1. 14
  1. 16

    “If we try to contact a customer using their iCloud email address, they may never see our message”

    Then give them an option to provide an email address that you may contact them at, should they wish to be contacted by email.

    Sign In with Apple is there so that services can maintain a link to a person over multiple sessions. This doesn’t have to have anything to do with email, and the assumption that an email address will be available for contact is one that should be broken - and thankfully is.

    I have ‘accounts’ for countless services, websites, etc. all over the web, but really do not trust any of them to keep my personal information secure, including my password. When Google claimed to do no evil, I would sign in using Google, to avoid this problem, but more recently I’ve been handing over passwords again, like it’s the early 2000s, and at least resting a bit easier due to them being per-service, generated by my password manager.

    Yes, customers not knowing what they signed in with can be a support headache. But this is about better security and privacy for those signing up to such services (and possibly also an overreach by Apple, depending how you view it).

    As a potential user/member/customer of whatever this service is, do I trust you or Apple with the security of my credentials and privacy of my personal information?

    1. 7

      Actually, Sign in with Apple asks the user which email to use. They can choose between their iCloud and an anonymised address. There is (or will be in iOS14 - I can’t remember) also a flow to change the address from an anonymous to a real one.

      1. 3

        True, but just the option of using a relay address means

        the assumption that an email address will be available for contact

        is no longer something an app developer can take for granted under third party auth.

      2. 3

        Then give them an option to provide an email address that you may contact them at, should they wish to be contacted by email.

        I think that doesn’t work. They will not use this extra step, even if they would benefit from it later. I would argue if you do not want to share your email address with AnyList, you probably should not use it.

        I already see with smart, non-IT friends that they do not really think about the implications of their sign in method. I think what matters most is what the default is. People will use that.

      3. 11

        That’s why we’re also announcing that we’ll be removing Facebook Login from AnyList.

        The “support no third party login” option is attractive! We have made similar moves on products my company builds for clients, removing Facebook and Google login. Honestly it’s all thanks to Apple making it too expensive for our clients to want to support all these extra login methods. Sign In with Apple is the most complex of them to implement on your backend, is required on iOS when any others are offered, and if you think it through, must be implemented on all your supported platforms if it’s implemented on iOS (how else would you keep a user who switches phone platforms?).

        If Apple is going to strongarm developers (a matter of opinion, it’s all good y’all), I’m glad they at least do so in ways that have positive consequences for user privacy.

        1. 4

          It’s a shame that the big companies are usually ruining their “sign in with our auth/id” after some time, either by stopping to provide it (Persona) or by doing this thing Apple does or Facebook’s APIs which have been a major pain all the time when I used them like 9 years ago.

          Too bad this is such a hard problem to solve, and maybe using a simple email address is actually the best we can do. At least until all the other “federated” things work as seamlessly.

          1. 3

            I couldn’t find their privacy policy linked on their site so I had to google it: https://www.anylist.com/privacy

            1. 3

              This page was auto-generated by a privacy generator service. It seems they deeply care about the users’ privacy! 😅

              1. 6

                Hmm… then I think their issue with Sign In with Apple is more that they can’t get a real email address to sell than customer service issues.

            2. 3

              “Apple reserves the right to disable Sign in with Apple on a website or app for any reason at any time.”

              That’s just bad and exploitation of their monopoly over their ecosystem. Who else could get away with this stuff except other huge corps like Google or Facebook?

              1. 1

                Sign In with Apple doesn’t use their iCloud email, it uses their account email - which is where all receipts and Apple communication go. That might be an iCloud address, but it’s much more likely that it will be whatever address the user actually uses for normal email.

                There’s a clear and obvious problem for Sign In with Apple vs non-Apple platforms, but I would assume a person using Sign In with Apple isn’t using those other platforms with your app.

                Most other complaints they have are kind of meh because you can’t reasonably say “we value privacy” and then turn around and only support google and Facebook single sign on. You’re basically saying “either give us your information and hope we’re capable of securing it properly” or “make it even easier for notorious anti-privacy companies to track you”.

                So no, I don’t think they’ve got reasonable excuses here. I feel these are closer to the excuses used to hide a desire to harvest user data.