Month: October 2019

Ju-min Park, Reuters:

Samsung Electronics Co Ltd said on Thursday it will soon roll out a software patch to fix problems with fingerprint recognition on its flagship Galaxy S10 smartphone.

A British user told the Sun newspaper this week that a bug on her Galaxy S10 allowed it to be unlocked regardless of the biometric data registered in the device.

After she bought a third-party screen protector, her husband was able to unlock her phone using his fingerprint, even though it was not registered.

This is shockingly trivial. Methods for bypassing Touch ID that involved etching a PCB generated alarmist headlines about it being “no challenge at all”; circumventing Face ID was said to be accomplished in “less than 120 seconds” — assuming, of course, that you were able to get a jerry-rigged pair of glasses onto the iPhone owner’s face without resistance.

This is nothing like that; it is exactly as easily-defeated as reported. That’s embarrassing, sure, but where Samsung really loses me is its explanation for why this is happening:

The issue can happen when patterns of some protectors that come with silicone phone cases are recognized along with fingerprints, the South Korean tech giant said in a notice on its customer support app.

I could be reading this wrong, but what I’m understanding is that Samsung is blaming the screen protector for introducing a pattern that appears to the sensor to be a fingerprint. But if that were the case, this flaw would only exist if fingerprint registration was completed with the screen protector in place.

However, according to a video from Twitter user StaLight, that must be an inadequate explanation because the fingerprint reader can be bypassed after a fingerprint has been registered without a screen protector with Samsung’s own screen protective film, as clarified later. In this example, the user completes a registration process without a screen protector, then successfully unlocks the phone with a different finger after putting a clear phone case between the display and their finger.

I would love to know what this flaw is, and how a software update may apparently fix what seems, to me, to be a critical hardware problem.

The Galaxy S10 also has facial recognition, but that’s defeated by a photo.

Update: The patch has rolled out.

Earlier this week, Michael Beckerman — the president of the Internet Association, a lobbying group that includes Amazon, Facebook, Google, and Microsoft among its members — got an op-ed published in the New York Times strongly objecting to state-level privacy laws:

A patchwork of state laws means that a California woman who orders an item from a Missouri business that manufactures in Florida could have her data regulated by three separate laws, or by no applicable law. Despite California’s Consumer Privacy Protection Act the state’s residents cannot be assured that the protections that apply when they deal with a business covered by the law will apply when they shop at their corner store, travel across the country or engage in online transactions with companies that are not subject to California’s privacy law.

Not only will this add to consumer confusion around how data is handled, it will also undoubtedly lead to inconsistent treatment of data depending on a variety of factors, including the residency of the consumer and the type of businesses with whom they interact.

Beckerman argued for a national privacy law, and that’s what Sen. Ron Wyden is introducing today. You can read the bill in full, and Wyden’s office has put together a one-and-a-bit page summary (PDF) of the highlights.

Dell Cameron, Gizmodo:

First off, the “Mind Your Own Business Act” would finally arm the Federal Trade Commission (FTC) with the power and personnel necessary to adequately punish out-of-control corporations. Companies would no longer simply get off with a warning the first time they break their users’ trust. Instead, they would face immediate fines of up to 4 percent of their annual revenue. For companies the size of Google and Facebook, that means billions of dollars.

But here’s the kicker: Under the bill, executives who knowingly lie to the FTC about privacy violations could face up to 20 years behind bars, and their companies could then be forced to pay a tax based on the salary of the convicted executive.

I can’t imagine the successful passage of Wyden’s proposal to require companies to offer a paid version of their product or service that doesn’t track users, but I imagine the penalties able to be levied against privacy violations will be a deterrent.

Of course, this is extremely strict. It’s great for consumers. I bet the Internet Association is going to hate it.

Jason Koebler, in a Vice article bizarrely titled “It Is Currently Impossible to Exchange Money for an iPhone”. It’s bizarre because millions of people in the United States and around the world are buying new iPhones, often in exchange for money. But Koebler can’t buy a new iPhone — though, reading this, you’d imagine that it’s the last thing he wants to do:

I think that buying a new phone is a shameful but occasionally necessary activity to continue living in the modern world. I disagree with most of Apple’s corporate philosophies on recycling, repair, and its walled-garden, monopolistic approach to the App Store. I do not like spending time in Apple Stores, nor do I like giving the company money, but I appreciate Apple’s commitment to privacy and security, and my current phone is more than three years old, has been repaired three times, and no longer takes photos or connects to WiFi. It is, unfortunately, Time for a New Phone.

This is a weird way for one to convince themselves that they are not actually excited by technology and are resigned to the fact that they must exchange money for goods and services. I can imagine Koebler standing in a long line for brunch on a Sunday morning trying to convince himself that it’s an infuriating rip-off to pay twenty dollars for a halved English muffin with two poached eggs and some hollandaise overtop; and, instead of admitting that, yeah, it is actually kind of nice to indulge in this modicum of expensive joy every once in a while, he bashes out an article with the headline “It Is Currently Impossible to Exchange Money for Breakfast”.

Anyway:

The problem is that, at the moment, it is nearly impossible to exchange US currency for an iPhone 11 Pro.

Well that certainly narrows the vast scope that the headline suggests.

256GB iPhone 11 Pros (the objectively correct phone to buy, if you are going to buy a new iPhone) don’t ship until the end of the month if you order one online, and they’re sold out in stores all over the country according to the company’s website.

