Marketing materials and documents obtained by ACLU affiliates in three states reveal a product that can be readily used to violate civil liberties and civil rights. Powered by artificial intelligence, Rekognition can identify, track, and analyze people in real time and recognize up to 100 people in a single image. It can quickly scan information it collects against databases featuring tens of millions of faces, according to Amazon.
Amazon is marketing Rekognition for government surveillance. According to its marketing materials, it views deployment by law enforcement agencies as a “common use case” for this technology. Among other features, the company’s materials describe “person tracking” as an “easy and accurate” way to investigate and monitor people. Amazon says Rekognition can be used to identify “people of interest” raising the possibility that those labeled suspicious by governments — such as undocumented immigrants or Black activists — will be seen as fair game for Rekognition surveillance. It also says Rekognition can monitor “all faces in group photos, crowded events, and public places such as airports” — at a time when Americans are joining public protests at unprecedented levels.
This isn’t a terrific report. It is pretty light on details, skimming over more technical aspects of Google’s dominance: Google Chrome isn’t mentioned even once, despite being the world’s most popular web browser, and neither was the company’s mischievous bypassing of iPhone users’ privacy settings. While that may be a function of its allotted running time, Google’s behaviours deserve a much deeper dive.
Nevertheless, I think this exchange is worth paying attention to:
Gary Reback: Google makes the internet work. The internet would not be accessible to us without a search engine.
Steve Kroft: And they control it.
Gary Reback: They control access to it. That’s the important part. Google is the gatekeeper for— for the World Wide Web, for the internet as we know it. It is every bit as important today as petroleum was when John D. Rockefeller was monopolizing that.
While European antitrust regulators have reacted to Google’s dominance, American regulators have been reluctant to do so, even after Google’s acquisition of DoubleClick. What are they waiting for?
Yesterday, I linked to Joseph Cox’s report for Vice concerning Securus’ weak safeguards protecting access to its software that monitors the real-time location of cellphones. While I was writing it, I couldn’t help but think that there isn’t much worse it could get, right? Well, what about if a similar location tracking application had no security — at all?
LocationSmart, a U.S. based company that acts as an aggregator of real-time data about the precise location of mobile phone devices, has been leaking this information to anyone via a buggy component of its Web site — without the need for any password or other form of authentication or authorization — KrebsOnSecurity has learned. The company took the vulnerable service offline early this afternoon after being contacted by KrebsOnSecurity, which verified that it could be used to reveal the location of any AT&T, Sprint, T-Mobile or Verizon phone in the United States to an accuracy of within a few hundred yards.
There’s a lot about this that’s pretty outrageous, but I think the most alarming aspect of this is that a company most of you have probably only just heard of has access to your phone’s live location, and they’ve never asked you if that’s okay.
Dan Primack of Axios found Google’s demo of Duplex a little fishy:
When you call a business, the person picking up the phone almost always identifies the business itself (and sometimes gives their own name as well). But that didn’t happen when the Google assistant called these “real” businesses:
When the hair salon picks up, a woman says: “Hello, how can I help you?”
When the restaurant picks up, a woman says: “Hi, may I help you?”
Axios called over two dozen hair salons and restaurants — including some in Google’s hometown of Mountain View — and every one immediately gave the business name.
There also does not seem to be ambient noise in either recording, such as hair dryers or plates clattering. We heard that in most of the businesses we called, but not in all.
Google CEO Sundar Pichai insisted three times that these calls were real, but these discrepancies should be answered. If these calls were edited, even just to remove the business name to limit publicity, Google hasn’t said. Very strange.
Finally, neither the hair salon nor the restaurant ask for the customer’s phone number or any other contact information.
Primack also included this as a reason why the calls seemed suspicious, but I disagree. The hair salon asked for the customer name; I don’t usually book my haircuts, but when I do, they don’t ask for contact information. The restaurant didn’t need to ask for contact information because the staff member answering the phone said that no reservations would be accepted for Duplex’s party size.
