Month: July 2024

Tim Berners-Lee in 1998:

Keeping URIs so that they will still be around in 2, 20 or 200 or even 2000 years is clearly not as simple as it sounds. However, all over the Web, webmasters are making decisions which will make it really difficult for themselves in the future. Often, this is because they are using tools whose task is seen as to present the best site in the moment, and no one has evaluated what will happen to the links when things change. The message here is, however, that many, many things can change and your URIs can and should stay the same. They only can if you think about how you design them.

Jay Hoffmann:

Links give greater meaning to our webpages. Without the link, we would lose this significant grammatical tool native to the web. And as links die out and rot on the vine, what’s at stake is our ability to communicate in the proper language of hypertext.

A dead link may not seem like it means very much, even in the aggregate. But they are. One-way links, the way they exist on the web where anyone can link to anything, is what makes the web universal. In fact, the first name for URL’s was URI’s, or Universal Resource Identifier. It’s right there in the name. And as Berners-Lee once pointed out, “its universality is essential.”

In 2018, Google announced it was deprecating its URL shortener, with no new links being created after March 2019. All existing shortened links would, however, remain active. It announced this in a developer blog post which — no joke — returns a 404 error at its original URL, which I found via 9to5Google. Google could not bother to redirect posts from just six years ago to their new valid URLs.

Google’s URL shortener was in the news again this month because the company has confirmed it will turn off these links in August 2025 except for those created via Google’s own apps. Google Maps, for example, still creates a goo.gl short link when sharing a location.

In principle, I support this deprecation because it is confusing and dangerous for Google’s own shortened URLs to have the same domain as ones created by third-party users. But this is a Google-created problem because it designed its URLs poorly. It should have never been possible for anyone else to create links with the same URL shortener used by Google itself. Yet, while it feels appropriate for a Google service to be unreliable over a long term, it also should not be ending access to links which may have been created just about five years ago.

By the way, the Sophos link on the word “dangerous” in that last paragraph? I found it via a ZDNet article where the inline link is — you guessed it — broken. Sophos also could not bother to redirect this URL from 2018 to its current address. Six years ago! Link rot is a scourge.

Mark Bergen and Dawn Chmielewski, reporting for Vox — or perhaps Recode — in June 2016:

The latest charge comes from SourceFed, a stray pop culture web and video site. It uploaded a short YouTube video on Thursday charging Google with deliberately altering search recommendations — through its function that automatically offers suggestions as a query is typed — to give positive treatment to Clinton.

Google vehemently denied the charges. “Google Autocomplete does not favor any candidate or cause,” a rep wrote. “Claims to the contrary simply misunderstand how Autocomplete works.”

A spokesperson for Google explained the search engine’s autocomplete feature will “not show a predicted query that is offensive or disparaging”, which is understandable. Eight years later, that appears to be how Google continues to work. A search for donald trump cr offers just one autocompleted suggestion: crypto. Another, for donald trump fe, presents no autocompletion suggestions even though he is a convicted felon. One can see why Google would choose to err on the safe side.

Mike Masnick, Techdirt, after a series of similar claims spread over the past few weeks:

The key point here is that some of this stuff just happens. It’s part of how algorithms work. Sometimes they make mistakes. Sometimes you disagree with why they do things. And people need to stop overreacting to it all. Most of the examples discussed in this article were just normal things that happen all the time, but which got a ton of extra attention because everyone’s on edge and amped up.

That doesn’t mean people shouldn’t be on the lookout for stuff, but don’t immediately jump to conclusions and assume malfeasance.

It is reasonable to want to hold technology companies to a high standard and expect them to be more competent, especially when it comes to election-related topics. In some cases, systems are being triggered as they should, but they are poorly explained to users by generic error messages. Others are just broken. None of this should be surprising in an era where even the largest platforms seem to be so fragile as to be held together by the software equivalent of thumbtacks and glue sticks.

Karissa Bell, Engadget:

Zuckerberg then launched into a lengthy rant about his frustrations with “closed” ecosystems like Apple’s App Store. None of that is particularly new, as the Meta founder has been feuding with Apple for years. But then Zuckerberg, who is usually quite controlled in his public appearances, revealed just how frustrated he is, telling Huang that his reaction to being told “no” is “fuck that.”

It all has a whiff of the image consultant, with notes of Musk.

Everybody knows a corporate executive wearing boring business clothes and answering questions with defined talking points is playing a role. This costume Zuckerberg is wearing is just as much of a front. The billionaire CEO of a publicly traded social media company cannot be a rebel in any meaningful sense.

Nilay Patel, of the Verge, interviewed Hanneke Faber, CEO of Logitech, for the Decoder podcast.

NP […] You sell me the keyboard once. It’s got Options Plus. It has an AI button. I push the button, and someone has to make sure the software still works. Someone probably has to pay ChatGPT for access to the service. Where is that going to come from? Are you baking that into the margin of the keyboard or the mouse?

