Let me explain why I think Apple’s decision to revoke Facebook’s developer certificate was a strategic err. Not just for Apple, but for tech in general.
First the background. For an app to run on an iPhone, it has to be signed by an Apple certificate. Apple provides app developers with both an enterprise certificate, with extra privileges for internal iOS app development, and a general certificate, for the app store. Facebook broke Apple’s rule in using the enterprise certificate to sign a Facebook VPN app (giving it more privileges) for an app going to the App Store for regular customers. This app could then collect information on which other apps were installed on user’s phones, and what data traffic was sent. This was a violation of the rules, a privacy breach, and was done knowingly. Make no mistake. Facebook was bad bad bad.
In response Apple revoked Facebook’s enterprise certificate, which in turn shut down all iOS development and testing inside Facebook. It’s the nuclear option. Then it turned out Google had done something not quite as bad but similar, so (to be fair), Apple shut down Google as well. And now it turns out there are other companies which violated the terms too. After a few days, Apple re-instated the certs for everyone, so now things are getting back to normal.
Here’s my point. As Ben Thompson noted: “I wouldn’t be surprised if, in the long run, the company comes to regret this move.” This is exactly correct. I believe Apple made a strategic err they will regret. Even though it’s popular right now. For example John Gruber “Give me a break. Everybody knows that Apple’s enterprise certificate program does not in any way permit distribution of this kind of software, which wouldn’t be allowed in the App Store. But that’s exactly how Facebook was using it. There are pros and cons to Apple’s iron-clad control over native apps on iOS. This incident with Facebook is one of the pros.”
Both can be true: 1) Facebook gets away with too much and absolutely deserves severe punishment, and 2) Apple going nuclear was a mistake. No matter how deliciously satisfying. No matter if the rules said they could revoke Facebook’s certificate. Rules should be enforced with an eye toward precedent, with an assumption bad actors will eventually latch on to those same precedents.
Here’s an analogy. Suppose back in the day when Netscape had just invented the web browser and was riding high, and Microsoft was the evil empire (think circa 1997), Microsoft shut down all Netscape windows development for a rules violation. It’s similar to what Apple (good company) did to punish Facebook (bad company). But in this hypothetical the villains are swapped. It’s Microsoft (bad company) punishing Netscape (good company). While this couldn’t happen back then, with cloud centralization it can now. As Apple just demonstrated.
The cold war between the Soviet Union and the US was very fraught, but the one thing both sides got right was showing restraint with nuclear weapons, either directly or in proxy wars. The cold war bomb threat was invoked all the time. Fine. But leaders showed restraint. Knowing if one side (the good side) used them, even if justified, then the other side (the bad side) would run with that precedent and also use them. Apple could have played the brinkmanship game, publicly threatening to revoke the cert in a Bay of Pigs style confrontation with Facebook, and gotten much the same result, but without actually firing nukes.
It’s unclear exactly how and when this may come back to bite. But as a hypothetical imagine a startup using modern centralized platforms such as Amazon AWS, Microsoft github, Google maps, etc etc. And Amazon, Microsoft, Google put in place complex developer rules on what’s not allowed. So it’s hard to comply. Then if that startup later competes against one of those companies, the platform owner has the temptation to stop that company dead by disallowing development on their platform on the pretext of a rules violation. Threatening may be enough. And I’m not saying Amazon, Microsoft or Google in particular will do this. Rather that in the cloud era all centralized cloud platforms face this temptation.
Apple set a precedent. Nukes are now allowed. Even if the letter of the law says you can do it, restraint is often a wiser choice. There will be increased temptation to create platform rules which are easy to violate. Laying a trap. Just in case. Then, if the mood strikes, bombs away.