Month: December 2023

Timothy Burke posted this on Bluesky four days ago:

So I paid Google a lot of money for a long time for a plan that included unlimited storage. They then unilaterally ended that plan, but assured me my data would remain safe — just in read-only mode. Today they informed me I have seven days to move the entire archive offsite. It’s 150 TB.

Correction, I miscalculated. It’s 237.22 TB. My life’s work. And I have seven days to find somewhere else to put it.

Mike Masnick, Techdirt:

As Tim notes, this is his life’s work. And even if he had access to ~250 TBs of free storage, it’s not even clear he’d be able to transfer that much data in just seven days.

[…]

And, yes, some people have asked why Tim doesn’t have other backups around, but (again) the FBI took all of his shit. And finding (and paying for) multiple backup services that can handle 250 TBs of data is likely pretty cost prohibitive.

Blaming people for not having local copies of everything is such a lazy slight. Google markets Drive as a “secure place” to “use less of your PC/Mac disk space” by keeping files only in the cloud. After all, is that not the point of cloud storage? The software encourages us to go beyond just synchronizing our files between computers and entrust it as an extension of our local storage, so of course people are generally going to treat it as just another disk.

In Burke’s case, it is even worse because it is completely reasonable not to place personal limitations on storage marketed as “unlimited” and, now, is likely impossible to download a local copy in a preposterously short timeframe.

If you search the web or Google’s forums, you will find other stories of users consuming large amounts of Google Drive space suddenly being told they must delete files. It is an unfair bait-and-switch. These are certainly a minority of users and are extreme in their data requirements, but it seems impossible that Google would not consider that this would happen — that is to say Google did, in all likelihood, recognize that some people would take up dozens of terabytes of cloud storage when offered the opportunity, and the company either did not have a plan or, worse, its plan was to shut off unlimited access and tell people to delete stuff. Either way, it is an obviously disruptive broken promise that, like recent Drive data loss, should impact trust in Google more than it will.

Daniela Sirtori-Cortina, Bloomberg:

Presto Automation Inc. pitched a restaurant industry desperate to combat rising wages on a talking chatbot that could take orders with almost no human intervention. The firm touted OpenAI’s Sam Altman as an early investor. And it has used the firm’s technology to improve its system as it aims to triple deployments to 1,200 locations next year.

But disclosures in recent filings with the US Securities and Exchange Commission and changes to marketing suggest that the technology is less autonomous than it first appeared. The company, which went public last year, now says “off-site agents” working in locales such as the Philippines help during more than 70% of customer interactions to make sure its AI system doesn’t mess up.

The “blockchain” rebranding of yesterday has become the “A.I.” marketing of today.

The Verge put together a package of articles about the year Twitter died, and it must be seen to be believed. There is a slider in the lower-left so you can adjust the “Chaos” level of the layout but, even in its most normal setting, it is a uniquely challenging series to read.

If you move past that, you will find a few articles worth your time:

  • Zoë Schiffer wrote about Twitter’s purported founding ideals and how it changed, even before it was acquired.

  • Sarah Jeong recalled, in the best article of the set, the circumstances of targeted harassment against her, and how Twitter combined out-of-context musings and direct personal access to produce mob-like conditions.

  • Nilay Patel covered the effect of Twitter on journalists individually and media as a whole.

There is also a collection of truly excellent tweets presented in, to the best of my knowledge, the most inefficient manner possible. I am not linking to it because it was — I shit you not — a 350 megabyte webpage this morning. Several hours later, it is now a 15 megabyte page on initial load which makes Vivaldi consume more than one CPU core constantly. At any rate, the HTML alone is 2.1 megabytes; the rest is a massive amount of decoration. It is a shame because I love a collection of funny tweets. I cry laughing every time. But I cannot, in good conscience, link you to something so inefficient and reader hostile.

Victoria Scott, Road and Track:

So automakers have given us what we demanded, and the stylistic language has changed to match: the overarching trends of this decade thus far is to make our vehicles broader, heavier, boxier, and more militaristic in nature, as rounded lines don’t project power. The Cybertruck — which Musk stated at its launch “will win” in an “argument” with other vehicles — simply follows all of these themes to their logical endpoints.

A bulletproof three-and-a-half ton stainless-steel truck equipped with “Bioweapon Defense Mode” designed to slam through other cars is the perfect vehicle for a society where over a third of people are scared to walk around at night.

Once upon a time, it seemed like projecting antisocial behaviours was a rebellious move, but it feels increasingly as though the countercultural statement is just being nice.

Emily Badger, Ben Blatt, and Josh Katz, New York Times (via Clive Thompson):1

Sometime around 2009, American roads started to become deadlier for pedestrians, particularly at night. Fatalities have risen ever since, reversing the effects of decades of safety improvements. And it’s not clear why.

