Day: 8 March 2018

In Defence of Surfing the Insecure Web

Dave Winer opposes Google’s plan to effectively deprecate HTTP by discriminating against non-HTTPS websites in Chrome:

I don’t think the explosion is over. I want to make it easier and easier for people to run their own web servers. Google is doing what the programming priesthood always does, building the barrier to entry higher, making things more complicated, giving themselves an exclusive. This means only super nerds will be able to put up sites. And we will lose a lot of sites that were quickly posted on a whim, over the 25 years the web has existed, by people that didn’t fully understand what they were doing. That’s also the glory of the web. Fumbling around in the dark actually gets you somewhere. In worlds created by corporate programmers, it’s often impossible to find your way around, by design.

The web is a social agreement not to break things. It’s served us for 25 years. I don’t want to give it up because a bunch of nerds at Google think they know best.

Mozilla has indicated that they are doing the same. But Eric Mill wrote a piece a couple of years ago about this very topic, and he appreciates the deprecation of HTTP:

I understand the fear of raising the barriers to entry. As a child, I too fell in love with an internet made by everyone, and have spent my career, my volunteer work, and my hobbies trying to share what that love has taught me. I want children everywhere in the world to grow up feeling like the internet that permeates their lives is also in their service — a lego set in real life that you can buy with a week’s allowance.

Yet as an adult, I also understand that power for ordinary people is hard to come by and hard to keep. The path of least resistance for human society is for money to buy more money, and might to demand more might. Democracy is designed not so much to expand freedom as it is to give people tools to desperately hold onto the freedom they have.

Put another way: power has a way of flowing away from the varied, strange, beautiful little leaf nodes on the outer edges and into the unaccountable, unimaginative, ever-hungry center.

Mill actually uses the enforcement of HTTPS by browser vendors as a knock against big companies like Verizon and Comcast that inject ads into HTTP-served websites, and spy agencies like the NSA and the GCHQ:

What animates me is knowing that we can actually change this dynamic by making strong encryption ubiquitous. We can force online surveillance to be as narrowly targeted and inconvenient as law enforcement was always meant to be. We can force ISPs to be the neutral commodity pipes they were always meant to be. On the web, that means HTTPS.

As Mill points out in his article, there are great reasons to add an HTTPS certificate to a website that has no interactive elements beyond links. It makes sense to me to generally prefer HTTPS going forward, but I have concerns about two browser vendors working to effectively eliminate the non-HTTPS web; or, at least, to put barriers between it and users.

I like the way Firefox attempts to educate users directly adjacent to insecure password fields; I also don’t mind the way Chrome handles notifications of HTTP-only webpages today. But the changes coming in July that will mark all HTTP webpages as “not secure”, and that will make a large — if hardly-trafficked — part of the web feel like it’s diseased. And what will Google do in the future, I wonder? If they’re going to progressively increase their warnings on HTTP webpages, what’s next?

I also agree with Winer on another key point: enforcing a pseudo-mandatory policy on HTTPS makes it that much harder for someone new to this stuff to even begin to understand it. As Frank Chimero recently wrote, building stuff for the web has become vastly more complicated since even five years ago. I’m happy to keep learning new skills and growing my understanding of what the web can do, but I don’t know where to begin on this modern web. I don’t intend to hold myself up as a barometer of the complexities of modern web programming or anything — I just don’t know what’s going on any more. I’ve been doing this stuff for nearly twenty years. I don’t know how someone who is eight years old could start digging into React, or Node.js, or any of the other modern JavaScript-based ways of writing <h1>hello world</h1>.

I’m sure the kids will figure it out — they always do. However, I worry that introducing more requirements, even something as simple as HTTPS, can be discouraging. That’s the last thing HTTP/HTML web should be: discouraging. It is one of the greatest enablers of communication in human history. Let’s not allow its future to be dictated by browser vendors.

Or, in Mill’s language: let’s make sure we encourage building more leaf nodes by making their creation easier and more fun, instead of allowing a much stronger centre to form.

