Month: May 2022

Developers on Apple’s Platforms Are Now Able to Increase Subscription Prices Without User Confirmation Once Per Year developer.apple.com

Last month, Apple confirmed to Sarah Perez it was testing with Disney a new way for developers to increase the price of subscriptions without requiring user confirmation. Today, Apple launched that capability.

Apple developer news:

With this update, under certain specific conditions and with advance user notice, developers may also offer an auto-renewable subscription price increase, without the user needing to take action and without interrupting the service. The specific conditions for this feature are that the price increase doesn’t occur more than once per year, doesn’t exceed US$5 and 50% of the subscription price, or US$50 and 50% for an annual subscription price, and is permissible by local law. In these situations, Apple always notifies users of an increase in advance, including via email, push notification, and a message within the app. Apple will also notify users of how to view, manage, and cancel subscriptions if preferred.

With all those notifications, it sounds like this is a fair change with reasonable safeguards. But in the paragraph immediately prior, Apple gives the impression that opting back into a cancelled subscription is some kind of arduous process:

Currently, when an auto-renewable subscription price is increased, subscribers must opt in before the price increase is applied. The subscription doesn’t renew at the next billing period for subscribers who didn’t opt in to the new price. This has led to some services being unintentionally interrupted for users and they must take steps to resubscribe within the app, from Settings on iPhone and iPad, or in the App Store on Mac.

If this experience is not so great for someone having to re-subscribe after failing to confirm they are okay with a new price, does it not also mean it is not ideal for someone unsubscribing from an app when they want to reject a price increase?

This is going to make a lot of people upset when their $10-per-month subscription can double within two years without their approval. People are going to remember how they feel when they figure that out. I know exactly how I reacted when my internet provider did that to me.

Scrupulous developers will avoid doing anything too extraordinary, but there are a whole lot of App Store developers abusing subscription pricing today. I think I understand the intent, but I do not like the sound of this.

Google Thanks Procrastinators With Free G Suite Accounts for Non-Commercial Use support.google.com

Earlier this year, Google announced it would be transitioning “legacy” free G Suite users to paid Google Workspace plans. To its credit, Google’s plans are reasonably priced and it offered a further discount. Unfortunately, the way it handled this transition was a mess.

Ron Amadeo, Ars Technica:

Users being hit by the shutdown faced two options: either suddenly start paying for their accounts, which had been free for years, or lose access to core Workspace apps like Gmail. Users who didn’t want to pay could only export data with Google Takeout, which would download some account data that would become a bunch of cumbersome, local files. Takeout was a terrible option because it makes it difficult to get your data back in the cloud, and you can’t export things like purchased content from Google Play or YouTube.

Google added options to help users transition purchased materials to a standard Google account. But many users of the legacy G Suite offering are individuals and families who just wanted to connect a personal domain to an email provider. There are now many options open to these users at similar price points — Fastmail, ProtonMail, and even Apple have custom domain options — but this sort of thing is just enough of an irritation that it would be nice to avoid it.

I am one of those people. I have had this on my Things “Today” list for months now because I do not understand the concept of today and I do not want to deal with my DNS. I should move things off Google entirely, but its G Suite offerings generally have better privacy protections than its consumer accounts. Plus, I do not want to lose access to Mimestream, a Gmail client I think is the best email app for MacOS.

It turns out my procrastination has been rewarded. Google has updated its transition document to say users like me can retain our free accounts if they are for personal use (via Steve Whitcher):

If you’re using the G Suite legacy free edition for non-commercial purposes, you can opt out of the transition to Google Workspace by clicking here (requires a super administrator account) or going to the Google Admin console. You can continue using your custom domain with Gmail, retain access to no-cost Google services such as Google Drive and Google Meet, and keep your purchases and data.

You will need to take these steps by August 1. Google advises contacting its support team if you are not a procrastinator and already paid to upgrade.

I suppose this is a good reminder that we should move things away from providers like Google which offered free services for a long time, since they are able to take that away at any time. It is unfortunate because Mimestream really is my favourite email application for the Mac, so I am probably going to forget about my own advice and forget about migrating until the next time Google pulls the rug out from under me.

Apple Updated Its Platform Security Guide support.apple.com

Howard Oakley:

Don’t be put off by its title: Apple Platform Security Guide is mandatory reading for all advanced Mac Users, and the only way we get to learn about important details of macOS, iCloud, and much else.

