Pixel Envy

Written by Nick Heer.

RIP, the Outline

Leah Finnegan, the now-former executive editor at the Outline:

farewell @outline. we have all been laid off.

Rachel Hawley:

I cannot possibly stress how much The Outline changed the trajectory of my life. They were the first place to publish my writing. They were one of the last bastions of the off-the-wall mix of content that the Internet was made for. This is a huge loss.

Paul Blest, writing at Discourse:

This year, the coronavirus is going to join forces with longstanding, structural problems in the journalism business to wreck so many of the best websites and papers we read. Alt-weeklies, already dying, are going to be on life support by the end of this. Even the websites and papers that survive are going to be hit hard.

The Outline should be remembered as more than just an early casualty of the reckoning we’re about to face. I’m going to miss The Outline for selfish reasons; it gave my friends money, and it gave me money, and it gave writers I’d never heard of and now regularly read money, and now there’s one fewer website in the world that’s willing to give us money.

But I’m also going to miss it because, as Darren Rovell would say, the content was tremendous. The Outline was more than a survivor; it was a good website.

The Outline is one of those websites that I loved to the extent that it frustrated me on a nearly daily basis. It was a sort of extant limb of Gawker — another website that irritated as much as it delighted. But it was always for a good reason: these websites explored topics you might not expect from angles you would not see anywhere else. Sometimes, those angles were brilliant; other times, they made me roll my eyes. But the web is less good when it lacks venues for trying new, weird, earnest, and honest things. That, alone, is commendable. The Outline will be missed.

The NASA Worm Is Back — Sort Of

Far from just the best NASA logo, the “worm” has always been one of my favourite pieces of identity design. I welcome its return, but I wish it were not in such a limited capacity.

Zoom Responds

Eric Yuan, CEO of Zoom:

For the past several weeks, supporting this influx of users has been a tremendous undertaking and our sole focus. We have strived to provide you with uninterrupted service and the same user-friendly experience that has made Zoom the video-conferencing platform of choice for enterprises around the world, while also ensuring platform safety, privacy, and security. However, we recognize that we have fallen short of the community’s – and our own – privacy and security expectations. For that, I am deeply sorry, and I want to share what we are doing about it.

[…]

Over the next 90 days, we are committed to dedicating the resources needed to better identify, address, and fix issues proactively. We are also committed to being transparent throughout this process. We want to do what it takes to maintain your trust. This includes:

  • Enacting a feature freeze, effectively immediately, and shifting all our engineering resources to focus on our biggest trust, safety, and privacy issues.

I think this is a generally well-written, meaningful apology. The CEO of Zoom clearly feels awful about a week of previously undisclosed security and privacy vulnerabilities coming to the fore, and has a plan to address them. That’s promising.

But there’s still an air of defensiveness about this post. For example:

First, some background: our platform was built primarily for enterprise customers – large institutions with full IT support. These range from the world’s largest financial services companies to leading telecommunications providers, government agencies, universities, healthcare organizations, and telemedicine practices. Thousands of enterprises around the world have done exhaustive security reviews of our user, network, and data center layers and confidently selected Zoom for complete deployment.

However, we did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.

According to Yuan, Zoom’s call volume grew by twenty times in just a couple of months. It is understandable that some features, like its LinkedIn integration, do not translate well to non-enterprise contexts. But Zoom’s bigger problems — its false claims of end-to-end encryption, its malware-like installer, the webcam security problem exposed last year, and its vulnerability to malicious links — have nothing to do with Zoom’s scale. They are technical debts incurred by years of sloppy work.

Thomas Brewster, Forbes:

Towards the end of March, three of the American government’s key coronavirus response organizations spent a collective $1.3 million on videoconferencing tech from Zoom, a Forbes review of government contracts has found. That was despite widespread criticism of the app’s privacy and security.

The orders – from Centers for Disease Control and Prevention (CDC), the Federal Emergency Management Agency (FEMA) and the National Institutes of Health (NIH) – were all made in just a few days from March 23 to 26. They ranged in cost, the highest being $750,000, which the CDC ordered for hosting webinars on COVID-19. FEMA spent $320,000 on 1,500 Zoom software licenses, whilst CDC spent another $160,000 on Zoom webinar tech. An NIH contract at $90,000 also specified some Zoom licenses. They weren’t delivered directly by Zoom, but by partner government contractors CDW Government and Carahsoft Technology.

I am glad that Zoom is serious about addressing these flaws anyhow, but particularly so after learning that it is being used by these government agencies.

More on In-App Purchases for Amazon Prime Video

John Gruber dug into yesterday’s confusing Amazon Prime Video situation and, predictably, has created the most comprehensive explanation I’ve seen yet:

Why would Apple agree to this? Financially, Apple now gets a cut of some Prime Video rentals and purchases, and a recurring cut of new Prime Video subscriptions made in-app. And Apple TV users get all the benefits from the Prime Video app supporting AirPlay 2, universal search, and integration with the TV app that Apple is trying to make the default interface for watching shows and movies. Prior to this deal, Apple made nothing from Prime Video — it was a free app with no in-app purchases, and there was no way to subscribe to Prime Video through iTunes.

[…]

It’s a win for Apple, a win for Amazon, and a win for users in the Apple TV ecosystem.

It does seem like an all-around win. However, the question remains why this policy is something that is seemingly only available through channels not generally available to providers of comparable services, and why it so far seems to apply to just three service providers.

Amazon Prime Video Now Allows In-App Purchases and Rentals With Its Own Payment Method Thanks to Special Apple Entitlement

Nick Statt, the Verge:

Amazon’s Prime Video iOS and Apple TV apps now let customers make in-app purchases, including renting and buying films and TV shows. The change marks a huge shift in Amazon’s approach to the App Store, which mandates a 30 percent cut on all in-app purchases. Prior to the change, Amazon would not allow you to rent or buy content on the Prime Video app, instead, directing users to a web browser to avoid the App Store fee.

Now, when users log in to the Prime Video app, there should be a message reading, “Browse, rent, or buy new release movies, popular TV shows, and more — now within the app.” (Big thanks to George Watson, who tipped us off to this change.)

Ryan Jones:

Amazon Prime Video now avoids Apple’s payment system and ostensibly the 30% fee. You pay directly to Amazon.

Change was made server-side without an app update. This is huge news either way.

Guilherme Rambo:

The Prime Video app has a special “com.apple.storekit.request-data” entitlement. This reminds me of the “requestData” property on SKPayment, which has been “Reserved for future use” for a long time. Hmmmm…

Rambo isn’t kidding — that entitlement has been around since iOS 3.

Apple’s statement, as posted by Benjamin Mayo:

Apple has an established program for premium subscription video entertainment providers to offer a variety of customer benefits — including integration with the Apple TV app, AirPlay 2 support, tvOS apps, universal search, Siri support and, where applicable, single or zero sign-on. On qualifying premium video entertainment apps such as Prime Video, Altice One and Canal+, customers have the option to buy or rent movies and TV shows using the payment method tied to their existing video subscription.

This is bizarre, undocumented, and, as far as I can figure out, has never previously been acknowledged.

Apple’s statement does not seem to fully reflect exactly what is going on here. The features described as being part of an “established program for premium subscription video entertainment providers” — a phrase that, I think, needs more words — do not appear to be unique to apps that are allowed to bypass Apple’s in-app purchase mechanism. The Netflix app on tvOS, for instance, is part of universal search; CBC’s Gem app integrates with the Apple TV app but uses standard iOS in-app purchases, not its own. So those “benefits” are not unique to the listed apps: Prime Video, Altice One, and Canal+.

What does appear to be entirely unique to those apps is that they are allowed to bypass Apple’s in-app purchase regime, contrary to the App Store rules:

If you want to unlock features or functionality within your app, (by way of example: subscriptions, in-game currencies, game levels, access to premium content, or unlocking a full version), you must use in-app purchase. Apps may not use their own mechanisms to unlock content or functionality, such as license keys, augmented reality markers, QR codes, etc. Apps and their metadata may not include buttons, external links, or other calls to action that direct customers to purchasing mechanisms other than in-app purchase.

Why is Amazon Prime Video allowed to use a non-Apple payment method for its movie purchases and rentals, but not for subscriptions? Why is this entirely undocumented? Why did it take until today to enable this for Amazon Prime Video, and not something that has been available all along for the app?

Most of all, why has this notoriously immutable App Store rule turned out to be something that can be bypassed, if only by an invitation offered to a few apps?

Update: Apple provided a slightly different statement to the Verge stating that this new policy only applies to individual purchases, not subscriptions. No clarification was provided on how a developer would go about joining this program, though it seems like the “benefits” that Apple described in its statement — AirPlay support, universal search, and the like — are something a developer has to agree to integrate in order to get this special entitlement.

Among the Myriad Industries Harrowed by Coronavirus Effects, Journalism Is Uniquely Impacted

Todd Spangler, Variety:

Ad spending is falling off a cliff amid the COVID-19 pandemic — and Facebook and Google, the two heavyweights in digital advertising, are expected to bear the brunt of the downturn in terms of sheer dollars lost.

The two internet giants together could see more than $44 billion in worldwide ad revenue evaporate in 2020, Cowen & Co. analysts estimate. That said, both Google and Facebook will continue to be massively profitable even with double-digit revenue drops.

Craig Silverman, Buzzfeed News:

Many advertisers use lists of sensitive or controversial keywords to avoid placing ads — and spending their ad dollars — adjacent to content they consider unsafe for their brands. But the addition of coronavirus-related terms to these keyword blacklists has choked off revenue as publishers struggle to capitalize on soaring audiences amid catastrophic revenue declines.

[…]

In March, Integral Ad Science, an ad verification company that works with the brand to improve the quality of its ad placements, automatically blocked 309,726 — roughly 36% — of ads the brand attempted to place on the New York Times’ website. In January, only 3% were blocked, and in February, 6%. Thirty-four percent of the ads the company attempted to place on USA Today’s website were blocked in March, as were 45% of those on the Washington Post’s website, and 29% on CNN’s website. In total, nearly 2.2 million ads for the brand were blocked from appearing.

Daniel Bernhard, the Star:

Even before the COVID-19 crisis struck, private media outlets were so beleaguered that they required special tax assistance just to stay afloat. Despite this support, Postmedia and Torstar, Canada’s largest producers of daily newspapers, are in dire financial straits. As of Thursday, you could buy all Torstar stock for just $21 million. As the economic downturn intensifies and businesses of all sizes suffer horrendous financial consequences, the few advertising dollars that remain are drying up overnight.

For its part, the CBC is so underfinanced that it cancelled all local TV news broadcasts last week. In a video town hall with CBC employees, Barb Williams, executive vice-president of English services, said the move was necessary to keep the network from “fading to black.”

The bleak irony of the coronavirus pandemic is that it demands frequent and comprehensive coverage at all levels — local media is just as important as national media. But those articles are not being supported by big advertisers, many of which are resistant to their new products being promoted alongside articles about a global pandemic.

This effect is compounded by an overall spending pullback by advertisers, largely because the entire economy is, technically, in the shitter.

Drew Curtis of Fark:

Late last week, a fellow Farker who is CTO of an adtech company we’ve been working with closely hit me up with a warning. He said that as of last Thursday, they’re seeing industry-wide cancellations. Companies aren’t waiting until the 2nd quarter — they’re pulling ads -now- on existing deals. Understandable given the current situation, but it doesn’t help Fark at all.

Curtis, in a second post:

However, there’s more bad news — also last week the IAB, which is the primary trade group for online advertising among other things, released the results of a survey of ad buyers to try to figure out what effect the lockdown will have on ad revenues. The short version is it’ll be worse than 2008, which is pretty dire because in 2008, Fark’s revenue dropped to near zero. There’s more info and data from the IAB survey here.

It has become a cliché to say that we need great journalism now more than ever, and it is also untrue: we have always needed great journalism.

We desperately need local press that can tell us what is happening at city and regional levels, but the publications that are best positioned to cover this have long been dangling by a financial thread. Big and comparatively wealthy national publications, on the other hand, are necessary to see the broader scope of this pandemic, but stumble at effective reporting.

Practically every industry is going to suffer due to this pandemic. I cannot imagine ranking which organizations are more deserving of financial assistance than others. But it would be a horrific loss if media organizations were not a focus of some kind of help, plus a long-term plan to try to stabilize the industry.

U.S. Government Websites Give Bad Security Advice

Brian Krebs:

Many U.S. government Web sites now carry a message prominently at the top of their home pages meant to help visitors better distinguish between official U.S. government properties and phishing pages. Unfortunately, part of that message is misleading and may help perpetuate a popular misunderstanding about Web site security and trust that phishers have been exploiting for years now.

[…]

The text I have a beef with is the bit on the right, beneath the “This site is secure” statement. Specifically, it says, “The https:// ensures that you are connecting to the official website….”

Here’s the deal: The https:// part of an address (also called “Secure Sockets Layer” or SSL) merely signifies the data being transmitted back and forth between your browser and the site is encrypted and cannot be read by third parties.

However, the presence of “https://” or a padlock in the browser address bar does not mean the site is legitimate, nor is it any proof the site has been security-hardened against intrusion from hackers.

This is probably obvious to technically-literate readers like yourself, but I think this poor advice would make sense to many people. It’s exacerbated by browsers’ interfaces that emphasize the difference between HTTP and HTTPS connections. Visiting scripting.com, a staunch HTTP-only website, in Chrome and Safari will show a “Not Secure” badge in the address field. Visiting my HTTPS site, on the other hand, will show a nice little padlock instead that, when clicked in either browser, indicates that the connection is “secure” and “encrypted”.

Krebs:

Other federal sites — like dhs.gov, irs.gov and epa.gov — simply have the “An official website of the United States government” declaration at the top, without offering any tips about how to feel better about that statement.

There’s nothing preventing just anyone from claiming that they, too, operate an “official website of the United States government”. It is not helped by the U.S. government’s mixed use of .gov, .mil, .us, and .org domains, not to mention the many GitHub demos I found. Conversely, there are plenty of official U.S. government websites that do not display that notice: the FAA, OSHA, the Small Business Administration, and Recreation.gov, to name just a few.

Finally, I can’t work out why there are three different domains associated with the census: census.gov is fine, but 2020census.gov is kind of sketchy looking, and my2020census.gov — the actual website of the survey — is very sketchy looking. None of those websites share the same design language, and only the survey URL has the aforementioned “official website” notice. What a mess.

Update: It was possible to upload just about any file to fcc.gov as late as 2017, a capability which was predictably abused.
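Krebs’s point, that https:// says the connection is encrypted and nothing about who runs the site, worked through as an added example (not code from Krebs or from this site). It compares the check the banner text implies with a check on the hostname the browser will actually contact; every URL is a constructed sample, and treating only .gov and .mil as restricted suffixes is an assumption of the example.

```javascript
// Added example: what "https://" does and does not tell you about a URL.
// All URLs here are constructed samples; ".example" is a reserved test domain.

// Suffixes that only U.S. government bodies can register (assumption of this
// example). The .us and .org domains the post mentions are open to anyone,
// so they cannot be allow-listed the same way.
const RESTRICTED_SUFFIXES = [".gov", ".mil"];

// The check the banner implies: "https:// means you reached the official site".
function naiveIsOfficial(rawUrl) {
  return rawUrl.trim().toLowerCase().startsWith("https://");
}

// Separate the two questions: is the transport encrypted, and which host
// will the browser really connect to?
function assessUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl); // same WHATWG parser browsers use
  } catch {
    return { encrypted: false, host: null, hasUserinfo: false,
             restrictedDomain: false, verdict: "unparseable URL" };
  }

  const encrypted = url.protocol === "https:";
  // hostname excludes any "user:pass@" prefix and the port; drop a trailing root dot.
  const host = url.hostname.replace(/\.$/, "");
  // Text before "@" is a username, not a host, however much it looks like one.
  const hasUserinfo = url.username !== "" || url.password !== "";
  // The suffix must be the END of the real host, not a label in the middle.
  const restrictedDomain = RESTRICTED_SUFFIXES.some((s) => host.endsWith(s));

  let verdict;
  if (encrypted && restrictedDomain) {
    verdict = "encrypted, host is on a restricted government domain";
  } else if (encrypted) {
    verdict = "encrypted, but the host says nothing about who operates it";
  } else if (restrictedDomain) {
    verdict = "restricted government domain, but not encrypted";
  } else {
    verdict = "neither encrypted nor on a restricted domain";
  }
  return { encrypted, host, hasUserinfo, restrictedDomain, verdict };
}

// Constructed samples: one genuine-looking address and common lookalike shapes.
const SAMPLES = [
  "https://www.irs.gov/refunds",
  "http://www.irs.gov/refunds",
  "https://irs.gov.refund-status.example/login",     // .gov is a middle label
  "https://www.irs.gov@refund-status.example/login", // .gov is in the userinfo
  "https://irs-gov.example/",                         // hyphen, not a dot
];

// Put both checks side by side for each URL.
function compare(urls) {
  return urls.map((u) => ({ url: u, naive: naiveIsOfficial(u), ...assessUrl(u) }));
}

console.table(
  compare(SAMPLES).map(({ url, naive, host, restrictedDomain }) =>
    ({ url, naive, host, restrictedDomain }))
);
```

The scheme-only check passes four of the five samples; the hostname check passes one with HTTPS. A restricted suffix is still only evidence about who registered the name, and it cannot vouch for official sites hosted on other domains.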

Zoom Video Calls Are Not End-to-End Encrypted, Contrary to Its Public Claims

Micah Lee and Yael Grauer, the Intercept:

In Zoom’s white paper, there is a list of “pre-meeting security capabilities” that are available to the meeting host that starts with “Enable an end-to-end (E2E) encrypted meeting.” Later in the white paper, it lists “Secure a meeting with E2E encryption” as an “in-meeting security capability” that’s available to meeting hosts. When a host starts a meeting with the “Require Encryption for 3rd Party Endpoints” setting enabled, participants see a green padlock that says, “Zoom is using an end to end encrypted connection” when they mouse over it.

But when reached for comment about whether video meetings are actually end-to-end encrypted, a Zoom spokesperson wrote, “Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection.”

[…]

“When we use the phrase ‘End to End’ in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point,” the Zoom spokesperson wrote, apparently referring to Zoom servers as “end points” even though they sit between Zoom clients. “The content is not decrypted as it transfers across the Zoom cloud” through the networking between these machines.

Dan Moren, Six Colors:

In and of itself, this situation is raising a lot of questions, but what’s worse is that it’s part of a clear pattern with Zoom. Just this past week, the company’s iOS app was discovered to be sending information to Facebook without disclosing that in its privacy policy. Others have pointed out that its macOS installer also seems to have some shady behavior. And, of course, last year the company was found to be installing a secret local web server to bypass an Apple security restriction.

Lacking end-to-end encryption for video chat is not uncommon. What is unique to Zoom is that they’re lying about it in marketing materials by redefining “end-to-end encryption” to fit their needs.

Stuff like this — and the installer that runs on the preflight step instead of the correct installation step — are things that are so easy to get right. Zoom’s repeated failures would ordinarily only seem sloppy, but the web server that it installed last year created a massive security vulnerability which the company did not address for months. Zoom’s problems point to an entirely avoidable reckless culture.

Update: Oded Gal of Zoom:

In light of recent interest in our encryption practices, we want to start by apologizing for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption. Zoom has always strived to use encryption to protect content in as many scenarios as possible, and in that spirit, we used the term end-to-end encryption. While we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it. This blog is intended to rectify that discrepancy and clarify exactly how we encrypt the content that moves across our network.

Zoom continues to market its product as having “end-to-end encryption for all meetings”, which simply isn’t true.

Dark Sky Has Been Acquired by Apple, Announces Discontinuation of Widely-Used API

Adam Grossman of Dark Sky:

Today we have some important and exciting news to share: Dark Sky has joined Apple.

[…]

Our API service for existing customers is not changing today, but we will no longer accept new signups. The API will continue to function through the end of 2021.

Dark Sky’s API is used by loads of apps you know — Carrot, Weather Line, and Hello Weather are just a few examples — but also organizations like conEdison, NASA’s Jet Propulsion Laboratory, and JCDecaux for its outdoor advertisement installations.

Via John Voorhees at MacStories:

Dark Sky’s announcement comes as a surprise, but it certainly makes sense from Apple’s perspective. Weather data is notoriously expensive and Dark Sky has some of the most accurate forecast data for many parts of the world, which undoubtedly made it an attractive acquisition. It will be a shame to see their data disappear from third party apps.

It’s not just expensive — weather data is a privacy concern as well. Last year, the city attorney of Los Angeles sued IBM, accusing their Weather Channel app of surreptitiously mining user data for purposes other than the app stated. Apple’s own Weather iOS app and MacOS widget also rely on Weather Channel data, which wasn’t implicated in the lawsuit. But it remains unclear if any data provided by users of either the app or widget was subject to the same privacy violations as the company’s own app.

Even though the Dark Sky API will be shutting down, it is possible that iOS and MacOS apps will soon have a native weather API.

It’s All So Premiocre

Amanda Mull, the Atlantic:

As with many aesthetically pleasing food trends that have thrived in the era of constant internet access, the value of a deluxe cupcake isn’t necessarily in its physical consumption. Instead, it’s more like an edible Gucci logo belt, or a sprinkle-topped boutique hotel with a beautifully decorated lobby bar and painfully cramped showers. These goods are the least expensive way to gain temporary entry to a particular consumer class — for example, Gucci belts cost $450, while one of the brand’s bags could easily set you back $3,500. The brand’s belts are not any better at belting than many far less expensive options, but they provide a conduit for a person of middling means to transport herself into the lavish life she wants, if only within the highly edited confines of a carefully staged Instagram photo.

Crumbs Bake Shop expanded to 79 locations in the United States before it went out of business in 2014, but the value system that enabled it remains: A plethora of subpar options is the foundation of modern shopping. Most Millennials were too young to get a foothold in the economy before it fell out from under them, and now, confronted with the precariousness of working- and middle-class life in the decade after the Great Recession, the most many can do is playact modern success for as long as possible while hoping the real thing happens eventually.

All of the faux-Eames chairs the internet tried to sell me are props for this Kabuki theater: things you buy because they’re masquerading as more exceptional than they are. Some of these products are perfectly good at fulfilling their function, but they paper over a problem of class mobility that consumer choices can’t change. The market has looked upon the people it serves and said, “Let them eat cupcakes.”

Maya Kosoff, Marker:

Until a few weeks ago, when a very different picture emerged of Outdoor Voices. The Business of Fashion reported that for all of the startup’s apparent growth and cachet — including 11 stores in cities like Los Angeles and Nashville — the company “continues to lose money on customer acquisition.” According to BoF, Outdoor Voices was hemorrhaging up to $2 million per month last year on annual sales of around $40 million. Its executives also seemed to be bailing out on a company in a tailspin. The new president Haney had managed to lure last year from Nike lasted only a few months, and Drexler left the board. The startup was able to get a new cash infusion from the company’s investors, but at a lower valuation than previous rounds. On February 25, CEO Haney sent a Slack message to her hundreds of employees: “with heartbreak, I have tendered my resignation,” BuzzFeed News reported. In the wake of her departure, she wrote, there would also be layoffs, and Cliff Moskowitz, the president of a fashion-oriented private-equity firm, would take over as interim CEO.

The news could be interpreted simply as an unfortunate isolated incident — an inexperienced founder who mismanaged her way into overspending. But for anyone familiar with the harsh realities of the [direct to consumer] model, it’s an affirmation of something much more fundamental: Once you get past all the shiny objects in the DTC category — the plump VC rounds, the sleek sans serif designs, the experiential storefronts in hot retail locations, the podcast ad blitzes — it turns out it’s extremely difficult to actually make the economics work.

I remember when DTC startups were touting that their lack of a physical storefront is one reason they were able to offer their products for less. It turns out that people want to try mattresses and clothing in person. Who knew?

Getting a Copy of Your Clearview AI Profile

Thomas Smith, OneZero:

What does a Clearview profile contain? Up until recently, it would have been almost impossible to find out. Companies like Clearview were not required to share their data, and could easily build massive databases of personal information in secret.

Thanks to two landmark pieces of legislation, though, that is changing. In 2018, the European Union began enforcing the General Data Protection Regulation (GDPR). And on January 1, 2020, an equivalent piece of legislation, the California Consumer Privacy Act (CCPA), went into effect in my home state.

[…]

Within a week of the Times’ expose, I submitted my own CCPA request to Clearview. For about a month, I got no reply. The company then asked me to fill out a web form, which I did. Another several weeks passed. I finally received a message from Clearview asking for a copy of my driver’s license and a clear photo of myself.

I provided these. In minutes, they sent back my profile.

Companies like Clearview AI are the next level of the kind of “data enrichment” firm that suffered a massive data breach last year. After that breach, I submitted requests to every big data enrichment company I could find to see what they had on me. Many had nothing, but a few had built extremely accurate profiles of me based solely on whatever they could scrape. I had never heard of these companies; I had to ask them, individually, to delete anything they had on me.

Safari and Progressive Web Apps

Aral Balkan is one of many developers who have raised concerns about Apple’s just-released update to Safari:

Block all third-party cookies, yes, by all means. But deleting all local storage (including Indexed DB, etc.) after 7 days effectively blocks any future decentralised apps using the browser (client side) as a trusted replication node in a peer-to-peer network. And that’s a huge blow to the future of privacy.

Ignoring the whataboutism that Balkan invokes with regards to Apple News — which, as far as I can tell, is not a fair representation — and the App Store, this is a reasonable question: are web apps that use local storage now impossible to build?

John Wilander of Apple’s WebKit team updated the announcement to clarify:

As mentioned, the seven-day cap on script-writable storage is gated on “after seven days of Safari use without user interaction on the site.” That is the case in Safari. Web applications added to the home screen are not part of Safari and thus have their own counter of days of use. Their days of use will match actual use of the web application which resets the timer. We do not expect the first-party in such a web application to have its website data deleted.

This change effectively creates a distinction between web apps that users run by typing in a URL, and web apps that users run by tapping an icon pinned to their home screen.

I get why this [upsets some developers], and that progressive web app technologies are used on websites that are not web apps. But I suspect that the real-world impact of this will be felt little by users compared to the frequent misuse of these technologies for tracking purposes.

John Bergmayer:

Amazing the number of developers who think “Oh yeah, of course every web page you visit should be a full-fledged app that has permanent storage on your computer”.

I still think it’s remarkable that you can visit a webpage and somehow your web browser will dumbly execute literally every valid command written by the developer. It is often magical; it is also indicative of developer hubris to decide that everything they do is right and just.

Improvements to Tracking Prevention in Safari 13.1 on MacOS, and Safari on iOS and iPadOS 13.4

Reading through these release notes reveals the many ways providers of analytics and tracking scripts attempt to evade the restrictions of Intelligent Tracking Prevention. It is an arrogant and disrespectful practice — an assumption that the browsers that default to allowing tracking everywhere are correct, and that browsers that choose different defaults are wrong. It is, after all, an option in Safari: users who want to allow cross-site tracking can disable ITP.

John Wilander of Apple’s WebKit team provides just one example:

Some trackers have started to delay their navigational redirects, probably to evade ITP’s bounce tracking detection. This manifests as the webpage disappearing and reloading shortly after you land on it. We’ve added logic to cover such delayed bounce tracking and detect them just like instant bounces.

The workaround that these trackers invented is detrimental to users’ browsing experience — nobody wants a page to load twice — all just to make it a little bit easier to track users across the web against their will.

The only comparison I can think of, in terms of software that is constantly changed to fight against attempts to detect and eradicate it, is malware.

The New iPad Pro Models Are Iterative Updates on the Last Generation, and Everybody Really Wants to Try the New Magic Keyboard

Joe Rossignol, MacRumors:

The first reviews of the new iPad Pro have hit the web and we’ve rounded them up below.

Given that trackpad support is coming to all modern iPad models with iPadOS 13.4, set to be released later today, the actual hardware changes to the 2020 iPad Pro are rather minor. Reviews confirm that the device’s new A12Z Bionic chip has very similar CPU performance as the previous A12X chip, and beyond that, the only additions are an Ultra Wide camera, LiDAR scanner, and better sounding microphones.

John Gruber:

In short, if you’re an AR junkie, you should jump all over the new iPad Pro. If you’re not an AR junkie — which is to say the overwhelming majority of you — well, it’s not that big a deal. I don’t mean to be dismissive of AR and ARKit. I think an AR revolution is coming, and the whole “use your iPhone and iPad as ARKit devices” effort on Apple’s part — and it’s a massive effort — is laying the groundwork for an AR-first device to hit the ground running with developer support from day one. But are there really people for whom ARKit-powered apps are so important right now that they’ll upgrade to a new iPad just for lidar support? I suppose the answer is yes — for example, developers working on ARKit apps and games. But for most people the answer is clearly no.

Off the top of my head, I can’t think of another time when new camera hardware or features from Apple debuted on a non-iPhone device.

In his review for the Verge, Dieter Bohn says that lidar is cool, but it’s one more piece of hardware for a software world that doesn’t exist yet. The new iPads also maybe possibly have 6 GB of RAM apiece, too — not just the high-end models. Both of these things continue a years-long narrative about the iPad as a product category: the hardware outpaces the software by years. There’s a good argument to be made that, because people will be using these things for a very long time, it makes sense to give them hardware that will allow for plenty of growth. But it also means that there’s little to try this new stuff with out of the box, and its future viability depends on developer support.

That includes Apple. It has released an updated version of ARKit that allows developers to take advantage of the special qualities of the lidar sensor in these new iPads. Presumably, some new iPhones released later this year will have the same capabilities, and it looks like it makes a huge difference in the accuracy and reliability of augmented reality software.

Matthew Panzarino, TechCrunch:

Currently, iPadOS is still too closely tethered to the sacred cow of simplicity. In a strange bout of irony, the efforts on behalf of the iPad software team to keep things simple (same icons, same grid, same app switching paradigms) and true to their original intent have instead caused a sort of complexity to creep into the arrangement.

The current system of inscrutable gestures and indeterminate window focus reads, to me, like a lack of confidence in the iPad’s ability to grow and change. I don’t know that Panzarino’s ideas are the correct solution, but they are ideas that help solve multitasking on the iPad for its unique context.

The trackpad and mouse support in iPadOS 13.4 is, similarly, a change that shows renewed confidence in the iPad as a discrete platform. It is a welcome upgrade to a project that began as an accessibility feature that combines references to traditional computer interfaces with a smart reconsideration of how it ought to behave in a touch environment. I don’t think I would want an iPad-style cursor in MacOS, but I also would not want to see a Mac-style cursor on an iPad. Neither makes sense outside of its context.

On that note, a consistent thread in all of these reviews is that the new Magic Keyboard accessory is the real news in iPad World. But, because it won’t be shipping for several weeks, and there is no way to do a remote hands-on area for equally remote press briefings, nobody has tried it yet. The good news is that, unless you need lidar hardware, there are few changes over the 2018 iPad Pro models, which you can pick up for a significant discount. And the Magic Keyboard is compatible with those models as well.

Magic Mailboxes

Chris Hynes:

I worked on the Mail team from just before Public Beta thru Tiger. One of my proudest achievements on the team (and at Apple) was brainstorming with my team members and pushing an idea we internally called Magic Mailboxes and eventually became called Combined Mailboxes.

[…]

For this example, I’m going to presume that a novice user has one account, probably a POP account. Here’s what it looked like in Mail.

[…]

As you add more and more accounts, this model falls apart. With three accounts, you have 3 inboxes, 3 drafts, 3 trashes, and so on.

I’ve tried probably half a dozen alternative email clients over the years, but I keep coming back to Apple’s on MacOS and iOS. One reason has been its long-time support for unified mailboxes. I have an indefensible number of email addresses and this is essential for my use.

This is a typically great piece from Hynes. If you haven’t subscribed to Tech Reflect yet, you’re missing out on an insightful behind-the-scenes look at some of the software you use daily.

We Could Just Ban Targeted Advertising

Gilad Edelman, Wired:

The thinking goes like this. Google and Facebook, including their subsidiaries like Instagram and YouTube, make about 83 percent and 99 percent of their respective revenue from one thing: selling ads. It’s the same story with Twitter and other free sites and apps. More to the point, these companies are in the business of what’s called behavioral advertising, which allows companies to aim their marketing based on everything from users’ sexual orientations to their moods and menstrual cycles, as revealed by everything they do on their devices and every place they take them. It follows that most of the unsavory things the platforms do — boost inflammatory content, track our whereabouts, enable election manipulation, crush the news industry — stem from the goal of boosting ad revenues. Instead of trying to clean up all these messes one by one, the logic goes, why not just remove the underlying financial incentive? Targeting ads based on individual user data didn’t even really exist until the past decade. (Indeed, Google still makes many billions of dollars from ads tied to search terms, which aren’t user-specific.) What if companies simply weren’t allowed to do it anymore?

Don’t think of this as a flip-a-switch instant fix for all that ails the web; think of it as cutting out the junk food and taking up jogging.

This piece is deeply researched and well worth your time. One thing that stood out to me is the vehement defence by advertising types of personalization, as though they cannot envision an effective ad that does not depend on creepy targeting. Any time they have been questioned about personalization, ad industry representatives love to threaten that it will financially cripple the web. But, as Edelman notes, targeted advertising is a recent invention, and there’s little indication that non-personalized ads are less effective or lucrative.

A New ‘Get Up’ Weekly Playlist Is Available in Apple Music

Igor Bonifacic, Engadget:

Apple is trying something new to keep people’s spirits up during the coronavirus pandemic. In Apple Music, it’s introducing a new algorithmic playlist called the Get Up! Mix that the company says is full of “happy-making, smile-finding, sing-alonging music.” With the help of human editors, it will update the playlist each week with new songs. Think: Discovery Weekly, but with a focus on playing tunes that will encourage good vibes — though there’s the promise of discovering new music as well.

Mine is chock full of the “happy-making” tunes of Death Grips and Show Me the Body, and the “smile-finding” sound of Radiohead and Joy Division. Your mileage may vary. Good vibes only.

Zoom’s Attention-Tracking Feature Is Ripe for Misuse

Mehreen Kasana, Input:

With bosses increasingly requiring their workers to turn to remote conferencing, Zoom gives administrators full power to track attendees’ attention with an indicator that points out when a participant doesn’t have the app “in focus” for more than 30 seconds. Privacy organizations like EPIC have previously criticized this tool in an official complaint to the Federal Trade Commission, noting that it bypasses browser security and gives access to users’ web cameras without their knowledge.

D’Arcy Norman has an excellent walkthrough of Zoom’s preferences, including how to turn this feature off. It’s possible to turn it off organization-wide — slip your IT department a pack of decent beer and I’m sure that can happen.

Samantha Cole, Vice:

On Twitter, people are finding ways to use the Zoom Rooms custom background feature to slap an image of themselves in their frames. You can record a short, looping video as your background, or take a photo of yourself looking particularly attentive, depending on the level of believability you’re going for. Zoom says it isn’t using any kind of video or audio analysis to track attention, so this is mostly for your human coworkers and boss’ sake. With one of these images on your background, you’re free to leave your seat and go make a sandwich while your boss thinks you’re still there paying attention.

It’s like the security camera trick from every heist movie. Just be careful not to walk back into the frame.

Harnessing Our Existing Surveillance Capitalist Infrastructure for Good Instead of Evil

Natasha Singer and Choe Sang-Hun, New York Times:

As countries around the world race to contain the pandemic, many are deploying digital surveillance tools as a means to exert social control, even turning security agency technologies on their own civilians. Health and law enforcement authorities are understandably eager to employ every tool at their disposal to try to hinder the virus — even as the surveillance efforts threaten to alter the precarious balance between public safety and personal privacy on a global scale.

Yet ratcheting up surveillance to combat the pandemic now could permanently open the doors to more invasive forms of snooping later. It is a lesson Americans learned after the terrorist attacks of Sept. 11, 2001, civil liberties experts say.

Maciej Cegłowski:

The most troubling change this project entails is giving access to sensitive location data across the entire population to a government agency. Of course that is scary, especially given the track record of the Trump administration. The data collection would also need to be coercive (that is, no one should be able to opt out of it, short of refusing to carry a cell phone). As with any government surveillance program, there would be the danger of a ratchet effect, where what is intended as an emergency measure becomes the permanent state of affairs, like happened in the United States in the wake of the 2001 terrorist attacks.

But the public health potential of commandeering surveillance advertising is so great that we can’t dismiss it out of hand. I am a privacy activist, typing this through gritted teeth, but I am also a human being like you, watching a global calamity unfold around us. What is the point of building this surveillance architecture if we can’t use it to save lives in a scary emergency like this one?

The lack of legal separation of the widely useful attributes of the universal tracking we all endure from its usual implementation in targeted advertising — or its potential in powering a dystopian police state — is a massively consequential failure. It may have been possible to gain acceptance for this moderate intrusion of privacy if there were some framework of trust.

Alas, no such assurance is in place and users’ trust has badly been abused, so it’s understandable why so many are treating this as a horrible idea.

The Great Empty

I am sure many of us are feeling the effects of being encouraged to self-isolate, but there’s nothing quite like seeing a dearth of people in usually packed spaces. Haunting as they are, these pictures also indicate the effectiveness of the isolation strategy.

Counterweighting a Cantilever

I really liked this piece by Dr. Drang:

I’m sure the new iPad Pro will be great, but what every iPad Pro user is eager to learn more about are the pointer control enhancements in iPadOS 13.4 and the new Magic Keyboard with its “floating cantilever” design. What I’m most interested in is the stability of iPad when it’s mounted on the Magic Keyboard and how much weight Apple added to the keyboard to achieve that stability.

One thing seems clear: the Magic Keyboard will weigh significantly less than the Brydge Pro+. We would have guessed that anyway, based on Apple’s longstanding obsession with thickness and weight, but the images of the Magic Keyboard show us conceptually how Apple is solving the stability problem.

I can’t wait to try one of these things in person.

What About the 13-Inch MacBook Pro?

Chance Miller, 9to5Mac:

At this point, the 13-inch MacBook Pro is the only Apple laptop still sold brand-new with the butterfly keyboard. The 15-inch MacBook Pro was updated in November to become the 16-inch MacBook Pro with the new Magic Keyboard. The 12-inch MacBook was discontinued last year as well.

With the MacBook Air’s transition to Magic Keyboard now out of the way, the 13-inch MacBook Pro is surely next on the docket. Reliable Apple analyst Ming-Chi Kuo has said that Apple is accelerating its MacBook refresh plans, and that we should expect a new 13-inch MacBook Pro with the Magic Keyboard during the first half of this year.

I tend to think that the MacBook Pro range is comprised of laptops of similar purpose, available in two different sizes — but that’s not the case. The 13-inch model has long been a junior version of its bigger sibling in more ways than just size. It has never been offered with dedicated graphics memory, for example, and the first two generations of the Touch Bar model had two slower Thunderbolt ports. By that standard, it makes some sense that the 13-inch MacBook Pro was not updated at the same time as the 16-inch.

But, on the other hand, it now stands out as the Mac model nobody should buy. It is now the One With the Bad Keyboard — the only one that is sold, brand new, with automatic coverage from the company’s keyboard service program. There is certainly an update in this Mac’s near future, but it is awkward that it was not released alongside either of the new MacBook models.