HF Absolutely. We’re baking that in, and I’m not particularly worried about that. What I’m actually hoping is that this will contribute to the longevity of our products, that we’ll have more premium products but products that last longer because they’re superior and because we can continue to update them over time. And again, I talked about doubling the business and reducing the carbon footprint by half. The longevity piece is really important.

I’m very intrigued. The other day, in Ireland, in our innovation center there, one of our team members showed me a forever mouse with the comparison to a watch. This is a nice watch, not a super expensive watch, but I’m not planning to throw that watch away ever. So why would I be throwing my mouse or my keyboard away if it’s a fantastic-quality, well-designed, software-enabled mouse. The forever mouse is one of the things that we’d like to get to.

Faber goes on to say this is a mouse with always-updated software, “heavier” — which I interpreted as more durable — and something which could provide other services. In response to Patel’s hypothetical of paying $200 one time, Faber said the “business model obviously is the challenge there”, and floats solving that through either a subscription model or inventing new products which get buyers to upgrade.

The part of this which is getting some attention is the idea of a subscription model for a mouse which is, to be fair, stupid. But the part which I was surprised by is the implication that longevity is not a priority for business model reasons. I am not always keen to ascribe these things to planned obsolescence, yet this interview sure looks like Faber is outright saying Logitech does not design products with the intention of them lasting for what at least seems like “forever”.

To be fair, I have not bought anything from Logitech in a long time, and I do not remember when I last did. I believe its cable may have terminated in a PS/2 plug. I switched to a trackpad on my desk long ago. When I bought my Magic Trackpad in 2015, I assumed I would not have to replace it for at least a decade; nine years later, I have not even thought about getting a new one. Even if its built-in battery dies — its sole weakness — I think I will be able to keep using it in wired mode.

But then I went on Wikipedia to double-check the release date of the second-generation Magic Trackpad, and I scrolled to the “Reception” section. Both generations were criticized as being too expensive at $70 for the first version, and $130 for the second. But both price tags seem like a good deal for a quality product. Things should be built with the intention they will last a long time, and a $200 mouse is a fine option if it is durable and could be repaired if something breaks.

I know this is something which compromises business models built on repeat business from the same customers, whether that means replacing a broken product or a monthly recurring charge. But it is rare for a CEO to say so in such clear terms. I appreciate the honesty, but I am repelled by the idea.

Lily Dupuis, CBC News:

Calgary: Blue Sky City.

That’s the new city slogan unveiled by Calgary Economic Development and Tourism Calgary on Wednesday, replacing “Be Part of the Energy,” marking the start of a new era of branding.

Strategists with the groups say this new brand is a nod to innovation — Calgary being a city of blue-sky thinking — and one that reflects all Calgarians.

Richard White:

Calgary tried to rebrand itself in the late ’90s as the “Heart of the New West.” And when that didn’t work, in 2011 we tried “Be Part of the Energy.” It didn’t work either. The fact is, the best city nicknames are not contrived in workshops and brainstorming sessions, they happen at more a grassroots level or based on some obvious fact. I wonder, “Can a city give itself a nickname?”

Daughter is responsible for this rebranding:

We created a visual language inspired by beadwork, a cross-cultural art form where individual elements come together to form something strong, beautiful, and greater than the sum of its parts — a balance of individuality and collective identity. This is reflected in a dynamic logo system, and a broader visual language of beadwork and patterning.

I do not like linking to hard paywalled things, but Armin Vit of Brand New recently reviewed this new identity and it is exceptionally thoughtful:

I was in Calgary once in the dead of winter for a quick in-and-out trip so I saw a limited range of the city, which felt a little desolate in the 48 hours I was there and it was just brutally cold too. Sunny, though! So I can attest to that. Overall, this helps present Calgary in, almost literally, a new light and it should help in attracting visitors and business or at least consider it as a viable alternative to the more popular Canadian destinations like Toronto, Montréal, and Vancouver.

Even though it intersects perfectly with my local interests and design career, I have been sitting on this news for a while because it is the kind of thing which needs to settle. It is a huge ask to give a city a marketable identity. The most successful of them, as White points out, are given by others or earned, not self-created.

That must have been a tall order for Daughter. Mohkinstsis, and other names for this area before it was colonized, are a reference to our two major rivers and the elbow junction where they meet. Post-colonization, the city was known first as the “sandstone city” and then the Stampede City. “Calgary” possibly traces its name to Old Norse words for “cold garden”. But the city, as Calgary, is relatively new — incorporated just 140 years ago — and we are in the midst of attempting to correct for the terrible legacy of colonizer violence. Wrapping all of this together in a pleasant visual identity to market to tourists is surely a difficult task.

I think Daughter and the others involved in this rebrand have largely succeeded. Past rebranding attempts have centred an outdated cowboy image and our filthy petrochemical industry. To that end, it sure looks a little like greenwashing — or, perhaps, bluewashing. But, while locals like White have reacted somewhat negatively to the change, the more international commenters on Brand New are effusive in their praise.

