeper itself more favourably in ranking than similar services or products offered by third parties on the gatekeeper's platform
- Don't prevent consumers from linking up to businesses outside their platforms
- Don't prevent users from un-installing any pre-installed software or app if they wish so
----------------------------------------
The EU is choosing to favor acting on behalf of their people, rather than some sector. If that sector can't make money in ways that are not immoral with regards to the people, so be it.
For example: Why shouldn't a 30%-fee walled garden be destroyed?
Free market isn't really free if you have no competition due to network effects and lock-in.
I do. Apple repeatedly discriminates against sexual minorities in the App Store, and it's appropriate for a government to step in and stop that.
A moral question would be "how much should governments control voluntary interactions between customers, platforms and products?" The immoral answer might well be "As much as it will help them gain short-term votes", not the moral one.
Especially when you make it all but impossible for third parties to operate outside of that walled garden.
The real reason they do this is they perceive it as a free source of income, which they can then use to buy off states to keep them in the EU itself. Note how the rules only apply to really big companies (i.e. US companies), and the fines are really big, and the rules are vague. It'll be a cash cow that avoids upsetting any local interests, the fact they can drape it in pro-consumer clothes is just a bonus from their perspective.
That is not true. There are many things corporations cannot do even if they want to. There's lots of different regulations that impose restrictions and obligations on companies against "what they want".
So now it's just defining where that line is, which is what law-making is.
This is like saying a state-mandated ISP/Gas company wouldn't be a monopoly since you can just move to another country.
You might wanna push the argument that nobody is forcing you to use iOS, but I think the problem runs deeper. In many fields and even just everyday life, you are now required to run a modern phone OS (eg. the option for not having the official COVID green pass app here in Italy is to find an authorized place that will print you a green pass on paper, and it's hard to find one, let alone schedule everything and get there without a pre-existing pass) and we're barely lucky that Google is playing by laxer rules than Apple is. If not punishing existing bad actors, these rules are a nice framework to prevent them from taking over in the future.
No, they can't do whatever they want with it. Consumer protection laws are an obvious example for how corporate interests can be limited.
> because it's far from a monopoly since there are alternatives.
It's a duopoly. iOS and Android together represent about 98% of mobile devices.
- the sector
- who has nothing to lose
- and what could be lost
I think I understand who/what you imply but I don't want to misunderstand you.
* The EU
* Tech sector
> Included in the rules' scope will be platforms with a market capitalization of €75 billion or turnover in the European Economic Area equal to or above €7.5 billion
So the rules are meant to target only the TOP part of the Tech Sector. Not the Whole Tech Sector. There could be backfires on everyone though.
I do feel though that the Apple/Facebook/Microsoft/Google/Amazon are innovating less and less and are going into cash squeeze mode. There has been a lot of talk on Hacker News on how Google search quality is decreasing.
All the privacy laws containing Facebook push them to bet on something new Meta/Oculus. So I think here the effort is to allow smaller tech to thrive and grow.
This only cements the power of US big tech like Google and Facebook.
And it sets the stage for the next big applications of the web all being built outside the EU as well.
Here in Germany, everyone is afraid to start a web startup. And if they do, they spend endless amounts of energy on agonizing over the GDPR and how to build useful international services without using international tools. We sanctioned ourselves by making the use of foreign SAAS illegal.
If you are in the EU, try out surfing the web via a non EU IP once. It is an eye-opening experience. No cookie banners! Only Europeans have to deal with those.
But it gets worse: Look at European websites from a US IP. You do get cookie banners. European companies deal with degraded user experience, slower build time and worse monetization. On a worldwide basis. While the rest of the world only applies these downsides to the European part of their business.
The legislation, at least the one coming from Brussels, is nearly always reasonable in scope, extent, impacts, penalties, and tends to strike a fair balance between specificity and vagueness as to allow the courts for some wiggle room for interpretation.
