What analysts should ask Apple

For Apple, the 2010 fiscal year began on September 27, 2009. The first quarter of “2010” ended on or about December 26, 2009, and it’s now time for Apple to report its results. That happens on Monday, at around 1:30 PM PT, followed at the top of the hour by the regular conference call between Apple’s executives and Wall Street financial analysts.

You can listen to the conference call live on the Internet via the magic of QuickTime. Better yet, join me as part of Macworld’s live blogging coverage.

The QuickTime stream is obviously a listen-only experience, but as far as the press is concerned, so is the “conference call.” Reporters can call and listen live without fighting the Internet’s myriad bad moods, but Apple hasn’t taken a question from reporters during a quarterly conference call in well over a decade. Only financial analysts are allowed to query the company’s executives.

That can be a darned shame, because a few times each year, well-meaning analysts let loose with giant stink bombs of questions. It’s not always the analysts’ fault—most of them are “tech sector” analysts who are supposed to be conversant on the capabilities and financial success of products ranging from the Amazon Kindle to the Microsoft Zune. Apple is but one company in their oft-shifting portfolios, and the analysts themselves change companies or areas of expertise every now and then.

For every Charles Wolf (Needham & Company), David Bailey (Goldman Sachs), or Richard Gardner (Citigroup) who’s been following Apple for a decade, there’s at least one analyst whose company recently initiated Apple coverage because, you know, “the kids seem to like those eye-phones and whatever that thing they’re about to release, the touchy fun-pad or whatever, so we should pay attention.”

These analysts may be experts in their own fields, but if they don’t realize that Apple is (let’s be nice and say) “not quite like other companies,” they’ll likely ask questions that other companies’ executives would freely answer: What is your product roadmap? Do you intend to cut prices this year? Will you add DVR functionality to Apple TV? Are you going to compete with Google?

Most companies are in boring and predictable businesses (Exclusive: Intel’s working on faster, smaller, cheaper microprocessors!) and don’t mind answering these questions, at least to some degree. Apple relies on innovation and execution, and does not want its competitors to get to claim, “We did it first.” Just this month, at the Consumer Electronics Show in Las Vegas, the press went crazy for about two days over the idea that Microsoft and HP would introduce a tablet computer “before” Apple. (They did: It was an entirely ordinary single-screen tablet running Windows 7, but with multitouch.)

Think about it. It’s been three years since Steve Jobs first demonstrated the iPhone at Macworld Expo 2007. Today, it’s almost crazy to think about a “smartphone” that doesn’t have Wi-Fi; a touch screen (hopefully multitouch)’ extensive synchronization with your computer for personal data like addresses, events, and music; and third-party apps to extend the device’s functionality. When Jobs took the stage that morning, none of those assumptions were true. Can you imagine how many dozens of cheap iPhone-like knock-offs would have beaten the real thing to market if Apple had been transparent about its plans?

The point is that Apple isn’t just being contrary when it fights to keep its plans secret. If you announce a good idea a year before you can implement it, you had better be the only company in the world that could implement something that customers will think is a “good enough” version of what you promise. “Good enough” plus “cheaper” or “for sale sooner” is how the world got stuck with Windows. Apple has some precedent here. Enough said.

While new analysts may mistake Apple for an “ordinary” company, even the experienced ones struggle trying to get information out of the Cerberus-like trio of chief financial officer Peter Oppenheimer, chief operating officer and CEO-in-waiting Tim Cook, and corporate treasurer Gary Wipfler. SEC regulations in the post-Enron era mean that Apple is no longer allowed to hold “analyst-only” meetings where the company divulged information to the financial chosen. By law, all such information from a publicly-traded company must now be made available to all investors—that’s one reason Apple live-streams the conference call’s audio.

The analysts use the same sources for information that you do—news reports and rumors. Oh, are there rumors! You’ve probably heard that Apple may be releasing that touchy fun-pad soon. The analysts are supposed to tell their clients what this currently-non-existent product means for Apple’s bottom line throughout the rest of this fiscal year, and they have no more clue than you do about whether it exists or what it does. They have better sources than you do (reporters, executives at lots of companies, manufacturing contacts in east Asia), but most of them aren’t trained as investigative journalists. They’re biz whizzes. They like the numbers, not the detective work.