I think it is an impressive rebrand, though the typesetting of the “blue sky city” tagline looks disconnected to my eyes from the rest of the work. Perhaps this is only a reflection of my writing this under a cloudy sky. Everything in this package positions Calgary as a destination which may be overlooked outside of ten days each July, but it also suggests a nagging subtext: Montreal, Toronto, and Vancouver speak for themselves, but Calgary needs to be taglined and positioned. We are a city of a million and a half people and we are not yet acting like it.

Anthony Chavez, of Google:

[…] Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing, and they’d be able to adjust that choice at any time. We’re discussing this new path with regulators, and will engage with the industry as we roll this out.

Oh good — more choices.

Hadley Beeman, of the W3C’s Technical Architecture Group:

Third-party cookies are not good for the web. They enable tracking, which involves following your activity across multiple websites. They can be helpful for use cases like login and single sign-on, or putting shopping choices into a cart — but they can also be used to invisibly track your browsing activity across sites for surveillance or ad-targeting purposes. This hidden personal data collection hurts everyone’s privacy.

All of this data collection only makes sense to advertisers in the aggregate, but it only works because of specifics: specific users, specific webpages, and specific actions. Privacy Sandbox is imperfect but Google could have moved privacy forward by ending third-party cookies in the world’s most popular browser.

Anthony Ha, of TechCrunch, interviewed Jean-Paul Schmetz, CEO of Ghostery, and I will draw your attention to this exchange:

AH I want to talk about both of those categories, Big Tech and regulation. You mentioned that with GDPR, there was a fork where there’s a little bit of a decrease in tracking, and then it went up again. Is that because companies realized they can just make people say yes and consent to tracking?

J-PS What happened is that in the U.S., it continued to grow, and in Europe, it went down massively. But then the companies started to get these consent layers done. And as they figured it out, the tracking went back up. Is there more tracking in the U.S. than there is in Europe? For sure.

AH So it had an impact, but it didn’t necessarily change the trajectory?

J-PS It had an impact, but it’s not sufficient. Because these consent layers are basically meant to trick you into saying yes. And then once you say yes, they never ask again, whereas if you say no, they keep asking. But luckily, if you say yes, and you have Ghostery installed, well, it doesn’t matter, because we block it anyway. And then Big Tech has a huge advantage because they always get consent, right? If you cannot search for something in Google unless you click on the blue button, you’re going to give them access to all of your data, and you will need to rely on people like us to be able to clean that up.

The TechCrunch headline summarizes this by saying “regulation won’t save us from ad trackers”, but I do not think that is a fair representation of this argument. What it sounds like, to me, is that regulations should be designed more effectively.

The E.U.’s ePrivacy Directive and GDPR have produced some results: tracking is somewhat less pervasive, people have a right to data access and portability, and businesses must give users a choice. That last thing is, as Schmetz points out, also its flaw, and one it shares with something like App Tracking Transparency on iOS. Apps affected by the latter are not permitted to keep asking if tracking is denied, but they do similarly rely on the assumption a user can meaningfully consent to a cascading system of trackers.

In fact, the similarities and differences between cookie banner laws and App Tracking Transparency are considerable. Both require some form of consent mechanism immediately upon accessing a website or an app, assuming a user can provide that choice. Neither can promise tracking will not occur should a user deny the request. Both are interruptive.

But cookie consent laws typically offer users more information; many European websites, for example, enumerate all their third-party trackers, while App Tracking Transparency gives users no visibility into which trackers will be allowed. The latter choice is remembered forever unless a user removes and reinstalls the app, while websites can ask you for cookie consent on each visit. Perhaps the latter may sometimes be a consequence of using Safari; it is hard to know.

App Tracking Transparency also has a system-wide switch to opt out of all third-party tracking. There used to be something similar in web browsers, but compliance was entirely optional. Its successor effort, Global Privacy Control, is sadly not as widely supported as it ought to be, but it appears to have legal teeth.

Both of these systems have another important thing in common: neither is sufficiently protective of users’ privacy because they burden individuals with the responsibility of assessing something they cannot reasonably comprehend. It is patently ridiculous to put the responsibility on individuals to mitigate a systemic problem like invasive tracking schemes.

There should be a next step to regulations like these because user tracking is not limited to browsers where Ghostery can help — if you know about it. A technological response is frustrating and it is unclear to me how effective it is on its own. This is clearly not a problem regulation alone can solve, but neither can browser extensions. We need both.

Thom Holwerda:

A story that’s been persistently making the rounds since the CrowdStrike event is that while several airline companies were affected in one way or another, Southwest Airlines escaped the mayhem because they were still using Windows 3.1. It’s a great story that fits the current zeitgeist about technology and its role in society, underlining that what is claimed to be technological progress is nothing but trouble, and that it’s better to stick with the old. At the same time, anybody who dislikes Southwest Airlines can point and laugh at the bumbling idiots working there for still using Windows 3.1. It’s like a perfect storm of technology news click and ragebait.

