by rawrmaan 2533 days ago
That's pretty epic. Apple continues to make big, brave moral gestures (like when they yanked Facebook and Google's enterprise certs earlier this year, or killed long-term tracking cookies in Safari overnight).

Makes me happy to be a customer. Hope they keep enforcing their own rules and protecting their users' privacy and security in this fearless manner.

11 comments

I don't think disabling the enterprise certs was particularly moral; Facebook and Google were flagrantly violating the terms of the enterprise program. Apple also apparently didn't even notice (or didn't care) until articles about it started getting a lot of attention.

Apple definitely does make some commendable decisions, but I think it's also important to distinguish between bravery and what Ben Thompson calls "Strategy Credits" (https://stratechery.com/2013/strategy-credit/):

> Strategy Credit: An uncomplicated decision that makes a company look good relative to other companies who face much more significant trade-offs.

> Apple also apparently didn't even notice

Do they have any information about enterprise apps? As I understand it, Apple never phones home with app info (such as the identifier, name, etc) when verifying or installing enterprise-signed apps, so the only thing they know is probably the IP address requesting to verify the enterprise-signed app and the frequency of how often Apple devices do this certificate verification.

Considering FB and Google have many employees in all different parts of the world, it wouldn't be too suspicious to see a good amount of diversity between GeoIP regions.

Correct me if I'm wrong about what info Apple collects about enterprise apps.

As far as I can see this is correct. Even if devices are enrolled in Apple's Enterprise MDM program, the administration staff are the ones who get to see which applications are installed on the iDevice, not Apple. And I really do not think they are so preoccupied with this that they want to actively scan IP addresses for suspicious behavior (of which there probably isn't any to begin with).

Anyway I wholeheartedly agree with you here and I think Apple genuinely had no knowledge of this activity until news outlets reported on it. Or if they did, it did not make its way to the higher-ups that revoke developer certs.

Going forwards, Apple will require that companies provide their enterprise apps to be audited.
I see them adding something like the macOS "notarization" requirement to iOS enterprise apps.
Indeed a company's "morals" are better exposed when it has to make inconvenient choices.
I would say true morals lead to structuring your company in such a way that you don’t have to rely on business people making ethical decisions moment to moment, because they won’t.
As nice as that sounds, I think it requires an impossibly perfect prediction of future events. You face ethical decisions whenever you have power or limited resources.
No. You can bend your business model towards transactions you are comfortable with, without perfect future vision, or even a clear strategic understanding of how that might happen.

In fact, the world around you will bend to meet your values whether you’re even aware of it. And that includes any companies you run.

The world does extend beyond your knowledge of it.

You really need to build a company that values that right down to its core. It has to be embedded so deep into the hiring process that you only select for people who share that value, and it has to be easy to let go of people who don’t fit.

Otherwise, it only takes one person to short-circuit that value to set the ball rolling on a shift towards lower standards.

You need to run a super tight ship, which I think is not as hard as it sounds until you put VC, investment, and shareholders into the mix. You at least need to be super diligent about those people you bring in who are not accountable to you, but you are accountable to them.

Basecamp is an amazing example of a company that has succeeded without compromising itself a jot. They do all kinds of things that we might consider unthinkable because they won’t budge on their values. Probably the one company I’d drop everything to work for if I had a chance at getting through their hiring process.

The same forces that require several levels of management make it increasingly difficult to enforce ethical decisions. Basically, when no one person can keep track of all the moving pieces you get splits around what individuals think is acceptable behavior. The larger an organization grows, the more things tend to diverge, with different branches often having wildly different perspectives.

This tends to further degrade as new employees are added, and whatever original vision was going on continues to degrade over time. Especially as both the times and even business models change.

Yeah, I agree, but I think that is just a way of stating that morals are impossible to perfect.
Hmm maybe - what I have in mind is that you could run something undeniably good e.g. a hospital, and you will still face hard ethical decisions about how you handle uncertainty, apply power or allocate your resources. Doing good things just isn’t easy!
You can certainly form a company whose line of business minimizes how many ethical questions it will face; I'd consider that to be ducking out and ultimately less moral than entering a business where there are genuinely tough ethical questions that you will need to take positions on (and inevitably sometimes get wrong).
How is that even possible?
For example between an easily upgradeable, environment-friendly product and a box of glued components with no user-replaceable parts, so that they need to buy a new item in the line sooner.
I'm not convinced that morality and self-interest are mutually exclusive. Very often the best decision for a given entity to make is a moral one.

We should still reward/praise companies who make decisions that are morally superior to their competitors, regardless of whether the morality itself was a primary motivation.

I personally believe morality and self interest strongly overlap over the long term, but short term they are largely independent conditional on the probability of getting caught...

Humans might have too short lifespans, memories and limited rationality for the long term benefit of morality to be strongly in our individual self interest though... one of the possible benefits of anti-aging and cognitive enhancement tech is it might incentivize us to be more moral all other things equal as a side effect.

Yeah, I'm not sure I attribute Apple and Tim Cook's latest stances to strong moral fortitude. I think it's more corporate 101:

1) Public sentiment is hammering companies for perceived privacy violations

2) Our business model does not rely heavily on selling user data

3) Make public statements about how much we value privacy at literally no cost to us

4) Get in a good dig at our competition at the same time

Perhaps. But I also find it easy to buy that a guy who grew up gay in Alabama could think privacy is of fundamental importance.
Indeed. But I also think that Zuckerberg, Bezos, Page & Brin all value their own privacy. They just don't value your privacy that much.
Zuckerberg definitely does; there are pictures of him with tape over his webcam, microphones taped, etc.
I would be reticent to praise them quite so effusively, though I do think they're the best of the big tech companies currently. I'll be watching the development of this suit with great interest: https://time.com/5596033/lawsuit-apple-selling-itunes-listen...
I think that case is kind of a stretch. I read the complaint and there are two arguments:

1. Lists of people who have purchased [music genre] from iTunes & listened on Pandora is for sale by data brokers, and

2. App developers (they specifically call out Pandora) who use the MediaFramework API have access to iTunes library metadata that they can then collect.

I haven’t looked at Apple’s Developer Agreement recently but I suspect Pandora (and potentially others) hasn’t complied with the terms.

I do appreciate Apple's overall stance and actions regarding privacy, but I see this as a very practical action for their own self-interest. Apple has staked its reputation on privacy. The headline-level summary of this incident is that Mac users are exclusively affected by Zoom's bug/security hole. Among consumers, unauthorized access to the webcam is the epitome of modern invasion of privacy. All it takes is one Apple user to be victimized for Apple's reputation on privacy to be as much of an ongoing punchline as Samsung's exploding phones.
Why not both?
Glad to see that Cook hasn't altered this as Apple always had security as focus. It was one of the reasons I got my wife into using macs years ago, I never had to support her or worry about what website has managed to install ad malware.

We recently went back to PCs and it was immediately obvious we needed wall-to-wall antivirus protection, which was not always the case on Macs.

Never forget PRISM.
I don't think killing those enterprise certs was a moral gesture. They were just enforcing their walled garden.
From what I hear from people in the ad business, Safari is still 100% trackable even without those cookies; it's just a bit harder to set up.
Wouldn't it be EPIC if Apple produced a statement saying

"We are not going to keep any data at all about you unless we are forced to do so legally. We are bound by that contract with you when you purchase our device."

Then followed that with

"We're going to make it as hard as humanly possible for anyone else to collect and keep data about you if you own one of our devices. Including both legal and technical solutions and we will sue them for breach."

As it is, we're praising "least worse" which is effing awful. Apple's excrement stinks less than some others, eat it up!

Well that's what Apple might do if they really were in the business of being paid by customers to serve those paying customers and nobody else.

But of course Apple literally wrote the book on selling their customers as product to third parties. They've been wildly successful at it. Microsoft, IBM look on in envy at how they've managed to get away with it.

Since it has been massively profitable for them to turn their customers into their product, they see no reason to change and I guess why should they? Profit maximisation is their business, yours and my health and welfare is only of interest in service to maximising profit. If they did anything else they might be guilty of securities fraud(!) So yeah, they can be completely horrific and still win the PR battle because others seem even worse.

I see these statements of fact are always jarring for people to notice for the first time, especially if they quite like the machines (I do), and quite like liberal democracy and free market economics (again I do!) and more so that this utter hideousness is our best option right now because there is no option even remotely on the same planet as good. It is thoroughly depressing all round.

I still think Apple products are built on human rights abuses. I am currently trying to parse their most recent conflict minerals disclosure. It doesn't explicitly say "yes" but also doesn't clearly say "conflict-free" either.
Note that conflict-free at this time is so hard as to be practically impossible. Fairphone, a company and phone founded explicitly with the goal of producing a phone without conflict minerals, still isn't conflict-free, and it's not for lack of trying.

Sure, Apple has more leverage, considering their size, but that also comes with its own set of problems. Plus, their customers have nowhere to go to in protest - all other phones are full of conflict minerals too.

I understand it's hard to make conflict-free computers.

I feel sick when Apple says they are deeply committed to upholding human rights while they continue manufacturing electronics, because I need authenticity. I would like Apple to use more of their resources to figure out how to do conflict-free consumer electronics.

> I would like Apple to use more of their resources to figure out how to do conflict-free consumer electronics.

I would like that as well, but I understand how that's difficult for them to do, too: making public that you're working on that, is also making public the deficiencies you have in that area currently - something many consumers are not aware of, and of which they may think it applies only to you.

That's why initiatives like Fairphone's are good. That said, I've followed their blog [1] for a while, and occasionally they've been part of initiatives of which other phone manufacturers have been part as well (I recall something about Nokia and Congo). I think they just don't publicise that for the reasons I outlined above.

[1] https://www.fairphone.com/en/blog/

I’m sure you also love to complain about the problems at the Foxconn ‘Apple factory’. Which in reality builds products for all manufacturers.
I just wanted to express to rawrmaan that I felt disturbed about his calling Apple brave and moral when many aspects of their supply chain don't appeal to my sense of justice.
So "everyone else does it" is a valid defense?

Apple charges $1k for their monitor stands. I think they can afford to build their stuff at a factory that doesn't use modern slavery.

I agree that Apple is incredibly greedy and hypocritical, but in the end, working at Foxconn is just another underpaid job. I think the term "modern slavery" should be reserved for people whose passport has been taken away, who are trapped on a fishing boat or in a brothel for life, who have been tricked into accepting debt etc.
So “selling your items for cheap” is a valid defense?
According to the article, "Apple said the update does not require any user interaction and is deployed automatically." There's nothing moral about using "silent updates" (updates the user has no opportunity to decide whether to adopt).

Apple certainly wasn't looking out for their users' privacy and security when they let an iTunes bug go unfixed for 3 years (see http://www.telegraph.co.uk/technology/apple/8912714/Apple-iT... for more). That bug was said to allow government spying. Apple's iPhone back door lets Apple delete a user's apps (per http://www.telegraph.co.uk/technology/3358134/Apples-Jobs-co...) but Steve Jobs said it was okay because we can trust Apple ("Hopefully we never have to pull that lever, but we would be irresponsible not to have a lever like that to pull."). Back doors aren't moral; they exist to grant another party control over the device the user bought and should own.

The root of all of this is the power of proprietary software (software the user can't inspect, share, or modify, and in some particularly restrictive cases can't always run). Proprietary software is unjust power over the user. There's nothing moral about proprietary software.

Requiring user confirmation for updating malware signatures would make them a lot less effective.

And in any case, there is a checkbox in the software update preferences labelled "Install system data files and security updates" which presumably allows you to opt out of these critical security updates.

And if you really wanted to have the Zoom backdoor server run on your system, you could probably just strip the code signature and run it manually. Apple isn't stopping you from running whatever software you want on the Mac. Apple is helping all those users that don't follow Hacker News to keep their Mac safe.

>Requiring user confirmation for updating malware signatures would make them a lot less effective.

That seems highly unlikely to me. Do you have evidence to support that assertion?

On first use "Do you want us to automatically remove apps we think might damage your system: Y/n."

Don't users need a notification, at least, to inform their choices when installing software?

I guess Apple Computers would rather you just mindlessly relied on them, however, so anything that lets users know that Apple's system exposed them to risk is going to be avoided.

> Do you have evidence to support that assertion?

Every relative who never installs updates. I ask them why they are on an old version with major security holes that were on the news, but they just don't care. They always click "later".

You can turn it off if you don't like it. If one doesn't know enough to turn it off, one probably shouldn't be turning it off.
> There's nothing moral about using "silent updates"

Sorry, but this is absurd. Automatic security updates are a necessity. And no user reads through all the changelogs of all updated software (except on extremely critical systems).

Maybe you wanted to argue for the ability to downgrade and disable updates?

There's no call to write in such patronizing ways.

It should be up to the user to decide whether to take on updates, regardless of what you think, because that's their computer and not yours and you each deserve control over the computers you own. Just as freedom of speech means sometimes people will say things you disagree with, free software computers mean not everyone will keep up with the updates. But not offering software freedom is unethical, and neither Zoom nor Apple is distributing software freedom. Apple has a clear record of using the power of a proprietor to expose their users to harm (more examples at https://www.gnu.org/proprietary/malware-apple.html ) and this story is an example of how Zoom apparently does as well.

What you and other posters are tellingly refusing to address is the immorality of software nonfreedom. As I wrote before, this is the core of the issue.

> It should be up to the user to decide whether to take on updates, regardless of what you think because that's their computer and not yours and you each deserve control over the computers you own.

Which is why the user can CHOOSE to have automatic updates. Or not to. The default when buying a new Mac is that automatic updates are enabled, because that’s the product Apple wants to sell and that they believe most of their users want to buy. It’s secure, it’s practical, it’s fun.

If you want to be your own IT department you simply deactivate all or some automatic updates. If you want a secure computer and trust Apple you leave it on.

I don’t see how this is a big moral question at all. Let people organize their computing needs in a way that’s safe and practical for them, not in the way that’s safe and practical for you.

>There's nothing moral about using "silent updates" (updates the user has no opportunity to decide whether to adopt).

There's nothing accurate about this description.

The user can turn off all update checking, or use the granular permissions to just turn off silent security updates.

>To allow macOS to update automatically, go to System Preferences > Software Update, then check Automatically keep my Mac up to date. The Mac offers some more granular update options than iOS. If you click Advanced…, you see a number of options:

https://www.intego.com/mac-security-blog/everything-you-need...

If you only want to turn off silent security updates, the option to uncheck is "Install system data files and security updates".

Every browser and most other important software now does auto-updates with no user interaction. ESPECIALLY for security issues.
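The "Install system data files and security updates" checkbox discussed above is, to my knowledge, backed by the `ConfigDataInstall` and `CriticalUpdateInstall` keys in `/Library/Preferences/com.apple.SoftwareUpdate` (the "system data files" channel is how XProtect and MRT definitions arrive). The audit script below is an added example, not code from any commenter or from Apple; the sample `defaults read` output is constructed, and the key semantics are an assumption based on how that pane behaves.

```shell
#!/bin/sh
# Constructed sample of `defaults read /Library/Preferences/com.apple.SoftwareUpdate`
# output (shape only; the values are made up for this example).
SAMPLE_PREFS='{
    AutomaticCheckEnabled = 1;
    AutomaticDownload = 1;
    AutomaticallyInstallMacOSUpdates = 0;
    ConfigDataInstall = 1;
    CriticalUpdateInstall = 1;
}'

# pref_value KEY PREFS: print the boolean value of KEY from defaults(1)-style
# output, or 0 when the key is absent (absent keys behave as unset here).
pref_value() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1 = \([01]\);/\1/p" \
        | head -n 1 | grep . || echo 0
}

# silent_security_status PREFS: "silent-security-on" when update checking,
# system data file installs (XProtect/MRT definitions, assumed to be what
# ConfigDataInstall gates) and critical update installs are all enabled,
# "silent-security-off" otherwise.
silent_security_status() {
    prefs="$1"
    check=$(pref_value AutomaticCheckEnabled "$prefs")
    config=$(pref_value ConfigDataInstall "$prefs")
    critical=$(pref_value CriticalUpdateInstall "$prefs")
    if [ "$check" = 1 ] && [ "$config" = 1 ] && [ "$critical" = 1 ]; then
        echo silent-security-on
    else
        echo silent-security-off
    fi
}

# On a Mac, inspect the live preferences; elsewhere fall back to the sample
# so the script still demonstrates the check offline.
if [ "$(uname)" = Darwin ] && [ -x /usr/bin/defaults ]; then
    PREFS=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate 2>/dev/null \
        || printf '%s' "$SAMPLE_PREFS")
else
    PREFS="$SAMPLE_PREFS"
fi
echo "Automatic security data installs: $(silent_security_status "$PREFS")"
```

A fleet-wide version of this check is what a defender would want before relying on MRT to clean up something like the Zoom server on every managed Mac.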
Apple or anyone else cannot silently push changes to my computer without my explicit consent, especially on unrelated things.

What Apple did here is also a dark pattern. We cannot commend them and normalize this behavior.

This is a dictatorial one-sided decision by Apple. What else can they do? Can nation state governments compel Apple to push stuff silently? Can this system be abused by hackers?

Why are we dependent on the good moral behavior of Apple business decision makers for the well-being of our digital lives? Haven't we learnt anything at all from all the incidents in the recent past w.r.t trust in corporate benevolence?

It's also in the macOS license agreement:

"By using the Apple Software, you agree that Apple may download and install automatic updates onto your computer and your peripheral devices. You can turn off automatic updates altogether at any time by changing the automatic updates settings found within System Preferences."

It is enabled by default and if you don’t like that you can disable this behavior.

https://support.apple.com/en-us/HT204536

We still have not heard anything officially from Apple. Based on other comments here, this removal happened via Malware Removal Tool (MRT) which itself is a hidden tool. If yes, then Apple needs to declare Zoom as Malware. For reference, Apple defines Malware here - https://support.apple.com/en-in/guide/mac-help/mh27449/10.14....

On the other hand, Apple itself is guilty of not addressing gatekeeper vulnerability in time (is still yet to fix this bug): https://9to5mac.com/2019/05/25/macos-gatekeeper-vulnerabilit...

> We cannot commend them

> Why are we dependent

Why are you using "we"? I for one am quite happy how Apple manages Gatekeeper.

That boat sailed when Google Chrome launched 10+ years ago. Users don't care that applications come built in with the ability to download a binary and execute it without the user's permission. The market has chosen convenience over security. Yes, it's a dark pattern, and Apple uses dark patterns themselves (e.g. to trick you into updating iOS). It's going to be a monumental uphill battle to change this trend.