[edko]

This whole thing has taught me a lesson. I initially sided with the weaker side because I own a copy of Dash, and it is great software, and because one tends to side with the underdog.

After listening to the recording of the conversation, my feeling is that Apple is handling this in a very fair and professional way, and that I was too quick to take sides. I think it is not unreasonable to assume that: same credit card + same hardware = same developer.

[gshulegaard]

I generally agree with you but wanted to point out that:

> same credit card + same hardware = same developer

is fine as a pseudo-identifier for fraud detection...but I don't think is actually an identifier. It's kind of like someone knowing my social security number and birthday but not actually being me.

IMO, Apple should have immediately reinstated the account once contacted about a potential edge case rather than insist that, "they did nothing wrong" because the implication of that is that the above two pieces of information is legally acceptable as personal identification and that the developer _did_ do something wrong.

I may not believe Kapeli 100% and his reputation is tarnished some in my eyes, but I don't agree with Apple standing on the notion that CC + device identifiers together are sufficient PII. Fine for fraud detection in a "pseudo-" context...sure...but not enough to deny immediate reinstatement.

[cocktailpeanuts]

Even though they only mentioned credit card and device identifiers, I'm sure Apple has much more information behind the scenes they don't make public, such as the account behavior, etc.

For example they could just look at the IP from which each account holder signed in, and may have found that they were coming from the same IP. In fact, it is very likely that they would have tried this, and if they did and found that the IP were different they probably wouldn't have been as confident about how they dealt with this case in my opinion.

[eridius]

Why should Apple have immediately reinstated the account? Remember, in all of this, we still have no proof that he doesn't actually control the second account. All we have is his claim that this account belongs to a relative and that he doesn't control it (and even if that's completely true, I think he still bears some responsibility for it since he set up the account and provided the hardware). The fact that Apple was willing to believe him and offer him a way to unlink his account was a gesture of good faith by Apple, nothing more.

[edko]

My point was that it is not unreasonable to assume same credit card + same hardware = same developer, not that it is an infallible method.

Apple offered some flexibility, to account for the remote possibility of an unfortunate misunderstanding, and offered a way forward that, in my view, was pretty reasonable, and that allowed both sides to safe face, and continue to do business together.

[djrogers]

> I generally agree with you but wanted to point out that: > same credit card + same hardware = same developer is fine as a pseudo-identifier for fraud detection...but I don't think is actually an identifier. It's kind of like someone knowing my social security number and birthday but not actually being me.

No, actually it's not. Someone knowing your SSN is completely different form someone having possession of your hardware. Even if the story were different and the CC# had been stolen, iOS hardware identifiers are cryptographically validated on development devices. You can't just go around 'stealing' device IDs without having possession of said devices - ergo it's about as solid an identifier as one can get.

[CodeWriter23]

You probably use less information to uniquely identify users in apps that you write. Assuming you write apps in the first place.

[gshulegaard]

Generally, I uniquely identify users by PK sequences on a table with UNIQUE constraints on various pieces of User data.

So if Apple had made credit cards and/or test devices UNIQUE to a given account then sure...but that's not what they did here did they?

[CodeWriter23]

So yes, you use a single token. Apple used a token and a credit card number. That's two pieces of identifying information.

[Hydraulix989]

If I had to guess, the combination of matching CCs + matching test devices (i.e. when _both_ are the same) has a fairly low false positive rate for identifying fraudulently-linked accounts.

This type of probabilistic inference is how fraud detection works in everything from Apple to Paypal to world banks.

I would even go so far as to call that aforementioned combination a smoking gun.

[pkamb]

The phone conversation was reasonable. Kapeli thought it was reasonable. He sent a draft blog post in for review.

THEN, after this phone conversation, they go to the press with a PR release that paints him as a scammer (and doesn't mention any of the circumstances from the phone call). This happens while Kapeli is waiting for his blog post to be reviewed.