Too bad the whole story is nonsense.

I would say Holwerda’s debunking is a thorough exploration of how so many media outlets got this story wrong but — and I mean this in the nicest possible way — that would be overselling it. As Holwerda admits, it took scarcely any research to fact check a claim carried by Tom’s Hardware, Tech Radar, Forbes, Digital Trends, and lots of others. Embarrassing.

Dana Mattioli, Wall Street Journal:

When Amazon launched the Echo smart home devices with its Alexa voice assistant in 2014, it pulled a page from shaving giant Gillette’s classic playbook: sell the razors for a pittance in the hope of making heaps of money on purchases of the refill blades.

A decade later, the payoff for Echo hasn’t arrived. While hundreds of millions of customers have Alexa-enabled devices, the idea that people would spend meaningful amounts of money to buy goods on Amazon by talking to the iconic voice assistant on the underpriced speakers didn’t take off.

According to Mattioli’s reporting, in a span of just four years — 2017 through 2021 — Amazon lost $25 billion on “devices”. According to SEC filings (PDF), this category would likely include things like Fire TV sticks, Ring doorbell cameras, Kindles, and Alexa products. It is unclear to me what portion of these losses can be specifically attributed to Alexa devices.

I know I am probably an outlier, but I have never understood why someone would buy anything with just their voice. I cannot think of a reason why I would buy any of these smart speakers in general, though I understand why controlling your house with your voice could be useful for a person with a disability. But buying things from the world’s most popular flea market without any control over what shows up at your door sounds horrible.

Kate Conger, New York Times:

On May 11, Mr. [Elon] Musk posted that he had selected a chief executive [for Twitter]. It was Ms. [Linda] Yaccarino.

[…]

Many of her longtime peers in the advertising world were shocked that Ms. Yaccarino accepted the job — they feared she would tarnish her reputation by associating herself with Mr. Musk. But several colleagues who worked with her at X said she and Mr. Musk were more alike than their public personas might suggest. They share a fervent belief that their responsibilities range beyond running a viable business into rescuing the principle of free speech, a paranoia of sabotage from employees and associates, and a willingness to pursue legal action against critics.

Colin Kirkland, MediaPost:

As X owner Elon Musk continues to post about record high engagement on his social media hub, a new report by data intelligence platform Tracer shows “significant drops” in user engagement and “drastic drops” in advertising unlike competitors like YouTube, Instagram and Pinterest.

In June, X advertising saw drops month-over-month and year-over-year, the report shows, with click-through-rates (CTRs) declining 78% month-over-month, which the report suggests reflects a sharp downturn in user activity. In addition, cost-per-thousand (CPMs) decreased 17% from May to June, suggesting that advertisers are also leaving X.

I cannot imagine being Yaccarino in the position she finds herself: trying to build advertising partnerships for a platform owned by the world’s richest jackass. But, while X seems to have lost some clout — and, according to the Times article, over half its advertising revenue — compared to Twitter, I wonder how much it matters in the short term.

Do not get me wrong; it is revolting for a platform to expressly support and even boost conspiracy theories and regressive ideologies. Yet the continuing relevance of this platform indicates some portion of the public wants a light 4chan-like experience, which is an alarming but not surprising finding. The world has, unfortunately, become more comfortable with reactionary and previously extremist ideas. It is no longer poisonous for public figures to have odious beliefs.

We are not better for tolerating this shallow, unproductive, and repulsive interpretation of free expression — quite the opposite, in fact. If Yaccarino thinks this is what it looks like when one is, in the Times’ words, “rescuing the principle of free speech”, she is failing. She is helping her boss give morons a loudspeaker with barely any restrictions, while treating normal words as slurs because they are politically incorrect for the site’s regressive user base. Is this all Musk’s fault? How much of an active role does Yaccarino play? Perhaps blaming Yaccarino for any of this, even partially, is unfair of me. But she is a CEO who was placed — in part, at least — to legitimize this platform for advertisers.

Barath Raghavan and Bruce Schneier, Lawfare:

Today’s internet systems are too complex to hope that if we are smart and build each piece correctly the sum total will work right. We have to deliberately break things and keep breaking them. This repeated process of breaking and fixing will make these systems reliable. And then a willingness to embrace inefficiencies will make these systems resilient. But the economic incentives point companies in the other direction, to build their systems as brittle as they can possibly get away with.

This is a tremendous essay — a call to action in opposition to the shallow cost-effectiveness embraced by corporations up and down the high technology chain. Now all we need is to hope businesses do things which are not in their immediate financial interest.

Thomas Claburn, the Register:

Google promotes its reCAPTCHA service as a security mechanism for websites, but researchers affiliated with the University of California, Irvine, argue it’s harvesting information while extracting human labor worth billions.