Regardless of whether the Duplex demo was real or not, I keep wondering why Google didn’t target it to businesses first. People are used to talking to robots when calling businesses and some might even prefer it.
As a demo, it’s pretty cool, though somewhat less compelling to me as a recording rather than a live preview. But as an actual consumer service offering, I’m not sure I get it in its current guise. While Pichai said that 60% of American businesses don’t have an online booking system, that number has been dropping and, though I doubt it will hit zero, their pitch is to a temporary and shrinking market.
But as a business product, like Wellborn describes, it makes more sense to me. Why not have a robot handle reservations? As Sarah Jeong said on Twitter, this is only a product “because we treat service industry people like robots” anyway, unfortunately.
But that’s only if we feel like Duplex is limited to making bookings. Over time, it will of course become more capable. Like they do for the web, Google is already crawling the real world with things like Street View and AI-powered verification of business details. What’s next?
Yesterday’s announcement of API changes and pricing may have been foreshadowed six years ago, but it’s still hard to be facing what looks like the slow turning of the screw on third-party Twitter clients.
Speaking of the influence Twitter’s API changes are having on third parties, Tim Haines has announced that Favstar is shutting down:
Favstar started in May 2009, and in its early years was a huge hit with people new to Twitter, up-and-coming comedians, tech folk, reporters, celebrities, and people looking for a quick route to the best tweets. You could visit Favstar, and almost be guaranteed a laugh, whatever your sense of humor.
Favstar will go offline on June 19th 2018.
Haines’ announcement comes just shy of the two year anniversary of Stellar.io’s goodbye, which had a similar purpose. I miss Stellar, and I’ll miss Favstar greatly.
Twitter hasn’t cared about their ecosystem of third-party apps for ages. Unfortunately, they are often the best way to experience Twitter.
A hacker has broken into the servers of Securus, a company that allows law enforcement to easily track nearly any phone across the country, and which a US Senator has exhorted federal authorities to investigate. The hacker has provided some of the stolen data to Motherboard, including usernames and poorly secured passwords for thousands of Securus’ law enforcement customers.
Although it’s not clear how many of these customers are using Securus’s phone geolocation service, the news still signals the incredibly lax security of a company that is granting law enforcement exceptional power to surveil individuals.
Cox reports that users’ passwords were hashed using MD5 which, as of a decade ago, was considered by the U.S. Office of Cybersecurity and Communications to be “cryptographically broken and unsuitable for further use”. I disagree with the notion that a private company can offer this sort of software with little legal oversight or scrutiny, but even if you think that’s totally okay, surely tracking the live location of hundreds of millions of people should be guarded with more than an email address and a badly-encrypted password.
Third-party Twitter app developers will be required to purchase a Premium or Enterprise Account Activity API package to access a full set of activities related to a Twitter account including Tweets, @mentions, Replies, Retweets, Quote Tweets, Retweets of Quoted Tweets, Likes, Direct Messages Sent, Direct Messages Received, Follows, Blocks, Mutes, typing indicators, and read receipts.
Premium API access, which provides access to up to 250 accounts, is priced at $2,899 per month, while enterprise access is more expensive, with pricing quotes available from Twitter following an application for an enterprise account.
That is a huge lump of money: over $10 per user per month from developers for real-time activity if they have just 250 users; can you imagine the rate for tens of thousands of users? Let’s be generous and assume that they’ll give third-party developers operating at that scale a remarkable deal of $1 per user per month. At $12 per user per year, that’s probably unsustainable for developers like Tapbots and the Iconfactory to be charging a flat rate.
I know lots of people — myself included — who have proposed paying a monthly fee to continue using third-party clients. Loath as I am to suggest it, perhaps a subscription model is one way for these apps to stay afloat. Given the choice, I’d rather pay five bucks per month to continue to use Tweetbot than use the official Twitter app, especially as there isn’t a first-party Mac client.
