Written by Nick Heer.

Archive for April, 2022

NSO Group and Candiru Spyware Allegedly Used by Spanish Government Against Catalan Independence Movement Leaders

John Scott-Railton, et al., of the University of Toronto’s Citizen Lab:

In 2019, WhatsApp patched CVE-2019-3568, a vulnerability exploited by NSO Group to hack Android phones around the world with Pegasus. At the same time, WhatsApp notified 1,400 users who had been targeted with the exploit. Among the targets were multiple members of civil society and political figures in Catalonia, Spain. The Citizen Lab assisted WhatsApp in notifying civil society victims and helping them take steps to be more secure.

The cases were first reported by The Guardian in 2020. Following these reports, the Citizen Lab, in collaboration with civil society organisations, undertook a large-scale investigation into Pegasus hacking in Spain. The investigation has uncovered at least 65 individuals targeted or infected with Pegasus or spyware from Candiru, another mercenary hacking company.

Not only did researchers find spyware on the devices of activists and political figures, but also on the devices of family members.

Ronan Farrow, in a deeply reported article for the New Yorker:

The Citizen Lab’s researchers concluded that, on July 7, 2020, Pegasus was used to infect a device connected to the network at 10 Downing Street, the office of Boris Johnson, the Prime Minister of the United Kingdom. A government official confirmed to me that the network was compromised, without specifying the spyware used. “When we found the No. 10 case, my jaw dropped,” John Scott-Railton, a senior researcher at the Citizen Lab, recalled. “We suspect this included the exfiltration of data,” Bill Marczak, another senior researcher there, added. The official told me that the National Cyber Security Centre, a branch of British intelligence, tested several phones at Downing Street, including Johnson’s. It was difficult to conduct a thorough search of phones — “It’s a bloody hard job,” the official said — and the agency was unable to locate the infected device. The nature of any data that may have been taken was never determined.

The Citizen Lab suspects, based on the servers to which the data were transmitted, that the United Arab Emirates was likely behind the hack. “I’d thought that the U.S., U.K., and other top-tier cyber powers were moving slowly on Pegasus because it wasn’t a direct threat to their national security,” Scott-Railton said. “I realized I was mistaken: even the U.K. was underestimating the threat from Pegasus, and had just been spectacularly burned.” The U.A.E. did not respond to multiple requests for comment, and NSO employees told me that the company was unaware of the hack. One of them said, “We hear about every, every phone call that is being hacked over the globe, we get a report immediately” — a statement that contradicts the company’s frequent arguments that it has little insight into its customers’ activities. In its statement, the company added, “Information raised in the inquiry indicates that these allegations are, yet again, false and could not be related to NSO products for technological and contractual reasons.”

Does the NSO Group receive regular activity reports or does it not? That should be such a simple question for the company to answer, but Farrow quotes an employee wholly contradicting NSO Group’s public statements. This whole spyware industry is built on a sketchy foundation and these companies beg for trust, yet it seems we just do not know such a fundamental truth about how they operate: do they or do they not know what devices are being targeted by their clients?

As a result of this incident, Farrow reports, U.K. numbers — like U.S. numbers — have been disallowed from targeting. For those of us elsewhere, our activists and lawmakers and journalists are simply not valuable enough for NSO Group to treat with the same dignity or respect for privacy. As Farrow reports, this spyware is a tool for diplomacy as much as it is a product for warfare. Non-American and non-British people are apparently undeserving of the same level of humanity.

Researchers Find Shades of Opacity, Plenty of Tracking, After App Tracking Transparency

Dan Goodin, Ars Technica:

Last year, Apple enacted App Tracking Transparency, a mandatory policy that forbids app makers from tracking user activity across other apps without first receiving those users’ explicit permission. Privacy advocates praised the initiative, and Facebook warned it would spell certain doom for companies that rely on targeted advertising. However, research published last week suggests that ATT, as it’s usually abbreviated, doesn’t always curb the surreptitious collection of personal data or the fingerprinting of users.

If anything, Goodin underplays this rather scathing report (PDF), in which researchers describe finding minimal changes in app-based tracking after the implementation of App Tracking Transparency. There are some benefits — more apps chose to ask for certain permissions later rather than upfront, minimizing unnecessary data collection, for example, and a significant drop in IDFA use. Some tracking SDKs also saw reduced usage.