Oh, so it’s still not impossible, it just takes a couple of weeks? And this staggering level of impatience for a new product — that is, apparently, a reluctant purchase — is being displayed by the same guy who wrote and linked to an article in the previous paragraph about how you shouldn’t buy a new iPhone unless your old one is completely broken.

It’s fine to admit you like stuff and are excited by new things — even things from Apple. Nothing bad will happen to you; you will not be stuffed into a cannon and fired into the cloud hanging over Cupertino made of Steve Jobs’ reality distortion field.

Dieter Bohn of the Verge got to spend time with the new line of Google Pixel 4 phones and was particularly impressed with its new facial identification system:

I’ll admit, it was a little jarring. Every phone I’ve ever used had some sort of secondary action between picking up the phone and getting into it: a tap on a fingerprint sensor or a swipe on the screen. With the Pixel 4, it’s like there isn’t a lock screen at all because you almost never get a chance to see it.

I’ll have to do some actual timing in the review because it’s 100 percent possible that this speed is more perception than reality. The phone begins its unlock procedure before you even touch it, using that Motion Sense radar to detect you’re reaching for it. (More on that below.) It also feels faster because it jumps right into the last thing you were doing instead of requiring a second action with no animation that I could detect.

As facial recognition becomes faster on all phones, I wonder if today’s interpretation of the look and function of lock screens could effectively vanish.

The main thing Motion Sense does is pay attention to whether you’re even near the phone or if you’re reaching for it. If you walk away from it, it detects that and turns off the always-on display. If you reach for it, it activates the screen and face unlock.

Motion Sense lets you skip forward or back when music is playing, too. But the best feature is dismissing alarms and calls. When you simply reach for the phone, the volume drops when the phone sees your hand. Then you can simply wave to dismiss the call or snooze the alarm.

Without trying this feature — and I know that’s a big caveat — it sounds almost like the inverse of 3D Touch. And we all know how that experiment ended.

Google has clearly always wanted to do their own Android phones: they started with the Nexus One in 2010 and keep launching new ones every year. But they’ve never really been a big sales hit. These could be great phones, and will almost certainly be the best Android experience you can buy — primarily because the experience is unashamedly cribbed from the iPhone playbook. But, based on sales numbers, there just isn’t a huge market for people who want an iPhone that runs Android. People who want an iPhone buy an iPhone; people who want a premium Android phone seem to want it to be very different from an iPhone.

Google also launched a bunch of Google Home stuff today that doesn’t interest me, and a pair of earbuds that does. The old Pixel Buds were panned by reviewers, but the new ones ought to be better.

Victoria Song, Gizmodo:

Battery life is the same at five hours, though Google says they can last up to 24 hours with the wireless charging case. Sound-wise, they have dynamic volume adjusting depending on your environment. Google also emphasized they thought real hard about stuffing all those components into a new design — a video described them as “floating computers.” They’re not exactly noise-canceling; Google described them as “noise-isolating.” Basically, it’s got a small spatial vent to let in outside air. Supposedly that makes for a more comfortable Pixel Bud, but we’ll have to try them out for ourselves.

I love the sound of that dynamic volume adjustment feature. Every morning, I put my AirPods in and start listening to something while I’m waiting for the elevator; a couple of minutes later, I’m walking down a busy street and find myself reaching for the volume up button. And then, a few minutes after that, I turn onto a quieter side street and need to turn it back down a bit. What a great idea.

Unfortunately, while Google said today that these new Pixel Buds could do a lot of very cool new things, they won’t be shipping until next year and the demo models they showed to the press were non-functional.

Nevertheless, I’d love to try them, and one of these new Pixel phones.

Dan Seifert wrote a good piece in the Verge before today’s Google press event about the wireless earbud market:

While a few niche startups were first to put truly wireless headphones on the market, Apple really defined the scene with its 2016 release of the AirPods, showing what a good execution on the idea is like: reliable wireless connectivity, at least five hours of battery life, and a compact, easy-to-use charging case.

Since then, we’ve seen Samsung release several iterations of its own wireless earbuds before landing on a (mostly) working formula with this year’s Galaxy Buds. Many smaller companies, such as Jabra and Jaybird, have put out products that try to address the remaining AirPod faults, such as the lack of a customizable fit or poor sound blocking characteristics. Even Apple is selling multiple versions of truly wireless earbuds between the AirPods and its Beats brand.

It’s a crowded space. It’s also the category of tech products that, I think, comes closest to feeling futuristic today — especially with features like the new Announce Messages with Siri option coming in iOS 13.2.

Derek Thompson, the Atlantic:

Several weeks ago, I met up with a friend in New York who suggested we grab a bite at a Scottish bar in the West Village. He had booked the table through something called Seated, a restaurant app that pays users who make reservations on the platform. We ordered two cocktails each, along with some food. And in exchange for the hard labor of drinking whiskey, the app awarded us $30 in credits redeemable at a variety of retailers.

I’ve read Seated’s guide for restaurants and a 2017 review and I still don’t understand how they’re able to offer a thirty percent money back reward for restaurant reservations booked through the app. It’s even more ridiculous than the Boost feature on Square’s Cash card, which only received compensation from a participating retailer earlier this year. It can’t possibly be paid for out of interchange fees, nor would any restaurant willingly refund a third of the cost of a menu item against already-slim profit margins.

Anyway — Thompson:

Starting about a decade ago, a fleet of well-known start-ups promised to change the way we work, work out, eat, shop, cook, commute, and sleep. These lifestyle-adjustment companies were so influential that wannabe entrepreneurs saw them as a template, flooding Silicon Valley with “Uber for X” pitches.