What’s even more perplexing: Nothing resembling this pattern has occurred in other comparably wealthy countries. In places like Canada and Australia, a much lower share of pedestrian fatalities occurs at night, and those fatalities — rarer in number — have generally been declining, not rising.

This is a fascinating article precisely because of this second quoted paragraph. It has become commonplace to blame increased pedestrian deaths on the growing presence of massive trucks and SUVs, but I am skeptical of that reasoning.

The Times article does not really get into this, but the Canadian and U.S. auto markets are pretty similar, with basically the same vehicles for sale, the same trend of trucks replacing cars, and the same overwhelming preference for vehicles with automatic transmissions instead of those with a clutch pedal. Canadians do drive less than Americans — an average of 15,366 kilometres per year compared to 21,687 kilometres per year in the U.S. — though the latest data I can find for Canada is from 2009. It is rather bizarre to me that the Times ignores such a close comparison after acknowledging it exists, instead choosing to treat the U.S. data in isolation for much of the rest of the article.

We also seem to do the same selfish and shameful things when we drive, though this is where I get a little out of my wheelhouse. Here is what I can find: U.S. drivers get arrested more often for driving under the influence: around 312 times per 100,000 people.2 The rate in Canada is lower, at 228 per 100,000, but it is not like assholes do not drink and drive here. We also legalized marijuana nationally in 2018, but trying to reliably measure drug impairment is considerably more difficult, resulting in a controversial criminal code change.

Plenty of people also use their phones while driving. I question the reliability of these reports; the Times cites a report from Cambridge Mobile Telematics, a company which produces an “AI-driven platform” for safer driving that “gathers sensor data from millions of IoT devices — including smartphones, proprietary Tags, connected vehicles, dashcams, and third-party devices — and fuses them with contextual data to create a unified view of vehicle and driver behavior”. I have only a vague sense of what that means, and I am not sure I can trust its precise-sounding finding of 2 minutes and 11 seconds per hour of driving time in the U.S. compared to a U.K. average of just 44 seconds.

I cannot trust the self-reported data of surveys conducted by Travelers Insurance, but if it is even remotely close to accurate, it suggests one reason why there is such a divergence. In the United States, 57% of survey respondents admitted to using a handheld device while driving, compared to just 17% in Canada. There is a similar split in people who read texts or emails — 57% in the U.S. and 21% in Canada — and in phone calls: 80% in the U.S. compared to 48% in Canada. Again, I do not think it is worth reading too much into this or any distracted driving statistic because it is obviously hard to accurately measure what drivers do when they are alone behind the wheel.

National collision data may be more reliable. In the U.S., the NHTSA says (PDF) around 8% of fatal collisions in 2021 were “distraction-affected”. According to Transport Canada, distraction was a “contributing factor” in an estimated 19.7% of fatal collisions the same year. It seems to me that they are reporting the same thing, but the figures are so different I am not sure they are comparable. I was going to remove this section because I do not know how to reconcile these numbers, but then I would be left with only that dumb self-reported Travelers survey.

As I noted, the above few paragraphs are out of my lane of expertise. Call this more of a working-it-out-in-public post than an authoritative perspective, because this specific divergence of the safety of pedestrians in Canada and the U.S. — on roads which, as discussed, are fairly similar — is something which has haunted me since I wrote about it in July. I kept seeing articles blaming increasing vehicle size for pedestrian deaths, and it made sense to me: the top of the hood of a stock Chevrolet Silverado is very nearly the same height as the roof of a Volkswagen Golf like the one we have. I am most often a pedestrian and cyclist, and it can be terrifying to cross in front of these massive trucks, even though I am fairly tall. I fully bought this premise in part because I do think trucks and SUVs should have a legislated maximum size, and that most people should really just buy a hatchback or station wagon. I have heard all the excuses for why people in Canada need to daily drive a large vehicle, and they all fall flat. Other countries have dry-wallers and plumbers and larger families and camping holidays, and they all get by without needing to go everywhere in an apartment building on alloy rims.

The proliferation of these massive cars makes life worse for everyone else on the road who does not have one. At night, the headlights of oncoming traffic are pointed at my eye line, which means my eyes compensate and make it impossible to see the dark road ahead. When I am entering an intersection with an SUV parked on either side on the perpendicular road, I cannot see oncoming traffic until I nearly pull into its path. When I drive down the narrow-for-Calgary streets in my area, it is an increasingly tight squeeze when most other cars are massive and their drivers often less confident.

But all of these issues are shared between Canada and the U.S. — and only one of those countries is seeing soaring pedestrian death rates. The Times says this is happening particularly often at night, but we also have night, and commuting, and Daylight Saving Time.

