Month: October 2018

William Turton, Vice:

One of Facebook’s major efforts to add transparency to political advertisements is a required “Paid for by” disclosure at the top of each ad supposedly telling users who is paying for political ads that show up in their news feeds.

But on the eve of the 2018 midterm elections, a VICE News investigation found the “Paid for by” feature is easily manipulated and appears to allow anyone to lie about who is paying for a political ad, or to pose as someone paying for the ad.

To test it, VICE News applied to buy fake ads on behalf of all 100 sitting U.S. senators, including ads “Paid for by” by Mitch McConnell and Chuck Schumer. Facebook’s approvals were bipartisan: All 100 sailed through the system, indicating that just about anyone can buy an ad identified as “Paid for by” by a major U.S. politician.

Allen Tan:

Feature built to curb abuse relies on… people and organizations using it in good faith.

If you can’t trust organizations trying to manipulate elections by preying on individuals’ trust in apparently honest discourse at this tense time in the world, who can you trust?

There’s a lot to discuss following today’s Apple event in New York, but one thing, in particular, that I’d like to highlight is how they promoted external display capabilities as one reason for the change on the new iPad Pro to a USB-C connector from Apple’s proprietary Lightning connector. It’s something John Ternus mentioned a few times onstage but, oddly, this capability is only shown in the video on the iPad Pro’s marketing webpages and it has barely been given a passing mention in the company’s press release.

Even with the limited information available, I think this speaks to Apple’s greater ambitions for the iPad as much — or even more than — the power and software improvements they’ve made over the past few years. The future of the computer probably looks a lot like plugging a display into an iPad and using a connected keyboard and perhaps a trackpad with a different UI.

This isn’t entirely revolutionary; Microsoft has been pursuing a similar strategy with their Surface line for years. The critical difference, I think, is that the Surface was born of a desktop-and-laptop world, while the iPad was derived from a smartphone. In 2012, I wrote a piece where I proposed — poorly — that the reason the iPad was selling well where Microsoft’s tablet efforts, at the time, were not was because the common criticism of the iPad as a bigger iPhone was actually an advantage.

If there is a smartphone-to-desktop continuum, with the tablet somewhere in the middle, Microsoft has long approached it as skinning Windows with touch drivers and bigger buttons, while Apple chose to start by making a touchscreen phone and build up from there.

The vestiges of these differing approaches are clearly evident today. There are still plenty of examples of Windows feeling like a desktop operating system even when running on a tablet; and there are lots of places throughout iOS that feel like upscaled smartphone interfaces.

Looking beyond that, though, at what is plausibly within reach in the next few years is a culmination of efforts to overhaul the way we think about computers. Apple has, for years, been touting the iPad as the computer of the future — the pioneer in the post-PC era. But the product has not necessarily matched the company’s rhetoric, largely because it’s still trying to grow out of the smartphone-based constraints that are primarily exposed in software; that’s the root of where most of its limitations still lie.

If the scenario I outlined above is, indeed, the way Apple sees the future of this product line, there’s still a long way to go: multitasking isn’t there yet, the keyboard remains an afterthought, an iPad isn’t as information-dense because its controls still need to be touch-friendly, and so on. But there are clues that Apple is very serious about the iPad as a replacement computer. USB-C and the singling-out of external display support is one such indicator, I feel; iOS 11 brought the Dock to the iPad, which makes it feel much faster for switching between apps; and there are some iPad-specific Springboard improvements destined for iOS 13 that ought to shake things up.

Taking a step back, I think it’s worth addressing how poor the iPad’s software has felt compared to the hardware, as far as telling a complete and elegant story about using it as a full Mac replacement. The new iPad Pro models look wildly impressive — like pure slabs of magic internet-connected glass. But the software has evolved far slower. A big reason for this is, I believe, that using iOS as the basis for the future of personal computers has required a rethink of every system paradigm taken for granted on the Mac. I don’t think it has been universally successful. But I do truly believe that building iOS up as opposed to breaking MacOS down — that is, adding functionality within a made-for-touch framework rather than glomming touch onto MacOS — will prove to be a wise choice in the coming years.

Thomas Brewster of Forbes broke the news of the existence of GrayKey in March, and has been covering it brilliantly since:

Now, though, Apple has put up what may be an insurmountable wall. Multiple sources familiar with the GrayKey tech tell Forbes the device can no longer break the passcodes of any iPhone running iOS 12 or above. On those devices, GrayKey can only do what’s called a “partial extraction,” sources from the forensic community said. That means police using the tool can only draw out unencrypted files and some metadata, such as file sizes and folder structures.

Previously, GrayKey used “brute forcing” techniques to guess passcodes and had found a way to get around Apple’s protections preventing such repeat guesses. But no more. And if it’s impossible for GrayKey, which counts an ex-Apple security engineer among its founders, it’s a safe assumption few can break iPhone passcodes.

That last sentence requires two more words: “for now”. That’s how it works. After a security threat is revealed, it is patched; repeat constantly until the end of time. The biggest difference here is that there’s an enormous market for iOS vulnerabilities due to its high grade of security and its popularity, so it is not in the best interests of those who find these vulnerabilities to report them to Apple or disclose them publicly.

That, in part, is why the method by which Apple prevented GrayKey from working is just as mysterious as the means by which GrayKey worked in the first place. It’s also why it is plausible that there is a vulnerability just as insidious in every iOS device out there that won’t get reported to Apple for fixing if it’s good enough for Grayshift or Cellebrite to buy.

Craig Silverman, Buzzfeed:

Last April, Steven Schoen received an email from someone named Natalie Andrea who said she worked for a company called We Purchase Apps. She wanted to buy his Android app, Emoji Switcher. But right away, something seemed off.

[…]

Schoen had a Skype call with Andrea and her colleague, who said his name was Zac Ezra, but whose full name is Tzachi Ezrati. They agreed on a price and to pay Schoen up front in bitcoin.

“I would say it was more than I had expected,” Schoen said of the price. That helped convince him to sell.

A similar scenario played out for five other app developers who told BuzzFeed News they sold their apps to We Purchase Apps or directly to Ezrati. (Ezrati told BuzzFeed News he was only hired to buy apps and had no idea what happened to them after they were acquired.)

Giant klaxons are already blaring in my head and this doesn’t even concern the actual — you know — fraud part of the story. The ability to migrate apps and their entire user bases to different developers is an alarming security risk, particularly with the broad use of automatic update mechanisms. This reminds me of when the Stylish browser extension was sold to a new owner that immediately saddled it with spyware. Users should be made fully aware of an ownership change, and some sort of action on the user’s part ought to be required for them to update to a newer version of the software.

Silverman:

One way the fraudsters find apps for their scheme is to acquire legitimate apps through We Purchase Apps and transfer them to shell companies. They then capture the behavior of the app’s human users and program a vast network of bots to mimic it, according to analysis from Protected Media, a cybersecurity and fraud detection firm that analyzed the apps and websites at BuzzFeed News’ request.

This means a significant portion of the millions of Android phone owners who downloaded these apps were secretly tracked as they scrolled and clicked inside the application. By copying actual user behavior in the apps, the fraudsters were able to generate fake traffic that bypassed major fraud detection systems.

[…]

App metrics firm AppsFlyer estimated that between $700 million and $800 million was stolen from mobile apps alone in the first quarter of this year, a 30% increase over the previous year. Pixalate’s latest analysis of in-app fraud found that 23% of all ad impressions in mobile apps are in some way fraudulent. Overall, Juniper Research estimates $19 billion will be stolen this year by digital ad fraudsters, but others believe the actual figure could be three times that.

In other forms of advertising, spots are pre-sold for a specific fee based only on an estimated audience. If yet another vacuum-packed mattress company buys ads in an episode of a podcast, it doesn’t matter whether that episode is downloaded ten thousand times or a hundred thousand times — the mattress company will have paid the same price for that spot. Sponsoring later episodes might cost them more if there are an increasing number of listeners, or the podcaster may cut them a deal for multiple sponsorships, but there isn’t a real-time bidding scheme. It’s the same for print and television. Effectiveness in terms of action taken is harder to measure directly, but that encourages advertisers and creative firms to make something eye-catching and memorable.

For most online advertising, though, this is completely backwards: advertisers are charged and ad placements are paid out based on how many views or clicks there have been, not how many there are expected to be. This makes it much harder to differentiate fraudulent behaviour from honest views. It typically requires more tracking in order to be able to model real human behaviour — something that was defeated in this case. And, according to a recent report produced for Radiocentre — a trade group for British commercial radio stations — online ads of all types are completely ineffective (PDF).1

In general, the incentives of online advertising encourage fraud, clickbait, and spyware. This will continue to be the case so long as these ads are behaviourally targeted, and are paid for based directly on the number of views and clicks.


  1. One side effect of the ineffectiveness of online ads is that a huge industry has been built on the basis of creating ads that don’t look like ads. Social media “influencers”, native advertising, and content marketing all fall into this bucket. They’re generally just as unmemorable as other online advertising, but with the added bonus of feeling scummier and more manipulative because they aren’t obviously ads.

Apple granted Jack Nicas of the New York Times a rare glimpse inside its Apple News team’s editorial discussions:

Apple has waded into the messy world of news with a service that is read regularly by roughly 90 million people. But while Google, Facebook and Twitter have come under intense scrutiny for their disproportionate — and sometimes harmful — influence over the spread of information, Apple has so far avoided controversy. One big reason is that while its Silicon Valley peers rely on machines and algorithms to pick headlines, Apple uses humans like [editor in chief Lauren Kern].

[…]

That approach also led Apple News to not run an ABC News bombshell in December about Robert Mueller’s investigation into the Trump campaign’s ties to Russia. The story alleged that former national security adviser Michael Flynn was prepared to testify that Mr. Trump had directed him to contact Russian officials during the 2016 campaign. It rocketed across the internet, boosted by Google, Facebook and Twitter, before ABC News retracted it.

Ms. Kern said she and her team did not run the story because they didn’t trust it. Why? It’s not a formula that can be baked into an algorithm, she said.

“I mean, you read a story and it doesn’t quite pass the smell test,” she said.

There has been a rush to make much of the world driven by machine learning because we now can do that, but seemingly few of the people who are in a position to make decisions about this have actually questioned whether we should be letting algorithms replace thought. Apple’s solution is imperfect, but it certainly helps reduce the likelihood of embarrassing blunders — even Apple itself can learn from that.

Jon Brodkin, Ars Technica:

Apple CEO Tim Cook today called on the US government to pass “a comprehensive federal privacy law,” saying that tech companies that collect wide swaths of user data are engaging in surveillance.

Speaking at the International Conference of Data Protection and Privacy Commissioners (ICDPPC) in Brussels, Cook said that businesses are creating “an enduring digital profile” of each user and that the trade of such data “has exploded into a data-industrial complex.”

“This is surveillance,” Cook said. “And these stockpiles of personal data serve only to enrich the companies that collect them. This should make us very uncomfortable.”

Apple is, of course, imperfect in this regard: while they try to restrict the ways in which app developers may collect sensitive data, there are plenty of apps that still ask for access to your contact list, ostensibly to allow you to find friends using the same app or service, but without clearly indicating how they will treat that list over a long term; and, as others have mentioned, they have retained Google as the default search provider in Safari on all platforms. The latter is particularly hard to reconcile — last year, they changed web searches made through Siri or Apple Search from Bing to Google. Google reportedly paid Apple $9 billion in 2018 for this privilege, which feels a little bit like a bribe to collect Safari users’ personal information.

On the other hand, Apple has made strides to reduce users’ dependency on Google. The website suggestions that appear as you type in the address bar are not driven by Google, but by Apple’s own web crawler; the suggestions in Search on iOS for things like the weather and sports scores are also not powered by Google. Apple has also continued to roll out privacy protections in Safari with features like Intelligent Tracking Prevention.

Natasha Singer of the New York Times, on Twitter:

It’s much easier to be a privacy hawk when your business doesn’t depend on surveillance-based advertising. Even so, Tim Cook’s critique of the “data industrial complex” is a watershed for tech industry discourse.

It’s also much easier to not build a business dependent on surveillance when you are a privacy hawk.

Cook’s speech reads to me as an honest representation of his own stance and Apple’s ideals about how data ought to be collected and stored. Privacy does not seem like an add-on, but an integral part of the company’s development processes. It is a principled stance.

Embargoes for reviews of the iPhone XR were lifted this morning and John Voorhees of MacStories collected some of the more notable excerpts. Based on everything I’ve read, it sounds like you’re getting virtually all of the experience of an iPhone XS Max in a slightly smaller, far more colourful, and vastly less-expensive device with a not-as-spectacular-but-still-excellent display. All of that sounds great.

But there is one thing eating at me with this new iPhone lineup: the starting price for a current model year iPhone is now $50 more than last year, and $100 more than two years’ prior. It’s as though they’ve dropped the entry-level model and are starting at what was previously Plus model pricing. In Canada, the difference is even more pronounced — for the first time, you cannot get a current model year iPhone for under $1,000. The iPhone XR might be the least-expensive iPhone Apple launched this year, but it is by no means a budget device.

That’s not to say that it’s necessarily the wrong move from a unit sales perspective. Presales of the XR seem strong, and every indication — including the rapidly-rising average selling price — indicates that the iPhone X and XS models have sold very well indeed. It is arguably indicative of how much we value our smartphones compared to any other consumer electronics device. But it also means that getting into the iPhone ecosystem at the base model flagship level has become markedly more pricey.

There are two ways of looking at this: Apple has made more affordable the iPhone X design and features, and Apple has dramatically increased the base price of an iPhone.

Erik Wemple, Washington Post:

According to a [Bloomberg] company source, editorial staff has been “frustrated” that competing news organizations haven’t managed to match the scoop. Sources tell the Erik Wemple Blog that the New York Times, the Wall Street Journal and The Post have each sunk resources into confirming the story, only to come up empty-handed. (The Post did run a story summarizing Bloomberg’s findings, along with various denials and official skepticism.) It behooves such outlets to dispatch entire teams to search for corroboration: If, indeed, it’s true that China has embarked on this sort of attack, there will be a long tail of implications. No self-respecting news organization will want to be left out of those stories. “Unlike software, hardware leaves behind a good trail of evidence. If somebody decides to go down that path, it means that they don’t care about the consequences,” Stathakopoulos says.

In the face of challenges to the story’s veracity, Bloomberg has commissioned additional reporting to reinforce its initial findings. One of the story’s reporters, for example, contacted a former Apple employee on Oct. 10 seeking information on the alleged purge of Supermicro servers, according to correspondence reviewed by the Erik Wemple Blog. We asked Bloomberg about any additional reporting on the alleged hack. “We do not comment on our unpublished newsgathering, editorial processes, or plans for future reporting,” replied a company spokeswoman.

Michael Riley, one of the reporters on the story, quickly asserted after the story’s publication that the physical evidence assured that corroborating stories would soon be published. Not only has that not happened, it’s the inverse that has: source after source raising doubts about the accuracy of the story’s core arguments. This isn’t just embarrassing, it’s toxic to Bloomberg’s credibility and the often-necessary use of sources speaking only on background.

John Paczkowski and Joseph Bernstein, Buzzfeed:

The result has been an impasse between some of the world’s most powerful corporations and a highly respected news organization, even in the face of questions from Congress. On Thursday evening, an indignant Cook further ratcheted up the tension in response to an inquiry from BuzzFeed News.

“There is no truth in their story about Apple,” Cook told BuzzFeed News in a phone interview. “They need to do the right thing and retract it.”

This is an extraordinary statement from Cook and Apple. The company has never previously publicly (though it may have done so privately) called for the retraction of a news story — even in cases where the stories have had major errors or were demonstratively false, such as a This American Life episode that was shown to be fabricated.

What’s wild to me is, if Bloomberg’s story is completely true, no other news organization has been able to independently corroborate it — even in part. Reporters at the New York Times, Wall Street Journal, and Financial Times all have terrific sources within the tech companies concerned, the Chinese supply chain, and the American government. Surely, if the story is as Bloomberg describes, one of those publications ought to be able to use the story as a starting point to confirm either an ongoing investigation or the existence of the suspicious components, right? Or how about well-connected infosec and supply chain experts — why haven’t they, as Buzzfeed reports, been able to echo any of Bloomberg’s claims?

This is one of the most baffling sagas I can remember. Either the supply chain is hosed and companies like Apple and Amazon really have no idea, they do know and their executives are covering it up in flagrant violation of the law, or an esteemed news organization fucked up to an immense degree. If it’s the latter, Bloomberg is doing themselves no favours by continuing to stand by its increasingly dubious reporting.

How did Bloomberg get this so wrong?

I think these invitations are great. Many companies have strict guidelines that prohibit any transformation of their logo but, because of the ubiquity and simplicity of the Apple logo, they’re able to produce dozens of variations — some more successful than others.

The opera house at the Brooklyn Academy of Music is an interesting venue choice, largely because it’s not in the Bay Area. With the creative theme of the invitations and the venue, new iPad Pros seem like a given for this event. I’m also hoping for new desktop Macs: a refreshed iMac and a completely new Mac Mini seem like safe bets. I wouldn’t expect to hear anything about the Mac Pro or new displays at this event.

Update: If that rumoured Retina display-equipped MacBook Air is slated for this event as well, I’m interested to see how that’s pitched.

Sara Fischer, Axios:

The big picture: Since January 2017, per Chartbeat…

  • Twitter and Facebook have declined in their share of traffic sent to news sites.

  • Facebook traffic to publishers is down so much (nearly 40%) that according to Chartbeat, “a user is now more likely to find your content through your mobile website or app than from Facebook.”

  • Google Search on mobile has grown more than 2x, helping guide users to stories on publishers’ owned and operated channels.

  • Direct mobile traffic to publishers’ websites and apps has also steadily grown by more than 30%.

The declining influence of social networks is a promising sign, but their dominance over publishers’ business decisions should be heeded as a warning — particularly with the rising influence of Google Search, Google News, and Apple News.

Rachel England, Engadget:

It all comes down to the way Facebook initially reported the average viewing time of video ads. During the original investigation, it was found that the company only counted video views that lasted more than three seconds when calculating its “average duration of video viewed” metric. Views under three seconds weren’t factored in, thereby inflating the average length of a view. Facebook disclosed the issue in 2016, claiming it had “recently discovered” the error.

After reviewing some 80,000 pages of internal Facebook records, obtained as part of court proceedings, Crowd Siren now claims that Facebook had not only known about the issue for over a year, but had massively underestimated its miscalculations. The company told some advertisers it overestimated average time spent watching videos by 60% to 80%. The plaintiffs, however, believe that figure is much larger, and that average viewership metrics had been inflated by as much as 900%.

This occurred at roughly the same time a bunch of publishers decided to “pivot to video” — that is, to lay off reporters, writers, and editors and hire a bunch of video producers in their place. Over a longer term, it became clear that this change was driven by ad dollars rather than audience interest, to great detriment to the industry.

It’s a terrible idea to be dependent on traffic from platforms beyond a publisher’s control; it is also awful that Facebook — allegedly — failed to correct the effectiveness of their video platform for a year while paying publishers to buoy it.

See Also: Laura Hazard Owen, Nieman Lab:

It’s impossible to say whether media executives felt the way we did, or whether they actually did watch a lot of news video and truly believed it was the future. What is clear, however, is that plenty of news publishers made major editorial decisions and laid off writers based on what they believed to be unstoppable trends that would apply to the news business.

Casey Johnston, the Outline:

[…] Every time I described the 2017 MacBook Pro I sold because I couldn’t stand its non-functional keyboard and asked an Apple store employee if the new one would screw me over the same way, each assured me that Apple had changed the keyboards so that that would never happen again. I described my issues with “dust” to one shop associate at the Apple Store at the World Trade Center and asked if the new computers were any better. “Yeah, yeah, they fixed that problem… it was a BIG problem,” she told me. “So it doesn’t happen at all?” I asked. “No, it shouldn’t happen,” she said. Maybe the bad days were finally over.

But checking around online, it appears the new keyboards have the same old issues. They may be delayed, but they happen nonetheless. The MacRumors forum has a long thread about the “gen 3 butterfly keyboard” where users have been sharing their experiences since Apple updated the design. “How is everyone lse’s keyboard doing? I rplaced th first one because ‘E’ and ‘O’ gave double output. The replacment ither eats “E”, “O”, “I” and “T”, or doubles them,” wrote one poster. “I didn’t correct the typos above on purpose.”

It’s pretty wild that the Apple Store employee would admit to anyone that this was a “big problem”, given how often Apple has emphasized that it was a small percentage of users and that the silicone membrane in the 2018 models is just for quieter typing — though, in service documentation, they copped to its debris-fighting intention.

This is my favourite quoted response from that MacRumors thread:

“That’s just plain reckless,” responded a third. “I mean he took a laptop from a closed apartment to a balcony. It was probably an open balcony. Does he think that a laptop is a portable computer or what?!?”

The nature of online reviews and Mac enthusiast forum users, in general, tends to draw out negative experiences in a sort of shared commiseration experience. There aren’t loads of people who will chime in with their flawless keyboard experience. But, even if a smaller number of 2018 MacBook Pro owners are finding their computers susceptible to dust-induced keyboard failures compared to 2016 or 2017 model year users, these problems are still unique to the ultra low profile “butterfly” mechanism used in these models and are not present in previous generations of keyboards. This is a serious regression of one of its single most critical components. These are not good keyboards.

Johnston’s thoughts on the current Apple notebook lineup echo my own:

[…] The MacBook is aesthetic but underpowered; the Air is an outdated design paradigm, a “thin and light” notebook that has the worst performance-to-weight-to-cost tradeoff of all the computers Apple makes, but the only one left with a decent keyboard; the MacBook Pro fails at being a Pro in a number of ways (a small number of ports that almost always require dongles, garbage battery life), not least of which is that the keyboard stops working after a couple of months for many people. Every laptop offering has serious tradeoffs, none of them are compellingly priced, and most are just old.

The MacBook today fills the same slot as the MacBook Air of 2008, and vice-versa. Neither represents a massive upgrade for me over my mid-2012 MacBook Air for my changed workflow. The MacBook Pro has a worrisome keyboard, and it’s extremely expensive: a base 15-inch PowerBook in 2004 cost $2,649 in Canada, the 2007 15-inch MacBook Pro started at $2,199, and the Retina 15-inch MacBook Pro started at $2,449 in 2015. But the new 15-inchers start at $3,199. That’s a big leap; Apple’s 15-inch portables haven’t been that expensive since the early 2000s.

More than anything I’m confused by the current Mac lineup. It feels all out of sorts — almost as if each model were handled by a separate team with its own shipping deadline and requirements. There isn’t a clear rubric. I don’t think the lineup needs to go back to the Jobs quadrant, but it ought to be easier to buy a computer than the current lineup permits.

Guy Rosen of Facebook followed up on their earlier disclosure of their security breach in a post euphemistically titled “An Update on the Security Issue”. They have to use the definite article — “the security issue”, never “our security issue”.1 Anyway:

The attackers used a portion of these 400,000 people’s lists of friends to steal access tokens for about 30 million people. For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles). For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches. For 1 million people, the attackers did not access any information.

A portion of users have also had their Facebook Messenger conversation names and contacts compromised, and if they were an admin of a page, any messages to that page might also be compromised as well. Katie Notopoulos and Nicole Nguyen of Buzzfeed have put together a great article on how to tell if you’re one of the users impacted.

Earlier this week, Facebook launched an always-on microphone with an attached camera.


  1. I feel a little gross for interpolating Fight Club.

Natasha Lomas, TechCrunch:

For the GDPR analysis, the team compared the prevalence of trackers one month before and one month after the introduction of the regulation, looking at the top 2,000 domains visited by EU or US residents.

On the tracker numbers front, they found that the average number of trackers per page dropped by almost 4% for EU web users from April to July.

Whereas the opposite was true in the US, with the average number of trackers per page rising by more than 8 percent over the same period.

[…]

Summing up their findings, Cliqz and Ghostery write: “For users this means that while the number of trackers asking for access to their data is decreasing, a tiny few (including Google) are getting even more of their data.”

This builds upon and somewhat echoes earlier reporting that GDPR would actually help Google and Facebook compared to their smaller competitors. That’s not surprising: GDPR requires individual companies to get an explicit opt-in from users for ad targeting and tracking, and that’s a lot easier to do when you’re Google or Facebook. It’s also something that can be addressed through greater antitrust enforcement, if the E.U. wishes to pursue more direct targeting of the mass surveillance business models of those two companies.

As part of my morning review of news headlines, I like to read Charles Arthur’s excellent Overspill link roundup. In today’s edition, he linked to a fascinating-looking piece by James Ball in the Huffington Post called “The Anatomy of a Click” about programmatic advertising and all of the automated bidding that happens when you click. So I did.

I was greeted first by the burdensome opt-in advertising screen for Oath, the Huffington Post’s parent company. GDPR may require website owners to give visitors choices, but this is just egregious, and shows the scale of Oath’s operation. They don’t make it easy to simply opt-out of all targeting and tracking. This is why ad blockers are popular.

Then I noticed the URL, which now contained all sorts of referral information and tracking data.

The article itself is part of a section called “Digital Life”, which is sponsored by Microsoft — a company that runs a targeted programmatic advertising platform and allows Oath ads on its platforms, including in Windows. That’s what the people who make the big money call “synergy”, or “synchronicity”, or whatever.

If you look in your Web Inspector, you’ll notice that the article phones home to several trackers and contains loads of programmatic advertising. That makes it especially rich when you read to the bottom of what is generally a well-written explanation of how the market works:

The whole situation is summarised by data protection expert and privacy advocate Johnny Ryan.

“Every single time a person loads a page on a website that uses ‘programmatic’ advertising, information about what they are reading and the device they use is broadcast to a large number of adtech companies, who then do God knows what with it,” he explains.

[…]

“In GDPR terms, this “programmatic advertising” is a vast and ongoing data breach, and it means that everyone involved can be subject to an investigation by Elizabeth Denham, the Information Commissioner, and can be taken to court by Internet users.”

I’m not completely stupid; I understand why many websites — including this one — have analytics software and ads. But it is worth pointing out, and not solely to toot my own horn, that there is a vast difference between a “dumb” ad plus one or two analytics packages that do their best to anonymize traffic and respect Do Not Track, compared to the monstrosities created by companies like Oath and the Huffington Post that collect and distribute your browsing history on behalf of dozens of third parties in ways that are beyond your control.

You may, quite rightly, point out that the Huffington Post is not the pinnacle of journalism. But I would argue that the standards of the web should not be so low that we ought to tolerate privacy-invasive behaviour from anyone. And, for what it’s worth, practitioners of great journalism like the Washington Post and the Financial Times also have an egregious record when it comes to online tracking. It is their responsibility to give readers the best possible information, written as well as they can, and publish it on the safest and most reader-friendly platform available.
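For anyone who wants to do the Web Inspector check above more systematically, here is an added example, written for this edit and not taken from the article, from Oath, or from Ghostery and Cliqz. It groups the resource URLs a page loaded by registrable domain, separates first-party from third-party hosts, and pulls the attribution parameters out of the page URL. The page address, resource list and the set of parameter names treated as tracking are constructed assumptions; in a browser console you would feed it `performance.getEntriesByType('resource').map(e => e.name)` instead, and a real tool would use the full Public Suffix List rather than the short suffix table assumed here.

```javascript
// Added example (not from the article or any site it discusses): classify
// the resources a page loaded as first- or third-party, and list the
// attribution parameters carried in the page URL. Runs offline in Node on
// constructed input; in a browser, replace SAMPLE_RESOURCES with
//   performance.getEntriesByType('resource').map(e => e.name)

// Assumption: a tiny stand-in for the Public Suffix List, so that
// a.co.uk and b.co.uk are not lumped together as "co.uk".
const MULTI_LABEL_SUFFIXES = new Set(['co.uk', 'org.uk', 'com.au', 'co.jp']);

// Registrable domain ("eTLD+1") of a hostname, using the table above.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.').filter(Boolean);
  if (labels.length <= 2) return labels.join('.');
  const lastTwo = labels.slice(-2).join('.');
  const take = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-take).join('.');
}

// Split resource URLs into first-party (same registrable domain as the page)
// and third-party, the latter grouped by domain so one tracker with many
// subdomains still counts as one party.
function classifyResources(pageUrl, resourceUrls) {
  const pageDomain = registrableDomain(new URL(pageUrl).hostname);
  const firstParty = [];
  const thirdParty = new Map();
  for (const raw of resourceUrls) {
    let u;
    try { u = new URL(raw, pageUrl); } catch { continue; } // skip malformed entries
    if (u.protocol !== 'http:' && u.protocol !== 'https:') continue; // data:, blob: ...
    const d = registrableDomain(u.hostname);
    if (d === pageDomain) { firstParty.push(u.href); continue; }
    if (!thirdParty.has(d)) thirdParty.set(d, []);
    thirdParty.get(d).push(u.href);
  }
  return { firstParty, thirdParty };
}

// Assumption: query keys commonly used for cross-site attribution. The
// article only says the URL "contained all sorts of referral information".
const TRACKING_PARAM_RE = /^(utm_\w+|fbclid|gclid|ncid|guccounter)$/i;

function trackingParams(url) {
  const out = [];
  for (const [k, v] of new URL(url).searchParams) {
    if (TRACKING_PARAM_RE.test(k)) out.push([k, v]);
  }
  return out;
}

// Constructed page URL and resource list, not a capture of any real site.
const PAGE = 'https://www.example-news.co.uk/entry/anatomy?utm_source=overspill&ncid=other_twitter_abc123';
const SAMPLE_RESOURCES = [
  'https://www.example-news.co.uk/static/app.js',
  '/images/hero.jpg',
  'https://img.example-news.co.uk/asset/1.jpg',
  'https://www.google-analytics.com/analytics.js',
  'https://www.googletagservices.com/tag/js/gpt.js',
  'https://securepubads.g.doubleclick.net/gampad/ads?x=1',
  'https://connect.facebook.net/en_US/fbevents.js',
  'https://cdn.cookielaw.org/consent.js',
  'data:image/gif;base64,R0lGOD',
];

function summarize(pageUrl, resourceUrls) {
  const { firstParty, thirdParty } = classifyResources(pageUrl, resourceUrls);
  return {
    firstPartyCount: firstParty.length,
    thirdPartyDomains: [...thirdParty.keys()].sort(),
    trackingParams: trackingParams(pageUrl),
  };
}

console.log(JSON.stringify(summarize(PAGE, SAMPLE_RESOURCES), null, 2));
```

The count of third-party registrable domains is the number a reader should compare against "one or two analytics packages": every entry in that list is a party that learned which article you read, regardless of how it labels itself in a consent dialog.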

Joe Rossignol, MacRumors:

Due to advanced security features of the Apple T2 chip, iMac Pro and 2018 MacBook Pro models must pass Apple diagnostics for certain repairs to be completed, according to an internal document from Apple obtained by MacRumors.

For the 2018 MacBook Pro, the requirement applies to repairs involving the display, logic board, Touch ID, and top case, which includes the keyboard, battery, trackpad, and speakers, according to the document. For the iMac Pro, the requirement only applies to logic board and flash storage repairs.

If any of these parts are repaired in an iMac Pro or 2018 MacBook Pro, and the Apple diagnostics are not run, this will result in an inoperative system and an incomplete repair, according to Apple’s directive to service providers.

Apple’s diagnostic suite is limited to internal use by Apple Stores and Apple Authorized Service Providers, as part of what is called the Apple Service Toolkit. As a result, independent repair shops without Apple certification may be unable to repair certain parts on the iMac Pro and 2018 MacBook Pro.

Adam O’Camb of iFixit:

This service document certainly paints a grim picture, but ever the optimists, we headed down to our friendly local Apple Store and bought a brand new 2018 13” MacBook Pro Touch Bar unit. Then we disassembled it and traded displays with our teardown unit from this summer. To our surprise, the displays and MacBooks functioned normally in every combination we tried. We also updated to Mojave and swapped logic boards with the same results.

That’s a promising sign, and it means the sky isn’t quite falling — yet. But as we’ve learned, nothing is certain. Apple has a string of software-blocked repair scandals under its belt, including the device-disabling Error 53, a functionality-throttling Batterygate, and repeated feature-disabling incidents. It’s very possible that a future software update could render these “incomplete repairs” inoperative, and who knows when, or if, a fix will follow.

FUD aside, this is pretty good reporting: Apple’s repair guides say that, for security reasons, many of the components of the iMac Pro and 2018 MacBook Pro must pass a software diagnostics check after replacement; iFixit tested this and found that the product does not become inoperable, even though Apple’s guidance suggests that it will.

Maintaining the security of components like the keyboard, Touch ID sensor, and logic board seems completely fair to me. Even if Bloomberg’s recent report on compromised Supermicro servers from China turns out not to be exactly as described, it’s completely plausible for cheap parts to contain malicious components — HP shipped laptops with a preinstalled audio driver that logged keystrokes, and there were reports last year that inexpensive replacement phone screens could track a user’s touch input.

But I also completely understand the value of right-to-repair legislation. Sometimes, a Genius Bar appointment is difficult to make either because they’re fully booked or there isn’t an Apple or Apple-certified store in your area. Other times, Apple’s retail staff may suggest needlessly expensive replacements when a simpler fix could be found by more experienced independent technicians.

Rather than compromising the security and privacy of their products, I’d like to see more progress made on certifying independent technicians and making Apple’s official tools more accessible. The security threat model isn’t the same as it once was; your phone probably has a lot more information on it than your computer of ten years ago. Yes, it’s more complicated to replace parts now, but it’s not entirely because companies like Apple want to lock out independent repair shops. Apple’s diagnostic tools could play a great role in this: imagine if you could take a printed report of a successful repair and type in a serial number on Apple’s website to verify that your device was serviced with genuine parts and passed Apple’s testing.

For a different story, Wayne Ma at the Information has a look inside the world of iPhone repair fraud in China. It’s paywalled, but Benjamin Mayo of 9to5Mac has a good summary. Ma:

Five years ago, Apple was forced to temporarily close what was then its only retail store in Shenzhen, China, after it was besieged by lines of hundreds of customers waiting to swap broken iPhones for new devices, according to two former Apple employees who were briefed about the matter. In May 2013, the Shenzhen store logged more than 2,000 warranty claims a week, more than any other Apple retail store in the world, one of those people said.

After some investigation, Apple discovered the skyrocketing requests for replacements was due to a highly sophisticated fraud scheme run by organized teams. Rings of thieves were buying or stealing iPhones and removing valuable components like CPUs, screens and logic boards, replacing them with fake components or even chewing gum wrappers, more than a half-dozen former employees familiar with the fraud said. The thieves would then return the iPhones, claiming they were broken, and receive replacements they could then resell, according to three of those people. The stolen components, meanwhile, were used in refurbished iPhones sold in smaller cities across China, two of the people said.

These criminals were so sophisticated that they resorted to bribing employees and acquiring the serial numbers of iPhones in China to support this scheme.

Ma’s report also helps explain my frustrating support experience at my local Apple Store:

To slow down fraud at its retail stores — a main point of vulnerability — Apple developed a reservation system, which required customers to make appointments online with proof of ownership before they could file claims, according to more than 10 former Apple employees. However, the system was soon swamped with hackers who exploited vulnerabilities in its website to snap up the time slots, one of the people said.

It’s unfortunate that many of the things that used to make Apple’s stores a completely different retail experience — the virtually untethered demo units, easy-to-access support, “surprise and delight”, and a comparatively relaxed staff presence — are being watered down either by crime or for what can often feel like financial reasons.

I was going to split these updates into several posts, but there are so many and they all fit around similar narratives that it makes more sense to bundle them together. Previously, I wrote a little about Bloomberg’s massive report and tech companies’ responses. After that came government corroboration of the companies’ statements, as well as a report from Buzzfeed that indicated that senior Apple executives were confused by Bloomberg’s findings.

Yesterday, George Stathakopoulos, Apple’s vice president of information security, sent a letter to Congress once again reiterating their claim that they have not found malicious hardware planted in their servers, and that they have neither contacted the FBI nor been contacted by the FBI about these concerns. This is clearly contrary to Bloomberg’s specific claim that “two of the senior Apple insiders say the company reported the incident to the FBI”. I cannot find any wiggle room in either statement on that matter.

One of the few sources in Bloomberg’s story who was willing to be named has since appeared on a podcast, where he expresses concern that the hypothetical ideas he offered about how a piece of hardware like this might work appear to have been realized wholesale in the final article.

The team of Jordan Robertson and Michael Riley have a new article out today in Bloomberg that claims that a U.S. telecommunications company found manipulated Supermicro hardware in their possession two months ago:

The security expert, Yossi Appleboum, provided documents, analysis and other evidence of the discovery following the publication of an investigative report in Bloomberg Businessweek that detailed how China’s intelligence services had ordered subcontractors to plant malicious chips in Supermicro server motherboards over a two-year period ending in 2015.

Appleboum previously worked in the technology unit of the Israeli Army Intelligence Corps and is now co-chief executive officer of Sepio Systems in Gaithersburg, Maryland. His firm specializes in hardware security and was hired to scan several large data centers belonging to the telecommunications company. Bloomberg is not identifying the company due to Appleboum’s nondisclosure agreement with the client. Unusual communications from a Supermicro server and a subsequent physical inspection revealed an implant built into the server’s Ethernet connector, a component that’s used to attach network cables to the computer, Appleboum said.

Robertson and Riley stress that this is not an identical manipulation to the type described in their earlier story, but it tracks closely: hardware on a Supermicro board that could be used to siphon or reroute data.
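What “unusual communications” can look like in practice, as an added example that is not Bloomberg’s, Sepio’s or the telecom company’s method: an egress allowlist per server, with flows from a host’s out-of-band management address to an unexpected destination treated as the most serious finding, since a management controller has no business talking to the internet. The host names, baselines, addresses and flow records are constructed for the example (the external addresses are from the RFC 5737 documentation ranges).

```javascript
// Added example, not from Bloomberg, Sepio Systems or any vendor: an egress
// allowlist check over flow records. Each host has a baseline of expected
// destinations; a flow to anything else is flagged, and a flow from the host's
// management (BMC) address to an unexpected destination is flagged high.

function ipToInt(ip) {
  return ip.split('.').reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

// Does `ip` fall inside `cidr` ("10.0.1.0/24"; a bare address means /32)?
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xFFFFFFFF << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

// Allowed destination spec: "<cidr-or-ip>:<port>".
function destAllowed(allowed, dst, dport) {
  return allowed.some((spec) => {
    const i = spec.lastIndexOf(':');
    return Number(spec.slice(i + 1)) === dport && inCidr(dst, spec.slice(0, i));
  });
}

// Returns one finding per flow that falls outside the host's baseline.
function detectUnusualEgress(flows, baseline) {
  const findings = [];
  for (const f of flows) {
    const b = baseline[f.host];
    if (!b) { findings.push({ ...f, severity: 'medium', reason: 'no baseline for host' }); continue; }
    if (destAllowed(b.allowed, f.dst, f.dport)) continue;
    const fromMgmt = f.src === b.mgmt;
    findings.push({
      ...f,
      severity: fromMgmt ? 'high' : 'medium',
      reason: fromMgmt ? 'management interface reached unexpected destination' : 'unexpected destination',
    });
  }
  return findings;
}

// Constructed baseline: database and web hosts that should only reach the
// database subnet, a syslog collector and an NTP server.
const BASELINE = {
  'db-01':  { allowed: ['10.0.1.0/24:5432', '10.0.9.5:514', '10.0.9.6:123'], mgmt: '10.0.100.11' },
  'web-01': { allowed: ['10.0.1.0/24:5432', '10.0.9.5:514', '10.0.9.6:123'], mgmt: '10.0.100.12' },
};

// Constructed flow records: host, source address, destination, port, bytes.
const SAMPLE_FLOWS = [
  { host: 'db-01',  src: '10.0.1.10',   dst: '10.0.1.20',     dport: 5432, bytes: 88120 },
  { host: 'db-01',  src: '10.0.1.10',   dst: '10.0.9.5',      dport: 514,  bytes: 2310 },
  { host: 'db-01',  src: '10.0.1.10',   dst: '203.0.113.7',   dport: 443,  bytes: 48213 },
  { host: 'db-01',  src: '10.0.100.11', dst: '198.51.100.23', dport: 443,  bytes: 1904 },
  { host: 'web-01', src: '10.0.2.10',   dst: '10.0.9.6',      dport: 123,  bytes: 76 },
  { host: 'nas-07', src: '10.0.3.4',    dst: '10.0.9.5',      dport: 514,  bytes: 512 },
];

function runSample() {
  return detectUnusualEgress(SAMPLE_FLOWS, BASELINE);
}

console.log(runSample());
```

The check is only as good as the baseline, which is the hard part in a real data center; but a BMC address initiating a TLS session to an outside host is the sort of finding that justifies pulling a board and looking at it.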

However, Jason Koebler, Joseph Cox, and Lorenzo Franceschi-Bicchierai of Vice contacted American telecom companies and, so far, all are denying that Bloomberg’s report could possibly describe them. A source at Apple also told them that they launched another internal investigation after the story was published and they still can’t find any evidence of what Robertson and Riley are claiming.

For what it’s worth, I don’t want Robertson and Riley to have egg on their faces. I hope the story is not entirely as described because, if it is, it is truly one of the biggest security breaches in modern history — Supermicro has supplied a lot of servers to industry giants. But I don’t want the reporters to be wrong; Bloomberg has a great reputation for publishing rigorously-researched and fact-checked longform stories; I don’t want to have lingering doubts about their future reporting. And I’m not defending the biggest corporations in the world out of loyalty or denial — they have PR teams for that, and should absolutely be criticized when relevant. And I think the central point of the article — that the supply chain of a vast majority of the world’s goods is monopolized by an authoritarian and privacy-averse government is a staggering risk — is absolutely worth taking seriously.

But something about this story is not adding up. It doesn’t make sense as-is. I want to see more evidence and a corroborating third-party judgement. Bloomberg — and Michael Riley, in fact — appear to have gotten stories like this one wrong before. I hope that isn’t the case here, despite the terrifying reality if it is, indeed, completely true.

Update: Robert M. Lee was previously contacted by the same journalists regarding other stories while working at the NSA. He thought they were well-meaning, but duped by unsupported theories that didn’t withstand technical scrutiny.

This update fixes some Wi-Fi, Bluetooth, and iPhone XS charging bugs, but the best fix is this one, documented by John Voorhees at MacStories:

iOS 12.0.1 includes a small design change on the iPad too. With the iOS 12 update, the ‘.?123’ key was moved. With version 12.0.1, that key has been restored to its previous position on the software keyboard.

For the first few days of running the iOS 12 beta, I didn’t notice this change. I did, however, notice the effects of this change. I couldn’t work out why I was suddenly inserting a lot more emoji into anything I was writing on my iPad until I looked at an old screenshot and figured out that the key for symbols and punctuation had been swapped with the emoji key. Presumably, this was changed for consistency with the 12.9-inch iPad Pro, but it upset seven years of iPad typing muscle memory.

Anyway, now that’s fixed and I can delete from my still-in-progress iOS 12 review the three paragraphs I spent pointing out what a terrible change this was.