Pixel Envy

Written by Nick Heer.

Archive for July, 2019

The FTC Pleads With Claimants to Accept Credit Monitoring After Pitiful Equifax Money Pot Empties

As I wrote earlier this week, the settlement between the FTC and Equifax left only a $31 million money pot for consumers to share if they already have credit monitoring services. Well, it seems that the pot has run dry already, just a week after the settlement was announced.

Robert Schoshinski of the FTC:

The public response to the settlement has been overwhelming, and we’re delighted that millions of people have visited ftc.gov/Equifax and gone on to the settlement website’s claims form.

But there’s a downside to this unexpected number of claims. First, though, the good: all 147 million people can ask for and get free credit monitoring. There’s also the option for people who certify that they already have credit monitoring to claim up to $125 instead. But the pot of money that pays for that part of the settlement is $31 million. A large number of claims for cash instead of credit monitoring means only one thing: each person who takes the money option will wind up only getting a small amount of money. Nowhere near the $125 they could have gotten if there hadn’t been such an enormous number of claims filed.

Consumers could never be fully compensated for the impact of this breach, but announcing this as a settlement of over $575 million with $300 million going towards credit monitoring services is misleading at best. Equifax also did not have to admit culpability, and the CEO responsible retired with a compensation package with a minimum $18 million value — more than half this $31 million pot that could be split between 147 million affected consumers.

This settlement is infuriating and insulting.

Tim Cook’s Comments on Manufacturing and Supply Chain Questions

From Jason Snell’s transcript of Apple’s third-quarter 2019 conference call:

Wamsi Mohan, Bank of America/Merrill Lynch: Tim, the China trade situation remains sort of fluid over here and more recently you asked for some tariff exceptions, were not granted those. How are you thinking about the longer term footprint for manufacturing and can you talk about any potential alternatives that you’ve looked at and considered in moving parts of production potentially out of China.

Tim Cook: Yeah I know there’s been a lot of speculation around the topic of different moves and so forth. I wouldn’t put a lot of stock into those, if I were you. The way I view this is, the vast majority of our products are kind of made everywhere. There’s a significant level of content from the United States, and a lot from Japan to Korea to China, and the European Union also contributes a fair amount. And so that’s the nature of a global supply chain. Largely, I think that will carry the day in the future as well. In terms of the exclusions, we’ve been making the Mac Pro in the U.S., we want to continue doing that. And so we’re working and investing currently in capacity to do so, because we want to continue to be here. And so that’s what’s behind the exclusions. And so we’re explaining that and hope for a positive outcome.

Apple’s earnings call was held on the same day that the New York Times published an article speculating that upcoming generations of iPhone would be manufactured, in part, in Vietnam. Last month, the Wall Street Journal reported that the new Mac Pro would be made in China and, last week, the objectively racist American president[1] said that tariff waivers would not be granted to Apple for Mac Pro production. He also said in an interview that Apple might announce a new factory in Texas, but the new Mac Pro ships this autumn, so I don’t see how that’s immediately relevant.

Cook’s answer to this question seems like it contradicts that reporting somewhat, but he’s very careful to hedge his language. I don’t think he’s being cagey, though. A reasonable interpretation of this might be an acknowledgement that a small percentage of iPhones might be made in India, Vietnam, and Brazil for some markets, but not necessarily the U.S., and not necessarily indicating a large geographic shift in manufacturing.


  1. That’s not strictly relevant to this post; I just thought I’d remind you that he is, in fact, broadcasting openly racist statements from among the world’s most powerful offices.

Over 100 Million Capital One Customers in U.S. and Canada Compromised

Lily Hay Newman, Wired:

On Monday, the FBI and the bank Capital One disclosed a data breach of 106 million credit card applications that compromised information like names, addresses, phone numbers, and dates of birth, along with 140,000 Social Security numbers, 80,000 bank account numbers, and some credit scores and transaction data. It’s one of the biggest breaches of a major financial institution ever. Four months after the incident occurred, within just 10 days of Capital One discovering it, the FBI has already made an arrest in connection with the crime.

Without a doubt, an enormous data breach, described by Capital One in the slimiest possible way in their press release:

No bank account numbers or Social Security numbers were compromised, other than:

  • About 140,000 Social Security numbers of our credit card customers

  • About 80,000 linked bank account numbers of our secured credit card customers

For our Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident.

