alias_neo
6 hours ago
Just to add some balance to the conversation; this silliness isn't limited to Apple; we've had Play Store reject our app several times for doing something it literally doesn't do; they required us to add a data-protection policy to explain why we did it, and wouldn't accept that it (our app) literally doesn't (the app connects to a self-hosted server the user runs themselves, so it can easily be checked). In the end, we gave up and just added the DPP text anyway and it got approved.
Edit to add: This was for an update, over half a decade after release, not the initial release, and nothing had changed in how it functioned in this regard in that time.
Edit 2: Typo + clarification
isodev
6 hours ago
In this case, they were correct to request that you add data protection policy. Your app may still process personal data locally and then you're still subject to data protection regulations.
pjc50
5 hours ago
You're going to have to cite a data protection authority case for me to believe that.
Edit: no, the more I think about it the more this interpretation is completely nuts. It implies that every single software vendor needs to secure consent from every single end user of software they ship through any client.
e.g. if SAP provide CRM software to Contoso, and Jim is a customer of Contoso, even though all the data is processed on Contoso premises, SAP still need to be in communication with Jim?
user
2 hours ago
isodev
4 hours ago
Well, certainly don't rely on forums to get your legal info. Feel free to consult someone versed with data protection regulations in countries where your app is available.
izacus
5 hours ago
You misunderstood the post I think.
Arnt
5 hours ago
No, it's true. On-device actions count in the eyes of the law. "This app processes the user's data on-device, does not allow other apps to access the data, and optionally copies it to a server that the user provides" is a description.
cyanydeez
3 hours ago
Righy, isny it easy to understand, esepcially if your app allows http?
The data protection policy would explicitly state such a exposure.
"No ezposure" is a state.
Any app that allows a user to put in a endpoint that transfers the user data should have a data policy, since a malactor could convince the user to change thta endpoint, leading to a breach.
I think that it seems benign only in theory.
alias_neo
6 hours ago
It doesn't.
tempfile
6 hours ago
Are you? If the user processes their own data on their own device using your software, you're the data processor?
District5524
4 hours ago
No. Data processor has a special meaning (at least under GDPR) and requires you to be a separate entity from the data controller (article 4(8) of GDPR). Just because you process data, will not make you a data processor. A software developer is neither a controller, nor a data processor per se, but the question is why the software processes any personal data. If there is no third person on whose behalf you process data, you might still easily be a data controller and all the privacy related obligations primarily rest on this role. Controllership does not depend on sending any data to remote locations/other apps outside the phone etc., but more on whether there is any personal data processed in the app at all and if there is, the reason for that processing. If you're not processing any personal data, you'll not be a controller, but if you do, you'll be unlikely to be able to skip this responsibility altogether. Considering you'll be the only one knowing exactly what your software can and cannot do with what kind of personal data, you'd better at least explain that to the user. Surely, developers of some software (e.g. compilers) will never be data controllers even if the software can compile software to process personal data... But for many frontend software, like apps, there is no such easy way out unless not processing any personal data at all, including usage data, which is also not an easy thing to do. But that doesn't mean you can just skip the obligation towards the store manageer who says you HAVE to provide a privacy policy even if you don't process any personal data. Similarly, processing for "purely personal or household activity", even by automated means is outside the scope of GDPR in EU, but that will not save you from the privacy policy obligation towards Apple or whomever.
cyanydeez
3 hours ago
If you have tge user enter a arbitrary endpoint, you are explicitly shipping user data off tge device and a foreign actor could use your app to maliciously MITM that arbitrary endpoint.
It doesnt mattet if you good faith assume he user of your app is smart wnough to keep the app and that endpoint secure, you are providing a meansnto exfiltrate your app data
dcow
4 hours ago
What’s the 1 sentence version of your point?
refulgentis
3 hours ago
Yes, unless someone spells out to you that they're the data controller and taking legal responsibility (think Google Analytics)
I know that's the opposite of what they led with, I'm not trying to be cheeky. It's just shorter if you invert the premise and avoid technicalities.