I bet I’m in the minority, though; I bet this is Twitter’s way of slowly turning the taps off for third-party apps that replicate the consumer Twitter experience. What a pisser.
There’s no streaming connection capability as is used by only 1% of monthly active apps. Also there’s no home timeline data. We have no plans to add that data to Account Activity API or create a new streaming service. However, home timeline data remains accessible via REST API.
The 1% of monthly active apps that make use of streaming could represent hundreds of thousands of users, maybe even millions. Only Twitter knows that for certain, but they’re not sharing it, because it would give away an approximate number of users who reject Twitter’s own apps while still using the platform.
Even before the public beta of version 9.0 landed this week, Android’s system of notifications was far superior to Apple’s. As someone who regularly bounces between the two platforms, I actively ignore the iOS Notification Center, but on Android, I use it regularly to catch up on things I might have missed. The Android notification shade isn’t just for messages and alerts; it’s an information center for your entire digital life.
As it stands, I have far fewer complaints about notifications on Android Oreo than I do on iOS 11, but the system has its kinks and annoyances just like it did on previous Android versions, Nougat and Marshmallow. But in Android P, notifications are nearly perfect. Google hasn’t overhauled the notification system in Android P, but it has implemented a series of meaningful tweaks that work to make notifications useful, whether you want to interact with them, control what you see, or just keep them at bay.
And I hope someone on Apple’s iOS team is taking notes.
Making notifications the centre of my phone sounds like my idea of hell, but I certainly hope iOS 12 includes significant refinements to the notification system. It’s messy, it’s astonishingly interruptive, notifications cover app controls and a mis-tap can send you to a completely different app, and there isn’t always something you can do from the notification so you end up having to launch the app anyway. Notifications may necessarily be an interruption, but they shouldn’t be quite so intrusive.
I’ve been watching this tremendous Twitter thread started by Marcin Wichary since yesterday:
Fascinated by UIs that accidentally amass memories. One of them is the wi-fi “preferred networks” pane – unexpected reminders of business trips, vacations, accidental detours, once frequented and now closed cafés.
Another? The alarm page and its history of painful negotiations with early mornings. (One of these, I’m sure, was for a lunar eclipse; another for sending a friend in Europe a “good luck” text.)
I like that both of these places require you to coax your memory a bit to remember.
What else like this is out there?
People replying have suggested logs of completed reminders, weather app, and composing a new iMessage to an infrequent contact as more memory-laden UIs. Another two suggestions, from me: open tabs, and web browser history. I have a hard time with remembering to close tabs on Safari for iOS, and there’s an animation bug where, sometimes, opening a new tab will scroll through the entire list, giving me glimpses of articles and websites I opened weeks prior. Also, Safari on the Mac defaults to keeping history items for a year, and trudging through those can be a trip down memory lane — again, articles that I was reading, recipes, job hunting, trying to find a new apartment, and the like are all in there.
I love all of those suggestions, but the one I keep coming back to is WiFi history, especially because it’s collected almost passively. I hadn’t checked my own history in a while and found it absolutely full of memories: the network I set up for my parents in my childhood home, which they’ve since sold; there’s a hotspot for a Gloria Jean’s Coffee location, which I could have connected to in Kuta when I got lost there, or it could have been from another time in Los Angeles. Wonderful.
This is an important point, and one we’ve tried to make a few times in the past, highlighting that all of the metrics you hear about concerning audience size are complete bullshit, but everyone in the ecosystem has strong incentives to keep up the charade. At least they do while they’re pitching advertisers. When the actual hard subscription numbers come down, it can be a real wake up call. I’m reminded, of course, of the newspaper Newsday that implemented a paywall with great fanfare… and three months later had a grand total of 35 subscribers. Thirty. Five.
I’ve been thinking about this a lot lately. What follows is not exactly new, but I want to set something up in your mind.
