The systems today really aren’t sufficiently robust to handle the contingencies.
Sad but true. This is a story about a one day outage. In the UK, the bank TSB has been having similar problems for over one month, due to what appears to have been a spectacular failure while trying to migrate to a new IT system.
I'm also in the camp that keeps a significant amount of cash in safe, always-accessible places these days, after seeing a few too many incidents where people were literally unable to get money out of bank accounts and the like in recent years. But even I would have run out of savings to live on by that point, I think.
A person's time is more valuable than a computer algorithm's
But that comparison only matters if they both get useful results. If your computer algorithm is generating lots of false positives and a few bad false negatives, you might have been better off getting a properly qualified human to do it anyway.
I've worked for smaller businesses where senior technical people personally examined the CVs for anyone who wasn't clearly ruled out. The admin staff in front were mostly there to avoid legal issues, clerical errors and time-wasting by CV-spamming agencies with their own keyword-driven junk process. Someone who knows what they're doing can probably average 2 candidates checked per minute for typical technical positions, so even if you have 100 applicants, one person who knows what they're doing can cut that down to a shortlist in an hour.
The key thing is that for the candidates who can't be put in or out almost instantly, you'll probably get much better results this way. If the alternative is to put the wrong people through, and then waste multiple senior technical people's time in chunks of several hours doing phone screens or on-site interviews, better accuracy early on is a big time-saver.
Well, apparently the new owners spent eight figures in cash to acquire Glassdoor for $1.2B, so if typical Glassdoor salary figures are off by only one order of magnitude, they're still an improvement...
But really, remember that ~3% is taken by the credit card companies.
There's no way Microsoft is paying anything close to 3% in card processing fees. At their scale, it's probably well under 1% plus a flat rate of a few cents on each payment.
That leaves MS with 2% for it's overhead in hosting and delivering the application and the store infrastructure.
Again, with storage and network capacity at their scale, that seems unlikely to be anything close to their actual running costs.
Again, look at the competition, where 30% is the norm.
By "competition", do you mean the iOS and Android app stores? I'm not sure areas that typically sell very cheap and simple apps of debatable quality should be the competition for a Windows app store (unless of course Microsoft really is trying to dumb Windows down to the same level now).
And 15% of some much, much larger number is still in absolute terms much larger than 30% of a much smaller number...
That is true, but is there any evidence that selling via Microsoft's store is likely to generate a much larger number of sales to offset the fee?
Book publishers have been making this argument for decades to try to hide their increasing irrelevance in the online era. Of course they're justified in paying the author who did most of the hard work $2 for each $40 book sale, just look at the valuable editing and marketing work they did! Except that actually plenty of publishers just phone it in on the editing side, and new authors wind up doing much of the hard work themselves for marketing as well, and if they'd gone with a different model they might have been keeping $20-30 for each $40 book sale after other costs. Those random but realistic numbers would mean a publisher had to generate 10-15x as many total sales just to break even.
Microsoft developers managed to eat for about four decades just by making software people wanted to buy and platforms that were easy to develop for, without taking any cut of the revenues from other software running on their platform.
In a world where so much everyday stuff is now done with mobile and web apps, any barrier to writing or distributing Windows-friendly desktop applications seems like a bad idea for Microsoft. I'm not sure it matters whether it's 15% or 5%. It's not 0%.
As I said, there are plenty of problems with the GDPR. The subjectivity and ambiguity around what is actually required or acceptable in practice and how regulators will interpret it is probably #1 on that list.
It's still a better situation than a US-style regime where mere threats of legal action can result in substantial but undeserved out of court settlements and there are legal firms who specialise in exploiting innocent people in that way.
That's lovely, but as someone who has run several small businesses in the EU and seen government departments and regulators make business-destroying mistakes, I hope you'll forgive me if I'm sceptical about what will or won't be used as a stick to beat small companies with. There is no need for vague statements about "including intent" within laws. Just set a limit on penalties that doesn't pose an existential threat to small companies, and give clear, concise, practical guidance on how the rules will be interpreted well in advance, instead of the endless empty rhetoric and last minute updates the EU and the national regulators have produced so far.