But as their promises soared, their profits didn’t. It’s easy to spend all day riding unicorns whose most magical property is their ability to combine high valuations with persistently negative earnings — something I’ve pointed out before. If you wake up on a Casper mattress, work out with a Peloton before breakfast, Uber to your desk at a WeWork, order DoorDash for lunch, take a Lyft home, and get dinner through Postmates, you’ve interacted with seven companies that will collectively lose nearly $14 billion this year. If you use Lime scooters to bop around the city, download Wag to walk your dog, and sign up for Blue Apron to make a meal, that’s three more brands that have never earned a dime or have seen their valuations fall by more than 50 percent.

These companies don’t give away cold hard cash as blatantly as Seated. But they’re not so different from the restaurant app. To maximize customer growth they have strategically — or at least “strategically” — throttled their prices, in effect providing a massive consumer subsidy. You might call it the Millennial Lifestyle Sponsorship, in which consumer tech companies, along with their venture-capital backers, help fund the daily habits of their disproportionately young and urban user base. With each Uber ride, WeWork membership, and hand-delivered dinner, the typical consumer has been getting a sweetheart deal.

It’s going to be a disaster if many of these arguably predatory businesses go bust: cities’ transportation networks will have to adjust, warranties won’t be honoured, and gig economy workers will be looking for jobs. When they raise their prices — even to a break-even point — we will all realize that these services are just as expensive as any traditional version of whatever they disrupted.

Anja Karadeglija, the Wire Report:

Tefficient, a Swedish consulting company that has released a number of telecom price reports highlighting Canada as one of the highest-priced jurisdictions for such services, will no longer be including the country in at least one future research report, The Wire Report has learned.

The “fact that the data is reported so late for Canada (and since none of the carriers report data traffic or usage) we aren’t too interested in incorporating Canada in our analyses going forward,” Fredrik Jungermann, founder of Tefficient, said in an email when asked about the company’s information on Canadian telecom pricing. He noted that was “primarily” the driver of that decision.

He said that “another reason is the workload created when lobbyists try to shoot down the credibility of the whole report because they don’t like to see Canada presented as an outlier. We have no business in Canada and have, unlike lobbyists, no agenda.”

Canadian cellular plan prices are among the highest in the world by an obscene margin. We pay more than those who live in any other developed country; this is something that multiple studies have confirmed for years. Everyone knows it, and the lobbyists for our major telecom providers want us to forget it.

Russell Brandom, the Verge:

When Libra launched on June 18th, it seemed like an alarming new front in Facebook’s megalomaniacal expansion. Having captured billions of users and tens of billions of dollars in annual profits, the company would now be taking over currency itself. The company’s head of blockchain, David Marcus, laid out his plan for Libra in a detailed white paper, with some of the financial world’s most powerful companies already signed on to help govern the new currency as part of the Libra Association. It was Facebook’s vision for an international currency, and based on the company’s partners, it seemed unstoppable.

That was then. The first to ditch Libra was Paypal, which withdrew on October 4th. Then, over the course of a few hours on October 11th, Visa, Mastercard, Stripe and Mercado Pago all bailed on the project, with eBay tagging along for good measure. That meant every major US payment processor has exited the association. (The final remaining payment processor, PayU, has not responded to multiple requests for comment.) It’s an alarming turnaround for the Facebook-backed project, and the first clear indication that Libra’s founders may have bitten off more than they can chew.

Losing five companies in the span of a couple hours might seem like a panicked rush for the door, but the timing matters. On October 14th, all the founding members are set to convene in Geneva for the first ever Libra Council meeting. That’s where they will hammer out the different roles to be played by the different parties and try to answer all the governance questions that aren’t spelled out in the initial white paper. Ultimately, that will result in a formal charter, with each member signing their name to the new agreement.

A promising start.

Alex Kantrowitz and John Paczkowski, Buzzfeed News:

In early 2018 as development on Apple’s slate of exclusive Apple TV+ programming was underway, the company’s leadership gave guidance to the creators of some of those shows to avoid portraying China in a poor light, BuzzFeed News has learned. Sources in position to know said the instruction was communicated by Eddy Cue, Apple’s SVP of internet software and services, and Morgan Wandell, its head of international content development. It was part of Apple’s ongoing efforts to remain in China’s good graces after a 2016 incident in which Beijing shut down Apple’s iBooks Store and iTunes Movies six months after they debuted in the country.

I think it’s important to be highly critical of efforts to succumb to the demands of an authoritarian state. But this is not a story about Apple’s practices, as the eighth paragraph of this article points out:

Apple’s tiptoeing around the Chinese government isn’t unusual in Hollywood. It’s an accepted practice. “They all do it,” one showrunner who was not affiliated with Apple told BuzzFeed News. “They have to if they want to play in that market. And they all want to play in that market. Who wouldn’t?”

The bigger story here can be found in an article yesterday from Shane Savitsky in Axios:

While the U.S. reckons with the fact that China’s market power can stymie free speech after the NBA’s firestorm, Hollywood — America’s premier cultural exporter — has long willingly bent to Chinese censorship to rake in profits.

China is set to become the world’s biggest movie market in 2020, and with its 1.4 billion citizens, it won’t relinquish that title anytime soon. That means it’s key for Hollywood studios to do all they can to ensure that their tentpoles can pass the standards of the country’s strict censors.

