Month: August 2024

Lawrence Abrams, Bleeping Computer:

Almost 2.7 billion records of personal information for people in the United States were leaked on a hacking forum, exposing names, social security numbers, all known physical addresses, and possible aliases.

The data allegedly comes from National Public Data, a company that collects and sells access to personal data for use in background checks, to obtain criminal records, and for private investigators.

National Public Data is believed to scrape this information from public sources to compile individual user profiles for people in the US and other countries.

Troy Hunt, creator of Have I Been Pwned?:

So, this data appeared in limited circulation as early as 3 months ago. It contains a huge amount of personal information (even if it isn’t “2.9B people”), and then to make matters worse, it was posted publicly last week:

[…]

[…] Instead, we’re left with 134M email addresses in public circulation and no clear origin or accountability. […]

Connor Jones, the Register:

The data broker at the center of what may become one of the more significant breaches of the year is telling officials that just 1.3 million people were affected.

Jones got this number from a report National Public Data was required to file with the Maine attorney general which, for whatever reason, is not embedded or linked to in this story — here it is. My bet is National Public Data is bad at filing breach notifications. It says, for example, the breach was discovered “December 30, 2023”, the same day on which it occurred. Yet in the notice it is mailing to affected Maine residents, it says there were “potential leaks of certain data in April 2024 and summer 2024”, which would be difficult to know in December 2023.

Brian Krebs:

New details are emerging about a breach at National Public Data (NPD), a consumer data broker that recently spilled hundreds of millions of Americans’ Social Security Numbers, addresses, and phone numbers online. KrebsOnSecurity has learned that another NPD data broker which shares access to the same consumer records inadvertently published the passwords to its back-end database in a file that was freely available from its homepage until today.

This is not the first time a huge amount of compromised data has been traced back to some legitimate but nevertheless scummy broker. There was Exactis with 340 million records, People Data Labs with 622 million, and Apollo with around 200 million. The only reason most of us have heard of these businesses is because they hoard our information and — critically — do not protect it. These giant brokers evidently do not care about basic data privacy practices and should not be allowed to operate, and their executives should be held responsible for their failure.

Reed Albergotti, Semafor:

Google’s Android phones are about to get an AI upgrade.

The company’s flagship AI model, Gemini, will replace Google Assistant as the default service on Android phones in the coming weeks, the company announced Tuesday.

Joanna Stern, Wall Street Journal:

When I asked it to set a timer, it said it couldn’t do that — or set an alarm — “yet.” Gemini Live is a big step forward conversationally. But functionally, it’s a step back in some ways. One big reason: Gemini Live works entirely in the cloud, not locally on a device. Google says it’s working on ways for the new assistant to control phone functions and other Google apps.

This is nitpicking, I know, but I have to wonder about the disconnect between what executives believe is an improvement compared to how people actually use their phones. Maybe I have been ruined by Siri’s inability to do much else reliably, but setting timers and alarms is a core function of a voice-controlled software assistant for me. Google’s live, conversational assistant is remarkable, to be sure. Yet I am not sure I would consider it an “upgrade” if it no longer supports the feature I use most.

Scharon Harding, Ars Technica:

Over the past few years, TV makers have seen rising financial success from TV operating systems that can show viewers ads and analyze their responses. Rather than selling as many TVs as possible, brands like LG, Samsung, Roku, and Vizio are increasingly, if not primarily, seeking recurring revenue from already-sold TVs via ad sales and tracking.

[…]

Walmart’s proposed Vizio acquisition is an obvious example of how eager retailers and advertisers are to access data collected from TVs. Through its Platform+ business unit, Vizio was one of the first OEMs to focus more business on ad sales and tracking than hardware.

Gregory Meyer, Financial Times:

Yet Walmart disclosed in an earnings release this week that its US advertising business had grown 30 per cent in the past year, rocketing past the growth rate of the company as a whole.

[…]

“After you click on an ad at a general-purpose search engine, they don’t know what you did after that,” said Ryan Mayward, senior vice-president of retail media sales at Walmart US. “We capture the click and we also know that you checked out and bought those specific things after you were exposed [to] or interacted with the ads. That’s the core value [proposition] of retail media versus other types of media.”

Mayward told Meyer Walmart intends to install screens throughout its stores: at department counters, on dedicated wall space, and at checkstands. All of these are primarily for ads. If there was ever a time retailers were worried about how tacky this would look, those days are over. Instead, every digital and physical surface is an opportunity for showing a typically ugly ad.

But all this is an evolution of existing tolerances. Ads already play over the in-store speaker system. Manufacturers already pay retailers slotting fees to get products on shelves; paying for ad space is another negotiating opportunity. Ad views are already linked to credit card transactions. Television is ad-supported and so is streaming. This is just more — and worse. I cannot imagine any person wants to be increasingly surrounded by aggressive and distracting ads; our built environment is planned by cynical people who also surely do not want to live in the world they are creating.

Julia Love and Davey Alba, Bloomberg:

Google now displays convenient artificial intelligence-based answers at the top of its search pages — meaning users may never click through to the websites whose data is being used to power those results. But many site owners say they can’t afford to block Google’s AI from summarizing their content.

[…]

Google uses a separate crawler for some AI products, such as its chatbot Gemini. But its main crawler, the Googlebot, serves both AI Overviews and Google search. A company spokesperson said Googlebot governs AI Overviews because AI and the company’s search engine are deeply entwined. The spokesperson added that its search results page shows information in a variety of formats, including images and graphics. Google also said publishers can block specific pages or parts of pages from appearing in AI Overviews in search results — but that would also likely bar those snippets from appearing across all of Google’s other search features, too, including web link listings.

I have quoted these two paragraphs in full because I think the difference between Google’s various A.I. products is worth clarifying. The Google-Extended control, which a publisher can treat as a separate user agent in robots.txt, is only relevant to training the Gemini and Vertex generative products. Gemini powers the A.I. overviews feature, but there is no way of opting out of overviews without entirely removing a site from Google’s indexing.
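To check that distinction against a real robots.txt, the following added example (not code from Google or from any of the quoted articles) parses a policy with Python's standard `urllib.robotparser` and reports which features remain reachable. The token-to-feature mapping is taken from the description above; the `publisher.example` URL and the four policies are constructed for illustration.

```python
from urllib.robotparser import RobotFileParser

# Mapping as described on this page (an assumption of this example, not an
# official table): Google-Extended governs training of the Gemini and Vertex
# generative products, while Googlebot serves both Search and AI Overviews.
FEATURES_BY_TOKEN = {
    "Google-Extended": ("gemini_vertex_training",),
    "Googlebot": ("search_listing", "ai_overviews"),
}

# Constructed robots.txt policies a publisher might try.
POLICIES = {
    "allow_all": "User-agent: *\nDisallow:\n",
    "block_training_only": "User-agent: Google-Extended\nDisallow: /\n",
    "block_googlebot": "User-agent: Googlebot\nDisallow: /\n",
    "block_both": (
        "User-agent: Google-Extended\nDisallow: /\n"
        "\n"
        "User-agent: Googlebot\nDisallow: /\n"
    ),
}


def feature_access(robots_txt, url="https://publisher.example/article"):
    """Return {feature: allowed} for one robots.txt body.

    A feature is allowed when the crawler token that feeds it may fetch `url`.
    """
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    access = {}
    for token, features in FEATURES_BY_TOKEN.items():
        allowed = parser.can_fetch(token, url)
        for feature in features:
            access[feature] = allowed
    return access


def can_opt_out_of_overviews_only(policies):
    """True if any policy drops AI Overviews while keeping the search listing."""
    for body in policies.values():
        access = feature_access(body)
        if access["search_listing"] and not access["ai_overviews"]:
            return True
    return False


if __name__ == "__main__":
    for name, body in POLICIES.items():
        print(name, feature_access(body))
    print("overviews-only opt-out possible:",
          can_opt_out_of_overviews_only(POLICIES))
```

Because Search and AI Overviews hang off the same token, no combination of these user-agent rules separates them; robots.txt only offers the all-or-nothing choice described above.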

I can see why website owners would want to do this; I sympathize with the frustration of those profiled in this article. But Google has been distorting the presentation of results and reducing publishers’ control for years. In 2022, I was trying to find an article from my own site when I discovered Google had generated an incorrect pros and cons list from an iPad review I wrote. Google also generates its own titles and descriptions for results instead of relying on the page-defined title and meta description tags, and it has introduced features over the years like Featured Snippets, the spiritual predecessor of A.I. Overviews.

All of these things have reduced the amount of control website owners can have over how their site is presented on a Google results page. In some cases, these changes are beneficial — rewritten titles and descriptions may reflect the actual subject of the page more accurately than one provided by some SEO expert. But in other cases, they end up making false claims cited to webpages. It happened with Featured Snippets, it happened with Google’s interpretation of my iPad review, and it happens with this artificially “intelligent” feature as well.

Marko Zivkovic, in an April report for AppleInsider, revealed several new Safari features to debut this year. Some of them, like A.I.-based summarization, were expected and shown at WWDC. Then there was this:

Also accessible from the new page controls menu is a feature Apple is testing called “Web Eraser.” As its name would imply, it’s designed to allow users to remove, or erase, specific portions of web pages, according to people familiar with the feature.

WWDC came and went without any mention of this feature, despite its lengthy and detailed description in that April story. Zivkovic, in a June article, speculated on what happened:

So, why did Apple remove a Safari feature that was fully functional?

The answer to that question is likely two-fold — to avoid controversy and to make leaked information appear inaccurate or incorrect.

The first of these reasons is plausible to me; the second is not. In May, Lara O’Reilly of Business Insider reported on a letter sent by a group of publishers and advertisers worried Apple was effectively launching an ad blocker. Media websites may often suck, but this would be a big step for a platform owner to take. I have no idea if that letter caused Apple to reconsider, but it seems likely to me it would be prudent and reasonable for the company to think more carefully about this feature’s capabilities and how it is positioned.

The apparent plot to subvert AppleInsider’s earlier reporting, on the other hand, is ludicrous. If you believe Zivkovic, Apple went through the time and expense of developing a feature so refined it must have been destined for public use because there is, according to Zivkovic, “no reason to put effort into the design of an internal application”,[1] then decided it was not worth launching because AppleInsider spoiled it. This was not the case for any other feature revealed in that same April report for, I guess, some top secret reason. As evidence, Zivkovic points to several products which have been merely renamed for launch:

A notable example of this occurred in 2023, when Apple released the first developer betas of its new operating system for the Apple Vision Pro headset. Widely expected to make its debut under the name xrOS, the company instead announced “visionOS.”

Even then, there were indications of a rushed rebrand. Apple’s instructional videos and code from the operating systems contained clear mentions of the name xrOS.

Apple renamed several operating system features ahead of launch. To be more specific, the company renamed its Adaptive Voice Shortcuts accessibility feature to Vocal Shortcuts.

As mentioned earlier, Intelligent Search received the name Highlights, while Generative Playground was changed to “Image Playground.” The name “Generative Playground” still appears as the application title in the recently released developer betas of Apple’s operating systems.

None of these seem like ways of discrediting media. Renaming the operating system for the Vision Pro to “visionOS” makes sense because it is the name of the product — similar to tvOS and iPadOS — and, also, “xrOS” is clunky. Because of how compartmentalized Apple is, the software team probably did not know what name it would go by until it was nearly time to reveal it. But they needed to call it something so they could talk about it in progress meetings without saying “the spatial computer operating system”, or whatever. This and all of the other examples just seem like temporary names getting updated for public use. None of this supports the thesis that Apple canned Web Eraser to discredit Zivkovic. There is a huge difference between replacing the working name of a product with one which has been finalized, and developing an entire new feature only to scrap it to humiliate a reporter.

Besides, Mark Gurman already tried this explanation. In a March 2014 9to5Mac article, Gurman reported on the then-unreleased Health app for iOS, which he said would be named “Healthbook” and would have a visual design similar to the Passbook app, now known as Wallet. After the Health app was shown at WWDC that year, Gurman claimed it was renamed and redesigned “late in development due to the leak”. While I have no reason to doubt the images Gurman showed were re-created from real screenshots, and there was evidence of the “Healthbook” name in early builds of the Health app, I remain skeptical it was entirely changed in direct response to Gurman’s report. It is far more likely the name was a placeholder, and the March version of the app’s design was still a work in progress.

The June AppleInsider article is funny in hindsight for how definitive it is in the project’s cancellation — it “never became available to the public”; it “has been removed in its entirety […] leaving no trace of it”. Yet, mere weeks later, it seems a multitrillion-dollar corporation decided it would not be bullied by an AppleInsider writer, held its head high, and released it after all. You have to admire the bravery.

Juli Clover, of MacRumors, was early to report on its appearance in the fifth beta builds of this year’s operating systems under a new name (Update: it seems like Cherlynn Low of Engadget was first; thanks Jeff):

Distraction Control can be used to hide static content on a page, but it is not an ad blocker and cannot be used to permanently hide ads. An ad can be temporarily hidden, but the feature was not designed for ads, and an ad will reappear when it refreshes. It was not created for elements on a webpage that regularly change.

I cannot confirm but, after testing it, I read this to mean it will hide elements with some kind of identifier which remains fixed across sessions — an id or perhaps a unique string of classes — and within the same domain. If the identifier changes on each load, the element will re-appear. Since ads often appear with different identifiers each time and this feature is (I think) limited by domain, it is not an effective ad blocker.

Zivkovic’s follow-up story from after Distraction Control was included in an August beta build is, more or less, a rehashing of only the first explanation for the feature’s delay from what he wrote in June, never once commenting on his more outlandish theory:

Based on the version of Distraction Control revealed on Monday, it appears as though Apple wanted to distance itself from Web Eraser and the negative connotations surrounding the feature.

As mentioned earlier, the company renamed Web Eraser to Distraction Control. In addition to this, the fifth developer beta of iOS 18 includes a new pop-up message that informs users of the feature’s overall purpose, making it clear that it’s not meant to block ads.

It has been given a more anodyne name and it now has a dialog box.

Still, this shows Zivkovic’s earlier report was correct: Apple was developing an easy-to-use feature to hide page elements within Safari and it is in beta builds of the operating systems launching this year. Zivkovic should celebrate this. Instead, his speculative June report makes his earlier reliable reporting look shaky because, it would seem, he was too impatient to wait and see if the feature would launch later. That would be unusual for Apple but still more likely than the company deciding to cancel it entirely.

The August report also adds some new information but, in an effort to create distance between Web Eraser and Distraction Control, Zivkovic makes some unforced errors:

When it comes to ads, pre-release versions of Web Eraser behaved differently from the publicly available Distraction Control. Internal versions of the feature had the ability to block the same page element across different web pages and maintained the users’ choice of hidden elements even after the page was refreshed.

This description of the Distraction Control behaviour is simply not true. In my testing, page elements with stable identifiers remain hidden between pages on the same domain, after the page has been refreshed, and after several hours in a new browser tab.

Zivkovic should be thrilled about his April scoop. Instead, the two subsequent reports undermine the confidence of that first report and unnecessarily complicate the most likely story with baseless speculation that borders on conspiracy theories. From the outside, it appears the early rumour about Web Eraser was actually beneficial for the feature. Zivkovic accurately reported its existence and features. Publishers, worried about its use as a first-party ad blocker, wrote to Apple. Apple delayed the feature’s launch and, when it debuted, gave it a new name and added a dialog box on first use to clarify its intent. Of course, someone can still use Distraction Control to hide ads but, by being a manual process on a per-domain basis, it is a far more tedious process than downloading a dedicated ad blocker.

This was not a ruse to embarrass rumour-mongers. It was just product development: a sometimes messy, sometimes confusing process which, in this case, seemed to result in a better feature with a clearer scope. Unless someone reports otherwise, it does not need to be much more complicated than that.


  1. If Zivkovic believes Apple does not care much about designing things for internal use only, he is sorely mistaken. Not every internal tool is given that kind of attention, but many are.

I quoted Steve Jobs the other day; here is another one courtesy of a 2006 interview with Brian Williams which, in its re-uploaded form, has been bizarrely stabilized relative to each face in a way that is difficult to describe and nauseating to watch:

Brands are like bank accounts. You can have withdrawals and you can have deposits.

So if a customer has a great experience — they buy an iPod and they love it — that’s a deposit into our brand account in their mind. If you buy something from us and you have a bad experience, then it’s a withdrawal.

Today, Apple spent big from its brand account. While there are some who are upset with Patreon for having an iOS app in the first place, the overwhelming frustration is justifiably directed toward Apple.

As upsetting as it is, I cannot say I am surprised by any beat in this story. First, Apple decided to, for years, treat Patreon pledges as something other than In-App Purchases against which it would normally levy a commission. But that could not last forever because Apple would — as it has several times before — want to reclassify pledges to get what it feels is its cut. It is now going to require Patreon treat them as subscriptions, similar to Substack.

Hamish McKenzie, Substack’s co-founder, is more positive toward Apple’s In-App Purchase system, but notes how it does not really fit with authorship by individuals or small teams:

But creators aren’t Apple’s traditional customers. They’re not app makers or game developers. They don’t actually have a piece of real estate in the App Store. They instead find their distribution through media platforms, including the likes of Patreon and Substack. It might feel weird for someone who publishes a podcast through Patreon, or a publication through Substack, to receive the same treatment from Apple as Netflix.

John Gruber, in linking to my piece from earlier, also mentioned the Substack parallels:

Lastly, I suppose it’s implicit here that a lot of Patreon users go through the iOS app. But I can’t help but think they should do what Substack does and just not allow paid subscriptions through the app. I just double-checked this was still true, and it seems to be. Substack’s iOS app lets you subscribe only to free subscriptions in-app. If you tap “Manage Subscription” in the app, you’re presented with a sheet that says, unhelpfully, “You cannot manage your subscription in the app.” (It’s Apple’s odious anti-steering rules that disallow apps like Substack from explaining where you can manage your subscription, which, of course, is on the web.)

I also wondered why the Patreon app could not simply be a viewer for subscriptions a user has purchased elsewhere. My understanding is that Apple has raised objections by invoking rule 3.1.3(b):

Apps that operate across multiple platforms may allow users to access content, subscriptions, or features they have acquired in your app on other platforms or your web site, including consumable items in multi-platform games, provided those items are also available as in-app purchases within the app.

This is the rule for what Apple calls a “Multiplatform Service”, which is somehow different from a “‘Reader’ App” that allows users to subscribe to “magazines, newspapers, books, audio, music, and video”. A “reader” app does not have to provide In-App Purchases which are equivalent to those available outside the app, but a “Multiplatform Service” does. It seems likely to me both Patreon and Substack are “Multiplatform Services” in Apple’s view.

Substack does have several subscriptions available as In-App Purchases, according to its App Store page and the app itself. I am not sure this is true of all newsletters because Apple only lists ten popular In-App Purchases on the app’s page. It seems you can manage a subscription from within the app only if you paid for it from within the app; if you paid for your subscription on Substack’s website, you can only manage it there, and you get the notice Gruber quoted if you try from inside the app. Oddly, I can also read paid issues from within the Substack app for a newsletter which does not have an In-App Purchase option because it is no longer active on Substack. Perhaps it once did and that is why viewing this subscription is allowed.

Maybe Substack is a “reader” app that just so happens to provide In-App Purchases for some newsletters. More likely it is a “Multiplatform Service” that treats subscriptions purchased in the app as different products from those made externally, and the app merely allows access to the latter. It seems Apple is requiring Patreon to be consistent with Substack which, as it stands, is inconsistent with “reader” apps — even though Substack is more of a reading app than Netflix — and does not permit a transaction-free experience.

For years, the Patreon app on iOS has allowed users to buy digital subscriptions without using Apple’s In-App Purchases model.[1] Instead, it throws up a Safari sheet with its own payment form. In 2021, Jacob Kastrenakes, of the Verge, contrasted this with the mandate given to Fanhouse, a similar platform, to use In-App Purchases. Kastrenakes followed up a few weeks later after Jack Conte, Patreon’s CEO, was interviewed for the “Decoder” podcast:

Patreon has been one of the odd exceptions to the rule. The platform’s iOS app has been able to accept payments outside of Apple’s in-app purchase system, which lets the company walk around that 30 percent cut. Conte suggests this may be allowed because users don’t come to Patreon to discover creators and content. “A lot of the actual engagement is happening on other platforms … So it’s just not the primary behavior that’s happening on Patreon,” Conte said. The Verge has reached out to Apple for comment.

That is a fair argument. Apple says its cut reflects services it provides, mostly marketing, though it does also admit it is just making money off its platform because it can. Patreon users do not benefit from the former. If Apple promotes In-App Purchases from third-party developers at all, I could not find an example in the App Store. Even if it did, Apple would not be a bigger draw for fans of people who make their living on Patreon than those individuals themselves.

Even so, Apple is now demanding Patreon make the switch:

As we first announced last year, Apple is requiring that Patreon use their in-app purchasing system and remove all other billing systems from the Patreon iOS app by November 2024.

This has two major consequences for creators:

  • Apple will be applying their 30% App Store fee to all new memberships purchased in the Patreon iOS app, in addition to anything bought in your Patreon shop.

  • Any creator currently on first-of-the-month or per-creation billing plans will have to switch over to subscription billing to continue earning in the iOS app, because that’s the only billing type Apple’s in-app purchase system supports.

That earlier announcement was made in December 2023 and it seems as though Apple did not provide a specific date, just a rough timeframe.

This is both a naked attempt to take an outsized cut from independent creative professionals, and a more consistent treatment of In-App Purchases. There are so many unanswered questions. Why was Patreon allowed an exemption in the first place, and for so long? Why did Apple change its mind late last year but also permit a long transition period which Patreon will complete next November? What changed? It is not as though Patreon is untrustworthy, or that cancelling a subscription is a laborious Amazon-like or New York Times-esque process.

Steve Troughton-Smith:

If you in the EU had left the App Store and were offering your app in an Alternative Marketplace and using Patreon as the monetization behind it, and your users are subbing in the Patreon app, now Apple will be taking the Core Technology Fee plus 30% of your revenue. They can tax both sides of the equation.

This would be similarly true for any Patreon competitor. Apple seems to believe it is entitled to a share of any financial gain from its platforms — except for physical goods, or transactions made through Mac apps distributed outside the App Store.

The 30% fee is also notable. As far as I can tell, only a handful of Patreon users would exceed the million-dollar annual threshold for Apple’s Small Business Program. That is, everyone who earns less than a million dollars per year through iOS Patreon pledges should, in theory, fork over a 15% commission rate to Apple. But it appears it is Patreon itself which is subject to the 30% rate. Whether that decision was made by Apple or Patreon, or if it is something which is a consequence of how App Store billing works, is unclear to me. But one thing is true regardless: Apple’s 30% commission is at least double the rate charged by Patreon itself, and only the latter has any material effect on the relationship between a creative professional and their supporters.

Update: In response to a question about whether Patreon would support the third-party payment options available in the U.S., E.U., and elsewhere, a spokesperson told me the company has “looked into alternate options but those also come with complex Apple requirements. Right now, because of these requirements, we do not believe they are viable options for Patreon nor do we believe they would result in a better experience for fans or creators”.


  1. Hey, I have not plugged mine in a while.

Shane Goldmacher, New York Times:

Former President Donald J. Trump has taken his obsession with the large crowds that Vice President Kamala Harris is drawing at her rallies to new heights, falsely declaring in a series of social media posts on Sunday that she had used artificial intelligence to create images and videos of fake crowds.

The A.I.-generated crowds claim is something I had seen bouncing around the fringes of X — and by “fringe”, I mean accounts which have paid to amplify their posts. I did not expect a claim this stupid to become a mainstream argument. But then I remembered what the mainstream looks like these days.

This claim is so stupid because you do not need to rely on the photos released by the campaign. You can just go look up pictures for yourself, taken at a bunch of different angles by a bunch of different people with consistent lighting, logical crowds, and realistic hands. There are hundreds of them, and videos too. A piece of supposed evidence for the fakery is that Harris’ plane does not have a visible tail number, but there are — again — plenty of pictures of that plane which show no number. The U.S. Air Force made the change last year.

I know none of the people promoting this theory are interested in facts. They began with a conclusion and are creating a story to fit, in spite of evidence to the contrary. Still, it was equal parts amusing and worrisome to see this theory be spun from whole cloth in real time.

In response to Apple’s increasingly distrustful permissions prompts, it is worth thinking about what benefits this could provide. For example, apps can start out trustworthy and later become malicious through updates or ownership changes, and users should be reminded of the permissions they have afforded it. There is a recent example of this in Bartender. But I am not sure any of this is helped by yet another alert.

The approach seems to be informed by the Steve Jobs definition of privacy, as he described it at D8 in 2010:

Privacy means people know what they’re signing up for — in plain English, and repeatedly. That’s what it means.

I’m an optimist. I believe people are smart, and some people want to share more data than other people do. Ask ’em. Ask ’em every time. Make them tell you to stop asking them, if they get tired of your asking them. Let them know precisely what you’re gonna do with their data.

Some of the permissions dialogs thrown by Apple’s operating systems exist to preempt abuse, while others were added in response to specific scandals. The prompt for accessing your contacts, for example, was added after Path absorbed users’ lists.

The new weekly nag box for screen recording in the latest MacOS Sequoia is also conceivably a response to a specific incident. Early this year, the developer of Bartender sold the app to another developer without telling users. The app has long required screen recording permissions to function. It made some users understandably nervous about transferring that power, especially because the transition was done so quietly to a new shady owner.

I do not think this new prompt succeeds in helping users make an informed decision. There is no information in the dialog’s text informing you who the developer is, and if it has changed. It does not appear the text of the dialog can be customized for the developer to provide a reason. If this is thrown by an always-running app like Bartender, a user will either become panicked or begin passively accepting this annoyance.

The latter is now the default response state to a wide variety of alerts and cautions. Car alarms are ineffective. Hospitals and other medical facilities are filled with so many beeps staff become “desensitized”. People agree to cookie banners without a second of thought. Alert fatigue is a well-known phenomenon, such that it informed the Canadian response in the earliest days of the pandemic. Without more thoughtful consideration of how often and in what context to inform people of something, it is just pollution.

There is apparently an entitlement which Apple can grant, but it is undocumented. It is still the summer and this could all be described in more robust terms over the coming weeks. Yet it is alarming this prompt was introduced with so little disclosure.

I believe people are smart, too. But I do not believe they are fully aware of how their data is being collected and used, and none of these dialog boxes do a good job of explaining that. An app can ask to record your screen on a weekly basis, but the user is not told any more than that. It could ask for access to your contacts — perhaps that is only for local, one-time use, or the app could be sending a copy to the developer, and a user has no way of knowing which. A weather app could be asking for your location because you requested a local forecast, but it could also be reselling it. A Mac app can tell you to turn on full disk access for plausible reasons, but it could abuse that access later.

Perhaps the most informative dialog boxes are the cookie consent forms you see across the web. In their most comprehensive state, you can see which specific third-parties may receive your behavioural data, and they allow you to opt into or out of categories of data use. Yet nobody actually reads those cookie consents because they have too much information.

Of course, nobody expects dialog boxes to be a complete solution to our privacy and security woes. A user places some trust in each layer of the process: in App Review, if they downloaded software from the App Store; in built-in protections; in the design of the operating system itself; and in the developer. Even if you believe dialog boxes are a helpful intervention, Apple’s own sea of prompts do not fulfil the Jobs criteria: they most often do not tell users specifically how their data will be used, and they either do not ask users every time or they cannot be turned off. They are just an occasional interruption to which you must either agree or find some part of an application is unusable.

Users are not typically in a position to knowledgeably authorise these requests. They are not adequately informed, and it is poor policy to treat these as individualized problems.

Natasha Lomas, TechCrunch:

One big change Apple announced Thursday is that developers who include link-outs in their apps will no longer need to accept the newer version of its business terms — which requires they commit to paying the Core Technology Fee (CTF) the EU is investigating.

In another notable revision of approach, Apple is giving developers more flexibility around how they can communicate external offers and the types of offers they can promote through their iOS apps. Apple said developers will be able to inform users about offers available anywhere, not only on their own websites — such as through other apps and app marketplaces.

These are good changes. Users will also be able to turn off the scary alerts when using external purchasing mechanisms. But there is a catch.

Juli Clover, MacRumors:

There are two fees that are associated with directing customers to purchase options outside of the App Store. A 5 percent initial acquisition fee is paid for all sales of digital goods and services that the customer makes on any platform that occur within a 12-month period after an initial install. The fee does not apply to transactions made by customers that had an initial install before the new link changes, but is applicable for new downloads.

Apple says that the initial acquisition fee reflects the value that the App Store provides when connecting developers with customers in the European Union.

The other new fee is a Store Services Fee of 7% or 20% assessed annually. Apple says it “reflects the ongoing services and capabilities that Apple provides developers”:

[…] including app distribution and management; App Review; App Store trust and safety; re-discovery, re-engagement and promotional tools and services; anti-fraud checks; recommendations; ratings and reviews; customer support; and more.

Contrary to its name, this fee does not apply solely to apps acquired through the App Store; rather, it is assessed against any digital purchase made on any platform. If an app is first downloaded on an iPhone and then, within a year, the user ultimately purchases a subscription in the Windows version of the same app, Apple believes it deserves 7–20% of the cost of that subscription in perpetuity, plus 5% for the first year’s instance. This seems to be the case no matter whether the iPhone version of that app is ever touched again.

I am not sure what business standards apply here and whether it is completely outlandish, but it sure feels that way. The App Store certainly helps with app discovery to some degree, and Apple does provide a lot of services whether developers want them or not. Yet this basically ties part of a developer’s entire revenue stream to Apple; the part is unknown but will be determined based on whichever customers used the iPhone version of an app first.

I think I have all this right based on news reports from those briefed by Apple and the new contract (PDF), but I might have messed something up. Please let me know if I got some detail wrong. This is all very confusing and, though I do not think that is deliberate, I think Apple struggles to translate its priorities into straightforward policy. None of these changes applies to external purchases in the U.S., for example. But what I wrote at the time applies here just the same: it is championing this bureaucracy because it believes it is entitled to a significant finder’s fee, regardless of its actual contribution to a customer’s purchase.

Jason Snell, Six Colors:

Apple’s recent feature changes suggest a value system that’s wildly out of balance, preferring to warn (and control) users no matter how damaging it is to the overall user experience. Maybe the people in charge should be forced to sit down and watch that Apple ad that mocks Windows Vista. Vista’s security prompts existed for good reasons — but they were a user disaster. The Apple of that era knew it. I’d guess a lot of people inside today’s Apple know it, too — but they clearly are unable to win the arguments when it matters.

The first evidence of this relentless slog of permissions prompts occurred on iOS. Want to allow this app to use the camera? Tap allow. See your location? Tap allow. Access your contacts? Tap allow. Send you notifications? Tap allow. On and on it goes, sweeping up the Mac in this relentless offloading of responsibility onto users.

On some level, I get it. Our devices are all synced with one another, passing our identities and secret information between them constantly. We install new applications without thinking too much about what they could be doing in the background. We switch on automatic updates with similar indifference. (If you are somebody who does not do these things, please do not write. I know you are there; I respect you; you are one of few.)

But relentless user confirmation is not a good answer for privacy, security, or competition. It merely kicks the can down the road, and suggests users cannot be trusted, yet must bear all the responsibility for their choices.

Kylie Robinson, of the Verge, obtained internal sales data from Humane. Not only is the A.I. Pin not selling super well, but many of them are being returned. That is a huge frustration, I imagine, for lots of people who worked on this product. Also, maybe it is simply an indicator it is not very good: for its own reasons, and also perhaps because it is hard to start a new platform, and maybe because integrating with established platforms is often a struggle.

That is what everyone is talking about. I wanted to highlight a different part of Robinson’s thorough report:

Once a Humane Pin is returned, the company has no way to refurbish it, sources with knowledge of the return process confirmed. The Pin becomes e-waste, and Humane doesn’t have the opportunity to reclaim the revenue by selling it again. The core issue is that there is a T-Mobile limitation that makes it impossible (for now) for Humane to reassign a Pin to a new user once it’s been assigned to someone. One source said they don’t believe Humane has disposed of the old Pins because “they’re still hopeful they can solve this problem eventually.” T-Mobile declined to comment and referred us to Humane.

It is inexcusable for a device to be launched in 2024 without considering the environmental effects of its disposal. Perhaps Humane can recover some of the hardware components for reuse or recycling — this is unclear to me — but for a product to be useful only to its original owner is terrible, even for its first generation.

Alfonso Maruccia, TechSpot:

Its most recent financials show Mozilla gets $510 million out of its $593 million in total revenue from its Google partnership. This precarious financial position is a side effect of its deal with Alphabet, which made Google the search engine default for newer Firefox installations.

Jason Del Rey, Fortune:

Mozilla is putting on a brave face for now, and not directly addressing the existential threat that the ruling appears to pose.

“Mozilla has always championed competition and choice online, particularly in search,” a spokesperson said in a statement to Fortune on Monday. “We’re closely reviewing the court’s decision, considering its potential impact on Mozilla and how we can positively influence the next steps… Firefox continues to offer a range of search options, and we remain committed to serving our users’ preferences while fostering a competitive market.”

It is possible Mozilla will not be impacted by remedies to Google’s illegal monopoly, the details of which will begin to take shape next month. It also seems possible Mozilla could be losing virtually all its revenue, thereby destabilizing the organization behind one of the few non-Chromium browsers and the best documentation of web technologies available anywhere.

Trying to untangle an illegal monopolist is necessarily difficult. This will be a long and painful process for everyone. The short-term resolutions might be ineffectual and irritating, and they may not change Google’s market position. But it is important to get on the record that Google has engaged in illegal conduct to protect its dominance, and so it will be subjected to new oversight and scrutiny. This exercise is worth it because there ought to be limits to market power and anticompetitive behaviour.

Since owners of web properties became aware of the traffic-sending power of search engines — most often Google in most places — they have been in an increasingly uncomfortable relationship as search moves beyond ten relevant links on a page. Google does not need websites, per se; it needs the information they provide. Its business recommendations are powered in part by reviews on other websites. Answers to questions appear in snippets, sourced to other websites, without the user needing to click away.

Publishers and other website owners might consider this a bad deal. They feed Google all this information hoping someone will visit their website, but Google is adding features that make it less likely they will do so. Unless they were willing to risk losing all their Google search traffic, there was little a publisher could do. Individually, they needed Google more than Google needed them.

But that has not been quite as true for Reddit. Its discussions hold a uniquely large corpus of suggestions and information on specific topics and in hyper-local contexts, as well as a whole lot of trash. While the quality of Google’s results has been sliding, searchers discovered they could append “Reddit” to a query to find what they were looking for.

Google realized this and, earlier this year, signed a $60 million deal with Reddit allowing it to scrape the site to train its A.I. features. Part of that deal apparently involved indexing pages in search as, last month, Reddit restricted that capability to Google. That is: if you want to search Reddit, you can either use the site’s internal search engine, or you can use Google. Other search engines still display results created from before mid-July, according to 404 Media, but only Google is permitted to crawl anything newer.

It is unclear to me whether this is a deal only available to Google, or if it is open to any search engine that wants to pay. Even if it was intended to be exclusive, I have a feeling it might not be for much longer. But it seems like something Reddit would only care about doing with Google because other search engines basically do not matter in the United States or worldwide.[1] What amount of money do you think Microsoft would need to pay for Bing to be the sole permitted crawler of Reddit in exchange for traffic from its measly market share? I bet it is a lot more than $60 million.

Maybe that is one reason this agreement feels uncomfortable to me. Search engines are marketed as finding results across the entire web but, of course, that is not true: they most often obey rules declared in robots.txt files, but they also do not necessarily index everything they are able to, either. These are not explicit limitations. Yet it feels like it violates the premise of a search engine to say that it will be allowed to crawl and link to other webpages. The whole thing about the web is that the links are free. There is no guarantee the actual page will be freely accessible, but the link itself is not restricted. It is the central problem with link tax laws, and this pay-to-index scheme is similarly restrictive.

This is, of course, not the first time there has been tension in how a site balances search engine visibility and its own goals. Publishers have, for years, weighed their desire to be found by readers against login requirements and paywalls — guided by the overwhelming influence of Google.

Google used to require publishers provide free articles to be indexed by the search engine but, in 2017, it replaced that with a model that is more flexible for publishers. Instead of forcing a certain number of free page views, publishers are now able to provide Google with indexable data.

Then there are partnerships struck by search engines and third parties to obtain specific kinds of data. These were summarized well in the recent United States v. Google decision (PDF), and they are probably closest in spirit to this Reddit deal:

GSEs enter into data-sharing agreements with partners (usually specialized vertical providers) to obtain structured data for use in verticals. Tr. at 9148:2-5 (Holden) (“[W]e started to gather what we would call structured data, where you need to enter into relationships with partners to gather this data that’s not generally available on the web. It can’t be crawled.”). These agreements can take various forms. The GSE might offer traffic to the provider in exchange for information (i.e., data-for-traffic agreements), pay the provider revenue share, or simply compensate the provider for the information. Id. at 6181:7-18 (Barrett-Bowen).

As of 2020, Microsoft has partnered with more than 100 providers to obtain structured data, and those partners include information sources like Fandango, Glassdoor, IMDb, Pinterest, Spotify, and more. DX1305 at .004, 018–.028; accord Tr. at 6212:23–6215:10 (Barrett-Bowen) (agreeing that Microsoft partners with over 70 providers of travel and local information, including the biggest players in the space).

The government attorneys said Bing is required to pay for structured data owing to its smaller size, while Google is able to obtain structured data for free because it sends partners so much traffic. The judge ultimately rejected their argument Microsoft struggled to sign these agreements or it was impeded in doing so, but did not dispute the difference in negotiating power between the two companies.

Once more, for emphasis: Google usually gets structured data for free but, in this case, it agreed to pay $60 million; imagine how much it would cost Bing.

This agreement does feel pretty unique, though. It is hard for me to imagine many other websites with the kind of specific knowledge found aplenty on Reddit. It is a centralized version of the bulletin boards of the early 2000s for such a wide variety of interests and topics. It is such a vast user base that, while it cannot ignore Google referrals, it is not necessarily reliant on them in the same way as many other websites are.

Most other popular websites are insular social networks; Instagram and TikTok are not relying on Google referrals. Wikipedia would probably be the best comparison to Reddit in terms of the contribution it makes to the web — even greater, I think — but every article page I tried except the homepage is overwhelmingly dependent on external search engine traffic.

Meanwhile, pretty much everyone else still has to pay Google for visitors. They have to buy the ads sitting atop organic search results. They have to buy ads on maps, on shopping carousels, on videos. People who operate websites hope they will get free clicks, but many of them know they will have to pay for some of them, even though Google will happily lift and summarize their work without compensation.

I cannot think of any other web property which has this kind of leverage over Google. While this feels like a violation of the ideals and principles that have built the open web on which Google has built its empire, I wonder if Google will make many similar agreements, if any. I doubt it — at least for now. This feels funny; maybe that is why it is so unique, and why it is not worth being too troubled by it.


  1. The uptick of Bing in the worldwide chart appears to be, in part, thanks to a growing share in China. Its market share has also grown a little in Africa and South America, but only by tiny amounts. However, Reddit is blocked in China, so a deal does not seem particularly attractive to either party.

Apple, in a Developer News bulletin:

In macOS Sequoia, users will no longer be able to Control-click to override Gatekeeper when opening software that isn’t signed correctly or notarized. They’ll need to visit System Settings > Privacy & Security to review security information for software before allowing it to run.

This is one of those little things which will go unnoticed by most users, but will become a thorn in the side of anyone who relies on it. These are likely developers and other more technologically literate people, who are placed in the position of increasingly fighting with the tools they use to get things done. It may be a small thing, but small things add up.

Update: The weekly permission prompts for screen and audio recording, on the other hand, might be noticed by a lot more people.

Reddit user devanxd2000:

I was digging into the system files for the update and I found a bunch of json files containing what appears to be prompts given to the AI in the background. I found it interesting and thought I’d share.

You can find them here: /System/Library/AssetsV2/com_apple_MobileAsset_UAF_FM_GenerativeModels

There’ll be a bunch of folders, some of them will have metadata.json files like this.

Wes Davis, the Verge:

Files I browsed through refer to the model as “ajax,” which some Verge readers might recall as the rumored internal name for Apple’s LLM last year.

It is unclear to me if these directly represent the instructions which interpret and produce the results users see. These could be something else, like a file involved in the development process but not related to how it functions on a user’s device; we just do not know.

But, assuming — quite fairly, I might add — that these instructions are what underpins features like message summaries and custom Memories in Photos, it is kind of interesting to see them written in plain English. They advise the model to “only output valid [JSON] and nothing else”, and warn it “do not hallucinate” and “do not make up factual information”. The latter two are just good rules for life. I am not sure what I expected, but I guess it was not these kinds of visible instructions. But, I guess it would make sense for it to feed through what I presume is the same system underpinning the revised version of Siri, which needs to interpret everything from plain English commands. After all, programming is just a specific version of a language.

Ashley Belanger, Ars Technica:

Google just lost a massive antitrust trial over its sprawling search business, as US district judge Amit Mehta released his ruling, showing that he sided with the US Department of Justice in the case that could disrupt how billions of people search the web.

“Google is a monopolist, and it has acted as one to maintain its monopoly,” Mehta wrote in his opinion. “It has violated Section 2 of the Sherman Act.”

Google will surely contest this finding when its implications are known; Mehta has not announced what actions the government will take against Google.

The opinion is full of details about the precise nature of how Google search and its ads work together, Google’s relationship with Apple and other third parties, and how its business has changed over time. For example, the judge notes Google adjusted ad pricing to maintain a specific growth target, and increased it incrementally to mask it in the typical fluctuations of ad costs. He also cites a finding that “thirteen months of user data acquired by Google is equivalent to over 17 years of data on Bing” in informing the quality of search results. Meanwhile, Google pays Apple a redacted amount through its revenue sharing agreement for default placement in Safari, and it pays for searches performed through Chrome on Apple devices as well. There is a lot more in here, and I fully intend on re-reading the opinion with a bunch of questions I have in mind.

Google really does have great search results a lot of the time, even though it has stumbled in recent years. DuckDuckGo is my default but I find myself often turning to Google for local results, very old results, and news. (DuckDuckGo is powered by Bing, which prioritizes MSN-syndicated versions of articles that I do not want.) Google has not fallen into the same trap as Bing by wholly cluttering the results page. Microsoft still has no taste.

But two things can be true: Google can be the best search engine for most people, most of the time, because it is very good; and, also, Google can have abused its market-leading position to avoid competition and maintain its advertising revenue. Those are not inconsistent with each other. In fact, per the judge’s citation of how long it would take for Bing to amass the same information about user activity as Google does in a year, it is fully possible its quality and its dominance are related, something the judge nods toward. In fact, Google’s position is now so entrenched “it would not lose search revenue if [it] were to significantly reduce the quality of its search product”.

Notably, Mehta did not sanction Google for failing to preserve evidence in the case, writing:

On the request for sanctions, the court declines to impose them. Not because Google’s failure to preserve chat messages might not warrant them. But because the sanctions Plaintiffs request do not move the needle on the court’s assessment of Google’s liability. […]

In cases where the judge found evidence of monopolistic and abusive behaviour, the lack of supporting text messages and other communications would not have made a difference; this is also true, the judge says, for his finding of a lack of anticompetitive behaviour in SA360.

The Media Ecosystem Observatory:

On August 1, 2023, in response to Bill C-18, Meta blocked Canadians from viewing, accessing, and sharing news article links on its platforms. Over the past 12 months, our team of researchers has closely monitored the effects of the ban particularly on Canadian news organizations and how Canadians engage with news and political content online. 

“Old News, New Reality: A Year of Meta’s News Ban in Canada” is the first data-informed analysis on what happened in Canada after Meta banned access to news on its platforms for Canadians. […]

I read the report; I was underwhelmed. Its authors provide no information about how news websites and apps have performed in the past year. Instead, they use the popularity of news outlets on social media as a proxy for their popularity generally and have found — unsurprisingly — that many Canadian publications have reduced or stopped using Meta platforms to promote their work. This decline was not offset by other social platforms. But this says nothing about how publications have fared in general.

Unfortunately, only publishers would be able to compare the use of their websites and apps today with a year ago. Every other source only provides an estimate. Semrush, for example, says it has a “unique panel of over 200 million” users and it ingests billions of data points each month to build a picture of actual browsing. Its ranking, which I have preserved in its current June 2024 state, indicates a 6.7% decline in traffic to the CBC’s website compared to June a year ago, a 6.2% decline for CTV News, a 4.2% decline for Global News, a 12.3% increase for City News, a 27.8% decline for the Star, and a 20.4% increase for the National Post. Among the hardest-hit publications were French language publications like Journal de Montreal and TVA Nouvelles. Some of these traffic losses are pretty large, but none are anywhere near the 43% decline in “online engagement” cited in this report.

I could not find a source for app popularity in Canada over time — or, at least, not one I could access.

To be sure, it would not surprise me to learn traffic had dropped for many publishers. But it is a mixed bag, with some indicating large increases in web visitors. The point I am trying to make is that we simply do not have a good picture of actual popularity, and this Observatory report is only confusing matters. Social media buzz is not always a good representation of actual readership, and it is frustrating that the only information we can glean is irrelevant.