Also, 30 days is nowhere near enough time to retain access logs for some purposes. We routinely keep that sort of data for years, and we have multiple legitimate interests for doing so, including a demonstrable need to detect and block attempted fraud and other serious violations of our terms of service.
Well, arguably the central premise of this discussion is changing things so you do have more control over data and aren't just getting spied on by proxy all the time, without having to cut yourself off. So I'm not sure what point you're trying to make here. Yes, the situation has been bad. No-one is disputing that; it's why laws are starting to change to address the issue and why this subject is interesting right now.
If you're worried about Google snooping in your email, then don't use Google anymore.
Sorry, but you totally missed the point there. I don't use Google for my mail, but I have no way to determine whether anyone else I'm communicating with does. If I'm sending a message, it's for the intended recipient, not for Google to profile me without my knowledge or consent. But the third party spying doctrine says Google have the technical ability to profile me anyway.
If you're worried about your phone calls being listened in on
Again, I'm afraid you totally missed the point. It wasn't about phone calls being monitored. It was about people with apps that upload the contacts list from my friend's or colleague's phone, and in doing so get my details. Combine a few dozen cases of that happening, and someone can wind up with a disturbingly accurate picture of who you are just from your metadata and personal network.
You could drop it today for the most part, use it only for 'official' purposes (if necessary), and you'd get along just fine without it otherwise.
The trouble is, that's not really true, unless your definition of "official purposes" is so broad as to be almost meaningless. It is now assumed that everyone has Internet access and social media and smartphones, and you really can't live without them unless you are willing to become almost a hermit. My personal friends and family do understand why I choose not to participate in some of these things and do know how to reach me if they want to. But that doesn't help with all the government services I have to deal with personally and for my businesses. It doesn't let me park my car where the cash meters have been replaced by phone apps. It doesn't help me deal with professional services like lawyers and accountants who need electronic records. It doesn't help me respond to a customer who expects my business to be contactable by email or on social media.
You write as if you're the only person in the world who prefers not to be tracked and is willing to give up some convenience to avoid it, but you're not. I have similar views, and so do plenty of other people. But there is a cost, and sometimes it is unavoidable. IMNSHO, we shouldn't have to pay that cost or be trapped in a catch 22 situation just for the privilege of being able to communicate like normal human beings.
Part of the problem is that no-one can guarantee GDPR compliance in most cases, no matter how much you pay a lawyer or other specialist advisor. The law is vague and ambiguous on key points, and there aren't any magic eight balls to tell you which way they'll be interpreted. Even the official guidance is vague, often to the point of being completely useless! The only defence most of us within its scope have is that regulators might try to be constructive about enforcing it, particularly in the early days when no-one really knows where the boundaries are. That's not much comfort, though.
That means your Apache logs can't have any actual log data.
No, it doesn't. This is a myth.
It looks like organisations are tending to shift towards processing based on their legitimate interests rather than consent, because the moment consent is necessary under the new regulations, all the new subject rights activate. There do still have to be legitimate interests, obviously, and they still have to be balanced against the privacy of the data subject, which is a horribly ambiguous situation. But if you need to keep server logs for genuine and reasonable purposes like diagnosing faults or detecting security/fraud problems, that's OK as long as you treat that data sensibly.
Yes, and the GDPR really does have significant uncertainty and cause disproportionate overheads for a lot of smaller businesses, charities, etc.
This is the kind of thing that makes it difficult for you to pretend otherwise.
Well, yes and no. The article here isn't great: it perpetuates a lot of myths and exaggerations. The specific blocking service mentioned has been heavily criticised in other forums already for trying to cash in on the fear while providing questionable protection.
Anyone with two firing brain cells can anticipate that GPDR trolls will appear on day 1 to sue whomever has deep enough pockets to be worth suing.