This is a far greater cultural question to contend with. Films have been compromised for decades to meet specific MPAA ratings in the United States, but Chinese censors are even more unwelcoming:

Perhaps the most extreme example was the 2018 decision to not allow Disney’s “Christopher Robin” to be released, purportedly because Chinese President Xi Jinping’s resemblance to Winnie the Pooh had become a joke among activists who resisted the country’s Communist regime.

Ludicrous.

Mark Gurman, Bloomberg:

Apple rolled out Catalyst, the technology to transition iPad apps into Mac versions, on Monday. It’s the initial step toward a bigger goal: By 2021, developers should be able to build an app once and have it work on iPhones, iPads and Mac computers through a single, unified App Store. But the first iteration, which appears to still be quite raw and in a number of ways frustrating to developers, risks upsetting users who may have to pay again when they download the Mac version of an iPad app they’ve already bought.

From a user’s perspective, buying different apps on different platforms is the status quo; and, as the subscription model continues to grow in popularity, it makes little difference.

Gurman, continued:

Developers have found several problems with Apple’s tools for bringing iPad apps over to Mac computers. Some features that only make sense on iPad touchscreens, such as scrollable lists that help users select dates and times on calendars, are showing up on the Mac, where the input paradigm is still built around a keyboard and mouse or trackpad.

Troughton-Smith said Mac versions of some apps can’t hide the mouse cursor while video is playing. He’s also found problems with video recording and two-finger scrolling in some cases, along with issues with using the keyboard and full-screen mode in video games. Thomson, the PCalc developer, said some older Mac computers struggle to handle Catalyst apps that use another Apple system called SceneKit for 3-D gaming and animations.

Catalyst is a frustrating bridge between the entirely-discrete AppKit and UIKit worlds, and the ostensibly cross-platform SwiftUI model. It’s “frustrating” because apps built with it don’t feel like Mac apps, and it’s probably too early to start building with SwiftUI since it will likely change dramatically for developers over the next few years. It’s an awkward middle ground that isn’t as good as either. Apple’s promotion of it as “just a checkbox” in Xcode — and, weirdly, using that as part of its pitch to users — is overly optimistic.

That’s not to say that there are no good Catalyst apps. John Voorhees reviewed Lire for MacOS and was fairly impressed with its platform-specific customizations. But it’s a harder process than Apple promotes to developers, and I’m still not confident we’ll see truly great apps built with Catalyst.

Tyler Hall has compiled a list of bugs that he has run into so far:

I love the Mac and everything its software and hardware stand for. The iMac Pro and new Mac mini are phenomenal. The revamped Mac Pro (six years? really?) is a damn beast. And, honestly, I don’t even mind USB-C.

But the keyboards, the literally hundreds if not thousands of predatory scams on the Mac App Store, whatever the fuck is going on with Messages.app on macOS, iCloud Drive, the boneheaded, arrogant, literally-put-on-the-consumer-facing-marketing-website claim that iPad-to-Mac with Catalyst was merely a checkbox, all the dumb, stupid little bugs I mentioned above, and the truckload of other paper-cuts I’m sure to run into once I’m on Catalina for more than 48 hours…

My god.

It is absolutely clear that the Mac is far outside of what the upper-ranks of Apple is focusing on.

It is unsurprising to find bugs in an x.0 release of anything, but this post is maddening. The number and variety of bugs in iCloud-connected things is concerning when it displays error messages; it’s even worse when something silently fails.[1]

It’s not the fault of the engineers; it’s the fault of whichever parties have decided that software updates must ship annually. While I’m happy to see that they’re willing to delay features that aren’t ready, Apple’s operating system updates are promoted every June with features that may not ship for months after the initial release and the first versions are still full of absurd bugs. It feels chaotic and uncontrolled — like all middle managers for every organization are not on speaking terms.


  1. A quick aside that has little to do with Catalina but has everything to do with silent failure and bug reporting: I’ve written a couple of times about how the Home app simply doesn’t work for me on any device. It just displays a screen that says “Loading Accessories and Scenes” and has an infinitely-running spinner on it. There is no error message; there is no way to move past this.

    What’s supposed to happen, according to Apple, is that a button for resetting HomeKit should appear somewhere on that screen if you leave it open for half an hour. This is their official troubleshooting recommendation. I cannot possibly stress enough how absurd it is that someone decided that the best way to present a reset button is for a screen to be left on and running in the foreground for an entire episode of Last Week Tonight, and users should somehow expect to know that a button will emerge from an otherwise-empty space. It’s also silly that there’s no remedy for HomeKit errors anywhere between live with it and delete everything; why isn’t there a way to roll back to a known good configuration?

    Anyway, I’ve tried this several times on different devices across four versions of iOS — 10.0 through 13.2 — and in MacOS Mojave, and I’ve never seen this unicorn of a button.

    This wasn’t a big deal — I don’t have any HomeKit devices — until I updated to tvOS 13, which prompted me to add the device to my Home network. I tried; it failed, predictably. And I have an allergy to red notification dots in Settings. So I got in touch with Apple support. In the past two weeks, I’ve spoken on the phone for several hours, sent in a couple of sysdiagnose examples, and have repeatedly pointed out that this occurs on all of my devices, so it’s likely to be something iCloud related and all I want to do is start from scratch. I don’t blame the support representatives for their inability to fix this, but it is tedious and irritating that there is seemingly no way for me to fix this silently-presenting problem myself.