You used to have to pay for the entirety of your local paper if you wanted news in print form, and it worked even if you only read a few stories a day, and you had to flip through loads of big ads to get to the handful of stories you actually cared about. All of this came from one or two sources, largely because you couldn’t live in, like, Lowell, Indiana and get that day’s Los Angeles Times dropped on your doorstep every morning. It didn’t matter that the local paper was comprised of a mix of original and syndicated reporting; it was the only way to get the news.
Now, you can read far more stories in a day and never touch your local paper. And why would you when, through a horrible downward spiral of business choices, it may now be almost entirely Associated Press stories that you can get anywhere? Besides, the big scoops largely go to the New York Times, Washington Post, and Wall Street Journal. Just look at this year’s list of Pulitzer Prize winners in journalism — of the fourteen award categories, fully half were won by the Times, Washington Post, Reuters, and USA Today. Compare the clustered wins of 2018 against the more widely-awarded prizes twenty or thirty years ago.
Many of us will, therefore, only pay a monthly fee towards one or two publications that we find really valuable; and, for most of us, that’s probably a national broadsheet “paper of record” rather than a thin local edition. But the national papers of record can’t realistically cover all local news of relevance across an entire country. Also, I’ve focused on American papers here, but this is a massive problem in Canada as well, and around the world.
Like I mentioned at the top of the preceding paragraphs, I’ve been thinking about this quandary a lot, for reasons of obvious importance — the continued existence of a press covering all levels of government and activities is crucial — but also for selfish concerns: I want to find a way for Pixel Envy to support itself. What ails the news industry also affects, albeit to a far lesser extent, independent blogs and web-only publications. Relatively large websites like the Onion and Gizmodo Media Group are struggling; the Awl shuttered earlier this year. Maybe the web cannot support all of these fantastic sites — that it did at any time was maybe a silly fluke. But I think giving up and treating the web as a place for giants and nobody else would be a mistake and a great shame.
Perhaps new legislation and the reclamation of our privacy online will spur the creation of small, privacy-focused advertiser networks again, akin to the Deck Network or something like the Outline’s ad strategy. Perhaps we need more networks of bloggers, too, allowing readers to subscribe to several related websites at the same time, without creating barriers to readership with paywalls. Maybe there’s a third and fourth source of money beyond readers and advertisers — I’m not sure. But non-giant entities, whether web-only or in print, need a funding solution for the future that isn’t solely reliant upon massive traffic, Facebook referrals, or subscriptions.
Shortly after his arrival in 2017, John Boynton, Cruickshank’s replacement as publisher of the newspaper and Torstar CEO, called a town hall in the newsroom. Boynton is a fifty-four-year-old turnaround specialist with no real journalistic experience but a record of success in running Aeroplan and other multi-million-dollar loyalty programs. The job of saving the Star has fallen to him. What he inherited when hired wasn’t just the fate of Torstar’s 3,800 employees but the legacy of the Star’s costliest and most valuable resource: its reporting.
According to sources, Boynton, standing near the empty desks of the men and women who’d been hired and then fired as a result of Star Touch, looked at what was left of his staff and said: “We can’t be a department store anymore.” The Star needed to transform into a publication less concerned with being everything for everyone on the streets of Toronto. It needed instead to do what tech companies like Facebook and Google were doing — study its readership algorithmically, learn what readers want, and stop feeding them what they don’t.
“We’re going to kill some sacred cows,” he said. The words alarmed many. Someone asked what the Star would consider a sacred cow. “We need the data,” Boynton replied. The response didn’t ease any concerns. In the old model, every reader counted. Soon, only those whom data science indicates have a propensity to pay may end up mattering to the Star — and any other newspaper still standing after the next presidential election. The trend won’t just redefine the value of certain journalists but the value of certain types of journalism as well.
No matter how much I want the Star to succeed and cannot imagine the pressures it faces, along with almost every other newspaper, this sort of thinking worries me. The present U.S. administration has probably caused subscriptions to the Washington Post and New York Times to shoot higher, but that’s not because we want to read more hard news; we like spectacle, and we’re getting that in spades. We also need news coverage that has less intrigue but still carries great importance, and that remains a hard sell.