[…]

“Traffic resulting from reCAPTCHA consumed 134 petabytes of bandwidth, which translates into about 7.5 million kWhs of energy, corresponding to 7.5 million pounds of CO2. In addition, Google has potentially profited $888 billion from cookies [created by reCAPTCHA sessions] and $8.75–32.3 billion per each sale of their total labeled data set.”

I have seen this paper (PDF) being passed around and, while I find its participant-reported data believable — people are much less satisfied with image-based CAPTCHA puzzles than checkboxes — these calculations are unbelievable.

To reiterate, the researchers are estimating reCAPTCHA sessions have, over the past thirteen years, been responsible for $888 billion of Google’s income. In that time, Google has made $1.8 trillion in revenue. These researchers are suggesting up to 49% of that can be directly tied to reCAPTCHA cookies.

Here is the explanation they give in the paper for how they arrived at that conclusion:

[…] According to Forbes [3], digital ad spending reached over $491 billion globally in 2021, and more than half of the market (51%) heavily relied on third-party cookies for advertisement strategies [1]. The expenditure on third-party audience data (collected using tracking cookies) in the United States reached from $15.9 billion in 2017 to $22 billion in 2021 [2]. More concretely, the current average value life-time of a cookie is €2.52 or $2.7 [58]. Given that there have been at least 329 billion reCAPTCHAv2 sessions, which created tracking cookies, that would put the estimated value of those cookies at $888 billion dollars.

It seems the researchers simply multiplied the total estimated number of reCAPTCHA sessions by a current average value to arrive at this number. I am probably missing some obvious flaws, but there are three I noticed. First, this calculation assumes cookies created thirteen years ago still exist today and have the same value, on average, as any other cookie. Second, it assumes all sessions materialize in a unique, individually valuable cookie. Lastly, it is unclear that a cookie’s value can be directly tied to Google’s income, as the researchers claim: “Google has potentially profited $888 billion from [reCAPTCHA] cookies”. None of these assumptions makes sense to me.

Aditya Kalra, Reuters:

An investigation by India’s antitrust body has found that Apple exploited its dominant position in the market for app stores on its iOS operating system, engaging “in abusive conduct and practices”, a confidential report seen by Reuters showed.

[…]

“Apple App Store is an unavoidable trading partner for app developers, and resultantly, app developers have no choice but to adhere to Apple’s unfair terms, including the mandatory use of Apple’s proprietary billing and payment system,” the CCI unit said in the June 24 report.

India is a rapidly growing market for Apple and one which Tim Cook identified as important in 2017.

At what point will it be easier for more flexible and open App Store policies to become available worldwide instead of in individual countries and regions? That day seems to be approaching fast.

Katie McQue, the Guardian:

The UK’s National Society for the Prevention of Cruelty to Children (NSPCC) accuses Apple of vastly undercounting how often child sexual abuse material (CSAM) appears in its products. In a year, child predators used Apple’s iCloud, iMessage and Facetime to store and exchange CSAM in a higher number of cases in England and Wales alone than the company reported across all other countries combined, according to police data obtained by the NSPCC.

Through data gathered via freedom of information requests and shared exclusively with the Guardian, the children’s charity found Apple was implicated in 337 recorded offenses of child abuse images between April 2022 and March 2023 in England and Wales. In 2023, Apple made just 267 reports of suspected CSAM on its platforms worldwide to the National Center for Missing & Exploited Children (NCMEC), which is in stark contrast to its big tech peers, with Google reporting more than 1.47m and Meta reporting more than 30.6m, per NCMEC’s annual report.

The reactions to statistics related to this particularly revolting crime are similar to all crime figures: higher and lower numbers can be interpreted as both positive and negative alike. More reports could mean better detection or more awareness, but it could also mean more instances; it is hard to know. Fewer reports might reflect less activity, a smaller platform size or, indeed, undercounting. In Apple’s case, it is likely the latter. It is neither a small platform nor one which prohibits the kinds of channels through which CSAM is distributed.

NCMEC addresses both these problems and I think its complaints are valid:

U.S.-based ESPs are legally required to report instances of child sexual abuse material (CSAM) to the CyberTipline when they become aware of them. However, there are no legal requirements regarding proactive efforts to detect CSAM or what information an ESP must include in a CyberTipline report. As a result, there are significant disparities in the volume, content and quality of reports that ESPs submit. For example, one company’s reporting numbers may be higher because they apply robust efforts to identify and remove abusive content from their platforms. Also, even companies that are actively reporting may submit many reports that don’t include the information needed for NCMEC to identify a location or for law enforcement to take action and protect the child involved. These reports add to the volume that must be analyzed but don’t help prevent the abuse that may be occurring.

Not only are many reports not useful, they are also part of an overwhelming caseload which law enforcement struggles to turn into charges. Proposed U.S. legislation is designed to improve the state of CSAM reporting. Unfortunately, the wrong bill is moving forward.

