Comment by philistine
5 years ago
I’ve heard so many people complain on HN about Safari’s lack of support for APIs. Before now, we didn’t have a public justification why Apple refused to implement them. Now we know.
The price of a Safari user in the ad market is going down, and it’s exactly what should be happening. I’m very happy with Apple.
https://9to5mac.com/2019/12/09/apple-safari-privacy-feature-...
Except "privacy" as a justification is BS.
You can implement these APIs while at the same time requiring explicit permission from the user before a web application can use them. This preserves privacy while also giving users the option to have much more powerful web applications.
Apple doesn't want to implement these APIs because currently if you want access to these things on iOS, you need to go through their walled garden App Store, where they get a big chunk of any revenue you might make on such a service and can nerf competitors and all the other anti-competitive stuff they're doing.
> requiring explicit permission
Except in the long term that would have no effect in empowering users. We all know that when faced with a deluge of permission requests, or pressured by the fact that enough people have already accepted and it's the entry price to collaborate, people will just hit accept and be done with it.
They only need to get the foot in the door and then you'll find that plenty of stuff ends up conditioned on you giving them access. Every one of these APIs is a Trojan horse. Past experience just proves that they will be hijacked for purposes that don't do the user any favors.
Look no further than JS which is there to enrich the web to benefit users but 99% of it is garbage slid under the door to benefit site owners. That's because plenty of things that should work just fine without it are now tied into it, disable JS and the site experience breaks.
> Except in the long term that would have no effect in empowering users. We all know that when faced with a deluge of permission requests, or pressured by the fact that enough people have already accepted and it's the entry price to collaborate, people will just hit accept and be done with it.
How is that any different from apps on the App Store?
My opinion is informed by my experience with JS.
I love the web that actual dynamic logic on the frontend has allowed. I want more of that, not less.
The alternative to web apps that can do these things is native apps that can do these things. If you don't think native apps are tracking your behavior, you are sorely mistaken.
Those EU "accepts cookies" boxes have done an amazing job at making people ignore every popup on the internet.
By this logic, permission prompts shouldn't exist at all. I think you're gonna have to provide proof for your "we all know" assertion, because I do not know that users will individually grant dozens of permissions on each site they visit.
I don't want random web sites I open (and their ads) to ask permission to scan bluetooth in my area and use usb devices connected to my computer. A website has no business doing any of that. There is no justification for these APIs to exist.
I don't want _most_ websites doing this. There are some websites (especially PWAs) where they are definitely useful and can replace a heavy client.
Maybe it shouldn't be "asking for permission" but "giving your permission" explicitly. If you don't need such an API, you would never be bothered by it if the model is opt-in without notification/popups.
I understand the problem you have with websites asking for permissions, especially push notification permissions, as they keep showing up. And I do definitely agree that having a website that does not need any of these permissions ask for it would be even more annoying, but there are definitely cases where I'm glad a website can help me out (and I don't have to download a heavy client that might or might not have tracking and analytics in it).
> I don't want random web sites I open (and their ads) to ask permission to scan bluetooth in my area and use usb devices connected to my computer.
Why not? It makes complete sense for something like a website that backs up the photos stored on your camera. What's even the counter argument, that if people want to back up their data they should have to pay Apple?
If you've granted a website access to a restricted API, the browser can just paint a flashing red border around the website or whatever, similar to how people configure their terminals when they're SSH'd into prod.
I’m tired of websites asking if I want to enable push notifications from them. The answer is, and will always be, GTFO.
I disagree. I want that. Therefore a website does have business asking for those things.
Same argument could be made for JS in general. The justification for those APIs to exist is because developers want to implement features using them, same as with JS in general too.
I've seen Apple get away with this bad monopolistic behavior through hypocrisy more and more.
Apple is denying people their real rights to install whatever they want on their own machines, forcing everything to go through their app store, where they have the last word on who can or cannot distribute software to the platforms they have created.
They know that if they use the common "we are thinking of your well being" their customers and fans will just believe they are a good-willing company with no other interests than their users' safety and well being.
I don't know why the majority of the crowd here on HN, who used to be so harsh in pointing out this kind of behavior in companies like Google and Microsoft, have this blindness with everything that has to do with Apple.
It will be worth nothing if, after having defeated this beast with GNU, Linux, the Web, the open software revolution, etc., we end up not protecting what we have achieved so far, because somehow one company trying to secure their profits and its position in the market gets away with behaviors that can ultimately destroy the culture of freedom, open-source software and ultimately, digital rights, which our legislators are not prepared to defend, really understanding the threats and the dire future they represent if we don't uncover the true intentions behind this BS.
Recently I’ve seen a jump in the number of random sites popping up “this site wants to access VR hardware” dialogs in Firefox; news articles nothing to do with VR or visualisation. I don’t have any VR devices.
How do you do this bit “requiring explicit permission from the user before a web application can use them” without the fallout of “it’s just a hundred thousand popups and you’re done!” on every page?
Easy. You don't have them in popups, you have them in a dropdown that the user selects themselves. Websites then need to learn to fail gracefully if not given certain permissions, otherwise consumers need to stop using those websites.
The solution to privacy concerns is not "nuke functionality", it's "don't let websites abuse functionality for tracking purposes".
Just like how with native apps on iOS, the solution is not "don't let apps ever access GPS data", it's provide a UX that makes it fairly easy to choose and don't provide permissions to apps that don't need them.
I'd argue that what Firefox does with the tilting icon for Push Notification is not that bad. I'm surprised they do not do the same for other types of permission, as these request popups are equally annoying.
However, I have to admit that displaying one icon per permission would not scale great when having a dozen of them.