In related news, Apple still says its new and more immersive version of CarPlay will appear in vehicle announcements in “late 2023” which, if I am not mistaken, is approximately now. It still worries me that drivers will soon be surrounded by screens with more information, more open apps, and more to be distracted by. A driver does not need to simultaneously see, as Apple illustrates, the current weather, international clocks, a list of smart home devices, a calendar, and the current song while doing 72 kilometres (45 miles) per hour. They need to look at and around the road — not drunk, not high, not using their phone, and not speeding — and recognize the responsibility of guiding a multi-tonne automobile on roads alongside other people who may not be enrobed in metal.

I know this is a very boring public service announcement but, in fairness, I do not want to die on the grille of a Chevrolet. It is unfortunate that so much else is more exciting than driving, yet someone who is unable to focus cannot instead do their daily tasks in many Canadian and American cities using public transit.


  1. The passive voice of the Times headline irks me:

    Why Are So Many American Pedestrians Dying at Night?

    Pedestrians are not “dying”. They are actually being killed, and at an alarming rate.

  2. The FBI reported 1,024,508 DUI arrests in 2019 in a country of 328,239,523 people. Then I did math.

David Pierce, of the Verge, obtained a statement from Nadine Haija at Apple acknowledging it was responsible for shutting down Beeper Mini’s reverse-engineered iMessage app:

At Apple, we build our products and services with industry-leading privacy and security technologies designed to give users control of their data and keep personal information safe. We took steps to protect our users by blocking techniques that exploit fake credentials in order to gain access to iMessage. These techniques posed significant risks to user security and privacy, including the potential for metadata exposure and enabling unwanted messages, spam, and phishing attacks. We will continue to make updates in the future to protect our users.

Pierce:

This statement suggests a few things. First, that Apple did in fact shut down Beeper Mini, which uses a custom-built service to connect to iMessage through Apple’s own push notification service — all iMessage messages travel over this protocol, which Beeper effectively intercepts and delivers to your device. To do so, Beeper had to convince Apple’s servers that it was pinging the notification protocols from a genuine Apple device, when it obviously wasn’t. (These are the “fake credentials” Apple is talking about. Quinn Nelson at Snazzy Labs made a good video about how it all works.)

I am not surprised Apple leaned on privacy and security. Though I framed it as “shakier” than a business defence — since Beeper Mini apparently used the same standards as Apple’s own iMessage client — I did write that it would likely “treat this reverse engineering exercise as a security problem”, which is exactly what happened. Beeper Mini was a high-profile vulnerability proof-of-concept disguised as a neat new app.

Calling Nelson’s embargoed preview a “good video about how it all works” is a curious choice of words. I do not disagree that Nelson explained the mechanism successfully, but there is a whole chapter in it named “Apple isn’t likely to patch this ‘exploit’”. Nelson:

Needless to say, this doesn’t appear to be some easy thing that Apple can just turn off. It will require a complete redesign of their entire authentication and delivery strategy — not just for iMessage, but for Apple ID account access as a whole.

Maybe Apple really did redevelop its entire iMessage and Apple ID architecture in the three days between Beeper Mini’s public launch and when it was shut down — or, more charitably, between when the pypush demo was published in early August and now. But I do not think so; I think this was a relatively straightforward change. It seems like Nelson’s choice of language reflected Beeper’s overly confident explanation.

Pierce:

Since Apple cut off Beeper Mini, Beeper has been working feverishly to get it up and running again. On Saturday, the company said iMessage was working again in the original Beeper Cloud app, but Beeper Mini was still not functioning. Founder Eric Migicovsky said on Friday that he simply didn’t understand why Apple would block his app: “if Apple truly cares about the privacy and security of their own iPhone users, why would they stop a service that enables their own users to now send encrypted messages to Android users, rather than using unsecure SMS?”

Migicovsky says now that his stance hasn’t changed, even after hearing Apple’s statement. He says he’d be happy to share Beeper’s code with Apple for a security review, so that it could be sure of Beeper’s security practices. Then he stops himself. “But I reject that entire premise! Because the position we’re starting from is that iPhone users can’t talk to Android users except through unencrypted messages.”

I am not falling for Migicovsky’s play-dumb act here and, I am certain, neither are you. Of course Apple does not want some random company piggybacking on its iMessage infrastructure with an unofficial client. What part of Apple’s history since about 1997 would indicate that it would look at a reverse-engineered client for a rival operating system and say geez, thanks for helping out?