Last year, I read “Saving the Media” by Julia Cagé, and its proposal fascinated me. Cagé proposes a new way for media organizations to be recognized in a business sense, which, she says, would give greater control over a newspaper’s editorial direction to its staff, and more diversified funding sources without editorial influence. I don’t know how scalable this business model is for, say, a local-only paper to something more like the Star, but it’s a proposal worth considering. Try to find the book at your local library or independent bookshop.
In just two weeks, the E.U. can begin fining GDPR violators. This is a must-read essay by Doc Searls, touching on the law itself, consent, and adtech. There’s a lot in this piece that is quotable and brilliant, but I think this is a truly critical paragraph:
And that’s on top of the main problem: tracking people without their knowledge, approval or a court order is just flat-out wrong. The fact that it can be done is no excuse. Nor is the monstrous sum of money made by it.
In addition to GDPR, Apple’s anti-tracking feature in iOS 11 and MacOS High Sierra has also, apparently, caused great concern amongst adtech companies that rely upon users’ implied consent, as most browsers’ default preferences permit the setting of third-party cookies. In cases where they don’t — for example, in Safari — adtech companies actively try to subvert your preferences. For example, Criteo:
A reminder that Criteo’s idea of unambiguous consent has long been represented by a banner across the bottom of the screen that indicates that any further clicks on the webpage will be construed as consent, and that you can opt out in the future if you read the banner in full and managed to remember the name of the third-party company that is now tracking you across the site.
It’s obvious — but no less revealing about their suspension of morality — how adtech companies will take full advantage of browser defaults to imply consent, but will actively fight against browser defaults through nefarious behaviours when it impacts their business.
Searls’ next paragraph is key, too:
Understanding that the GDPR is the direct result of widespread bad behaviours is truly critical. I don’t think this will eliminate bad actors, but it will provide a framework for adequate consequences. If a company cannot bear the legal blowback from a failure of responsibility to adequately protect users’ information, they should not be collecting it in the first place.
Yet Pichai said Google had been working on the Duplex technology for “many years”, and went so far as to claim the AI can “understand the nuances of conversation” — albeit still evidently in very narrow scenarios, such as booking an appointment or reserving a table or asking a business for its opening hours on a specific date.
“It brings together all our investments over the years in natural language understanding, deep learning, text to speech,” he said.
What was yawningly absent from that list, and seemingly also lacking from the design of the tricksy Duplex experiment, was any sense that Google has a deep and nuanced appreciation of the ethical concerns at play around AI technologies that are powerful and capable enough of passing off as human — thereby playing lots of real people in the process.
Google Assistant making calls pretending to be human not only without disclosing that it’s a bot, but adding “ummm” and “aaah” to deceive the human on the other end with the room cheering it… horrifying. Silicon Valley is ethically lost, rudderless and has not learned a thing.
Instead of worrying about humanoid robots becoming self-aware and destroying us all, I think it’s more satisfying and intellectually stimulating — and, of course, more practical — to ask questions about the ethics of the pseudo-automated systems we’re so quick to applaud.
It’s bothersome that Google was scooping up users’ emails for ad targeting purposes in the first place, then said that they would stop doing it — after way too long — and has now given itself permission to keep doing so if they want to. But it isn’t going to make a difference: the popularity of Gmail and, more broadly, how deeply we’ve allowed surveillance capitalism to become embedded in the way we live and work on the web.
In the instances we’ve seen, the apps in question don’t do enough to inform users about what happens with their data. In addition to simply asking for permission, Apple appears to want developers to explain what the data is used for and how it is shared. Furthermore, the company is cracking down on instances where the data is used for purposes unrelated to improving the user experience:
You may not use or transmit someone’s personal data without first obtaining their permission and providing access to information about how and where the data will be used.
Data collected from apps may not be used or shared with third parties for purposes unrelated to improving the user experience or software/hardware performance connected to the app’s functionality.