Only in an era of gigantic security breaches can the disclosure of over a hundred thousand Social Security Numbers and tens of thousands of bank account numbers be rounded down to none.

The Canadian acknowledgement feels like an insulting throwaway. This breach is, for me, a natural extension of a deeply irritating customer service experience. In my early twenties, I was offered what was pitched to me as a rewards and discount card for Hudson’s Bay; it was actually a credit card, despite repeated denials from the customer service representative. That credit card — which I cancelled a few minutes after realizing what it was — was provided through Capital One.

Newman:

Seattle resident Paige A. Thompson, 33, was charged Monday with one count of computer fraud and abuse, according to the FBI and court records. Thompson, the criminal complaint alleges, went by the hacker name “erratic” in many online accounts and forums. She allegedly exploited a misconfigured firewall to access a Capital One cloud repository and exfiltrate data sometime in March. On April 21, the FBI says, Thompson posted the data to her GitHub account, which included her full name and resume. It is unclear whether anyone downloaded the data after she allegedly posted it, but they very well may have given that Thompson allegedly talked openly about stealing the data, even on Slack.

It’s pretty terrible that this data was exfiltrated in March and was made public in April, but wasn’t reported to Capital One until July — this intrusion apparently wasn’t detected.

Note: This post has been edited.

Fast Software, the Best Software

Craig Mod:

It feels — intuitively — that software (beyond core functionality) should aim for speed. Speed as a proxy for efficiency. If a piece of software is becoming taurine-esque, unwieldy, then perhaps it shouldn’t be a single piece of software. Ultimately, to be fast is to be light. And to be light is to lessen the burden on someone or some task. This is the ultimate goal: For our pocket supercomputers to lessen burdens, not increase them. For our mega-powered laptops to enable a kind of fluency — not battle, or struggle — of creation.

This essay speaks to me on a gut level; I’m sure many of you will have a similar appreciation for it.

Mod’s essay is positive and delightful. I will say — in a more negative and grouchy tone — that slow software invariably irritates me, in a very death-by-a-thousand-cuts kind of way. I use Windows at work and I wince every time I click on the Start menu and have to wait for the second-long superfluous render-blocking animation to play. Some of the very slow animations in tvOS make me feel the same way — for example, when exiting the screen saver. Don’t get me wrong — animation adds expected polish — but it should not be an impediment.

Slow software feels imprecise and untrustworthy. Fast software feels implicitly more reliable and cared-for. I have a top-of-the-line iMac; not only should I not feel sluggishness in any day-to-day task, everything ought to feel instantaneous. I wish this were a higher priority for all software firms at an organizational level. For me, at least, it determines what I use.

Contractors Also Listen to Some Siri Audio Without Users’ Explicit Knowledge

With Amazon and Google’s voice assistants confirmed to have humans listening to recordings, it was only a matter of time before it was known whether anyone does the same for Siri.

Alex Hern, the Guardian:

Apple says the data “is used to help Siri and dictation … understand you better and recognise what you say”.

But the company does not explicitly state that that work is undertaken by humans who listen to the pseudonymised recordings.

Apple told the Guardian: “A small portion of Siri requests are analysed to improve Siri and dictation. User requests are not associated with the user’s Apple ID. Siri responses are analysed in secure facilities and all reviewers are under the obligation to adhere to Apple’s strict confidentiality requirements.” The company added that a very small random subset, less than 1% of daily Siri activations, are used for grading, and those used are typically only a few seconds long.

A whistleblower working for the firm, who asked to remain anonymous due to fears over their job, expressed concerns about this lack of disclosure, particularly given the frequency with which accidental activations pick up extremely sensitive personal information.

Hern confirmed to me that their source works for a third party, not Apple directly. That’s similar to the way Google does it, while Bloomberg describes the people who listen to Amazon’s recordings as “employees and contractors”. I think it matters whether these individuals are employed directly or through third parties like Apex — both for the sake of the employees as well as the inherently private nature of what they’re dealing with.

I also think it matters what kind of company is using this data. Amazon and Google use users’ behavioural data to sell targeted advertisements. While they’ve denied that they use voice data for targeting, I still find it slightly more uncomfortable that they may keep records of users’ voice recordings than I do for Apple which doesn’t build huge user data profiles for advertising purposes. In other words, while it’s reasonable to be upset by similar revelations, there are different reasons to be concerned.