But ATT was not as aggressive an anti-tracking measure as Apple may have hoped for or portrayed in its advertising. While IDFA use dropped, other attributes about a user’s phone are collected more often. Plenty of apps and SDKs are still tracking users without their consent or knowledge — most often, sending data to Google and Facebook, but also Unity, Verizon, and Oracle. And nine apps went even further:

In our analysis, we found 9 apps that were able to generate a mutual user identifier that can be used for cross-app tracking, through the use of server-side code. These 9 apps used an “AAID” (potentially leaning on the term Android Advertising Identifier) implemented and generated by Umeng, a subsidiary of the Chinese tech company Alibaba. The flow to obtain an AAID is visualised in Figures 6a and 6b. As expected, the IDFA is only zeros because we used the opt-out provided by iOS 14.8; we observe, however, that the IDFV (ID for Vendors), a non-resettable, app-specific identifier is shared over the Internet, see Figure 6a. The sharing of device information for purposes of fingerprinting would be in violation of Apple’s policies, which do not allow developers to “derive data from a device for the purpose of uniquely identifying it”.

As Apple was preparing to release the iOS 14.5 update that introduced ATT, it told a group of developers — also from China — to cease and desist creating a workaround to allow individual device tracking. The researchers of this more recent analysis reported this apparent synthetic tracking identifier to Apple and, when the researchers later tried to reproduce it in iOS 14.8, found that the identifier request was now encrypted but was likely similar. When they tried to reproduce using iOS 15, they were unable to do so.

This is only tangentially related, but Alibaba was the same company that was collecting users’ history from their web browser, even when it was being used in incognito mode.

This observation from the researchers’ report is upsetting:

At the same time, it is worrying that a few changes by a private company (Apple) seem to have changed data protection in apps more than many years of high-level discussion and efforts by regulators, policymakers and others. This highlights the relative power of these gatekeeper companies, and the failure of regulators thus far to enforce the GDPR adequately. An effective approach to increase compliance with data protection law and privacy protections in practice might be more targeted regulation of the gatekeepers of the app ecosystem; so far, there exists no targeted regulation in the US, UK and EU.

Regulators and companies like Apple are still trying to catch up to the underhanded mechanisms involved in the surveillance-powered economy. There is some progress, but it is slow and not nearly enough to undo such a deeply engrained, intrusive, and hostile system. Privacy needs to be treated as a serious public policy issue and the stewards of its enforcement must be adequately resourced. That simply is not happening.

Updates on the Elon Musk and Twitter Dialogue Which, I Promise, Are More Thoughtful Than This Title Suggests

First, the biggest news — Twitter is trying to force Elon Musk to negotiate or abandon his attempted acquisition of the company.

Lauren Hirsch and Kate Conger, New York Times:

Twitter on Friday unveiled its counterattack against Elon Musk by putting in place a corporate maneuver known as a poison pill.

The strategy aims to slow or block Mr. Musk’s $43 billion bid to buy Twitter.

A poison pill, devised by law firms in the 1980s to protect companies from corporate raiders, essentially lets a takeover target flood the market with new shares or allow existing shareholders other than the bidder to buy them at a discount. That means anyone trying to acquire the company must negotiate directly with the board.

The pill will be triggered once any individual or a group of people working together buy 15 percent or more of Twitter’s shares. Mr. Musk currently owns more than 9 percent.

That should buy Twitter more time to strike a truce with Musk, but it is a tricky situation because some analysts believe the company’s stock could tank if he sells his shares.

Shortly after announcing his plan to acquire Twitter yesterday, Musk appeared onstage at the TED Conference in Vancouver to chat about his plans for the company should his takeover bid be successful. Musk and his conversation partner, TED head Chris Anderson, may have made a lot of word salad, but both made very little sense.

Mike Masnick, Techdirt:

And, again, as anyone who has lived through (or read up on) the history of content moderation knows, platforms all went through this exact process. The process that Musk thinks no one has actually done. They all started with a fundamental default towards allowing more speech and moderating less. And they all realized over time that it’s a lot more nuanced than that.

They all realized that there are massive trade-offs to every decision, but that some decisions still need to be made in order to stop “making the product worse” and to figure out ways to build “maximal trust” and to be “broadly inclusive.” In other words, for all of Musk’s complaining, Twitter has already done all the work he seems to pretend it hasn’t done. And his “solution” is to go back to square one while ignoring all the people who learned about the pitfalls, challenges, nuances, and trade-offs of the various approaches to dealing with these things… and to pretend that no one has done any work in this area.

