Pixel Envy

Written by Nick Heer.

Archive for April, 2021

There Is No Way to Report App Store Scams

You remember Kosta Eleftheriou, right? He tweeted about clones of his app FlickType, and has since found a bunch of App Store scams that he has tweeted about. Here are a couple of recent examples, starting with X-Gate VPN:

Another typo in the title, but this time it’s not even a title – it’s PLACEHOLDER TEXT!

How the heck does this app have a 4-star rating? Or passed review twice??

Anyway, let’s continue to see what this “7 day” trial is all about.

On the next screen the trial is now for 3 days instead of 7, and we can “Incredibly increase speed” for a mere $12/week.

You’re telling me people are signing up for $624/year for *this*? And are giving it 4 stars?

And here’s a game for kids:

This @AppStore app pretends to be a silly platformer game for children 4+, but if I set my VPN to Turkey and relaunch it becomes an online casino that doesn’t even use Apple’s IAP.

Both of these apps were available for hours after Eleftheriou tweeted about them, but have now been removed from the store. On one hand, you could argue that this indicates the need for a centralized and policed app marketplace: since Eleftheriou finds scummy apps like these in Apple’s controlled marketplace, it is possible that many more would be available if not for the controls in place. Apple is also able to disable apps like these when they are found.

But the fact that these apps are found in “a place you can trust” also indicates that Apple’s review process is not as stringent as it needs to be. It is possible that there would be more nefarious apps available for iOS if the App Store were not the sole distribution platform, but Apple’s App Store could still be the best marketplace if there were competitors. It could be safer and more controlled than it already is. It is also true that Apple could disable worrisome apps’ certificates, which are unconnected to the App Store’s monopoly on native app distribution for iOS.

One more thing that I think is critical is that it is, right now, impossible to flag an app as a rule-breaker or a scam. Say you download an app and it is, in some way, worth reporting to Apple. Let’s start in the App Store, where there is no button to report an app, not even in the app listing’s share menu. If you go to Apple’s Report a Problem website, you will see all of your purchases and downloads from your Apple ID, and you will be asked a question, “What can we help you with?”, with a dropdown menu containing these options:

  • Request a refund

  • Report a quality issue

  • Find my content

  • Report suspicious activity

If you pick the last one, you’ll be sent to a screen where you will be told to contact Apple Support if you think your Apple ID has been compromised; it has nothing to do with the items you purchased or downloaded.

The second item on the list, which is my next best guess for a relevant answer, is limited to Apple subscriptions and in-app purchases. It is the answer you choose when, say, a movie you rented has playback problems, or an app subscription is not working properly. It is one option you could use if an app is abusing in-app purchases and you have fallen for the scam but, if you are alert enough to avoid subscribing, this choice won’t help. It is the same story for requesting a refund, and “find my content” is irrelevant.

So you visit Apple’s contact page where, under the “Product and Services Support” section, you are redirected to Apple’s support page. And, long story short, there is nothing in this support site about App Store scams or reporting a problem with a third-party app. If I am wrong about this, please get in touch and tell me — I will update this post. But it appears that, if a scam makes its way into the App Store, Apple is entirely dependent on users posting on social media or contacting Apple through another channel to be alerted to problems.

Online Proctoring Programs Try to Detect Cheating Through Machine Learning, So You Can Imagine What They Get Wrong

Katie Deighton, Wall Street Journal:

Millions of college students facing final exams, professionals pursuing new qualifications and others were asked to take important tests at home using programs such as ProctorExam, Proctorio and ProctorU—software designed to fight cheating by getting a human or machine to remotely watch for suspicious behavior in test takers’ faces, rooms and audio levels.

[…]

One criticism leveled at Proctorio, which uses machine-learning technology to monitor a student’s behavior during a test, is that its system sometimes fails to detect the faces of users with darker skin tones, prompting concerns that these students may be unable to begin an exam. Mr. Olsen said the software occasionally fails to pick up students’ faces if they are in badly lighted spaces, but a human member of Proctorio’s support team can assist and admit test takers into an exam if the software has issues detecting their face in the pre-check process.

[…]

Some users reported trouble getting digital proctoring software to install or function properly on their devices, often because of technical issues such as an unstable internet connection.

Via D’Arcy Norman, who was interviewed by Deighton and whose full response is worth reading:

There is a fundamental problem with how online exam proctoring software is designed. This problem involves issues of power, control, consent, and agency. The concept itself puts students and instructors into an adversarial relationship, with students framed as assumed cheaters, and instructors as police or security analysts trying to catch the students. This can’t be resolved through interface tweaks or streamlined installation processes – the problem is the nature of the software, not the design of the interface or user experience.

This reminds me of the surveillance applications some employers require staff to install while working from home. People are sometimes going to do things while on the clock or at school that they should not be doing, but it is not solved by assuming people are unworthy of trust.

Update: Via a reader, another story about Proctorio. Joe Mullin of the Electronic Frontier Foundation:

Given these invasions, it’s no surprise that students and educators are fighting back against these apps. Last fall, Ian Linkletter, a remote learning specialist at the University of British Columbia, became part of a chorus of critics concerned with this industry.

Now, he’s been sued for speaking out. The outrageous lawsuit — which relies on a bizarre legal theory that linking to publicly viewable videos is copyright infringement — will become an important test of a 2019 British Columbia law passed to defend free speech, the Protection of Public Participation Act, or PPPA.

Vile.

Users of the iOS Discord App Will Be Unable to Access NSFW Channels

Kyle Orland, Ars Technica:

Discord users who access the Discord app through iOS will now face restrictions on adult content that go beyond those for other platforms. The gaming-focused social networking app — which lets users create public or private servers to chat via text, image, voice, and video livestreaming — announced this week that “all users on the iOS platform (including those aged 18+) will be blocked from joining and accessing NSFW servers. iOS users aged 18+ will still be able to join and access NSFW communities on the desktop and web versions of Discord.”

That NSFW designation can be set by the server owner or by Discord itself, in keeping with community guidelines requiring the label on “adult content.” Individual channels within a server can be designated as NSFW without imposing limits on the full server, but an entire server may be labeled as NSFW “if the community is organized around NSFW themes or if the majority of the server’s content is 18+,” the company said.

Matthew Bischoff on Twitter:

When we dealt with this at Tumblr, it became my full time job for weeks to find incredibly complex ways to appease Apple’s censors. This happened every time they found a sexy blog they didn’t like. It’s absurd.

Speaking of Twitter, that company expressly permits “graphic violence and consensually produced adult content” within users’ tweets “provided that [users] mark this media as sensitive”. Reddit permits NSFW text and media so long as it is marked. Discord has a similar policy of allowing NSFW media in channels so long as those channels are marked. What makes it different? Is Apple going to demand that Reddit and Twitter also prohibit accessing NSFW media from within those companies’ iOS apps?

This is nothing like the Parler situation. Parler and Gab have little to no moderation of their platforms, so they are not compliant with the App Store rules. That is understandable to me; you may disagree with that policy, but it is at least a written policy. But Discord, Reddit, and Twitter all attempt to moderate their platforms to varying degrees of success. What makes Discord different?

The Trust Gap Between Journalists and Companies Is Widening, as Is the Reporter-Public Relations Gap

Jim Prosser of Edelman:

As I see it, there are three distinct structural shifts happening that both explain and give merit to a shift in emphasis toward businesses using their direct channels instead of relying on media coverage. Collectively, they have some profound implications for companies, communicators, and journalists.

[…]

Put simply, Americans on the whole trust business as an institution more than the press as an institution. That’s not conjecture. It’s backed by data.

[…]

There are far more stories businesses want to tell than there are reporters to tell them. How do we know that? Let’s look at U.S. Bureau of Labor Statistics data. In 2000, there were about two people working in public relations for every one working reporter in America. By 2019, that spread more than doubled to over five, driven by both an increase in PR jobs and a decrease in reporter jobs. By 2029, BLS projects the spread will keep expanding to over six.

I found this post illuminating and alarming. A collective trust in business marketing — or “storytelling”, as Prosser puts it — over good journalism means that more credence is given to media that has an inherent conflict of interest over that which, ostensibly, does not.

A common retort to this is that media outlets have, for years, degraded their own trust. CNN spends hours a day broadcasting talking head shouting matches; entire books have been dedicated to the inadequacies of the New York Times; Fox News is Fox News. This is not a U.S.-exclusive phenomenon: trust in the media, scientists, and academics has fallen in Canada, too.

But this trust gap is almost inherently unfair. When companies screw up, they barely flinch. Consider that, as of last year, 71% of Americans surveyed have a favourable opinion of Facebook. This is after years of behaviour that should have destroyed its reputation.

Media, on the other hand, operates within far tighter margins of trust. Brooke Gladstone, writing for the New York Times in 2015:

Americans say they want accuracy and impartiality, but the polls suggest that, actually, most of us are seeking affirmation. Americans want the news to be patriotic, which explains the big drop in 2004 when stories abounded about Abu Ghraib, the 9/11 commission’s slam on the government’s handling of terrorism, and the Senate Intelligence Committee finding that the White House “overstated” the threat of weapons of mass destruction. Plus, it was an election year. Trust in news media always dips in election years.

We tend to trust media that reflects our own views, and inherently distrust outlets that do not. Companies are perceived to be more neutral; the view that they are only interested in the bottom line is both cynical and perceived as more trustworthy than journalism. I think this is false, but it is what surveys suggest. Prosser makes several suggestions in this article about how media can improve reader trust — many of which have been made before — but I do not think they will be effective. For example, here’s one idea:

While the means of news distribution have changed starkly over the previous decade, news presentation online remains largely the same: text with occasional links and photos, sometimes video, presented in a format that basically tracks the print experience. There’s a meaningful opportunity here to look at means of presenting stories that reinforce trust: presenting primary source documents in line instead of just writing in reference to them, detailing how a piece was sourced in ways people understand […]

“Present primary sources” sounds like a slam-dunk, right? If a publication has documentation of something and shows it, the story should speak for itself. But this has mixed results. In 2004, records supposedly denigrating George W. Bush’s military service were shown to be created in Microsoft Word because those documents were available. On the other hand, even after a full summary was released by the White House of a call between then-U.S. president Donald Trump and Ukraine president Volodymyr Zelensky, less than half of Republicans believed news reports about the substance of the call. I am sure you can find plenty of similar examples from different political parties and orientations; these are my own biases.

One positive note that I found while researching for this: Canadians are more trusting of local media, as are Americans (PDF).

Spotify Continues to Remove Episodes of Joe Rogan’s Podcast

Paul Resnikoff, Digital Music News:

Just last week, Digital Music News first reported that 40 different Joe Rogan Experience podcast episodes were found missing from Spotify, now the exclusive platform for the show. Now, that number has quickly grown to 42, with potentially more shows quietly getting removed from the catalog.

Among the newly-missing is an episode (#411) with Bulletproof Coffee founder Dave Asprey, a frequent guest on The Joe Rogan Experience. Strangely, Spotify has deleted three total episodes with Asprey for reasons that aren’t entirely clear.

You may remember Asprey from his many years of bullshit.

It is worth reading this article alongside something like Ben Thompson’s piece about sovereign writers, and considering the balance of editorial control and independence against guaranteed income.

I am not a fan of Rogan’s podcast; I think it sounds like if you grafted a mouth onto a lifted Dodge Ram covered in Punisher decals. I also think that it is probably a good thing for the world that Spotify can exercise some control over a popular but obsequious host. But I have to wonder how comfortable Rogan is with sharing his fame with Spotify while letting it meddle with his show. Spotify surely benefits from the exclusivity of his show and being associated with one of the world’s most popular podcasts; Rogan benefits because he is a hundred million dollars richer, which is a galling amount of money for Joe Rogan’s HGH and PCP power hour. Spotify apparently has little editorial control, but it now has control and responsibility over distributing an exclusive show that it paid, again, a hundred million dollars for. Rogan’s name may be on the show, but it is Spotify’s reputation that is on the line.

Private Exploit Marketplaces May Have Broad Security Benefits

Hey, remember that iPhone 5C that the U.S. government barely tried to crack before demanding Apple give them a back door, only to find a way in just one day before a related court hearing was to begin? It turns out that the company that they paid to crack it was not one of the usual suspects like Cellebrite or Grayshift.

Ellen Nakashima and Reed Albergotti, Washington Post:

The iPhone used by a terrorist in the San Bernardino shooting was unlocked by a small Australian hacking firm in 2016, ending a momentous standoff between the U.S. government and the tech titan Apple.

Azimuth Security, a publicity-shy company that says it sells its cyber wares only to democratic governments, secretly crafted the solution the FBI used to gain access to the device, according to several people familiar with the matter. The iPhone was used by one of two shooters whose December 2015 attack left more than a dozen people dead.

[…]

Apple has a tense relationship with security research firms. Wilder said the company believes researchers should disclose all vulnerabilities to Apple so that the company can more quickly fix them. Doing so would help preserve its reputation as having secure devices.

What a bizarre turn of phrase. It would help it “preserve its reputation as having secure devices” because it really would help improve the security of its devices for all users, in much the same way that telling a fire department that there is a fire nearby would help a building’s reputation as a fire-free zone.

Thanks to this report, we now know some of the backstory of how the 5C came to be cracked without Apple’s intervention, and Nakashima and Albergotti confirm why the FBI was so eager to take Apple to court for this specific case:

Months of effort to find a way to unlock the phone were unsuccessful. But Justice Department and FBI leaders, including Director James B. Comey, believed Apple could help and should be legally compelled to try. And Justice Department officials felt this case — in which a dead terrorist’s phone might have clues to prevent another attack — provided the most compelling grounds to date to win a favorable court precedent.

It was not “months of effort”; according to a Department of Justice report, the FBI spent a few hours actively trying to figure out how to crack the device. But if it was not perfectly clear before, it is now: this was the model case for getting a law enforcement back door in encryption because it involved a terrorist. The next time the FBI brought this up, it was because of another terrorist attack. In both cases, the iPhones were able to be cracked without Apple’s intervention.

Most of all, this report adds one more data point to the debate over the ethics of the zero-day market. If Azimuth had reported the vulnerabilities it exploited in cracking this iPhone — including a critical one reportedly found well before this terrorist attack occurred — Apple could have patched it and improved the security of its devices. However, if third parties were unable to find an adequate exploit, a court may have compelled Apple to write a version of iOS that would give law enforcement an easier time breaking into this iPhone. Once that precedent is set, it cannot be un-set.

Katie Moussouris of Luta Security on Twitter:

Selling exploits to law enforcement removes their plausible cause to petition courts to order Apple & others to self-sabotage security of all customers.

Azimuth’s exploit sale saved us all from a mandated back door then, & the court precedent that would force backdoors elsewhere.

I’m midway through Kim Zetter’s excellent “Countdown to Zero Day”. One of the chapters is dedicated to exactly this question in the context of Stuxnet: how much responsibility do security researchers have to report critical security problems to vendors? An auxiliary question some specific vendors, like Microsoft, may face is what their obligation is for patching vulnerabilities that may be currently exploited by friendly governments in their intelligence efforts. That is something Google’s Project Zero wrestled with recently.

In the case of this iPhone, it seems like the private exploit marketplace helped avoid a difficult trial that may have, in effect, resulted in weakened encryption. But it is a marketplace that creates clear risks: platform vendors cannot patch software they do not know is vulnerable; there is little control over the ultimate recipient of a purchased exploit, despite what companies like Azimuth say about their due diligence; and these marketplaces operate with little oversight.

It does seem likely that this market perhaps provides some security benefit to us all. So long as bug bounty programs continue to pay well and there are true white hat researchers, vulnerabilities will continue to be found, responsibly disclosed, and patched. If it manages to avert mandatory back doors or other weakening that at least seven countries’ governments are demanding, it may be to our benefit.

I do not like that idea, but I like the apparent alternatives — anything requiring deliberate flaws in encryption — a whole lot less. In a better world, I would rather these exploits be reported immediately to platform vendors. But the lid for this particular Pandora’s Box has long been lost.

End Trends

Charlie Warzel, in the first edition of his new newsletter Galaxy Brain:

The entire phenomenon of “Twitter’s Main Character” functions as a master class in context collapse. Many Very Online Users approach this daily ritual as something between high school cafeteria gossip time and one of those Rage Rooms where you pay money to break things with a hammer. But what’s really happening is thousands of strong individual online identities colliding against each other. In Hunt’s case, it was horror and sci-fi fans and film buffs who felt it was important to weigh in as a way to maintain their particular identities.

[…]

Twitter’s Trending Topics seem only to exacerbate the site’s worst tendencies, often by highlighting the day’s (frequently trollish or bigoted) main character and increasing the opportunities for context collapse. And of course, none of this is new. For years, Twitter let Trending Topics devolve into a cesspool of misinformation. Conspiracy theorists and trolls have hijacked hashtags and manipulated trending topics to sow confusion and inject dangerous ideas into mainstream discourse.

You cannot escape the cloud of radioactive waste emanating from Twitter’s trending list even if you try. For one, the structure of Twitter’s website makes it difficult to hide the list of trends.[1] It is far easier, not to mention much nicer, to use a Twitter client like Tweetbot or Twitterrific, where the list of trending topics is buried in some part of the app you never have to touch.

But everybody else is seeing those trends and piling on. Most people use Twitter through its website or official apps, all of which push trending topics to the foreground, so they all get a full menu of today’s main characters from which they can choose which outrage to weigh in on. You know those rules of thumb about breaking news stories? Trending topics on Twitter are like the pure concentrated version of what happens when those rules are ignored.


  1. I had some luck by adding #react-root section[aria-labelledby^="accessible-list"] div[role="link"] { display: none !important; } to my Safari.css file, but it seems fragile and likely to break. Nothing in Twitter’s website is named semantically. The markup looks like it was written by people who do not care. I bet they do, though, and have no say in how this thing is built.

Apple’s ‘Spring Loaded’ Event Is April 20

Apple’s spring events have been interesting as of late. On the surface, they seem to be a bit of a grab-bag. With WWDC creating the perfect venue for operating system updates and Mac hardware, and the autumn events used to introduce flagship iPhone and Apple Watch hardware, the spring event often feels like an appetizer round to the year’s main courses.

But last year’s springtime products, announced by press release, included the iPhone SE, iPad Pro and Magic Keyboard, and a MacBook Air bump; the year before, it was the services event, a couple of iPad models, an iMac bump, and the second-generation AirPods. These product categories are not on the margins of Apple’s business, but they are also not the headliners, so these product launches are not seen by some in the tech press as having the same gravitas as others throughout the year.

Anyway, Tuesday, usual time. Expect iPad Pros.

Spotify Announces Car Thing

Ashley Carman, the Verge:

Spotify’s first gadget has landed. Car Thing, a Spotify-only, voice-controlled device for the car, is launching today in limited quantities to invited users. It’s a dedicated, Bluetooth-connected device for controlling Spotify without the need for a phone screen, which seems to be meant for people who drive older cars without built-in infotainment systems or phone connections.

It is called “Car Thing”. How terrific is that? I don’t even care that it is, according to Carman, not a particularly great product. It is called “Car Thing”. That is a slam-dunk.

Bloomberg: Apple Is Working on a New TV Product With HomePod and Videoconferencing Capabilities

Mark Gurman, Bloomberg:

The company is working on a product that would combine an Apple TV set-top box with a HomePod speaker and include a camera for video conferencing through a connected TV and other smart-home functions, according to people familiar with the matter, who asked not to be identified discussing internal matters.

Gurman says that this product is “still in the early stages” which, if you want to be a bit cynical, gives this report enough wiggle room to never pan out.

But it is intriguing, isn’t it? I know that it is something I would have loved to own this past year. Over Christmastime, I used AirPlay to place a FaceTime window onto the television and set my MacBook Air on the coffee table so that we could spend time with family in a more immersive way. It was a pretty nice, albeit janky, setup.

The obvious question about something like this is where a camera would be mounted, given that some people probably do not put their Apple TV out in the open or adjacent to their television screen. The other question is whether we can expect a new remote, something that for years I have been hearing is in the works, yet somehow never arrives. The Apple TV appears to be on the development cycle usually reserved for new kinds of water.

Logitech Discontinues Its Harmony Universal Remote Control Line

Ben Patterson, TechHive:

Well, the other shoe finally dropped. After years of speculation about the fate of its Harmony line of universal remotes, Logitech has announced that it will stop making the devices effective immediately.

In a post on its support site, Logitech said that its remaining stock of Harmony remotes will continue to be available through retail channels until stocks run out, and that it will continue to support the remote for the foreseeable future.

If you have older A/V equipment, this is probably frustrating. Harmony, acquired by Logitech in 2004, dominated the market on universal remote controls for years, and also provides home automation stuff. Its more recent models require a server-side infrastructure, not just IR programming, so when Logitech decides to shut that system down, those remotes will likely stop working. According to Jason Knott at CEPro, support will be offered “in perpetuity”, but I doubt that. I give it a few years.

So, this is certainly a difficult situation for those who own Logitech’s Harmony hardware and have relied upon it for years. But Matt Stoller has a bad take on it that I would also like to address:

Logitech’s products are pretty, but the actual quality of the software is terrible, which is the classic sign of a marketing-driven organization run by lazy executives. Logitech is a monopolist in the universal remote control space, which it acquired in 2004 when it purchased a firm called Harmony. “Their market dominance has been ironclad because of their database: they have infrared codes for hundreds of thousands of devices, from brand-name TVs to random HDMI doodads on page fourteen of Amazon. For obvious reasons, they haven’t open-sourced this database.”

I say ‘was’ because Logitech is actually killing the entire product line now. Their CEO says it is because of competition from streaming, but that’s nonsense, they’ve wanted to get rid of the product line since 2013. As my source says, “if Harmony were its own company, I highly doubt they’d decide to shut down due to abject hopelessness.” Now the database will probably be destroyed, and people will have to redesign their systems to no longer include a universal remote. There’s also a security issue. :Since much of the Harmony software is cloud-based, countless systems may become inoperable, or impossible to update as new devices (e.g. the PS5) aren’t added to the database, or else vulnerable to hacking as security issues go unpatched.”

The punctuation in this excerpt is unclear, so I am unsure whether the “database being destroyed” claim is Stoller’s or his source’s. I think the colon in front of “since” was supposed to be an opening quotation mark. Nevertheless, the impression Stoller leaves is that this is the end of universal remote controls generally because Logitech is closing down its monopoly — and that is simply false on several levels.

To be fair, I am not a universal remotes expert by any means. I do have a couple of salient counterpoints that, I feel, undercut Stoller’s dramatic reading.

For one, there are many other companies that maintain databases of IR remote control codes, not just Logitech, so those codes are not disappearing off the face of the planet just because Harmony is going away. Some of those databases are also open to the public, like this one on GitHub. There are also some other universal options that, like those from Logitech, have those codes in a database and do not require individual programming — Logitech’s Harmony line seems to be the default pick among buyers’ guides, but Joanna Stern’s choice was the Ray Super Remote and TechHive likes a Caavo model. Most importantly, the universal control problem is slowly fading as HDMI CEC becomes more widely used and different remotes can be used with different equipment.

I do not have some sort of wild home theatre setup so a universal remote has never felt justified to me. The market does seem to have been dominated by Logitech’s products, but it is unclear why that is the case. It is not as though there are no other companies that produce universal remotes that work with audio-visual products from a bunch of different manufacturers, as well as smart home gadgets and streaming boxes. But while Logitech has firmly dominated the market for fifteen years and its absence will surely leave a void, that does not make Stoller’s take any more accurate.

Update: I have heard from a few people about their terrible experiences with CEC, and I feel compelled to half-correct half-clarify my remarks above. The correction is that CEC is not itself a driving force for why universal remotes are becoming less relevant. Smart TVs are a far bigger influence on that market.

For clarity, I also want to separate what CEC promises from what it is currently delivering. CEC seems to be a minefield of problems right now, and it is unclear that it will get better. But it does not seem inherently problematic by design. Its implementation is, from what I have read, all over the place, which makes it unreliable and kind of a crapshoot. So, in theory, CEC is a fine standard that, for many people, should eliminate the need for a Harmony remote; in practice so far, it is a small nightmare.

Ad Attribution Gives False Hope

I read these two stories from the Wall Street Journal today, back to back, and I think that is how you should also read them. You may be able to find these in Apple News Plus, but I also recommend checking out your local public library’s website — many will have a way of accessing paywalled newspapers like the Journal.

First, Christopher Mims reports on the impact felt by business owners as Facebook makes changes to its advertising attribution in advance of iOS 14.5:

Before, even the smallest business could throw as little as a hundred bucks at a tiny ad campaign on Facebook or Instagram, and get detailed and immediate feedback. Now they will have to spend substantially more — thousands of dollars at least — to show their ads to a larger audience, because the targeting will be less precise, says Christian Lovrecich, founder of PixlFeed Media, an e-commerce marketing agency.

[…]

“Even though in the short term this is probably not a great thing for small and medium-size businesses, in the long term it’s probably for the best,” says Solo Stove’s Mr. Merris. He expects innovators to find ways to build “wonderful personalized experiences that generate good return on investment, while getting around some of these hotter topics like data collection.”

There is little proof that greater perceived precision in targeting and attribution leads to lower spending or improved results.

Gilad Edelman, Wired:

Meanwhile, the ability to track users wherever they go tends to shift ad revenue from higher quality sites to less reputable ones. “The way the adtech system works is, it follows the reader from Wired.com all the way down to the cheapest possible place, the basement bottom-feeders on the internet, and will serve you the ads there,” explained Nandini Jammi, a former product marketer and co-founder of Sleeping Giants, which pressures brands not to advertise on sites that promote hate or bigotry. Jammi pointed me to worldlifestyle.com, whose homepage features a random jumble of years-old articles on celebrities, self-help, and cute animals. It’s a content farm: a site designed not for human eyes, but to make money by harvesting ad clicks from bots.

[…]

Many small businesses, especially direct-to-consumer, do use behavioral ads to build their customer base. David Heinemeier Hansson told me his company, Basecamp, had success with a Facebook ad campaign in 2017. “Compared to everything else we did online, they were the most effective,” he said. “Targeted advertising works.” (Hansson added that he gave up on Facebook advertising anyway because he finds it objectionable.)

And yet, if behavioral advertising were such a boon to entrepreneurship, you might expect it to have spurred a wave of startup growth. Even more than a decade since the recession, though, both the startup rate and the share of Americans working for small businesses are at historic lows—in large part thanks to the rise of monopolistic companies like Facebook and Google, according to many experts. Microtargeting might help some small enterprises get ahead, but that doesn’t mean it’s a boon overall. As with any business strategy, there are both winners and losers.

Ad tech companies love to put lots of numbers in front of customers because it gives the illusion of accuracy. The truth is that most of the numbers are fake. Ads are still targeted fairly imprecisely despite a wealth of user data — many of the ads I see are inexplicably in French — and they are not revenue goldmines. They are just the new standard and it will take some time to adjust. Merris, the primary individual profiled in Mims’ article, is right. This is going to be difficult for some people and businesses to adapt to, but it is the right thing to do.

Here’s the other Journal article I read, from Jeff Horwitz and Keach Hagey:

Google acknowledged in its responses that it had agreed to make “commercially reasonable efforts” to ensure that Facebook was able to identify 80% of mobile users and 60% of desktop users, excluding users of Apple’s Safari web browser, in ad auctions. The Texas complaint alleges that this activity appears “to allow Facebook to bid and win more often in auctions.”

Google further acknowledged in the filing that Jedi Blue required Facebook to spend $500 million or more in Google’s Ad Manager or AdMob auctions in the fourth year of the agreement, and that Facebook committed to making commercially reasonable efforts to win 10% of the auctions in which it had bids.

In reality, small businesses are handing over huge sums of money to Google and Facebook as they rig the online advertising market and scoop up unfathomable amounts of tracking information. The tracking is real; the targeting is hit-or-miss.

Keyboard Shortcuts in Many Web and Electron Apps Do Not Work Correctly With Non-ANSI Keyboard Layouts

Speaking of bad keyboard shortcuts, here’s Thomas Kainrad (via Michael Tsai) explaining how web apps from big-name tech companies are not fully compatible with his German keyboard layout:

This is most annoying when the most important keyboard shortcuts are inaccessible. A very common shortcut is / for accessing search functionality. Unfortunately, there is no /-key on most international layouts. Adding modifiers to produce this key with your layout rarely helps. For example, on my German layout, / is produced via Shift+7. Most web applications will ignore this. Similarly painful is when Electron apps use [ and ] for navigating backwards and forwards.

[…]

I want to be clear, broken keyboard shortcuts are not a law of nature. It is possible to implement web application shortcuts so that they can be typed with any layout. It shouldn’t be an excuse that even some of the most popular apps do not get it right.

Kainrad focuses on web applications partly because of how popular they are and partly because of their often flawed interpretation of key presses.
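The contrast Kainrad describes, as an added example that is not code from his post or from any of the apps mentioned: one handler keyed to the physical key position, and one keyed to the character the active layout produced. The function names, the binding shape and the sample events are constructed for illustration.

```javascript
// Added example; function names and the binding shape are hypothetical.

// Layout-dependent: KeyboardEvent.code names a physical key position, so
// "Slash" only matches where a US layout has its / key, and the modifier
// test rejects the Shift or Option another layout needs for the character.
function matchesByPosition(event, code) {
  return event.code === code &&
    !event.shiftKey && !event.altKey && !event.ctrlKey && !event.metaKey;
}

// Layout-tolerant: compare the character the active layout produced.
// Shift and Alt/Option are ignored because they may be part of typing it.
function matchesByCharacter(event, binding) {
  if (event.isComposing || event.key !== binding.key) return false;
  // On Windows, AltGr is reported as Ctrl+Alt; do not treat that as Ctrl.
  const altGr = typeof event.getModifierState === 'function' &&
    event.getModifierState('AltGraph');
  const ctrl = Boolean(event.ctrlKey) && !altGr;
  return ctrl === Boolean(binding.ctrl) &&
    Boolean(event.metaKey) === Boolean(binding.meta);
}

// Character shortcuts must not fire while the user is typing text.
function isEditableTarget(target) {
  if (!target) return false;
  return Boolean(target.isContentEditable) ||
    ['INPUT', 'TEXTAREA', 'SELECT'].includes(target.tagName);
}

// Returns the name of the first binding the event triggers, or null.
function resolveShortcut(event, bindings) {
  if (isEditableTarget(event.target)) return null;
  const hit = bindings.find((b) => matchesByCharacter(event, b));
  return hit ? hit.name : null;
}

const BINDINGS = [
  { name: 'search', key: '/' },
  { name: 'back', key: '[' },
  { name: 'forward', key: ']' },
];

// Constructed keydown events (plain objects standing in for KeyboardEvent).
const SAMPLES = {
  usSlash: { key: '/', code: 'Slash' },
  deShift7: { key: '/', code: 'Digit7', shiftKey: true },
  deMacOption5: { key: '[', code: 'Digit5', altKey: true },
  deWinAltGr8: { key: '[', code: 'Digit8', ctrlKey: true, altKey: true,
    getModifierState: (m) => m === 'AltGraph' },
  dePlain7: { key: '7', code: 'Digit7' },
  usCtrlSlash: { key: '/', code: 'Slash', ctrlKey: true },
  typingInInput: { key: '/', code: 'Slash', target: { tagName: 'INPUT' } },
};

// In a page: document.addEventListener('keydown', (e) => {
//   const name = resolveShortcut(e, BINDINGS); if (name) e.preventDefault(); });
```

The editable-target guard matters more once matching is done by character, because the same keystrokes are then ordinary typing inside a text field.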

I do not understand why so many Electron apps, in particular, have invented their own shortcuts instead of doing their best to copy the system defaults. Most MacOS shortcuts are a combination of modifier keys and letters of the alphabet. But Apple is not perfect, either: the German version of that page indicates that the shortcut for showing and hiding the status bar in Finder windows, for example, is Command+/.

As I was digging around on this topic, I found a bunch of threads from German and Swiss German and French and Croatian Mac users who found some of the universal keyboard shortcuts difficult or impossible to type without fully switching layouts. But I also found an excellent eight-year-old post from Daniel Hoelbling-Inzko with a keyboard layout file that can be used with Ukelele to remap keys on the fly. I have not tried it myself but I am hopeful it might help those with non-U.S. keyboards switch layouts more easily.

Apple Keeps iMessage Exclusive to Its Products Because It Is an Effective Differentiator

In a court filing from Epic in support of its lawsuit against Apple, many Apple executives are on the record in emails stating the obvious: iMessage is not offered on non-Apple platforms because it is a compelling exclusive feature. For some reason, this is being seen as a shocking admission.

Sam Rutherford, Gizmodo:

In one quote dating back to 2013, Eddy Cue — who is now Apple’s senior vice president for internet software and services — said that Apple “could have made a version [of iMessage] on Android that worked with iOS,” providing the possibility that “users of both platforms would have been able to exchange messages with one another seamlessly.”

Sadly, it seems multiple Apple execs were concerned that doing so would make it too easy for iPhone owners to leave the Apple ecosystem, with Apple’s senior vice president of software engineering, Craig Federighi, having said, “iMessage on Android would simply serve to remove [an] obstacle to iPhone families giving their kids Android phones” — a sentiment Epic’s brief says was also shared by Phil Schiller, who back then was in charge of overseeing Apple’s App Store.

[…]

Unfortunately, while these testimonies seem to be pretty damning for Apple, it’s unclear if these revelations will force Apple to reconsider porting iMessage over to Android in the future. But at least now we know for sure why it never happened before.

It is worth pointing out that the “lock-in” described by Apple executives is not a literal lock preventing users from switching to another platform, nor is iMessage mandatory. You can stick to SMS on an iPhone if you want, and you can disconnect from iMessage if you do not want to use it.1

So how is this “damning”, exactly? Plenty of companies offer exclusive features that make it emotionally difficult to choose a different platform, while also having disadvantages. Google can show off the wide selection of phones that run Android, but Apple has made a choice to keep iOS to its own hardware, so it cannot make the same sales pitch. Conversely, Google cannot market the chaos of messaging apps on Android as an advantage, but Apple can show that iMessage is simple, works spectacularly, and requires no configuration.

This isn’t even new information. After WWDC 2016, Walt Mossberg asked Apple about the same topic:

When I asked a senior Apple executive why iMessage wasn’t being expanded to other platforms, he gave two answers. First, he said, Apple considers its own user base of one billion active devices big enough to provide a large enough data set for any possible AI learning the company is working on. And second, having a superior messaging platform that only worked on Apple devices would help sales of those devices — the company’s classic (and successful) rationale for years.

Is iMessage a compelling reason to buy more stuff from Apple? Sure — depending on where you live and how attached you are to other devices. But I fail to see the evil in a differentiating service or feature.


  1. I know there have been problems with Apple’s disconnecting tool. I do not think it is a case of Apple making things deliberately difficult. It is incompetence, if anything, which is not nefarious but also not an excuse. This service should be entirely reliable.

Wix Is Running a Bizarre Ad Campaign Mocking WordPress

Matt Mullenweg:

Wix, the website builder company you may remember from stealing WordPress code and lying about it, has now decided the best way to gain relevance is attacking the open source WordPress community in a bizarre set of ads. They can’t even come up with original concepts for attack ads, and have tried to rip off Apple’s Mac vs PC ads, but tastelessly personify the WordPress community as an absent, drunken father in a therapy session. 🤔

[…]

Wix is a for-profit company with a valuation that peaked at around 20 billion dollars, and whose business model is getting customers to pay more and more every year and making it difficult to leave or get a refund. (Don’t take my word for it, look at their investor presentations.) They are so insecure that they are also the only website creator I’m aware of that doesn’t allow you to export your content, so they’re like a roach motel where you can check in but never check out. Once you buy into their proprietary stack you’re locked in, which even their support documentation admits.

Much like those recent Intel ads that also parody the Mac vs. PC campaign, Wix’s ads do not make much sense if you give them even a little extra thought. Take the one where a low-budget Bryan Cranston, playing the part of WordPress, collapses to the floor under the weight of forgotten maintenance and implores the site owner to switch to Wix. Sounds promising, except it is comparing a self-hosted software package to a managed platform, so it is not honest. Maintenance is not inherent to WordPress and, if you would prefer not to deal with it, there are managed options available through Automattic and many third-party providers.

If these ads are merely comparing the ease of a managed platform against something self-hosted, there’s no shortage of those, either. Squarespace is a pretty good choice, Shopify is terrific for commerce, and I have heard good things about Webflow. But the advantage of all of those — and WordPress.com — is that they let you take your website with you if you would like to switch to another platform. Wix does not.

I am not sure what these mean-spirited ads are supposed to achieve, but they do not make me want to recommend Wix to anyone. Quite the opposite. Other platforms are for nice people.

Third-Party Accessories Can Now Use Apple’s ‘Find My’ Network

Apple:

Apple today introduced the updated Find My app, allowing third-party products to use the private and secure finding capabilities of Apple’s Find My network, which comprises hundreds of millions of Apple devices. The Find My network accessory program opens up the vast and global Find My network to third-party device manufacturers to build products utilizing the service, so their customers can use the Find My app to locate and keep track of the important items in their lives. New products that work with the Find My app from Belkin, Chipolo, and VanMoof will be available beginning next week.

Belkin’s first product compatible with Find My is a set of wireless earbuds; the Chipolo product is a small tag you can attach to luggage or key rings. Sure seems like there is plenty of room for first-party versions of both.

Perhaps the most notable omission from this list of participants is Tile, but it should not be surprising that it is not in the program. For one, it is a member of the Coalition for App Fairness, a group of developers putting pressure on lawmakers to regulate app marketplaces because of Apple’s policies. For another, Tile has accused Apple of illegal anticompetitive practices by asking users to confirm background location tracking.

But the biggest hangup Tile faces is that the Find My spec is intentionally restrictive on privacy grounds. Rene Ritchie posted a few of the privacy considerations on Twitter today, but there was more information in the draft documentation released last summer. More relevant to Tile is that the spec prohibited locator devices from using Apple’s Find My network and a third-party network. Tile has its own network, so it would have to choose — or let users choose — whether specific tags are synced to Find My or to Tile’s network, not both. The spec is now locked away as part of Apple’s MFi program, so I cannot see the latest version, but I do not imagine this rule has changed.

Also, the badge in the photo of the VanMoof bike in Apple’s press release — the one that reads “Locate with Apple Find My” — is so much nicer than the MFi badge for packaging.

Movie Studios Know Streaming Service Exclusivity Is Untenable for Audiences

Katharine Trendacosta of the Electronic Frontier Foundation:

Instead of building better services — faster internet access, better interfaces, better content — the model is all based on exclusive control. Many Americans don’t have a choice in their broadband provider, a monopoly ISPs jealously guard rather than building a service so good we’d pick it on purpose. Instead of choosing the streaming service with the best price or library or interface, we have to pay all of them. Our old favorites are locked down, so we can’t access everything in one place anymore. New things set in our favorite worlds are likewise locked down to certain services, and sometimes even to certain devices. And creators we like? Also locked into exclusive contracts at certain services.

And the thing is, we know from history that this isn’t what consumers want. We know from the ’30s and ’40s that this kind of vertical integration is not good for creativity or for audiences. We know from the recent past that convenient, reasonably-priced, and legal internet services are what users want and will use. So we very much know that this system is untenable and anticompetitive, that it can encourage copyright infringement and drives the growth of reactionary draconian copyright laws that hurt innovators and independent creators. We also know what works.

The golden age of streaming really is behind us. But if movie studios come to their senses, there could be a renaissance of appreciation for streaming services, replacing the exhaustion of yet another monthly charge on our credit card bill.

Facebook Isn’t Sorry for Letting Someone Steal Personal Details of Half a Billion Users

Elizabeth Culliford, Reuters:

Facebook Inc did not notify the more than 530 million users whose details were obtained through the misuse of a feature before 2019 and recently made public in a database, and does not currently have plans to do so, a company spokesman said on Wednesday.

[…]

The Facebook spokesman said the social media company was not confident it had full visibility on which users would need to be notified. He said it also took into account that users could not fix the issue and that the data was publicly available in deciding not to notify users. Facebook has said it plugged the hole after identifying the problem at the time.

Graham Cluley:

Nowhere in Facebook’s post will you find the word “sorry.” Nowhere in Facebook’s post will you see an apology.

So I can assume that Facebook isn’t sorry. It doesn’t even say that it’s going to contact the half a billion users who have had their details leaked onto the internet – not because of the users’ own fault, but because of Facebook’s incompetence and lack of care.

There has been plenty of reporting around this latest data dump, but Facebook’s repeated breaches of security and user trust should not be so easily dismissed by the company. It is mostly treating this as a public relations problem that will blow over, which is unconscionable.

Google’s Primary Apps Now Feature Privacy Labels

Taha Broach, the 8-Bit:

After an almost four-month-long wait, Google has updated the App Store pages of all of its popular apps with Apple’s Privacy Nutrition labels. This news comes as reports suggest Google might be preparing its own privacy nutrition labels for individual app pages on the Play Store.

Today, Google updated the App Store page of its last popular app — Google Photos — to reflect the app’s tracking practices to users who are about to download the app.

At the beginning of January, Google said that it would be rolling these out “this week or the next week”. It’s pretty embarrassing that it took one of the world’s most valuable companies until the second week of April to tick more-or-less every box for the personally-linked data it collects.