Unless they'd actually used those brain cells to read, in which case they'd know that the GDPR is going to be enforced primarily through government regulators, not personal legal actions. There are plenty of problems with it, but attracting ambulance-chasing lawyers isn't likely to be one of them.
GDPR does indeed strengthen things though because you have more rights in saying how your data can be used, and as you say, you have to actively consent to it being handed over and used, and can withdraw permission for certain usage - you could for example agree to Google's over-reaching usage policy, then subsequently withdraw consent for use of your data for marketing for example, it's up to Google if they want to then refuse your custom at that point and wipe everything they've ever known about you from all their systems.
One of the curious things about the new law is that businesses might not be able to refuse your custom even if you withdraw consent. The choice to give consent has to be meaningful, and if it's fundamentally tied to getting something else then it's been coerced.
This is one of the controversial things about the GDPR, because some businesses -- including the likes of Google and Facebook -- rely on consent to process people's profiles for the purposes of targeting ads, and those ads are how they fund their business. Allowing people to withdraw consent for such processing is one thing, but requiring these businesses to continue providing substantial services with significant operating costs to those people anyway potentially undermines their whole business model.
How their lawyers are going to try and spin this as having some sort of legitimate interest basis for processing the data anyway and having that take precedence over data subjects' right to object will be interesting to watch, but it's possible that the law is simply unreasonable and unworkable in this situation and may have unintended and quite bad consequences.
You can encrypt your emails to solve the email issue.
Not if the person on the other end is reading it through GMail...
YOU actually had to pay money NOT to be in the BOOK.
I'm not in the phone book, and have never paid any money for that choice. You must be looking back a very long time if you had to pay to be removed.
Curiously, that's actually quite a good example of how data protection should ideally work, though. I wouldn't mind someone being able to look up my phone number if it's friends or family or work colleagues who are calling for legitimate purposes, but the books started getting abused by people who were cold-calling and the like. Same data, different purpose for processing. In the modern age where instead of a physical book we have databases and online access for everything, distinguishing having access to data from what you can do with it seems like an essential step.
It won't matter. EU data protection law distinguishes between data controllers and data processors. If you're pulling the strings, you're generally going to be a controller, even if you delegate the processing.
This is a big part of how the EU is trying to extend its authority extra-territorially. If you're a controller who is violating the GDPR and within the reach of EU authorities, you'll potentially be subject to some very expensive fines once the new regulations come into effect. One way you can be violating the GDPR is by working with a data processor who isn't compliant. And that means data processors outside the EU have to make sure they're compliant if they want business from data controllers inside the EU.
And how is that going to stop Google from reading half the emails I ever send, because although I have nothing to do with them, many people I communicate with are using Google mail services behind other domains and I have no way to even know it's happening? Should I just not send email any more?
How about phone calls? Any friend, family member or work colleague with my phone number in their phone has potentially uploaded it to the likes of Facebook, again without my knowledge or consent. Should I give up on using the phone as well?
None of this is actually new, of course. The Cambridge Analytica mess may have increased public awareness, but getting people to spy on each other has always been the thing that made the data-hoarding social networks most effective (and most dangerous), and plenty of us have been criticising it for a long time.
The recent change is that we're starting to see privacy laws, such as the GDPR in the EU, that either require active consent from the actual data subject or some sort of legitimate interests argument that is specifically balanced against the rights of data subjects, and if the data hoarders can't make that happen (which presumably they won't be able to in almost all cases of shadow profiles and the like) then this sort of collection-by-proxy is effectively going to be illegal.
There was a lot of concern about the "no antivirus" case when this first rolled out, exactly because it would apparently have prevented updates from installing.
This is supposed to have been fixed by a more recent update, but for those who install the monthly security-only roll-ups it still doesn't seem to be clear exactly what should be done and in what order even now.
Any of which can be changed in Windows 10 by the next update, which you can't stop from installing without jumping through extensive hoops at best.