Masnick links to an excellent paper called “The New Governors” (PDF) by Kate Klonick in the Harvard Law Review. I am a little embarrassed to admit I had not heard of this paper before today, given how often this topic has come up. But I knew as soon as I finished it that it is essential reading for anyone thinking about moderation in any context. It is less than eighty pages; it is worth taking time to read it for yourself. It can help avoid embarrassing ideas about how online platforms work or how they ought to work.

Update: The more I think about this situation, the more it feels like an unforced pain in the ass that is no good for anybody. What are the outcomes here? Maybe Twitter is acquired by Musk, he finds it a huge burden and has no idea what he has gotten himself into, and tries to get rid of it. Maybe he realizes he has to get out of this thing before it gets too out of hand? Well, Twitter’s stock prices will collapse — for how long, who knows? — and it makes shareholders nervous. Different sets of users are skeptical either way. What a mess.

Bill C–10 Is Now Bill C–11, but Still Terrible

Canadian readers: remember last year’s terrible Bill C–10? It did not make it through the legislative process at the time, but it is back, admittedly with some changes but still with the same goals and many of the same flaws.

Ramneet Bhullar, of OpenMedia:

Bill C-11 expands the Broadcasting Act that grants the CRTC regulatory powers over radio and television to cover all audiovisual content on the Internet, including content on platforms like Tik Tok, YouTube, Spotify, and podcast clients.

Under Bill C-11, all platforms hosting audiovisual content that are not specifically excluded must make financial contributions to producing officially recognized “CanCon” – currently defined by a 1980s era points system built around legacy media broadcast media.

Does that system support Canadian storytelling? Unevenly at best. In recent years productions about US President Trump and the English Tudors have been greenlit as CanCon, while lavish productions of iconically Canadian stories like the Handmaid’s Tale and Turning Red have not met the standard.

I understand the value in juicing Canadian cultural exports. It is likely one of the reasons why many of the biggest names in music for decades have originated in Canada: Drake, the Weeknd, Justin Bieber, and Shawn Mendes have repeatedly landed in Billboard’s top ten artist charts for the past decade, as a sort of bulwark against largely American chart domination. Frequent radio airplay in Canada probably influenced the international success of those artists.

But modern web platforms look nothing like legacy broadcasting providers, and this bill is a ridiculous attempt to fit them into the same mould. Bhullar’s guide to the bill is a clearheaded look at how wrong this system would be in a streaming and digital platform context.

Adtech Company Report Finds Increasing Rate of iOS Users Opting Into Tracking

Adjust, an analytics and advertising technology firm, today released a mobile app trends report. Sadly, you are required to enter an email address to read the full report,1 but Filipe Espósito, of 9to5Mac, has summarized the part in question:

According to the research firm, the industry feared that the new App Tracking Transparency in iOS would hurt the mobile app market, which heavily relies on advertisements. In May 2021, opt-in rates were at around 16%. Now that number has grown to 25% a year later.

When it comes to games, the number is even higher – 30% of users have allowed developers to collect their data for advertisements. The numbers are based on a global research considering the 2,000 most popular apps in Adjust’s database. In some cases, popular games have achieved opt-in rates of up to 75%.

75% sounds very high to me. That particular stat comes from a year-old blog post that highlighted just four games: two with opt-in rates above 70%, and two at around 30%. All are from AppLovin. Interestingly, the two games with lower opt-in rates are from the PeopleFun brand, while the two higher opt-in rates are in games from the Lion Studios brand. Lion Studios makes a lot of samey apps; its latest release is, perhaps predictably, a Wordle clone.

The most puzzling thing to me is that these four games have exactly the same first-launch flow for gaining consent to track users, yet they are producing wildly varying results. The lower results are closer to data from Flurry Analytics showing an opt-in rate of about 18%. Adjust claims this is because the better-performing games were likely found through targeted advertising, so users see how sacrificing their privacy can benefit them:

For example, in the data presented above, Animal Transform and Save the Girl! are hyper casual games that are discovered by consumers via advertising. A large portion of their users will have found the games via ads and will therefore be likely to find other games/apps of interest through ads displayed within these games. […]

The key to achieving this high level of consent is to clearly and simply explain the value of consenting and sharing data in order to get relevant ads. […]

I am skeptical of this explanation. A lot of apps — a lot of things — are marketed through targeted advertising, and it seems unlikely to me that these games are special enough to diverge from that 18–30% range. Adjust also says this is due to the transparency around the consent prompts, but they are identical among these four apps.