The quarterly call is one of their only chances to try to get any molecule of information out of Apple about what may be coming, and sometimes even the most experienced risk a question that touches on forbidden topics. That usually just results in a refusal to answer and moving on to the next questioner in the queue.

Analysts: you may only get one shot at asking questions, so I'm here to help you with the do’s and don’ts of the conference call. I don’t have all the answers, but I haven’t missed one of these calls in nearly 14 years, so I have some experience. Our interests are temporarily aligned here—we all want more information from Apple, without spooking the executives so they run away from your questions. Here’s the basic map for the January 2010 conference call.

Don’t ask about future products

Apple will be happy to talk about future products... at its January 27 product event two days after it announces earnings.

Honest to God, don’t even think about it. Smarter people than you have tried and failed. Apple’s executives are really good at refusing to answer questions that even tangentially touch on anything the company has not announced. They don’t “duck” the questions—they flat-out say they’re not going to answer them.

Apple has a special product introduction event planned to start around 40 hours after the conference call ends. Whatever comes on that day, the company has been planning its announcement for some time. Apple is really, truly, honestly not going to tip its hand two days early because you used some clever wording. It’s not going to happen.

Since you’re analysts, you might think you could sneak something in by asking about how the January 27 announcements—whatever they turn out to be—will affect Apple’s bottom line in the March 2010 quarter. Nice try, but I can tell you right now what Peter Oppenheimer and Tim Cook will say to that: “Our announcements on Wednesday have been factored into the guidance we gave you for the March quarter.” Apple will drop some hints during the conference call, like about “product transitions” or “ramping up production of new products,” but the execs will not say more on the subject than what Oppenheimer says in his prepared statement at the beginning of the call. Don’t waste your time trying.

And it’s not just about the tablet. Don’t ask about the next iPhone. Don’t ask about the next Apple TV, or when Apple plans to use new Intel microprocessor, or if it intends to use its own chips developed after its April 2008 acquisition of PA Semi. They won’t tell you when the next version of iLife, iWork, Final Cut Studio, or even Xcode is coming. You might get them to talk about component directions, like how they view OLED screens or SSD storage, but not to the point where they’ll say anything about what products might use those technologies. If you ask a component question that could only possibly refer to a specific product, they’ll shut you down. Stay away from individual products if you want answers.

Possible exception

However, I think there’s one “future products” tangent that’s both relevant and important, and yet can be answered because it doesn’t ask anything about specific products: ask Oppenheimer and Cook how the meta-subject of rumors affects the company. Without confirming or denying the existence or even development of anything remotely like a tablet, no rational person can deny that the “irrational exuberance” from the unending stream of stories about a potential Apple tablet has caused the company’s stock price to skyrocket, from around $150 per share six months ago to around $210 per share today. In that timespan, Apple has released nothing but evolutionary products—Snow Leopard, new MacBooks, bigger iMacs, Magic Mouse, a revised iPod touch, and an iPod nano with a video camera.

That doesn’t justify a 40 percent rise in the company’s valuation, and everyone on that call knows it. Even if you thought Apple stock had been undervalued (and I’m talking in terms of equity, not in terms of what investors might be willing to pay for it—P/E ratios, all that stuff you analysts are so good at), nothing happened to trigger a 40 percent increase in the stock price, except rumors about a magical tablet that will save every industry except paper mills.

Such volatility has to affect Apple in some way—investment strategy? How it pays for acquisitions, even though Apple has more cash in the bank than Jay Leno? Compensation of key engineers and managers below the executive suites? The company obviously is not changing its position about announcing future products, and that’s the only thing that might reduce such volatility, so it would be good to hear how Apple plans for such events and how it protects itself against huge swings in the stock price prodded by unsourced rumors and wishful thinking.