Compare this with Windows 7, where I have no telemetry at all running by default (because I could choose never to install those updates) and I can install the monthly security-only roll-ups so I don't get all the other unwanted junk destabilising my system.
What the hell could be different? WHY would you make it different?
I don't know. Not working inside Apple, I have no special information to share on this subject. However, having worked inside various other places that make electronic devices of one kind of another, I am well aware that sometimes supposedly similar components turn out not to be as compatible as you might have expected.
Something could have been slightly out of spec in a certain production run. A special case might then have been added in the software to recognise that part and adjust accordingly, instead of writing off all of that stock or delaying production for several weeks while replacements were sourced.
Two components could both have been within spec, but at the same end of their specified range for something. When one was swapped out for a different component with the same theoretical spec but at the opposite end of the acceptable range in practice, maybe it exceeded some tolerance that hadn't been specified wide enough and again required some sort of adjustment to compensate.
These sorts of things happen all the time, sometimes due to mistakes not caught early enough, and sometimes even when no-one made a mistake. Manufacturing is not a perfectly consistent process. Testing of components before you include them in your product and ship them to customers isn't infallible and never can be.
There is plenty of scope for questionable, customer-hostile practices in this area, and some manufacturers use them while others don't. But we shouldn't be too quick to jump to the conclusion that anything like that is going on, because there are plenty of benign explanations that are entirely possible as well, and if we wind up with too much regulation and throw the baby out with the bathwater, that could make things worse rather than better for all concerned.
That's the key point. It could be something shady going on, that we might prefer to prevent. Or it could just be that the replacement part relied unwisely on undocumented behaviour that the third-party manufacturer didn't understand because they weren't the original manufacturer and made assumptions, in which case that's hardly the OEM's fault.
Slashdot Mirror
The systems today really aren’t sufficiently robust to handle the contingencies.
Sad but true. This is a story about a one day outage. In the UK, the bank TSB has been having similar problems for over one month, due to what appears to have been a spectacular failure while trying to migrate to a new IT system.
I'm also in the camp that keeps a significant amount of cash in safe, always-accessible places these days, after seeing a few too many incidents where people were literally unable to get money out of bank accounts and the like in recent years. But even I would have run out of savings to live on by that point, I think.
That's why I drive a tank. Now my cards and $200 cash are safe even from the likes of you. Ha, take that!
Sorry. I'll try not to let it happen again.
A person's time is more valuable than a computer algorithm's
But that comparison only matters if they both get useful results. If your computer algorithm is generating lots of false positives and a few bad false negatives, you might have been better off getting a properly qualified human to do it anyway.
I've worked for smaller businesses where senior technical people personally examined the CVs for anyone who wasn't clearly ruled out. The admin staff in front were mostly there to avoid legal issues, clerical errors and time-wasting by CV-spamming agencies with their own keyword-driven junk process. Someone who knows what they're doing can probably average 2 candidates checked per minute for typical technical positions, so even if you have 100 applicants, one person who knows what they're doing can cut that down to a shortlist in an hour.
The key thing is that for the candidates who can't be put in or out almost instantly, you'll probably get much better results this way. If the alternative is to put the wrong people through, and then waste multiple senior technical people's time in chunks of several hours doing phone screens or on-site interviews, better accuracy early on is a big time-saver.
In this context, "popularity" is often won by doing useful things that make people remember you later, so is that a problem?
Well, apparently the new owners spent eight figures in cash to acquire Glassdoor for $1.2B, so if typical Glassdoor salary figures are off by only one order of magnitude, they're still an improvement...
But really, remember that ~3% is taken by the credit card companies.
There's no way Microsoft is paying anything close to 3% in card processing fees. At their scale, it's probably well under 1% plus a flat rate of a few cents on each payment.
That leaves MS with 2% for it's overhead in hosting and delivering the application and the store infrastructure.
Again, with storage and network capacity at their scale, that seems unlikely to be anything close to their actual running costs.