A possible clue sits in the reviews of the four apps in question. While none of the four are listed as games for children and all have a 12+ rating, I noticed more children in the reviews of the higher-performing apps than of Wordscapes and Blockscapes.

At any rate, if 18–30% of iOS users are now opting into tracking, it is considerably higher than the 5% estimate in May 2021 or even the 16% in Adjust’s data from about the same time period. I do not like tracking, but maybe a quarter of people do. The important thing right now is giving users a choice and respecting it.

  1. Marketers think this is a great way to collect interested people to spam later, but they must either not know or not care about the number of throwaway email services out there.

A Tour of Apple’s External LCD Displays

A nice thing about writing this website by myself and as a hobby is how I do not feel like I need to cover today’s insanity.

Here is a nice post from Stephen Hackett covering Apple’s history of standalone displays. Maybe the most interesting one to me was 1998’s Studio Display:

This Studio Display would end up spanning the change from beige plastic to more colorful designs, and would ship in three distinct Revisions:

  • Rev. A: Used a DB-15 connector and came in a graphite finish. Included ADB ports, as well as an RCA jack for extra connectivity.

  • Rev. B (January 1999): Used VGA and came in new styling to match the Blue and White G3, as seen below. Came with a price cut to $1,099.

  • Rev. C (August 1999): Used DVI and included 2 USB ports and was styled to match the early Power Mac G4.

It launched at $1,999, so the $900 price cut less than a year after its launch seems notable. Also notable is how I have never seen one of these displays in the wild. I was probably too young at the time of its release, but I do remember seeing its transparent tripod-like successor.

The 2004 era of Cinema Displays remains my favourite, if only because the 30-inch model made such an impression on me at a young age. A good working model still fetches hundreds of dollars on eBay — a testament to its quality and longevity. I still love those aluminum enclosures with the glossy white plastic side panels and soft edges on the top and bottom. They were professional products, but approachable, too.

Mac App Store Apps Using In-App Purchases to Hide Free Apps That Need Subscriptions

Jeff Johnson:

Top Mac App Store dev abuses Free with In-App Purchase for bait-and-switch apps demanding upfront payment, not free in any respect.

This developer has 9 apps in the Mac App Store, all of which seem to have the same “business model”: free to download, with In-App Purchase, but the first time you open the app, it demands an upfront one-time purchase, otherwise it doesn’t work at all.

No trial, no subscription.

Stephen Warwick, iMore:

In response to this report, Fokusek Enterprise’s CEO contacted iMore with comment on the story. Tiberiu Prioteasa claims that the IAP monetization the developer uses “is used by most of the big companies such as NordVPN, Microsoft and many apps that provide Health, Lifestyle and Fitness apps from the Apple App Store,” noting that Apple has approved the use of this monetization process every time it has been submitted to Apple. However, while lots of companies offer in-app purchases on the Mac App Store, and use auto-renewal after a free trial, Fokusek’s Docs Pro for Google Drive apps greets users with the following screen as soon as you open it: […]

This is the kind of thing Apple sought to prevent when it launched In-App Purchases as a feature for paid apps only. Opening them up to free apps has created different purchasing mechanisms in the App Store and has pushed the industry toward subscription pricing, but it has also enabled scummy behaviour like this.

Not that it matters much, but Prioteasa is not entirely wrong by pointing out how similar this model is to that of big-name companies. All of them offer a trial — unlike these crappy apps — but they are a bit of a bait-and-switch. You might see Microsoft PowerPoint as one of the top free apps on the Mac App Store, but to save or edit a presentation, you need to activate a trial that will roll over into a minimum monthly payment.1 Not really a free app, is it?

  1. Microsoft also pitches the subscription as being “as low as” the single-user price, but preselects the more expensive family subscription. Gross.

Apple Is Throwing a Third Party

Apple commissioned another report — its third — from the Analysis Group:

Today, economists at Analysis Group published a new report on the proliferation of third-party apps on the App Store, with new insights into how third-party apps perform in categories ranging from maps to music streaming, among others. The report finds that third-party apps experience broad regional and global success on the App Store, demonstrating the breadth of opportunity for developers and the wide range of choice available to consumers around the world.