There are plenty of end-to-end encrypted messaging apps available for iOS and Android, like Signal and WhatsApp, so the premise that “iPhone users can’t talk to Android users except through unencrypted messages” is also complete nonsense. This is basically a U.S. problem, and the most common reasons cited for cross-platform compatibility — media quality, group chats, and privacy — are resolved for everyone if we choose a different app. I think it would be great if iMessage were available universally as it has been stable and reliable for me; I would also like some way for any messaging client to securely communicate with others.1 The reality is that iMessage is an Apple proprietary protocol and that is unlikely to change. Messaging is one area where there is no shortage of choice for users.

Update: Beeper says it is back, but only for users with an email address registered as an Apple ID, not phone numbers. Seems like a weird way to make another bug report.


  1. Perhaps through a vendor-provided plugin system. Admittedly, even if there were some kind of universal messaging client on Android with a Facebook-created WhatsApp plugin and a Telegram-made Telegram plugin, would you bet on Apple building iMessage compatibility? I would not.

Surely by now you have seen Google’s Gemini demo. The company opens the video with this description:

We’ve been testing the capabilities of Gemini, our new multimodal AI model.

We’ve been capturing footage to test it on a wide range of challenges, showing it a series of images, and asking it to reason about what it sees.

What follows is a series of split-screen demos with a video on the left, Gemini’s seemingly live interpretation on the right, and a voiceover conversation between — I assume — a Google employee and a robotic voice reading the Gemini interpretation.

Google acknowledges in the video description that “latency has been reduced and Gemini outputs have been shortened for brevity”. Other than that, you might expect the video to show a real experience albeit sped up; that is how I interpreted it.

Parmy Olson, Bloomberg:

In reality, the demo also wasn’t carried out in real time or in voice. When asked about the video by Bloomberg Opinion, a Google spokesperson said it was made by “using still image frames from the footage, and prompting via text,” and they pointed to a site showing how others could interact with Gemini with photos of their hands, or of drawings or other objects. In other words, the voice in the demo was reading out human-made prompts they’d made to Gemini, and showing them still images. That’s quite different from what Google seemed to be suggesting: that a person could have a smooth voice conversation with Gemini as it watched and responded in real time to the world around it.

If you read the disclaimer at the beginning of the demo in its most literal sense, Google did not lie, but that does not mean it was fully honest. I do not get the need for trickery. The real story would have undoubtably come to light, if not from an unnamed Google spokesperson then perhaps someone internally feeling a guilty pang, and it undermines how impressive this demo is. And it is remarkable — so why not make the true version part of the story? I do not think I would have found it any less amazing if I had seen a real-time demonstration of the still frame of the video being processed by Gemini with its actual output, and then I saw this simplified version.

Instead, I feel cheated.

Online privacy isn’t just something you should be hoping for — it’s something you should expect. You should ensure your browsing history stays private and is not harvested by ad networks.

By blocking ad trackers, Magic Lasso Adblock stops you being followed by ads around the web.

It’s a native Safari content blocker for your iPhone, iPad, and Mac that’s been designed from the ground up to protect your privacy.

Rely on Magic Lasso Adblock to:

  • Remove ad trackers, annoyances and background crypto-mining scripts

  • Browse common websites 2.0× faster

  • Double battery life during heavy web browsing

  • Lower data usage when on the go

So, join over 280,000 users and download Magic Lasso Adblock today.

My thanks to Magic Lasso Adblock for sponsoring Pixel Envy this week.

Todd Vaziri:

In this day and age, when there are filmmakers out there like James Cameron, Martin Scorsese, David Fincher, Michael Bay, Zack Snyder and others proudly showing off the digital effects work in their movies, considering them valuable partners in the filmmaking process (and earning billions of dollars at the box office and awards and prestigious accolades in the meantime), it’s absolutely bizarre that certain studios and filmmakers steadfastly maintain the idea that marketing a modern movie means highlighting physical production while outright lying about their use of digital visual effects — and indirectly and directly insulting an entire craft in the process.

Vaziri links to the first part of a series that will eventually be four videos by Jonas Ussing, called “‘No CGI’ is really just invisible CGI”.1 Coincidentally, Ussing uploaded the second part today, and it is excellent.


  1. If it feels familiar on this website, it is because I linked to it in the context of Apple’s October event, which it shot with iPhones.

Dan Milmo, reporting for the Guardian in 2021:

The head of safety at Facebook and Instagram’s parent company, Meta, announced that the encryption process would take place in 2023. The company had previously said the change would happen in 2022 at the earliest.

Loredana Crisan, vice president of Messenger, yesterday:

Today I’m delighted to announce that we are rolling out default end-to-end encryption for personal messages and calls on Messenger and Facebook, and a suite of new features that let you further control your messaging experience. We take our responsibility to protect your messages seriously and we’re thrilled that after years of investment and testing, we’re able to launch a safer, more secure and private service.