If you prefer this document with a little more gravitas, Apple also provides it in PDF format. Max Zinkus tweeted a thread of notable new sections and updates, like this one:

First interesting deletion in the Messages for Business Chat (those grey iMessage conversations with Apple or a supported business support text line).

May 21: “The Business Chat service never stores conversation history.”

And then May 22: *gone*

This is part of a broader question about whether Apple could switch any iMessage discussion to Messages for Business Chat, which has looser security and privacy standards than peer-to-peer iMessage.

iMessage itself retains a misleading description of its security architecture:

[…] Apple doesn’t log the contents of messages or attachments, which are protected by end-to-end encryption so no one but the sender and receiver can access them. Apple can’t decrypt the data.

This remains true of iMessage in isolation. But Apple’s law enforcement guidelines (PDF) continue to indicate iMessages may be provided by subpoena if iCloud Backups or Messages in the Cloud are enabled.

Farewell to the iPod newstatesman.com

Tom Gatti wrote a rather lovely eulogy for the iPod for the New Statesman. I was nodding along until I got to the last sentence of this excerpt, where I think my brain played a subliminal record scratch:

Crucially, the music was yours – made up of albums you owned, whether you’d spent many evenings patiently “ripping” your CD collection to your iTunes (it was lucky I already had a girlfriend by my early twenties otherwise I might have struggled to find one) or spent your disposable income in the infinite aisles of Apple’s digital music store. Of course, there were the illegal downloaders, too – peer-to-peer file-sharing continued long after Napster was shut down in July 2001. But I suspect the music fans who dumped enormous quantities of material onto their iPod for free ultimately regretted it – stuck in an endless scroll of the entire Bob Dylan and Jay-Z back catalogues, they lost sight of what they actually liked.

“Regret”? What is Gatti talking about? Anyone who has immersed themselves in an artist’s catalogue has used that as a jumping-off point and a way to develop their musical taste. If you spend enough time with a single artist, you will go through their highs and lows, their “new sound” album, their “return to form”, their masterpieces, their throwaway tracks. And then you will discover the artists they inspired and drew inspiration from. Piracy, for all its ills, is one reason why any music fan’s library these days has breadth and depth that would be unheard-of in the days of milk crates full of records.

Gatti:

Which is, of course, where we find ourselves today: a digital landscape dominated by Spotify and other streaming platforms, in which music is not exactly free, but not owned either. Instead of a collection that has been expanded and cultivated over years, we have a bottomless pool of recorded music. You can “like” an album and “follow” the artist, but the transaction is so low-stakes that it feels meaningless, and your “library” is not really yours at all.

A low-stakes transaction is a recipe for discovery.

But I do sympathize with Gatti’s other argument: these music libraries do not belong to anyone. For all music customers won by encouraging record labels to drop DRM, the labels clawed their way back with a reverse bargain: anyone can listen to all the music they want for $10 per month. But there is no way for that to be a sustainable business model if all that music could simply be walked off with, so we are back to having DRM-encumbered libraries.

Riccardo Mori:

As I said at the beginning, a device like the iPod touch is rather redundant for the way we consume music nowadays. However, I think a device like the iPod shuffle still makes a lot of sense. Its main characteristics, what made it an ingenious and very successful device back then, still make it an interesting and appealing device today: […]

Tyler Hall:

With all the shit in the world in the last few years, listening to music has become even more of a refuge and safe space for me than it ever was before.

But, for me at least, the incredible technological convergence of every single use-case into a deck of cards-sized pocket super-computer means that when I do want to only listen to music – there are a million beeps, boops, and badges fighting for my attention.

An underappreciated feature of the iPod (because it wasn’t a feature you could market during its heyday) was that it was only an iPod. Not also a mobile phone and internet communicator.

For all the new things added to Apple Music in the past couple years — animated covers, Spatial Audio, a dedicated section for songs that friends have texted me — all I really want most of the time is to put on a record and listen to it uninterrupted. I do not care what device that is on.

Hall bought an Android-based Sony Walkman. I know Sony has a few of these players and I am sort of intrigued by them. Not enough to buy one, though; that is what my turntable is for. Sometimes, I just want to escape and, for me, music provides that venue. I wish the experience on my existing devices were better suited to that. Unfortunately, the incentives for streaming services are not always aligned with these modest goals.