The report analyzes apps from Apple and third-party developers across many popular app types, breaking down regional and global top performers. It also highlights just how many channels developers now have to distribute their apps — from mobile platforms, to PCs, to video game consoles.

It is an interesting report (PDF) but it is not as comprehensive as Apple’s press release implies. Five app categories were analyzed in eight regions, using different metrics depending on the type of app. For example, the study’s authors correctly observe that many people use multiple messaging apps; it is not the type of app where a user gained in one client necessarily implies a lost user in another. Usage behaviour is likely different for music streaming apps, so the study’s authors used the time spent listening in each. That seems fair to me.

Music streaming is where I started to get puzzled as I read this report. There is a large table on page 14 indicating that, in Japan, Spotify has “0.4×>” the use of Apple’s Music app. How would you interpret the way that is written? I assumed it was a shorthand for 0.4 times greater use — that is how Apple displays it in a graphic in its press release — but then I read this bullet point on the following page:

There is only one country and one type of app considered for which the Apple app accounts for more than half of app usage: Music streaming in Japan (55%).

Well that clearly does not add up. Spotify’s share in Japan cannot be “0.4 times greater” than Apple’s 55%. I may be missing something, but I think the table is unclear. A better representation of this research is in Appendix B, beginning on page 20. There, you can see a more complete picture of app usage broken down by country and category. Note each category’s footnotes showing how the share was measured.

In Figure 12, we can see that Spotify is the most popular streaming music service in many regions, excluding China, Korea, and Japan. Japan is the only one where Apple Music listening time is highest and, assuming some rounding errors, Spotify is indeed 0.4× as popular as Apple Music, not more popular. Not a grievous error, to be sure, but a notable one given that it is the only category and country where Apple’s first-party app is so dominant.

We can check this work against the popularity of Google Maps in the U.S., which is shown in Apple’s press release to be “1.5× greater” than the use of Apple Maps. Figure 13 in the report indicates Apple Maps has 16 million daily iPhone users in the U.S., while Google Maps has 24 million.

An aside: remember when Apple was bragging about having three times as much usage of its maps app compared to, presumably, Google Maps? 2015 was ever so long ago, and being so wildly popular could now be considered a liability. Apple is happy to brag in its press release that Netflix is used thirty-five times more often by French users than Apple’s own TV app, and over two hundred times as often by Japanese users. In any other context, this would be an embarrassment.

So Figure 6, the table on page 14 indicating each app’s use relative to Apple’s, should not have greater-than signs beside each number. Some of the third-party apps highlighted in this report are used much less often than Apple’s own.

Having sorted that out, I want to turn your attention toward methodology, where I have questions. Mostly, that is because of this acknowledgement:

For privacy reasons, Apple has limited visibility into usage data. We therefore obtained data on downloads, daily active users, and time spent in app from data.ai (formerly App Annie), a third-party provider of mobile device app use data. We also use other publicly available information, including industry reports, news articles, and developer websites.

Apple may have commissioned this study, but it does not appear to have done its authors any favours in getting them proprietary real-world metrics. The report contains endnotes pointing to all of the data sources, and it seems Data.ai was used an awful lot. Given that Apple may limit its own knowledge of app usage, how is Data.ai collecting it?

Our data sources include: anonymized and aggregated data from over 1 million apps, sizable consumer panels, top ad networks, and more.

The company has a list of its partnerships, which are primarily ad networks, but it also collects data from apps like a data monitoring utility it owns. Unfortunately, despite promising “a new standard for trust and transparency”, the company does not provide a list of any other apps from which it collects usage data.

Does a combination of ad network partnerships and a sneaky consumption utility mean it is able to provide reliable figures on the use of, say, Messages or the Phone app? I find it hard to believe this is anything more than a best guess.

Some of these figures are surprising. But one that is not is Spotify’s market share. Bob Lefsetz:

We’ve been hearing all this b.s. about Apple catching up with Spotify, but just the opposite appears true, Spotify is pulling away from Apple where it counts, in listenership. Furthermore, the report says that Spotify is especially popular amongst the young, who listen most and are most responsible for the breaking of new artists.

Now in truth Amazon is a stealth competitor. But in reality, Spotify is the world’s default streaming music app.

Apple Music appears to pay a much higher rate than Spotify, but Spotify really does seem to be the brand name music app to Apple’s store brand. It has better playlists, better social features, and has probably escaped culpability in the public eye for financing a guy who just has some questions. And it appears on the cusp of lobbing more legal grief in Apple’s direction.