More don’ts

Everyone knows you want to understand more about Apple’s revenue model for the iPhone, but don’t ask about carrier revenue splits, unless Oppenheimer gives some indication that he’s now willing to talk about such revenue-sharing arrangements. The company has refused to answer any questions on that subject for more than two years, so unless you see a change, go for more productive questions.

Don’t ask about sales or profits on individual products. Apple stopped distinguishing sales of computers in professional vs. consumer categories a few years ago because its competitors weren’t making that distinction, so Apple was giving away more of its internal data than other companies. It doesn’t do that anymore. The company will not tell you how many of the desktop sales were iMacs vs. Mac Pro or Mac Mini machines unless there’s some talking point in there that makes Apple look good—and if there is, Oppenheimer will mention it upfront, or at least allude to it. Absent such information or hints, you’ll hit the wall.

Apple also won’t tell you how many iPod units were iPod touch, iPod nano, or iPod shuffle units—although if the iPod touch continues to gain market share, Oppenheimer will be sure to mention that, because some of you think people won’t pay iPod touch prices for an “iPhone without the phone.” Nor will Apple tell you how many iPhone sales were iPhone 3GS units compared to older iPhone 3G units sold at Wal-Mart. Even so, do ask how the low-end iPhone sales experiment is going. Apple’s executives may not tell you much, but they’re likely to answer the question if they have enough data available.

Don’t ask how specific models are selling in specific geographic areas, but you can ask in general whether any individual product is doing unexpectedly well (or poorly) in any specific geographic area. As policy, Apple doesn’t disclose how many units of a given product sell in a given region unless doing so makes the company look stronger. If Apple’s executives have such a story to tell, a general question opens the door for it—but honestly, if you’re reading this, they are too, and they’re likely to include such successes in Oppenheimer’s preamble. If they do, feel free to ask if there are any surprising underperforming products in some regions—in that case, they opened the door for such a question. Keep in mind that the answers “no” and “we’re not getting into that” have very different meanings.

Unexplored areas

Despite the long list of untouchable areas, there are still subjects on which Apple should be quizzed, even if to make the executives understand that you’re asking about real problems, not theoretical ones. If I had a voice on the conference call, I’d be sure to ask some of these questions.

Security: One ripped-from-the-headlines topic that Apple should address is simple: “Was Apple targeted by the same attack disclosed recently by Google and Adobe, or by a similar attack? Are the MobileMe mail servers at least as secure as Gmail? Have there been any significant attacks on the iTunes Store?” To our knowledge, Apple is not required to disclose any of these things by law, but Apple is attempting to grow in China just like Google has been, and you’re all well-aware of competition (both real and imagined) between Apple and Google in browsers, phones, and online services. If Google is having problems in China, is Apple? If not, why not?

That’s a bit abstract for our taste, but I know such information is important to analysts as they construct their predictive models. I would ask a much more specific question: “Does Apple ever intend to demonstrate the ability to effectively respond to a zero-day security vulnerability in its products?” This past week, Apple released Security Update 2010-001 for Mac OS X 10.5.8 and 10.6.2 systems, including a change to OpenSSL, the open-source library that provides the SSL security used to encrypt just about everything you do on the Internet, from shopping to secure E-mail to MobileMe servers. iTunes store transactions are secured by SSL, too.

As it turns out, just about every SSLv3 implementation was vulnerable to a man-in-the-middle attack during renegotiation of a secure connection. Security expert Thierry Zoller explains the problem in a paper, but there is too much to explain here.

To sum up: When your computer opens a secure connection to a server, the attacker sits in the middle, pretending to be the server in question. This normally does not work because SSL connections are encrypted with a certificate that verifies the responding server’s identity. SSL uses public key encryption, which pairs a public key and a private key in such a way that only one can decrypt messages encrypted with the other part.