As an example, with interoperability, the final legislation might stipulate something similar to this:
* once a software service reaches sufficient market size
* the core functionality of the service must be exposed for interoperability
* any breaking changes to core functionality must allow for sufficient period of backwards-compatibility and deprecation warnings. Exceptions for security breaches or other emergencies
So, for Youtube, this would mean logging in, viewing videos and history. It doesn't mean that every single feature of every single web site must be publicly exposed and be backwards-compatible for eternity
It is a similar death spiral to how we deal with the housing problem. People have a hard time finding affordable apartments in the city centers? Create more laws that limit rents! Does this create more apartments? No. It just sends the local housing market further down the drain.
If there is any remaining problem it is that the rules are not enforced strictly enough on tech giants.
It's funny you think deregulating housing would solve the housing crisis. If you think rent limits are a disincentive to build more affordable housing, how about we just subsidize loans for non-commercial home ownership instead of expecting investors who want a ROI to either make their luxury apartments more affordable for no good reason or adhere to health and safety standards in their barely profitable social housing projects? After all, if tenants can cough up the money to regularly pay ever-increasing rents they can surely pay back loans with similar rates.
People like you love to complain about cookie banners but somehow fail to acknowledge that the reason cookie banners are a thing is that companies go out of their way to try and game the regulations instead of actually implementing them. Sure, you can't build the next Facebook in the EU but maybe not being able to build a business on intentionally abusing your users' trust is not a bad thing.
If you just want to get rich, there's still plenty of nigh-unregulated banking and speculative investment you can get involved in with nary a consequence. If you want to build software, I'm not very sorry you're inconvenienced by regulations that actually protect people from your overreach.
But you don't like that your users' data is protected by GDPR, so that you can't take it without permission? That's unnecessary regulation holding back business?
Does not sound like it has anything to do with regulation, it sounds like you want the government to give you an advantage.
Intellectual property protection is opt-in. It requires the individual to enforce his rights before a court in the relevant jurisdiction. The government only facilitates registration and adjudication. Courts don't force individuals into global protection schemes against claimant's own will.
Whatever the expected merits were, GDPR's existence as a policy has been of little more use than a protectionist beating stick in service of the EU. It gave the EU the power to dictate how websites are to be designed. Non-Europeans with business interests inside the EU had no say or representation in the matter. Governments shouldn't claim universal jurisdiction over the Internet, whatever their reasoning for such claims might be.
US works with a "better ask forgiveness than permission" model, where you are pretty free to do what you want, but people can sue you.
EU works with the opposite: create rules and keep companies compliant with those rules.
It's pretty obvious to see that the 1st model is very beneficial for startups and bootstrappers.
The general pro-vs-anti regulation dimension of the argument over tech policy seems to lack the necessary nuance if it doesn't ask about antitrust. The lack of antitrust regulation in the US has meant that the SV pipeline which fifteen years ago supported a diverse tech landscape is at risk of degenerating into one that only aims to produce targets for monopolists to buyout. It's a possible future of your "1st model" I'd rather we were more worried about.
For example, EU article 13 has a direct impact on my product (my users can upload custom resources). Good thing that Belgium didn't implement it yet. But when they do, I probably need to move my business to Delaware or something.
They claim that article 13 is to rein in the big companies like YouTube. But in the end this also makes sure that EU has a hard time of building their own YouTube.
Anyway, I looked into it, and it seems possible for me to move my business abroad when we get that far.
But all this basically proves my point. It's easier to build a startup when you are outside of the EU.
Also, cookie banners are mostly bad faith restriction implementation. You can have functional cookies with no banner. What you can't have are those tracking cookies which is what the whole thing is about.
I personally believe GDPR will never be properly enforced and most people will ignore it. The easy parts of GDPR (cookies, fonts, I guess CDNs now) are automatically detectable, and the hard parts (deletion of data, data processing agreements, necessary collection) are not. There is no way to automatically find out if someone is storing IP addresses in their access logs.
One of the really funny things I encountered in Germany is the emphasis on data privacy/protection...