Again, look at the competition, where 30% is the norm.
By "competition", do you mean the iOS and Android app stores? I'm not sure areas that typically sell very cheap and simple apps of debatable quality should be the competition for a Windows app store (unless of course Microsoft really is trying to dumb Windows down to the same level now).
And 15% of some much, much larger number is still in absolute terms much larger than 30% of a much smaller number...
That is true, but is there any evidence that selling via Microsoft's store is likely to generate a much larger number of sales to offset the fee?
Book publishers have been making this argument for decades to try to hide their increasing irrelevance in the online era. Of course they're justified in paying the author who did most of the hard work $2 for each $40 book sale, just look at the valuable editing and marketing work they did! Except that actually plenty of publishers just phone it in on the editing side, and new authors wind up doing much of the hard work themselves for marketing as well, and if they'd gone with a different model they might have been keeping $20-30 for each $40 book sale after other costs. Those random but realistic numbers would mean a publisher had to generate 10-15x as many total sales just to break even.
Microsoft developers managed to eat for about four decades just by making software people wanted to buy and platforms that were easy to develop for, without taking any cut of the revenues from other software running on their platform.
In a world where so much everyday stuff is now done with mobile and web apps, any barrier to writing or distributing Windows-friendly desktop applications seems like a bad idea for Microsoft. I'm not sure it matters whether it's 15% or 5%. It's not 0%.
As I said, there are plenty of problems with the GDPR. The subjectivity and ambiguity around what is actually required or acceptable in practice and how regulators will interpret it is probably #1 on that list.
It's still a better situation than a US-style regime where mere threats of legal action can result in substantial but undeserved out of court settlements and there are legal firms who specialise in exploiting innocent people in that way.
That's lovely, but as someone who has run several small businesses in the EU and seen government departments and regulators make business-destroying mistakes, I hope you'll forgive me if I'm sceptical about what will or won't be used as a stick to beat small companies with. There is no need for vague statements about "including intent" within laws. Just set a limit on penalties that doesn't pose an existential threat to small companies, and give clear, concise, practical guidance on how the rules will be interpreted well in advance, instead of the endless empty rhetoric and last minute updates the EU and the national regulators have produced so far.
Also, 30 days is nowhere near enough time to retain access logs for some purposes. We routinely keep that sort of data for years, and we have multiple legitimate interests for doing so, including a demonstrable need to detect and block attempted fraud and other serious violations of our terms of service.
Well, arguably the central premise of this discussion is changing things so you do have more control over data and aren't just getting spied on by proxy all the time, without having to cut yourself off. So I'm not sure what point you're trying to make here. Yes, the situation has been bad. No-one is disputing that; it's why laws are starting to change to address the issue and why this subject is interesting right now.
If you're worried about Google snooping in your email, then don't use Google anymore.
Sorry, but you totally missed the point there. I don't use Google for my mail, but I have no way to determine whether anyone else I'm communicating with does. If I'm sending a message, it's for the intended recipient, not for Google to profile me without my knowledge or consent. But the third party spying doctrine says Google have the technical ability to profile me anyway.
If you're worried about your phone calls being listened in on
Again, I'm afraid you totally missed the point. It wasn't about phone calls being monitored. It was about people with apps that upload the contacts list from my friend's or colleague's phone, and in doing so get my details. Combine a few dozen cases of that happening, and someone can wind up with a disturbingly accurate picture of who you are just from your metadata and personal network.
You could drop it today for the most part, use it only for 'official' purposes (if necessary), and you'd get along just fine without it otherwise.
The trouble is, that's not really true, unless your definition of "official purposes" is so broad as to be almost meaningless. It is now assumed that everyone has Internet access and social media and smartphones, and you really can't live without them unless you are willing to become almost a hermit. My personal friends and family do understand why I choose not to participate in some of these things and do know how to reach me if they want to. But that doesn't help with all the government services I have to deal with personally and for my businesses. It doesn't let me park my car where the cash meters have been replaced by phone apps. It doesn't help me deal with professional services like lawyers and accountants who need electronic records. It doesn't help me respond to a customer who expects my business to be contactable by email or on social media.