Peter Kafka, Vox:

Plenty of US companies work in and with countries that require them to make moral compromises. Facebook, for instance, finds itself frequently pulling down videos and posts because they upset Turkey’s censors; Netflix took down an episode of comedian Hasan Minhaj’s Patriot Act in Saudi Arabia because it was critical of Crown Prince Mohammed bin Salman. The standard argument these companies all make is that those countries are better off when they have access to their products.

This is Apple’s argument, too. “We believe our presence in China helps promote greater openness and facilitates the free flow of ideas and information,” Cook told Sen. Ted Cruz (R-TX) and Sen. Patrick Leahy (D-VT) in a December 2017 letter. “We are convinced that Apple can best promote fundamental rights, including the right of free expression, by being engaged even where we may disagree with a particular country’s law.”

Left unsaid in Cook’s letter is that Apple has to do business in China.

Unlike tech companies that haven’t broken into the country or only do minor business in it, Apple is now so deep in China that leaving it could be catastrophic. Even if the company was willing to forgo the $44 billion a year in sales it makes in China, it can’t leave the deep network of suppliers and assemblers that build hundreds of millions of iPhones every year.

Just a few months ago, Tim Cook denied that the company was exploring other places to build their products. The depth and extent of the electronics supply chain in China beggars belief — and, in one of those decades-old twists of fate, Cook helped make it so. There are loads of American tech companies that build products in China; Apple’s particular investment, though, is notable.

Tim Cook to Apple employees, as leaked to the app’s developer:

It is no secret that technology can be used for good or for ill. This case is no different. The app in question allowed for the crowdsourced reporting and mapping of police checkpoints, protest hotspots, and other information. On its own, this information is benign. […]

When the developer previously submitted the app to the App Store, it was rejected on the basis that the app “facilitates, enables, and encourages an activity that is not legal”. Presumably, that refers to its ability to locate police on a map. If it were “benign” — as Cook says and which I agree with — why was it rejected in the first place?

[…] However, over the past several days we received credible information, from the Hong Kong Cybersecurity and Technology Crime Bureau, as well as from users in Hong Kong, that the app was being used maliciously to target individual officers for violence and to victimize individuals and property where no police are present. This use put the app in violation of Hong Kong law. Similarly, widespread abuse clearly violates our App Store guidelines barring personal harm.

Maciej Cegłowski, who has been reporting on the protests from Hong Kong since August, says that this does not comport with what the app actually shows:

Moreover, what are these incidents where protesters have targeted individual police for a premeditated attack? Can Mr. Cook point to a single example? Can anyone?

When Hong Kong police have been in danger, it is invariably because they broke off in small groups into a sea of demonstrators and got separated from their colleagues. I witnessed this personally in Prince Edward on 9/2; many others have seen or videotaped similar situations.

So not only is there no evidence for this claim, but it goes against the documentary record of 18 weeks of protests, and is not even possible given the technical constraints of the app (which tracks groups of police).

Meanwhile, HKmap.live remains available on Google Play stores in Hong Kong and China. Google did remove a game that allows you to role-play as a protester at the behest of the Chinese government.

Hamilton Nolan, Splinter:

After a monumental political battle, California passed AB5, a law that will make it much harder for gig economy companies to classify their workers as “independent contractors.” Now, the same political battle is coming to New York. That means it’s a perfect time to hear from Uber and Lyft drivers, in their own words.

[…]

When California was considering its bill last month, we asked Uber and Lyft drivers, who are the most visible class of gig employees who would be directly affected by these changes, to email us and tell us about their working conditions. Hundreds did. As New York wrestles with the same questions, let’s hear from more of the people whose lives could be changed.

Given that drivers pay for fuel, increased wear and tear on their vehicles, and insurance, this simply isn’t a very profitable enterprise for individuals — or, seemingly, the companies they work for. I’m also not convinced that it’s particularly effective as an occasional gig for people to pick up a little extra cash: if there’s a collision, an insurance company could deny coverage if the driver has typical auto insurance instead of commercial insurance, for example.

On a related and upsetting note, Splinter is shutting down. Nolan, the author of the linked piece about gig economy drivers, wrote a very relevant and thoughtful piece last year about private equity’s pitfalls.

Verna Yu, the Guardian:

The app HKmap.live, which crowdsources the location of police and anti-government protesters, was approved by Apple on 4 October and went on its App Store a day later, after the company reversed an earlier decision to reject the submission, according to an anonymous developer cited in the South China Morning Post. The app displays hotspots on a map of the city that is continuously updated as users report incidents, hence allowing protesters to avoid police.

The headline of the People’s Daily commentary carried by its official microblog on Wednesday said: “Protecting rioters – Has Apple thought clearly about this?”

It went on to say: “Allowing the ‘poisonous’ app to flourish is a betrayal of the Chinese people’s feelings.”

Someone in the Chinese government ought to familiarize themselves with the Streisand Effect — if Techdirt isn’t already blocked in the country.

Apple should absolutely not acquiesce to China’s demands. HKmap.live ought to remain in the App Store. But it is extraordinarily risky for Apple to resist an authoritarian force that controls the export and, therefore, sale of nearly every product they make.

Update: In an inauspicious development, John Keefe of Quartz says that Apple has succumbed to Chinese government pressure and pulled the publication’s app from the App Store in Hong Kong.

Update: Apple has removed HKmap.live from the App Store in Hong Kong. Shameful.