Even so, there should surely be a way to opt out entirely and not allow any of your Siri conversations to be selected for review. It’s absurd that there seemingly isn’t a way to do this — turning off Siri entirely is not a solution — though I’ve reached out to confirm if disabling the analytics sharing options in Settings would opt users out. Also, as with Google, I have to question why users are not first asked whether a human can review their audio recording. Less than one percent is a very small proportion, but is still probably a lot of recordings per day given the half-billion devices it’s used on.

It’s pretty strange to me that this is an issue at all for Apple. I’m reminded of their introduction of object recognition in Photos. As Craig Federighi said on the Talk Show in 2016, “if you want to get pictures of mountains, you don’t need to get [them] out of people’s personal photo libraries. We can find some pictures of mountains”. Why should audio recorded in users’ homes, workplaces, schools, and gyms not be treated with a similar or greater level of sensitivity?

T-Mobile and Sprint Merger Approved by Justice Department, FCC Expected to Concur

Makena Kelly, the Verge:

The United States Justice Department has approved the $26 billion merger deal between T-Mobile and Sprint. After over a year in regulatory limbo, the merger received the green light from the last federal agency to hold out, with the Federal Communications Commission already signaling that it will approve the deal.

Karl Bode, Vice:

The DOJ says it will impose requirements offsetting the competitive harm of the deal. More specifically, the DOJ says that T-Mobile and Sprint will need to offload Sprint’s Boost Mobile and some spectrum to Dish Network, who’ll then attempt to build a new, viable fourth competitor from these scraps to offset the elimination of Sprint from the market.

[…]

But experts consulted by Motherboard say the proposal isn’t likely to work, and the end result of the merger will still very likely be higher prices and worse service for all.

For one thing, Dish has been promising to build a wireless network for the better part of the last decade with little to show for it. The company has routinely been accused of “spectrum squatting,” or buying spectrum it doesn’t use in a bid to turn around and sell it later when it’s more valuable. Even T-Mobile made this complaint when Dish initially criticized the merger.

Bode on Twitter:

At risk of being redundant, it would be cool if even 10% of the hyperventilation over Facebook and “big tech” was also applied to big telecom and dumb megamergers.

I’m Canadian, so I can attest to the drop in overall quality and increased prices that Americans can expect as their telecom options continue to deteriorate. It’s bad now in the United States; I can only imagine how awful it will become with the combined results of no net neutrality legislation, and the conglomeration of telecom and entertainment companies.

One last thing from Kelly:

T-Mobile’s connections to the Trump administration have come under heightened scrutiny as the deal has progressed. In March, The Washington Post reported that the company had spent over $195,000 at the Trump Hotel in Washington, DC while lobbying for the merger.

There’s a long list of legal, moral, ethical, and cultural grievances with this administration, but the ease and openness of its corruption is a revolting spectacle.

You Have a Moral Obligation to Claim Your Portion of the Equifax Breach Settlement

Josephine Wolff, Slate:

Go claim your $125 from Equifax. Right now. Even if $125 isn’t a sum of money that matters to you, even if you don’t feel you were really directly affected by the breach. Even if the prospect of filling out a relatively brief online form fills you with more dread than the theft of all your personal data.

Consider it a part of your civic duty: driving up the costs of data breaches for corporations so they have an incentive to invest more heavily in security.

Keep in mind that $125 is the minimum you are owed if your data was part of the Equifax breach. There are other categories of remediation that you can claim for, and I highly recommend that you get as much as you can. Whatever you’ll get, it won’t be enough, but at least you’ll do your part to make events like these costly for the companies involved until meaningful changes are made to eliminate the surveillance economy.

By the way, Wolff suggests in this piece that the Equifax breach may have been the product of a financial decision:

I think the costs of security breaches should, in some sense, be the costs of doing business, as opposed to an existential threat that drives the breached company into the ground. That way companies can weigh those costs against the costs of larger security investments and adjust their budgets accordingly. But I would like for those breach costs to be high enough to drive significant investment, and for that to happen, you have to do your part.

Earlier this week, I listened to an excellent two-part episode of the Malicious Life podcast (via Roee), in which the host, Ran Levi, argued that Equifax’s CEO was among the most aware of security risks, and worked hard to mitigate them. I am loath to empathize with a CEO who oversaw among the most disastrous breaches of trust in corporate history only to be allowed to retire, but Levi’s argument is compelling and worth a listen, if you have the time.