You write as if you're the only person in the world who prefers not to be tracked and is willing to give up some convenience to avoid it, but you're not. I have similar views, and so do plenty of other people. But there is a cost, and sometimes it is unavoidable. IMNSHO, we shouldn't have to pay that cost or be trapped in a catch 22 situation just for the privilege of being able to communicate like normal human beings.
Part of the problem is that no-one can guarantee GDPR compliance in most cases, no matter how much you pay a lawyer or other specialist advisor. The law is vague and ambiguous on key points, and there aren't any magic eight balls to tell you which way they'll be interpreted. Even the official guidance is vague, often to the point of being completely useless! The only defence most of us within its scope have is that regulators might try to be constructive about enforcing it, particularly in the early days when no-one really knows where the boundaries are. That's not much comfort, though.
That means your Apache logs can't have any actual log data.
No, it doesn't. This is a myth.
It looks like organisations are tending to shift towards processing based on their legitimate interests rather than consent, because the moment consent is necessary under the new regulations, all the new subject rights activate. There do still have to be legitimate interests, obviously, and they still have to be balanced against the privacy of the data subject, which is a horribly ambiguous situation. But if you need to keep server logs for genuine and reasonable purposes like diagnosing faults or detecting security/fraud problems, that's OK as long as you treat that data sensibly.
Regulations have consequences.
Yes, and the GDPR really does have significant uncertainty and cause disproportionate overheads for a lot of smaller businesses, charities, etc.
This is the kind of thing that makes it difficult for you to pretend otherwise.
Well, yes and no. The article here isn't great: it perpetuates a lot of myths and exaggerations. The specific blocking service mentioned has been heavily criticised in other forums already for trying to cash in on the fear while providing questionable protection.
Anyone with two firing brain cells can anticipate that GPDR trolls will appear on day 1 to sue whomever has deep enough pockets to be worth suing.
Unless they'd actually used those brain cells to read, in which case they'd know that the GDPR is going to be enforced primarily through government regulators, not personal legal actions. There are plenty of problems with it, but attracting ambulance-chasing lawyers isn't likely to be one of them.
GDPR does indeed strengthen things though because you have more rights in saying how your data can be used, and as you say, you have to actively consent to it being handed over and used, and can withdraw permission for certain usage - you could for example agree to Google's over-reaching usage policy, then subsequently withdraw consent for use of your data for marketing for example, it's up to Google if they want to then refuse your custom at that point and wipe everything they've ever known about you from all their systems.
One of the curious things about the new law is that businesses might not be able to refuse your custom even if you withdraw consent. The choice to give consent has to be meaningful, and if it's fundamentally tied to getting something else then it's been coerced.
This is one of the controversial things about the GDPR, because some businesses -- including the likes of Google and Facebook -- rely on consent to process people's profiles for the purposes of targeting ads, and those ads are how they fund their business. Allowing people to withdraw consent for such processing is one thing, but requiring these businesses to continue providing substantial services with significant operating costs to those people anyway potentially undermines their whole business model.
How their lawyers are going to try and spin this as having some sort of legitimate interest basis for processing the data anyway and having that take precedence over data subjects' right to object will be interesting to watch, but it's possible that the law is simply unreasonable and unworkable in this situation and may have unintended and quite bad consequences.
You can encrypt your emails to solve the email issue.
Not if the person on the other end is reading it through GMail...
YOU actually had to pay money NOT to be in the BOOK.
I'm not in the phone book, and have never paid any money for that choice. You must be looking back a very long time if you had to pay to be removed.
