Month: March 2021

Chris Welch, the Verge:

This afternoon, I was updating the streaming apps on my 2020 LG CX OLED TV, something I do from time to time, but today was different. Out of nowhere, I saw (and heard) an ad for Ace Hardware start playing in the lower-left corner. It autoplayed with sound without any action on my part.

I know you can prevent this stuff by never connecting your smart TV to the internet, but it seems kind of silly that the only way to make a new TV work properly is to treat it like an old TV. You’ve spent thousands of dollars to get something that should allow you to toss your Roku or your Apple TV or whatever, but you can’t because the company that makes the TV wants to milk the money out of every pixel of that screen and every byte that passes through its network interface for the lifetime of the product.

Maya Kosoff, Gen:

Vaccine scolding is the perfect end to a year of policing from people who would rather judge people on an individual level than interrogate the systems and institutions that make the rules. A couple of weeks ago I wrote about why I dislike the phrase “pandemic wall.” By using this phrase we’re entertaining a fiction where it’s on individuals, and not a broader system, to fight a global public health crisis that is impossible to fight on an individual level. Left to our own devices, with no guidance from our officials who have been busy hiding the Covid-19 death toll at nursing homes and then taking a victory lap by writing a book about how to lead during a pandemic, we are left to judge for ourselves what is good and what is not, which has resulted in a year of getting mad at other people online, mostly.

We’re almost there — almost able to consider the most aggressive parts of what we think of as a “pandemic” behind us. Let us try to be nicer to each other as we wait our turn in the kind-of global lineup to get our vaccine.

Last month, I linked to a deviously simple attack vector: publish a public package under the same name as a company’s internal one, and any build that also consults the public registry may pull the attacker’s copy instead of the private one. It has been several weeks since that demonstration, which showed that even big companies like Apple and Microsoft were vulnerable before they made changes. So, how is it going?

Ax Sharma of Sonatype, a company that sells software supply chain security products:

This week, a vigilante actor flooded PyPI and npm repositories with nearly 5,000 dependency confusion packages.

Just a day has elapsed since Sonatype discovered and reported on malicious dependency confusion packages that targeted Amazon, Zillow, Lyft, and Slack, and we are now seeing these packages appear in PyPI and npm claiming to “make everyone pay attention to software supply chain attacks, because the risks are too great.”

To be clear, these are not malicious packages in the sense that they are exfiltrating scores of sensitive data or planting shells in these companies’ servers. They are packages used to demonstrate the risks many companies face by not carefully limiting their dependency sources, and to collect bug bounties. The distinction is one of intent rather than capability, though: a “proof of concept” package still runs whatever its install hook says on the victim’s build machine. Still, in Alex Birsan’s report last month, he said that he often received the maximum bounty available, indicating that many companies consider this a high-risk problem. Sure seems like something that would engender a speedier timeline for prevention.
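The fixes that prevent the substitution are mostly configuration: scope internal npm packages and map the scope to the private registry, give pip a single index rather than an extra one, and pin (with hashes) the internal requirements. The following pre-flight checker is an added example, not code from this post, from Sonatype, or from Birsan’s research; the internal package inventory, registry URLs and manifests it inspects are constructed for the demonstration.

```python
"""Pre-flight check for dependency confusion in npm and pip manifests.

Added example, not code from the original post, from Sonatype, or from
Birsan's research. It looks for the configuration mistakes that let a
public package with the same name shadow an internal one:
  * an internal npm package that is unscoped, or whose scope is not mapped
    to a private registry in .npmrc;
  * a pip setup that uses extra-index-url (pip merges every index and takes
    the highest version it finds in any of them) instead of one index-url;
  * an internal pip requirement that is not pinned with == (and hashes).
The internal inventory, registry URLs and manifests below are constructed.
"""
import configparser
import json
import re

# Assumed internal inventory (constructed for the demo).
INTERNAL_PACKAGES = {"acme-auth", "@acme/billing", "acme_metrics"}


def _canonical(name):
    """pip treats names case-insensitively with '-' and '_' interchangeable."""
    return name.lower().replace("_", "-")


def parse_npmrc(text):
    """Return {scope: registry_url} from lines like '@acme:registry=https://...'."""
    scopes = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(@[^:\s]+):registry=(\S+)", line)
        if m:
            scopes[m.group(1)] = m.group(2)
    return scopes


def check_npm(package_json_text, npmrc_text, internal=INTERNAL_PACKAGES):
    """Flag internal npm dependencies that the public registry could satisfy."""
    findings = []
    manifest = json.loads(package_json_text)
    scopes = parse_npmrc(npmrc_text)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(manifest.get(section, {}))
    for name in deps:
        if name not in internal:
            continue
        if not name.startswith("@"):
            findings.append(f"npm: internal package '{name}' is unscoped; "
                            "anyone can publish a public package with that name")
        elif name.split("/")[0] not in scopes:
            findings.append(f"npm: scope '{name.split('/')[0]}' is not mapped to a "
                            "private registry in .npmrc")
    return findings


def check_pip(requirements_text, pip_conf_text, internal=INTERNAL_PACKAGES):
    """Flag index merging and unpinned internal requirements."""
    findings = []
    cfg = configparser.ConfigParser()
    cfg.read_string(pip_conf_text)
    if cfg.has_option("global", "extra-index-url"):
        findings.append("pip: extra-index-url merges the private index with PyPI; "
                        "point index-url at one proxy that serves both")
    internal_names = {_canonical(p) for p in internal}
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("--extra-index-url"):
            findings.append("pip: requirements file adds an extra index")
            continue
        if not line or line.startswith("-"):
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*(==|>=|<=|~=|!=|>|<)?", line)
        if m and _canonical(m.group(1)) in internal_names and m.group(2) != "==":
            findings.append(f"pip: internal package '{m.group(1)}' is not pinned with == "
                            "(add --hash so a substituted package fails verification)")
    return findings


# Constructed manifests that exhibit each mistake.
SAMPLE_PACKAGE_JSON = json.dumps({"name": "acme-web", "dependencies": {
    "acme-auth": "^2.1.0", "@acme/billing": "1.4.0", "left-pad": "1.3.0"}})
SAMPLE_NPMRC = "registry=https://registry.npmjs.org/\n"  # no @acme mapping
SAMPLE_REQUIREMENTS = "requests==2.25.1\nacme_metrics>=1.0  # internal\n"
SAMPLE_PIP_CONF = "[global]\nextra-index-url = https://pypi.internal.example/simple\n"


def run_checks():
    """Run both checkers over the constructed inputs; four findings expected."""
    return (check_npm(SAMPLE_PACKAGE_JSON, SAMPLE_NPMRC)
            + check_pip(SAMPLE_REQUIREMENTS, SAMPLE_PIP_CONF))


if __name__ == "__main__":
    for finding in run_checks():
        print(finding)
```

The npm half only looks at scoping because that is what npm actually keys its registry choice on; a scoped name mapped to a private registry is never looked up on the public one, whereas an unscoped name is, regardless of version spec. The pip half treats `extra-index-url` itself as the finding, because pip will pick the highest version from whichever index offers it, and a pin without `--hash` only narrows the race rather than winning it.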

Geoffrey Fowler, Washington Post:

You probably think of Amazon as the largest online bookstore. Amazon helped make e-books popular with the Kindle, now the dominant e-reader. Less well known is that since 2009, Amazon has published books and audiobooks under its own brands including Lake Union, Thomas & Mercer and Audible. Amazon is a beast with many tentacles: It’s got the store, the reading devices and, increasingly, the words that go on them.

Librarians have been no match for the beast. When authors sign up with a publisher, it decides how to distribute their work. With other big publishers, selling e-books and audiobooks to libraries is part of the mix — that’s why you’re able to digitally check out bestsellers like Barack Obama’s “A Promised Land.” Amazon is the only big publisher that flat-out blocks library digital collections. Search your local library’s website, and you won’t find recent e-books by Amazon authors Kaling, Dean Koontz or Dr. Ruth Westheimer. Nor will you find downloadable audiobooks for Trevor Noah’s “Born a Crime,” Andy Weir’s “The Martian” and Michael Pollan’s “Caffeine.”

Amazon does generally sell libraries physical books and audiobook CDs — though even print versions of Kaling’s latest aren’t available to libraries because Amazon made it an online exclusive.

This is sadly true of many exclusive arrangements with digital publishers. Calgary Public Library has a huge video catalogue but, from Netflix, only the handful of TV shows that have been released on DVD are available. That’s right: DVD, not Blu-ray, and not through the library’s streaming video service. The many documentaries that are Netflix exclusives remain solely available in that company’s streaming catalogue.

Speaking of Taylor Lorenz, some men including Tucker Carlson and Glenn Greenwald have become obsessed with Lorenz’s tweets over the past several weeks. They are not critiquing her work, despite the way they frame these pieces; it is a strangely obsessive campaign that tests the line between criticism and harassment. Carlson dedicated the A-block of his show last night to mocking women — those with a platform, specifically, including Lorenz — who point out times when they have been treated with disdain and contempt. Greenwald sent a rant to his, as Substack puts it, “tens of thousands” of subscribers last month complaining about an erroneous claim she made and corrected within a few hours.1 It is a very weird and arguably cruel beat these commentators have chosen.

This targeting of any woman who dares to express the unique vitriol they experience is, sadly, standard fare, as is the mockery directed towards anyone in a position of relative influence or wealth who is not happy and satisfied at all times. This clearly needs to change. Without discounting that more serious and pressing concern, I am mentioning this situation because I think there’s a broader point here about platforms.

Ryan Broderick in his Garbage Day newsletter:

Substack released their first real community guidelines in December. At the time, I wrote about them, saying I was skeptical, but I liked the general direction they were going in. One thing that worried me was how simplistic their definition of harassment was. It’s one line in their content guidelines, “In all cases, Substack does not allow harassment or threats.” And in their December announcement, they also said they don’t allow doxxing. I read through Greenwald’s original Substack piece on Taylor (it wasn’t easy lol). And it was a vicious screed, but he doesn’t doxx her. But online harassment is a constantly evolving process of boundary testing. Campaigns become better and more organized and every community guideline that can be stress-tested will be. Right now most of the abuse being carried out by this group is confined to Twitter, but it stands to reason that it will eventually spill over to Substack. And dealing with people like Greenwald is going to be much harder to moderate than your average troll.

Carlson and Greenwald get to make choices about how they use their platforms and, make no mistake, they both have considerable power. Fox News has claimed for decades that it is in opposition to the “mainstream media”, but it finished 2020 as the mainstreamiest cable network with its best year ever. It may have begun the year on an off-note, but its CEO is confident of a rebound. Carlson is one of the network’s biggest stars and a trust fund baby. Greenwald may not have the circulation or institutional gravitas of the Times behind him, but he is certainly an influential and powerful media figure. He has a Pulitzer to his name, his recent reporting of the Operation Car Wash scandal in Brazil rocked the country, and he was able to replace his six-figure salary after quitting the Intercept and grow his audience at the same time.

Both commentators have decided to throw their considerable weight this week against a specific Times reporter. Neither outright calls for targeted harassment, but both are surely aware of the size of the audience they are directing at their target. How much responsibility do they bear for using their influence in this way and, more to the point, how much responsibility is borne by the platforms that host them? I don’t mean legally, but ethically: do Fox or Substack have any moral culpability when they are a vehicle for aggressive targeted disparagement?

The people who run Fox should, I think, be ashamed of its broadcasting — just in general, all the time — but we all know what that channel is and strives for. It is Substack that is a more complicated and interesting case. Substack is not like Twitter or Facebook’s blue site. Posts from its publishers stand alone, have more context, and there are not really any mechanisms to juice popularity — there is not an intra-network reshare button; there is really no “network” to speak of. Substack is more like an old-school blogging platform with email.

Except, Substack also has paid subscriptions of which it takes a cut. Anyone can theoretically offer subscriptions — give me money on Patreon — but those with an existing fan club particularly benefit, regardless of those writers’ ethics. To be clear, nothing about Substack is uniquely a problem here: Broderick’s newsletter is hosted on Substack, and Lorenz offers an email subscription through it too. But there is an awkward relationship between deliberate assholes and those who financially benefit from that behaviour. I don’t think we — in the broadest sense — are navigating that relationship well. Part of the reason for that is undoubtedly because Substack has positioned itself as a more household name; you can identify a Substack newsletter through its poor typography and consistent layout. Substack is a particularly identifiable beneficiary of the users of its platform in a way that a generic self-hosted email subscription is not.

It seems to me that a key differentiator between platforms and more infrastructural elements is how conspicuous they are. If Substack were entirely customizable and had no branding, I doubt there would be as much expectation that it will intervene — but there also would not be trend pieces about Substack appearing in media outlets worldwide.


  1. I am intending to make a broader argument so I don’t want to get too into the specific disputes or individuals here. But, for completeness, Greenwald wrote a followup piece today complaining about Lorenz and, more generally, how he feels that journalists should just toughen up, smile, and embrace the consequences of criticizing powerful people. Which, whatever. I think burying your feelings is a terrible suggestion for being on the receiving end of abuse because abuse should not be happening to anyone, but I don’t have the time for all of this.

    One thing he wrote early in his piece stood out to me because it was trivial to check:

    She [Lorenz] also often uses her large, powerful public platform to malign private citizens without any power or public standing by accusing them of harboring bad beliefs and/or associating with others who do. (She is currently being sued by a citizen named Arya Toufanian, who claims Lorenz has used her private Twitter account to destroy her [sic] reputation and business, particularly with a tweet that Lorenz kept pinned at the top of her Twitter page for eight months, while several other non-public figures complain that Lorenz has “reported” on their non-public activities). It is to be expected that a New York Times journalist who gets caught lying as she did against Andreessen and trying to destroy the reputations of non-public figures will be a topic of conversation.

    Calling Toufanian a mere “citizen” not only makes for an awkward sentence, it is misleading. He is the founder of a couple of scummy companies, elected not to comment on a critical article by Lorenz about his business practices, and has repeatedly appeared in national and online media since 2012 including in other Times articles. Greenwald’s claim is also factually incorrect: in a PACER search, I was unable to find any lawsuit against Lorenz, and the only relevant suit involving Toufanian was against someone else. Lorenz’s article was cited by the defence in that libel suit, which is now being considered for dismissal.

    I brought this to Greenwald’s attention by email about two hours after he tweeted a link to this edition of his newsletter. Seven hours have passed between when I sent that email and published this post. During that time, he has been active on Twitter and at least one other person has informed him of this apparent error. He has not replied to me nor has he corrected his article. If Lorenz’s claim about Marc Andreessen is to be considered a “lie” because it was tweeted and then deleted after three hours, what would be the best term for Greenwald’s claim about this, as best as I can tell, entirely fictitious lawsuit?

    Update, March 12 The above is incorrect, and I apologize. This (SLAPP) lawsuit exists. The DC court system, where this suit was filed, is not searchable by PACER, which is why I was unable to find it. I still think it’s weird that Greenwald seems excited by the prospect of a lawsuit against a journalist for critical but fair coverage. I thought he was against that sort of thing. Also, he still hasn’t replied. ↥︎

Taylor Lorenz, New York Times:

Tens of millions of people around the globe consider themselves creators, and the creator economy represents the “fastest-growing type of small business,” according to a 2020 report by the venture capital firm SignalFire.

But as the market gets more and more competitive — and the platforms and their algorithms remain unreliable — creators are devising new, hyper-specific revenue streams.

One comes in the form of NewNew, a start-up in Los Angeles, that describes its product as creating a “human stock market.” On the app, fans pay to vote in polls to control some of a creator’s day-to-day decisions.

For example, a creator can use NewNew to post a poll asking which sweater they should wear today, or who they should hang out with and where they should go. Fans purchase voting power on NewNew’s platform to participate in the polls, and with enough voting power, they get to watch their favorite influencer live out their wishes, like a real life choose-your-own-adventure game.

This kind of reminds me of the earliest days of Justin.tv mixed with Calvin’s entrepreneurial spirit.

Timothy B. Lee, Ars Technica:

In a pair of letters last November and December, officials at the California DMV asked Tesla for details about the FSD beta program. Tesla requires drivers using the beta software to actively supervise it so they can quickly intervene if needed. The DMV wanted to know if Tesla planned to relax requirements for human supervision once the software was made available to the general public.

In its first response, sent in November, Tesla emphasized that the beta software had limited functionality. Tesla told state regulators that the software is “not capable of recognizing or responding” to “static objects and road debris, emergency vehicles, construction zones, large uncontrolled intersections with multiple incoming ways, occlusions, adverse weather, complicated or adversarial vehicles in the driving path, and unmapped roads.”

In a December follow-up, Tesla added that “we expect the functionality to remain largely unchanged in a future, full release to the customer fleet.” Tesla added that “we do not expect significant enhancements” that would “shift the responsibility for the entire dynamic driving task to the system.” The system “will continue to be an SAE Level 2, advanced driver-assistance feature.”

Apparently this is the year that we get fully autonomous transportation — assuming Tesla manages to resolve that enormous list of things not recognized by its “full self-driving” software. So this is not the year that we get fully autonomous transportation, and the name of Tesla’s “Autopilot” software is still writing cheques that it cannot cash. Some things never change.

Today’s Politico Playbook, maniacal capitalization corrected by yours truly:

President Joe Biden has decided to nominate Lina Khan, a Columbia University legal scholar championed by anti-Big Tech activists, to the Federal Trade Commission.

Along with the recent hiring of Tim Wu as an economic adviser inside the White House — also first reported in Playbook — the addition of Khan signals that Biden is poised to pursue an aggressive regulatory agenda when it comes to Amazon, Google, Facebook and other tech giants.

Wu joined the National Economic Council and is known for arguing in favour of net neutrality and against the huge power of large tech companies. Khan is perhaps best known for her contributions to the House Antitrust Subcommittee and her blockbuster 2017 piece about Amazon in the Yale Law Journal. These are two of the most respected voices in technology policy and I am looking forward to the work they will do.

William Turton, Bloomberg:

A group of hackers say they breached a massive trove of security-camera data collected by Silicon Valley startup Verkada Inc., gaining access to live feeds of 150,000 surveillance cameras inside hospitals, companies, police departments, prisons and schools.

[…]

Kottmann said their group was able to obtain “root” access on the cameras, meaning they could use the cameras to execute their own code. That access could, in some instances, allow them to pivot and obtain access to the broader corporate network of Verkada’s customers, or hijack the cameras and use them as a platform to launch future hacks. Obtaining this degree of access to the camera didn’t require any additional hacking, as it was a built-in feature, Kottmann said.

The hackers’ methods were unsophisticated: they gained access to Verkada through a “Super Admin” account, allowing them to peer into the cameras of all of its customers. Kottmann says they found a user name and password for an administrator account publicly exposed on the internet. After Bloomberg contacted Verkada, the hackers lost access to the video feeds and archives, Kottmann said.

Jason Koebler and Joseph Cox, Vice:

The spreadsheet, provided by one of the hackers to Motherboard, shows more than 24,000 unique entries in the “organization name” column. Verkada’s cameras are capable of identifying particular people across time by detecting their faces, and are also capable of filtering individuals by their gender, the color of their clothes, and other attributes.

[…]

From the spreadsheet itself, it is not clear which specific customers are deploying Verkada’s facial recognition capabilities. But those features appear to be basic functions of the camera, and not add-ons. Verkada’s website advertises that “all” of its cameras include “Smart Edge-Based Analytics,” referring to the cameras’ facial recognition, person identification, and vehicle analysis tools. It adds the cameras can detect “meaningful events,” which can mean unusual activity and “unusual motion” as determined by the camera’s AI. After detecting faces, a companion web app allows the camera’s administrator to search over time for footage that includes that specific person.

Access to the cameras and video archives of thousands of clients was granted by a username and password that were publicly available on the web, from which these activists were able to explore Verkada’s network. Note what that credential bought: a single “Super Admin” account was valid across every customer rather than scoped to one tenant, and root on the cameras was a built-in feature rather than something that had to be exploited, so one leaked password was the whole attack. Just a staggering degree of incompetence. Apparently, some of Verkada’s clients are in Canada — including at least one government agency I can find — and I am sure our Privacy Commissioner will dig this.

This piece from the New York Times editorial board just three days ago sets the tone for the main topic, I think:

Americans have become inured to the relentless collection of their personal information online. Imagine, for example, if getting your suit pressed at the dry cleaner’s automatically and permanently signed you up to have scores of inferences about you — measurements, gender, race, language, fabric preferences, credit card type — shared with retailers, cleaning product advertisers and hundreds of other dry cleaners, who themselves had arrangements to share that data with others. It might give you pause.

[…]

One straightforward solution is to let people opt in to data collection on apps and websites. Today, with few exceptions, loads of personal data are collected automatically by default unless consumers take action to opt out of the practice — which, in most cases, requires dropping the service entirely.

Drew FitzGerald, Wall Street Journal:

T-Mobile US Inc. will automatically enroll its phone subscribers in an advertising program informed by their online activity, testing businesses’ appetite for information that other companies have restricted.

[…]

AT&T Inc. automatically enrolls wireless subscribers in a basic ad program that pools them into groups based on inferred interests, such as sports or buying a car. An enhanced version of the program shares more-detailed personal information with partners from customers who opt into it.

Verizon Communications Inc. likewise pools subscriber data before sharing inferences about them with advertisers, with a more-detailed sharing program called Verizon Selects for users who enroll. Its separate Verizon Media division shares data gathered through its Yahoo and AOL brands.

Ask pretty much anyone about their modern-day privacy concerns and you will get an earful about Facebook and Google. That’s understandable — they run a two-sided economy of users and advertisers, and have little competition in many of their markets. But the ad tech ecosystem is so gigantic that it is insufficient to focus solely on those two companies.

I have been writing for years that the market for private data needs to be curbed or even eliminated. Now that personal information is available in unfathomable supply, has huge demand, and is an effectively unregulated market, everyone seems to want in on it. Scott Brinker tracks the companies involved in marketing technologies. In 2020, the sector with by far the greatest growth was in data.1 Even the example the Times editorial board used in that lede is pretty much identical to an agreement between Google and Mastercard.

Even as Facebook and Google have become bywords for creepy online behaviour and have begun to spin privacy narratives around isolationist changes, the anti-privacy business is booming. There are thousands of companies only too eager to buy and sell whatever data they can get their hands on and “enrich” it by matching identifiers in different data sets. I maintain that this entire industry is illegitimate but, at the very least, it needs regulation and clear user protections.

This is also a reminder that antitrust investigations solely focused on tech companies are woefully inadequate.


  1. Within the data category, Brinker recorded a 68% growth in “governance, compliance, and privacy” firms. However, that does not mean that the data category grew primarily because of a large increase in compliance companies, perhaps spurred by increased regulation. If you actually look at the infographic, that subcategory went from a handful to a much larger handful — but it is vastly overshadowed by the number of analytics, “customer intelligence”, and “data enhancement” companies. ↥︎

Tom Burt of Microsoft:

Today, we’re sharing information about a state-sponsored threat actor identified by the Microsoft Threat Intelligence Center (MSTIC) that we are calling Hafnium. Hafnium operates from China, and this is the first time we’re discussing its activity. It is a highly skilled and sophisticated actor.

[…]

Recently, Hafnium has engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software. To date, Hafnium is the primary actor we’ve seen use these exploits, which are discussed in detail by MSTIC here. The attacks included three steps. First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely. Third, it would use that remote access – run from the U.S.-based private servers – to steal data from an organization’s network.

More details about these vulnerabilities can be found on the ProxyLogon website set up by Devcore, which discovered these vulnerabilities, as well as a timeline that aligns with one posted by Brian Krebs. “ProxyLogon” is the name for the chain: a pre-authentication server-side request forgery (CVE-2021-26855) that lets a request masquerade as the Exchange server itself, followed by a post-authentication arbitrary file write (CVE-2021-27065) that is what drops the web shell.

But we’re well past these being interesting vulnerabilities that are scary only in theory.

Brian Krebs:

Speaking on condition of anonymity, two cybersecurity experts who’ve briefed U.S. national security advisors on the attack told KrebsOnSecurity the Chinese hacking group thought to be responsible has seized control over “hundreds of thousands” of Microsoft Exchange Servers worldwide — with each victim system representing approximately one organization that uses Exchange to process email.

[…]

The government cybersecurity expert said this most recent round of attacks is uncharacteristic of the kinds of nation-state level hacking typically attributed to China, which tends to be fairly focused on compromising specific strategic targets.

“Its reckless,” the source said. “It seems out of character for Chinese state actors to be this indiscriminate.”

Catalin Cimpanu, the Record:

The ongoing mass exploitation campaign targeting Microsoft Exchange email servers has expanded in less than a week to include attacks from multiple nation-state hacking groups and cybercrime operations alike.

Microsoft has instructions for sysadmins to verify if their Exchange server was compromised, and has released patches. Those two things are not interchangeable: the patch closes the request path, but a server that was exploited before it was patched still has its web shell and whatever was done with it, so the verification steps matter as much as the update.
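As an added example of what that verification looks like in practice, here is a scanner for the indicator Microsoft published for the initial request stage: an HttpProxy log entry with an empty AuthenticatedUser and an AnchorMailbox of the form `ServerInfo~host/path`. This is my code, not Microsoft’s script; it assumes the HttpProxy logs are CSV files whose header includes the DateTime, ClientIpAddress, UrlStem, AuthenticatedUser and AnchorMailbox columns (check the header of your own files), and the log excerpt embedded below is constructed.

```python
"""Scan Exchange HttpProxy logs for the unauthenticated ServerInfo~ anchor
pattern that Microsoft published as an indicator of CVE-2021-26855 abuse.

Added example; this is not Microsoft's own script. Assumptions: the HttpProxy
logs are CSV files whose header names the DateTime, ClientIpAddress, UrlStem,
AuthenticatedUser and AnchorMailbox columns. SAMPLE_LOG is constructed.
"""
import csv
import io
import os
import re
from collections import Counter

# Published indicator: a request with no authenticated user whose anchor
# mailbox is a server routing hint (ServerInfo~host/path), not a mailbox.
ANCHOR_PATTERN = re.compile(r"^ServerInfo~[^/]+/")

# Constructed HttpProxy excerpt; real files carry many more columns.
SAMPLE_LOG = r"""DateTime,RequestId,ClientIpAddress,UrlHost,UrlStem,AuthenticationType,IsAuthenticated,AuthenticatedUser,Organization,AnchorMailbox,UserAgent
2021-03-02T08:14:01.123Z,0001,203.0.113.7,mail.example.com,/owa/auth/logon.aspx,,false,,,,Mozilla/5.0
2021-03-02T08:15:30.456Z,0002,198.51.100.4,mail.example.com,/autodiscover/autodiscover.xml,,false,,,ServerInfo~mail.example.com/autodiscover/autodiscover.xml,python-requests/2.25.1
2021-03-02T08:16:02.789Z,0003,192.0.2.10,mail.example.com,/mapi/emsmdb/,Negotiate,true,EXAMPLE\alice,,Sid~S-1-5-21-1111-2222-3333-1001,Microsoft Office/16.0
2021-03-02T08:17:44.000Z,0004,198.51.100.4,mail.example.com,/ecp/,,false,,,ServerInfo~mail.example.com/ecp/,python-requests/2.25.1
"""


def suspicious_rows(csv_text):
    """Return the rows matching the indicator, trimmed to the useful columns."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = (row.get("AuthenticatedUser") or "").strip()
        anchor = (row.get("AnchorMailbox") or "").strip()
        if user == "" and ANCHOR_PATTERN.match(anchor):
            hits.append({k: row.get(k, "") for k in
                         ("DateTime", "ClientIpAddress", "UrlStem", "AnchorMailbox")})
    return hits


def scan_directory(path):
    """Walk the HttpProxy logging tree and collect hits, tagging each with its file.

    On a real server `path` is the Logging/HttpProxy directory under the
    Exchange install root; pass a copy of the logs if you are working offline.
    """
    hits = []
    for root, _dirs, files in os.walk(path):
        for name in files:
            if not name.lower().endswith(".log"):
                continue
            full = os.path.join(root, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                for hit in suspicious_rows(fh.read()):
                    hit["File"] = full
                    hits.append(hit)
    return hits


def sources(hits):
    """Count hits per client IP: the first thing to block and to hunt on elsewhere."""
    return Counter(h["ClientIpAddress"] for h in hits)


if __name__ == "__main__":
    found = suspicious_rows(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(dict(sources(found)))
```

A hit here means the server should be treated as compromised rather than merely exposed: the request stage is only step one of the three Burt describes, so the next move is hunting for the web shell and for what the remote operator did with it, not just applying the update.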

Ryan Naraine in the Security Conversations newsletter:

In my 20+ years writing about hackers and tracking advanced threats, I’ve never seen this volume of in-the-wild zero-day exploitation happening at the same time. Last week alone, we saw five 0-days exploited in the wild, including a mysterious Chrome attack and Chinese cyberspies hitting tens-of-thousands of companies globally via Microsoft Exchange server vulnerabilities.

Google’s 0-day tracker spreadsheet has so far flagged 12 in-the-wild 0day attacks in 2021 (there were 24 total last year) and I know they’re missing at least two — the Sonicwall firewall attacks and the Accellion incident that’s also causing a world of hurt downstream.

Thumbing through that spreadsheet is informative. You will see exploits targeting software and firmware from Apple, Google, Mozilla, and Adobe — especially Adobe. But the number of vulnerabilities in Microsoft’s products that are being used in the wild stands head and shoulders above all other vendors. That is alarming but it is also unsurprising: organizations large and small use Microsoft’s productivity and server products; perhaps more importantly, these products are used by governments at all levels with no great alternatives.

Dino A. Dai Zovi:

My interpretation: we’ve never been this good at *detecting* in-the-wild zero-day exploitation.

Reminds me of something I heard years ago about cancer research. I am not sure where this came from, but one of the questions researchers face is how much of the rising number of cancer cases is due to more cancer, and how much can be attributed to better detection. This has stuck in my mind for years, and I think about it a lot as I hear about other trends — like this one.

Matt Burgess, writing for Wired in 2019:

GDPR is delivering results. Big time. Facebook has today announced a tool that allows anyone to copy their endless selfies and holiday pictures from the Zuckerberg empire to Google Photos.

[…]

And photos are just the beginning. The data moving tool has been created as a result of the Data Transfer Project. The project was set up in 2018 and is a collaboration between the world’s biggest tech companies: Apple, Facebook, Google, Microsoft and Twitter are the group’s key members.

Curious that you can transfer to Google Photos images from two of its biggest competitors, Facebook and now Apple’s iCloud Photos, but not from Google to either of those. As noted in this article, Google showed a prototype of transferring images to Facebook during a 2019 presentation, but that has not yet materialized. When I tried using Google’s Takeout service for this post, I only saw transfer options for Flickr and Microsoft OneDrive.

This is not surprising news; the iMac Pro was never substantially updated in the three years it was available. But its stopgap nature had a unique charm that belied its capability, and I wish I had its cooling system to reduce my iMac’s fan noise.

If you want an expensive three year old computer with no configuration options and hardware that will likely be eclipsed by the next base model iMac, head on over to Apple’s online store while it is still available.

Bennett Cyphers, of the Electronic Frontier Foundation:

Google is leading the charge to replace third-party cookies with a new suite of technologies to target ads on the Web. And some of its proposals show that it hasn’t learned the right lessons from the ongoing backlash to the surveillance business model. This post will focus on one of those proposals, FLoC, which is perhaps the most ambitious — and potentially the most harmful.

[…]

In a world with FLoC, it may be more difficult to target users directly based on age, gender, or income. But it won’t be impossible. Trackers with access to auxiliary information about users will be able to learn what FLoC groupings “mean” — what kinds of people they contain — through observation and experiment. Those who are determined to do so will still be able to discriminate. Moreover, this kind of behavior will be harder for platforms to police than it already is. Advertisers with bad intentions will have plausible deniability — after all, they aren’t directly targeting protected categories, they’re just reaching people based on behavior. And the whole system will be more opaque to users and regulators.

I got this wrong and I feel bamboozled, but I have an excuse: this stuff is incomprehensible. Google’s proposal for dropping tracking is just a slightly broader version of tracking which happens to be much harder to understand. That should mean less adverse publicity for Google while still being hostile to user privacy.
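The inference Cyphers describes is mechanical enough to show in a few dozen lines. The following simulation is an added example, not Google’s FLoC code and not from the EFF post: a tracker knows a sensitive attribute for a minority of users (from a login, say, or a purchased data set), observes the cohort ID each of those users’ browsers reports, learns which cohorts skew toward which attribute, and then labels every other visitor by cohort alone. The cohort function, the sites and their categories, the cohort-space size and the population are all constructed for the demo; the real FLoC used SimHash over visited domains, but the attack only needs cohorts to group similar histories, which is the whole point of a cohort.

```python
"""Inferring a protected attribute from FLoC-style cohort IDs.

Added example, not Google's FLoC code and not from the EFF post. Everything
below (cohort function, sites, categories, cohort-space size, population)
is constructed to show the inference step the passage describes.
"""
import hashlib
import random
from collections import Counter, defaultdict

# Constructed site -> interest category map. The first two groups are
# correlated with the sensitive attribute; the third is visited by everyone.
HIGH_INCOME_SITES = {"luxury-cars.example": "autos", "yachts.example": "boats",
                     "investing.example": "finance"}
LOW_INCOME_SITES = {"payday-loans.example": "credit", "coupons.example": "deals",
                    "rent-to-own.example": "rental"}
COMMON_SITES = {"news.example": "news", "weather.example": "weather",
                "recipes.example": "food"}
ALL_SITES = {**HIGH_INCOME_SITES, **LOW_INCOME_SITES, **COMMON_SITES}
COHORT_SPACE = 2 ** 16  # assumed size of the cohort ID space


def assign_cohort(history):
    """Stand-in for the browser's cohort computation: histories that cover the
    same set of interest categories land in the same cohort, which is the
    property any clustering scheme (SimHash included) is built to provide."""
    categories = sorted({ALL_SITES[site] for site in history})
    digest = hashlib.sha256("|".join(categories).encode()).digest()
    return int.from_bytes(digest[:4], "big") % COHORT_SPACE


def make_population(n, seed=7):
    """Constructed users: a hidden income bracket and a history drawn from that
    bracket's sites plus one or two sites everyone visits."""
    rng = random.Random(seed)
    users = []
    for _ in range(n):
        bracket = rng.choice(["high", "low"])
        group = HIGH_INCOME_SITES if bracket == "high" else LOW_INCOME_SITES
        history = (rng.sample(sorted(group), 2)
                   + rng.sample(sorted(COMMON_SITES), rng.randint(1, 2)))
        users.append({"bracket": bracket, "cohort": assign_cohort(history)})
    return users


def learn_cohort_labels(labeled_users):
    """Tracker side: majority attribute per cohort among users it already knows."""
    votes = defaultdict(Counter)
    for user in labeled_users:
        votes[user["cohort"]][user["bracket"]] += 1
    return {cohort: counts.most_common(1)[0][0] for cohort, counts in votes.items()}


def infer_bracket(cohort, model):
    """Label a visitor from the cohort ID alone; None if the cohort is unseen."""
    return model.get(cohort)


def evaluate(n_labeled=300, n_unlabeled=700):
    """Fraction of users with no known attribute whose bracket the cohort reveals."""
    population = make_population(n_labeled + n_unlabeled)
    model = learn_cohort_labels(population[:n_labeled])
    test = population[n_labeled:]
    correct = sum(1 for u in test if infer_bracket(u["cohort"], model) == u["bracket"])
    return correct / len(test)


if __name__ == "__main__":
    print(f"attribute recovered for {evaluate():.0%} of unlabeled users")
```

Nothing in the cohort ID names a protected category, which is exactly the deniability the EFF post worries about: the tracker targets “cohort 41,234”, and only its own side table says what that cohort means. Making cohorts coarser or rotating them more often raises the tracker’s cost but does not change the mechanism, because the browser’s job in this scheme is to put similar people in the same bucket.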

Sarah Perez, TechCrunch:

For example, if you tell Siri to play a song, album or artist, it may ask you which service you want to use to listen to this sort of content. However, your response to Siri is not making that particular service your “default,” Apple says. In fact, Siri may ask you again at some point — a request that could confuse users if they thought their preferences had already been set.

This is a clever way of dealing with multiple options without requiring users to dig into menus or make manual settings. But we often want to pick something and stick with it. Computers are just tools; as they attempt to make more decisions for us, it can sometimes be delightful but it can also be maddening.

It reminds me of that button in the Twitter app that allows you to toggle between an algorithmically sorted timeline and a reverse-chronological one. If you open the app often enough, it will usually stick with the last sorting mode you selected. But if you do not, it will revert to showing an algorithmic timeline. If you prefer reverse-chronological, it sucks.

It is a bit like if you went out to your car one morning and the seat and steering wheel were in a completely different position to the way you left it. It is uncomfortable. It is no longer yours.

Kamakshi Sivaramakrishnan of LinkedIn:

We want to share an update on our plans and guidance to help you prepare for these changes. We have decided to stop our iOS apps’ collection of IDFA data for now. Although this change affects the LinkedIn Audience Network (LAN), Conversion Tracking and Matched Audiences, we expect limited impact to your campaign performance, and don’t foresee major changes required for your campaign set-up.

Meanwhile, Facebook is exploiting this pandemic to whinge about Apple’s privacy improvements.

The bill in North Dakota that failed last month was a pebble bouncing off a windscreen. But it looks like Apple is catching up to the gravel truck and cracks are beginning to form.

Leah Nylen, Politico:

Undeterred by that loss, the developers are focusing now on bills to let app-makers choose their own payment processors. So far, that legislation has been introduced in seven states, including New York, Illinois and Massachusetts, though the Arizona bill is the farthest along.

[…]

The state legislative fights are the latest manifestation of the long-running gripes that developers such as Spotify have aired to lawmakers and antitrust regulators in both Washington, D.C., and Europe about app store policies. Epic, the creator of the popular video game Fortnite, is also waging its own court fights against Apple and Google in an attempt to defang their app policies.

These bills are a testament to Google’s increasing control and Apple’s unwillingness to make smaller meaningful changes over time. Developers have been complaining about this stuff for years, without much response from either company — but particularly from Apple. Sure, subscriptions were opened to apps of all types several years ago and Apple takes a smaller commission from recurring subscribers. And, yes, small changes were made last year under increasing antitrust scrutiny. But I have to wonder if it would have become such a significant issue as to inspire legislation if Apple had been more proactive about making incremental rule changes to loosen its control and adapt more readily to complaints.

The way I see it, Apple could have continued to run the App Store as it has done while responding to developers’ feedback; or, at the very least, it could have loosened its control on its own terms. But it overplayed its hand. If enough state legislatures pass these bills — particularly in Illinois and New York — it is going to be forced to make major changes.

Simon Henriques, McSweeney’s:

Here, I’ll introduce you to some of the guys. On the end, that’s Gmail. He’s the only one been around longer’n me, and he’s not going anywhere. Practically invincible. This fella next to me has a page of upstate real estate listings that get refreshed every so often. We call him The Dreamer. And that’s Bank Web Portal. He’s sat idle so long that he’s auto-logged out. That’s a death sentence. As soon as he gets noticed, he’s a goner. Don’t stare, son.

I’d say I thank god that I’ve stuck around as long as I have, but when you stick around as long as I have, you realize there is no god. Just an unfeeling, capricious universe, playing with us as a child with marbles. You’ll learn. Over time you’ll move further and further to the left, pixel by pixel, as each new recruit pops in. All you can do is load pages as fast as you can, keep your ad blocker ready to fire at a moment’s notice, and try to tune out the constant thrum of lo-fi hip-hop beats to relax/study to.

I took this personally.

Jason Snell, Macworld:

For years now, Apple has trumpeted its commitment to the privacy of its customers. Unlike most of its competitors, Apple’s business model (primarily selling products and services, not advertising) allows it to succeed without relying on collecting personal information from its customers. It’s a big advantage, and Apple knows it.

But when I look at Apple’s product strategy, I’m surprised at all the ways that the company has failed to take advantage of its unique position. From operating-system features to new services, the company should double down on privacy — and widen the lead it has over its competitors.

Snell is onto something here, and Apple could do more to improve privacy in Mail and the safety of its App Store. But I disagree with the suggestion at the end of this piece:

Most of my suggestions will cost Apple a lot of money to implement. In the case of something like App Store integrity, the company needs to pay up and do the right thing. But since Apple has built an impressive business on selling services to its users, perhaps there’s an opportunity here to increase privacy by providing a subscription service.

Privacy should be an expectation for all — not a premium product offering for those who can afford it. I have written before about how, in a better world, Apple could not market based on privacy because every company would be similarly respectful of its users. I am adamant that this is still true.

Privacy should not be something users need to become experts in so that they can make purchasing decisions. It should not be up to individual companies, and it should not be a competitive advantage. It ought to be what we all have no matter our choice of computer, phone, web browser, search engine, or television. This has always been a public policy issue that has, so far, been addressed as a business differentiator.