Update: Rufo Sanchez actually read the settlement agreement, unlike me and, presumably, everyone sharing the advice to claim your cash settlement. From the settlement (PDF):

If there are more than $31 million in claims for Time Spent made during the Initial Claims Period […], all payments for Time Spent will be reduced and distributed on a proportional basis.

[…]

If you already have some other kind of credit monitoring or protection services, and do not claim the free Credit Monitoring Services available through the settlement, you may file a claim for Alternative Reimbursement Compensation for up to $125. […]

If there are more than $31 million claims for Alternative Reimbursement Compensation, all payments for Alternative Reimbursement Compensation will be lowered and distributed on a proportional basis.

There are two pools of $31 million here. One pool is for people taking $125 instead of credit monitoring services; the other $31 million is for people claiming time spent.

As Sanchez calculated, if all 147 million affected people claim the cash payment instead of credit monitoring, everyone gets $0.21. Of course, there’s no way that every impacted person will claim the cash payment — or, indeed, claim anything at all — but I would not be surprised if more than 248,000 people claim cash, given the publicity it has received, so everyone might get less than $125.

Apple Acquires ‘Majority’ of Intel’s Cellular Modem Business

From the joint press release:

Intel and Apple have signed an agreement for Apple to acquire the majority of Intel’s smartphone modem business. Approximately 2,200 Intel employees will join Apple, along with intellectual property, equipment and leases. The transaction, valued at $1 billion, is expected to close in the fourth quarter of 2019, subject to regulatory approvals and other customary conditions, including works council and other relevant consultations in certain jurisdictions.

It’s been an open secret that Johny Srouji’s team at Apple has been working on modems for the iPhone, iPad, Apple Watch, and future devices that need smaller and more efficient cellular connections. I’m sure the acquisition of Intel’s hardware will help somewhat, but this is decidedly an intellectual property and talent acquisition for the value of one Instagram.

Amazon Has Entered Into Agreements With U.S. Police Departments to Push Their Ring Doorbell Cameras with Kickbacks

Caroline Haskins, Vice:

Amazon’s home security company Ring has enlisted local police departments around the country to advertise its surveillance cameras in exchange for free Ring products and a “portal” that allows police to request footage from these cameras, a secret agreement obtained by Motherboard shows. The agreement also requires police to “keep the terms of this program confidential.”

Dozens of police departments around the country have partnered with Ring, but until now, the exact terms of these partnerships have remained unknown. A signed memorandum of understanding between Ring and the police department of Lakeland, Florida, and emails obtained via a public records request, show that Ring is using local police as a de facto advertising firm. Police are contractually required to “Engage the Lakeland community with outreach efforts on the platform to encourage adoption of the platform/app.”

At best, this is a gross partnership; more realistically, it’s a way to privatize a surveillance state through bribery. Amazon’s doorbell cameras have questionable privacy practices, too, and the company wants to be its own crime news broadcaster to further justify the existence of its products.

Joshua Benton, NiemanLab:

So think about this managing editor job. The places where Ring wants to be “covering local crime” are… everywhere, down to the house and neighborhood level. So one managing editor, plus however many other people are on this team, are supposed to be creating a thoughtful, non-exploitative editorial product that is sending journalistically sound “breaking news crime alerts,” in real time, all across the country. Will they really be delivering news or just regular pulses of fear in push-notification form? If that’s the job, it is literally impossible to do responsibly.

[…]

But what bugs me about this is that it wants to bring in the credibility of journalism as a layer on top of the state of constant fear it promotes. A company that relies on people feeling unsafe to sell its products will now be able to take whatever trust professional journalism has left and put it to work toward that end. It’s like relying on the people who make antivirus software to tell you about the latest cybersecurity issues: Even when the reporting is sound, it’s still prone to exaggerating the scale of the threat and still aimed at making you so afraid that you give them money.

Partnering with police departments is a logical next step for this deeply cynical product.

Update: Sam Kimbrel:

[…] Amazon is basically using this to drive down package loss, by giving police heatmaps of where lost Amazon packages are reported, then asking for sting ops.

So Amazon uses Prime Day to deeply discount their Ring cameras, contractually obligates police departments to promote sales of those cameras, and runs their own pseudo news division to emphasize the apparent need for cameras — all to cut down on losses due to Amazon package theft.