The server side of an SSL connection makes available its public key. The client gets this key, and then generates its own public-private key pair. The client includes its public key with the data it wants to send, encrypts the whole mess with the server’s public key, and sends the encrypted data to the server. The server has sole possession of the private key, the only way to decrypt the data in less than several years of CPU time. The server decrypts the incoming data, getting both the data sent by the client and the client’s public key. The server then encrypts all responses to the client with the client’s public key, and voilá! A secure connection, just like that.

In the attack described here, the attacker sits in the middle between the client and the server. It gets the client’s initial request for a handshake, but holds onto it and doesn’t forward it to the server. The attacker then starts its own encrypted session with the server. Once that’s started, the attacker triggers the server to renegotiate the secured connection (basically exchange keys again, though that’s oversimplified).

The vulnerability in the SSLv3 implementations is that the servers were not necessarily matching renegotiation requests to existing secure sessions. When the server started to renegotiate its session with the attacker, the attacker could then forward the original client’s request (held by the attacker all this time), and jam that into the attacker’s renegotiated connection. The result is that the client talks to the attacker, and the attacker talks to the server, and neither end knows that the attacker is in the middle.

It’s not quite that easy, of course—the data that the client sends to the server is encrypted with the server’s private key (the attacker never responded to the client with its own set of keys), so the attacker cannot read the data the client is sending to the server. However, the attacker can prefix his own data to the client’s packets, and that opens up a bunch of reasonably easy exploits. (Zoller theorizes that an attacker could use a secure banking connection to prefix data with a command that says “pay this much money from my account to the attacker and then ignore all this other data to follow,” ignoring the client’s actual commands. Oops.)

It’s a difficult conceptual problem, and the quick fix is simply to disable renegotiation altogether. If the client and server can’t renegotiate a connection, the connection simply gets dropped and the client tries again, so the attack never finishes. In a worst-case scenario, an attacker prevents you from completing any secure sessions, but the attacker never gets his data into your secure connection that way. There are some side effects (I told you I was oversimplifying—in reality, clients don’t send a private key with their data, the server asks for it via renegotiation), but most connections still work, especially since just about everyone in the world has had to disable renegotiation for now.

This problem was revealed around September 11, 2009, and had exploits before the OpenSSL Project disabled renegotiation in version 0.9.8l on November 5, 2009. It took Apple an additional 75 days—nearly 11 weeks—to get this fix out to its customers, leaving them vulnerable to the exploit for more than four months.

Sadly, this is par for the course at Apple. The company overhauled its security apparatus in 2004 after a simple AppleScript and disk mounting hack allowed attackers to run arbitrary code on Mac OS X systems just by getting people to open a Web page—but not until it came out that the person who discovered the vulnerability reported it to Apple and met with silence until he went public with it three months later.

Even today, Apple has yet to demonstrate, even once, that it can respond to a vulnerability with zero-day exploits in a timely fashion. In the best cases, Apple has released fixes for huge vulnerabilities within about three weeks. 75 days is a little on the long side, but by no means abnormal.

With the Mac growing in market share and iPhones using secure Internet connections in dozens of countries, it’s going to be a huge problem if Apple can’t patch these things faster—but no one ever asks the executives about these things in a public form. I think it’s time one of you did.

By the way, the last iPhone update with any documented security fixes was iPhone OS 3.1 (and iPhone OS 3.1.1 for iPod Touch), on September 9, 2009—before the OpenSSL vulnerability was published. Apple did not disclose whether any vulnerabilities were fixed in iPhone OS 3.1.2, released on October 8. For all anyone knows, each of the tens of millions of iPhones in operation is vulnerable to this attack right now and has been for over four months. You might ask, “Is iPhone OS 3.1.2 vulnerable to the OpenSSL bug fixed in Security Update 2010-001, and if not, why didn’t you disclose when you fixed it?”

Real Estate: With around 200 retail stores in the United States, Apple is not immune to the problems plaguing the commercial real estate (CRE) market. Apple has targeted all of its mall stores for high-performance, high-traffic malls, and that helps it avoid the problem of individually failing malls where closed or bankrupt anchor stores bring that mall down. Individually failing malls get caught in a spiral of more and more store vacancies until basically they become giant playgrounds for trouble—no place where Apple wants to be with its glass walls and high-end products.