This news comes days after Meta announced it would separate the previously intertwined chat features of Messenger and Instagram. The company did not say why, leading some to speculate it was for E.U. regulatory compliance reasons.

Instagram and Messenger already have optional end-to-end encryption. Notably, Meta specifically says the default will be coming to Facebook and Messenger; “Instagram” is not mentioned anywhere in this announcement. It is only if you look toward the bottom of the engineering blog post that Meta says “additional testing” for end-to-end encryption in Instagram messaging is planned for “the next year”. In a Wired story, Lily Hay Newman reports “it will take some time for the rollout of full default end-to-end encryption to reach all Messenger and Instagram chat users”.

Kim Zetter says on Twitter that Meta briefed journalists last week about this news — which was supposed to be revealed tomorrow — at approximately the same time Joan Donovan filed a complaint against Harvard. Donovan claims the school forced her out after she tried to make public documents leaked by Frances Haugen. Shortly thereafter, the Chan Zuckerberg Initiative pledged $500 million to Harvard and, Donovan alleges, that in part led to her eventual dismissal.

Sean Hollister, the Verge:

On Friday, Judge Donato vowed to investigate Google for intentionally and systematically suppressing evidence, calling the company’s conduct “a frontal assault on the fair administration of justice.” We were there in the courtroom for his explanation.

“I am going to get to the bottom of who is responsible,” he said, adding he would pursue these issues “on my own, outside of this trial.”

The incidents of apparent evidence destruction — which have surfaced during both recent Google trials — are matched only by very smart executives playing dumb in court, as though everyone involved simply could not know any better. Quite the audacious plan. Everyone knows judges love to have their patience tested.

Today, after searching for a technical problem I was having, I wound up in a familiar place: a software vendor’s support forum. I ended up staring at an answer from someone proudly touting their contribution level while confidently pasting irrelevant instructions from some knowledgebase article, while echoes of Jason Snell’s frustration on “Upgrade” played in my head. I could not find a solution for my problem, but it reminded me of the recent troubles in Google Drive.

Bill Toulas, writing at Bleeping Computer on November 27:

Google Drive users are reporting that recent files stored in the cloud have suddenly disappeared, with the cloud service reverting to a storage snapshot as it was around April–May 2023.

That is bad — and it gets worse:

A trending issue reported on Google’s support forums starting last week describes a situation where people say they lost recent data and folder structure changes.

[…]

A notable aspect of the situation is that Google’s support forums are backed by volunteers with limited insight or understanding of the cloud service, so the lack of effective assistance in critical problems like this makes it all the worse.

The forum thread was opened on November 22; it took until November 27 for Google to acknowledge the problem. In the meantime, users — including those who pay money for this product — could only ask each other for support on a public discussion board where none of them have any power or internal knowledge. It is, as Snell said about these forums generally, an “abdication of responsibility”.

On November 29, Google said it had “identified the issue impacting a small subset” of users, and would be posting an update “in the next few days”. A full week later, Google has published recovery steps. Unfortunately, some users are still reporting problems even after following these instructions.

There are people out there who will blame users who keep important files in Google Drive or treat it as a backup service. I get that argument, but I disagree — Google is a giant internet company that is not usually so careless with user data, and it is perfectly reasonable to assume this folder in the sky is capable of keeping one’s precious data safe. Do not blame the users.

Blame Google, though, because this whole thing has been a catastrophe. The company failed to safeguard user data and then, when users became understandably worried, failed to communicate or in any way give the impression it was taking these problems seriously. Now, it says it has fixed the problem without any explanation for what went wrong, and some users are still reporting missing files. If I were affected by something like this, I would for sure appreciate a delayed but complete solution over a rushed but incomplete one — but Google has somehow failed to deliver either.

I think Google’s dependence on support forums is a huge part of this problem. The company has notoriously poor service. Only people who pay for a support plan are able to get help from a real person, and not by phone or even live chat. For most people, Google’s primary suggestion is to post on its forum.1 Google even frames it as an instruction to “contact us via our forum” — but you are not really contacting Google, are you? You are contacting some person named Alex who lives in Springfield and has no idea what is going on, either, but says you should try restarting your computer.

Sorry, but that will not do — not for precious files, and especially not for one of the richest corporations anywhere. Google is supposed to be good at internet services — and, historically, it has been — but it is not good at customer service. Google’s abdication in this case should be a reminder that even near-perfect reliability is irrelevant the moment there is a problem as serious as this, and when that happens, a real person being helpful will matter more than anything else. We need to have higher standards. Think about it this way: if the first couple of people to see this problem could have talked to a real person at Google, that person could have escalated this and flagged it as the big problem it is. Instead, a forum thread lingered for a week until someone at Google bothered to check on it.


  1. If you click on that link, the first item actually says “contact us” and requires you to sign in, but after logging in, it just advises you to use the forum or complete a feedback form.