But this does not have to mark the end of the personal music library. The iPod was a signifier of that, but its death — which really happened several years ago; the iPod Touch is more like a stripped-down iPhone than an iPod, but never mind — does not mean personal libraries have to go away. You can still buy music on iTunes, Bandcamp, and elsewhere. Vinyl records often come with download codes. And, yes, there are still plenty of places to acquire music illegitimately. I will keep building my personal music library in a way unencumbered by DRM, without rights negotiation issues, and free of dependence on third-party services. If you care about the music you listen to, I encourage you to do the same.

Email and Password Exfiltration Before Form Submission homes.esat.kuleuven.be

Leaky Forms is a new study by Asuman Senol, Gunes Acar, Mathias Humbert, and Frederik Zuiderveen Borgesius (emphasis theirs):

Email addresses — or identifiers derived from them — are known to be used by data brokers and advertisers for cross-site, cross-platform, and persistent identification of potentially unsuspecting individuals. In order to find out whether access to online forms are misused by online trackers, we present a measurement of email and password collection that occur before form submission on the top 100K websites.

These researchers received marketing emails from some of the leaky sites where, I will repeat, they never submitted a form. Their typed email address was captured and whisked into the ad tech and data broker machinery without their explicit consent. When using a U.S.-based crawler to assess these forms, researchers found a greater proportion of incidents (PDF, section 4.3) of email address collection than when they used an E.U.-based crawler, “perhaps due to stricter data protection regulations”.

The worst offenders were, according to researchers, fashion and beauty websites, with shopping and general news sites in second and third places. Notably more private: porn sites, the only category for which not a single one was found to have leaky forms.

Competition Bureau Wants to Block Rogers–Shaw Merger on Wireless Basis Alone canada.ca

The Competition Bureau earlier this week released a statement objecting to the merger of Rogers and Shaw, to which the providers preemptively responded. Unfortunately, it is entirely focused on the wireless space, which makes sense given the two companies’ firewall avoiding competing in cable TV or internet:

The Bureau’s investigation concluded that the proposed merger would substantially prevent or lessen competition in wireless services.

The Bureau is challenging the merger to shield Canadians from higher prices, poorer service quality and fewer choices which are likely to occur as a result of the merger.

The two providers say they are prepared to jettison Shaw’s wireless division, thereby resolving the Bureau’s concerns.

It is too bad the Bureau cannot seem to nullify the longstanding non-competition agreement between Rogers and Shaw. It cannot force them to compete in the same markets, but it should not permit such a blatant divvying up of the country.

E.U.’s Online CSAM Proposal Compromises Privacy and Is Overbroad edri.org

Natasha Lomas, TechCrunch:

The European Union has formally presented its proposal to move from a situation in which some tech platforms voluntarily scan for child sexual abuse material (CSAM) to something more systematic — publishing draft legislation that will create a framework which could obligate digital services to use automated technologies to detect and report existing or new CSAM, and also identify and report grooming activity targeting kids on their platforms.

Lomas reports this is an attempt to unify a splintered set of policies that apply to individual countries within the E.U. but, as written, it appears to require the ability for providers to locally scan the contents of messages and even detect the possibility of minors being coerced, if ordered.

The European Commission has published a guide in question-and-answer format. While it assures there are multiple safeguards, that is not comforting to European Digital Rights, an advocacy group:

The proposal may appear superficially to contain a balanced and proportionate approach. In particular, providers can only be forced to scan on their platform or service if required to do so by a judicial authority, and are subject to a series of safeguards. According to Contexte, many of these safeguards have only been introduced in the last few days, which shows that pressure from the EDRi network and our supporters has had a positive effect.

However, there are several provisions which would indicate that these protections are mainly cosmetic, and that we may in fact be facing the worst-case scenario for private digital communications. For example, providers of services and platforms have to take actions to mitigate the risk of abuse being facilitated by their platform. But they will still be liable to be issued with a detection order forcing them to introduce additional measures unless they have demonstrated in their risk assessment that there is no remaining risk of abuse at all.

Even German child protection advocates are worried this is overbroad. This proposal is one to keep an eye on for its potentially far-reaching consequences.

Tech Trade Groups Appeal to Supreme Court on Deranged Texas Moderation Law protocol.com

Last year, Texas House representatives voted in favour of a bill that was effectively a copy of one in Florida to prohibit social media platforms from moderating based on “viewpoints”. It was blocked by a judge in December after two tech industry trade groups argued it was unconstitutional. Obviously.