In general, on HN, I see people struggling to wrap their mind around that everyone who takes in data has to take it seriously, at least, that's how the app stores view it.
isodev
5 hours ago
As the app developer you clearly control the means of processing, you are the data controller. You may have opted for “offline processing” which simplifies your compliance, but it is still processing under your control (and subject to change in future updates, which needs to come with a change to your data processing policy with informed user consent).
tempfile
2 hours ago
It is certainly not processing under your control. You don't do anything with the data - none of your computers are involved, you never see or read or copy anyone's data whatsoever. The data subject is processing their own data, using a tool they perhaps don't understand (if the source code is unavailable, for example). The user is at liberty to start or stop the processing at any time.
I don't even think this would apply in the pathological case where a bug in the app causes the personal data to be leaked. You didn't leak it, the user did.
mordae
5 hours ago
Uh-huh. Are we getting privacy policy for sed and grep next?
EDIT: meant to reply lower.
refulgentis
5 hours ago
Correct. They are using my software to process their input.
htek
5 hours ago
You would think for a 30% cut of all your [insert eStore name]-related business, it would include at least basic developer support explaining their decisions.
kyleee
4 hours ago
Product opportunity: Apple Store platinum plan for just 60% of your revenue. State of the art AI account managers will be happy to answer all of your questions.
echelon
5 hours ago
Google and Apple should not control what happens on mobile. They're too big and they've monopolized computing as a platform.
Why do these companies get to say what you do with your camera, how you order food, or who you date? Their App Store dictatorship lets them control all of this.
The DOJ needs to mandate web installs for both platforms. Sandboxing, permissions dialogues, behavioural heuristics, and signature detection are all we need to keep us safe. The App Store concept is just a grift to earn Apple and Google margin on all transactions.
KeplerBoy
5 hours ago
You know that Google never had that dictatorship on Android?
Apple might lose its monopoly, at least if other legislations follow the EU.
echelon
5 hours ago
Google (knowingly?) benefits from the current posture of defaults.
You can't one click install a web app, nor is it the expected user behavior.
The "might be harmful" and buried system dialogues mean that 0.001% of users will ever do this. It's completely unviable.
In a sense this might be worse behavior. Google gets to skirt regulatory scrutiny, yet functionally enables zero companies and users to leverage this path.
KeplerBoy
5 hours ago
There are entire product lines of android devices out there which ship with different default stores.
Think of Amazon or chinese huawei devices, even samsung ships it's own app store. Google's App Store is not that dominant.
ewoodrich
4 hours ago
Amazon even lets you buy books on the Android Kindle app if installed via the Samsung/Galaxy Store vs the Play Store.
notavalleyman
5 hours ago
>Why do these companies get to say what you do with your camera, how you order food, or who you date? Their App Store dictatorship lets them control all of this.
Can you share some examples of when this happened to you?
pjc50
4 hours ago
The app store controls what food ordering and dating apps are allowed to exist. So it's not a "to this person specifically" situation, but certain things don't make it to the market.
(personally I'm in the middle on this: some quality control is valuable, and probably essential for anything with access to user data or payment services. But the store is also anti-competitive.)
echelon
4 hours ago
Moreover, what if I don't want Google or Apple to know about my {Islamic LGBT app, Chinese Democracy app, etc.} ?
Why do they have to know or control me or my audience?
KPGv2
4 hours ago
> Moreover, what if I don't want Google or Apple to know about my {Islamic LGBT app, Chinese Democracy app, etc.} ?
I admit that I don't know about Apple's ecosystem, but if you don't want Google to know about your Islamic LGBT app, you don't have to tell them. Android users can download your app off your personally-owned .com and install it to their phone no problem.
kyleee
2 hours ago
I am sure though Google gets metadata and usage data from Google play services and other system software on android that reveals app usage, though
resource_waste
5 hours ago
I have been using Fdroid on my devices and am quite happy.
All of my apps don't get 'upgraded' with new microtransactions, no SEO spam, and the apps do the job.