Samsung Swears That It Has Fixed the Galaxy Fold

Ina Fried, Axios:

The company said it made several changes, including

  • Extending the top protective layer of the phone’s inner displays so users know that it is not a removable screen protector.

  • “Additional reinforcements” to better protect the device from external particles.

  • The top and bottom of the hinge have been straightened and additional layers placed underneath the display.

So a refined prototype is what they’re shipping? Got it.

I would be shocked if in, I presume, several months of testing before its announcement, not a single Samsung Galaxy Fold unit exhibited any of the myriad problems reviewers found within days. Why not sort that stuff out before having such an embarrassing launch?

Details of Facebook Penalty Released by FTC

The FTC’s press release:

The $5 billion penalty against Facebook is the largest ever imposed on any company for violating consumers’ privacy and almost 20 times greater than the largest privacy or data security penalty ever imposed worldwide. It is one of the largest penalties ever assessed by the U.S. government for any violation.

The settlement order announced today also imposes unprecedented new restrictions on Facebook’s business operations and creates multiple channels of compliance. The order requires Facebook to restructure its approach to privacy from the corporate board-level down, and establishes strong new mechanisms to ensure that Facebook executives are accountable for the decisions they make about privacy, and that those decisions are subject to meaningful oversight.

The graphic the FTC uses to illustrate the scale of this fine is also an unintended acknowledgement that the $275 million fine levied against Equifax is pitiful.

Kurt Wagner and Sarah Frier, Bloomberg:

But the deal won’t do much to alter Facebook’s main business. The company will be able to make product decisions as it always has, and will also still be able to collect the same data from users. For the most part, Facebook will be able to continue targeting ads in the same way it does today.

Bryan Menegus, Gizmodo:

In what may be the most insulting paragraph of Stretch’s note, which Facebook published exactly when it knew news of former special counsel Robert Mueller’s testimony would drown out any other news item, he writes, “the agreement will require a fundamental shift in the way we approach our work […] It will mark a sharper turn toward privacy, on a different scale than anything we’ve done in the past.”

I don’t know how Facebook approaches its work. What I do know is how it approaches its users — which is to incrementally, and more often after being caught doing something untoward, placate them with promises of fundamental changes in how it’s thinking about or implementing privacy; how it’s empowering us, the consumers, to control our privacy; and how privacy, privacy, privacy. Why would we trust Zuckerberg’s sign-off on quarterly data privacy assessments when he and his team have consistently published statements claiming Facebook will protect our privacy, which, we can say in light of Cambridge Analytica, turned out to be broadly untrue?

All of Facebook’s transgressions since 2012 have been conducted after they promised the FTC they would stop abusing users’ data without their knowledge. They kept doing that anyhow. But they’ll really stop this time — they promise.

Attorney General William Barr Really Wants to Read Your iMessages

Kate Cox, Ars Technica:

US Attorney General William Barr today launched a new front in the feds’ ongoing fight against consumer encryption, railing against the common security practice and lamenting the “victims” in its wake.

“The deployment of warrant-proof encryption is already imposing huge costs on society,” Barr claimed in remarks at a cybersecurity conference held at Fordham University Tuesday morning. Barr added that encryption “seriously degrades” law enforcement’s ability to “detect and prevent a crime before it occurs,” as well as making eventual investigation and prosecution of crime more difficult.

[…]

He also accused tech firms of “dogmatic” posturing, saying lawful backdoor access “can be and must be” done, adding, “We are confident that there are technical solutions that will allow lawful access to encrypted data and communications by law enforcement, without materially weakening the security provided by encryption.”

It is almost impressive how people with no clue about how encryption works have, time and time again, ignored the advice of actual experts in it. If Barr were in charge of NASA, he’d demand a faster-than-light Space Shuttle even after being told that it is impossible.

Plex Makes Piracy Just Another Streaming Service

One thing about the film and television industry that I find endlessly fascinating — and it really helps that I am fascinated by probably-mundane esoteric things — is how differently they approach licensing and ownership rights compared to the music industry, despite often shared parent companies.

There are plenty of historical examples, but I wanted to look at just two. First, the use of DRM couldn’t be more starkly contrasted. In 2007, Apple negotiated with EMI to offer DRM-free music on iTunes; less than two years later, every major label got on board. But a similar switch has never happened for video distribution.

