I can see why Apple might want to request an 18 month exemption, there's clearly extra work required to comply with EU regulations. But on the other hand it also feels like a straightforward play for consumer sympathy: let them get used to using it every day for 18 months, then pressure the EU to let it continue or you rip the feature away and anger users (who you then point to the EU as the problem)
It's not as if Apple doesn't have the money to dedicate a team to matching the EU's requirements on a deadline. They just choose not to.
Exactly, that's actually why I LIKE this decision so much. I'm not on Apple's side, but I REALLY like the idea that a company just says, "Fine, we'll comply by not even offering this product." It's a perfectly legitimate choice, and it FORCED Apple to evaluate the pros and cons.
I want more companies to not get exemptions and thus not offer law-breaking products. I LIKE that the government is saying, "fix it or don't bring it here" and Apple just has to live with it. I like that Apple also is refusing to just bend over to the EU. We need more of these types of conflicts so we can work out good regulations, and not just always bend over and take it from whatever party won.
While I like a lot of Euro regulations, some of the privacy ones go too far with the whole "we're going to enforce this on the whole world" crap. I like California's method of "to sell it here you have to have this but we're not going to sue you for selling a noncompliant product elsewhere."
I think the worst is hugely impactful laws for which exceptions are constantly carved out so nobody can truly evaluate whether the law/reg is a good one or not.
It's been a while since I left Europe, and I'm rusty on that particular layer of civics. Do EU voters actually have a say in this kind of regulation? Or is it all decided on the executive side which is only accountable to member states and not to individual citizens?
Instead of banning plastic bottles or unrecyclable plastic-lined paper cups (or, as you mention, apple blister packs...what?) where the vast majority of plastic resides, we now have paper straws to deride. Each time you peel your lips off a dry paper tube, you're reminded of your personal culpability in the global waste shell game.
The only viable solution seems to be to stop consuming (see 'fantasy' in the opening line). I'm guilty as charged, BTW, but will politely decline paper straws (I have my own stash of plastic straw contraband).
To make matters worse the expected environmental impact is miniscule and the entire thing is predicated on a popular misconception that gained virality. It's a perfect example of the government failing to function well.
Bet you can think of a better “perfect” example of a government failing to function well. It all depends on which government you are referring to but the best example to me would probably be a government needlessly bombing another country. Not a ban on plastic straws.
Yes, I think it's a particularly good example of government dysfunction. The issue itself is simple enough to easily make sense of and it's clear that it's a suboptimal outcome. The regulator should obviously not be getting caught up in nonsensical hype.
Don't confuse impact of the described action with quality as an example. The best examples of mathematical concepts are usually not particularly useful for anything in the real world.
That is clearly advocating for something as small as straws being worthy of a direct vote.
Is there a reasonable expectation for government to be mathematically optimal in any possible way? Why should I not confuse your example as an example?
Not the user you were replying to, but they clearly asked why it was done at high-level, and without a vote; you are completely focusing on the latter, and ignoring the former.
I am not sure I agree with that comment, but you shouldn't straw-man it.
Well... your government certainly has a say in Brussels. Often enough, national politicians use "Brussels" as a scapegoat... nothing can happen in Brussels if national governments (or the Commission) don't propose it first, the Parliament has no right to initiative.
If people would stop electing dumb fucks to national governments or to at least hold their dumb fucks in national governments accountable (yes, it is possible, even Hungary managed to do so), you'd get a lot less "Brussels" bullshit.
(And yes, I am aware, this statement is particularly ironic given I'm German and we were utterly infamous for shipping off utter wastes of space to Brussels)
> and in countries with a "green" profile, such as the Netherlands, it seems impossible to just buy one or two apples - you have to buy an emplastered six-pack of apples (lots of waste if I just wanted one apple).
That's a Dutch specialty. Here in Germany, I can buy single apples, pears, bananas or whatever just fine if I want - although I don't because apples suck.
If I were to guess, it's a logistics thing. Sixpacks of apples are easier to handle and transport than a bunch of loose apples.
Barely.
>Or is it all decided on the executive side which is only accountable to member states and not to individual citizens?
It's decided by a mix of unelected bureaucrats and opaque procedures people track even less than their national politics.
= We don’t have a say. We voted NO to the new EU treaties in 2008 and the new president decided that electing him meant that we approved the same treaties.
They only let us vote when we agree, anyway.
Where do you get the 4th level of derivation exactly?
And the unelected bureaucracy, careerists, and 2-3 big-country interests pressuring others under the table, are driving the show...
One comedian: LOL they only killed them to make you think it was valuable.
The Internet: (sagely) What a wise assessment by a wise man of wisdom.
EU voters don't have any say in any EU-level regulation. The EU regime does basically what it wants.
Besides given the amount of lobbying in the EU institutions, it's obvious that citizens don't have a chance against corpos with infinite money.
MPs can't therefore repeal laws; they can at most ask the Commission to set themes on the program. The Commission is therefore strongly dominant, as it is composed of career unelected officials who can wait for a compliant Parliament to pass the laws they want and target MPs in negotiations. This is what they do with ChatControl.
Of course there are no checks and balances for the Commission officials, who are bureaucrats with an opaque agenda. The EU is a weak form of democracy, which is geared toward bureaucratic capture and legal inflation.
If it weren't for the EU, the companies would get away with all sorts of shit.
It's as if people forget companies are evil by nature and will fuck you any chance they get.
Yeah, like those blasted cookies!!! Thankfully, now we have banners on every website, I have never felt more protected!
That's been true from day one. So the question is, did you come up with the FUD yourself, or did you believe someone else?
But I agree, that's probably not what OP meant.
This OP article doesn't really go into it, but they did actually propose a solution to the divide, they just needed more time to develop it. The Reuters article is reporting on one person's response to the proceedings, which involve more details than this particular article covers.
For instance:
> To address those concerns, Apple designed a system called Trusted System Agent, an intermediary that would let competing virtual assistants safely access the same features and capabilities as Siri AI on EU devices. Apple also proposed launching Siri AI in Europe while rolling out the Trusted System Agent gradually over 18 months. The European Commission rejected both proposals, and according to Apple, did not agree to any alternative.
https://thenextweb.com/news/apple-siri-ai-eu-dma-delay-ios-2...
Care to explain? EU is also a jurisdiction, so why would EU law be legal in other areas than EU?
Imagine there is a law in your jurisdiction saying that if you hire a person there are rules A, B, C, which are a bit inconvenient to you, the employer. What if you incorporate in a different jurisdiction where the salaries are higher but there are no rules B and C, but there are rules B and D. Then this incorporated entity offers to hire people in your jurisdiction, but does not offer the higher salaries of the other one.
Which rules should apply? The answer, as usual, is -- "it depends".
If the law makes sense, that I cannot judge in this case.
As a citizen, I find it both fascinating and disturbing that this is even a thing. Of course companies have to follow the law. Why is this even a thing? If the product fills a real need and the externalities are acceptable, that will be a demonstration that the law needs an update.
The idea that there is such a thing as "law-breaking products" when consumers ACTIVELY CHOOSE TO SPEND THEIR MONEY ON THEM is insane to me. This is authoritarian nonsense.
It is not the state's place to tell people what they should or should not be allowed to buy.
You will always find people willing to spend money on anything. The whole point of politics is that we have to draw a line between what people want to do and the effect that it can have on other people. To put it simply, if your freedom affects mine, then someone needs to decide how far you can go and how much I have to accept.
We commonly accept that scams are bad, even though someone might participate willingly, just because it is much more likely that someone is taken advantage of in a way that most people find immoral, for example. Even in bastions of free speech such as the US. That someone somewhere knowingly gave money to someone else is neither here nor there.
The most extreme example could be the legislation on weapons. A less extreme example could be legislation on food additives or PFAS.
Those numbers make withholding "risky" products a no-brainer strategy. Also, those numbers put a hard limit on how much Apple will want to reevaluate their general strategy of tightly integrated first-party software.
> The Digital Millennium Copyright Act is a 1998 United States copyright law
The DMCA is a law in the United States, it's not related in any way to Apple's decision to not roll out Siri in the EU.
Edit: 26% of their net sales comes from Europe for Q1: https://www.apple.com/newsroom/pdfs/fy2026-q1/FY26_Q1_Consol...
The 7% probably comes from a Daring Fireball article, based on misunderstanding some Apple communications, and which Gruber later had to backtrack
https://medium.com/luminasticity/when-smart-people-cant-reas...
Sure, there's a messaging component to this. However, any company that isn't trying to just skirt the law will aim to do this sort of thing correctly, and it's an enormous effort.
I know it’s not quite as simple as that but I do think it shows Apple are more interested in blaming the EU than reducing the potential issues ahead of time.
This slows down deploying the system globally. Particularly if the target is moving, it may make sense to build lightly so one can pivot, and then build in the compliance stuff after you know you have a winning configuration.
The EU has its laws. Apple has its strategy. The only thing I fault anyone on is the public bickering.
The EU has rules that are expensive to implement correctly, so if you want early feedback from users, you release elsewhere first. It's a very rational way to approach it.
Those are not equivalent statements. You're assuming that privacy is a one-dimensional quantity, so that anything that complies with "the strictest international privacy laws" automatically also complies with any other privacy laws. But this is not actually true. It can easily be the case that every national law allows some set of behavior (different sets for different legal systems), at the same time that the intersection of all those sets is empty.
But this is solvable. The problem is the work it takes to solve it isn’t worth the hit to time to market. (And possibly even the cost.)
That's the crux of my point; Apple could have solved this on day zero if they had a consumer-centered threat-model and/or considered user data to be a liability rather than a hook for service subscriptions.
> The problem is the work it takes to solve it isn’t worth the hit to time to market. (And possibly even the cost.)
I don't consider this to be a problem, but the DMA working as intended and preventing gatekeepers from competing unfairly.
Consumer-centered threat model is perfectly well served with on-device models and Private Cloud. What isn’t is interoperability.
> the DMA working as intended and preventing gatekeepers from competing unfairly
I agree. And at the end of the day, Apple is following the law. I am sympathetic to their position, however, that this isn’t something worth building and optimizing for at launch. If we wanted to be rose tinted, EU consumers will get a fully-baked product. (EU developers get somewhat screwed, but I suppose their offshore offices could start.)
I think that's uncharitable. Apple prefers not to have the data either, hence the preference for on-device processing.
I could almost feel sympathy if it were something to do with some contract that Apple signed with their AI provider. Who's that, Google?
Ahh, a "competitor"? Yeah... cry me a river.
This kind of approach is how startups justify everything, however for established companies this would be backward.
I get a feeling that Apple never wanted to do it. They already knew the compliance requirements existed, and if they had wanted to test things then the narrative could have been that they are rolling out in other markets first and would roll out with compliance in the EU later. Asking for an exemption was a bet they tried to play here; they lost and are now spinning the narrative.
Just imagine a European bank publishing a press release about how onerous the US credit card consumer protection laws are, or a Japanese car maker publicly whining about European car safety testing protocols delaying the market release of some of their models. Apple really is behaving in a very unusual way here.
And even though I don't like the implication of this (the law should not disadvantage anyone purely for being critical of it), I can't help but wonder how many fewer pages the DMA would be if Apple had engaged with its predecessors in good faith instead.
Both of these happen. European banks complain about American securities law. And all manner of car makers delay releasing vehicles in America and the EU.
Maybe China is easier to work with - perhaps their rules are made clearer?
DMA was designed to be a comprehensive regulatory suite. Lawmakers knew it would be onerous; that’s why it only applies to large companies.
Also, the DMA’s interoperability requirement creates external partners. Let’s face it, Apple’s track record with Siri sucks. If they launch a system and it is crap again, they may not now want an entire ecosystem of folks who will cry foul if they dump the API and start over.
> Do what you have to do to comply with the law and release, as always
Just follow the law. If that means not releasing in a jurisdiction, do that and then don’t tweet snotty things about it. (Siri AI isn’t launching in China, either. I don’t see PMs complaining about that in public.)
Skipping the EU makes sense if the company doesn't want to comply with regulations aimed directly at it.
> complying with the DMA from the outset could mean having to launch a year later everywhere.
Oh no! Anyway...
Once upon a time, companies delayed launches specifically so they'd launch a better product. That seems to be gone these days and end-users have garbage products as a result.
It makes sense if you’re prioritizing time to market and agility. Once you’ve nailed down your product, you can make it compliant for more-onerous jurisdictions. You see this in finance all the time, where the U.S. tends to have the tightest rules around e.g. betting and crypto.
> Once upon a time, companies delayed launches specifically so they'd launch a better product
Because software shipped in a box. Also, compliance is orthogonal to how good a product is. Siri AI might be crap. It might be great. It might be almost perfect and then made great on second release. Everything slows down if the entire development process has to deal with open APIs and lawyers at every turn.
It’s perfectly legitimate to say we’ll develop this in other markets and ship it to the EU when it’s fully baked.
It's also perfectly legitimate to legally require business to slow the fuck down and consider how the thing will be used or abused, to make the product not crash for even just basic usages, and to put real safeguards in place against problematic scenarios.
But no, move fast and break things wins the day every day in the US.
Besides that, Google has shipped many (not all) similar features to Pixels in the EU and has been doing so for years.
Whatever Apple is cooking and however long it's taken them, the DMA is not a surprise and they could well have been taking it into account from the very beginning.
I suppose if you think these rules are reasonable, you’d be happy to not have this functionality. The rest of the world will be happy to not allow third parties access to our data.
As a small developer, the cost to support something like this would be so overwhelming I wouldn’t consider supporting the EU officially.
As a small developer, you wouldn't fall under the DMA.
If it were the case, Apple would just say it (with receipts).
> I suppose if you think these rules are reasonable, you’d be happy to not have this functionality.
As a European Apple user I am absolutely OK with not having these functionalities, which I am 100% sure would not even work as advertised given the company track record.
The DMA was substantially finalised by 2020, and came into force in 2023. Apple's AI thing was developed with the full knowledge that it existed. The issue isn't personal data here (that'd be the GDPR, and maybe to some extent the AI Act). The DMA is about _competition_. The EU's issue here is that Apple is giving its own AI thing a level of access unavailable to other vendors' AI things, I'd assume.
> As a small developer
You are not covered by the DMA. You'd need an EEA turnover of 7.5bn and/or a market cap of 75bn, for a start. And you'd also need to be a _platform_. The DMA only really applies to a few companies.
Would you consider supporting US laws?
At what cost? This is Apple’s second bite at AI. Giannandrea fucked up the first time. I’m honestly with Cupertino on not over complicating it the second time around. If they found the right mix of features and architecture, great, then work to port it to high-bar jurisdictions.
I totally agree with you in principle here, but Apple have a pretty large vested interest in not supporting interoperability here (and in the other cases, like Mac mirroring) so I honestly don't see that happening at all.
This is purely a lobbying move against the EU to get EU citizens/politicians to complain about the laws and get an exemption.
And to be fair, Apple's business model is currently structurally incompatible with a lot of the DMA (which I personally think is a good thing), so they kinda have to fight it for a while.
Yeah that needs to stop. This is kinda why the DMA was created in the first place...
It can be more than one thing. It’s a lobbying move, to be sure. But it’s also almost certainly a time-to-market and potentially cost-mitigation play, too.
So it becomes a purely business decision: Do we risk a 10% global revenue penalty to release this globally, do we release this everywhere the DMA does not apply, or do we simply not build it? And make no mistake, even if Apple moved heaven and earth to try to comply with DMA they are STILL RISKING the full 10% penalty if the EU decides against them.
Yes, there’s a risk to releasing a product whenever you can be held accountable for that product. I understand that Apple seeks to be as unaccountable as possible.
So we ultimately agree with one another: Apple can do it, but doesn’t want to, for various reasons.
Maybe the phrasing is unfortunate, but if compliance to the law requires a “redoing”, launching in that market was never a priority in the first place. That’s a completely legitimate choice, but usually companies whining about regulations are making a financial decision rather than an ethical one.
Does this put them stupidly behind schedule? Yes, and bummer for them, but I highly doubt that a company as politically savvy, legally savvy, and wealthy as Apple would do this "by mistake".
So Google chose to be evil, now they have to rip all the evil out and redo it from scratch. Can't say I have any sympathy. Should have done the right thing from the start.
Laws vary from country to country, state to state, and they vary tremendously. Laws are also changing all the time. There's literally no way to predict what rules will be in place at any given time.
Also, adding code to meet some government regulation takes time and effort that (from the company's perspective) could be better spent building a product and making money. No one would "choose" to implement some random compliance rule unless they're forced to.
It would be good for US companies to know that EU laws are not "guidelines", just as US enforces their laws on companies from outside.
This looks to me like yet another bet from Apple: "they'll buy iPhones anyway, let them wait".
Bad comparison. Launching with GDPR compliance isn’t particularly taxing if you’re already complying with California’s CCPA. (You need your twenty-eight EU law firms on retainer, but the big firms package that conveniently.)
Copyright theft in AI, on the other hand, is a global phenomenon.
DMA is most akin to the U.S. system of designating financial institutions SIFIs and then putting a bunch of extra requirements on them. Almost intentionally onerous. Hence ringfenced to select large companies.
What if I tell you that there's a surprisingly simple, straightforward and above all very cheap solution: don't implement privacy-invading or anti-competitive features in the first place ;)
Yes, but also its much cheaper to build it in at the very start.
When we built the pervert glasses research platform, if we'd just ignored the data privacy laws we could have built it much quicker. But the only reason it took extra time is because
1) we had no idea what we were doing and
2) the lawyers had even less idea, so we had to do a bunch of reading and make a best guess.
Turns out the guesses were right, but it was painful getting the lawyers to understand.
As a European I'm conflicted, because I think this particular set of privacy laws is overreaching, bordering on stupid; but "exemptions" for one of the richest corporations on earth would be beyond absurd and infinitely worse.
Let's call it how it is: Android phones allow every competitor to run their chatbot in place of Gemini. Want Perplexity instead of Gemini? You can have it. Samsung launches with Perplexity as of late.
Apple? As always, went into "ay mate, too integrated, can't give the same APIs to competitors" lame excuse.
Weird to say it but the only assistant with any guarantee for privacy by design is Siri at the moment.
The code is open source: https://github.com/apple/security-pcc
That's not how the deal was announced. You don't pay Bs / year for a licence to gemini to send them your data. You pay that to run it on your own hardware, in your own garden, so the data stays put.
I know the internet is always anti big companies, but this is likely a "not worth it for now, we'll eventually do it" effort from Apple. The EU AI act is a mess, and the effort to simply know what they have to do to comply with it is likely going to take armies of people (not devs) and a lot of time, as the OOP said.
And the saddest part about it, is that Apple has the money and resources to sink into this. Think about all the small players that don't. This is yet again a miss for the commission, with the end result being an insidious form of regulatory capture. It sucks for those of us running small companies. Oh well.
https://www.business-standard.com/technology/tech-news/googl...
I run Perplexity in place of Gemini, but I can also run Claude and others.
[1] https://i.imgur.com/BgvxqQQ.png
Apple is just being the usual Apple: being both a hardware vendor and giving its own software advantages that competitors don't have, and using the bogus security argument as always.
And yet, people believe that crap and jump into defending Apple as if being an Apple user is their identity, sad.
Or never. Like the majority of Pixel 10 on device AI features (image editing, magic cue).
I have not been able to switch language in Sheets since 2018, and I've changed any possible setting (even account language).
All guides are in English and I'm stuck with Sheets in Italian.
Then you should have done it right the first time.
Especially in the case of Apple or Google. Look at the App Store situation. It is very straightforward to do the work for the whole thing to be open to any competitor. But it is hard to try to design and implement a solution that tries not to break any regulations but still manages to keep users captive as much as possible without having competitors entering your walled garden.
And yet Apple had no major issues complying with the draconian demands of the CCP to sell and operate there. Weird.
Also, it's not like Apple can't afford the manpower for this. They're not a hole-in-the-wall mom & pop shop.
They can only do so much at once. And Apple is not a “hire an extra 30,000 people“ kind of company.
Apple usually rolls stuff out in stages. This is just an extremely high profile example.
I’m sure Apple doesn’t want to cave and give OpenAI free access to the Spotlight semantic DB, the ability to see what’s on your screen at all times, etc.
No. Interoperability doesn't require that Apple relax their privacy and security postures. It could instead require third parties to improve theirs.
Apple made it sound like their proposal for that was rejected by the EU. And it would be consistent with previous regulatory decisions by the EU for them to not want Apple to be setting the rules for how third-party interoperability partners/competitors ensure privacy.
It seems to me that the EU has a preference for protecting privacy with legal mechanisms, and generally doesn't approve of Apple's attempts to protect privacy with technical mechanisms because that inevitably limits interoperability with systems that aren't designed around the same restrictions and assumptions.
For example, with Copilot, you get a contractual pinky promise that they cannot access your data.
Can engineers really not access it? Can the police really not access it?
It's like AirTag, for example. Apple cannot access it because it's scientifically "impossible" by design, but if they sign in to your account, well, it's over.
Once Apple files the right audit / certification / paperwork they will be able to enable that feature. It could also be a negotiation lever.
Isn’t this less about privacy than competition?
Which should IMO be the basic principle worldwide. But unfortunately in many countries, companies are more powerful than governments/regulators, so they get to grab everything they can get their hands on.
At the same time, this potentially opens up the entire worldwide market (imagine EU iPhones being imported into US to use with OpenAI or Claude Cowork), and they probably made the estimation that keeping EU out is still better value (70% of the market all to themselves) than fair competition in the 100% of the market (I guess they estimate they might get less than 70% in that case).
Or they are hoping that EU customers will want Siri AI enough to campaign for a change, but I'd find that highly unlikely.
That's not the case. It's merely software (exactly like my iPhone 16 lacking the promised AI features claimed at WWDC24).
Anyway, as I'm now within the EU with a phone I bought before moving to the EU, regional features (or restrictions) depend on the logged-in account and device regional settings, except for physical considerations (eSIM design, actual radio transceivers). The hardware is the same, thank god.
If Siri wants to be seen as anything it should first support every EU language and they can work from there.
The issue I have with that approach is that I don’t agree with that approach to governance. I believe it’s incumbent on the regulator to define what is acceptable vs. disallowed in unambiguous terms.
The only difference that I can see here is that the standards layer hasn't solidified yet.
I don’t think it makes sense to create an accountability framework for a company that requires the cooperation of the market, because I think companies should be in a position to either comply or be held accountable on their own merits.
This is true of most things that involve legal. Laws are not code; in basically any jurisdiction they are subject to interpretation, and just because you've dotted your i's and crossed your t's doesn't mean an enterprising enforcement agency won't still come after you.
"They really don't try to fuck you over if you engage with them in good faith?"
"Yes, really."
The intent matters, not the letter of the law. No loopholes, no bad faith interpretation. Just do what the law wants from you, if you make a mistake in good faith, you'll be given leeway to fix it.
> When interpreting EU law, the CJEU pays particular attention to the aim and purpose of EU law (teleological interpretation), rather than focusing exclusively on the wording of the provisions (linguistic interpretation). This is explained by numerous factors, in particular the open-ended and policy-oriented rules of the EU Treaties, as well as by EU legal multilingualism. Under the latter principle, all EU law is equally authentic in all language versions. Hence, the Court cannot rely on the wording of a single version, as a national court can, in order to give an interpretation of the legal provision under consideration. Therefore, in order to decode the meaning of a legal rule, the Court analyses it especially in the light of its purpose (teleological interpretation) as well as its context (systemic interpretation).
https://www.europarl.europa.eu/RegData/etudes/BRIE/2017/5993...
The endless cookie banners would beg to differ.
But Apple's position here is actually really wild: Apple claims to protect user privacy all the time. But they can't offer a product in a major jurisdiction that has actually meaningful privacy laws? Didn't they consider that while designing the product?
This is quite the contradiction.
Complying with complex privacy laws is surprisingly orthogonal to making a product with good privacy.
In another regulatory area (not privacy, but something more historically regulated) we ran into strange situations where complying with the letter of the law would require us to walk back things that we had done in a better way. The laws are not simple and they're not written by engineers or even people who understand what future product needs look like.
Maybe it's more because the privacy is largely marketing and helps with continuously shutting out competitors under the guise of privacy?
If they really cared about privacy, they would end-to-end encrypt iCloud backups [1] by default and not just when ADP is enabled, which only a small subset of users do. In fact, many technical people I know don't even realize that iCloud backups are not end-to-end encrypted. At any rate, this large hole leaves a lot of data (including iMessage) open to Apple, law enforcement, etc.
https://support.apple.com/en-us/102651
[1] And iCloud Drive, and photos, and notes, and voice memos, and wallet passes, and contacts, and reminders, and...
Ironically the gaps you point to are things they have had to do to appease the European Union.
If regulators suck at understanding tech, they are making poorly thought out laws for corporations just as much as they are for you.
Tax laws are also quite easy; tax lawyers are only needed if you want to NOT pay what the country you're operating in is owed.
There's entire industries of experts who work on these tasks, and they don't just work for people trying to skirt the rules. I've hired people for both tasks and the reason was specifically to comply.
NIST, MS, and the security community all recommend against forcing people to change their passwords on fixed intervals. They should only be changed when there is an indication they have been compromised.
PCI requirements demand mandatory 30 day rotation intervals on user passwords for users with administrative privileges, IIRC. Something like that.
They haven’t kept up. So until they change the rules you can either be PCI compliant or implement the current best practice. Not both.
The best practice was to rotate your passwords, but we discovered that this led users to picking less secure and easier to remember passwords and patterns.
Once technology offered up solutions to problems like password managers and breach notifications, that recommendation changed.
PCI used to mandate password changes for in-scope accounts (meaning they have access to credit card flows). Now that MFA is widely deployed that requirement only remains for accounts that do not have a second factor for authentication.
If you were ahead of the curve and implemented strong password policies that did not conform to the PCI baseline, all you had to do was explain to the auditor why. Assuming what you were doing genuinely increased your security posture it would be approved.
> They haven’t kept up.
Other standards all used to recommend password rotation. Most have amended it to deprecate or even prohibit password rotation.
> Once technology offered up solutions to problems like password managers and breach notifications, that recommendation changed
It wasn’t just that.
The original recommendation for password expiration failed to take into account the human practices that resulted.
Everyone has worked in an office with passwords on post-it notes, or seen passwords numbered with sequentially incremented integers at the end. Password rotation isn’t merely a baseline level of assurance, it has a negative impact on security because of the effect it has on password hygiene. In practice, passwords that expire can be easily guessed by appending something to the end of the prior password. And they are more likely to be written down in plaintext.
Permanent, non-expiring passwords without MFA are stronger in practice than expiring passwords.
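An added example (not written by any commenter in this thread) of the kind of change-time check a defender can use against the rotation pattern described above: it rejects a proposed password that is just the previous one with a bumped or appended suffix or a case change. The function names and the sample password pairs are constructed for illustration.

```python
import re

# Constructed sample change attempts (not real credentials):
# each entry is (previous password, proposed new password).
SAMPLE_CHANGES = [
    ("Summer2023!", "Summer2024!"),             # bumped year
    ("Hunter2", "Hunter3"),                     # incremented trailing integer
    ("Welcome1", "Welcome1!"),                  # appended symbol
    ("Welcome1", "welcome1"),                   # case change only
    ("Tr0ub4dor&3", "correct-horse-battery"),   # genuine change
]


def stem(password: str) -> str:
    """Drop the trailing digits/symbols that rotation policies tend to produce."""
    return re.sub(r"[\W\d_]+$", "", password).lower()


def is_predictable_rotation(old: str, new: str) -> bool:
    """True when `new` is derivable from `old` by the usual rotation tricks."""
    if old.lower() == new.lower():          # identical or case-only change
        return True
    old_stem, new_stem = stem(old), stem(new)
    if old_stem and old_stem == new_stem:   # same word, different suffix
        return True
    # one is a prefix of the other: something was appended or removed
    if old.startswith(new) or new.startswith(old):
        return True
    return False


def check_password_change(old: str, new: str) -> str:
    """Policy decision for a single change request."""
    return "reject" if is_predictable_rotation(old, new) else "accept"


def audit_samples() -> list:
    """Run the policy over the constructed sample pairs."""
    return [check_password_change(old, new) for old, new in SAMPLE_CHANGES]


if __name__ == "__main__":
    for (old, new), verdict in zip(SAMPLE_CHANGES, audit_samples()):
        print(f"{old!r} -> {new!r}: {verdict}")
```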
Someone has to understand the codes and how they might be applied to a specific project, and direct a project such that the outcome will comply.
Codes don't provide a blueprint for a house or a bridge. They stipulate features and properties that it must have. Design resides with the firm.
Privacy isn’t complex, compliance is.
> Tax laws are also quite easy
Yet audits are still a pain.
> tax lawyers are only needed if you want to NOT pay
This is nonsense. Tax lawyers are sometimes used to skirt the law. They’re much more often there to help prove you followed it.
Here's their argument in their own words: https://www.apple.com/newsroom/2026/06/due-to-dma-siri-ai-de...
The smartphone is probably the most sensitive device most people own. It knows your location always. It has your banking apps. Your password manager. Your instant messages, and social media chats, it knows whether you’re walking, or driving, or talking on the phone, and to whom.
Once Apple allows any other vendor to vacuum all of that intensively private information out of an iPhone, Apple becomes indirectly responsible for potentially massive privacy breaches.
That doesn't necessarily mean it's a bad idea from a competition point of view, but good ideas can be discussed w/ an honest view of the quite real downsides.
Legally, maybe not, practically it becomes their problem.
Besides that, the law is the law and the DMA/DSA has been around for years. Why should they get an exception as one part of a duopoly?
The DMA isn't a privacy law. In this case, the DMA would appear to require Apple to open up all user data to any AI agent. That removes the ability to provide privacy protections.
You can argue Apple should do that, but you can't in the same breath argue for privacy.
EU wants Apple to open 'Siri AI', with access to a personal context, open to other model/AI providers.
Apple says "We can't do this in a privacy preserving way".
You can definitely question what their true motivations are, but it seems pretty plausible that there is a moral case for this system to not be opened up to other providers who may do a worse job at privacy than Apple (especially when you are Apple and you trust yourself).
I think there is a place in these sorts of ecosystems for privileged players. If you buy an iPhone you implicitly must trust Apple to some degree.
Not sure this is the case. My understanding is what the EU wants is that users can use Siri AI or a third party AI service from, say, Anthropic or OpenAI, at the same level of capabilities, just as you can switch default browsers. It's not about the underlying LLM (that would be the huge privacy concern), it's about the product built on top. Of course how a third party AI gets its data from the device would need to be approved by the user and that third party AI provider would have to justify what it's doing with that personal data to the EU watchdogs, just as Apple would need to do.
Lemma 2: you are obliged by other regulation to offer equal access to user data to third parties, so others can build equivalent functionality (DMA).
Lemma 3: malicious third parties will absolutely try to abuse the access and trick the user into sharing their data by all means possible. You will be held responsible in court of public opinion at minimum and legally at maximum if/when a malicious third party abuses said access.
This is a hard, possibly technically unsolvable problem no matter how much money you might have, because the root issue is not technical, it's the fact that you legally have to give third parties access and no way to control what they do with it - and as others have mentioned in the threads, it's exacerbated by the fact that the regulation doesn't say "this is okay and this is not", it is vague and judges things "by outcome", so you may spend all the time in the world implementing a solution you think will work, and then get hit by fines/lawsuits because the implementation is judged as not sufficient after the fact.
According to GDPR, the app developer is the "data controller" and thus ultimately responsible. Only in the case where Apple knowingly participated in unlawful behavior is it likely to be held accountable, and even then, in addition to the app developer. Obviously, if we are not talking about leaks from the actual App Store system (e.g. Apple account logins and user data).
So while it sounds plausible, the legal framework is exactly not what you describe here — Apple can claim to want better protection for customers by not allowing third party apps, but the EU rejects that (it can similarly extend to the App Store itself) and pushes for a competitive landscape with the DMA instead.
Couldn’t someone argue that they “knowingly participated“? Do you think they want that risk?
Nothing holds them from having designed this as an API that others can use where the user has permission toggles of what data they want to share with the LLM provider.
This would be unprecedented access to user data, enabling the most complete user profiling ever.
Ad companies, like Meta and Google, are going to spend huge amounts of money getting agents ready, because there will be a ridiculous amount of money behind all the data they're going to slurp up, and the profiles they'll build for you.
Unless Apple can figure out how to keep the leeches, who have consistently proven to be so, with court cases for receipts, at bay.
The DMA and the GDPR are laws that at their core make each other more difficult. The stated outcome of the DMA - allowing any vendor/user full access to your device - is not easily supported when solving for privacy.
The requirements are not onerous, it is the basic preemption of monopolist behavior.
Qualifying "random apps" is something that is a true challenge, but that holds regardless of the API being offered — the problem is that Apple saves some programming API only for themselves, instead of introducing acceptable & objective market terms to be met (if deemed unsafe, they could require companies to demonstrate compliance with things like CRA to get access to these APIs).
Many Europeans are upset that Apple blames Europe that they cannot implement this because it would sacrifice privacy. (Which is kind of ironic, because the EU has nearly the best privacy protection worldwide.)
Apple doesn't care about privacy. By default (without ADP), your (i)Messages, Drive files, contacts, calendars, backups of data from third-party apps are not end-to-end encrypted [1]. US law enforcement can request it. EU citizens are not protected because the US can use the CLOUD Act to demand the data. If Apple really cared about privacy, they would have closed that hole long ago.
Thus the people that are mad at Apple for saying the EU is trying to stop them releasing this feature don't have much ground to stand on.
Do you never install software on your desktop computer?
100% - just like Apple making such a grandiose show of "privacy". "Privacy" for Apple eventually led to Apple specific and Apple-only allowed ads in first party apps and now Siri connecting to Google servers.
I don't think you can call the process unrelated to the mother or the baby, they're both pretty important throughout the whole thing.
The one legacy in Apple that Steve Jobs left behind is their distaste for taking risks that lose them money (ChatGPT was going to be their AI core... but then they had Altman ousted, so they backed away and partnered with Google instead), and spending money. I think they're still the only company with a kitchen in the valley that still makes employees pay for their own lunch, and the reason is the most BS reason that Steve Jobs pulled out of his rear end. It's so the employees appreciate the lunch, really?
I’m not saying I believe that’s the real reason here. But it is broadly true. Ask any company that offers a free tier where most of the complaints and problematic customers come from.
People can also appreciate things they get for free though. I'd appreciate a free lunch; most places I've worked at, actually nowhere I've ever worked, EVER has given me a free lunch. Now if it's a difference of paying for a quality lunch at a reasonable price, and not paying for lunch but it's mediocre, then yeah, seems like a no-brainer.
I wouldn't be surprised if what Steve Jobs implemented was a way to get them back into the green.
Also, TIL:
> Jobs, who notoriously took a salary of only $1 a year, used to "scam" Apple out of free lunches by scanning his badge alongside colleagues and insisting on paying for everyone, knowing the charges would just default back to Apple.
And you’re saying that consumers would be incorrect in thinking that?
This can lead to absolute insanity as companies try to satisfy both privacy and market conditions. It's not simple. How many years did google waste with Sandbox?
That's disingenuous. It's not about money, it's literally about engineering velocity. The amount of planning and engineering required for an entire interoperability layer that also ensures security and privacy is absolutely going to be something like a year-long engineering effort minimum. You can't speed that up by adding more money.
So it's either try to get an exemption to deliver this feature to Europeans while that work gets done, or wait 12-18 months for the work to be done -- work that isn't required to launch in the rest of the world.
Apple just wants consumers to be happy and be able to use their features. But the EU is requiring a ton of additional interop engineering, so consumers will just have to keep waiting and get features 1 or 2 years after the rest of the world, or never.
You cannot accept the concept of consequences. You are entitled to Siri AI? I highly doubt it.
You sound like a totalitarian: a state can come up with any law and everyone has to comply.
I think you should be reminded of the fact that you can go your own way with something state sponsored like the EU Chip Act, AI, Cloud. Let’s add “Siri” to the list.
I love the fact that the EU is getting a lesson, even though people obviously don't get it.
Seems a bit simplistic.
This is the bit that's likely hard, because generally keeping safety and privacy guarantees as data flows through the system is extremely hard, and Apple would not be able to guarantee it for other products without large review investment.
But ultimately, they probably just do not want to do it until Siri AI gets a decent marketshare first, so competing agents would have to both build new solutions for the platform once open, but also deal with an incumbent dominant player already on people's phones.