Earlier this week, a panel of judges voted two to one to lift the injunction and allow the government of Texas to enforce that law.

Ken White on Twitter:

See, the Texas law lets the AG, or any aggrieved user, sue if they think the site censored improperly, and get attorney fees and costs and injunctions if they win. If the Texas law stands, there’s no more saying “it’s Twitter’s First Amendment right to moderate.”

Say Twitter has a no-swearing policy and I say “@DavidAFrench has a shit-ass opinion about Aquaman.” Twitter suspends me. All I have to do is sue and claim Twitter’s REAL reason for censoring me is my viewpoint on David, or Aquaman, not my swearing. Twitter has to litigate it

This will be made easier because automated moderation on scale is always difficult and usually inconsistent and I will be able to point to other times when non-anti-Aquaman swears weren’t punished. And people ALWAYS think they’re being singled out. It’s in the GOP Platform.

David Greene:

It’s even worse Ken since the law prohibits moderation of posts based on viewpoints expressed on OR OFF the site. So even if the post itself expresses no viewpoint, a litigious plaintiff can claim that the action was a response to some viewpoint they expressed somewhere else.

Mike Masnick, Techdirt:

There are many more problems with this law, but I am perplexed at how anyone could possibly think this is either workable or Constitutional. It’s neither. The only proper thing to do would be to shut down in Texas, but again the law treats that as a violation itself. What an utter monstrosity.

Unsurprisingly, the tech industry trade groups are going to be asking the Supreme Court to deal with this completely deranged law.

Issie Lapowsky, Protocol:

Tech groups fighting Texas’s social media “censorship” law may file an emergency application with the Supreme Court as early as Friday, according to two sources familiar with the case. The groups, NetChoice and CCIA, have said they plan to ask the justices to vacate the Fifth Circuit’s Wednesday ruling, which lifted an injunction on the Texas law, allowing it to go into effect and prompting panic throughout the tech industry.

NetChoice and CCIA are now soliciting amicus briefs in their application to be filed by next week. NetChoice did not respond to Protocol’s request for comment. CCIA wouldn’t confirm its plans, but president Matt Schruers said in a statement, “We will take whatever steps are necessary to defend our constituents’ First Amendment rights. These include the right not to be compelled by the government to carry dangerous content on their platforms.”

It is still shocking to me how many tech companies decided to expand their presence in Texas just to save a little in local taxes. It was not exactly a bastion of reasonable laws and careful thinking before, and then the state government there went and got their technology policy arguments from Florida. What did they think was going to happen?

Google Cannot Decide Whether It Likes Headphone Jacks in Phones theverge.com

Google’s new A-series Pixel phone, the Pixel 6A, does not have a headphone jack. This phone comes less than a year after the Pixel 5A ad in which Google loudly trumpeted the headphone jack in that model.

Jay Peters, the Verge:

The thing is, this isn’t even the first time this circle has come full circle. In an ad for the very first Pixel — released in 2016, the same year as the iPhone 7 — Google noted this key feature: “3.5mm headphone jack satisfyingly not new.” But the headphone jack was gone from the Pixel 2 released just a year later. The first A-series Pixel, the Pixel 3A, would bring it back, but not until 2019. Once again, Google has parodied Apple only to become a parody itself the following year.

I was one of many people who thought Phil Schiller’s use of the word “courage” was a bit much to describe the company’s decision to drop the headphone jack. But you know what? Apple made that decision and then stuck to it; it did not chicken out and do anything like Google’s weird back-and-forth nonsense. You may still disagree with that decision and wish Apple had reverted; that is fine. But it would be infuriating if Apple kept changing its mind.

Jason Kottke Is Taking a Sabbatical kottke.org

Jason Kottke:

Does what I do here make a difference in other people’s lives? In my life? Is this still scratching the creative itch that it used to? And if not, what needs to change? Where does kottke.org end and Jason begin? Who am I without my work? Is the validation I get from the site healthy? Is having to be active on social media healthy? Is having to read the horrible news every day healthy? What else could I be doing here? What could I be doing somewhere else? What good is a blog without a thriving community of other blogs? I’ve tried thinking about these and many other questions while continuing my work here, but I haven’t made much progress; I need time away to gain perspective.