Apple prioritizes its Music app on iOS. It permits songs to be downloaded from the iTunes Store and added to a user’s library, all on an iPhone or iPad. Even if a third-party music store used the In-App Purchases mechanism, it is not possible for them to modify the Music library. But it seems many users do not care about that. They are happy keeping their music library siloed in whatever app they happen to be using. If they are using Spotify, they use the Spotify library; if they download a mixtape from DatPiff or want to support an indie artist more directly through Bandcamp, they must use each of those apps’ libraries. For the dedicated, this represents competition; for those with less patience, the winning app will be the one offering whatever they listen to most of the time.

It sure is an interesting time for technology policy at government and platform levels. All the findings in this report are the result of choices made primarily by Apple in its design of iOS and the App Store. It seems there is healthy competition in some categories of apps and in some regions. But this report is not comprehensive. Third-party apps have limitations Apple’s own versions do not, and there are many other categories where Apple’s entrant likely pulls ahead — browsers would be an especially interesting case because, although it is one of two types of app where you can set a system-level default on iOS, any third-party browser will still use Apple’s rendering engine.

I do not think this report is garbage; give it a read if you have time. But I think its shortcomings are enough to assume its figures are closer to an elastic estimate than actual data points.

AppsFlyer Report: Apple Benefits From App Tracking Transparency Rules

John Koetsier, Forbes:

Apple Search Ads has displaced Facebook as the best ad network for mobile marketers on iPhone and iPad, according to a new performance index from AppsFlyer. Apple’s ad network has significantly expanded since Apple changed marketing practices, hitting 60% of all its business from the first half of 2020 in just seven weeks this year.


We’re essentially seeing the continued rise of the platforms. 2021 wasn’t just good for Apple and its ad network: Google also did well in advertising to particularly Android but also iOS users. Ad engines built on owned platforms have inherent advantages that third-party ad networks are challenged to compete against.

Again, I believe Apple is committed to privacy values, generally speaking. But these conflicts of interest undermine its arguments.

Tim Cook’s Speech at the International Association of Privacy Professionals Conference 2022

Kif Leswing, CNBC:

Apple CEO Tim Cook on Tuesday criticized pending antitrust regulation in the U.S. and Europe, saying that some of the proposed policies would hurt iPhone user privacy and security.

Cook contended in a speech at the IAPP Global Privacy Summit in Washington, D.C., that regulator efforts to force Apple to allow iPhone users the option to install apps from the internet, called sideloading, could lead to a scenario where users can be tricked into installing malware and software that steals user data, citing reports of malicious apps on Android, on which sideloading is currently allowed.

Natasha Lomas, TechCrunch:

But the Apple CEO soon sought to intertwine threats to user privacy — which he’d suggested are countered by giving users more controls to make tracking them harder — with the broader issue of security threats, such as posed by malware like ransomware — going on to argue that security as an overarching bolster for privacy isn’t helped by giving users more control over the choice of third-party software they can download.

On the contrary, Cook argued, giving users a choice to step outside the “rigorous security protections” he suggested Apple has baked into the App Store (via the app review process) — by letting iOS users sideload apps or even choose to use a non-Apple app store entirely — would ultimately reduce their control by removing a “more secure choice.”

“I fear that we could soon lose the ability to provide some of those protections,” he suggested, framing looming competition-focused regulations as a risk to both “our privacy and security.”

Tim Cook:

We are deeply concerned about regulations that would undermine privacy and security in service of some other aim. Here in Washington and elsewhere, policymakers are taking steps — in the name of competition — that would force Apple to let apps onto iPhone that circumvent the App Store through a process called “sideloading”.

One could argue Apple’s resistance to this also serves to preserve its platform control status quo in the name of privacy. I believe Cook is deeply passionate about increasing user privacy and sees the current app distribution policies on iOS and iPadOS as the best balance between users’ interests and those of third parties. But those arguments are somewhat undermined by the financial and competitive benefits Apple reaps when it controls both the platform and its software distribution mechanism.

That is unfair: Apple has valued user privacy since long before it even had an App Store or this distribution model. But it sure looks like a conflict of interest now.

Also, kudos to Cook for reminding people of the boring but essential benefits of end-to-end encryption for features like storing HomeKit videos in iCloud. We were reminded just recently how important it is to reduce access to user data — even by service providers. If only that applied to all iCloud data.