A few years after the DRM-free iTunes Store debuted came the next radical shift in music consumption: streaming services. Now, you can pay ten dollars a month to listen to virtually all of the music that has ever been recorded. You can choose which company you’re giving your money to — Apple, Google, Spotify, Tidal, and others — but the cost and catalogues are basically the same across the board. Again, nothing like this has ever existed for streaming video; and, with increased exclusivity agreements and conglomerate protectionism, that’s unlikely to change.

Well, legally, anyway. Bijan Stephen, the Verge:

Plex servers function a little like secret societies or private clubs. They can be large (like Liz’s), small (like Shawn’s), or any size in between, but they have a single purpose: to simplify the experience of streaming media and make it feel human. Every Plex server’s media catalog is different. They go beyond licensing agreements (because piracy) and anonymous algorithmic curation (because a person is choosing what’s on there) to make the streaming experience personal.

“The Plex mission is to provide a unified media experience that allows users to bring together the media they care about into one app, available on just about anything with a screen,” a spokesperson for Plex wrote in a statement. The one thing they carefully don’t mention is why.

Ethically, much of this article leans toward the defensive; it largely skates around the legal issues. I don’t see that as a flaw, necessarily, because many of these Plex servers are used largely by friends — kind of like lending out VHS tapes and DVDs to friends twenty years ago.

WatchOS 5.3 Enables ECG Support for Canadian and Singaporean Users

Speaking of the Apple Watch, Apple shipped WatchOS 5.3 today, which allows the ECG function to be used in Canada and Singapore.

Apple’s focus on health capabilities with the Watch is one of the most impressive product directions I can remember from any major company. I know there are cynics who view it as a cash grab on the back of health worries — and, without digressing too much, I think that’s a valid criticism of much of the broader medical industry. But there is also room to interpret this as a genuinely good thing for humanity. It is one of the few Silicon Valley things that can be described as life-changing without hyperbole.

Bloomberg: Apple Sold ‘Low Tens of Thousands’ of Gold Watches

Bloomberg’s Mark Gurman published a portrait today of Jeff Williams, painting him as a spiritual sibling to Tim Cook. It’s full of those de rigueur Gurman insider vignettes, but the nugget that has made some news surrounds the estimated sales figures of the solid gold Apple Watch.

Joe Rossignol, MacRumors:

As for the $10,000-plus, 18-karat gold Apple Watch Edition, the report claims Apple’s sales were “in the low tens of thousands” of units, with “few after the first two weeks.” The line was discontinued in September 2016 after just 16 months and, humorously, the gold models are now stuck on watchOS 4 and below.

Even with the lowest possible numbers within this framing — 10,000 units sold of a minimum $10,000 product — that still means Apple took in at least a hundred million dollars in revenue on the first-generation Edition. I’m not making a judgement on whether this is good, obviously, but it’s noteworthy.

Anecdotally, I occasionally search eBay and Chrono24 out of idle curiosity. I’ve never seen a gold Edition for sale.

Equifax to Pay $100 Million CFPB Fine and Set Aside Hundreds of Millions to Compensate Consumers

The FTC announced Equifax’s settlement this morning:

As part of the proposed settlement, Equifax will pay $300 million to a fund that will provide affected consumers with credit monitoring services. The fund will also compensate consumers who bought credit or identity monitoring services from Equifax and paid other out-of-pocket expenses as a result of the 2017 data breach. Equifax will add up to $125 million to the fund if the initial payment is not enough to compensate consumers for their losses. In addition, beginning in January 2020, Equifax will provide all U.S. consumers with six free credit reports each year for seven years—in addition to the one free annual credit report that Equifax and the two other nationwide credit reporting agencies currently provide.

The company also has agreed to pay $175 million to 48 states, the District of Columbia and Puerto Rico, as well as $100 million to the CFPB in civil penalties.

It seems to me that no fine and no penalty — no matter how great — can ever fully compensate the 147 million Americans who are now subject to a heightened risk of identity theft and fraud. This is certainly a lot of money, but Equifax’s stock price rose today when this news was announced, and it has nearly fully recovered to its pre-breach high. Equifax also continues to be one of only three companies that provide credit reports in the United States in a highly mature and noncompetitive market.

The lesson that has surely been learned here is that a company can have lax security, fail to notify customers for months about a breach, issue new revelations in drips, and be borderline useless through the entire process as long as that company participates in a market with few competitors, retains shocking amounts of personal data, and faces few consequences to its financial position as a result.