Good questions to ponder for anyone, even us hobbyists. Best wishes to Kottke for finding the time and space to get to know himself again.

Let Us Check in on the Wild World of Cryptocurrency todayintabs.com

Rusty Foster, of the truly excellent Today in Tabs newsletter:

TerraUSD is an “algorithmic stablecoin,” where the much-abused word “algorithmic” here means “bullshit.” It is the third largest stablecoin in existence, with almost 18 billion tokens in circulation. The way it works is this: a developer named Do Kwan made two new crypto tokens. One is called Terra, and Kwan said “those are each worth one dollar.” The other is called Luna, and the value of Luna is allowed to float, so it’s worth whatever someone wants to pay for it. The two tokens can be converted into each other, so if Luna is worth $30, you can destroy one Luna and get 30 Terra (which are supposed to be worth $1 each). And if Terra was worth less than a dollar, you could destroy 30 Terra to create 1 Luna at a discount, which also will decrease the supply of Terra and make it more valuable, via good old supply and demand, eventually pulling it back up to $1.

Have you spotted the problem yet? If you have: lol, right? If not: I promise you have, you just think it can’t possibly be that stupid. […]

Caitlin Ostroff and Alexander Osipovich, Wall Street Journal:

TerraUSD in Monday evening trading was at about 80 cents, after touching the low of 69 cents earlier, according to CoinMarketCap. Panic selling also hit the related Luna cryptocurrency, which plunged 50% from Sunday to Monday, wiping out more than $10 billion of market value, CoinMarketCap data show.

Andy Baio adds:

This was entertaining to watch yesterday until I saw a suicide hotline topping their subreddit.

That is what is going on at a smaller player in the cryptocurrency world. How about one of the biggest and most popular exchanges? What is the situation like at, say, Coinbase?

Ben Levisohn and Janet H. Cho, Barron’s:

Coinbase stock is down 83% from an all-time high of $368.90 last November, when Bitcoin’s price also peaked at $67,802.30 per coin.

Coinbase reported a loss of $1.98 a share, missing estimates for a 1-cent loss based on generally accepted accounting principles, or GAAP, on sales of $1.165 billion, below forecasts for $1.5 billion. That was down 27% from one year ago.

If you tweet the word “Coinbase” right now, you may get some automatic replies masquerading as Coinbase support, with a link to a Google form where you can enter your Coinbase login information.

The Last iPod Has Already Been Made apple.com

This press release from Apple is kind of strange. The dek reads “iPod touch will be available while supplies last”, which is entirely what this release is intended to announce, but its three main paragraphs entirely skirt that news. Each of them reiterates how you can listen to music on Apple’s many other products. Seriously, read it — it is the same paragraph written in three different ways. And then you get to the very last sentence which reiterates how the iPod Touch is only available while supplies last.

For what it is worth, I think the true iPod era ended in either 2014, when the Classic was discontinued, or 2017 when the last Nano and Shuffle were made. But this was the last pocket-friendly Apple device you could buy that was not dependent on monthly fees. Pour one out for the last of the iPods.

I guess the big question now is whether this means anything for iOS 16’s device support. The iPod Touch includes an A10 Fusion SoC, similar as in the iPhone 7 line and the seventh-generation iPad. The iPod and iPad were both introduced in 2019, but the iPhone 7 will turn six years old this year. I would bet on another year of support, but it seems dicey.

Works as Currently Designed

I am beginning to think the ways I use AirPlay, which seem entirely normal to me, are exotic outliers heretofore untested by Apple’s engineers because its promise does not match my experience. Here are the two ways I most frequently use AirPlay through my Apple TV:

  1. I want to listen to music on my living room speakers, so I play albums — local and streamed from Apple Music — from my iPhone or my Mac.

  2. I want to watch a movie I previously ripped from disc or a TV show I have in my library, so I will AirPlay from QuickTime on my Mac.

Both of these features are acknowledged on Apple’s AirPlay marketing webpage, but neither works as expected. In the first behaviour, for example, when I change playback from one album to another — or one playlist to another — I expect my AirPlay connection to be retained. But no; every time, I have to manually reconnect and adjust the volume to where I last set it.

It took an embarrassingly long time for me to see that my Apple TV was actually going to sleep, and that is why the connection was dropping. Sometimes, it will also fall asleep in the middle of AirPlay playback. But, strangely, it will often refuse to sleep when truly idle, even for several hours or overnight.