The Ways in Which Facebook Builds User Data Profiles for Targeted Advertising t.co

Joanna Stern, Wall Street Journal:

A conspiracy theory has spread among Facebook and Instagram users: The company is tapping our microphones to target ads. It’s not.

[…]

I believe them, but for another reason: Facebook is now so good at watching what we do online — and even offline, wandering around the physical world — it doesn’t need to hear us. After digging into the various bits of info Facebook and its advertisers collect and the bits I’ve actually handed over myself, I can now explain why I got each of those eerily relevant ads. (Facebook ads themselves offer limited explanations when you click “Why am I seeing this?”)

Advertising is an important staple of the free internet, but the companies buying and selling ads are turning into stalkers. We need to understand what they’re doing, and what we can — or can’t — do to limit them.

Think about how quickly we’ve accepted this as the new normal, and why. Do we really prefer highly-specific advertising, as Facebook and Google say we do, or is it simply very creepy? Even if you don’t have a Facebook or Google account, you’re using Safari — which limits ad tracking by default — and have all sorts of silly settings to limit your exposure to trackers, there are still an extraordinary number of ways that your information can be acquired for highly-targeted advertising, almost always without your explicit permission.

California Becomes Eighteenth State to Introduce ‘Right to Repair’ Legislation motherboard.vice.com

Jason Koebler, Vice:

“The Right to Repair Act will provide consumers with the freedom to have their electronic products and appliances fixed by a repair shop or service provider of their choice, a practice that was taken for granted a generation ago but is now becoming increasingly rare in a world of planned obsolescence,” Susan Talamantes Eggman, a Democrat from Stockton who introduced the bill said in a statement.

The announcement had been rumored for about a week but became official Wednesday. The bill would require electronics manufacturers to make repair guides and repair parts available to the public and independent repair professionals and would also would make diagnostic software and tools that are available to authorized and first-party repair technicians available to independent companies.

I’m intrigued by this wave of “right to repair” legislation — much of which has been pushed by Repair.org, a repair industry trade group — but I’m curious about what parts must be repairable, especially in consumer electronics. The full text of the California bill hasn’t been posted publicly, as far as I can see, but Minnesota’s has and it’s fairly nonspecific. I’m all for batteries being designed to be more replaceable, even if it takes popping a few screws out, but what about trickier components, like chips that are soldered to the board? Would a manufacturer be required to provide full board component repairability, or just the ability to replace the board itself?

Selfishly, I hope this legislation leads to more upgradable MacBooks, especially the Pro. I don’t think a professional notebook designed to last several years should have its internal storage capacity capped at time of purchase.

Notes on Analytics and Tracking in Onavo Protect for iOS medium.com

Will Strafach:

Recent media coverage of Onavo Protect encouraged me to investigate the code for the iOS version of their app. I wanted to determine what types of data is collected in addition to the alleged per-app-MAU tracking performed server-side.

I found that Onavo Protect uses a Packet Tunnel Provider app extension, which should consistently run for as long as the VPN is connected, in order to periodically send the following data to Facebook (graph.facebook.com) as the user goes about their day:

  • When user’s mobile device screen is turned on and turned off

  • Total daily Wi-Fi data usage in bytes (Even when VPN is turned off)

  • Total daily cellular data usage in bytes (Even when VPN is turned off)

  • Periodic beacon containing an “uptime” to indicate how long the VPN has been connected

If I’m reading this right, Strafach hasn’t found indications — yet? — that Onavo sends app usage data to graph.facebook.com, but we know Onavo collects that data.

What he has found so far doesn’t appear to be nearly that intrusive, but it’s also bizarre. For example, why does Facebook need to know when your phone’s display is on?

Tangentially, Onavo’s behaviour is the kind of thing I wish App Review was more strict towards. There’s perhaps a thin line between analytics packages that developers sometimes use and what Onavo does; similarly, there’s a thin line between Onavo’s data collection and Facebook’s entire business model. But this app is just skeevy — it buries its Facebook affiliation1 and data gathering behind a different brand and the promise of protecting you from phishing.

  1. The only mention of Facebook on their website is on the about page, and in the App Store, the Facebook affiliation is in a large paragraph of text in the initially hidden area of the app description. ↥︎