Tesla-Supporting ‘Bots’

Russ Mitchell, Los Angeles Times:

Kirsch and Chowdhury tracked 186 Tesla-related bot accounts and found that after each was launched, the company’s stock appreciated more than 2%. (They looked at the average stock return for the week previous to the bot’s creation and for the week following.) While Tesla’s market value has increased over the years, the price has seen dramatic ups and downs. The periods around bot creation showed sharp increases, but outside those windows, trading was far more volatile, Chowdhury said.

“This isn’t a causal relationship, but it does raise questions,” Kirsch said, about why there’s a correlation that does not appear to be random. “We’re trying to understand the mechanism. It can’t be just a bunch of tweets that push the stock. People have to notice them, interpret them and act on them.”

The researchers are looking at the timing of the tweets and options activity in the overnight stock market, among other factors. One big unknown: whether the bots are the work of entities with a direct financial interest in Tesla.

This report is very hand-wavy; the above three paragraphs are the closest it gets to a narrative more concrete than seemingly automated Twitter accounts commenting on stories about Musk or Tesla. These apparent bots are not listed anywhere I can see, though Mitchell reports an article about this will be released by Kirsch and Chowdhury in June, so perhaps a better picture will emerge around then.

Even so, I would be cautious about forming any particular narrative around this story. There is no indication of meaningful activity around these automated accounts, and “Twitter bots” seems like one of those phrases foundational to building mountains out of molehills.

Fresh Hell

Manuel Grabowski:

As a year-long Twitter user who’s always logged in on all devices, I didn’t really consciously notice how things deteriorated over time. But thanks to the fresh hell that every damn iOS app has its own integrated “browser”, even despite already having an account I now often see what Twitter unleashes on people not willing to succumb to their pleas for signing up.

The mix of desperate clingy behaviours from all kinds of websites — all social networks, but also retail and media and pretty much everything these days — combined with siloed browsers on iOS is a real crappy experience. I know the latter is a privacy feature, but it is not great when seemingly every site begs for your email address. Web marketers and “growth hackers”: nobody likes this. Please stop it.

Behavioural Spam

Ryan Broderick, Garbage Day:

Twitter is still a primarily text-based app, which means that syntactical memes can spread across the platform. A good example would be the “me: / nobody:” tweet format. A recent syntactical meme has completely overwhelmed Twitter, though. It starts with the phrase “we’re cancelling each other over…” and then you’re meant to post a “cancellable” take about some niche subject. I’ve seen tweets calling for cancellable takes about everything from Boston’s public transport to ghosts.

This sort of thing has always existed, but it has historically occupied a specific section of a BBS or forum. You could ignore it. In the blended world of a typical Twitter timeline, it seems unavoidable. It would be cool if we could universally minimize these kinds of patterns. But seeing as Twitter still thinks trending topics are a good idea I doubt we will get any controls to reduce popular post formats.

Data Brokers on ‘Last Week Tonight’

I have written an awful lot about data brokers for years now and others have been covering this industry for much longer. Yet it persists, and I am glad it is getting the kind of spotlight that John Oliver’s “Last Week Tonight” can throw on it. It is a good high-level overview, accurately covering many familiar stories, and will hopefully motivate more comprehensive reforms.

This video is only available in the United States right now, but I am sure you are a clever person.

Today’s Claim That Tesla Is on the Verge of Producing a Humanoid Robot, as Viewed From the Year 2032

Sam Shead, writing for CNBC in April 2022:

Tesla may start production of a humanoid robot known as Optimus as early as next year, CEO Elon Musk said Thursday.


“We have a shot of being in production for version one of Optimus hopefully next year,” Musk said Thursday at the opening of Tesla’s new vehicle assembly plant in Austin, Texas, where he appeared on stage — in a cowboy hat and sunglasses — to Dr. Dre’s “Still D.R.E.”

Musk was, at best, spitballing with little more than a hope and a prayer. But this statement was similar to many of his previous claims which hid truth behind sensationalism. This tactic worked as a public relations strategy, creating years of breathless press coverage for Musk’s scarcely developed ideas and musings, but it repeatedly landed him in hot water with regulators.

Tesla has yet to reveal a working prototype of the robot, however, and it’s unclear how sophisticated Optimus is at this stage.