When I AirPlay movie files from my Mac, it is almost like the opposite problem occurs: it is my Mac which falls asleep during playback. You know how your Mac will remain awake when you are watching a movie on its own display, no matter your Energy Saver preferences? That behaviour does not carry over to AirPlay, and the Mac’s sleep timer is not suppressed. It is not as though my Mac cannot remain permanently awake — it is an iMac with an SSD. It will silently wake up without turning on the display to update iCloud Drive and make Time Machine backups. But an AirPlay connection will be terminated when the sleep timer kicks in.

I am aware of applications like Caffeine and Amphetamine that will prevent a Mac from sleeping. But they seem like they ought to be unnecessary for this use case; my Mac should just do the right thing. There is an active AirPlay connection, and it should be kept alive until I quit the app or terminate the connection.

I have filed bug reports against all of these behaviours.1 It is this last one where I received the biggest surprise: Apple closed it with the explanation that it “works as currently designed”. That is a weak excuse. Setting aside its most literal meaning, which could be applied to any bug ever, I am reporting it as a bug because it clearly does not work as it ought to.

Am I missing something? Is my AirPlay experience entirely unique? At least I was finally able to set up my Apple TV in the Home app, last year, but it did not correct any of this behaviour. I feel like I am in a world where all of my AirPlay intentions are exactly opposite, or I am an idiot who simply has no idea how to use AirPlay.

  1. FB7465311, FB9395702, FB9894231, FB9987176. ↥︎

Websites Excluded From Big-Budget Advertisers Are Creating Marketer-Friendly Alternate Sites twitter.com

Nandini Jammi of Check My Ads on Twitter:

I first caught whiff of WhoaCanada.ca while digging around @Yahoo’s sellers.json directory. TPM’s account contains 3 domains:

  • ThePostMillennial(.)com (hate site)

  • HumanEvents(.)com (hate site)

  • Whoa Canada (“7 desserts you can get in Toronto”)

Lol what

It took me ~15 sec to realize that WhoaCanada.ca *is* The Post Millennial — an ad operation explicitly designed to be the “brand safe” arm of TPM. This secret domain allows them to continue collecting ad $$, effectively subsidizing TPM’s racist + transphobic content.

After Jammi published this thread, Yahoo banned this publisher ID from its network.

It is an extremely sneaky tactic, and the Post Millennial is not the only website using a friendlier sibling for fundraising. Check My Ads also found a network of three innocuous-seeming websites subsidizing Steve Bannon’s web show.

Clearview AI Settles With ACLU aclu.org

This settlement is significant, but perhaps not as triumphant as the ACLU makes it out to be:

The central provision of the settlement restricts Clearview from selling its faceprint database not just in Illinois, but across the United States. Among the provisions in the binding settlement, which will become final when approved by the court, Clearview is permanently banned, nationwide, from making its faceprint database available to most businesses and other private entities. The company will also cease selling access to its database to any entity in Illinois, including state and local police, for five years.

This does not eliminate the need for stronger privacy laws in the United States. Outside the U.S., it seems that Clearview AI is able to continue developing and selling its product under the cover of American jurisdiction, unless expressly prohibited by local laws. Clearview is still expanding.

This settlement does prohibit Clearview from providing free trial access without supervisor approval, among its biggest sales tactics. Good.

Rogers and Shaw Say Competition Bureau Commissioner Plans to Oppose Merger theglobeandmail.com

Alexandra Posadzki, the Globe and Mail:

Canada’s Commissioner of Competition plans to oppose Rogers Communications Inc.’s $26-billion takeover of Shaw Communications at the Competition Tribunal, the telecom companies said in a combined statement early Saturday morning.

Rogers and Shaw said they plan to oppose the anticipated application by Matthew Boswell, Commissioner of Competition, to block the proposed takeover, which would combine two of the country’s largest cable networks. The companies said they were notified of the commissioner’s intention to file the application on Friday afternoon, after the close of trading.

The telecom companies, as well as the Shaw family trust, have also agreed to extend the takeover deadline from June 13 to July 31.

While Rogers and Shaw have issued a joint press release, the Competition Bureau has not yet commented publicly. These companies have avoided competing for over twenty years, merger or no merger. Even if this acquisition were denied, each company will continue doing business only in its designated region, performing the outward appearance of competition while ensuring the prices we pay remain among the highest in the world.