How might swings in the commercial real estate market impact Apple's mall-based retail outlets?

Even ignoring that, however, in 2009 the second-largest U.S. mall owner filed for bankruptcy protection, although some money managers believe the company will come out of it well enough. The company, General Growth Properties, owns malls where Apple has stores (such as Fashion Show in Las Vegas). In fact, a search of GGP’s Web site appears to show that the company owns malls holding nearly 60 of Apple’s retail stores in the U.S., or around 40 percent of all U.S. Apple retail locations. Apple probably doesn’t have much exposure to GGP’s problems, but since Apple tends to sign longer-term (five years or longer) leases for retail properties, it would behoove Apple to answer the simple question, “Is your retail operation exposed to any of the CRE problems, including GGP’s bankruptcy?”

Closer to home, it’s been almost four years since Apple revealed that it had purchased land from HP and others to build a second Cupertino campus, about one mile east of Infinite Loop, between Homestead Road and Interstate 280 west of Wolfe Road. There’s been no update on that in quite some time, even though in 2006 we were told it should be in use by 2011. Has the real estate bust (especially in California) led to problems with its construction, or the significant devaluation of the property? What’s the status on construction of the second campus?

The iTunes Store: Apple will not reveal profit margins on the iTunes Store, saying only (repeatedly) that they intend to and are running it at about a break-even level. It’s there to sell iPods, Macs, iPhones, and Apple TV units. This may change significantly with the Lala acquisition, or with whatever Apple announces on 2010.01.27, but the executives will not talk about such things during the Monday conference call. Don’t waste your breath.

Nonetheless, someone needs to ask those executives, point blank, “How long do you believe the filter-and-review model for every application on your worldwide mobile platform is sustainable?” It is long past the stage where Apple can rationally claim that delays in reviewing apps for inclusion in the iTunes Store is just “growing pains.” Hiring more reviewers is a patch, a temporary relief but the wrong solution. Expansion has its limits: there are only so many rooms you can tack onto even the tackiest house before it comes tumbling down.

No one wants to use the word censorship because it’s ugly. It’s also correct. Can you imagine a market dominated by a single bookseller that demanded to read and review all books before they went on sale? The very concept is ridiculous. Even if you could hire enough readers to keep up with the flow of words, different reviewers would invariably differ on whether certain topics fit the criteria for inclusion or not. One reviewer would approve a book; another would refuse the same book, because everyone has a different concept of what even the strictest guidelines mean. (Ask a professional referee or umpire sometime if the rules can be written to remove “judgment calls.” Be prepared for laughter.)

The iTunes Store is a noble goal for iPhone and iPod touch users—one-stop shopping, easy installation, no headaches dealing with different merchants. It might work if Apple accepted all applications regardless of content, requiring only that developers accurately identify adult content clearly so it could be filtered out where desired or required by law, presuming that the filtering actually worked as it should.

We know that this model is barely holding together today, with more than 100,000 apps in the App Store. What happens when it’s 250,00 apps? Or a million? What happens when twice as many developers are submitting new or revised apps every day, never getting the same reviewer for this revision as for the last one? As was pointed out last August, if Apple’s claims in August of receiving 8,500 submissions every week for “more than 40 full-time trained reviewers,” when “at least two different reviewers study each application,” then presuming an eight-hour work day, it works out to somewhere in the neighborhood of five to seven minutes per reviewer per app. If Apple could double its trained review staff before it reached 17,000 submissions per week, they’d still have only 5-7 minutes per reviewer per app.

Apple doesn’t want to talk too much about this, but a big part of the company’s insistence on controlling the iPhone software pipe is to ban “bad” software. Not just malware, but software that accesses parts of the phone that carriers want to restrict. “Jailbroken” iPhones can use any carrier, which obviously interferes with the model of carriers subsidizing iPhone purchases and offsetting it with long service contracts. But since jailbroken phones have opened up the security model on the iPhone, such phones can theoretically access the cellular radio, allowing for mischief that Apple definitely wants to prohibit. You can understand that.

