What does Apple’s latest security feature mean for devs, advertisers and consumers?

Another year has passed, and another Apple WWDC has flown by. Amid the unveiling of the new iOS 13, Apple Watch, iPad and Mac Pro, what stood out was Apple’s latest privacy innovation, Sign in with Apple.

Privacy has been at the forefront of Silicon Valley’s mind lately, with the high-profile Cambridge Analytica/Facebook data breach, the subsequent GDPR rollout last year, and, most recently, Nevada’s new privacy law, which comes into effect on 1st October and gives consumers the right to opt out of their personal information being sold. Since the development of the iPhone, Apple has been pretty on the ball when it comes to device privacy and security, but more recently the tech giant has been looking at web and app privacy.

Enter the Sign in with Apple feature. On the surface, you’ll be forgiven for thinking it doesn’t look any different to sign-in features which already exist, such as Facebook Connect or Google Sign In; but scratch below the surface and you’ll see that what has been announced is a very different animal. For consumers, the primary difference between Sign in with Apple and other providers is that they'll have the option of whether or not to share their email address with the publisher/developer, a huge step forward in consumer privacy.

If consumers opt not to share their email address, Apple will generate a unique, random ‘private relay’ address that forwards any emails sent to it on to the consumer’s real address. Consumers won’t notice any difference, as all of the communications they’d traditionally receive from said company will still come to their inbox.

Further to this, each app/site a consumer signs up to will have its own random email address for them, so if they ever decide to close their account they can disable any email comms, in turn closing off the association with their personal email address.

But the main factor, a bonus for consumers and a drawback for advertisers, is this: each developer will only be able to register ten domain names and email addresses that they’ll be able to send emails from. Therefore, if a private relay email address gets compromised/sold to other companies and they attempt to send the consumer an email, it won’t be received unless it comes from one of these pre-defined domains/addresses.

What does this mean for consumers?

For consumers, having a privacy-focused SSO can only be a positive; unless something happens at Apple’s end, their personal email address will never be in jeopardy, even in a data breach. Other companies also won’t be able to contact them on this ‘private relay’ address unless they have been registered as one of the ten domains, in which case it should be easy to trace the offending party if a consumer didn’t agree to their details being passed on in the first place. This should, in theory, mean a reduction in the number of spam emails everyone receives.

Sign in with Apple is also going to be mandatory within your product’s iOS app if you also offer Facebook or Google log-in SSO options. Plus, Apple’s Human Interface Guidelines state that the Sign in with Apple button should ideally exist above the other options. Overall, it’s a pretty great improvement in consumer experience and will likely drive consumers to sign in with Apple over other options.

And for publishers and developers?

For publishers/developers, it’s a bit of a mixed bag. The positives are that you can still communicate with your client base without issue, so no-one loses out there. As a company, you’ll become associated with offering your users a privacy-focused alternative to other SSO options, a huge bonus considering that in the near future individuals may decide not to sign up for an app/site unless they can sign in with Apple. It's certainly worth considering as part of your product road map.

The negative side is that additional work will need to be carried out (although it does seem like a fairly lightweight integration process); in addition to this, the marketing team and app developers will need to collaborate consistently in case the outbound address/domain changes but is not registered with Apple. Additionally, an extra link in the chain has been added that could be prone to failure.

What about advertisers?

From the advertiser’s side, it’s a struggle to see any positives. The main issue is the usage of a customer’s email address for the purposes of creating custom/lookalike audiences and remarketing. For example, if a user signs in with Apple and gets associated with a random email address, that address, as of time of writing, won’t be any use on platforms such as Facebook for advertising purposes.

Apple will likely have a hard time convincing both Facebook and Google to integrate this service within their apps, but as a product, it’s certainly something everyone should be keeping an eye on. For established advertisers, there shouldn’t be too many issues in the short term, but these will undoubtedly arise in the long term once users start signing up for new services, leading to a reduced overall reach.

We need to look at this as both the consumer and the developer. As a consumer, is Apple’s new sign-in something that you would use over the ones provided by Facebook and Google? And as an iOS developer, are you going to integrate the sign-in service within your app, or will you be looking at getting rid of SSOs altogether? It’s a complicated issue with a plethora of pros and cons, but ultimately, it’s Apple’s bid to prove they’re trustworthy with consumer data amid the current privacy crisis. And it’s a pretty successful one at that.