In March, the CRTC approved Rogers’ purchase of Shaw’s media holdings.

Apple, Google, and Microsoft Commit to Expanded Support for FIDO Passwordless Standard fidoalliance.org

Lori Glavin, of the FIDO Alliance:

In a joint effort to make the web more secure and usable for all, Apple, Google and Microsoft today announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. The new capability will allow websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms.

I love this video demo from a FIDO-aligned partner company. It appears that signing into a website could soon look more like authenticating an Apple Pay payment on your Mac via your iPhone or Apple Watch. I am just as eager to have that experience for creating a new account, or for the ability to retain the same login even if the secret token is rotated. Great news, especially for accessibility.

Yield

This new piece from John Gruber, regarding the European Commission’s investigation into anticompetitive behaviours of the NFC system in the iPhone, is split roughly in two parts. In the first, Gruber claims Apple Pay was the factor in driving widespread adoption of contactless payments, but this seems more true in the United States than anywhere else. The second half is an exploration of the user experience perspective of locking NFC payments to Apple Pay on the iPhone; I think this is the more noteworthy and compelling part of this article.

But first, some stuff I just have to nitpick, starting with Gruber’s first paragraph in response to Margrethe Vestanger’s remarks:

Apple took a vibrant, perfectly balanced market where NFC payments were used by almost no one and turned it into a market where Apple Pay is accepted at most brick and mortar retailers and millions of iPhone users enjoy using it, with whatever credit and debit cards they choose. Let’s get back to a balanced market, right?

At the outset, this is framed as a market where Apple Pay enabled tap-and-go payments over swiping cards. The CNBC article Gruber links to is explicitly about that transition — not from swiping cards to phone-based payments, but from swiping cards to tapping anything. In the U.S., this was seen as a major hurdle. When I was in Los Angeles in 2014, I noticed restaurant patrons were often expected to give their card to waitstaff and the staff member would swipe it. That was wild to me.

Elsewhere, it was a different story. Paying by tapping a card was extremely common before the announcement of Apple Pay in Canada, in several regions in Asia, and in many parts of Europe, which is Vestanger’s jurisdiction. Was it less common for people to tap to pay for stuff than it is now? Sure, but not in a way that is necessarily tied to Apple Pay.

For example, by February 2015 in the U.K., financial institutions had issued 58 million cards with support for tap payments in a country that had, at the time, about 64 million residents. While Apple Pay was announced in September 2014, it did not launch in the U.K. until mid-2015. A contemporary press release touts 320 million contactless payments in 2014 in the U.K. alone, made nearly entirely by card. That is about a million transactions a day against 58 million capable cards, or about a 2 percent usage rate. Not extraordinary — but not bad, as you will see later.

A little later in the piece, Gruber argues that Apple Pay has disproportionately high use among phone-based payment platforms:

The E.C. complaint wavers between claiming Apple Pay dominates NFC payments on iPhones and dominates the entire industry. The latter was true as recently as October 2017, when Apple Pay accounted for 90 percent of all contactless transactions globally, where it was available. As I noted at the time, that’s a remarkable achievement for a platform that by all accounts is a distant second to Android in global market share.

Here’s a study from last year that claims in the U.S., Google Pay has 3 percent share, Samsung Pay 5 percent, and Apple Pay 92 percent. You know, your classic three-way neck-and-neck horse race.

The first statement was made by Apple’s Jennifer Bailey during a presentation at Money 20/20. Bailey said that Apple Pay accounted for 90 percent of contactless mobile transactions, where it was available, not 90 percent of global contactless transactions. Unfortunately, I have been unable to find a citation or a study that makes a similar statement.

The second claim is more checkable. While that study of U.S. debit transactions — it did not include credit cards — found Apple’s market share was 92 percent among mobile wallets, it also says about 2 billion transactions were made with phone-based wallets, comprising about 2.6 percent of all debit transactions. Perhaps most surprising to me is the study’s claim that only about 30% of debit cards in the U.S., as of the end of 2020, were capable of contactless payments. The study says a little over 5 percent of contactless cards were used for a transaction, or 1.6 percent of all debit payments. That is a full percentage point lower than the proportion of payments made through mobile wallets, though probably because most Americans do not have a debit card with contactless support.