Just the constant "this website would like to send you push notifications" on every last damn site.
next headline: "Apple devices won't display any video other than those from tv+"
Apple bros on HN: "Good! finally someone standing up to the BigTech abuse of privacy"
I sympathise with the walled garden App Store argument. I hate it that Apple keep such a tight grip on the application distribution channel. At the same time, I really hate the trend where browsers are operating systems and I use native apps whenever possible.
Apple has the ability to put every submitted app through rigorous analysis before publication on the App Store to look for forbidden behavior, in order to protect their customers. They don't have that ability with arbitrary websites.
So you trust a third-party, a company, to define what is 'forbidden' for you to install, if they say they do this "to protect our customers"?
At least in a democracy we can elect the people who define what's allowed or forbidden to us, and they can only do it within the constraints of a constitution.
If we let companies get away with it, we are allowing them to create shadow states, a sort of new digital feudalism, where our digital overlords can control a big part of our lives. (Remember that we are going through a process of digitalization of our lives and experience, with IoT, AI, smart gadgets, to take into account how powerful an entity who can control all of this can be)
Today, it's just Apple. But with people normalizing this kind of behavior, it will be more and more over time, till it's too late for all of us.
By forcing other browsers to use their implementation of the Web platform, for instance, they knew they could keep the Web from being a good contender to their exclusive application platform.
This kind of action alone should be outlawed, because it is pure uncompetitive behavior, not to say it's hurting their customers' freedom to choose what's best for them, and that actually has nothing to do with the privacy or safety of their users.
You made the same point before but again, how did TikTok, Facebook and all the other crap get past it? What about all the other Chinese spyware?
> Apple has the ability to put every submitted app through rigorous analysis before publication on the App Store to look for forbidden behavior, in order to protect their customers.
Note that Apple does not regularly exercise that ability…
Firefox doesn't support them either. Most of these are implemented on Chromium, for Google's ChromeOS primarily.
They're kinda useless for web browsers, but people see them in Chromium and believe they must be there for a reason other than ChromeOS. Apple and Firefox are doing it right. These things don't have a place in browsers.
They didn’t mention the biggest one that people (including me) complain about, which is the push notification API. That’s intellectually honest of them (it inherently requires explicit permission before activating for a particular origin), but pointing to these far less likely to be used APIs is not making a good case for neutering PWAs on privacy grounds.
Safari already implements an API that leaks enough information to uniquely fingerprint a device.
For instance, the Audio API. You can test it using OpenWPM [1][2] and you will get the same ID in both normal and incognito mode. And this is only one of many things not blocked by default. ETag tracking is pretty popular on pixels.
I'm not saying they aren't right, I'm just saying that they are somehow doing more PR than anything else. And as other comments are calling out, this makes it even harder to compete on iOS using PWAs (How is a website asking for permission different from an app? Can't we have a permission framework just like apps?).
[1] https://audiofingerprint.openwpm.com/
[2] https://github.com/mozilla/OpenWPM
> Safari already implements an API that leaks enough information to uniquely fingerprint a device.
What's your point? Because one API can be used for something, Apple should let Safari be a free-for-all?
Native apps are much, much more privacy-invasive.
Apple forces you to use those. You have no choice, like on other platforms.
I agree, with a caveat - Apple can and does remove apps which are caught stealing data permanently. The App Store and Apple's policies act as a safeguard for users. As far as I know, there is no reliable way to do that for web apps.
Don't fool yourself, Apple will never remove killer apps, only small insignificant apps. Instagram for example "steals" way more data than necessary, yet Apple does not remove them. TikTok just got caught for some stuff - still there.
So they might catch some rogue apps, but far from reliable or trustworthy. They protect their platform image, nothing more.
With webapps at least I can take some measures like ad and tracking blocking myself. I don't have to give access to the system unless some case really warrants it.
Outside this list, Safari's support is limited or none for many other APIs. MediaRecorder and many WebRTC APIs have no clear roadmap for support.
Many APIs, including getUserMedia and all of WebRTC, are not supported in WKWebView (the only way Firefox/Chrome works on iOS due to Apple policy blocking them from building their own browser). This means some apps will only work in iOS-Safari and not in iOS-Chrome/Firefox.
None of this has to do with privacy; being able to record media locally without sending it to a STUN/TURN server increases privacy, not reduces it.
There's an unintended consequence in this, though. Which is that if you don't use an ad blocker you'll see the lowest cost, and thus lowest quality of ads. So in addition to keeping a private presence you're required to use an ad blocker. And services which have built their business around being ad-supported will see you as a deadbeat. Which motivates them to be more aggressive in upselling you, or denying service if you don't whitelist their ads.
> Which is that if you don't use an ad blocker you'll see the lowest cost, and thus lowest quality of ads
I haven't worked with web ads in a while, but from what I remember when I did, people with little data on file with the advertising networks got more ads, and better ads, because there was no record of them having seen the high-paying ads already.
The longer you surfed, and the longer you were tracked, the lower quality the ads became.
Again, I haven't been in this arena for a while, but that was true at the time, as told to me by the president of one of the larger non-FAANG advertising networks, over coffee.
But it's all a red herring anyway, isn't it? Are there any people out there saying, "I wish there was a way to give Google more information about me so that I can see better quality ads!"
> Which is that if you don't use an ad blocker you'll see the lowest cost, and thus lowest quality of ads.
Is this a thing? Do people in demographics which are less appealing to advertisers also see more intrusive ads?
To me, intrusive ads mean ads which intrude on my privacy. So if you use Safari, no, you will not see more intrusive ads, quite the contrary.
Those ads might be terrible chum bucket stuff, but they would not be intruding into your privacy.
"privacy" the new excuse for monopolistic practices.
Apple users hate to hear they believe the marketing, but it doesn't get more clear cut than twisting these things to be positive.