Ultimately, that’s the beauty of the hardcore shirt. If you want a specific design, you’re likely going to find it through somebody who posts it somewhere like eBay or if one of the couple of good bootleggers like Justified Arrogance decides to print some up. The demand for these shirts will likely always be online, a place for the people that really want them, the maybe 20 thousand or so that follow Life. Love. Shirts. Maybe a vintage hardcore shirt or two will sneak through into the mainstream, like when Rihanna wore a vintage Nemesis Records “End Racism” shirt in a Harper’s Bazaar spread and sent eBay buyers scouring the net and spending big money on the first one they could find. Or, maybe, like with artists connected to the early punk and hardcore scenes like Gary Panter or Raymond Pettibon —the artists behind the Screamers and Black Flag logos, respectively — some of the artists who drew album art or the logos for bands like Earth Crisis or Racetraitor will grow in stature, capturing the attention of the worlds of art and fashion.
Boundless respect and admiration for the internet’s ability to connect people of niche interests for decades. I love this story.
Microsoft Office documents with malicious macros — often called “maldocs” — have resurged as a vector to infect systems, growing in the last half of 2020 to account for more than a third of malicious attachments and, at one point in September 2020, accounting for almost 80% of malicious attachments, according to data from Sophos.
Macros have had a long history of use by attackers, with many early viruses and worms — including the Melissa virus — using Office documents with malicious macros to spread. Both Microsoft Word documents and Excel spreadsheets are equally popular among attackers, and modern cybercrime services allow attackers to easily create maldocs. Some macros even allow attacks on the MacOS.
As I was writing earlier today about Safari’s slow development cycle compared to Chrome’s rapid introduction of APIs that pose new security and privacy risks, I remembered that we have been down this road before.
Microsoft Office, like the web, began purely as a document-based medium. But through features like macros, it became practical to create programs within Word documents and Excel spreadsheets. That opened up automation possibilities. It also created one of the most frequently-used exploit vectors on Windows. Microsoft has spent decades trying to improve security but, ultimately, individual users often find themselves as the ill-equipped defence against these attacks:
Overall, security awareness training may be the best way to harden the workforce against running macros. Microsoft has already added warnings by default to any attempt to run unsigned macros, but users can still accept macros and run them.
“Maybe we could see a shift in the industry or a shift in the use of it. We could really demand an alternative,” [Kilian Englert of Varonis] says. “Mistakes happen, and we shouldn’t ascribe blame to the end user. It is our job as security professionals to give them the best defenses that we can and then have tools to defend them.”
We ought to learn from these mistakes, not repeat them.
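The quoted article notes that Office warns on unsigned macros by default but still lets the user click through. The following PowerShell audit, added here and not part of the original post or of any Microsoft tooling, reports which macro policy is in force for Word, Excel and PowerPoint and whether an unsigned macro is still one click away from running. It assumes Office 2016 or later (the 16.0 registry hive); the VBAWarnings and BlockContentExecutionFromInternet value names are Microsoft's documented Office security policy settings.

```powershell
# Added example: audit the Office VBA macro policy per application.
# Assumes Office 2016+ (16.0 hive). Policy keys (set by Group Policy) take
# precedence over the user's own Trust Center choice; absence of both means
# the product default (2 = "disable with notification").
$meaning = @{
    1 = 'Enable all macros (no warning at all)'
    2 = 'Disable with notification (default: one click runs an unsigned macro)'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-MacroPolicy {
    param([Parameter(Mandatory)][string]$App)

    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"
    $userKey   = "HKCU:\Software\Microsoft\Office\16.0\$App\Security"

    # Prefer the policy value; fall back to the user's Trust Center setting.
    $warn   = (Get-ItemProperty -Path $policyKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    $source = 'policy'
    if ($null -eq $warn) {
        $warn   = (Get-ItemProperty -Path $userKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $source = 'user'
    }
    if ($null -eq $warn) { $warn = 2; $source = 'default' }

    # Separate policy: block macros in files carrying the Mark of the Web,
    # i.e. documents that arrived by download or e-mail attachment.
    $motw = (Get-ItemProperty -Path $policyKey -Name BlockContentExecutionFromInternet -ErrorAction SilentlyContinue).BlockContentExecutionFromInternet

    [pscustomobject]@{
        Application            = $App
        VBAWarnings            = [int]$warn
        Meaning                = $meaning[[int]$warn]
        Source                 = $source
        BlocksInternetMacros   = ($motw -eq 1)
        # Levels 1 and 2 both let an unsigned macro run after (at most) one click.
        UnsignedMacrosRunnable = ([int]$warn -le 2)
    }
}

'Word', 'Excel', 'PowerPoint' | ForEach-Object { Get-MacroPolicy -App $_ } | Format-Table -AutoSize
```

Any row showing UnsignedMacrosRunnable as True with BlocksInternetMacros False is a host where the warning described in the article is the only thing standing between a maldoc attachment and code execution.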
There’s a lot of history here. WebKit — being a part of Apple — plays it slow and a bit close to the chest. Historically, they’re pretty tight-lipped about the small number of features they’re working on and uninvolved in community outreach. Quarterly updates to Safari Technical Preview have been an awesome consolation prize, but after years of waiting I find my expectations for the annual release of Safari (specifically Mobile Safari) are intolerably low. This creates an increasing amount of apathy in me that the situation with Safari will get better soon.
These APIs, often proposed by the Chrome team, give browsers power to use bluetooth, write to local files, and sync content with servers in the background. For each of these, Safari and Firefox have signalled that they intend to ignore the API entirely, never implementing it, due to security, privacy & battery life concerns.
The development environment is also available as a native application. Good. That is a more appropriate way to distribute software packages, particularly those that interface with hardware accessories. There is nothing wrong with creating a separation between websites and applications, and there are risks inherent to mixing them.
For the new proposed APIs specifically, in the end they’ll either have to engage with Chrome’s proposals, or become incompatible with the growing part of the web that has, losing large portions of their userbase and their influence on standards along the way. There is no point in winning on principles if there are no users left.
I want to see a world where Apple, Mozilla, Microsoft and Brave are leading web standards, driving the web forwards with features that support new use cases and allow for exciting new products, but with care for user privacy, tracking-resistance and security embedded as first-class priorities.
Perry’s argument is sound: almost no users really care what web browser they are using, so the moment they are told they need to use Chrome to use something, that is probably where they will stay unless something else motivates them to change. That worries me. A web browser, at its core, should be a boring piece of software that frames documents. But today’s popular web browsers are built and distributed by companies that have motivation to undermine that simplicity.
The Chromium rendering engine is the dream of a developer who wishes for the web to be a sort of universal operating system. As Perry writes, it has the broadest API support. It underpins Google Chrome on all platforms, Microsoft’s Edge browser, and its forks power various other browsers; combined, according to Wikimedia’s statistics, these browsers are used by over half of all web users.
Chrome itself is dominant and, by default, it automatically updates whenever Google pushes out a new version. It means that one company in Mountain View, California has the power to change the web browsing experience for about half of all web users every month. That company also operates by far the biggest online advertising marketplace, the world’s most popular search engine, a video platform so commanding that it is synonymous with “online video”, the most popular website analytics software, the biggest email service, and the most popular operating system. One reason Chrome is so popular today is because Google has given it prime advertising space on its search engine for years. Google treats the web as one of its own operating systems because, in some ways, it kind of is.
Then there’s Safari which, on the desktop, is not particularly popular. But its unique position on iOS — where no other rendering engines are permitted — gives it a stick-in-the-mud reputation. Its slow development pace can be seen as protective against Google’s market position, as luddite, and as an anti-competitive tactic to force developers to go through the App Store. I am one of a seemingly small number of people who prefers this approach, even though it makes my life harder as a front-end developer. I do not think websites should be given the same amount of power on my computer as desktop apps, and this is a losing battle I will continue to fight.
Both Apple and Google have incentives beyond developing the best web browser possible for users. Apple has been slowly working for years to improve web apps on iOS and that work continues, but I doubt that web apps will ever achieve the same capabilities as native applications. Google’s incentives may have the knock-on effect of giving websites extraordinary abilities but, in the process, that has introduced security problems, plus privacy concerns that the company has only been too happy to take advantage of to solidify its position in the online targeted advertising space. Those conflicts of interest will, I think, always result in tension between privacy, security, capability, and development speed.
One more piece of evidence showing why tech duopolies are bad for consumers, no matter whether they are playing the role of an end user or a developer. But, on the bright side, it highlights that there is very little web without a web browser, so the companies that make the latter inherently control the former.
“Breakthrough Covid cases are on the rise among the vaccinated,” blares a headline on an NBC News article published Friday.
However, as the sub-headline points out, “The 125,682 ‘breakthrough’ cases in 38 states represent less than .08 percent of the 164.2 million-plus people fully vaccinated since January.”
Only about half of Americans are vaccinated against Covid-19, as federal, state, and local governments have struggled to convince large swaths of the public to get the shot. Yet, that is the headline NBC News chose.
I do not much like articles that are mostly collections of tweets, but it is both heartening and worrying to see the number of Twitter users doing a better job of contextualizing breakthrough cases than the press. Twitter is not designed for the nuance required to discuss a pandemic — that’s the job of news outlets, which have been casually minimizing the efficacy of vaccinations with headlines like those from NBC News and the Washington Post. This needs to stop.
A few years ago, Brushed Type released the excellent Doppler app for iPhone which, by focusing on local music libraries, has offered a delightful experience ever since. Well, now there’s a Mac version.
Doppler’s appeal runs deeper, though. There are plenty of music players you can point at a folder of files. What sets Doppler apart is its attention to delivering a top-notch listening experience in a reliable, great-looking package. I’d love to see Doppler adapted to the iPad too, and hopefully, syncing with Apple Music’s library will be out soon, but if you’re a music fan looking for a great playback experience for the music you own, Doppler is a must-try app.
If you’re like me and you still have a local music collection — and I think that is a pretty good idea — you owe it to yourself to give Doppler a try, if only for its exquisite album art finder. I found the overall experience very refined, especially for a first version, and I am excited to see its progress as more features take shape. Seven day trial and then just $25 USD.
Why did Bustle Digital Group want me to edit Gawker in the first place? Well, I was Gawker’s features editor from 2014 to 2015, before I was asked to leave because I live-tweeted a meeting during which Gawker founder Nick Denton hit his head on a lamp. From there I went on to be executive editor of The Outline, which was acquired by Bustle in 2019. Bustle immediately shut down The Outline when the pandemic started, for which I hold no ill will, because The Outline, while a very special site, made no money. I suppose my selling points as a potential editor-in-chief of Gawker were that I had previously worked at Gawker and Bustle and was unemployed. I was also willing to do it, which not many people can say. And I am a genius.
I am impressed that all of the old links appear to be working. There is a lot of history contained in URLs that begin with “gawker.com”. But this iteration of the website, as a product of Bustle Digital Group, uses the same deconstructed design language as Input and the Outline and Nylon and basically everything else BDG does. I think it spoils the bloggish appeal in the same way that the Onion became a bit less funny when it was migrated to the Kinja stack.
Yeah. It’s like any given the price is going to be wrong. So we’ll just adjust it over time, as we see if the value proposition makes sense to people. I’m not thinking about this a lot right now. We need to make full self-driving work in order for it to be a compelling value proposition.
Tesla has been selling this service for years now, and Elon is saying that for it to be a “compelling value,” the company will “need to make full self-driving work.”
That sure sounds like he’s saying that anyone who has already paid for FSD both does not yet have a system that works, and their purchase was not a “compelling value.”
It sounds to me like Tesla has been treating the ten thousand dollar self-driving option as a sort of Kickstarter for maybe, eventually, making its existing fleet of vehicles fully autonomous. But what happens if Tesla is unable to deliver these future features with the hardware it has sold under the promise of “Full Self-Driving Capability”? How many Tesla owners optioned it now with the hope that it will be compelling value in the future, instead of waiting for that time — when it will likely be more expensive?
Tesla’s approach to autonomous vehicles is full of contradictions. The company calls the feature “Full Self-Driving”, but a car optioned with it does not currently drive itself, and it may never do so. The company keeps raising the cost of the option, creating pressure on buyers to spec it now or risk a greater expense if and when Tesla can deliver the promised features, but Musk also says that the option is not yet “compelling”.
Google’s parent company flexed its digital dominance, reporting its highest quarter ever for sales and profit behind a gusher of online advertising from businesses vying for customers across reopened economies.
Other tech companies have benefited from a soaring digital ad market. Snap Inc. last week reported revenue more than doubled behind strong user growth, while Twitter Inc. reported sales surged 74% behind increased advertising.
Advertising revenue growth in the second quarter of 2021 was driven by a 47% year-over-year increase in the average price per ad and a 6% increase in the number of ads delivered. Similar to the second quarter, we expect that advertising revenue growth will be driven primarily by year-over-year advertising price increases during the rest of 2021.
Facebook Inc said on Wednesday it expects revenue growth to “decelerate significantly,” sending the social media giant’s shares down 3.5% in extended trading even as it reported strong ad sales.
Facebook said it expects Apple’s recent update to its iOS operating system to impact its ability to target ads and therefore ad revenue in the third quarter. The iPhone maker’s privacy changes make it harder for apps to track users and restrict advertisers from accessing valuable data for targeting ads.
Facebook said much the same thing in its earnings press release last quarter. Perhaps its advertising revenues will begin to be impacted by App Tracking Transparency after all, but it seems likely that the feature will benefit the online advertising duopoly. In this riskier climate, advertisers seem to be favouring the known quantities of Google and Facebook. I will repeat what I wrote in April:
As is often the case for stories about privacy changes — whether regulatory or at a platform level — much of the coverage about App Tracking Transparency has been centred around its potential effects on the giants of the industry: Amazon, Facebook, and Google. But this may actually have a greater impact on smaller ad tech companies and data brokers. That is fine; I have repeatedly highlighted the surreptitious danger of these companies that are not household names. But Facebook and Google can adapt and avoid major hits to their businesses because they are massive — and they may, as Zuckerberg said, do even better. They are certainly charging more for ads.
Privacy should not be something that users must buy, nor should its violation be a key selling point. Privacy is something that should be there, for all of us, regardless of the device we use, the websites we visit, or the ad tech networks we unknowingly interact with.
If you parked your car in one of the thousands of parking spots across Calgary, there’s a good chance you paid the Calgary Parking Authority for the privilege. But soon you might be hearing from the authority after a recent security lapse exposed the personal information of vehicle owners.
But a logging server used to monitor the authority’s parking system for bugs and errors was left on the internet without a password. The server contained computer-readable technical logs, but also real-world events like payments and parking tickets that contained a driver’s personal information.
Nice to see my city being recognized by the international technology press. As of writing, the Calgary Parking Authority has not notified account holders, and I could not find any relevant local news stories.
The first time I remember shopping for music was at a Best Buy one day in 2001. I came home with two CDs: the Baha Men’s Who Let the Dogs Out and the pop compilation Now That’s What I Call Music! 5.
Each of those albums cost more than a month of streaming does today, which reflects all that happened to music listening in the intervening 20 years — Napster and LimeWire, iPods and iPhones, Spotify and TikTok. Every decade I’ve been alive, a new format has ascended. Tapes were displaced in the 1990s by CDs, which were displaced in the 2000s by mp3s, which were displaced in the 2010s by streaming. Now, instead of buying music, people rent it.
The music I’ve salvaged from earlier times is now part of my collection on Spotify, which I’ve been using since it launched in the United States, 10 years ago this month. But as I look back on the churn of the past couple of decades, I feel uneasy about the hundreds of playlists I’ve taken the time to compile on the company’s platform: 10 or 20 years from now, will I be able to access the music I care about today, and all the places, people, and times it evokes?
I still have the very first CD I remember buying, in a particularly luxe A&B Sound location in 2003 now occupied by a gym. I cannot remember when I last put that disc into a player. According to Music, the MP3s I ripped from that CD were most recently listened to in 2010, but I streamed that same record just a few weeks ago. That raises some interesting questions: Am I likely to ever play the MP3s I created all those years ago? Will they work next time I try? What am I most likely to do when I want to listen to that record and find that it has, for example, been pulled from streaming services? What new format will emerge in a decade’s time, and will it have that album on it?
In some sense, we have never stored music recordings in a permanent way. Vinyl records degrade with time and on playback. Manufacturers promised that CDs would last hundreds of years, but their actual lifespan is entirely variable. Hard drives degrade, and music streaming is an unproven business model with an oddly stagnant price point. Even so, transitioning so much of our listening to a deliberately temporary model seems short-sighted. We have replaced our hope of permanence with the promise of ephemerality, which is perhaps more honest, but which places all control and trust over our very personal attachment to art in the hands of big companies. I’m not sure about you, but that seems like a mistake.
Here’s a simple way to put the explosion of vinyl record sales in perspective: Pressing plants around the globe have the capacity to manufacture 160 million albums a year, according to the estimate of one executive with decades of experience in physical formats. But, he explains, the current “extraordinary” demand for vinyl looks to be more than double that: somewhere between 320 million and 400 million units.
We still want physical versions of many records even though much of our casual listening has been moved to a rental model. They may not last forever, but they cannot be removed from our shelves if a record label and a streaming service have a legal dispute.
Speaking of Safari, the developer of the OldOS app featuring a recreated iOS 4 interface built in SwiftUI has created something old and exciting: Safari 5. It is incomplete, sure, but it features all of the gradients, shiny icons, and Lucida Grande you would expect.
There is some good news: the “⋯” Button of Mystery has been scrapped and replaced with the standard share button. There’s also a reload button in the address bar right beside the URL — but it is grey, while every other tappable control in Safari is blue.
However, a whole-cloth web browser redesign is perhaps one of the most ambitious and difficult UI changes to make, and it still shows. I appreciate that Apple has been trying to move user interface components toward the bottom of the display in several applications; phone screens are still growing, and notification bubbles can cover toolbars at the top. It makes sense to prioritize thumb-accessible areas for interactivity. But when Google prototyped a similar bottom-focused redesign, many users found it “disorienting”, according to Chris Lee. It is a similar story in iOS 15.
They’re already desperately trying to make this UI work *and it’s a brand new UI*; imagine if a year or two from now they want to add some new option to it.
I often get the impression that software vendors, in general, imagine that it is inherently good for them to ship frequent updates with noticeable changes, and that users must appreciate the knowledge that their software is being updated all the time. This is a hallmark of the “Agile” development model and the software-as-a-service world. But I would submit that most users just want to get stuff done in more-or-less the same way as they did before an update. Software should enable that as much as possible; it should not be a barrier, and whole-cloth redesigns like these are burdensome on users.
In this context, reconfiguring Safari so that the entire user interaction happens in the lower half of the screen is a win for usability, but a loss for muscle memory. I think this once-in-a-lifetime update could make sense in the long term. But when coupled with some of the space constraints created by this specific iteration and how cramped the controls are, it is hard to argue in favour of this interpretation of Safari.
Meanwhile, the latest version of iPadOS has gained a preference in Safari to toggle the new unified tab and address bar, similar to that introduced in the last MacOS Monterey beta seed, which ought to be a clue. I think adding options to, effectively, switch between new and old versions of an app is a tacit admission that a change is big enough to be troublesome for a large number of users.
None of the versions of Safari 15, including the one in Monterey, should be scrapped entirely. But many of the UI changes are either too ambitious or — in the case of colour-changing tabs — poorly considered. New versions of iOS and iPadOS will probably be rolling out to users in six to eight weeks, and I do not think this flagship app is close to being shippable.
I wish I was kidding at this point, but the Safari tab bar in iOS 15 beta 4 *can* get busier.
Here’s what happens if you do a Google search, have an extension active, and have just downloaded a file.
In the pursuit of simplicity, the first version of this Safari redesign hid almost everything so that the UI could be condensed into a single address bar. Just three revisions in, Safari now appears far more complicated than its predecessor.
In the headphones category on Amazon, 1,800 different products from 666 brands were among the top 100 best-sellers in the last twenty-four months. That’s nearly three new products from almost one new brand every day replacing current items in the best-sellers list. Those brands are pseudo-brands like NUBBYO, LAFITEAR, NANMING, AIWONS, or HWCONA.
Only five brands – Apple, Samsung, Sony, Soundcore, and Tozo – had a product in the headphones best-sellers list for the entire twenty-four months. Just twenty have been in it for over 500 days (70% of the time). More than half of brands were on the list for only five days or less; hundreds of brands that gained some momentum, all to get lost among the sea of lookalikes a few days later.
I appreciate this longer-term view into the staying power — or lack thereof — of passthrough trademarks raised in a story I linked to last year by John Herrman, New York Times:
“For brand owners, enrolling provides you with powerful tools to help protect your trademarks, including proprietary text and image search and predictive automation,” the company declares. It gives owners control over product listings that contain their products, and the ability to protect themselves against unauthorized sellers using their names. Crucially, Amazon says on its site, “it gives you more access to advertising solutions, which can help you increase your brand presence on Amazon,” as well as to “utilize the Early Reviewer Program to gain initial reviews on new products” — a sanctioned method for improving a product’s search result.
If you’re feeding a brand-new listing into the Amazon machine, in other words, and doing so without a pre-existing brand or customers, getting into Brand Registry is extremely important. To achieve real and lasting success on Amazon, it’s vital.
As of 2017, it also requires a registered trademark.
Amazon’s policies have singlehandedly incentivized the creation of hundreds of these nonsense trademarks, and Kaziukėnas shows that they have no long-term staying power. These are entirely disposable brands for disposable goods: if you have a problem with your new pair of HWCONA headphones, where do you turn to get them fixed? What company is staking their reputation on the quality of these products? From a consumer’s perspective, there is nothing giving these products any greater expectations than some knock-off brand stocked in a dollar store.
I would love to see an investigation like the one Kaziukėnas did across dozens of different product categories to see if the results are similar.
Most Americans by now understand that our phones are tracking our movements, even if we don’t necessarily know all the gory details. And I know how easy it can be to feel angry resignation or just think, “so what?” I want to resist both of those reactions.
Hopelessness helps no one, although that’s often how I feel, too. Losing control of our data was not inevitable. It was a choice — or rather a failure over years by individuals, governments and corporations to think through the consequences of the digital age. We can now choose a different path.
Most articles about privacy tend to feel pretty bleak, but Ovide’s comes across refreshingly optimistic. I appreciate that.
These are choices we can demand of our governments at different levels. It is particularly warranted in the United States, given that it is the headquarters of many privacy-hostile companies and, therefore, the jurisdiction in which users’ data is regulated.
Once upon a time, Apple offered an easy-to-understand business model. The company made personal computers, small, medium, and large. Successfully positioned in the affordable luxury market sector, Apple devices sold well with healthy margins. Those margins helped finance strong R&D investments and took good care of employees, investors, and Uncle Sam.
In the company’s latest SEC filing for the quarter ended in March 2021, Apple’s Services reached $16.9B, exactly as much as the $16.9B number for the combined Mac and iPad revenue, although still far from the $48B iPhone revenue for that quarter.
This changes the business model’s “center of gravity”.
Apple’s business model is still admirably simple compared to many of its biggest competitors. Facebook and Google sell advertisements against scraped user data and profiling; Microsoft and Amazon are more diversified, but a large slice of their revenue comes from enterprise and government contracts. Apple, for the most part, sells physical products, bytes, and service contracts to end users.
But this new focus on recurring services revenue — predictable monthly payments from as many buyers as possible — has created plenty of opportunities for Apple to degrade its existing product offerings. As the iTunes Store gave way to the Apple Music streaming model, iTunes was replaced with the much worse Music app, which feels like an old <frame>-based website given the façade of a desktop application. Applications across MacOS and iOS now interrupt users with advertisements in a nagging reminder that your multi-thousand-dollar purchase of a hardware product is merely the beginning of your financial relationship with Apple.
I understand why this is happening, but a pivot to services is a hard turn for Apple to make, and I feel it is not executing it as gracefully as it could — and should — be.
As Gassée writes, the definition Apple uses for reporting revenue in its Services category is pretty broad. This is how Apple described the category in its most recent annual filing:
Services net sales include sales from the Company’s advertising, AppleCare, digital content and other services. Services net sales also include amortization of the deferred value of Maps, Siri, and free iCloud storage and Apple TV+ services, which are bundled in the sales price of certain products.
One thing not mentioned by either Gassée or Apple is that about one-fifth to one-quarter of Apple’s services revenue is from Google for making it the default search engine across Apple’s ecosystem. I mentally subtract $3 billion from this category in the quarterly earnings report to create a truer estimation of how Apple’s own-brand services are performing.
FSD beta 9 is a prototype of what the automaker calls its “Full Self-Driving” feature, which, despite its name, does not yet make a Tesla fully self-driving. Although Tesla has been sending out software updates to its vehicles for years—adding new features with every release—the beta 9 upgrade has offered some of the most sweeping changes to how the vehicle operates. The software update now automates more driving tasks. For example, Tesla vehicles equipped with the software can now navigate intersections and city streets under the driver’s supervision.
“Videos of FSD beta 9 in action don’t show a system that makes driving safer or even less stressful,” says Jake Fisher, senior director of CR’s Auto Test Center. “Consumers are simply paying to be test engineers for developing technology without adequate safety protection.”
But the fact of the matter is that these features are being marketed as “Full Self-Driving” and “Autopilot”. Unlike other cars equipped with automatic lane keeping and radar-assisted cruise control, Tesla is not pitching these features as part of a safety enhancement package, but as autonomous vehicle technologies. There is no way the company does not know how owners are using these features and, consequently, subjecting other drivers, pedestrians, and cyclists to their beta testing experience at great risk to public safety.
It is also true that human drivers will make mistakes. Not every driver on the road is equally competent, and it is possible that Tesla’s system is better than some human drivers. But autonomous systems can lull the human operator into a false impression of safety, with sometimes deadly consequences.
And then there’s the Playdate from Panic. Whereas the aforementioned handhelds are almost uniformly technological upgrades, the Playdate offers something much weirder. It looks kind of like a Game Boy that comes from an alien world. There are familiar elements, like a D-pad and face buttons, but many of its games are controlled by a crank that slots into the side. And those games are only available in black and white, and they’ll eventually be released as part of weekly mystery drops.
It sounds strange and fascinating, and I had the chance to head into the Playdate’s parallel universe over the last few days with a near-final version of the device. It definitely is weird — but that’s also what makes it exciting.
Nothing I’ve played on the Playdate thus far screams “revolutionary” or “must-have.” Two low-powered CPUs, intentionally lo-fi hardware, and a single rotary crank can only combine to deliver so much. These four test titles likely lack the scope or depth that some gamers hope for in a brand-new system’s launch library.
Yet everything I’ve played on the Playdate has been accessible, amusing, and unique, and getting four games at once has distributed the fun factor around in a way that I really appreciate. Two of the games are built with replayability in mind—one as a score chaser, the other as a puzzle-minded platformer with speedrunning potential. The other two titles are more linear but focus less on challenge and more on atmosphere; these show what developers can do within a wimpy system’s limits to deliver their own comfortable, unique games on black-and-white hardware.
Preorders for the Playdate begin one week from today, July 29. I am so excited about the possibilities of this weird little thing.
Kim Zetter’s Zero Day newsletter has been a consistently good read. Today’s issue, about that mysterious list of tens of thousands of phone numbers forming the basis of much of the Pegasus Project reporting, is a great example:
There is nothing on the list to indicate what purpose it’s meant to serve or who compiled it, according to the Post and other media outlets participating in the Pegasus reporting project. There is also nothing on the list that indicates if the phones were spied on, were simply added to the list as potential targets for spying or if the list was compiled for a completely different reason unrelated to spying.
Those varying descriptions have created confusion and controversy around the reporting and the list, with readers wondering exactly what the list is for. The controversy doesn’t negate the central thesis and findings, however: that NSO Group has sold its spy tool to repressive regimes, and some of those regimes have used it to spy on dissidents and journalists.
The reporting associated with the Pegasus Project has been enlightening so far, but not without its faults. The confusion about this list of phone numbers is one of those problems — and it is a big one. It undermines some otherwise excellent stories because it is not yet known why someone’s phone number would end up on this list. Clearly it is not random, but nor is it a list of individuals whose phones were all infected with Pegasus spyware. This murkiness has allowed NSO Group’s CEO to refocus media attention away from the ethical dumpster fire started when his company knowingly licensed spyware to authoritarian regimes.
Monsignor Jeffrey Burrill, former general secretary of the U.S. bishops’ conference, announced his resignation Tuesday, after The Pillar found evidence the priest engaged in serial sexual misconduct, while he held a critical oversight role in the Catholic Church’s response to the recent spate of sexual abuse and misconduct scandals.
According to commercially available records of app signal data obtained by The Pillar, a mobile device correlated to Burrill emitted app data signals from the location-based hookup app Grindr on a near-daily basis during parts of 2018, 2019, and 2020 — at both his USCCB office and his USCCB-owned residence, as well as during USCCB meetings and events in other cities.
I do not wish to devalue any reader’s faith; if you are Catholic, please know that I am not criticizing you specifically or your beliefs.
The Catholic Church has a history of opposing LGBTQ rights and treating queer people with a unique level of hatred — this report says that the use of Grindr and similar apps “present[s] challenges to the Church’s child protection efforts”, invoking the dehumanizing myth tying gay men to pedophilic behaviour, an association frequently made by the Catholic Church.1 I find it difficult to link to this story because of statements like these, and it offends me how this priest was outed.
But I also think it is important to give you, reader, the full context of what is disclosed, and what is not. For example, I understand that Catholic priests have an obligation to be celibate and, theoretically, the Pillar would investigate any clergy it believed was stepping out of line. But this specifically involves one priest and Grindr, and leaves a lot of questions unanswered. For a start, how did the Pillar know? Did it get tipped off about Burrill’s activities so it would know where to look, or did it receive data dumps related to the phones of significant American clergy? And what about other dating apps, like Tinder or Bumble? Surely, there must be priests in America using one of those apps to engage in opposite-sex relationships; why not an exposé on one of them? This report does not give any indication about how it began investigating. I find that odd, to say the least.
The reason I am linking to this is because of that data sharing angle. As reported by Shoshana Wodinsky at Gizmodo, Grindr has repeatedly insisted on the anonymity of its data collection and ad tech ties:
When asked about the Burrill case, a Grindr spokesperson told Gizmodo that it “[does] not believe Grindr is the source of the data behind the blog’s unethical, homophobic witch hunt.”
Obviously, only Grindr knows if Grindr is telling the truth. But these sorts of adtech middlemen the platform’s relying on have a years-long track record of lying through their teeth if it means it can squeeze platforms and publishers for a few more cents per user. Grindr, meanwhile, has a years-long track record of blithely accepting these lies, even when they mean multiple lawsuits from regulators and slews of irate users.
Wodinsky points to a piece at the Catholic News Agency — which both Pillar writers used to work for — claiming that an anonymous party had “access to technology capable of identifying clergy […] found to be using [dating apps] to violate their clerical vows”. It will come as no surprise to you that I find it revolting that someone can expose this behaviour through advertising data. It is a wailing klaxon for regulation and reform.
But, also, is it ethical for a news organization to acquire data like this for the purpose of publicly outing someone or sharing their private activities? In a 2018 story, the New York Times showed how it was possible to identify people using similar data. But the newsworthiness of that story was not in individuals’ habits and activities, it was about how easy it is to misuse advertising and tracking data. And where is the line on this? Are journalists and publications going to begin mining the surveillance of ad tech companies in search of news stories? I would be equally disturbed if this were instead a report that exposed the infidelity of a “family values”-type lawmaker. I think the Pillar exposed a worrisome capability with this report, and also initiated a rapid ethical slide.
The authors clarify that they are ostensibly concerned about the relative ease with which minors are able to use dating and hookup apps. That is a fair criticism. But this digression cannot be separated from this harmful belief, nor from the Church’s history of sexual abuse of minors. That abuse was not caustic because the clergy involved were engaged in same-sex relations, it was because they were powerful adults molesting children. ↩︎
I get the feeling I am going to be linking to a lot of NSO Group-related pieces over the next little while. There are a couple of reasons for that — good reasons, I think. The main one is that I think it is important to understand the role of private security companies like NSO Group and their wares in the context of warfare. They function a little bit like mercenary teams — Academi, formerly Blackwater, and the like — except they are held to, improbably, an even lower standard of conduct.
The second reason is because I think it is necessary to think about how private exploit marketplaces can sometimes be beneficial, at great risk and with little oversight. There are few laws associated with this market. There are attempts at self-regulation, often associated with changing the economics of the market through bug bounties and the like.
NSO can afford to maintain a 50,000 number target list because the exploits they use hit a particular “sweet spot” where the risk of losing an exploit chain — combined with the cost of developing new ones — is low enough that they can deploy them at scale. That’s why they’re willing to hand out exploitation to every idiot dictator — because right now they think they can keep the business going even if Amnesty International or CitizenLab occasionally catches them targeting some human rights lawyer.
But companies like Apple and Google can raise both the cost and risk of exploitation — not just everywhere, but at least on specific channels like iMessage. This could make NSO’s scaling model much harder to maintain. A world where only a handful of very rich governments can launch exploits (under very careful vetting and controlled circumstances) isn’t a great world, but it’s better than a world where any tin-pot authoritarian can cut a check to NSO and surveil their political opposition or some random journalist.
Sounds appealing, except many of the countries NSO Group is currently selling to are fantastically wealthy and have abysmal human rights records. I must be missing something here because I do not know that there is a way to increase the cost of deploying privately-developed spyware so that its use is restricted from regimes that many people would consider uniquely authoritarian, since they are often wealthy. Amnesty researchers found evidence of the use of NSO’s Pegasus on Azerbaijani phones, too: like Saudi Arabia, Azerbaijan is an oil-rich country with human rights problems. And then there is the matter of international trust: selling only to, for example, NATO member countries might sound like a fair compromise to someone living in the U.S. or the U.K. or Canada, but it clearly establishes this spyware as a tool of a specific political allegiance.
We must also consider that NSO Group has competitors on two fronts: the above-board, like Intellexa, and those on the grey market. NSO Group may not sell to, say, North Korea, but nobody is fooled into thinking that a particularly heinous regime could not invest in its own cybercrime and espionage capabilities — like, again, the North Korean ruling party has and does.
But — I appreciate the sentiment in Green’s post, and I think it is worthwhile to keep in mind as more bad security news related to this leak will inevitably follow in the coming days and weeks.