But every single citizen has to inform the government where they live and their religion. You also have to inform your boss of your religion. If you make creative content, you have to publish your address as well (unless you can afford to start a business at another location).
You can find out where anyone in Germany lives for a small fee.
Those things have about 10x greater impact on my day-to-day life than Twitter finding out I watched a "cancer prognosis" video. I know they're not mutually exclusive, but it shows where priorities lie.
That depends on the religion. For a bit more context (read the full history in [1]): As part of the 1800s separation between state and church, the major ones (Catholic and Evangelic-Lutheran) got the right to a percentage of employed people's wages as a sort of "membership fee". This gets deducted by the employer out of your paycheck and collected by the tax office, then distributed to the church you're a member of. Over the years, the right to collect these taxes expanded by quite a number, although currently only the Roman Catholic, Old Catholic, Evangelic-Lutheran, Free Protestant and Jewish synagogues use that right.
In real life, no one but HR at onboarding cares which religion you specify.
Also note, this is not exclusive to Germany. Italy, Sweden, Austria, Finland, Denmark and Switzerland all have a similar system.
[1] https://de.wikipedia.org/wiki/Kirchensteuer_(Deutschland)
I also think you're massively underestimating how much people care, especially in an increasingly secular Europe, even in very liberal cities like Berlin. And in small companies, there is no HR.
Second, cookie banners are unrelated to GDPR. They became mandatory years before the GDPR, and the level of intrusiveness is because websites don't follow the "spirit of the law". With time hopefully the cookie banners dark patterns will subdue (after a few more entities get fined).
In terms of EU startups, what I'm familiar with, is them getting bought by US corporations, and not failing under the pressure of EU pro-consumer bureaucracy.
A perfect counter-example to people rambling about EU legislation - Wikipedia.
Consistently in the top 10 sites in the world for 15 years, yet there's no cookie banner, no GDPR consent screen, no personal data hoarding, no dark patterns, etc.
"Following the spirit of the law" is authoritarian nonsense. I can do whatever I want unless it's illegal. If the law cannot or does not spell something out how is that the public's problem? We spend enough blood, sweat and tears employing legislators and bureaucrats. I am not going to also do their job for them.
> To determine whether a natural person is identifiable account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.
https://arxiv.org/pdf/1904.06009.pdf
Turns out writing vague laws lets you turn entities you don't like into cash cows.
You're right, that personal identifiable information is a hot topic. Partly because you need immense foresight (a.k.a. impossible) to see how multiple data points can be correlated to identify someone, but also because you need to be aware of large-scale actors (e.g. state supported dragnet surveillance).
As an industry I don't think we have reached yet that discussion point, when we still have common basic practices we need to change. For example, I know that most small/medium companies don't even attempt to anonymize their database dumps. Those are the issues we have to focus on first, and those actions become clear to any developer that reads the GDPR for the first time. It's actionable insight without being explicitly stated.
I think that the GDPR is *incompatible with the web 2.0 model, and the internet as it exists today*, and I also think that is a good thing! It should push us to build services that in the end treat all users data as personal information, and lead to anonymous internet services by default.
I have my own laundry list of things I dislike about GDPR, which makes compliance harder than it should be. One such example is that IP addresses are "an exercise left to data controllers to anonymize", where I hold the belief that the legislature should have forced ISPs to be the ones to anonymize user IP addresses (anonymize things at the source). That way data protection agreements would not be even necessary when you use a CDN in front of your website (for example). By the same token, browsers should be forced to use generic User Agents, as those leak platform information like crazy.
I also disagree that "vague laws lets you turn entities you don't like into cash cows", because what I see most common is that companies get a slap on the wrist (so to speak) and fines are not always the first recourse, only affecting those that are majorly negligent and repeat offenders.
These laws are not draconian tools to suppress digital products, but to protect users from life affecting data leaks, automated decision making and profiling, which we've seen to be objectively bad in the past.
But as you can tell this is my highly subjective take on the issue. I might be completely wrong in my belief after all.
Au contraire. This regulation will force the big tech companies to open up their platforms, thus enabling innovation and competition.