U.S. Senator Ron Wyden:

In the spring of 2022, my office received a tip that government agencies in foreign countries were demanding smartphone “push” notification records from Google and Apple. My staff have been investigating this tip for the past year, which included contacting Apple and Google. In response to that query, the companies told my staff that information about this practice is restricted from public release by the government.

Raphael Satter, Reuters:

In a statement, Apple said that Wyden’s letter gave them the opening they needed to share more details with the public about how governments monitored push notifications.

“In this case, the federal government prohibited us from sharing any information,” the company said in a statement. “Now that this method has become public we are updating our transparency reporting to detail these kinds of requests.”

[…]

Wyden’s letter cited a “tip” as the source of the information about the surveillance. His staff did not elaborate on the tip, but a source familiar with the matter confirmed that both foreign and U.S. government agencies have been asking Apple and Google for metadata related to push notifications to, for example, help tie anonymous users of messaging apps to specific Apple or Google accounts.

This is an entire category of stuff the U.S. government has apparently prohibited Apple and Google from disclosing and it is a good reminder that their transparency reports exist at the behest of governments, with their limitations imposed. But, also, Apple specifically blames the “federal government” — I take that to mean the U.S. federal government. Why would they be able to prevent Apple from disclosing this category of law enforcement requests from other countries?

Joseph Cox of 404 Media reviewed one warrant which mentioned push notifications in the case of an Ohio researcher, questioning whether it “is boilerplate language that has been included in the search warrant application”. I poked around on RECAP and found a lot of filings which include the same language, including a warrant (PDF) issued to Life360 for, among other things, push notifications if they are related to the geographic location history of a specific device. Both the one I found and the one Cox cites were issued by U.S. authorities for U.S. subjects. But in another warrant (PDF), this one issued to Google, there is a difference: the subjects are based in Mexico and Vietnam.

That raises questions for me about whether push notifications, having to go through servers from Apple and Google, are a vector for the U.S. surveillance campaign on the rest of the world. It is possible to encrypt notifications on iOS and Android; my understanding is that iMessage and Signal both do so. But some metadata, as noted by Wyden, remains in clear text.

Lorenzo Franceschi-Bicchierai, TechCrunch:

On Friday, genetic testing company 23andMe announced that hackers accessed the personal data of 0.1% of customers, or about 14,000 individuals. The company also said that by accessing those accounts, hackers were also able to access “a significant number of files containing profile information about other users’ ancestry.” But 23andMe would not say how many “other users” were impacted by the breach that the company initially disclosed in early October.

As it turns out, there were a lot of “other users” who were victims of this data breach: 6.9 million affected individuals in total.

The announcement Friday was made in a financial disclosure, and the company updated an old blog post a day after this TechCrunch article was published. According to 23andMe, the information disclosed by the “DNA Relatives” feature will at minimum include a display name derived from one’s (presumably real) name, recent site activity, and “predicted” relationship.

Jason Koebler, 404 Media:

Every few years, I write an article about how it is generally not a good idea to voluntarily give your immutable genetic code to a for-profit company (or any other genetic database, for that matter), and how it is an even worse deal to pay money to do so. It is also not wise or ethical to gift a 23andMe Saliva Collection Kit to your loved ones for Christmas, their birthday, or any other reason.

Give your family and friends the gift of not subjecting their genetics to businesses with a data breach record of, as of writing and I cannot stress this enough, half their customer base.

Update: A very important postscript, via Brian Sutorius. Matthew Cortland:

So what measures has 23andMe announced to mitigate the tremendous harm their negligence has caused? If you guessed, “updating their Terms of Service to force customers – including everyone who has used 23andMe since their first product became available in the United States in 2007 – into binding arbitration” you’d be correct. 23andMe is updating their TOS to strip victims of the company’s negligence of the right to seek justice in a court of law, instead forcing those harmed by 23andMe’s conduct into binding arbitration. […]

Notification of the updated Terms of Service was sent to 23andMe users one day before it disclosed the results of its investigation. If you are a user, there are specific steps you need to follow this month to opt out of binding arbitration. Read Cortland’s post in full for more information.

Bruce Schneier, Slate:

Knowing that they are under constant surveillance changes how people behave. They conform. They self-censor, with the chilling effects that brings. Surveillance facilitates social control, and spying will only make this worse. Governments around the world already use mass surveillance; they will engage in mass spying as well.

Corporations will spy on people. Mass surveillance ushered in the era of personalized advertisements; mass spying will supercharge that industry. Information about what people are talking about, their moods, their secrets — it’s all catnip for marketers looking for an edge. The tech monopolies that are currently keeping us all under constant surveillance won’t be able to resist collecting and using all of that data.