The next paragraph in the Guardian story:

All US-based tech companies are obligated to report all cases of CSAM they detect on their platforms to NCMEC. The Virginia-headquartered organization acts as a clearinghouse for reports of child abuse from around the world, viewing them and sending them to the relevant law enforcement agencies. iMessage is an encrypted messaging service, meaning Apple is unable to see the contents of users’ messages, but so is Meta’s WhatsApp, which made roughly 1.4m reports of suspected CSAM to NCMEC in 2023.

I wish there was more information here about this vast discrepancy — a million reports from just one of Meta’s businesses compared to just 267 reports from Apple to NCMEC for all of its online services. The most probable explanation, I think, can be found in a 2021 ProPublica investigation by Peter Elkind, Jack Gillum, and Craig Silverman, about which I previously commented. The reporters here revealed WhatsApp moderators’ heavy workloads, writing:

Their jobs differ in other ways. Because WhatsApp’s content is encrypted, artificial intelligence systems can’t automatically scan all chats, images and videos, as they do on Facebook and Instagram. Instead, WhatsApp reviewers gain access to private content when users hit the “report” button on the app, identifying a message as allegedly violating the platform’s terms of service. This forwards five messages — the allegedly offending one along with the four previous ones in the exchange, including any images or videos — to WhatsApp in unscrambled form, according to former WhatsApp engineers and moderators. Automated systems then feed these tickets into “reactive” queues for contract workers to assess.

WhatsApp allows users to report any message at any time. Apple’s Messages app, on the other hand, only lets users flag a sender as junk and, even then, only if the sender is not in the user’s contacts and the user has not replied a few times. As soon as there is a conversation, there is no longer any reporting mechanism within the app as far as I can tell.

The same is true of shared iCloud Photo albums. It should be easy and obvious how to report illicit materials to Apple. But I cannot find an obvious mechanism for doing so — not in an iCloud-shared photo album, and not in an obvious place on Apple’s website, either. As noted in Section G of the iCloud terms of use, reports must be sent via email to abuse@icloud.com. iCloud albums use long, unguessable URLs, so the likelihood of unintentionally stumbling across CSAM or other criminal materials is low. Nevertheless, it seems to me that notifying Apple of abuse of its services should be much clearer.

Back to the Guardian article:

Apple’s June announcement that it will launch an artificial intelligence system, Apple Intelligence, has been met with alarm by child safety experts.

“The race to roll out Apple AI is worrying when AI-generated child abuse material is putting children at risk and impacting the ability of police to safeguard young victims, especially as Apple pushed back embedding technology to protect children,” said [the NSPCC’s Richard] Collard. Apple says the AI system, which was created in partnership with OpenAI, will customize user experiences, automate tasks and increase privacy for users.

The Guardian ties Apple’s forthcoming service to models able to generate CSAM, which it then connects to models being trained on CSAM. But we do not know what Apple Intelligence is capable of doing because it has not yet been released, nor do we know what it has been trained on. This is not me giving Apple the benefit of the doubt. I think we should know more about how these systems are trained.

We also currently do not know what limitations Apple will set for prompts. It is unclear to me what Collard is referring to in saying that the company “pushed back embedding technology to protect children”.

One more little thing: Apple does not say Apple Intelligence was created in partnership with OpenAI, whose role is basically that of a plugin. It also does not say Apple Intelligence will increase privacy for users, only that it is more private than competing services.

I am, for the record, not particularly convinced by any of Apple’s statements or claims. Everything is firmly in “we will see” territory right now.

Mark Zuckerberg:

Today we’re taking the next steps towards open source AI becoming the industry standard. We’re releasing Llama 3.1 405B, the first frontier-level open source AI model, as well as new and improved Llama 3.1 70B and 8B models. In addition to having significantly better cost/performance relative to closed models, the fact that the 405B model is open will make it the best choice for fine-tuning and distilling smaller models.

[…]

Meta is committed to open source AI. I’ll outline why I believe open source is the best development stack for you, why open sourcing Llama is good for Meta, and why open source AI is good for the world and therefore a platform that will be around for the long term.

Benj Edwards, Ars Technica:

So, about that “open source” term. As we first wrote in an update to our Llama 2 launch article a year ago, “open source” has a very particular meaning that has traditionally been defined by the Open Source Initiative. The AI industry has not yet settled on terminology for AI model releases that ship either code or weights with restrictions (such as Llama 3.1) or that ship without providing training data. We’ve been calling these releases “open weights” instead.

I think I have seen this movie before, or at least a version of it.

Derek Guy, for the Guardian:

The ruling class today is hardly inspiring in terms of taste. The preponderance of tech vests, which have replaced navy blazers, demonstrates that socio-economic class still drives dress practices, albeit with less appealing forms. The irony is that, while elites dress increasingly like the middle class preparing for a Whole Foods run, wealth inequality in the United States has mostly worsened every decade since the 1980s, the last era when men were still expected to wear tailored jackets.