The EU does actually have a variety of "internet" companies – and that includes Germany! There are certainly less of them; regulation could be one of the things that affects that, but it seems way more likely to be a wildly different environment for funding. Investors are more conservative and far less likely to throw dumb money at anything that moves, which means fewer successful unicorns. I'm not sure that's the best approach, but I'm not an investor.
> they spend endless amounts of energy on agonizing over the GDPR
No they don't. GDPR compliance is generally fairly straightforward for any company which isn't trying to deliberately harvest and profit from your data—particularly a new company with no legacy—and in any case represents a set of practices that should be followed by any company dealing with private data in any case.
By the same token, those startups have to worry far less about the nonsense patent and IP environment in the US. So worst case we'll call it a wash.
> We sanctioned ourselves by making the use of foreign SAAS illegal.
This did not happen. Use of non-EU SaaS is legal, subject to it being compliant with local regulation.
I'm always a bit weirded out by strenuous objections to GDPR – it seems to me that the data privacy environment in Europe is broadly pretty sensible. You need to:
- know what data you are using
- have a good justification for using it
- take appropriate precautions to secure it
- make sure users are aware of what you are doing with it
- allow users to access and correct the data you hold on them
I find it hard to object to that.
Many of the most powerful web tools are not compatible with the GDPR. Google Analytics. Ad marketplaces. Free CDNs. And it's all a moving target. I see small companies struggling for years now with these problems. And they will keep struggling for the foreseeable future.
What you're saying basically boils down to "if we stop worrying about user data then we can make more money!" which… yeah, I guess. In the same way that companies could make more money if we let them pump effluent directly into rivers – but we don't do that.
I also have experience from two start-up scale-ups that many clients are saying we won't work with you if you use a US Big Cloud. The EU alternatives are much worse and this causes lots of developer waste now ensuring the platform runs as well on the Big Cloud as it does with really terrible EU-cloud.
> I also have experience from two start-up scale-ups that many clients are saying we won't work with you if you use a US Big Cloud
Yeah, I've not heard this from anyone – but if it's the case, it sounds like there's market pressure to use services that offer better protection of personal data. Sounds like you've found an opportunity to offer an EU-based cloud service that's better than the competition :)
I'm in Qc, Canada and I see them very often. Is it only checking for a US IP, and everything else gets the banner?
Bollocks. The key difference between here and the US is the simple fact that we don't have enormous amounts of "dumb money" from pension and hedge funds screaming to be invested into anything that remotely smells like it could be worth money one time - remember Yo! which got 1M funding?! - and then founders making big money at IPO time, which many of them then choose to invest into new startups.
That means that you have to either rely on philanthropic investors, family or borrow money from banks at ridiculous interest rates (and often requiring deposit of a car/house or other expensive assets to back the loan).
Navigating GDPR and the laws here is easy - one might say, life is even easier here than in the US for startups because you don't have to fear getting kicked in the nuts over bogus patent and other IP claims or absurd multi-million dollars civil damages lawsuits.
Look at where we are communicating here. On a US website built by a single person.
It's not, but it's the basis of ad-driven, surveillance-ware, and user engagement optimized companies that drive the ludicrously high profits and wages in the US tech sector.
Do you see US tech workers lining up to work for Canonical? Yeah, I thought so too.
That's not the case for the EU. Money gets reasonable returns in energy sector, industry, any investment in Eastern Europe, tourism, PPP infrastructure projects, etc.
In any case at least YC does invest into European companies [1] - the key thing is you have to get far enough to have a meaningful product that VC funds can invest in, and unlike the US we don't have a lot of billionaire former founders who go around throwing a couple thousand dollars left and right for promising ideas they hear in an elevator.
They will lose most of their users to small platforms if they provide too much interoperability - Not just in the EU but all over the world. Their monopoly over the bulk of the world's user accounts is their only real competitive advantage.
That said, in terms of social good, open APIs would be great.
I'm sure entrepreneurs in the EU are salivating at the thought of that happening.