Curiously, that's actually quite a good example of how data protection should ideally work, though. I wouldn't mind someone being able to look up my phone number if it's friends or family or work colleagues who are calling for legitimate purposes, but the books started getting abused by people who were cold-calling and the like. Same data, different purpose for processing. In the modern age where instead of a physical book we have databases and online access for everything, distinguishing having access to data from what you can do with it seems like an essential step.
It won't matter. EU data protection law distinguishes between data controllers and data processors. If you're pulling the strings, you're generally going to be a controller, even if you delegate the processing.
This is a big part of how the EU is trying to extend its authority extra-territorially. If you're a controller who is violating the GDPR and within the reach of EU authorities, you'll potentially be subject to some very expensive fines once the new regulations come into effect. One way you can be violating the GDPR is by working with a data processor who isn't compliant. And that means data processors outside the EU have to make sure they're compliant if they want business from data controllers inside the EU.
And how is that going to stop Google from reading half the emails I ever send, because although I have nothing to do with them, many people I communicate with are using Google mail services behind other domains and I have no way to even know it's happening? Should I just not send email any more?
How about phone calls? Any friend, family member or work colleague with my phone number in their phone has potentially uploaded it to the likes of Facebook, again without my knowledge or consent. Should I give up on using the phone as well?
None of this is actually new, of course. The Cambridge Analytica mess may have increased public awareness, but getting people to spy on each other has always been the thing that made the data-hoarding social networks most effective (and most dangerous), and plenty of us have been criticising it for a long time.
The recent change is that we're starting to see privacy laws, such as the GDPR in the EU, that either require active consent from the actual data subject or some sort of legitimate interests argument that is specifically balanced against the rights of data subjects, and if the data hoarders can't make that happen (which presumably they won't be able to in almost all cases of shadow profiles and the like) then this sort of collection-by-proxy is effectively going to be illegal.
There was a lot of concern about the "no antivirus" case when this first rolled out, exactly because it would apparently have prevented updates from installing.
This is supposed to have been fixed by a more recent update, but for those who install the monthly security-only roll-ups it still doesn't seem to be clear exactly what should be done and in what order even now.
Any of which can be changed in Windows 10 by the next update, which you can't stop from installing without jumping through extensive hoops at best.
Compare this with Windows 7, where I have no telemetry at all running by default (because I could choose never to install those updates) and I can install the monthly security-only roll-ups so I don't get all the other unwanted junk destabilising my system.
Say what now? I'm typing this on a Windows 7 machine with DX11.
What the hell could be different? WHY would you make it different?
I don't know. Not working inside Apple, I have no special information to share on this subject. However, having worked inside various other places that make electronic devices of one kind of another, I am well aware that sometimes supposedly similar components turn out not to be as compatible as you might have expected.
Something could have been slightly out of spec in a certain production run. A special case might then have been added in the software to recognise that part and adjust accordingly, instead of writing off all of that stock or delaying production for several weeks while replacements were sourced.
Two components could both have been within spec, but at the same end of their specified range for something. When one was swapped out for a different component with the same theoretical spec but at the opposite end of the acceptable range in practice, maybe it exceeded some tolerance that hadn't been specified wide enough and again required some sort of adjustment to compensate.
These sorts of things happen all the time, sometimes due to mistakes not caught early enough, and sometimes even when no-one made a mistake. Manufacturing is not a perfectly consistent process. Testing of components before you include them in your product and ship them to customers isn't infallible and never can be.
There is plenty of scope for questionable, customer-hostile practices in this area, and some manufacturers use them while others don't. But we shouldn't be too quick to jump to the conclusion that anything like that is going on, because there are plenty of benign explanations that are entirely possible as well, and if we wind up with too much regulation and throw the baby out with the bathwater, that could make things worse rather than better for all concerned.
It's not proof, but it's cause for suspicion.
That's the key point. It could be something shady going on, that we might prefer to prevent. Or it could just be that the replacement part relied unwisely on undocumented behaviour that the third-party manufacturer didn't understand because they weren't the original manufacturer and made assumptions, in which case that's hardly the OEM's fault.