By the way, the CFPB fine is far more than I expected. That Bureau used to be run by Mick Mulvaney who, before he became the President’s Chief of Staff, tried to curtail the Equifax investigation and generally rob the Bureau of its duty.

A Reporter Spent a Few Days as a Gig Economy Food Courier

Andy Newman, New York Times:

Delivering restaurant food has always been a hard, thankless job. With the apps, it is becoming more flexible and better paying — but in some ways less stable.

This, said Niels van Doorn, an assistant professor of new media and digital culture at the University of Amsterdam who spent six months in New York studying app riders last year, “is what happens with an already precarious work force — what happens to an already invisibilized work force — when these platforms come to town.”

My own 27 hours on a borrowed electric bike, alternately hellbent and ping-starved as I navigated chaotic streets and clattering restaurant kitchens and sleek apartment towers, were an immersion in the paradoxes and perils of a job in which making more than minimum wage requires the physical daring of a bullfighter and the cognitive reflexes of a day trader. (I have neither.)

Being any kind of courier seems like a harrowing job, but it seems particularly so in the case of apps like Uber Eats, Foodora, and DoorDash. The latter has a unique tipping policy:

DoorDash offers a guaranteed minimum for each job. For my first order, the guarantee was $6.85 and the customer, a woman in Boerum Hill who answered the door in a colorful bathrobe, tipped $3 via the app. But I still received only $6.85.

Here’s how it works: If the woman in the bathrobe had tipped zero, DoorDash would have paid me the whole $6.85. Because she tipped $3, DoorDash kicked in only $3.85. She was saving DoorDash $3, not tipping me.

There is no way that customers believe that, when they tip, they’re helping DoorDash pay their workers. DoorDash does explain its tipping model on its website, but only in the most opaque language possible. How is this legal?

Newman also wrote an extended first-person report about how the article was put together:

Another unpleasant surprise: For almost two-thirds of my 43 deliveries, I got no tip. You may think the delivery fee takes care of the rider, but the apps’ pay structure leaves riders dependent on tips to make a living wage.

A friend of mine who has been delivering for three years, Wilder Selzer, called the job “a great window into our stratification.” Quite a few times, he said, he has delivered to people — men and women alike — who answered the door in their underwear, but not in a sexy way.

“It goes back to the class thing,” he said. “You’re like a eunuch — it’s O.K. to be naked in front of you because you’re not a person person.”

Aziz Shamim famously tweeted several years ago that Silicon Valley is obsessed with creating services that do what twenty-somethings’ moms did for them before they moved away from home, but I’ve always thought that interpretation wasn’t quite right. I think these services jealously attempt to replicate conveniences available to people who work several pay grades above them. There is a — and please forgive me for the phrasing here — trickling down of conveniences; on the other hand, it is at the expense of the livelihoods of a greater number of individuals needed to do these jobs.

Alexis Madrigal of the Atlantic described these services earlier this year as the “servant economy”, and I think he’s entirely correct.

See Also: Why Paris Marx doesn’t use Uber (via Michael Lopp).

NSO Group Spyware Can Exfiltrate Individual Users’ Cloud-Stored Data Using Credentials Stored On Targeted Devices

The headline for this linked item is deliberately not snappy, for reasons that should quickly become apparent.

Mehul Srivastava and Tim Bradshaw, Financial Times:

NSO Group’s flagship smartphone malware, nicknamed Pegasus, has for years been used by spy agencies and governments to harvest data from targeted individuals’ smartphones. 

But it has now evolved to capture the much greater trove of information stored beyond the phone in the cloud, such as a full history of a target’s location data, archived messages or photos, according to people who shared documents with the Financial Times and described a recent product demonstration. 

The documents raise difficult questions for Silicon Valley’s technology giants, which are trusted by billions of users to keep critical personal information, corporate secrets and medical records safe from potential hackers. 

This report produced headlines claiming that the software “spies on Apple, Google and Facebook cloud data”, for example, which isn’t entirely accurate.

Dare Obasanjo sums it up nicely:

This is an incredibly misleading headline.

If your phone is compromised by malware then bad actors can access all data any apps on your phone can access including iCloud, Gmail, FB, etc.

This isn’t a cloud service problem but a compromised client issue.