Imagine being able to get all your clothes — heck, basically everything — made just for you, and choosing this costume.

CrowdStrike:

On July 19, 2024 at 04:09 UTC, as part of ongoing operations, CrowdStrike released a sensor configuration update to Windows systems. Sensor configuration updates are an ongoing part of the protection mechanisms of the Falcon platform. This configuration update triggered a logic error resulting in a system crash and blue screen (BSOD) on impacted systems.

Pradeep Viswanathan, Neowin:

It turns out that similar problems have been occurring for months without much awareness, despite the fact that many may view this as an isolated incident. Users of Debian and Rocky Linux also experienced significant disruptions as a result of CrowdStrike updates, raising serious concerns about the company’s software update and testing procedures. These occurrences highlight potential risks for customers who rely on their products daily.

Rajesh Kumar Singh and David Shepardson, Reuters:

Delta Air Lines CEO Ed Bastian on Monday said it will take the U.S. carrier another couple of days before its operations recover from a global cyber outage that snarled flights around the world.

The Atlanta-based carrier has been hit hard by the outage. It has canceled over 4,000 flights since Friday, stranding thousands of customers across the country. By contrast, disruptions at other major U.S. carriers had largely subsided.

If one has a general worldview for technology today, they can find it in some analysis of this CrowdStrike failure. This saga has everything. For those who think this reinforces the safety of restrictive software policies, that is one possible explanation. Or for one who may be a permanent asshole and thinks diversity initiatives and “woke” programmers are to blame, they are both insufferable and wrong. For those who think marketplace concentration has a role to play — I am one — there is someone who agrees. And for those who want to blame the E.U., the Wall Street Journal has that angle covered.

One comment I found particularly insulting, however, was a line in Microsoft’s response: “We currently estimate that CrowdStrike’s update affected 8.5 million Windows devices, or less than one percent of all Windows machines”. I get why Microsoft would want to reframe this issue; the words “Microsoft outage” are in headlines instead of “CrowdStrike bug”.[1] But this does not minimize the impact of this bug — which Microsoft’s statement acknowledges in the very next sentence — and it does not disprove claims about concentrated market share. CrowdStrike is used by nearly 60% of Fortune 500 companies including, it says, 80% of the top automotive, financial, food and beverage, and technology companies. It may not have an influential position compared to the Windows install base at large, but who cares? That is not an appropriate metric for this specific software.

Blaming Microsoft’s agreement with the E.U. also seems unnecessarily reductive, though it had a role to play. If Microsoft could have restricted kernel access in the way Apple does, it is much less likely this precise catastrophic failure by a third-party company would have occurred. But it is beside the point. It seems Microsoft could have done so at any time if it did not unfairly give its own security products elevated access. Left unexplored is why it has not done so. Also, CrowdStrike was singing the praises of Apple’s approach when kernel extensions were deprecated in MacOS. CrowdStrike loved the idea of “[r]educing the need for privileged access” which “is always a more secure approach”. Why did it fail to do so on Windows? Even without the same kind of mandate as MacOS, it seems there has been ample opportunity all around to increase protections.

Though I was oversimplifying when I wrote “just a handful of vendors are entrusted with the digital infrastructure on which our society runs” — it is more than a handful, but it is a relative handful in most any category — I maintain at least part of my original argument as written:

Even if there are serious financial and reputational consequences for these failures, the world is still no closer to being freed of its dependence on Windows or Ticketmaster or Snowflake or CrowdStrike. These seem to be incredibly fragile systems on which society rests with little accountability for their makers.

CrowdStrike’s stock is down 23%, which is far more than AT&T suffered. But I am not comfortable with investors’ bad vibes as an accountability mechanism. There need to be legal structures so that our world’s vast interconnected technological infrastructure has resilience as a rule.

Update: Marcus Hutchins:

Everyone keeps citing that Dave’s Garage video where he claims Microsoft had some super secret fix everything security API that they were going to release but the EU stopped them.

[…]

Microsoft has released multiple APIs that match said description and the EU hasn’t stopped them.

Hutchins also says the 2006 case cited by Thompson about E.U.-related concessions is not the one Microsoft is referring to in this circumstance.


  1. In that particular article, CrowdStrike is not mentioned until the final paragraph.

Matt Novak, Gizmodo:

“Tesla will have genuinely useful humanoid robots in low production for Tesla internal use next year and, hopefully, high production for other companies in 2026,” Musk tweeted on Monday morning.

As Electrek points out, that’s a delay from what was previously promised by Musk. The Tesla CEO had said back in April that he’d have Optimus robots working in Tesla factories by the end of 2024 with deliveries to other companies by 2025. That’s clearly not happening anymore, based on more recent comments.