Good — there’s almost no circumstance in which a third party has any business in receiving location data when it isn’t connected with what the app actually does. But this is also the kind of thing I wish App Review was better at catching in the first place. Apps that request permission for location data, or access to contacts, or access to the photo library — in particular — ought to be subject to a degree of scrutiny that would prevent malicious uses of this functionality from appearing in the App Store in the first place. I’m not saying that they don’t catch this behaviour; rather, that there shouldn’t be enough apps in the store abusing location permissions to warrant a “crackdown”.
Securus offers the location-finding service as an additional feature for law enforcement and corrections officials, part of an effort to entice customers in a lucrative but competitive industry. In promotional packets, the company, one of the largest prison phone providers in the country, recounts several instances in which the service was used.
In one, a woman sentenced to drug rehab left the center but was eventually located by an official using the service. Other examples include an official who found a missing Alzheimer’s patient and detectives who used “precise location information positioning” to get “within 42 feet of the suspect’s location” in a murder case.
Asked about Securus’s vetting of surveillance requests, a company spokesman said that it required customers to upload a legal document, such as a warrant or affidavit, and certify that the activity was authorized.
“Securus is neither a judge nor a district attorney, and the responsibility of ensuring the legal adequacy of supporting documentation lies with our law enforcement customers and their counsel,” the spokesman said in a statement. Securus offers services only to law enforcement and corrections facilities, and not all officials at a given location have access to the system, the spokesman said.
To be clear, all that this software requires is for users to type in a phone number, upload a supporting document, and check a box certifying that it’s a legal request. The location of the phone attached to that number will then be revealed; there appears to be no intermediary step of verifying that the location search is legally justified. No wonder this news story is about the abuse of such a flawed system.
While observers were preoccupied with its CEO’s personal life, Tesla disclosed it has added its Fremont, Calif. factory to a pool of collateral backing its US asset-based revolving credit line from nine banks.
CreditSights analysts called attention to the addition of the Fremont factory — a 5.3m-square-foot facility that was previously home to a famous joint venture between GM and Toyota — in a Tuesday note. The electric carmaker also said vehicles in or on their way to Belgium could be included in the base of collateral for its Dutch borrowings.
About six months ago, the Economist wrote about the rarity of future success for firms with billion-dollar debts. Watch this space.
Starting later this year, consumer applications (not including games) sold in Microsoft Store will deliver to developers 95% of the revenue earned from the purchase of your application or any in-app products in your application, when a customer uses a deep link to get to and purchase your application. When Microsoft delivers you a customer through any other method, such as in a collection on Microsoft Store or any other owned Microsoft properties, and purchases your application, you will receive 85% of the revenue earned from the purchase of your application or any in-app products in your application.
This kind of arrangement doesn’t necessarily mean that developing for one platform is more lucrative than another. However, it might be a pretty good incentive for major developers to submit their apps to the store, as Microsoft isn’t garnering a third of their earnings.
I wonder if we’ll see anything about App Store fee structures at WWDC. I’d like to see Apple adopt something more like a progressive tax rate: for example, the first thousand downloads of an app could be at a 0% rate, then 5% for the next 10,000 downloads, then 10% for another 25,000, and so on. Their current 30% cut looks comparatively antiquated on the back of Microsoft’s announcement.
Equifax had already reported that the names, Social Security numbers, and dates of birth of 143 million US consumers had been exposed, along with driver’s license numbers “in some instances,” in addition to the credit card numbers of 209,000 individuals. The company’s management had also reported “certain dispute documents” submitted by about 182,000 consumers contesting credit reports had been exposed as well, in addition to some information about British and Canadian consumers.
A reminder that, instead of pushing for record fines and legal repercussions in the wake of the worst data breach in American history, the head of the CFPB — you know, the regulatory agency that’s responsible for financial industry oversight — doesn’t feel the need to proceed with his agency’s investigation into Equifax.