Over the weekend, I ended up reading several recent articles painting a fairly bleak picture of the middle-term future of transportation. I thought I’d stitch them together in a way that helps me — and, hopefully, you — see how they relate to each other. Let’s start with the bedrock of transportation in the United States and Canada: the personally-owned car.

Patrick George, Jalopnik:

The Wall Street Journal has a new story out that’s a kind of overview of something we’ve covered extensively around these parts — that super-long car loans, often with very high interest rates, are the new normal in car buying. And buyers are having a hell of a time keeping up. It means that car loans stick around well into when some of these models need pricey repairs, or past their original owners, and they eat into more and more of our incomes.

This is obviously concerning for owners who may not truly be able to afford lengthy car loans; it’s also likely to collapse in a situation reminiscent of the mid-2000s subprime mortgage crisis.

Making matters worse is that automakers like Ford and Mitsubishi are discontinuing sales of family cars in North America and focusing on SUVs and crossovers.¹ These replacements are bigger, more expensive to buy, more expensive to run, and often more expensive to insure. They’re also more dangerous, both to the occupants and the people they crash into.

And, speaking of safety, Peter C. Baker of the Guardian wrote about a deadly decade for pedestrians:

In 2010, the small community of specialists who pay attention to US road safety statistics picked up the first signs of a troubling trend: more and more pedestrians were being killed on American roads. That year, 4,302 American pedestrians died, an increase of almost 5% from 2009. The tally has increased almost every year since, with particularly sharp spikes in 2015 and 2016. Last year, 41% more US pedestrians were killed than in 2008. During this same period, overall non-pedestrian road fatalities moved in the opposite direction, decreasing by more than 7%. For drivers, roads are as safe as they have ever been; for people on foot, roads keep getting deadlier.

[…]

Ask a room full of safety experts about smartphones and you will get a mix of resignation, bemusement and contempt. “I tend not to buy the smartphone distraction stuff,” says Garrick, echoing nearly identical comments from just about everyone I talked to. “To me, it reads as shoving aside actually dealing with the relevant issues.” What particularly bothers him, he says, is how poorly thought out the distraction discourse tends to be. In the UK, Belgium, Germany, Spain, France, Austria and Iceland, for example, pedestrian deaths occur at a per capita rate roughly half of America’s, or lower. Are we really to believe that the citizens of these countries are 50% less susceptible than Americans to distraction, by their phones or anything else? Plus, within the US, pedestrian death occurs disproportionately in neighbourhoods populated by people with low-incomes and people of colour. Is distraction really more endemic in those neighbourhoods, or among people driving through them, than it is in wealthier, whiter areas? Or is it more likely that these neighbourhoods are more likely to be criss-crossed by high-speed roads, and less likely to receive investment in transit interventions that protect pedestrians?

Baker also touches on partly- and fully-autonomous vehicles as a panacea for automobile-related maladies:

Of course, in time-honoured Silicon Valley tradition, this simple profit motive was quickly swaddled in all manner of high-flying rhetoric about saving lives (of car users and pedestrians alike), saving cities and transforming transportation as we know it. “Every year that we delay this, more people die,” Anthony Levandowski, then of Google, told the New Yorker in 2013. At a 2016 press event, Elon Musk, the CEO of Tesla, warned journalists who expressed doubts about self-driving cars – like the type that Tesla plans to sell – that they had blood on their hands. “If, in writing something that’s negative, you effectively dissuade people from using an autonomous vehicle, you’re killing people.”

“There is simply a very good business reason for car companies to sell people a future where everything is better, especially when the way to get there is by purchasing a lot of cars,” says Peter Norton, perhaps the most prominent historian of how Americans think about traffic safety. As Norton pointed out, car manufacturers have long made a practice of stoking consumer dissatisfaction, and yoking it to utopian visions of the future in which cars of the future solve problems created by cars of the present. “I don’t think there’s any chance that autonomous vehicles will deliver us a safe future, and I don’t necessarily think the companies think so either. I think they think we’ll buy a lot of stuff. The safe future will recede before our eyes like a desert mirage.”

It is notoriously stupid to try to predict the success of future technologies. As I’ve written before, I strongly suspect that truly autonomous vehicles are decades out. What a Tesla can do today is remarkable — if not quite road-worthy yet. Waymo’s answer is even better, of course. But I’ll be stunned if, in the next few years, a car can drive itself from, say, the parking garage in my building through the Rocky Mountains in wintertime to Lake Louise without human intervention. Part of the trip? Sure. But the whole way — a truly autonomous vehicle? I have doubts.

For the sake of argument, let’s suppose that partially autonomous transport is solved soon for a limited set of uses. Something broader than fixed bus routes, and more along the lines of Waymo One, but for the rest of us. That would perhaps require us to purchase new cars equipped with expensive new technologies. Instead of owning these cars individually, though, we could share them with a Car2Go-esque service.² Unfortunately, it’s hard to be optimistic about the success of something like that because Car2Go announced last month that they would be ending service in four big North American cities by the end of October, including Calgary. In its email to users, Car2Go blamed city policy, a poor economy, and increased competition. The first reason has been disputed by the city, the second is a possibility, and the third seems like a red herring — there are no competing car sharing services in Calgary, but we do have Uber, and it’s wildly popular.