Zack Whittaker:

[…] But it’s worth remembering that it’s in NSO’s best interests to ham up its abilities and stretch the truth in sales meetings. Also don’t forget that NSO malware targets only a few types of people, so don’t panic either.

Joseph Cox of Vice downplayed this story even more:

NSO’s malware can log into Facebook, Amazon etc, download content. FT has bizarrely framed this as an issue for the cloud services, when it’s really about how end devices secure auth tokens. You own the device, you are the device. This will get dumb hyped.

It seems that the Financial Times story is exaggerating the capabilities of this spyware, but I think Cox’s summary may be inaccurate as well. For example, the report leaves the impression that a lot of iCloud data can be pilfered from targeted users’ accounts, but I’m not sure how that squares with the multilayered encryption mechanisms described in Apple’s iOS security guide. Perhaps the data that can be pulled from iCloud is rather limited, and the report mixes iCloud-specific claims with the malware’s more general data-collecting abilities from all services.

I hope more in-depth reporting will be produced on how, exactly, this spyware works and what specifically it can collect. Alas, I don’t see that happening, given how tightly NSO Group controls access to it.

Six Popular Chrome and Firefox Extensions Funnelled User Browsing Data to Nacho Analytics

Dan Goodin, Ars Technica:

When we use browsers to make medical appointments, share tax returns with accountants, or access corporate intranets, we usually trust that the pages we access will remain private. DataSpii, a newly documented privacy issue in which millions of people’s browsing histories have been collected and exposed, shows just how much about us is revealed when that assumption is turned on its head.

DataSpii begins with browser extensions — available mostly for Chrome but in more limited cases for Firefox as well — that, by Google’s account, had as many as 4.1 million users. These extensions collected the URLs, webpage titles, and in some cases the embedded hyperlinks of every page that the browser user visited. Most of these collected Web histories were then published by a fee-based service called Nacho Analytics, which markets itself as “God mode for the Internet” and uses the tag line “See Anyone’s Analytics Account.”

I’d be willing to bet that most people don’t think twice after installing a browser extension, and don’t fully consider the implications of its level of access. Extensions are a security and privacy risk, especially when you consider how much work is done through web browsers by employees with elevated access.

For his part, the CEO of Nacho Analytics responded weakly:

In an interview, Nacho Analytics founder and CEO Mike Roberts reiterated that the service is fully GDPR compliant and that the millions of people whose data is collected have expressly agreed to this arrangement.

“You absolutely do” click an agree button, Roberts said of all users whose data is published. What’s more, he said, “we spend quite a bit of time processing every URL that we see to remove all the personally identifiable information.” Ars has confirmed that in many cases, the URLs published by Nacho Analytics have had names, Social Security numbers, and other personal information removed. However, Ars was also able to find numerous instances of names and other personal information remaining in published URLs.

[…]

But Roberts defended the basic practice of publishing links that, when clicked, lead to private data — so long as that data isn’t viewable in the URL itself as published by Nacho Analytics.

I truly don’t believe Roberts intends to do wrong here, but the ease with which his company’s product can be abused at scale suggests that he underestimated the risk of anyone doing so. It also reinforces my contention that the business of collecting and exchanging data like this is a deeply corrosive industry.

Tesla Workers Describe Pressure to Meet Goals by Building Model 3s in Tents

Lora Kolodny, CNBC:

Current and former Tesla employees working in the company’s open-air “tent” factory say they were pressured to take shortcuts to hit aggressive Model 3 production goals, including making fast fixes to plastic housings with electrical tape, working through harsh conditions and skipping previously required vehicle tests.

For instance, four people who worked on the assembly line say they were told by supervisors to use electrical tape to patch cracks on plastic brackets and housings, and provided photographs showing where tape was applied. They and four additional people familiar with conditions there describe working through high heat, cold temperatures at night and smoky air during last year’s wildfires in Northern California.

Their disclosures highlight the difficult balance Tesla must strike as it ramps up production while trying to stem costs.

I love the idea of everything Tesla ostensibly stands for. Bringing reasonably priced and reliable electric transport to the masses is a fantastic achievement. But there is so much to dislike about Tesla the company that it compromises my impression of the product. Tesla’s poor manufacturing conditions, offensive labour practices, misleading pricing, and unfocused strategy all make it hard to trust the company to stand by products that are supposed to last several years.