But then Apple started rejecting applications that may infringe on Apple’s intellectual property, that use forbidden APIs, or that try to replace Apple’s own built-in applications. To date, Apple has incorrectly rejected applications on all three grounds because different reviewers disagree on what does and doesn’t violate Apple’s guidelines. Some developers are publicly abandoning Apple’s mobile platform because developers don’t even know what those guidelines are, giving them almost no way to write to the guidelines, or even to argue that their applications don’t violate them.

There is no historical precedent for any long-term content creation and delivery model succeeding when all content must pass through a central clearinghouse, unless you want to call the repressed media in totalitarian countries “successful.” And don’t try to use Motion Picture Association of America movie ratings as your counter-example: you can still easily see, rent, or buy unrated movies even if larger theater chains won’t exhibit them. There is no legitimate way to install iPhone apps outside of the App Store, whose model cannot hold in the future. The review process is a Brobdingnagian pile of fail. Making the pile bigger will not make it better.

Everyone knows this, but Apple executives are never held to the hot seat over it. Ask them how this can possibly work in the long term, and don’t take “we think it will” for an answer. If there’s any historical precedent for how filtered content can succeed worldwide, Apple’s executives should be able to come up with it. If not, they can flatly state they’re trying to create such precedent and aren’t backing down from examining every single application that iPhone users are allowed to install, as ridiculous as that is on its face.

Building on guidelines

As I noted earlier, if analysts are reading this, then Apple’s executives probably are as well, so they may be prepared for the specific questions I propose. That’s great—if they give answers before anyone even asks them, it frees you analysts to ask other questions. Just follow the guidelines here. Avoid unannounced products and sales information about specific products; they’re not going to tell you. Don’t ask about future plans, with the exception of number of retail stores and any new planned flagship locations (but Peter Oppenheimer will probably tell you those before you can ask).

Do ask difficult questions about security, sustainable App Store growth, the effect of any widespread rumor on the company, and any real estate exposure. Do ask questions about numbers that are important to your models, as long as they’re not about individual product mixes, products by geography, or individual product margins. Apple’s execs will be happy to tell you what percentage of sales were direct sales to consumers (honestly, I’m not sure why Oppenheimer doesn’t include this in his preamble, as someone always asks), what factors into the company’s projections for gross margins in the next quarter, how the prices of components (both in the December and March quarters) affect the bottom line, and similar questions.

Apple loves to talk about iPod market share in countries around the world (as reported by third-party market research firms; the company never shares Apple’s internal data), or about what trends it saw in its retail stores with first-time buyers and sales per store. In fact, Apple is generally pleased to answer any question about the numbers in the results, as long as it doesn’t involve individual product mixes or margins, future products, or product sales by geography. And probably a couple of other exceptions I’m forgetting.

Be sure to ask if Apple has any update on its plans to change the “subscription accounting” used for iPhone and Apple TV revenues now that FASB guidelines allow (mandate, actually) a more straightforward accounting system that still allows Apple to deliver free software updates to owners of those products. Apple will adopt the new rules no later than the December 2010 quarter, and the sooner we all understand that, the sooner we can all avoid the quarterly dance with pro forma results showing what the numbers would be like if the company recognized all revenue during the quarter from iPhones sold during the quarter.

Apple’s execs have a story to tell with their results, and they’re more than willing to amplify the story with any data you need to understand it, as long as you don’t cross the line of “too specific about individual products or regions” or its twin line of “talking about future products.” Within those guidelines, be as tough as you want to be. Chances are good they’ll have extensive and comprehensive answers about markets, cash flow, cash position, and tons of other stuff that you analysts really want to know. Don’t be shy— just avoid the electrified rails.

Adapted with permission from the 2010.01.21 issue of MDJ, published by Copyright 2010, GCSF Incorporated. For a free trial to MDJ, visit the MacJournals Web site.

Subscribe to the Help Desk Newsletter