And Schneier on his blog, a republished transcript of a September talk at Harvard:

In this talk, I am going to make several arguments. One, that there are two different kinds of trust—interpersonal trust and social trust—and that we regularly confuse them. Two, that the confusion will increase with artificial intelligence. We will make a fundamental category error. We will think of AIs as friends when they’re really just services. Three, that the corporations controlling AI systems will take advantage of our confusion to take advantage of us. They will not be trustworthy. And four, that it is the role of government to create trust in society. And therefore, it is their role to create an environment for trustworthy AI. And that means regulation. Not regulating AI, but regulating the organizations that control and use AI.

If you only have time for one of these, I recommend the latter. It is more expansive, thoughtful, and makes me reconsider how regulatory framing ought to work for these technologies.

Both are great, however, and worth your time.

Sony PlayStation:

As of 31 December 2023, due to our content licensing arrangements with content providers, you will no longer be able to watch any of your previously purchased Discovery content and the content will be removed from your video library.

The list of shows which users “purchased” is extensive and, because this is digital media, varies by country. The above link is to the Canadian list; the U.S. list is even longer.

Michael Tsai has a good roundup of articles, with most noting this is not an isolated incident and sharing other — often entirely different — examples. It is obviously an intolerable practice. Yet it is increasingly standard for digital purchases to be licensed in a way where access can be changed or revoked without consent.

I spot-checked the PlayStation list and found many of these shows are not officially available in a hard copy format. Sure, nobody is entitled to own them at all, but if you want to ensure you retain access for whatever reason, you often have no legal option. “Okay, well, you know what that means: steal it”.

Beeper:

Now you can send and receive blue bubble texts from your phone number. As soon as you install Beeper Mini, your Android phone number will be blue instead of green when your iPhone friends text you. It’s easy to join iPhone-only group chats, since people can add your phone number instead of your email address. All chat features like typing status, read receipts, full resolution images/video, emoji reactions, voice messages, editing, un-sending, and more are supported.

Beeper is charging two dollars per month for access.

This is all made possible by the frankly incredible work of the pypush project. Primarily, its author is “JJTech”, a high school student who reverse-engineered the way iMessage works:

One of the most foundational components of iMessage is Apple Push Notification Service (APNs). You might have encountered this before, as it is the same service that is used by applications on the App Store to receive realtime notifications and updates, even while the app is closed.

However, what you probably didn’t know about APNs is that it is bidirectional. That’s right, APNs can be used to send push notifications as well as receive them. You can probably already tell where this is going, right?

This overview is pretty good; I think I understand what is going on here, even if the specifics are flying right over my head. This is extremely clever. Unlike the catastrophic launch of Nothing’s messaging client and all other predecessors, Beeper Mini is not proxying iMessages through Apple devices. It is sending and receiving iMessages as though it is an Apple device. Regardless of how concerned you may feel about privacy and security, you have to admit that is pretty impressive. It has somehow taken eleven years to fully reverse-engineer iMessage and build a user-friendly client — but it seems it has been done.

Journalists have understandably raised questions about how long this app will be tolerated by Apple. The people behind it — including “JJTech” — believe Apple could not turn it off for technical reasons, but it seems like Apple is prepared to discontinue services on older devices at least. The Verge’s Nilay Patel noted on Threads the P.R. risk of shutting it down, while Sarah Perez of TechCrunch points to current antitrust investigations and E.U. regulations.

I am not so sure any of this would be a deterrent for Apple. It could be more restrictive on what it would portray as privacy, security, and business grounds. The privacy and security excuses could feel shakier, as it does seem messages sent through Beeper Mini fit the iMessage protocol without additional risk exposure — pending third-party auditing, of course — but the business case is more solid. As noted earlier, Beeper is selling iMessage access, but Apple does not charge for the service. It bakes the cost into device sales. Beeper gets to profit from Apple’s free-to-users network.

I am not defending Apple’s revenue or its likely stance; I do not much care either way. For what it is worth, I do not think Beeper Mini will actually make much of an impact because iMessage interoperability concerns are localized to the United States and a handful of other countries. But I do think Apple is protective of its network and will treat this reverse engineering exercise as a security problem. If it wants to launch iMessage on Android, it will do so on its own terms.

Some table-setting: I rarely need to note any conflicts of interest in the things I publish here, but repeat site sponsor — most recently this week — Magic Lasso is an ad blocker, and its developer must navigate YouTube’s crackdown. To be clear, this post is not informed by that sponsorship, and I am mindful of separating the part of this site that makes me money from the reason people read anything I write in the first place. (Sorry, Magic Lasso.)