Of course, “wildly popular” does not mean “a good business”. Car2Go said it was very popular in Calgary just last year. When it filed for its IPO earlier this year, Uber reported total losses of $7.9 billion between when it was founded in 2009 and the end of 2018. In the first quarter of 2019, they added another $1 billion to that tab; in the second quarter, they added a whopping $5.2 billion. Between 2009 and June 30 of this year, Uber has lost over $14.1 billion — an average of about $4 million per day, every day, for over ten years of operations. And those losses are overwhelmingly recent: in 2017, the company lost $2.2 billion; in 2018, $1.8 billion; in 2019, so far, $6.2 billion. All of that is without factoring in last month’s decision in California to classify drivers as employees instead of contractors, meaning that Uber will be obligated to pay minimum wage.

Is Uber a sustainable business over the long term? They are clearly planning to be, but they have to dig themselves out of a multibillion-dollar hole before we can sincerely have a discussion about the reasonableness of future viability. But if they, like Car2Go, are forced to retreat somewhat, it puts those who are reliant upon its services in a difficult position. Car sharing and ride sharing services mean that people may not need to own a car if they live in a moderately dense part of their city. They are a solution for the increasingly high financial and environmental cost of personal vehicle ownership.

But so is public transportation.

After reading all of these pieces and thinking this whole thing through, I keep winding up wondering what our cities would look like if we channeled the money we spend on Ubers and car sharing into public transit. What if venture capital firms funded trains and buses instead of autonomous vehicle startups? I recognize that’s not how venture capital firms operate because their incentive is in making money through risky betting — which is not necessarily the same thing as making cities better and safer to travel through. Public transportation also carries reduced risk for those who depend on it, as a public transit operator won’t simply end service in a city by giving a month’s notice and recalling all of its vehicles.

This is not an original argument, but it is one I was hounded by as I spent my weekend reading these articles.

As I wrote at the outset, this is a loose knitting-together of disparate strands of a complex conversation: what does transportation look like in cities of the future? Is it roads filled with individually-occupied privately-operated autonomous vehicles? I think it’s a fascinating technical puzzle and solution, but I’m struggling to find the practical appeal.


  1. As of writing, Mitsubishi still sells the Mirage in North America, but it’s rumoured to be replaced with a crossover of the same name.

  2. This has been proposed by many people. I think a recent paper by Todd Litman (PDF) of the Victoria Transport Policy Institute compares different ownership schemes very well.

Makena Kelly, the Verge:

On Tuesday, Twitter announced that it “unintentionally” used phone numbers and email addresses for advertising purposes even though the information was provided by users for two-factor authentication.

According to Twitter, no personal data was shared with the company’s third-party partners, and the “issue that allowed this to occur” has been addressed. As of September 17th, phone numbers and email addresses are now only collected for security purposes, Twitter said.

Facebook acknowledged a similar issue earlier this year. Conveniently, I only need to swap company names in response:

This isn’t just yet another example of [Twitter] behaving outrageously when it comes to the company’s pathological need to slurp up everything about its users’ every living moment. It also has the potential to reduce the likelihood that users will adopt two-factor authentication. Technically-literate people have been preaching two-factor authentication for a long time, but average users have been slow to enable it; if they get the impression that it’s yet another piece of data that creepy companies can use to track them, they will be even more hesitant.

I’m starting to think that business models based on a relentless hoarding of personal details may need to be reconsidered.

Ben Thompson:

The biggest shift, though, is a mindset one. First, the Internet is an amoral force that reduces friction, not an inevitable force for good. Second, sometimes different cultures simply have fundamentally different values. Third, if values are going to be preserved, they must be a leading factor in economic entanglement, not a trailing one. This is the point that Clinton got the most wrong: money, like tech, is amoral. If we insist it matters most our own morals will inevitably disappear.

In August, two hundred of the largest companies in the world pledged that shareholder value was no longer the primary motivation for their business. It’s time to prove it.

Nilay Patel, the Verge:

Regardless of the legal history, it really does seem obvious to most people that broadband internet access is a telecommunications service that should be neutral. In this case, Ajit Pai and the FCC made the argument that broadband is actually an “information service” because access is paired with… DNS and caching services. That’s DNS, as in the domain name lookup servers that translate domain names to IP addresses, and caching services that host copies of data closer to your location to speed up your access.

Not email, not some wacky AOL chat room. DNS and caching. And because that argument worked in the 2005 Brand X case, the court in 2019 was obligated to say the FCC could use the same argument again.

[…]

The court next addresses whether mobile broadband is a “commercial mobile service,” which is the wireless version of a telecommunications service, or a “private mobile service,” which is the analogue to an information service. I will spare you the details of the long, long discussion that follows, except to say the state of telecom law in 2019 is such that the court winds up making its decision based on the fact that smart washing machines cannot make phone calls.

There is overwhelming support across all sectors of the American public for ISPs to be treated as utility providers. Every renter knows that internet service is listed under a Utilities heading in the lease agreement. Even ISPs call themselves utilities when they benefit, but argue the opposite when they would be treated to similar regulatory oversight.

Broadband is a utility. Everyone knows it; ISPs know it, too. They just don’t want it to be treated as such because they would have to compete on speed and price instead of lacklustre incentives and anti-competitive policies. It’s time to regulate it as such.

Judd Legum in his Popular Information newsletter:¹

Prior to last week, Facebook had a rule against running any ads with “false and misleading” content: “Ads, landing pages, and business practices must not contain deceptive, false, or misleading content, including deceptive claims, offers, or methods.”

But today, category 13 of prohibited content has been narrowed significantly. Now, Facebook only “prohibits ads that include claims debunked by third-party fact checkers or, in certain circumstances, claims debunked by organizations with particular expertise.”

