Month: July 2020

Lorenzo Franceschi-Bicchierai, Vice:

Apple just announced that it will send special devices that make it easier to find flaws and vulnerabilities in its mobile operating system iOS to iPhone hackers that apply and qualify for a program the company announced last year. The program might make some hackers less likely to engage in the underground market for stolen prototype iPhones hackers currently use to research iPhone security, and encourage them to share their findings with Apple.

In a new website published on Wednesday, Apple wrote that the program “features an iPhone dedicated exclusively to security research, with unique code execution and containment policies.”

Franceschi-Bicchierai doesn’t link to the program itself, but it’s a simple one-page description of eligibility, and an application form that asks for CVE citations. I do not see any mention of cost other than that of an Apple developer account. If you are a security researcher based in one of the twenty-three countries where this program is available, you should apply.

Noam Scheiber, reporting for the New York Times, reviewed the work of different studies of Uber and Lyft driver pay. A recent Cornell study, which Uber and Lyft paid for, found median driver earnings in Seattle were over $23 per hour, even after deducting expenses. However, a New School study, also of Seattle Uber and Lyft drivers, found that they made just $9.73 per hour after expenses. The latter study was commissioned by the City of Seattle Office of Labor Standards.

Scheiber:

Scholars typically obtain such data in two ways: They approach the company with a research question they would like to answer; one recent paper in this vein examined the wage gap between male and female Uber drivers, and another sought to put a value on the flexibility of working for Uber. Or the companies can approach scholars with a question they want answered, as with the Cornell study.

When the scholars are faculty members at an academic institution, the companies typically cede editorial control to them.

But the process still tends to skew what we know about the companies, Mr. Zingales said, because companies are unlikely to approve the release of data for a study, or approach a scholar with data, if they believe the conclusion is likely to reflect poorly on them. One such study, he has noted, recently asked whether traffic fatalities increase after Uber and Lyft start operating in a city, for which the companies did not provide detailed data.

Studies commissioned by sponsors with an interest in their findings are certainly not guaranteed a favourable result. But the conclusions drawn from a single study must be placed in a greater context — most studies are finding that gig economy drivers are earning less than $20 per hour, especially after expenses, so the more positive Cornell study stands out.

Sarah Perez, TechCrunch:

Apple today is again taking to the press to fight back against claims of anti-competitive practices on its App Store. Last month, the company detailed the results of a commissioned study that showed how Apple wasn’t receiving a cut of revenue on the majority of App Store transactions — $519 billion in commerce. This time, Apple is touting the results of a new study that is meant to demonstrate how Apple’s App Store commission rate is similar to those of other app stores and digital content marketplaces.

The new study also comes from the Analysis Group, the same analyst group Apple used for its most recent study. The fact that Apple has tasked the firm with rolling out a series of reports to argue its case via market data indicates how seriously Apple is taking the antitrust claims.

The study is by the same authors, too, all antitrust experts. Unlike last time, though, Apple did not publish a press release on its website, though Analysis Group did. Notably, this study offers no comparison between rates in app stores and fees involved in direct sales — for instance, the relatively low interchange fees charged by credit card companies. It does, however, compare Apple’s 30% cut to the 20% profit margin of used car sales, for some reason.

Tim Cook will be testifying on Monday before the House Judiciary Antitrust Subcommittee, alongside the CEOs of Amazon, Google, and Facebook — but not Microsoft.

Ben Collins and Brandy Zadrozny, NBC News:

Twitter will stop recommending accounts and content related to QAnon, including material in email and follow recommendations, and it will take steps to limit circulation of content in features like trends and search. The action will affect about 150,000 accounts, said a spokesperson, who asked to remain unnamed because of concerns about the targeted harassment of social media employees.

The spokesperson said that as part of its new policy, the company had taken down more than 7,000 QAnon accounts in the last few weeks for breaking its rules on targeted harassment.

The sweeping enforcement action will ban QAnon-related terms from appearing in trending topics and the platform’s search feature, ban known QAnon-related URLs and prohibit “swarming” of people who are baselessly targeted by coordinated harassment campaigns pushed by QAnon followers.

If you have mercifully avoided the world of the QAnon conspiracy theory, know that it is stupid and absurd even by the low standards of conspiracy theories. It is truly distressing to see that it has crossed over from a fringe internet thing to a real-world violent extremist movement. But Twitter doesn’t ban people simply for posting stupid and absurd things, and it hasn’t banned QAnon topics overall. Rather, it is reducing the artificially high impact of accounts associated with the theory.

Twitter:

We will permanently suspend accounts Tweeting about these topics that we know are engaged in violations of our multi-account policy, coordinating abuse around individual victims, or are attempting to evade a previous suspension — something we’ve seen more of in recent weeks.

Twitter also says that it will not recommend QAnon-related accounts and topics in its algorithmic features. Many of these users coordinate on message boards and in Discord servers to flood Twitter, thereby brute-forcing their way into its trending topics features, which effectively advertises the theory to a broader audience. It isn’t clever and these people are not smart; they are simply abusing Twitter as the president’s platform. Twitter’s policy isn’t limited to QAnon, either, but it is only one platform.

Julia Carrie Wong, reporting last month for the Guardian:

Moreover, Facebook is not merely providing a platform to QAnon groups. Its powerful algorithms are actively recommending them to users who may not otherwise have been exposed to them.

The Guardian did not initially go looking for QAnon content on Facebook. Instead, Facebook’s algorithms recommended a QAnon group to a Guardian reporter’s account after it had joined pro-Trump, anti-vaccine and anti-lockdown Facebook groups. The list of more than 100 QAnon groups and accounts was then generated by following Facebook’s recommendation algorithms and using simple keyword searches. The Instagram accounts were discovered by searching for “QAnon” in the app’s discovery page and then following Instagram’s algorithmic recommendations.

Receiving QAnon recommendations from Facebook does not appear to be that uncommon. “Once I started liking those pages and joining those groups, Facebook just started recommending more and more and more and more, to the point where I was afraid to like them all in case Facebook would flag me as a bot,” said Friedberg. Erin Gallagher, a researcher who studies social media extremism, said she was also encouraged to join a QAnon group by Facebook, soon after joining an anti-lockdown group.

Spokespeople for social media platforms insist that software-based recommendations are not sending people down pathways to extremism, but reporters keep finding that they do.

Update: A tangential story from Rachel E. Greenspan at Insider:

A national organization fighting to end human trafficking says the believers in the unfounded Wayfair human trafficking conspiracy theory are overwhelming the organization with reports and making it harder to do its work.

[…]

Believers in the conspiracy theory think that the furniture company is selling human children who have gone missing by disguising them as pillows and other goods. The theory went viral in the last few weeks after being spread by QAnon believers on Twitter and Facebook, though both platforms told Insider they had removed certain posts containing this misinformation.

These idiots live in the kind of corrupted universe where they won’t listen to actual authorities on human trafficking but are instead convinced by a few tweets.

Dina Bass, Bloomberg:

Microsoft Corp. President Brad Smith raised concerns to U.S. lawmakers about what the company regards as Apple Inc.’s anti-competitive behavior around its app store, according to a person familiar with the matter.

Smith, who is also chief legal officer, was invited by the House of Representatives’s antitrust subcommittee to share his experiences around Microsoft’s own antitrust battle with the U.S. government in the late 1990s. During the conversation, which occurred weeks ago, he discussed the company’s issue with Apple, said the person, who asked not to be identified because the discussion was private.

I’m not arguing that there isn’t an antitrust case to be made against Apple — clearly, regulators believe that there is. It’s just that it is a little hard to take seriously that Microsoft, the world’s second most valuable company, has major complaints with the App Store. What is its grievance? That it deserves to be the most valuable company, and it would be if not for those meddling kids at Apple?

Juli Clover, writing for MacRumors last week:

watchOS 6.2.8 introduces Car Key, a feature also available on the iPhone with iOS 13.6. Car Key is designed to allow an iPhone or an Apple Watch to be used in lieu of a physical key to unlock an NFC-enabled vehicle.

Car Key needs to be implemented by car manufacturers to function, and BMW is one of Apple’s first partners. BMW’s Digital Key for iPhone feature will let iPhone owners tap to unlock their vehicles, start the car by placing the iPhone in the smartphone tray, place limitations on young drivers, and share keys with up to five other users.

Car Key will work in a wide range of BMW models, including the 1, 2, 3, 4, 5, 6, 8, X5, X6, X7, X5M, X6M and Z4 if manufactured after July 1st 2020. An Apple Watch Series 5 or newer is required, as is the watchOS 6.2.8 update.

BMWs are not the most expensive iPhone accessory you can buy — that would almost certainly be a Koenigsegg, and I suppose I could find time to test its CarPlay integration if anyone wants to lend me theirs. Car Key does seem to be the culmination of the smartphone as an ultimate convergence device, though. If you live in one of the handful of places worldwide that accepts a digital driving license, you have smart locks on your doors, and you have a BMW made in the last three weeks, you could leave home with nothing more than your iPhone. Sure beats the gigantic key fobs that most cars use.

This is the kind of thing that necessarily needs a lot of time to roll out. But, perhaps the next time you buy a car, this feature will be present and just work for you.

Shaun Nichols, the Register:

A string of “zero logging” VPN providers have some explaining to do after more than a terabyte of user logs were found on their servers unprotected and facing the public internet.

This data, we are told, included in at least some cases clear-text passwords, personal information, and lists of websites visited, all for anyone to stumble upon.

It all came to light this week after Comparitech’s Bob Diachenko spotted 894GB of records in an unsecured Elasticsearch cluster that belonged to UFO VPN.

An un-bylined report from vpnMentor dug deeper:

The vpnMentor research team, led by Noam Rotem, uncovered the server and found Personally Identifiable Information (PII) data for potentially over 20 million VPN users, according to claims of user numbers made by the VPNs.

Each of these VPNs claims that their services are “no-log” VPNs, which means that they don’t record any user activity on their respective apps. However, we found multiple instances of internet activity logs on their shared server. This was in addition to the PII data, which included email addresses, clear text passwords, IP addresses, home addresses, phone models, device ID, and other technical details.

The VPNs affected are UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN – all of which appear to be connected by a common app developer and white-labeled for other companies.

Let’s set aside the logging story for now — Dreamfii HK, the creator of all of these VPN services, denies that the logs are exactly as described and claims that their presence does not undermine its claim that these services do not log users’ activity. I want to focus on this business of white labelling, as it is rampant in the VPN world.

There are so many companies that promote VPN reselling as a get-rich-quick business that it makes it hard to trust any provider. NordVPN, for example, is a well-regarded service that resells its infrastructure to many other brands — BullGuard is one such customer, according to Trusted Reviews, but I cannot find any acknowledgement of this arrangement other than a 2018 press release. There is no instance that I can see of NordVPN in BullGuard’s marketing materials and other customer-facing pages.

In a June report, Katie Kasunic of vpnMentor found seven companies that own dozens of VPNs between them, usually only acknowledging their ties in legal documents or press releases. However, Kasunic does not state anywhere that NordVPN offers its own white label service, even as vpnMentor heavily promotes and recommends it.

This kind of reminds me of the food supply chain. I don’t know if you’ve ever flipped through the recalls issued by Health Canada, the FDA, or your local equivalent, but it’s an educational experience. You’ll often see entries, like this one for salads or this one for margarine, with lists of several ostensibly competing brands contaminated with the same stuff from the same plant.

There is nothing inherently wrong with white labelled goods and services, but I do think their use is inadequately disclosed. It is detrimental to our understanding of what we are buying and makes it hard to compare different products.

Ajay Goel of GMass, an extension for Google Chrome that helps people send more spam email (via David Heinemeier Hansson):

Starting today, the open tracking pixel we insert into your emails to track opens will look different. They will now be non-parameterized, encrypted URLs that are very, very difficult for pixel-blockers to detect.

Ever since email marketers invented a way to track whether someone opens an email, counter measures have been trying to block the ability to tell whether an email has been opened. Open tracking works by inserting an image tag into the email, where the image URL is unique to each recipient. If that particular image is downloaded by the email client, then the marketer knows that that particular recipient opened the email. It’s a trick email marketers and cold emailers have used ever since emails were allowed to contain HTML.

I know it shouldn’t, but stuff like this winds me up. Goel seems very proud of building a product that does not respect users’ wishes. If I were so unethical, I would not want to draw attention to how much of an asshole I am in a smug blog post.

Most email clients allow you to switch off all images, even if they don’t have a fancy tracker-specific blocker like Hey or, somewhat ironically, Superhuman. For what it’s worth, I recommend doing so. Many email trackers are not simple read receipts; they can report far more information about you, as Goel’s blog post illustrates.
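As an added example (not code from GMass, the original post, or any email client), here is a defender-side Python script that applies the blanket remote-image policy recommended above and, separately, flags remote images that look like tracking pixels. The sample message and its hostnames are constructed for this example; note that the pixel URL carries no query parameters, so a blocker matching only parameterized URLs would miss it, while a size/visibility heuristic or a block-all policy does not.

```python
"""Block remote images in an HTML email and flag likely open-tracking pixels."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (hypothetical hosts): a visible hosted header image, a
# 1x1 hidden tracking pixel at an opaque, non-parameterized URL, and an
# inline (cid:) attachment that involves no fetch from a remote server.
SAMPLE_EMAIL = """\
<html><body>
<p>Hello,</p>
<img src="https://images.example-newsletter.test/header.png" width="600" height="120" alt="Header">
<p>Our summer offer is inside.</p>
<img src="https://t.example-newsletter.test/a8f3c9e1b2d4" width="1" height="1" style="display:none" alt="">
<img src="cid:logo@inline" alt="Inline logo">
</body></html>
"""


def _px(value):
    """Parse a width/height attribute such as '1' or '1px' into an int, or None."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


class RemoteImageScanner(HTMLParser):
    """Collect every <img> whose src would trigger a network fetch when rendered."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        url = urlparse(src)
        if url.scheme.lower() not in ("http", "https"):
            return  # cid: attachments and data: URIs reveal nothing to a remote server
        self.images.append({
            "raw": self.get_starttag_text(),      # exact tag text, used for stripping
            "host": url.hostname or "",
            "has_query": bool(url.query),        # parameterized URLs are the easy case
            "width": _px(a.get("width")),
            "height": _px(a.get("height")),
            "style": a.get("style", "").replace(" ", "").lower(),
        })


def scan(html):
    """Return a record for each remote image in the message body."""
    parser = RemoteImageScanner()
    parser.feed(html)
    parser.close()
    return parser.images


def is_likely_pixel(img):
    """Heuristic: a tiny or hidden remote image carries no content, only the fetch."""
    tiny = any(dim is not None and dim <= 1 for dim in (img["width"], img["height"]))
    hidden = "display:none" in img["style"] or "visibility:hidden" in img["style"]
    return tiny or hidden


def strip_remote_images(html):
    """Block-all policy: replace every remote <img>, tracker-like or not, with a
    placeholder so no server learns whether or when the message was opened."""
    images = scan(html)
    safe = html
    for img in images:
        placeholder = f'<span class="blocked-image">[remote image from {img["host"]} blocked]</span>'
        safe = safe.replace(img["raw"], placeholder)
    return safe, images


if __name__ == "__main__":
    safe_html, found = strip_remote_images(SAMPLE_EMAIL)
    for img in found:
        kind = "likely tracking pixel" if is_likely_pixel(img) else "remote image"
        print(f"{kind}: host={img['host']} parameterized={img['has_query']}")
    print(safe_html)
```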

Tamar Hallerman, the Atlanta Journal-Constitution:

In June 1963, [John Lewis] moved to Atlanta, the headquarters of SNCC, taking up residence in a sparse second-floor walk-up in the southwest corner of the city. He had barely unpacked his bags before he and other civil rights leaders were invited to White House. President John F. Kennedy, who would be assassinated a few months later, had concerns about the impending march.

The peaceful event drew more than 200,000 people to the National Mall, all pushing for more federal attention to the electoral, social and economic plight of African Americans. That muggy August day lives on in America’s collective memory as the day King articulated his dream for an equal society. But Lewis, then 23, delivered the event’s most controversial address, rife with frustration and anger at the “cheap politicians” whose inaction perpetuated inequality. The Kennedy administration and march leaders implored him to soften the speech at the eleventh hour.

“To those who have said, ‘Be patient and wait,’ we must say that ‘patience is a dirty and nasty word,’” Lewis stated in his original speech. “We cannot be patient, we do not want to be free gradually. We want our freedom, and we want it now.”

The crowd’s applause interrupted Lewis 14 times.

Barack Obama:

I first met John when I was in law school, and I told him then that he was one of my heroes. Years later, when I was elected a U.S. Senator, I told him that I stood on his shoulders. When I was elected President of the United States, I hugged him on the inauguration stand before I was sworn in and told him I was only there because of the sacrifices he made. And through all those years, he never stopped providing wisdom and encouragement to me and Michelle and our family. We will miss him dearly.

Lewis lived an incomparable life. His loss is immense, but good trouble must carry on.

Twitter:

As of now, we know that they accessed tools only available to our internal support teams to target 130 Twitter accounts. For 45 of those accounts, the attackers were able to initiate a password reset, login to the account, and send Tweets.

[…]

For up to eight of the Twitter accounts involved, the attackers took the additional step of downloading the account’s information through our “Your Twitter Data” tool. We are reaching out directly to any account owner where we know this to be true.

[…]

There is a lot of speculation about the identity of these 8 accounts. We will only disclose this to the impacted accounts; however, to address some of the speculation: none of the eight were Verified accounts.

Ben Collins:

This is a doomsday scenario, and the hackers who have claimed credit for this attack and have spoken to news outlets have not mentioned it.

They said it was purely for Bitcoin and account takeovers and they let it get out of hand. Not sure why we’re taking their word for it.

Julia Carrie Wong:

None of the “hackers” who are speaking to the press appear to have actually been involved in the hacking side of what happened.

Though I’m inclined to agree with Collins that we should be very skeptical of the perpetrators’ apparent motivations, what we know so far is consistent with this being a purely financial scam.

Brian Krebs:

There are strong indications that this attack was perpetrated by individuals who’ve traditionally specialized in hijacking social media accounts via “SIM swapping,” an increasingly rampant form of crime that involves bribing, hacking or coercing employees at mobile phone and social media companies into providing access to a target’s account.

People within the SIM swapping community are obsessed with hijacking so-called “OG” social media accounts. Short for “original gangster,” OG accounts typically are those with short profile names (such as @B or @joe). Possession of these OG accounts confers a measure of status and perceived influence and wealth in SIM swapping circles, as such accounts can often fetch thousands of dollars when resold in the underground.

In the days leading up to Wednesday’s attack on Twitter, there were signs that some actors in the SIM swapping community were selling the ability to change an email address tied to any Twitter account. In a post on OGusers — a forum dedicated to account hijacking — a user named “Chaewon” advertised they could change the email address tied to any Twitter account for $250, and provide direct access to accounts for between $2,000 and $3,000 apiece.

Krebs identifies “PlugWalkJoe” as central to the series of account breaches on Wednesday, but reporting by Nathaniel Popper and Kate Conger at the New York Times offers a counternarrative:

Discord logs show that while PlugWalkJoe acquired the Twitter account @6 through “ever so anxious,” and briefly personalized it, he was not otherwise involved in the conversation. PlugWalkJoe, who said his real name is Joseph O’Connor, added in an interview with The Times that he had been getting a massage near his current home in Spain as the events occurred.

“I don’t care,” said Mr. O’Connor, who said he was 21 and British. “They can come arrest me. I would laugh at them. I haven’t done anything.”

Mr. O’Connor said other hackers had informed him that Kirk got access to the Twitter credentials when he found a way into Twitter’s internal Slack messaging channel and saw them posted there, along with a service that gave him access to the company’s servers. People investigating the case said that was consistent with what they had learned so far. A Twitter spokesman declined to comment, citing the active investigation.

“Kirk” is a pseudonymous hacker who claimed to be a Twitter employee with access to the company’s internal tools; so far, however, that does not appear to be entirely true.

In 2011, Twitter settled an FTC investigation (PDF), with the enforcement agency finding that:

On approximately January 4, 2009, an intruder used an automated password guessing tool to derive an employee’s administrative password, after submitting thousands of guesses into Twitter’s public login webpage. The password was a weak, lowercase, letter-only, common dictionary word. Using this password, the intruder could access nonpublic user information and nonpublic tweets for any Twitter user. In addition, the intruder could, and did, reset user passwords, some of which the intruder posted on a website. Thereafter, certain of these fraudulently-reset user passwords were obtained and used by other intruders to send unauthorized tweets from user accounts, including one tweet, purportedly from Barack Obama, that offered his more than 150,000 followers a chance to win $500 in free gasoline, in exchange for filling out a survey. Unauthorized tweets also were sent from eight (8) other accounts, including the Fox News account.

The password was “happiness”.

Catie Keck writing last month for Gizmodo:

Github, the Microsoft-owned developer platform, is working on implementing language that moves away from long-used “master” and “slave” terms, the programming language that refers to the dominant relationship between processes. Google Chrome developer Una Kravets on Friday tweeted support for switching to more inclusive terms like “main,” specifically requesting Github lead the effort “by implementing in their product moving forward.”

Apple:

At Apple, we’re working to remove and replace non-inclusive language across our developer ecosystem, including within Xcode, platform APIs, documentation, and open source projects. These changes began on June 22 with the beta software and developer documentation released at WWDC20 moving to terms such as allow list and deny list, and main as the default SCM branch in Xcode 12. An updated Apple Style Guide reflects these and other changes.

Changes like these are incremental compared to the much harder work of undoing the broad effects of discrimination, but they are positive changes nevertheless. It may seem like little more than subtle language adjustments — and, to some, that is all they will be — but language matters.

Of course, the lack of representation of black Americans at Github and Apple, particularly in technical roles, matters far more. Both report that around 6% of technical positions are filled by black employees; at Apple, that’s actually down by about two percentage points compared to just a few years ago. Both companies have greater representation of black employees than the U.S. national average for “information” roles (see table nine) but black Americans are still disproportionately poorly represented. That needs to change.

Ryan Denham, WGLT:

Like many authoritative or official accounts, the @NWSLincolnIL account is verified—signified by that iconic blue check mark. It has over 17,000 followers.

Twitter temporarily restricted access to verified accounts Wednesday night following a large-scale and coordinated cryptocurrency hack. That unprecedented step came after the Twitter accounts of some of the richest and most famous people on the social media platform were attacked. The @NWSLincolnIL account itself was not hacked.

The @NWSLincolnIL account did not send any original tweets between 4:49 p.m. and 7:38 p.m., despite several severe weather watches and warnings being in effect. That included tornado watches and warnings in McLean County. Tornado sightings were reported between Gridley and Chenoa in northeastern McLean County, according to NWS storm reports.

Casey Newton, the Verge:

And that makes you wonder what contingencies the company has put into place in the event that it is someday taken over not by greedy Bitcoin con artists, but state-level actors or psychopaths. After today it is no longer unthinkable, if it ever truly was, that someone take over the account of a world leader and attempt to start a nuclear war. (A report on that subject from King’s College London came out just last week.)

Bruce Potter:

We need to re-examine the Clinton-era definition of critical infrastructure and recognize the role of new industries like social media as critical to modern society and safety. And then we need to find better ways to engage CI companies.

Earlier this year, two Twitter employees were allegedly bribed by the Saudi Arabian government to track dissidents. If humans are, indeed, the greatest security vulnerability within any company, Twitter needs to do far better. It did not ask to be a broadcast arm for weather services and world leaders, but that’s what it has become — and it is clear that it is unprepared for that reality.

Just a reminder that it is an election year in the United States during a pandemic, and one of the most powerful people in the world is an idiot who cannot stop tweeting.

Natalie Gagliordi, ZDNet:

A number of high profile Twitter accounts, including Bill Gates, Elon Musk and Apple, were breached on Wednesday.

The verified accounts for Gates, Musk and Apple issued tweets promoting a cryptocurrency scam, asking followers to send money to a blockchain address in exchange for a larger pay back.

The official account for former vice president and US presidential candidate Joe Biden was also hacked. Hackers also breached the official account of former president Barack Obama.

These account breaches were an extraordinary thing to watch unfold today, as they evolved from cryptocurrency-focused accounts to mainstream celebrities. Eventually, it became sort of a guessing game about which account would be next. All told, the blockchain address in question received less than $120,000 USD at current exchange rates.

So how did they do it? How did they manage to hijack dozens of high-profile accounts, many of which were apparently protected by two-factor authentication, and post tweets to commit this fraud?

Joseph Cox, Vice:

“We used a rep that literally done all the work for us,” one of the sources told Motherboard. The second source added they paid the Twitter insider. Motherboard granted the sources anonymity to speak candidly about a security incident.

The accounts were taken over using an internal tool at Twitter, according to the sources, as well as screenshots of the tool obtained by Motherboard. One of the screenshots shows the panel and the account of Binance; Binance is one of the accounts that hackers took over today. According to screenshots seen by Motherboard, at least some of the accounts appear to have been compromised by changing the email address associated with them using the tool.

This thing didn’t need to be perfect in order for it to work, and bribing employees to change email addresses is a simple enough way to do it. People are, after all, often the greatest security vulnerability in an organization.

David McCabe, reporting for the New York Times on worldwide antitrust investigations into Google’s business practices:

Google has largely stayed quiet about its conversations with federal investigators as the Justice Department has looked into whether the company abused its dominance of the online advertising market.

But a little-noticed 67-page document sent to Australian regulators in May by Google’s advisers may provide clues to how the Silicon Valley titan intends to beat back a legal challenge from the agency.

The crux of the company’s argument: Even though it accounts for almost 30 percent of spending in the global digital ad market, it does not control enough of the industry to overcharge its customers and box out its competitors.

Google has little incentive to squeeze advertisers on ad rates or publishers on fees, write the paper’s authors, a lawyer and an economist hired by the company. It has not built its system to give its own services an advantage, they say, and it competes with a wide range of other companies.

One obvious reason market dominance is concerning is that it allows an advantaged player to raise prices — without serious competition, customers have little choice but to pay. Investigators in the United States, Europe, and Australia are trying to figure out if that’s something Google did in the online ad space. But Google doesn’t necessarily need to do anything illegal to make its products worse, particularly when there is such a vast gulf of exposure to the company between its users and customers.

Gerrit De Vynck, Bloomberg:

Type a query into the Google search bar on a smartphone and there’s a good chance the results will be dominated by advertising.

That stems from a decision in 2015 to test a fourth ad, rather than three, at the top of search results. Some employees opposed the move at the time, saying it could reduce the quality of Google’s responses, according to people familiar with the deliberations. But the company brushed aside those concerns because it was under pressure to meet Wall Street growth expectations, one of the people said.

By 2016, the extra marketing slot was a regular feature. It’s one of the many ways the search leader has altered how it presents results since its early days. Another example is the pre-packaged information Google often displays in a box at the top of a page, rather than sending users to other websites. Phased in gradually over years, changes like these have gone largely unnoticed by legions of consumers who regularly turn to Google to call up information and hunt for bargains. The company says these changes support its mission to organize the world’s information and make it useful and accessible to everyone.

Google’s search engine has long been a de facto directory of the web but, for years, it has primarily been a gateway to Google’s many other services. Searches for products might show shopping ads and Google Maps listings of possible retailers well above any information from the broader web. News-related searches will likely display Google News results, YouTube videos, Google-summarized Wikipedia entries in a biography box, and Google-copied tweets well above web stories. Google also puts its “people also ask” answer box on the results page of many queries, which infinitely replicates with summaries of third-party webpages. And, if you search for many things on your phone, Google juices the results to prioritize pages written in its own AMP language.

Google also owns YouTube; any changes made to its policies directly affect the thousands of people who now earn a living from publishing videos there. Several years ago, YouTube’s advertising policies and recommendation algorithms encouraged producers to create longer videos, upwards of an hour. But Google has now announced that, later this month, it will lower the video length threshold for automatically inserting mid-roll ads from ten to just eight minutes.

This will obviously suck for viewers, as millions of videos uploaded over the past few years will suddenly gain an ad or two in the middle. It looks bad for producers, too, as the many users who are unaware of how these ads work might get the impression that the uploader is responsible for an ad-heavy video.

Of course, it is Google’s prerogative to modify its ad policies on YouTube. If that’s how it wants to respond to what investors considered a mediocre quarter, I guess that’s something we all have to live with. One reason it has been able to ratchet up the number of ads served to users is because they have nowhere else to go. Because it is the dominant platform, YouTube is able to set the standards and expectations for hosted video, even if those standards are poor. Put it this way: if you were designing a video platform that prioritized and respected users, you would not design the YouTube of today.

All of this leads to a great series of articles by Rand Fishkin of SparkToro:

The best, and sometimes only, way to rank atop Google… is to be owned by Google themselves.

It’s a dirty secret that’s not very secret at all. And therein lies the heart of the problem. Google believes they have nothing to fear. They believe they are either A) doing no wrong or B) using their power arbitrarily in ways that cannot be held to account. This problem holds back investment to entrepreneurs who might create better alternatives. It holds back content creators and brands from crafting better solutions.

Google says it believes in a spirit of innovation, and its search engine has historically created a ton of innovative opportunities for web builders. But, when the search monopoly uses its dirty secret of ranking #1: ownership by Google, innovation suffocates.

Users of Google’s products suffer as well — not only because of the company’s self-beneficial changes, but also because of how much it corrupts a user’s experience.

Arguably, the markets Google is floundering in might self-correct. That carries a whole host of problems for those who make a living with Google properties — YouTube producers, in particular, who are reliant upon ad revenue could see a drop in their income. Some may point out that they should not be so dependent, but the reality is that some people are thanks, in part, to arguments Google has made that people can build a career with a YouTube channel. I think that gives the company some responsibility.

Whether users will respond by turning to competitors is anyone’s guess. Old habits are hard to break, and reputation is hard for anyone to take away. We’ve been down this road before with Apple Maps. What began in 2012 as an inadequate replacement on the iPhone has now spread across Apple’s platforms and on the web and, in my use, has become good enough in many places to use as a primary location client. But mistrust lingers: to this day, I don’t feel like I can depend on the business hours shown in an Apple Maps listing, and I almost always use the business’ own website or Google Maps to verify.

While it’s hard for one company to take the reputation of another, it is far easier for that reputation to be shed. For years, Google has invented names of neighbourhoods, making me distrust its cartography. The top of Google search is dominated by ads and self-promotional items, making it harder for me to use. Google’s dominance makes it doubt that users will abandon its properties, so it is compromising its own product quality with confidence.

Companies perform better when they have equally engaged and motivated competitors. In cameras, Canon needs Nikon and, recently, both of them need Sony to keep innovating and moving their products forward. One of the reasons iCloud keeps getting better is because Apple sees Google’s cloud services performance as a benchmark. Google’s complete dominance in many areas of its consumer-facing products has allowed it to get cocky with prioritizing its own interests ahead of its users. It isn’t yet reflected in the company’s balance sheet, but pushing the tolerance of users rarely plays out well in the long term.

Work from home? Bit tired of the view out of your own window, or don’t have a window to look out of? Enter WindowSwap: shuffle through videos shot through other people’s windows all around the world.

Via Lydia Polgreen.

Riana Pfefferkorn of the Stanford Center for Internet and Society, writing for the Brookings Institution’s TechStream column:

The potential stakes are high. Exclusion of evidence in [child sexual abuse material (CSAM)] prosecutions would make it harder to obtain a conviction for a hideous crime. If the senators who unanimously voted this bill out of committee care so much about online child safety, why are they willing to roll the dice on whether the bill will backfire and result in accused CSAM offenders going free?

The Leahy amendment attempts to neutralize concerns about EARN IT’s impact on encryption and cybersecurity by preserving immunity from CSAM claims based on the platform’s use of encryption. This does not go far enough. The amendment has been called a “fig leaf” that will merely tie up platforms in litigation. It could also lead platforms to either encrypt everything they can, making detection of CSAM more difficult, or else collect much more private information from their users. Plus, platforms could still be held liable for other measures besides encryption that they take to protect users’ security (or for refusing to implement measures that would undermine it).

LAED, however, renders Leahy’s effort superfluous. By outlawing platforms from giving users strong encryption, LAED would swallow Leahy’s EARN IT amendment. And the LAED bill applies even more broadly than EARN IT, encompassing everything from websites and social media platforms, to apps, email, messaging and chat, videoconferencing and voice calling apps, cloud storage, operating systems, and any electronic device with at least 1 gigabyte of storage — a very low bar in 2020.

I’ve been reading a lot about these two bills — most tech companies of note are based in the United States, so any legislation that impacts them represents a major change to worldwide digital security and civil liberties. Everything I have read from people who understand computer security makes me concerned that these bills, should they become law, would have disastrous consequences.

Elizabeth Dwoskin and Cat Zakrzewski, Washington Post:

The conclusions by Facebook’s own auditors are likely to bolster criticism that the company has too much power and that it bends and stretches its rules for powerful people. Though Facebook frequently says it listens to experts when making judgment calls, the auditors found that is not always the case on critical matters of free expression.

“When you put free expression on top of every other consideration, I think civil rights considerations take more of a back seat,” said Laura Murphy, a civil rights lawyer and independent consultant who led the two-year audit. Murphy worked with a team from civil rights law firm Relman Colfax, led by partner Megan Cacace.

The auditors’ report (PDF) is an extraordinary document. Murphy’s team found numerous instances where civil rights of oft-oppressed groups of users were overruled by the company’s ostensible dedication to free expression, either because it felt that a post was okay to remain live or the company was slow to react. Facebook is under no obligation to retain anything posted to its website, and it has bent its policies specifically to favour discriminatory practices of a loud conservative faction.

Casey Newton and Zoe Schiffer, the Verge:

Facebook is so big that two of its properties, which collectively have hundreds of millions of users between them, were exempted from the audit altogether. Instagram and WhatsApp were deemed outside the scope of the two-year project, as were Facebook’s civil rights problems outside the United States.

It’s true that addressing the auditors’ complaints about the core Facebook app will have civil-rights benefits to Instagram, WhatsApp, and the larger world. But it also seems notable that even a multi-year audit resulting in a report that runs to nearly 100 pages can’t even attempt to consider the problem in a holistic way. As in so many other things, Facebook is a problem you can’t get your arms all the way around.

When the reckoning over social media platforms began in 2017, it was often said that Facebook’s proposed solution for every problem identified was “more Facebook”: more employees, more policies, more processes, more product, more features. It seems notable that the civil rights audit, for all its harsh judgments about recent decisions by the company, adopts the same point of view.

Pema Levy, Mother Jones:

As Mother Jones reported last year, Facebook resisted advocates’ efforts to address discrimination issues on the platform for a long time, including calls for such an audit. But after a series of high profile public relations crises — the Cambridge Analytica scandal revealing improperly obtained user data was used to target voters, Russia’s use of the platform to help elect Trump, the product’s role in sparking a genocide in Myanmar — Facebook agreed to a civil rights audit in 2018.

But just a few months later, the New York Times reported that Facebook had hired a Republican opposition research firm to discredit its critics, including Color of Change, one of the civil rights organizations that had lobbied for the audit. The firm, Definers Public Affairs, had sought to tie the non-profit to billionaire philanthropist George Soros, whose status as a rightwing boogeyman often carries the tinge of anti-Semitism. Facebook had not only gone after a civil rights group, but it had done so by fueling the type of bigotry that civil rights groups were trying to get off the platform.

Levy is referring to this Times article; the same day it was published, Facebook cut ties with Definers Public Affairs.

Charlie Warzel of the Times interviewed Rashad Robinson, executive director of Color of Change, about this audit:

You were instrumental in pushing Facebook for a public civil rights audit. What’s your reaction to the audit?

The audit speaks to just how much Facebook’s incentive structure is broken. I keep thinking about the fact that the decisions around political speech and violations of rules go through the team at the company that is the most political — who are in charge of dealing with lobbyists and Washington operators like Joel Kaplan [Facebook’s vice president of global public policy and a former Republican staffer and lobbyist].

And so then they consistently say things to me like, “Well, you just don’t like Republicans.” And I say, “I don’t think these issues should go through anyone who is primarily a political animal and operates inside D.C. politics.” I won’t pretend there are two equal sides of the issue. Joel Kaplan has political leanings that would make it harder for my grandfather to vote. And so if you put him in charge of voter suppression content, that’s an issue.

The audit report is not particularly dense, but it is lengthy; set aside a solid hour if you’d like to churn through it. Robinson, though, gets it — of course he does — and it is absolutely worth your time to read his reaction in its entirety. Much credit and appreciation go to Color of Change and the many activists who pushed for this audit.

For the second time in two months, a change Facebook made to its iOS SDK caused disparate high-profile apps to crash. It doesn’t appear that there is presently a good way around the predicament foisted upon developers: if they want to support “sign in with Facebook” in their apps, they must implement the official SDK that Facebook has proved it is comfortable breaking.

Must be nice for Facebook to have the apparent blame fall on other developers and Apple because no user is going to think “Spotify crashed on my iPhone because of Facebook”. Also, notice that this doesn’t happen to Facebook’s own apps.

Kyle Hughes:

Y’all, I fear that Information Superhighway is dead.

It was rejected by App Review twice for not meeting the bar of minimum usefulness and having no native iOS features (4.2 & 4.2.2).

I escalated the second rejection to the App Review Board and the rejection was confirmed.

Information Superhighway is this great little app that Hughes has been working on. It presents an infinite feed of randomized Wikipedia article summaries; you can tap on any article to read more, and you can open locations of interest in Maps. It is a perfect app to fiddle with when you’re stuck in an elevator with people you don’t want to talk to, sitting on a train, or just taking a moment to yourself.

I’ve been using it for months. It is one of the few apps on my phone that brings me genuine joy every time I open it — it feels more delightful than, say, scrolling through Twitter or a news app. I was looking forward to a day when I would be able to recommend it here.

It is a simple app, but it is a very good simple app. I could point to the large number of trash applications that have sailed through App Review, including the myriad fidget spinner apps that do far less, but Information Superhighway should be approved on its own merits. It’s fast and fluid, integrates well with other parts of iOS, and is extremely nice to use. I don’t understand how rejecting it is supposed to benefit the App Store or iPhone users. Unfortunately, Hughes has little recourse, so consider this the App Review equivalent of an amicus curiae. Also, Hughes didn’t ask me to post this; like a jerk, I didn’t even ask first.

Update: As of September 1, Information Superhighway is available in the App Store.