Anthony Ha, Engadget:

As noted in a blog post by the ad- and tracker-blocking company Ghostery, YouTube employs a wide variety of techniques to circumvent ad blockers, such as embedding an ad in the video itself (so the ad blocker can’t distinguish between the two), or serving ads from the same domain as the video, fooling filters that have been set up to block ads served from third-party domains.

[…]

Keeping pace with YouTube will likely become even more challenging next year, when Google’s Chrome browser adopts the Manifest V3 standard, which significantly limits what extensions are allowed to do. Modras said that under Manifest V3, whenever an ad blocker wants to update its blocklist — again, something they may need to do multiple times a day — it will have to release a full update and undergo a review “which can take anywhere between [a] few hours to even a few weeks.”

The transition to Manifest V3 has been a long time coming, which means much has been written about it, and I question the more absolutist claims that its eventual rollout will destroy ad blockers. In 2019, Catalin Cimpanu of ZDNet reported that Apple rolled out similar restrictions, pointing to shutdown notices from uBlock Origin and AdGuard Pro. Four years later, uBlock remains unavailable, but there is still a version of AdGuard for Safari. I would bet on there being differences, but ad blockers exist for Safari, which surely means the kinds of restrictions Google is working on are not a death knell for the industry.

Unsurprisingly, the motivations for this feel different when it is being done by Google instead of Apple because Google’s whole business model is based on advertising. When it changes extensions in Chrome, the world’s most popular web browser, in ways that make ad blocking more difficult, people are going to view that as a conflict of interest. YouTube also happens to be the place most of the world watches video. That gives Google an extraordinary advantage: it runs the browser, it hosts the video, and it powers the ads.

Craig Mod:

YouTube premium is the greatest deal on the internet, and all the work to block YouTube ads leaves me confused. Premium is the best kind of paid service upgrade: it makes the user experience perfect and you support creators.

It is nice for there to be options available to users instead of an expectation of advertising. If you watch a lot of YouTube, Premium looks like a great choice, though I find it requires a reorientation of your headspace: think of YouTube Premium as “YouTube”, and YouTube sans Premium as the “free trial” or “lite” version. That framing also puts Google’s strategy for YouTube into a more understandable context, I think. Google has increased the per-video ad load and it delivers fewer skippable ads, and it is becoming more strict about ad blocking in the same way many software companies limit free trials.

But I can understand why people block ads, too, because the quality of ads I get on YouTube sucks. Part of this is my fault because I am a more privacy-conscious user and, so, take steps to prevent specific targeting. That means I get an awful lot of ads with deep-faked celebrities hawking sketchy investments, garbage supplements, gambling, diet scammers, and other bottom-of-the-barrel crap. I understand my restrictions reduce my likelihood of seeing things which interest me. On the other hand, why is Google accepting ads like these in the first place?

Ha notes that Adblock Plus is not dedicating itself to YouTube ad blocking, as it says they fall under the acceptable ads criteria. Fine. I do not think the sort of ads I get are actually acceptable in a broader sense; they are the kinds of things that would rightfully be rejected by the sleaziest print publication. But if they are not seen as disruptive in the way, say, a popover or interstitial ad might be, I can understand that.

At least there are now options. You can grin and bear the nightmare surveillance ad machine, you can excise yourself from that targeting and still put up with ads, or you can pay to separate yourself from the results of that system while your data is still used to feed it. Or you can try to fight it. Just be prepared for Google to fight back.

You can also support your favourite video creators — or writers — on platforms like Patreon, too. But that cuts Google out of the revenue picture, so do not expect to see them pitching that as a legitimate alternative option. The main problem with YouTube is that it is a social network for some users, and a utility for others, and those perspectives are not always compatible.

Want to experience twice as fast load times in Safari on your iPhone, iPad, and Mac?

Then download Magic Lasso Adblock — the ad blocker designed for you. It’s easy to set up, blocks all ads, and doubles the speed at which Safari loads.

Magic Lasso Adblock is an efficient and high performance ad blocker for your iPhone, iPad, and Mac. It simply and easily blocks all intrusive ads, trackers and annoyances in Safari. Just enable to browse in bliss.

By cutting down on ads and trackers, common news websites load 2× faster and use less data.

Over 280,000+ users rely on Magic Lasso Adblock to:

  • Improve their privacy and security by removing ad trackers

  • Block annoying cookie notices and privacy prompts

  • Double battery life during heavy web browsing

  • Lower data usage when on the go

And unlike some other ad blockers, Magic Lasso Adblock respects your privacy, doesn’t accept payment from advertisers, and is 100% supported by its community of users.

With over 5,000 five star reviews; it’s simply the best ad blocker for your iPhone, iPad, and Mac.

Download today via the Magic Lasso website.

My thanks to Magic Lasso Adblock for sponsoring Pixel Envy this week.