In Europe, only 14 percent of contactless payments are made by phone or watch, according to a May 2020 Mastercard study; 86 percent are made using contactless cards. This surely varies country to country. In Canada, where tapping to pay for stuff has been similarly commonplace for years, people use their cards about twice as often as they use a mobile wallet, according to a 2021 report from Payments Canada:

Overall, Canadians chose contactless card payments over mobile contactless payments in 2020. Consumers not using mobile contactless payments indicated they were satisfied with their current payment methods, had security concerns using mobile contactless payments, and did not want to store their financial information on their mobile device.

If mobile wallet apps were so much more amazing to use, should they not have much greater adoption than this? It is ironic that the one clear benefit they provide — security — is cited as a reason against their use.

This report also found Apple Pay is used more than Samsung Pay only by four percentage points, even though iPhones are about twice as popular here as Samsung phones. The great disparity between Canadian and American adoption of Apple Pay compared to Samsung Pay is curious, especially given the similar device market share split. If nothing else, it underscores how weird the U.S. payments market is. Americans each have an average of four credit cards, while Europeans have far fewer, and the U.S. has been slower to adopt chip-and-PIN payments and contactless cards. It is an outlier among developed nations.

Even so, Apple Pay is huge, and Apple was closely involved with getting payment networks on board with more secure contactless transactions. Crediting it as even a primary driver of worldwide contactless adoption is, I think, a stretch. But because Apple’s digital wallet is the only one that can use the NFC system for payments, it must be the market leader among NFC-based payment options on iPhones. That is what Vestager seems worried about throughout this speech, from the second sentence on:

Today, the Commission has sent a Statement of Objections to Apple. We are concerned that Apple may have illegally distorted competition in the market for mobile wallets on Apple devices.

That is a problem if you are, say, attempting to launch a competing digital wallet with cross-platform availability.

The first chunk of this article does not seem to stand up to a closer look at the timeline of contactless payment adoption in several countries. I did not even mention the many countries in Asia where digital wallets have far higher levels of adoption. Apps like Paytm in India, GoPay in Indonesia, PayPay in Japan, and WeChat Pay in China are all way, way more popular locally than any of the digital wallets I have mentioned so far. But I did not include them for discussion because they are all reliant upon QR codes, not NFC.

The second part of Gruber’s piece makes the case that Apple does not permit alternative wallets because it would compromise the overall experience of paying for stuff with an iPhone:

I mean, it’s all just ones and zeroes. Apple could allow users to add third-party wallet apps and grant them permission to be invoked simply by double-pressing the side button. But what happens then? Do you get an extra step where the user has to choose which wallet to use, Apple Wallet or a third-party one? Or does the third-party one replace Apple Wallet? What happens when you add a second third-party wallet app? It would get confusing very quickly.

These arguments are persuasive, but are also besides the point. Nowhere in Vestanger’s remarks is there anything about the iPhone’s hardware buttons or making a third-party wallet the default. It is admittedly easy to see how those could be next steps. Mind you, I bet many PayPay or WeChat Pay users would prefer if double-clicking their iPhone’s side button would launch those apps instead of Apple’s own Wallet. All the Commission is asking about right now is why the iPhone does not permit third-party apps to use the NFC system for payments.

And you know what? There are probably some very good reasons. I can think of at least one unintended and horrible knock-on effect of permitting wider NFC use for payments: banks could require the use of their own apps instead of Apple’s Wallet. While they are at it, they could use the opportunity to up-sell people on financial products they do not need. That would suck — though at least one part of that does suck already — and it would be a worst-case scenario for this proposal. The way Apple Pay and the Wallet app work is far better than the apps my bank has come up with. This is a legitimate concern if you take Vestanger at her word. I hope this does not happen.

It also seems plausible there are legitimate security concerns for why other developers cannot be permitted to use NFC for payments. But Apple has not specifically explained any.

I look forward to Apple’s response to this inquiry. It seems like the European Commission has good reasons to be inquiring about this, but it also seems to be self-serving and I wish it would be more honest about that angle. I am most worried about the unintended effects of permitting widespread NFC use. It means Apple controls the platform less, but that seems to require giving more control to companies that people generally do not like. As much as I think NFC payments should be something usable by any developer, I can foresee how that seemingly simple change would make mobile payments a hell of a lot worse as banks will do what banks are wont to do.