I am sure there are people somewhere who still believe this is a good-faith “serious endeavour” which is just facing a few hurdles and will soon be able to get groceries autonomously. But this thing was tentatively on track to be produced last year. I am sure this is just a minor delay, much like the fully autonomous vehicles which owners will be able to rent out to others as taxis, which is also assuredly mere weeks away.

Emma Roth, the Verge:

On Friday morning, some of the biggest airlines, TV broadcasters, banks, and other essential services came to a standstill as a massive outage rippled across the globe. The outage, which has brought the Blue Screen of Death upon legions of Windows machines across the globe, is linked to just one software company: CrowdStrike.

[…]

“Our software is extremely interconnected and interdependent,” Lukasz Olejnik, an independent cybersecurity researcher, consultant, and author of the book Philosophy of Cybersecurity, tells The Verge. “But in general, there are plenty of single points of failure, especially when software monoculture exists at an organization.”

Robert McMillan, Wall Street Journal:

Founded in 2011, CrowdStrike is widely used by Corporate America, supplying software that protects against cyberattacks to tens of thousands of customers, including 300 companies in the Fortune 500. The scale of the outage was compounded by the fact that cybersecurity software like CrowdStrike’s has access to the most fundamental elements of the operating system to ward off cyberattacks, security experts say.

This sounds like a terrible day for anyone affected. There are I.T. staff who were woken up in the middle of the night to see if there was anything they could do; while a workaround was posted within an hour and a half of CrowdStrike issuing this update, it requires tedious manual work on each impacted system. You can find countless stories online of hospitals, airports, government systems, broadcasters, and more severely interrupted by this one bad software update. A whole lot of people had a really terrible day today.

We keep seeing the ripple effects when just a handful of vendors are entrusted with the digital infrastructure on which our society runs. Bought tickets to a mainstream event in North America? It was probably facilitated by Ticketmaster, so your credit card was leaked. It and over a hundred other companies depended on Snowflake for data storage, which was breached. Do you live in the U.S. and own a phone? AT&T, T-Mobile, and Verizon have all suffered data breaches. Two years ago, Canadian ISP and cellular carrier Rogers was down for an entire day, “disrupting government services and payment systems”. Microsoft is busy convincing people it is taking security seriously after a series of embarrassing failures.

Even if there are serious financial and reputational consequences for these failures, the world is still no closer to being freed of its dependence on Windows or Ticketmaster or Snowflake or CrowdStrike. These seem to be incredibly fragile systems on which society rests with little accountability for their makers.

Update: Changed the word “driver” in my headline to “file” to reflect CrowdStrike’s technical analysis.

Annie Gilbertson and Alex Reisner, Proof:

AI companies are generally secretive about their sources of training data, but an investigation by Proof News found some of the wealthiest AI companies in the world have used material from thousands of YouTube videos to train AI. Companies did so despite YouTube’s rules against harvesting materials from the platform without permission.

Our investigation found that subtitles from 173,536 YouTube videos, siphoned from more than 48,000 channels, were used by Silicon Valley heavyweights, including Anthropic, Nvidia, Apple, and Salesforce.

According to Gilbertson and Reisner, this is a data set called — appropriately enough — “YouTube Subtitles”, which is part of a larger set called the “Pile”, which is distributed by EleutherAI. The “Pile” was used by Apple to train OpenELM.

Chance Miller, 9to5Mac:

Apple has now confirmed to 9to5Mac, however, that OpenELM doesn’t power any of its AI or machine learning features – including Apple Intelligence.

Lance Ulanoff, TechRadar:

While not speaking directly to the issue of YouTube data, Apple reiterated its commitment to the rights of creators and publishers and added that it does offer websites the ability to opt out of their data being used to train Apple Intelligence, which Apple unveiled during WWDC 2024 and is expected to arrive in iOS 18.

The company also confirmed that it trains its models, including those for its upcoming Apple Intelligence, using high-quality data that includes licensed data from publishers, stock images, and some publicly available data from the web. YouTube’s transcription data is not intended to be a public resource but it’s not clear if it’s fully hidden from view.

Even if you set aside the timing of allowing people to opt out, it scarcely matters in this case. If YouTube captions were part of the data set used to train any part of Apple Intelligence, it would be impossible for channel operators to opt out because they cannot set individualized robots.txt instructions.

Five New York Times reporters wrote in April about the tension OpenAI created after it began transcribing YouTube videos:

Some Google employees were aware that OpenAI had harvested YouTube videos for data, two people with knowledge of the companies said. But they didn’t stop OpenAI because Google had also used transcripts of YouTube videos to train its A.I. models, the people said. That practice may have violated the copyrights of YouTube creators. So if Google made a fuss about OpenAI, there might be a public outcry against its own methods, the people said.

I could not find any mechanism to opt one’s own YouTube videos out of A.I. training. This is one of the problems of YouTube being a singular destination for general-purpose online video: it has all the power and, by extension, so does Google.

By the way, I am still waiting for someone in Cupertino to check the Applebot inbox.