The old rules prohibited all ads that contained “false” and “misleading” content and made no mention of the fact-checking program. The new rules are limited to claims that are “debunked by third-party fact checkers.”

Moreover, Facebook says “political figures” are exempt from even that narrow restriction.

Not too long ago, Facebook bragged on its advertising case studies page about how effective their ads were for political campaigns. Last year, however, the company hid that category as it publicly pretended that it couldn’t possibly influence an election. And those ads were supposed to be factual. What happens when notoriously unscrupulous leaders are able to exploit highly-targeted creepy advertising to lie to people directly with the support of Facebook’s policies?


  1. This webpage is horrible and I’m sorry to subject readers to it. Click “let me read it first” to dismiss the full-page subscription screen.

Today marks the one-year anniversary of Bloomberg’s publication of a story about Chinese intelligence intercepting the supply chain of Supermicro, a company which has built and sold servers to Amazon, Apple, the U.S. Department of Defense, and dozens of other companies. Apparently, they developed a chip that looked identical to a rice-sized standard component placed along the main power lines of a server; the implanted chip ostensibly contained a processor and networking capabilities and could, theoretically, act as a backdoor for Supermicro servers.

It sounded like the information security scoop of the decade — except there’s virtually no proof that any of it is true.

At the time of the story’s publication, representatives from the named companies denied Bloomberg’s reporting in statements that left virtually no wiggle room. Tim Cook called for the story’s retraction — a call that was soon echoed by Amazon and Supermicro. Michael Riley — who reported the story alongside Jordan Robertson — took to Twitter on October 5 to point out that the physical evidence would make it “hard to keep more [details] from emerging”.

So far, that has not happened.

On October 9, the duo published a followup story claiming that backdoor hardware was found on a Supermicro server belonging to a telecom firm. Their report relied on documents provided by Yossi Appleboum who subsequently argued in an interview with ServeTheHome that Bloomberg’s characterization was incorrect. Appleboum claimed that the problem is broader than Supermicro and the entire supply chain in China was compromised; however, no evidence was provided publicly to support his assertions.

And that was pretty much the last update we heard from Bloomberg’s reporters regarding this important information security scoop. Michael Riley published just one story between October 9, 2018 and August 31, 2019; Jordan Robertson reported nothing for Bloomberg until September 2, 2019. Given an entire year to dig around on this huge story, no other publication has been able to independently verify their claims.

Here’s every significant development I can find from the past year:

  • At the end of October last year, Erik Wemple of the Washington Post reported that the then-Director of National Intelligence — the turnover in this administration is wild — and an NSA official had no evidence to support Riley and Robertson’s story.

  • In November, Wemple wrote about Bloomberg’s continued reporting efforts. An investigative reporter who wasn’t part of the team behind the original “Big Hack” pieces emailed Apple employees to try to figure out what was right and what was wrong. In conversations with Wemple, Apple employees disputed everything about the story and subsequent rumours about internal Apple investigations.

  • In December, Supermicro announced that a third-party investigator had found “no evidence of any malicious hardware”.

  • In April, Wemple reported that Bloomberg submitted the story for a National Magazine Award. It was not a finalist.

  • In August, the story received Pwnie awards for the Most Over-Hyped Bug and the Most Epic Fail at Black Hat.

  • Last month, a vulnerability was discovered in Supermicro servers that would allow remote USB access. It was patched the following day.

  • Also last month, Michael Riley got promoted. Congratulations.

Unfortunately, a year later, we’re still no closer to understanding what happened with this story. Bloomberg still stands by it, but hasn’t published a follow-up story from its additional reporting. No other news organization has corroborated the original story in any capacity. After being annihilated following the story’s publication, Supermicro’s stock has bounced back.

Most upsetting is that we don’t know the truth here in any capacity. We don’t know how the story was sourced originally other than the vague descriptions given about their roles and knowledge. We don’t know what assumptions were made as Riley and Robertson almost never quoted their sources. We don’t know anything about the thirty additional companies — aside from Amazon and Apple — that were apparently affected, nor if any of the other nine hundred customers of Supermicro found malicious hardware. We don’t know what role, if any, Bloomberg’s financial services business played in the sourcing and publication of this story, since they were also users of Supermicro servers. We don’t know the truth of what is either the greatest information security scoop of the decade or the biggest reporting fuck-up of its type.

What does that say about Bloomberg’s integrity?

Jon Brodkin, Ars Technica:

To defend the reclassification, the FCC had to explain why broadband fits the federal definition of “information service” and not the federal definition of “telecommunications service.” Under US law, telecommunications is defined as “the transmission, between or among points specified by the user, of information of the user’s choosing, without change in the form or content of the information as sent and received.”

That sounds like what broadband companies provide, but the FCC claims that broadband isn’t telecommunications because Internet providers also offer DNS (Domain Name System) services and caching as part of the broadband package. According to the FCC, the offering of DNS and caching makes broadband an information service, which is defined under US law as “the offering of a capability for generating, acquiring, storing, transforming, processing, retrieving, utilizing, or making available information via telecommunications.”

Judges reluctantly ruled that the FCC made a permissible reading of the statute.

The preceding case that allows internet connectivity to be classified as information services in no way resembles the way broadband is actually used by consumers, nor is it a reasonable interpretation of the function of DNS and caching services. Precedent says that the judge’s decision is not incorrect, but the law is — as ever — outdated and fundamentally broken when it comes to interpreting newer technologies.