Tesla later pushed prototyping this robot years into the future as it sorted out a backlog of other promised products, including a pickup truck, a semi truck, and a sports car. Current prototypes cannot carry a mug of coffee without spilling it and tear clothing to shreds while attempting to fold it, and some have even played anti-union audio recordings on loop without any apparent way of shutting them off.

Musk has once again said a version of this robot will be delivered to customers next year, but researchers and other experts are skeptical anything like the version first shown in 2021 is around the corner.

When Musk first announced Tesla’s robot, he said it will be based on the same chips and sensors that the company’s cars use for self-driving features. […]

At the same media event, Musk also said a work-in-progress “beta” version of what the company then branded “Full Self Driving” would expand to all customers the same year. At the time, it was marketed as a level two system. This was a regression from years of assurance that level five autonomy would be delivered soon, something which has not yet been achieved. Empty promises like these coupled with the expensive Full Self Driving option pack led to numerous lawsuits and, ultimately, shareholders’ loss of confidence in Musk’s ability to deliver.

When reached for comment, Musk, now living on a dairy farm in Wisconsin, said he was starting a new company to turn cattle’s markings into mobile solar panels.

Worldcoin’s First Half-Million Test Users Are Treated More Like Unconsenting Subjects

Eileen Guo and Adi Renaldi, MIT Technology Review:

Gunungguruh was not alone in receiving a visit from Worldcoin. In villages across West Java, Indonesia — as well as college campuses, metro stops, markets, and urban centers in two dozen countries, most of them in the developing world — Worldcoin representatives were showing up for a day or two and collecting biometric data. In return they were known to offer everything from free cash (often local currency as well as Worldcoin tokens) to AirPods to promises of future wealth. In some cases they also made payments to local government officials. What they were not providing was much information on their real intentions.

This left many, including Ruswandi, perplexed: What was Worldcoin doing with all these iris scans?

This is a distressing read. It seems that Worldcoin, based in San Francisco, recruited people — primarily in developing countries like Indonesia and Kenya — to scan the irises of hundreds of thousands of others without their full understanding or consent. It says its privacy bona fides will improve as it grows, but it is providing little information about how it is treating the sensitive data it has collected so far, excusing these practices by its small size:

“I’m not sure if you’re aware of this,” he [Worldcoin CEO Alex Blania] said, “but you looked at the testing operation of a Series A company. It’s a few people trying to make something work. It’s not like an Uber, with like hundreds of people that did this many, many times.”


By the time we spoke to Blania in March, Worldcoin had already scanned 450,000 eyes, faces, and bodies in 24 countries. Of those, 14 are developing nations, according to the World Bank. Eight are located in Africa. But the company was just getting started — its aim is to garner a billion sign-ups by 2023.

If you are planning to scale from hundreds of thousands to a billion people in a year — a laughable goal, but bear with me — you cannot use the excuse of an early stage startup. Exploiting poor people for their biometric data with financial incentives is scummy enough; treating privacy as a problem for later is inexcusable.

Unsurprisingly, Clearview AI Aims to Branch Out Beyond Police

Matt O’Brien and Tali Arbel, the Associated Press:

A controversial face recognition company that’s built a massive photographic dossier of the world’s people for use by police, national governments and — most recently — the Ukrainian military is now planning to offer its technology to banks and other private businesses.


The new “consent-based” product would use Clearview’s algorithms to verify a person’s face, but would not involve its ever-growing trove of some 20 billion images, which [Clearview CEO Hoan] Ton-That said is reserved for law enforcement use. Such ID checks that can be used to validate bank transactions or for other commercial purposes are the “least controversial use case” of facial recognition, he said.

Remember when the company promised to only allow law enforcement uses? Ton-That killed that principle earlier this year. If Clearview could have operated with individual consent, it would have obtained it already.

Every day this company is allowed to keep operating represents an increasing policy failure.

9.2% and the Master of Twitter

Ranjan Roy, Margins:

It’s wild to think about. The U.S. government regulator has been in a fight with the world’s richest man over his ability to use a communications platform that’s vital to his business interests — and he just went and effectively bought the platform. Both Can and I have repeatedly written about the emerging market-ification of the U.S., and this really feels like another one of those moments where we look back on and remember how we all posted memes as it happened.

Does any of this sound healthy to you? Because it sounds to me like a personal vendetta has gotten mixed up in financial nihilism by someone who has a famously untethered grasp on reality.