Archives — Pixel Envy


Written by Nick Heer.

Samsung Is Working to Patch a Flaw With Their Under-Display Fingerprint Reader, Which Can Be Defeated With a Screen Protector

Ju-min Park, Reuters:

Samsung Electronics Co Ltd said on Thursday it will soon roll out a software patch to fix problems with fingerprint recognition on its flagship Galaxy S10 smartphone.

A British user told the Sun newspaper this week that a bug on her Galaxy S10 allowed it to be unlocked regardless of the biometric data registered in the device.

After she bought a third-party screen protector, her husband was able to unlock her phone using his fingerprint, even though it was not registered.

This is shockingly trivial. Methods for bypassing Touch ID that involved etching a PCB generated alarmist headlines about it being “no challenge at all”; circumventing Face ID was said to be accomplished in “less than 120 seconds” — assuming, of course, that you were able to get a jerry-rigged pair of glasses onto the iPhone owner’s face without resistance.

This is nothing like that; it is exactly as easily-defeated as reported. That’s embarrassing, sure, but where Samsung really loses me is its explanation for why this is happening:

The issue can happen when patterns of some protectors that come with silicone phone cases are recognized along with fingerprints, the South Korean tech giant said in a notice on its customer support app.

I could be reading this wrong, but what I’m understanding is that Samsung is blaming the screen protector for introducing a pattern that appears to the sensor to be a fingerprint. But if that were the case, this flaw would only exist if fingerprint registration was completed with the screen protector in place.

However, according to a video from Twitter user StaLight, that must be an inadequate explanation, because the fingerprint reader can be bypassed even when the fingerprint was registered without a screen protector. In the video, the user completes the registration process with no screen protector in place, then successfully unlocks the phone with a different finger after placing a clear phone case between the display and their finger.

I would love to know what this flaw is, and how a software update may apparently fix what seems, to me, to be a critical hardware problem.

The Galaxy S10 also has facial recognition, but that’s defeated by a photo.

U.S. Sen. Ron Wyden Introduces National Privacy Act

Earlier this week, Michael Beckerman — the president of the Internet Association, a lobbying group that includes Amazon, Facebook, Google, and Microsoft among its members — got an op-ed published in the New York Times strongly objecting to state-level privacy laws:

A patchwork of state laws means that a California woman who orders an item from a Missouri business that manufactures in Florida could have her data regulated by three separate laws, or by no applicable law. Despite California’s Consumer Privacy Protection Act, the state’s residents cannot be assured that the protections that apply when they deal with a business covered by the law will apply when they shop at their corner store, travel across the country or engage in online transactions with companies that are not subject to California’s privacy law.

Not only will this add to consumer confusion around how data is handled, it will also undoubtedly lead to inconsistent treatment of data depending on a variety of factors, including the residency of the consumer and the type of businesses with whom they interact.

Beckerman argued for a national privacy law, and that’s what Sen. Ron Wyden is introducing today. You can read the bill in full, and Wyden’s office has put together a one-and-a-bit page summary (PDF) of the highlights.

Dell Cameron, Gizmodo:

First off, the “Mind Your Own Business Act” would finally arm the Federal Trade Commission (FTC) with the power and personnel necessary to adequately punish out-of-control corporations. Companies would no longer simply get off with a warning the first time they break their users’ trust. Instead, they would face immediate fines of up to 4 percent of their annual revenue. For companies the size of Google and Facebook, that means billions of dollars.

But here’s the kicker: Under the bill, executives who knowingly lie to the FTC about privacy violations could face up to 20 years behind bars, and their companies could then be forced to pay a tax based on the salary of the convicted executive.

I can’t imagine the successful passage of Wyden’s proposal to require companies to offer a paid version of their product or service that doesn’t track users, but I imagine the penalties able to be levied against privacy violations will be a deterrent.

Of course, this is extremely strict. It’s great for consumers. I bet the Internet Association is going to hate it.

It Currently Requires a Small Amount of Patience to Buy a New iPhone

Jason Koebler, in a Vice article bizarrely titled “It Is Currently Impossible to Exchange Money for an iPhone”. It’s bizarre because millions of people in the United States and around the world are buying new iPhones, often in exchange for money. But Koebler can’t buy a new iPhone — though, reading this, you’d imagine that it’s the last thing he wants to do:

I think that buying a new phone is a shameful but occasionally necessary activity to continue living in the modern world. I disagree with most of Apple’s corporate philosophies on recycling, repair, and its walled-garden, monopolistic approach to the App Store. I do not like spending time in Apple Stores, nor do I like giving the company money, but I appreciate Apple’s commitment to privacy and security, and my current phone is more than three years old, has been repaired three times, and no longer takes photos or connects to WiFi. It is, unfortunately, Time for a New Phone.

This is a weird way for one to convince themselves that they are not actually excited by technology and are resigned to the fact that they must exchange money for goods and services. I can imagine Koebler standing in a long line for brunch on a Sunday morning trying to convince himself that it’s an infuriating rip-off to pay twenty dollars for a halved English muffin with two poached eggs and some hollandaise overtop; and, instead of admitting that, yeah, it is actually kind of nice to indulge in this modicum of expensive joy every once in a while, he bashes out an article with the headline “It Is Currently Impossible to Exchange Money for Breakfast”.

Anyway:

The problem is that, at the moment, it is nearly impossible to exchange US currency for an iPhone 11 Pro.

Well that certainly narrows the vast scope that the headline suggests.

256GB iPhone 11 Pros (the objectively correct phone to buy, if you are going to buy a new iPhone) don’t ship until the end of the month if you order one online, and they’re sold out in stores all over the country according to the company’s website.

Oh, so it’s still not impossible, it just takes a couple of weeks? And this staggering level of impatience for a new product — that is, apparently, a reluctant purchase — is being displayed by the same guy who wrote and linked to an article in the previous paragraph about how you shouldn’t buy a new iPhone unless your old one is completely broken.

It’s fine to admit you like stuff and are excited by new things — even things from Apple. Nothing bad will happen to you; you will not be stuffed into a cannon and fired into the cloud hanging over Cupertino made of Steve Jobs’ reality distortion field.

Google Launches Pixel 4 Line and New Pixel Buds

Dieter Bohn of the Verge got to spend time with the new line of Google Pixel 4 phones and was particularly impressed with its new facial identification system:

I’ll admit, it was a little jarring. Every phone I’ve ever used had some sort of secondary action between picking up the phone and getting into it: a tap on a fingerprint sensor or a swipe on the screen. With the Pixel 4, it’s like there isn’t a lock screen at all because you almost never get a chance to see it.

I’ll have to do some actual timing in the review because it’s 100 percent possible that this speed is more perception than reality. The phone begins its unlock procedure before you even touch it, using that Motion Sense radar to detect you’re reaching for it. (More on that below.) It also feels faster because it jumps right into the last thing you were doing instead of requiring a second action with no animation that I could detect.

As facial recognition becomes faster on all phones, I wonder if today’s interpretation of the look and function of lock screens could effectively vanish.

The main thing Motion Sense does is pay attention to whether you’re even near the phone or if you’re reaching for it. If you walk away from it, it detects that and turns off the always-on display. If you reach for it, it activates the screen and face unlock.

Motion Sense lets you skip forward or back when music is playing, too. But the best feature is dismissing alarms and calls. When you simply reach for the phone, the volume drops when the phone sees your hand. Then you can simply wave to dismiss the call or snooze the alarm.

Without trying this feature — and I know that’s a big caveat — it sounds almost like the inverse of 3D Touch. And we all know how that experiment ended.

Google has clearly always wanted to do their own Android phones: they started with the Nexus One in 2010 and keep launching new ones every year. But they’ve never really been a big sales hit. These could be great phones, and will almost certainly be the best Android experience you can buy — primarily because the experience is unashamedly cribbed from the iPhone playbook. But, based on sales numbers, there just isn’t a huge market for people who want an iPhone that runs Android. People who want an iPhone buy an iPhone; people who want a premium Android phone seem to want it to be very different from an iPhone.

Google also launched a bunch of Google Home stuff today that doesn’t interest me, and a pair of earbuds that does. The old Pixel Buds were panned by reviewers, but the new ones ought to be better.

Victoria Song, Gizmodo:

Battery life is the same at five hours, though Google says they can last up to 24 hours with the wireless charging case. Sound-wise, they have dynamic volume adjusting depending on your environment. Google also emphasized they thought real hard about stuffing all those components into a new design — a video described them as “floating computers.” They’re not exactly noise-canceling; Google described them as “noise-isolating.” Basically, it’s got a small spatial vent to let in outside air. Supposedly that makes for a more comfortable Pixel Bud, but we’ll have to try them out for ourselves.

I love the sound of that dynamic volume adjustment feature. Every morning, I put my AirPods in and start listening to something while I’m waiting for the elevator; a couple of minutes later, I’m walking down a busy street and find myself reaching for the volume up button. And then, a few minutes after that, I turn onto a quieter side street and need to turn it back down a bit. What a great idea.

Unfortunately, while Google said today that these new Pixel Buds could do a lot of very cool new things, they won’t be shipping until next year and the demo models they showed to the press were non-functional.

Nevertheless, I’d love to try them, and one of these new Pixel phones.

Dan Seifert wrote a good piece in the Verge before today’s Google press event about the wireless earbud market:

While a few niche startups were first to put truly wireless headphones on the market, Apple really defined the scene with its 2016 release of the AirPods, showing what a good execution on the idea is like: reliable wireless connectivity, at least five hours of battery life, and a compact, easy-to-use charging case.

Since then, we’ve seen Samsung release several iterations of its own wireless earbuds before landing on a (mostly) working formula with this year’s Galaxy Buds. Many smaller companies, such as Jabra and Jaybird, have put out products that try to address the remaining AirPod faults, such as the lack of a customizable fit or poor sound blocking characteristics. Even Apple is selling multiple versions of truly wireless earbuds between the AirPods and its Beats brand.

It’s a crowded space. It’s also the category of tech products that, I think, comes closest to feeling futuristic today — especially with features like the new Announce Messages with Siri option coming in iOS 13.2.

Gig Services to Become More Costly As Investors Begin to Question Valuations

Derek Thompson, the Atlantic:

Several weeks ago, I met up with a friend in New York who suggested we grab a bite at a Scottish bar in the West Village. He had booked the table through something called Seated, a restaurant app that pays users who make reservations on the platform. We ordered two cocktails each, along with some food. And in exchange for the hard labor of drinking whiskey, the app awarded us $30 in credits redeemable at a variety of retailers.

I’ve read Seated’s guide for restaurants and a 2017 review and I still don’t understand how they’re able to offer a thirty percent money back reward for restaurant reservations booked through the app. It’s even more ridiculous than the Boost feature on Square’s Cash card, which only received compensation from a participating retailer earlier this year. It can’t possibly be paid for out of interchange fees, nor would any restaurant willingly refund a third of the cost of a menu item against already-slim profit margins.

Anyway — Thompson:

Starting about a decade ago, a fleet of well-known start-ups promised to change the way we work, work out, eat, shop, cook, commute, and sleep. These lifestyle-adjustment companies were so influential that wannabe entrepreneurs saw them as a template, flooding Silicon Valley with “Uber for X” pitches.

But as their promises soared, their profits didn’t. It’s easy to spend all day riding unicorns whose most magical property is their ability to combine high valuations with persistently negative earnings — something I’ve pointed out before. If you wake up on a Casper mattress, work out with a Peloton before breakfast, Uber to your desk at a WeWork, order DoorDash for lunch, take a Lyft home, and get dinner through Postmates, you’ve interacted with seven companies that will collectively lose nearly $14 billion this year. If you use Lime scooters to bop around the city, download Wag to walk your dog, and sign up for Blue Apron to make a meal, that’s three more brands that have never earned a dime or have seen their valuations fall by more than 50 percent.

These companies don’t give away cold hard cash as blatantly as Seated. But they’re not so different from the restaurant app. To maximize customer growth they have strategically — or at least “strategically” — throttled their prices, in effect providing a massive consumer subsidy. You might call it the Millennial Lifestyle Sponsorship, in which consumer tech companies, along with their venture-capital backers, help fund the daily habits of their disproportionately young and urban user base. With each Uber ride, WeWork membership, and hand-delivered dinner, the typical consumer has been getting a sweetheart deal.

It’s going to be a disaster if many of these arguably predatory businesses go bust: cities’ transportation networks will have to adjust, warranties won’t be honoured, and gig economy workers will be looking for jobs. When they raise their prices — even to a break-even point — we will all realize that these services are just as expensive as any traditional version of whatever they disrupted.

Canadian Telecom Lobbyists Influence Swedish Firm to Stop Including Canada in Worldwide Price Report

Anja Karadeglija, the Wire Report:

Tefficient, a Swedish consulting company that has released a number of telecom price reports highlighting Canada as one of the highest-priced jurisdictions for such services, will no longer be including the country in at least one future research report, The Wire Report has learned.

The “fact that the data is reported so late for Canada (and since none of the carriers report data traffic or usage) we aren’t too interested in incorporating Canada in our analyses going forward,” Fredrik Jungermann, founder of Tefficient, said in an email when asked about the company’s information on Canadian telecom pricing. He noted that was “primarily” the driver of that decision.

He said that “another reason is the workload created when lobbyists try to shoot down the credibility of the whole report because they don’t like to see Canada presented as an outlier. We have no business in Canada and have, unlike lobbyists, no agenda.”

Canadian cellular plans are among the most expensive in the world by an obscene margin. We pay more than the residents of any other developed country, something that multiple studies have confirmed for years. Everyone knows it, and the lobbyists for our major telecom providers want us to forget it.

Every Major U.S. Payment Processor Has Exited Facebook’s Libra Project

Russell Brandom, the Verge:

When Libra launched on June 18th, it seemed like an alarming new front in Facebook’s megalomaniacal expansion. Having captured billions of users and tens of billions of dollars in annual profits, the company would now be taking over currency itself. The company’s head of blockchain, David Marcus, laid out his plan for Libra in a detailed white paper, with some of the financial world’s most powerful companies already signed on to help govern the new currency as part of the Libra Association. It was Facebook’s vision for an international currency, and based on the company’s partners, it seemed unstoppable.

That was then. The first to ditch Libra was Paypal, which withdrew on October 4th. Then, over the course of a few hours on October 11th, Visa, Mastercard, Stripe and Mercado Pago all bailed on the project, with eBay tagging along for good measure. That meant every major US payment processor has exited the association. (The final remaining payment processor, PayU, has not responded to multiple requests for comment.) It’s an alarming turnaround for the Facebook-backed project, and the first clear indication that Libra’s founders may have bitten off more than they can chew.

Losing five companies in the span of a couple hours might seem like a panicked rush for the door, but the timing matters. On October 14th, all the founding members are set to convene in Geneva for the first ever Libra Council meeting. That’s where they will hammer out the different roles to be played by the different parties and try to answer all the governance questions that aren’t spelled out in the initial white paper. Ultimately, that will result in a formal charter, with each member signing their name to the new agreement.

A promising start.

China’s Powerful Marketplace Is Encouraging Studios to Succumb to Censorship

Alex Kantrowitz and John Paczkowski, Buzzfeed News:

In early 2018, as development on Apple’s slate of exclusive Apple TV+ programming was underway, the company’s leadership gave guidance to the creators of some of those shows to avoid portraying China in a poor light, BuzzFeed News has learned. Sources in a position to know said the instruction was communicated by Eddy Cue, Apple’s SVP of internet software and services, and Morgan Wandell, its head of international content development. It was part of Apple’s ongoing efforts to remain in China’s good graces after a 2016 incident in which Beijing shut down Apple’s iBooks Store and iTunes Movies six months after they debuted in the country.

I think it’s important to be highly critical of efforts to succumb to the demands of an authoritarian state. But this is not a story about Apple’s practices, as the eighth paragraph of this article points out:

Apple’s tiptoeing around the Chinese government isn’t unusual in Hollywood. It’s an accepted practice. “They all do it,” one showrunner who was not affiliated with Apple told BuzzFeed News. “They have to if they want to play in that market. And they all want to play in that market. Who wouldn’t?”

The bigger story here can be found in an article yesterday from Shane Savitsky in Axios:

While the U.S. reckons with the fact that China’s market power can stymie free speech after the NBA’s firestorm, Hollywood — America’s premier cultural exporter — has long willingly bent to Chinese censorship to rake in profits.

China is set to become the world’s biggest movie market in 2020, and with its 1.4 billion citizens, it won’t relinquish that title anytime soon. That means it’s key for Hollywood studios to do all they can to ensure that their tentpoles can pass the standards of the country’s strict censors.

This is a far greater cultural question to contend with. Films have been compromised for decades to meet specific MPAA ratings in the United States, but Chinese censors are even more unwelcoming:

Perhaps the most extreme example was the 2018 decision to not allow Disney’s “Christopher Robin” to be released, purportedly because Chinese President Xi Jinping’s resemblance to Winnie the Pooh had become a joke among activists who resisted the country’s Communist regime.

Ludicrous.

MacOS Catalina’s Teething Problems

Mark Gurman, Bloomberg:

Apple rolled out Catalyst, the technology to transition iPad apps into Mac versions, on Monday. It’s the initial step toward a bigger goal: By 2021, developers should be able to build an app once and have it work on iPhones, iPads and Mac computers through a single, unified App Store. But the first iteration, which appears to still be quite raw and in a number of ways frustrating to developers, risks upsetting users who may have to pay again when they download the Mac version of an iPad app they’ve already bought.

From a user’s perspective, buying different apps on different platforms is the status quo; and, as the subscription model continues to grow in popularity, it makes little difference.

Gurman, continued:

Developers have found several problems with Apple’s tools for bringing iPad apps over to Mac computers. Some features that only make sense on iPad touchscreens, such as scrollable lists that help users select dates and times on calendars, are showing up on the Mac, where the input paradigm is still built around a keyboard and mouse or trackpad.

Troughton-Smith said Mac versions of some apps can’t hide the mouse cursor while video is playing. He’s also found problems with video recording and two-finger scrolling in some cases, along with issues with using the keyboard and full-screen mode in video games. Thomson, the PCalc developer, said some older Mac computers struggle to handle Catalyst apps that use another Apple system called SceneKit for 3-D gaming and animations.

Catalyst is a frustrating bridge between the entirely-discrete AppKit and UIKit worlds, and the ostensibly cross-platform SwiftUI model. It’s “frustrating” because apps built with it don’t feel like Mac apps, and it’s probably too early to start building with SwiftUI since it will likely change dramatically for developers over the next few years. It’s an awkward middle ground that isn’t as good as either. Apple’s promotion of it as “just a checkbox” in Xcode — and, weirdly, using that as part of its pitch to users — is overly optimistic.

That’s not to say that there are no good Catalyst apps. John Voorhees reviewed Lire for MacOS and was fairly impressed with its platform-specific customizations. But it’s a harder process than Apple promotes to developers, and I’m still not confident we’ll see truly great apps built with Catalyst.

Tyler Hall has compiled a list of bugs that he has run into so far:

I love the Mac and everything its software and hardware stand for. The iMac Pro and new Mac mini are phenomenal. The revamped Mac Pro (six years? really?) is a damn beast. And, honestly, I don’t even mind USB-C.

But the keyboards, the literally hundreds if not thousands of predatory scams on the Mac App Store, whatever the fuck is going on with Messages.app on macOS, iCloud Drive, the boneheaded, arrogant, literally-put-on-the-consumer-facing-marketing-website claim that iPad-to-Mac with Catalyst was merely a checkbox, all the dumb, stupid little bugs I mentioned above, and the truckload of other paper-cuts I’m sure to run into once I’m on Catalina for more than 48 hours…

My god.

It is absolutely clear that the Mac is far outside of what the upper ranks of Apple are focusing on.

It is unsurprising to find bugs in an x.0 release of anything, but this post is maddening. The number and variety of bugs in iCloud-connected things is concerning when they display error messages; it’s even worse when something silently fails.¹

It’s not the fault of the engineers; it’s the fault of whichever parties have decided that software updates must ship annually. While I’m happy to see that they’re willing to delay features that aren’t ready, Apple’s operating system updates are promoted every June with features that may not ship for months after the initial release and the first versions are still full of absurd bugs. It feels chaotic and uncontrolled — like all middle managers for every organization are not on speaking terms.


  1. A quick aside that has little to do with Catalina but has everything to do with silent failure and bug reporting: I’ve written a couple of times about how the Home app simply doesn’t work for me on any device. It just displays a screen that says “Loading Accessories and Scenes” and has an infinitely-running spinner on it. There is no error message; there is no way to move past this.

    What’s supposed to happen, according to Apple, is that a button for resetting HomeKit should appear somewhere on that screen if you leave it open for half an hour. This is their official troubleshooting recommendation. I cannot possibly stress enough how absurd it is that someone decided that the best way to present a reset button is for a screen to be left on and running in the foreground for an entire episode of Last Week Tonight, and users should somehow expect to know that a button will emerge from an otherwise-empty space. It’s also silly that there’s no remedy for HomeKit errors anywhere between live with it and delete everything; why isn’t there a way to roll back to a known good configuration?

    Anyway, I’ve tried this several times on different devices across four versions of iOS — 10.0 through 13.2 — and in MacOS Mojave, and I’ve never seen this unicorn of a button.

    This wasn’t a big deal — I don’t have any HomeKit devices — until I updated to tvOS 13, which prompted me to add the device to my Home network. I tried; it failed, predictably. And I have an allergy to red notification dots in Settings. So I got in touch with Apple support. In the past two weeks, I’ve spoken on the phone for several hours, sent in a couple of sysdiagnose captures, and have repeatedly pointed out that this occurs on all of my devices, so it’s likely to be something iCloud-related, and all I want to do is start from scratch. I don’t blame the support representatives for their inability to fix this, but it is tedious and irritating that there is seemingly no way for me to fix this silently-presenting problem myself.

The Transformation of Apple’s Deep Investment in China From Unique Advantage to Liability

Peter Kafka, Vox:

Plenty of US companies work in and with countries that require them to make moral compromises. Facebook, for instance, finds itself frequently pulling down videos and posts because they upset Turkey’s censors; Netflix took down an episode of comedian Hasan Minhaj’s Patriot Act in Saudi Arabia because it was critical of Crown Prince Mohammed bin Salman. The standard argument these companies all make is that those countries are better off when they have access to their products.

This is Apple’s argument, too. “We believe our presence in China helps promote greater openness and facilitates the free flow of ideas and information,” Cook told Sen. Ted Cruz (R-TX) and Sen. Patrick Leahy (D-VT) in a December 2017 letter. “We are convinced that Apple can best promote fundamental rights, including the right of free expression, by being engaged even where we may disagree with a particular country’s law.”

Left unsaid in Cook’s letter is that Apple has to do business in China.

Unlike tech companies that haven’t broken into the country or only do minor business in it, Apple is now so deep in China that leaving it could be catastrophic. Even if the company was willing to forgo the $44 billion a year in sales it makes in China, it can’t leave the deep network of suppliers and assemblers that build hundreds of millions of iPhones every year.

Just a few months ago, Tim Cook denied that the company was exploring other places to build their products. The depth and extent of the electronics supply chain in China beggars belief — and, in one of those decades-old twists of fate, Cook helped make it so. There are loads of American tech companies that build products in China; Apple’s particular investment, though, is notable.

Tim Cook’s Internal Email Regarding the Removal of HKmap.live App

Tim Cook to Apple employees, as leaked to the app’s developer:

It is no secret that technology can be used for good or for ill. This case is no different. The app in question allowed for the crowdsourced reporting and mapping of police checkpoints, protest hotspots, and other information. On its own, this information is benign. […]

When the developer previously submitted the app to the App Store, it was rejected on the basis that the app “facilitates, enables, and encourages an activity that is not legal”. Presumably, that refers to its ability to locate police on a map. If it were “benign” — as Cook says and which I agree with — why was it rejected in the first place?

[…] However, over the past several days we received credible information, from the Hong Kong Cybersecurity and Technology Crime Bureau, as well as from users in Hong Kong, that the app was being used maliciously to target individual officers for violence and to victimize individuals and property where no police are present. This use put the app in violation of Hong Kong law. Similarly, widespread abuse clearly violates our App Store guidelines barring personal harm.

Maciej Cegłowski, who has been reporting on the protests from Hong Kong since August, says that this does not comport with what the app actually shows:

Moreover, what are these incidents where protesters have targeted individual police for a premeditated attack? Can Mr. Cook point to a single example? Can anyone?

When Hong Kong police have been in danger, it is invariably because they broke off in small groups into a sea of demonstrators and got separated from their colleagues. I witnessed this personally in Prince Edward on 9/2; many others have seen or videotaped similar situations.

So not only is there no evidence for this claim, but it goes against the documentary record of 18 weeks of protests, and is not even possible given the technical constraints of the app (which tracks groups of police).

Meanwhile, HKmap.live remains available on Google Play stores in Hong Kong and China. Google did remove a game that allows you to role-play as a protester at the behest of the Chinese government.

Stories From Uber and Lyft Drivers About Their Working Conditions and Pay

Hamilton Nolan, Splinter:

After a monumental political battle, California passed AB5, a law that will make it much harder for gig economy companies to classify their workers as “independent contractors.” Now, the same political battle is coming to New York. That means it’s a perfect time to hear from Uber and Lyft drivers, in their own words.

[…]

When California was considering its bill last month, we asked Uber and Lyft drivers, who are the most visible class of gig employees who would be directly affected by these changes, to email us and tell us about their working conditions. Hundreds did. As New York wrestles with the same questions, let’s hear from more of the people whose lives could be changed.

Given that drivers pay for fuel, increased wear and tear on their vehicles, and insurance, this simply isn’t a very profitable enterprise for individuals — or, seemingly, the companies they work for. I’m also not convinced that it’s particularly effective as an occasional gig for people to pick up a little extra cash: if there’s a collision, an insurance company could deny coverage if the driver has typical auto insurance instead of commercial insurance, for example.

On a related and upsetting note, Splinter is shutting down. Nolan, the author of the linked piece about gig economy drivers, wrote a very relevant and thoughtful piece last year about private equity’s pitfalls.

Chinese State Media Accuses Apple of ‘Protecting Rioters’

Verna Yu, the Guardian:

The app HKmap.live, which crowdsources the location of police and anti-government protesters, was approved by Apple on 4 October and went on its App Store a day later, after the company reversed an earlier decision to reject the submission, according to an anonymous developer cited in the South China Morning Post. The app displays hotspots on a map of the city that is continuously updated as users report incidents, hence allowing protesters to avoid police.

The headline of the People’s Daily commentary carried by its official microblog on Wednesday said: “Protecting rioters – Has Apple thought clearly about this?”

It went on to say: “Allowing the ‘poisonous’ app to flourish is a betrayal of the Chinese people’s feelings.”

Someone in the Chinese government ought to familiarize themselves with the Streisand Effect — if Techdirt isn’t already blocked in the country.

Apple should absolutely not acquiesce to China’s demands. HKmap.live ought to remain in the App Store. But it is extraordinarily risky for Apple to resist an authoritarian force that controls the export and, therefore, sale of nearly every product they make.

Update: In an inauspicious development, John Keefe of Quartz says that Apple has succumbed to Chinese government pressure and pulled the publication’s app from the App Store in Hong Kong.

Update: Apple has removed HKmap.live from the App Store in Hong Kong. Shameful.

A Handful of Links and Thoughts Concerning the Future of Transportation

Over the weekend, I ended up reading several recent articles painting a fairly bleak picture of the middle-term future of transportation. I thought I’d stitch them together in a way that helps me — and, hopefully, you — see how they relate to each other. Let’s start with the bedrock of transportation in the United States and Canada: the personally-owned car.

Patrick George, Jalopnik:

The Wall Street Journal has a new story out that’s a kind of overview of something we’ve covered extensively around these parts — that super-long car loans, often with very high interest rates, are the new normal in car buying. And buyers are having a hell of a time keeping up. It means that car loans stick around well into when some of these models need pricey repairs, or past their original owners, and they eat into more and more of our incomes.

This is obviously concerning for owners who may not truly be able to afford lengthy car loans; it’s also likely to collapse in a situation reminiscent of the mid-2000s subprime mortgage crisis.

Making matters worse is that automakers like Ford and Mitsubishi are discontinuing sales of family cars in North America and focusing on SUVs and crossovers.1 These replacements are bigger, more expensive to buy, more expensive to run, and often more expensive to insure. They’re also more dangerous, both to the occupants and the people they crash into.

And, speaking of safety, Peter C. Baker of the Guardian wrote about a deadly decade for pedestrians:

In 2010, the small community of specialists who pay attention to US road safety statistics picked up the first signs of a troubling trend: more and more pedestrians were being killed on American roads. That year, 4,302 American pedestrians died, an increase of almost 5% from 2009. The tally has increased almost every year since, with particularly sharp spikes in 2015 and 2016. Last year, 41% more US pedestrians were killed than in 2008. During this same period, overall non-pedestrian road fatalities moved in the opposite direction, decreasing by more than 7%. For drivers, roads are as safe as they have ever been; for people on foot, roads keep getting deadlier.

[…]

Ask a room full of safety experts about smartphones and you will get a mix of resignation, bemusement and contempt. “I tend not to buy the smartphone distraction stuff,” says Garrick, echoing nearly identical comments from just about everyone I talked to. “To me, it reads as shoving aside actually dealing with the relevant issues.” What particularly bothers him, he says, is how poorly thought out the distraction discourse tends to be. In the UK, Belgium, Germany, Spain, France, Austria and Iceland, for example, pedestrian deaths occur at a per capita rate roughly half of America’s, or lower. Are we really to believe that the citizens of these countries are 50% less susceptible than Americans to distraction, by their phones or anything else? Plus, within the US, pedestrian death occurs disproportionately in neighbourhoods populated by people with low incomes and people of colour. Is distraction really more endemic in those neighbourhoods, or among people driving through them, than it is in wealthier, whiter areas? Or is it more likely that these neighbourhoods are more likely to be criss-crossed by high-speed roads, and less likely to receive investment in transit interventions that protect pedestrians?

Baker also touches on partly- and fully-autonomous vehicles as a panacea for automobile-related maladies:

Of course, in time-honoured Silicon Valley tradition, this simple profit motive was quickly swaddled in all manner of high-flying rhetoric about saving lives (of car users and pedestrians alike), saving cities and transforming transportation as we know it. “Every year that we delay this, more people die,” Anthony Levandowski, then of Google, told the New Yorker in 2013. At a 2016 press event, Elon Musk, the CEO of Tesla, warned journalists who expressed doubts about self-driving cars – like the type that Tesla plans to sell – that they had blood on their hands. “If, in writing something that’s negative, you effectively dissuade people from using an autonomous vehicle, you’re killing people.”

“There is simply a very good business reason for car companies to sell people a future where everything is better, especially when the way to get there is by purchasing a lot of cars,” says Peter Norton, perhaps the most prominent historian of how Americans think about traffic safety. As Norton pointed out, car manufacturers have long made a practice of stoking consumer dissatisfaction, and yoking it to utopian visions of the future in which cars of the future solve problems created by cars of the present. “I don’t think there’s any chance that autonomous vehicles will deliver us a safe future, and I don’t necessarily think the companies think so either. I think they think we’ll buy a lot of stuff. The safe future will recede before our eyes like a desert mirage.”

It is notoriously stupid to try to predict the success of future technologies. As I’ve written before, I strongly suspect that truly autonomous vehicles are decades out. What a Tesla can do today is remarkable — if not quite road-worthy yet. Waymo’s answer is even better, of course. But I’ll be stunned if, in the next few years, a car can drive itself from, say, the parking garage in my building through the Rocky Mountains in wintertime to Lake Louise without human intervention. Part of the trip? Sure. But the whole way — a truly autonomous vehicle? I have doubts.

For the sake of argument, let’s suppose that partially autonomous transport is solved soon for a limited set of uses. Something broader than fixed bus routes, and more along the lines of Waymo One, but for the rest of us. That would perhaps require us to purchase new cars equipped with expensive new technologies. Instead of owning these cars individually, though, we could share them with a Car2Go-esque service.2 Unfortunately, it’s hard to be optimistic about the success of something like that because Car2Go announced last month that they would be ending service in four big North American cities by the end of October, including Calgary. In its email to users, Car2Go blamed city policy, a poor economy, and increased competition. The first reason has been disputed by the city, the second is a possibility, and the third seems like a red herring — there are no competing car sharing services in Calgary, but we do have Uber, and it’s wildly popular.

Of course, “wildly popular” does not mean “a good business”. Car2Go said it was very popular in Calgary just last year. When it filed for its IPO earlier this year, Uber reported total losses of $7.9 billion between when it was founded in 2009 and the end of 2018. In the first quarter of 2019, they added another $1 billion to that tab; in the second quarter, they added a whopping $5.2 billion. Between 2009 and June 30 of this year, Uber has lost over $14.1 billion — an average of about $4 million per day, every day, for over ten years of operations. And those losses are overwhelmingly recent: in 2017, the company lost $2.2 billion; in 2018, $1.8 billion; in 2019, so far, $6.2 billion. All of that is without factoring in last month’s decision in California to classify drivers as employees instead of contractors, meaning that Uber will be obligated to pay minimum wage.

Is Uber a sustainable business over the long term? They are clearly planning to be, but they have to dig themselves out of a multibillion-dollar hole before we can sincerely have a discussion about the reasonableness of future viability. But if they, like Car2Go, are forced to retreat somewhat, it puts those who are reliant upon its services in a difficult position. Car sharing and ride sharing services mean that people may not need to own a car if they live in a moderately dense part of their city. They are a solution for the increasingly high financial and environmental cost of personal vehicle ownership.

But so is public transportation.

After reading all of these pieces and thinking this whole thing through, I keep winding up wondering what our cities would look like if we channeled the money we spend on Ubers and car sharing into public transit. What if venture capital firms funded trains and buses instead of autonomous vehicle startups? I recognize that’s not how venture capital firms operate, because their incentive is in making money through risky bets — which is not necessarily the same thing as making cities better and safer to travel through. Public transportation also carries reduced risk for those who depend on it, as a public transit operator won’t simply end service in a city by giving a month’s notice and recalling all of its vehicles.

This is not an original argument, but it is one I was hounded by as I spent my weekend reading these articles.

As I wrote at the outset, this is a loose knitting-together of disparate strands of a complex conversation: what does transportation look like in cities of the future? Is it roads filled with individually-occupied privately-operated autonomous vehicles? I think it’s a fascinating technical puzzle and solution, but I’m struggling to find the practical appeal.


  1. As of writing, Mitsubishi still sells the Mirage in North America, but it’s rumoured to be replaced with a crossover of the same name. ↩︎

  2. This has been proposed by many people. I think a recent paper by Todd Litman (PDF) of the Victoria Transport Policy Institute compares different ownership schemes very well. ↩︎

Twitter Tries Being More Like Facebook

Makena Kelly, the Verge:

On Tuesday, Twitter announced that it “unintentionally” used phone numbers and email addresses for advertising purposes even though the information was provided by users for two-factor authentication.

According to Twitter, no personal data was shared with the company’s third-party partners, and the “issue that allowed this to occur” has been addressed. As of September 17th, phone numbers and email addresses are now only collected for security purposes, Twitter said.

Facebook acknowledged a similar issue earlier this year. Conveniently, I only need to swap company names in response:

This isn’t just yet another example of [Twitter] behaving outrageously when it comes to the company’s pathological need to slurp up everything about its users’ every living moment. It also has the potential to reduce the likelihood that users will adopt two-factor authentication. Technically-literate people have been preaching two-factor authentication for a long time, but average users have been slow to enable it; if they get the impression that it’s yet another piece of data that creepy companies can use to track them, they will be even more hesitant.

I’m starting to think that business models based on a relentless hoarding of personal details may need to be reconsidered.

The China Cultural Clash

Ben Thompson:

The biggest shift, though, is a mindset one. First, the Internet is an amoral force that reduces friction, not an inevitable force for good. Second, sometimes different cultures simply have fundamentally different values. Third, if values are going to be preserved, they must be a leading factor in economic entanglement, not a trailing one. This is the point that Clinton got the most wrong: money, like tech, is amoral. If we insist it matters most our own morals will inevitably disappear.

In August, two hundred of the largest companies in the world pledged that shareholder value was no longer the primary motivation for their business. It’s time to prove it.

The Legal Case for Net Neutrality Increasingly Lacks Resemblance to Policy

Nilay Patel, the Verge:

Regardless of the legal history, it really does seem obvious to most people that broadband internet access is a telecommunications service that should be neutral. In this case, Ajit Pai and the FCC made the argument that broadband is actually an “information service” because access is paired with… DNS and caching services. That’s DNS, as in the domain name lookup servers that translate domain names to IP addresses, and caching services that host copies of data closer to your location to speed up your access.

Not email, not some wacky AOL chat room. DNS and caching. And because that argument worked in the 2005 Brand X case, the court in 2019 was obligated to say the FCC could use the same argument again.

[…]

The court next addresses whether mobile broadband is a “commercial mobile service,” which is the wireless version of a telecommunications service, or a “private mobile service,” which is the analogue to an information service. I will spare you the details of the long, long discussion that follows, except to say the state of telecom law in 2019 is such that the court winds up making its decision based on the fact that smart washing machines cannot make phone calls.

There is overwhelming support across all sectors of the American public for ISPs to be treated as utility providers. Every renter knows that internet service is listed under a Utilities heading in the lease agreement. Even ISPs call themselves utilities when it benefits them, but argue the opposite when they would be subjected to similar regulatory oversight.

Broadband is a utility. Everyone knows it; ISPs know it, too. They just don’t want it to be treated as such because they would have to compete on speed and price instead of lacklustre incentives and anti-competitive policies. It’s time to regulate it as such.

Facebook Changes Policies to Allow Advertisers to Lie

Judd Legum in his Popular Information newsletter:1

Prior to last week, Facebook had a rule against running any ads with “false and misleading” content: “Ads, landing pages, and business practices must not contain deceptive, false, or misleading content, including deceptive claims, offers, or methods.”

But today, category 13 of prohibited content has been narrowed significantly. Now, Facebook only “prohibits ads that include claims debunked by third-party fact checkers or, in certain circumstances, claims debunked by organizations with particular expertise.”

The old rules prohibited all ads that contained “false” and “misleading” content and made no mention of the fact-checking program. The new rules are limited to claims that are “debunked by third-party fact checkers.”

Moreover, Facebook says “political figures” are exempt from even that narrow restriction.

Not too long ago, Facebook bragged on its advertising case studies page about how effective its ads were for political campaigns. Last year, however, the company hid that category as it publicly pretended that it couldn’t possibly influence an election. And those ads were supposed to be factual. What happens when notoriously unscrupulous leaders are able to exploit highly-targeted creepy advertising to lie to people directly with the support of Facebook’s policies?


  1. This webpage is horrible and I’m sorry to subject readers to it. Click “let me read it first” to dismiss the full-page subscription screen. ↩︎

One Year After ‘The Big Hack’

Today marks the one-year anniversary of Bloomberg’s publication of a story about Chinese intelligence intercepting the supply chain of Supermicro, a company which has built and sold servers to Amazon, Apple, the U.S. Department of Defense, and dozens of other companies. Apparently, they developed a chip that looked identical to a rice-sized standard component placed along the main power lines of a server; the implanted chip ostensibly contained a processor and networking capabilities and could, theoretically, act as a backdoor for Supermicro servers.

It sounded like the information security scoop of the decade — except there’s virtually no proof that any of it is true.

At the time of the story’s publication, representatives from the named companies denied Bloomberg’s reporting in statements that left virtually no wiggle room. Tim Cook called for the story’s retraction — a call that was soon echoed by Amazon and Supermicro. Michael Riley — who reported the story alongside Jordan Robertson — took to Twitter on October 5 to point out that the physical evidence would make it “hard to keep more [details] from emerging”.

So far, that has not happened.

On October 9, the duo published a followup story claiming that backdoor hardware was found on a Supermicro server belonging to a telecom firm. Their report relied on documents provided by Yossi Appleboum who subsequently argued in an interview with ServeTheHome that Bloomberg’s characterization was incorrect. Appleboum claimed that the problem is broader than Supermicro and the entire supply chain in China was compromised; however, no evidence was provided publicly to support his assertions.

And that was pretty much the last update we heard from Bloomberg’s reporters regarding this important information security scoop. Michael Riley published just one story between October 9, 2018 and August 31, 2019; Jordan Robertson reported nothing for Bloomberg until September 2, 2019. Given an entire year to dig around on this huge story, no other publication has been able to independently verify their claims.

Here’s every significant development I can find from the past year:

  • At the end of October last year, Erik Wemple of the Washington Post reported that the then-Director of National Intelligence — the turnover in this administration is wild — and an NSA official had no evidence to support Riley and Robertson’s story.

  • In November, Wemple wrote about Bloomberg’s continued reporting efforts. An investigative reporter who wasn’t part of the team behind the original “Big Hack” pieces emailed Apple employees to try to figure out what was right and what was wrong. In conversations with Wemple, Apple employees disputed everything about the story and subsequent rumours about internal Apple investigations.

  • In December, Supermicro announced that a third-party investigator had found “no evidence of any malicious hardware”.

  • In April, Wemple reported that Bloomberg submitted the story for a National Magazine Award. It was not a finalist.

  • In August, the story received Pwnie awards for the Most Over-Hyped Bug and the Most Epic Fail at Black Hat.

  • Last month, a vulnerability was discovered in Supermicro servers that would allow remote USB access. It was patched the following day.

  • Also last month, Michael Riley got promoted. Congratulations.

Unfortunately, a year later, we’re still no closer to understanding what happened with this story. Bloomberg still stands by it, but hasn’t published a follow-up story from its additional reporting. No other news organization has corroborated the original story in any capacity. Supermicro’s stock, annihilated when the story was published, has since bounced back.

Most upsetting is that we don’t know the truth here in any capacity. We don’t know how the story was sourced originally other than the vague descriptions given about their roles and knowledge. We don’t know what assumptions were made as Riley and Robertson almost never quoted their sources. We don’t know anything about the thirty additional companies — aside from Amazon and Apple — that were apparently affected, nor if any of the other nine hundred customers of Supermicro found malicious hardware. We don’t know what role, if any, Bloomberg’s financial services business played in the sourcing and publication of this story, since they were also users of Supermicro servers. We don’t know the truth of what is either the greatest information security scoop of the decade or the biggest reporting fuck-up of its type.

What does that say about Bloomberg’s integrity?

FCC’s ‘Unhinged’ Net Neutrality Repeal Was Upheld Because ISPs Offer DNS and Caching

Jon Brodkin, Ars Technica:

To defend the reclassification, the FCC had to explain why broadband fits the federal definition of “information service” and not the federal definition of “telecommunications service.” Under US law, telecommunications is defined as “the transmission, between or among points specified by the user, of information of the user’s choosing, without change in the form or content of the information as sent and received.”

That sounds like what broadband companies provide, but the FCC claims that broadband isn’t telecommunications because Internet providers also offer DNS (Domain Name System) services and caching as part of the broadband package. According to the FCC, the offering of DNS and caching makes broadband an information service, which is defined under US law as “the offering of a capability for generating, acquiring, storing, transforming, processing, retrieving, utilizing, or making available information via telecommunications.”

Judges reluctantly ruled that the FCC made a permissible reading of the statute.

The preceding case that allows internet connectivity to be classified as an information service in no way resembles the way broadband is actually used by consumers, nor is it a reasonable interpretation of the function of DNS and caching services. Precedent says that the judges’ decision is not incorrect, but the law is — as ever — outdated and fundamentally broken when it comes to interpreting newer technologies.

Bloomberg: Apple Is Reviewing Rejection of App That Allows Users to Track Protests in Hong Kong

Mark Gurman, Bloomberg:

Apple Inc.’s App Store is reviewing a recent decision to reject a Hong Kong app designed to track police activity in the midst of increasingly violent pro-democracy protests in the city.

The app, known as HKmap.live, is a mobile version of a website that helps users avoid potentially dangerous areas, according to the developer, who uses the alias Kuma to remain anonymous. It was rejected from Apple’s App Store because it “facilitates, enables, and encourages an activity that is not legal,” Apple told the developer, according to a copy of the rejection notice seen by Bloomberg News. “Specifically, the app allowed users to evade law enforcement,” Apple wrote.

At this stage, it seems just as likely to me that this rejection was due to an App Review failure as it was a way to appease the Chinese government. Either way, it’s a problem of Apple’s own creation.

If it’s the former, it just goes to show how accurate App Review needs to be, and the gaping chasm between where it is now and where it ought to be. Facebook and Twitter take flak for moderation failures1 on their platforms; Apple’s equivalent is in App Store mistakes. Apps that abuse subscriptions sail through App Review, but this gets summarily blocked? Nonsense.

But if it’s deliberate, it suggests a far worse situation. The reason Apple gave for preventing HKmap.live from being available in the App Store is that it “allowed users to evade law enforcement”. But that’s not its sole purpose:

The developer said the app is built to “show events happening” in Hong Kong, but what users choose to do with that information is their choice. “We don’t encourage any advice on the map in general,” the developer told Bloomberg News. “Our ultimate goal is safety for everyone.”

Plenty of apps could be illegitimately accused of the same thing. As Jane Manchun Wong noted on Twitter, Waze is still available in the App Store, despite alerting users of speed traps and DUI checkpoints. Meanwhile, law enforcement has been complaining that encrypted messaging apps like WhatsApp and Apple’s own Messages app prevent interception. There are even “vault” calculator apps that are explicitly designed to secrete user data.

What it suggests, then, is that Apple is perhaps complying with oppressive Chinese laws that restrict protestor activity in the “second system” separately-governed region of Hong Kong. This isn’t the first time that Apple has made a decision that gives the appearance of appeasing an authoritarian government that’s important to the company for its sales and manufacturing.

Let’s hope it’s App Review being its unduly sensitive, mistake-ridden self. The other option is unconscionable.

Update: Apple has now approved HKmap.live.


  1. A fun one from today comes to mind. ↩︎

Jesus Diaz Writes the Inevitable Article About Microsoft’s Apple-Beating Though Not-Yet-Shipping Innovation

Jesus Diaz — sigh — writing at Tom’s Guide:

Yesterday, as I finished watching Microsoft’s presentation on my iPad Pro, I thought that Redmond had crushed its old archnemesis in just half an hour. The Surface Neo and the Surface Duo made me think that Microsoft is now the king of innovation and industrial design. They have beaten Apple at its own game.

This take — that future Microsoft products beat current Apple products — is so trite that you can search the Macalope’s default quip, which I stole for the aside in this paragraph, and get eleven years’ worth of uses.

It’s even a cliché for Diaz: he previously said that Mountain Lion was out-innovated by Windows 8, and that the then-not-yet-shipping Surface “made the MacBook Air and iPad look obsolete”. And, like the 2008 article in which the Macalope coined its “future Microsoft products” line, Diaz also claimed that Windows Phone 7 beat iOS in a piece published eight months before the first Windows Phone would ship.

That was easy.

Media Relations Firms Are Faking Public Policy Comments With Personal Details From Data Breaches

An impressive investigation by Jeremy Singer-Vine and Kevin Collier of Buzzfeed News:

A BuzzFeed News investigation — based on an analysis of millions of comments, along with court records, business filings, and interviews with dozens of people — offers a window into how a crucial democratic process was skewed by one of the most prolific uses of political impersonation in US history. In a key part of the puzzle, two little-known firms, Media Bridge and LCX Digital, working on behalf of industry group Broadband for America, misappropriated names and personal information as part of a bid to submit more than 1.5 million statements favorable to their cause.

The FCC proceeding is not the only public debate to have been compromised. BuzzFeed News also found that LCX, an obscure advertising agency based in Southern California, has worked on at least two other campaigns that raised similar impersonation allegations — issues that were so alarming that state legislators in South Carolina and Texas referred the matters to law enforcement. Media Bridge, a political consultancy based in Virginia, also participated in the South Carolina campaign.

Buzzfeed correlated nearly two million formulaic comments submitted by Media Bridge with identifying details from a 2016 database provider breach. Several of the comments are attributed to people who either did not support the repeal of Obama-era FCC Title II classification — like, say, Barack Obama himself — or were dead at the time “they” commented.

These findings are similar to those published by Gizmodo earlier this year, but this is the most concentrated and attributable data set that has been reported so far.

There clearly needs to be a way for the public to provide feedback on policy proposals, but this is so ineffective as to be meaningless. A Stanford University study found that non-bot comments overwhelmingly favoured Title II classification (PDF), but the researchers behind that study were only able to say that about 646,000 of the 22 million comments submitted were unique. And even if a comment was unique, it didn’t matter because the FCC ignored all comments unless they articulated a legal argument.

The system in place right now is basically the comments section at the end of a news article, except it’s supposed to provide influence over policy — but it doesn’t, unless you’re well-versed in law and can make a counterargument on those terms. Oh, and comments obviously submitted in bulk are not screened or rejected, so organizations can flood a proposal with countering form letters that do nothing to enable discussion.

Like all comments sections, it should be scrapped.

Microsoft Announces New Surface Products, Including Dual-Screened Devices for End of Next Year

Panos Panay of Microsoft:

Today in New York we announced our broadest Surface lineup ever – with five new products coming this holiday and two new dual-screen devices, Surface Neo and Surface Duo, coming in Holiday 2020.

As far as I can tell, the updates Microsoft announced today have been well-received by those who know their products well. The Surface line has, generally, seemed very successful — I see them all the time when I’m in coffee shops or at the library.

But there were still traces of the old Microsoft during today’s announcements which became most obvious when they introduced the Surface Neo and Surface Duo — two products that, while intriguing, won’t be available until the end of next year. Why show them now?

Lauren Goode of Wired got to interview Panay and Satya Nadella at Microsoft’s headquarters last week. There isn’t a rationale in her report for why these products are being shown over a year before anyone can buy them; the closest she gets is explaining that Panay can’t talk about where the camera is going to be because it might give competitors ideas. The piece starts with this strange request:

No matter what you do, do not call the new Surface phone a phone. You can call it a Surface, a mobile product, a dual-screen device, a new kind of 2-in-1, a pathway to the all-important cloud. But Panos Panay, Microsoft’s chief product officer, doesn’t want you to call it a phone.

Never mind that the thing slips in and out of the pocket of Panay’s salt-and-pepper tweed blazer exactly the way a smartphone would. Or that one of the earliest scenes in the marketing video for the thing, with its slow, fetishized swirls of the gadget, shows a woman picking it up to her ear and saying “Hello?” the way you would with, well, you know. Or that Panay himself admits he makes what are universally known as “phone calls” from it.

A few companies have weird stylistic conventions, but people are gonna call this phone-sized, phone-shaped product that has general phone functionality a “phone”.

That phone, by the way, runs Android, and it speaks to the company’s radical transformation since the Steve Ballmer era that this is how Satya Nadella responded when Goode asked if the company would ever make another Windows-based phone:

Later on I ask Nadella the same question, and he zooms out even further. “The operating system is no longer the most important layer for us,” he says. “What is most important for us is the app model and the experience. How people are going to write apps for Duo and Neo will have a lot more to do with each other than just writing a Windows app or an Android app, because it’s going to be about the Microsoft graph.”

Could you imagine a previous Microsoft CEO saying that they do not consider the operating system nearly as important as the app ecosystem?

Regardless of how bizarre it is that these devices were introduced a year out, I’m fascinated by the Surface Neo. I’ve always liked the Microsoft Courier, especially some of its weirder UI ideas that leaned heavily on maximizing its book-like form. I’m not sure how any of this stuff will translate into real life — the marketing video doesn’t give a good impression and neither do the hands-on videos I’ve seen — but it’s interesting, and I dig that.

Appeal Court Upholds Repeal of Net Neutrality Laws, but Permits States to Set Their Own Rules

Adi Robertson, the Verge:

The court said the FCC exhibited “disregard of its duty” to evaluate how its rule change would affect public safety. Public safety was a key issue in a hearing earlier this year, with net neutrality advocates arguing that the FCC’s decision let ISPs throttle first responders’ data — something that happened in California last year. “The harms from blocking and throttling during a public safety emergency are irreparable. People could be injured or die,” reads the ruling, which orders the FCC to address these safety concerns.

The FCC also didn’t sufficiently explain what the rules would mean for utility pole access — which can make it easier for new competitors to set up internet service networks — and didn’t address concerns about how the change would affect the Lifeline internet access program for low-income Americans.

And most notably, the court vacated a section of the rules that let the FCC preempt any stricter state net neutrality laws. The FCC has previously filed suit against states that passed their own net neutrality rules.

The court was not persuaded that the FCC’s arguments that Title II classification suppressed ISP investment were wrong; you can read their ruling on those claims starting on page 74. However, several studies have found no evidence to support reduced ISP investment in broadband. The court’s ruling today did not explicitly support the FCC’s position — coincidentally, I’m sure, the same as that of ISPs — only finding that it was “reasonable” for them to argue that. Which, well, sure. But it certainly isn’t borne out by the evidence so far.

Tesla Releases Smart Summon Feature in Software Update

After delays, Tesla released a software update last week that includes the Smart Summon feature which, supposedly, allows the driver to summon their once-parked car to their present location. In the real world, it is having some issues.

Jason Torchinsky, Jalopnik:

The Version 10 release notes for Smart Summon do state that

“You are still responsible for your car and must monitor it and its surroundings at all times.”

which is, of course, true, but this is still a completely unprecedented use of a car, for better or worse. On the plus side, sure, it’s great for impressing people and not getting wet in the rain or having to walk to your car, possibly with a bunch of heavy crap, but at the same time, when has it ever been okay to attempt to be “in control” of your car from potentially across a parking lot?

There’s plenty of cases where Smart Summon has worked just fine. And yes, people do stupid shit in parking lots every day. Tesla does specify that it’s a Beta release, which is fine for most software, but does it make sense when that software is driving a full-sized car in a public space?

The collisions that have been reported so far have all been property damage, either to the Tesla or to whatever it hit. I haven’t seen any reports of pedestrians either getting hit or nearly so. I suppose that’s the silver lining to this story: in the four days since the software started rolling out, nobody has been injured or killed.

It does raise questions about whether it’s fair for Tesla to use developer-centric terms like “beta” as cover for software that it is not fully confident is complete and safe — I do not think that’s okay. Tesla, in particular, has historically exaggerated the capabilities of its autonomous software while simultaneously tacking “beta” onto the end of several of its features. Plenty of people were upset with iCloud’s myriad problems in the beta releases of iOS 13. Those problems are confined to the user’s own files, however; they are not a matter of public safety.

Study Indicates the FCC’s Core Justification for Killing Net Neutrality Was False

Karl Bode, Vice:

“Under the heavy-handed regulations adopted by the prior Commission in 2015, network investment declined for two straight years, the first time that had happened outside of a recession in the broadband era,” [Ajit] Pai told Congress last year at an oversight hearing.

“We now have a regulatory framework in place that is encouraging the private sector to make the investments necessary to bring better, faster, and cheaper broadband to more Americans,” Pai proclaimed.

But a new study from George Washington University indicates that Pai’s claims were patently false. The study took a closer look at the earnings reports and SEC filings of 8,577 unique companies from Q1 2009 through Q3 2018 to conclude that the passage and repeal of the rules had no meaningful impact on broadband investment. Several hundred of these were telecom companies.

“The results of the paper are clear and should be both unsurprising and uncontroversial,” the researchers said. “The key finding is there were no impacts on telecommunication industry investment from the net neutrality policy changes. Neither the 2010 nor 2015 US net neutrality rule changes had any causal impact on telecommunications investment.”

We knew this. We knew it before Pai rolled back net neutrality regulations. But it bears repeating that he made law by amplifying the cable industry’s lies, leading to abuses of power from an increasingly-concentrated media and telecom industry.

Art in the Age of Digital Subscription

Maddy Myers, Kotaku:

I feel like I actually have started to devalue a lot of pieces of media in ways that I didn’t do when I was growing up in the ’90s. I used to go to Blockbuster and spend a couple of bucks on renting a movie. But nowadays, I don’t want to spend 5 dollars on “renting” a movie from iTunes. I just don’t. I’d rather watch a different movie on a subscription service that I pay for than pay not that much more money to rent a movie. Why is that? That’s interesting. That’s clearly a mental change in me that I’ve observed.

Matt Birchler:

This resonates with me a ton. There is more amazing content out there today than ever before, whether it be video games or movies or TV shows, but I think I cherish less of it than I used to. As a consumer, streaming music is an incredible deal. I get to listen to basically every song ever made, everything new this week, and everything coming out in the future for $9.99 per month. That’s less than buying a single album every month, which is just insane.

But while this is wonderful, I do get the feeling that I appreciate individual things less. Spending $15 on an album meant I was invested in giving it a serious listen. Now it costs me what feels like nothing to hear everything and it’s super easy to bounce off albums and try something else. Again, this could be considered a benefit as I keep seeking out the best things, but I find I know fewer albums from start to finish than before streaming.

I empathize with both Myers’ and Birchler’s perspectives, but I feel a little differently about this when it comes to music.

To generalize, most people like music, a few monsters actively dislike the entire idea of it, and some people love everything about music to the point where it’s obsessive. I’m in the last category. There are few genres I don’t listen to, and nothing I won’t take a chance on. I hoard records — physical and digital, alike.

If you also love music and have somewhat flexible morals, you’re probably familiar with early 2000s music blogs. You could visit these sites, often hosted on Blogspot, multiple times every day and discover something unfamiliar. It could be a brand new record, a classic album you recognize but never listened to, a deep cut from an artist you’ve heard of, or something in a language you don’t understand. On every post, there would be a Rapidshare link for you to download the full record — just below a reminder to pay for the album.

Of course, this is morally- and legally-dubious. I’m not going to defend that. However, they were also remarkably well-curated places to discover bands and artists you’d likely never find on your own. And, of course, free downloads meant that there was no risk to trying something unexpected. Again, I offer no counterargument to depriving artists of earnings, except to note that multiple studies suggest that people who download music illegally also tend to buy the most music. That’s probably because these people are simply the biggest fans of music and want to listen to as much of it as they possibly can.

Streaming services allow the same kind of risk-free exploration without the guilt and legal jeopardy of music blogs. You can still use music blogs and other discovery mechanisms to find new music, but you can listen to it with Apple Music or Spotify instead.

One more thing: I’ve never found CDs or cassette tapes to be particularly valued ways of listening to music. CDs, in particular, are a brittle delivery mechanism for music that sounds basically the same as what you’d get from iTunes. This is only a smidge less corny than talking about the warmth of vinyl and the way it friggin breathes; but, for me, a vinyl record is a fantastic way of expressing the personal value of an album.

There’s a great piece of writing at the top of the Nine Inch Nails online store that mirrors my thoughts in hard-to-read small uppercase text:

Vinyl has returned to being a priority for us – not just for the warmth of the sound, but the interaction it demands from the listener. The canvas of artwork, the weight of the record, the smell of the vinyl, the dropping of the needle, the difficulty of skipping tracks, the changing of sides, the secrets hidden within, and having a physical object that exists in the real world with you… all part of the experience and magic.

I get why this makes people roll their eyes, but it’s exactly how I feel. Putting on a record is a completely different experience. It’s more whole, somehow; more fulfilling.

An Apple Music subscription and a turntable — that’s how I listen to music. And I feel like I value music no less than when I was buying CDs every week.1


  1. I was trying to find a link for this piece and I stumbled across a 1995 issue of Billboard in which Ed Christman argues that CD subscription clubs were devaluing music. ↩︎

Researcher Discovers Method for Exploiting Boot ROM in Several iPhone Models

Sean Gallagher, Ars Technica:

Today, an iOS security researcher who earlier developed software to “jailbreak” older Apple iOS devices posted a new software tool that he claims uses a “permanent unpatchable bootrom exploit” that could bypass boot security for millions of Apple devices, from the iPhone 4S to the iPhone X. The developer, who goes by axi0mX on Twitter and GitHub, posted via Twitter, “This is possibly the biggest news in iOS jailbreak community in years. I am releasing my exploit for free for the benefit of iOS jailbreak and security research community.”

[…]

It’s possible that this exploit has been found by other researchers and is already in use, especially via tools used by intelligence and law enforcement agencies, such as GreyShift’s GreyKey. Many of these tools use proprietary hardware to collect data off iOS devices.

Ryan Stortz, writing on the Trail of Bits blog:

We strongly urge all journalists, activists, and politicians to upgrade to an iPhone that was released in the past two years with an A12 or higher CPU. All other devices, including models that are still sold — like the iPhone 8 — are vulnerable to this exploit. Regardless of your device, we also recommend an alphanumeric passcode, rather than a 6-digit numeric passcode. A strong alphanumeric passcode will protect the data on your phone from this and similar attacks.

The bad news is that A11-and-older iPhone models — and their iPad and iPod Touch equivalents — are vulnerable to this exploit. Because this vulnerability exists in boot ROM, it reportedly cannot be patched in a software update and it’s extremely powerful.

But it requires hardware access to a device; your iPhone cannot be breached through a remote attack, and someone would need to connect it to another device. The exploit also does not persist: it must be run again every time the phone is rebooted, and the Secure Enclave is not at risk through this vulnerability. Finally, it is overwhelmingly unlikely an average person’s phone would be at risk of someone actually using this exploit against it. The categories of possible victims are more-or-less how Stortz describes them: public figures, politicians, judges, journalists, activists, and spies.

Regardless, this exploit is both worrisome because of the impossibility of patching it, and deeply impressive.

A unique complicating risk factor of late is that someone wishing to exfiltrate lots of data about you need not breach your phone, specifically. If you’re using cloud services to keep your devices in sync, they could breach — for example — your iPad while your iPhone remains untouched.

All I Want to Do Is Create Havoc as a Terrible Goose

Kelsey McKinney, Deadspin:

I have tried for years to love a video game. I understand the appeal. I too want to forget all of my anxieties and struggles by immersing myself in another world. I too want entertainment that forbids me (by nature of its controller) from looking at my phone while I do it and scrolling a real-time chronicle of democracy’s crumbling. But I had two problems: 1) I do not know how the buttons work so every game has a massive learning curve for me, and 2) I don’t like to hit things or die. This makes me feel stressed and I don’t like to feel stressed in my down time.

What I like is to be told a story. I like a narrative arc and a riveting main character. I like to be entertained. And that is how I became a terrible, horrible, no-good, extremely bad goose.

I struggle with video games generally, but Untitled Goose Game is pretty much perfect for my tastes. It’s charming, it’s silly, and you play as a goose; it’s kind of calming because of the music, but it also requires just a little bit of thought for the different puzzles. It is wonderful.

The Peril of Old Slack Posts

Brian Feldman, New York magazine:

On Tuesday evening, Vox Media announced that it had acquired New York Magazine and its associated brands. This includes Intelligencer, the website you are reading right now. In an all-hands meeting at New York’s Canal Street office at noon yesterday, Vox head honcho Jim Bankoff and New York Media CEO Pam Wasserstein addressed the tension floating throughout the company. There will not be any layoffs, they stressed. It’s, supposedly, business as usual. Still, uncertainty lingered in the air.

Of the many known unknowns, a few centered around Slack, the workplace communication software popular in media circles. Anxiety regarding Slack yesterday was exacerbated by rumors and murmurs. In the afternoon, a similar all-hands meeting occurred at Vox’s headquarters in the Financial District, and a harrowing detail of the acquisition emerged. The gossip, as conveyed in a group chat of NYMag employees, was: “They told Vox we’re all gonna be on one Slack.” Absolutely devastating.

I can think of few more catastrophic circumstances than if Slack’s archives were leaked. For what it’s worth, I’m not much sassier in Slack than I am anywhere else online or in real life — and I’m sure many people are the same way — but the looser context of a chat room means that the nuance gets lost within jokes, private conversations, and snide comments.

iFixit Really Doesn’t Think Apple Deserves Any Credit for Using Recycled Aluminum in New Products

iFixit took apart a couple of the new Apple Watch models and found a wildly different battery in the 40mm model than in the 44mm. They also took the time to snark about the recycled aluminum case.

Craig Lloyd:

Now, about Apple’s claim that the Series 5 Sport cases are made from “100% recycled aluminum.” While using recycled materials is great, the truth is most of the world’s aluminum is already recycled, and recycled aluminum is dramatically cheaper than the freshly-mined variety. The real question is whether Apple uses any recycled aluminum that wouldn’t have been recycled anyway. And after analyzing Apple’s statements on the matter, the answer seems to be no. Apple is in line with industry standards, and isn’t remaking the field. Recycling all the lithium or cobalt in their batteries would be a true leap forward, and Apple may well be working on something like that, but using recycled aluminum isn’t much to get excited about.

Let’s start with the overall argument: Apple’s use of recycled aluminum is a form of greenwashing because aluminum is already recycled, so they shouldn’t get credit for using the existing supply chain. That seems, to me, like a harsh oversimplification of a reasonable and more nuanced critique.

If it’s truly the case that the aluminum Apple uses has likely always been recycled — as Lloyd implies in the second and third sentences of this paragraph — one would think that they would have mentioned this before. After all, they’ve long explained that one of the reasons they use aluminum in the first place is because it’s highly recyclable. If Lloyd’s implications are correct, it should be trivial for Apple to make products that are ostensibly nearly fully recycled already and turn them into 100% recycled aluminum, right? But they didn’t say that they were doing so until the introduction of the new Mac Mini and Retina MacBook Air last year, which suggests that Lloyd’s cynical reading is simply incomplete. Furthermore, it’s worth asking why none of the company’s major competitors ever attempts to argue environmental bona fides.

For what it’s worth, I think Maddie Stone wrote a much more thoughtful critique of the company’s environmental efforts last year for Gizmodo. It acknowledges that electronic supply chains are complex and that Apple’s extensive use of the material presents further complications, that using fully-recycled aluminum in cases is a step forward, and says that many of the trace components in the company’s products are still mined in unsustainable ways. All terrific arguments. Lloyd’s critique is shallow and misleading.

Then there’s the way Lloyd pointed out that using recycled aluminum is cheaper than mining more — why bring this up? It isn’t actually relevant; it doesn’t change Lloyd’s argument one bit if you drop it. But it does leave the impression that Apple’s use of recycled aluminum is at least partly for economic reasons — which, I guess, is supposed to be inherently bad and evil. That’s a ludicrous argument. Environmental efforts can go hand-in-hand with economic incentives, and there’s nothing wrong with that.

And if I’m being nitpicky — and I most certainly am but, well, they started it — Apple dropped the “Sport” designation with the introduction of the Series 1 and 2 models.

Google Chrome Keystone Update Is Causing Boot Issues on Macs With System Integrity Protection Switched Off

I know yesterday was particularly newsy, but there’s one story I was watching for updates on because it was so bizarre.

Janko Roettgers, Variety:

Film and TV editors across Los Angeles were sweating Monday evening as their workstations were refusing to reboot, resulting in speculations about a possible computer virus attack. Social media reports suggested that the issue was widespread among users of Mac Pro computers running older versions of Apple’s operating system as well as Avid’s Media Composer software.

Weird, right? Today, though, a possible answer. It appears as though this issue was not isolated to just Mac Pros, or just computers belonging to video editors — any Mac that had Google Chrome installed, Chrome’s auto-updates enabled, and System Integrity Protection switched off could see the same problems.

Craig Tumblison of Google:

We recently discovered that a Chrome update may have shipped with a bug that damages the file system on macOS machines with System Integrity Protection (SIP) disabled, including machines that do not support SIP. We’ve paused the release while we finalize a new update that addresses the problem.

If you have not taken steps to disable System Integrity Protection and your computer is on OS X 10.9 or later, this issue cannot affect you.

This post also contains recovery instructions. It’s odd that this problem seemed to most greatly affect media professionals, but a search of the web turns up instructions to disable SIP as a workaround for misbehaving media apps. “Mr. Macintosh” wrote a deeper, more technical explanation of what’s going on.

Update: A reader email prompted me to think about this a little more.

Most software needs admin privileges to be updated if it’s writing to /Applications/. Google developed a workaround for this by placing Chrome’s updater in /Library/ instead of ~/Library/, which allows Chrome to update itself regardless of which user is currently logged in. I don’t find anything particularly nefarious about that — if it’s a family computer or a shared computer in a college library, for example, it may be preferable for Chrome to be able to update at any time.

However, it does create an elevated level of risk. Disabling SIP or modifying permissions can compound that risk. I don’t understand why the updater would ever need to touch /var/, but I do think that shipping software updates that will be installed automatically carries with it an extraordinary level of trust that can be shattered in an instant with careless bugs like this one.

On That Rumour of Dedicated Camera RAM in the iPhone 11 Pro

Speaking of the iPhone 11’s cameras, there was a funny rumour going around that the iPhone 11 Pro could have 2 GB of extra RAM solely dedicated to camera functions. When iFixit tore one apart, though, they were unable to find any sign that this rumour could be correct.

It’s an interesting idea, though, and one that I would welcome. I’ve long expressed my frustration with the way iOS handles memory limitations — particularly on the iPad — but it seems like opening the camera shouldn’t kick nearly every other app out of memory. It’s odd to me that using one specific hardware feature monopolizes system memory. Adding more globally-accessible memory isn’t the answer, I don’t think, as it would still be shared with other apps.

Limitations of the iPhone 11’s Ultra-Wide Camera

Gannon Burgett, DPreview:

Last week, Apple debuted its new iPhone 11 devices, all three of which feature an ultra-wide camera module. This marks the first time Apple has put an ultra-wide camera in an iOS device and with the new camera comes all-new capabilities and shooting modes.

Not all of the cameras are made equal though. In addition to not having optical image stabilization, it’s been revealed the ultra-wide camera unit on all three models isn’t yet capable of capturing Raw image data or manual focus, unlike the wide-angle camera (and telephoto camera on the iPhone 11 Pro models).

These are curious limitations that put the ultra-wide camera on a similar level to the fixed-focus front-facing camera that only captures compressed image formats. It’s expected on the front, but a little disappointing for a back-mounted camera, especially as the other cameras don’t have these restrictions, so it’s a little inconsistent.

For what it’s worth, I don’t buy speculation that the ultra-wide camera does not support RAW capture because of excessive distortion. The user of a third-party app that supports RAW capture would probably be comfortable with distortion, and apps like Lightroom have lens correction profiles.

Intelligent Tracking Prevention 2.3

John Wilander of Apple’s WebKit team:

The reason why we cap the lifetime of script-writable storage is simple. Site owners have been convinced to deploy third-party scripts on their websites for years. Now those scripts are being repurposed to circumvent browsers’ protections against third-party tracking. By limiting the ability to use any script-writeable storage for cross-site tracking purposes, ITP 2.3 makes sure that third-party scripts cannot leverage the storage powers they have gained over all these websites.

I remember when hotlinked third-party media on your website would get the picture replaced with something funny or disturbing — though there is nothing of the sort on the linked page. This paragraph is a reminder that it can be so much worse when you factor in the breadth of capabilities typically afforded to scripts.

It’s great to see the WebKit team continuing to treat privacy violations with the same gravity as security vulnerabilities; the two go hand-in-hand.
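As an added illustration, not WebKit’s code or anything from Wilander’s post, here is a toy JavaScript model of the mechanism the quoted paragraph describes: storage written by a script (including a third-party script running on a first-party site) gets a lifetime cap that only the user interacting with that site extends, while storage the server set over HTTP is left alone. The seven-day cap, the site and script names, and the exact purge rule are assumptions chosen for the example, not figures taken from the post.

```javascript
// Toy model of capping script-writable storage (added example, not WebKit code).
// Cap length, site names and the purge rule are placeholders for illustration.

const DAY_MS = 24 * 60 * 60 * 1000;

class StoragePolicy {
  // capDays: days a script-written entry survives without user interaction on its site.
  constructor({ capDays = 7 } = {}) {
    this.capMs = capDays * DAY_MS;
    this.entries = new Map();         // `${site}|${name}` -> entry
    this.lastInteraction = new Map(); // site -> timestamp of last user gesture
  }

  // A user gesture (tap, click, keypress) on a first-party site resets its idle clock.
  interact(site, now) {
    this.lastInteraction.set(site, now);
  }

  // Store an entry under the first-party site. setBy is 'http' (server-set,
  // outside the cap in this model) or 'script' (page or third-party script,
  // identified by scriptOrigin, which is why it gains the site's storage powers).
  write(site, name, value, { setBy, scriptOrigin = null, now }) {
    this.entries.set(`${site}|${name}`, { site, name, value, setBy, scriptOrigin, writtenAt: now });
  }

  read(site, name) {
    const e = this.entries.get(`${site}|${name}`);
    return e === undefined ? undefined : e.value;
  }

  // Delete script-written entries whose site has been idle (no write, no user
  // interaction) for at least the cap. Returns the names purged, in insertion order.
  purge(now) {
    const purged = [];
    for (const [key, e] of this.entries) {
      if (e.setBy !== 'script') continue;
      const lastGesture = this.lastInteraction.get(e.site);
      const freshAt = lastGesture === undefined ? e.writtenAt : Math.max(e.writtenAt, lastGesture);
      if (now - freshAt >= this.capMs) {
        this.entries.delete(key);
        purged.push(e.name);
      }
    }
    return purged;
  }
}

// Constructed scenario: a session cookie set over HTTP and a tracking identifier
// written by a third-party script on the same site. Returns what survives.
function demo() {
  const policy = new StoragePolicy({ capDays: 7 });
  const site = 'example.test';
  policy.interact(site, 0);
  policy.write(site, 'session', 'abc', { setBy: 'http', now: 0 });
  policy.write(site, 'trk_id', 'u-123', { setBy: 'script', scriptOrigin: 'tracker.test', now: 0 });

  const day5 = policy.purge(5 * DAY_MS);        // idle 5 days: nothing purged
  policy.interact(site, 6 * DAY_MS);            // user comes back on day 6
  const day12 = policy.purge(12 * DAY_MS);      // idle 6 days: still nothing
  const day13 = policy.purge(13 * DAY_MS);      // idle 7 days: script storage goes

  return {
    day5, day12, day13,
    session: policy.read(site, 'session'),
    trk_id: policy.read(site, 'trk_id'),
  };
}

module.exports = { DAY_MS, StoragePolicy, demo };
```

The point the model makes concrete is that the cap is keyed to the site the script runs on, not to the script’s own origin, so a third-party script cannot keep a long-lived identifier in first-party storage unless the user keeps returning to that site.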

MacStories Reviews WatchOS 6

Alex Guyot, MacStories:

watchOS 6 is one of the more subtle updates we’ve encountered over the last five years of Apple Watch, but that subtlety should not be mistaken for insignificance. The user-facing updates in watchOS 6 may not be the most exciting we’ve seen, but their skillful execution makes it clear that Apple understands the device it has created. Nearly every first-party watchOS app is well crafted and properly honed down to its simplest ideas. New health updates expand use cases for the Apple Watch’s most important category of features. Only a few new watch faces manage to pass my very high bar, but continuing to throw options at the wall every year is exactly what Apple should be doing; by now we’re starting to see quite a few diamonds among the rough.

For the first time ever, a subset of third-party apps can exist independent of their iOS counterparts. The vision is far from fully realized, but this year is a start that will be continued in the years to come. It won’t be long before every relevant watchOS API which requires an attached iPhone has been freed from its restrictions. Break the chains!

Previous WatchOS updates closely mirrored the first several releases of iOS in knocking critical items off to-do lists — though, in the case of the Apple Watch, these updates also helped better define the product. The future of the Watch looks to me like a product that can be used independently of an iPhone for most of the day, with the exception of snapping a photo or two. It seems like WatchOS 6 is a bridge to get there.

QuickTake

Those of you picking up a new iPhone 11 model today will get to experiment with the new QuickTake feature in the camera app. But this isn’t the first time Apple branded something “QuickTake” — from 1994 until 1997, the company sold a line of digital cameras with the same name.

Thomas Brand:

The QuickTake 100 was capable of storing up to eight photos at 640×480 resolution, 32 photos at 320×240 resolution, or a mixture of both sizes on its 1MB Flash EPROM. The QuickTake 100 had no upgradable memory. All photos were stored with 24 bits of color in a proprietary QuickTake PICT format that cannot be easily read in Mac OS X. Every photo taken with the QuickTake 100 had to later be converted into a JPEG, TIFF, or BMP before it could be shared. The QuickTake 100 produced photos with quality similar to today’s most primitive camera phones.

I know this is twenty-five years ago and one of the first ever consumer digital cameras, but the idea of storing a maximum of only eight photographs is staggering to me, and at miserably low resolution, too. A grid of six “3×” iPhone icons would just fit into the area of a single QuickTake 100 photograph. I know times change and all, but that’s positively quaint.

Austin Mann’s iPhone 11 Pro Review

I look forward to Austin Mann’s iPhone review every year. This is particularly true when Apple dedicates much of its product launch materials to explaining camera improvements, because nobody can test those changes quite like Mann does.

Indeed, the photos in this year’s review are stunning. There are shots in here that seem impossible to have been created with a smartphone — particularly the photo of a lantern-lit boat and a self-portrait.

There are also some fascinating technical details in this piece. On comparing Night mode to traditional long exposure photography:

But with iPhone 11 Pro the rules are different… it’s not capturing one single continuous frame but blending a whole bunch of shots with variable lengths (some shorter exposures to freeze motion and longer shots to expose the shadows.) This means the subject can actually move during your exposure but still remain sharp.

I’m sure some of you are wondering, “well this is cool for handholding but what if you want to do light trails?” The iPhone actually detects when it is on a tripod and changes exposure method so that light trails and movement can still be captured.

In a separate review in Outdoor Photographer, Mann says that the ultra wide lens can be used for panoramas, which allows for an even wider landscape shot in every direction.

One other thing I noticed thanks to the original image files included in John Gruber’s review is that noise reduction seems to preserve more detail and create less of a painterly effect when zoomed in. I hope this is true for high-detail scenes such as landscapes and architectural photos.

Our Economic Model of Privacy Is Deeply Flawed

Will Oremus, OneZero:

The apparent disconnect between most people’s stated desire for online privacy and their incautious online behavior has become known as the privacy paradox. There are competing explanations, but most experts agree it’s hard to draw conclusions about people’s values from their real-world actions. That’s because their choices are shaped by all kinds of factors: the limited available options (how many social networks have the majority of your friends and family on them?), the circumstances under which they make decisions (who has time to read a 4,000-word privacy policy before downloading each app?), the difficulty of predicting outcomes (who knew that Yahoo Mail would get hacked when they signed up for it?), and feelings of general helplessness (why spend a ton of energy protecting your data now when so much is already out there?).

It really is bizarre that we willfully sign away our right to the privacy and security of huge amounts of deeply personal information with little thought or care — and that the discussion about how to best regulate this industry and its breaches of trust, if at all, is dominated by economic rationales instead of moral and ethical ones.

Facebook Launches New Portal Devices for Video Calling

Nicole Nguyen, Buzzfeed News:

Facebook announced three new products today: the 8-inch Portal Mini ($129) and 10-inch Portal ($179) — two picture frame–sized devices designed to sit on a countertop — and the Portal TV ($149), an accessory designed to sit on top of at-home televisions and let far-flung friends view Facebook Watch shows together. The devices include cameras and microphones designed specifically for video calling and have voice control via built-in Amazon Alexa software. As of today, Amazon Prime Video can also be streamed through Portal, alongside Spotify, Pandora, iHeartRadio, and other apps announced last year. Currently, Netflix and Hulu are not available through Portal or Portal TV.

Notably, the new devices have significantly lower prices than last year’s models, which ranged between $200 and $349. Facebook executives said the cuts are aimed at allowing more people to use Portal. “The most important thing for us is getting our experiences out there, and seeing how people react to them,” said Andrew Bosworth, vice president of augmented and virtual reality at Facebook, at a press event on Tuesday. “We’re not focused on the [Portal] business model right now.”

Aside from price, the other thing Facebook is emphasizing with these new products is a commitment to privacy. They ship them with camera covers and physical switches to turn off the camera and microphone. And to show you that the mic and camera are, indeed, off, a little light turns on — otherwise known as the universal sign that a device’s camera and microphone are also on.

This is something Facebook communicates on a marketing webpage with the headline “Privacy by Design”.

Nilay Patel:

Facebook selling the new Portal for $129 — almost certainly less than what it costs — with @boztank casually admitting it has no business model yet is really something else.

As @ashleyrcarman has noted many times, the tech giants are so willing to lose money on hardware to lock into their services that the entire indie hardware market is being crushed. It’s why companies like Eero couldn’t stay independent.

A pattern for ad-supported tech giants is to encourage more user investment through time and data by offering services free of charge and selling cheap hardware, then cataloguing users’ behaviour to sell ads against. That pattern does not fit profitable companies that do not fund their operations through advertising and so have no need to exploit users, choosing instead to accept money in exchange for goods and services.

Reassessing Smartphone Upgrade Recommendations

Brian X. Chen, New York Times:

Year after year, the formula was this: I tested the most important new features of Apple’s latest smartphone and assessed whether they were useful. Assuming the newest iPhone worked well, my advice was generally the same — I recommended upgrading if you had owned your existing smartphone for two years.

But with this review of the iPhone 11, 11 Pro and 11 Pro Max — the newest models that Apple unveiled last week and which will become available this Friday — I’m encouraging a different approach. The bottom line? It’s time to reset our upgrade criteria.

I think this is a wise approach to purchasing anything: you should figure out if a newer version of the product will meaningfully advance how you use it, and whether those improvements are worth the cost to you based on their importance. Here’s where Chen lost me:

So here’s what I ultimately suggest: You should definitely upgrade if your current device is at least five years old. The iPhone 11 models are all a significant step up from those introduced in 2014. But for everyone else with smartphones from 2015 or later, there is no rush to buy. Instead, there is more mileage and value to be had out of the excellent smartphone you already own.

Chen has clarified that the improvements in the iPhone 11 and 11 Pro models are “nice to have, but [not] must have[s]” for owners of, say, an iPhone 6S. I think there are plenty of instances where one could have made a judgement like that, but this year seems like the worst possible one. To be fair, I have not used these phones. But every review I’ve read has extolled extraordinary advancements to camera quality — particularly in low-light situations — and battery life in the 11 and 11 Pro. Those are two of the biggest things that people care about in a smartphone, along with having more storage.1

To be clear, I think Chen’s advice is generally sound. If you’re an iPhone user, Apple is making it completely viable to make your device last four or five years with its latest versions of iOS. But I think Chen undersells the advantages of having a battery that lasts far longer than even a brand new iPhone 6S, and far better photos in non-daylight conditions. I’m not trying to convince you to upgrade, especially since I haven’t used these devices, but I am suggesting that these are massive improvements for any 6S owner who wants to take pictures in restaurants or in the evening, and doesn’t like having their phone die.


  1. The iPhone 6S came in 16, 32, 64, and 128 GB configurations, while the iPhone 11 starts at 64 GB — so 6S owners are also likely getting a storage upgrade. ↩︎

Wariness of Tech Companies Isn’t Necessarily Resulting in Reduced Use

Rob Walker, New York Times:

It’s fun, and increasingly fashionable, to complain about technology.

Counterargument: it has always been “fashionable” to complain about technological change.

Our own devices distract us, others’ devices spy on us, social media companies poison public discourse, new wired objects violate our privacy, and all of this contributes to a general sense of runaway change careening beyond our control. No wonder there’s a tech backlash.

But, really, is there? There certainly has been talk of a backlash, for a couple of years now. Politicians have discussed regulating big tech companies more tightly. Fines have been issued, breakups called for. A tech press once dedicated almost exclusively to gadget lust and organizing conferences that trot out tech lords for the rest of us to worship has taken on a more critical tone; a drumbeat of exposés reveals ethically and legally dubious corporate behavior. Novels and movies paint a skeptical or even dystopian picture of where tech is taking us. We all know people who have theatrically quit this or that social media service, or announced digital sabbaticals. And, of course, everybody kvetches, all the time.

However, there is the matter of our actual behavior in the real-world marketplace. The evidence there suggests that, in fact, we love our devices as much as ever. There is no tech backlash.

Walker’s entire argument is predicated on the fact that despite numerous lawsuits, data breaches, widespread recognition of privacy violations, and antitrust investigations — all of which represent a radical shift in the way we think about technology companies from just a few years ago — consumer use has risen and, therefore, we are not reacting with our behaviour. It is a silly argument that masks misgivings held by the public at large.

An Edelman survey from earlier this year found that respondents in developed nations were weakly trusting of tech companies; it also found that respondents were generally capable of separating hardware manufacturers — which they generally trusted — from social media companies, which they did not. But we still use Facebook, Twitter, and YouTube to increasing degrees. We know they’re toxic to us and we know that they don’t give a shit about our privacy, so why do we do it?

Well, probably for similar reasons as we do lots of things that we know are terrible for us. We’ve known for decades that tobacco usage increases the likelihood of myriad diseases, but the prevalence of smoking has not consistently declined. Likewise, we’ve known for years that our emissions are smothering the planet, but we keep on emitting at ever-greater rates. Our understanding that something is damaging does not necessarily mean that we will not continue our poor behaviour. After all, we keep weighing these risky choices against how much value we get from these things. We emit more because we heat bigger homes, drive more fuel-thirsty cars, and want more clothes.1

Likewise, we want to send out potluck invitations without starting a gigantic “reply all” email thread, complain about the news in public, and watch goofy videos. We want to passively keep in touch with family, friends, and colleagues. We may even want to experiment with photography.

We’ve weighed all of these clearly- and immediately-tangible benefits against the more difficult question of what effects it will have for us to compromise our privacy to monopolistic tech companies, and many people hesitantly accepted those benefits often years ago. Disentangling your real social life from your electronic social life can be very difficult, especially if you’ve built up years of cruft. It’s a job unto itself.

Predictably, venture capital types have reacted to this article supportively, confident in the safety of their practice of growing the user base of bleeding-edge tech products2 and then slapping some surveillance-based ads on them. It’s easier to loudly dismiss public concerns about technology than it is to reform the business model of many of the biggest Silicon Valley firms raring for their IPO.

Meanwhile, public concern over technology is, indeed, far greater than it was not too long ago. Trust in Facebook dropped precipitously after the Cambridge Analytica scandal broke — and didn’t recover after a solid year of serious problems were reported — to the extent that Facebook is pretending to change its business model. Google also decided to become a company that ostensibly protects privacy. If these companies were confident that users didn’t see any problems with their services and business model, why would they feel the need to so aggressively tout their privacy credentials, no matter how weak?

Big tech companies with exploitative business practices are worried that their tainted reputation will overshadow our enthusiasm for the implicit progress of high technology. But you can’t quickly turn this billion-passenger ship around, especially when non-technical publications ignored the privacy and security risks of services like these for years.


  1. We also fail to adequately regulate the biggest polluters, which are not consumers directly. ↩︎

  2. If the product is software-based, it’s probably wedging itself into an everyday industry and stripping it of all regulation because “it’s just a platform”. If it’s hardware-based, it’s something that you own that does not presently have either WiFi or Bluetooth, and now has WiFi and Bluetooth. Fund me. ↩︎

Lock-In and Ecosystems

On an earnings call in 2009, Tim Cook was asked how the company would fare when it inevitably lost Steve Jobs in the CEO post, and he responded by delivering a now-famous explanation of how he views Apple’s core values. It was, typically for Cook, an efficient and profound monologue that, among other statements, captured core truths for what sets the company apart:

[…] We believe that we need to own and control the primary technologies behind the products that we make […] We believe in deep collaboration and cross-pollination of our groups, which allow us to innovate in a way that others cannot.

I trimmed a fair bit of this, but these two statements complement each other beautifully. The tight integration of the company’s hardware and software — and the individual teams within those disciplines — have come to define the company’s key products: the Mac, iPod, iPhone, iPad, Watch, and AirPods. An arbitrary set of Bluetooth headphones cannot replicate the ease of pairing, connectivity, and device switching that Apple can achieve by building both the hardware and software sides of the AirPods.

Internet services have not been an exception to this, as they are universally better on Apple’s own platforms, but they have offered an opportunity to see what the company will offer on a cross-platform basis. iCloud — as with its MobileMe predecessor — has a Windows client; Apple Music is available for Android phones. The company is bringing the Apple TV Plus service to virtually every platform — including some television hardware. All of these services can be accessed through a web browser, too. But iMessage, Apple Arcade, and Apple News are all stubbornly constrained to products with an Apple logo on them.

And so is the Apple Card. Damon Beres of Medium’s OneZero publication sees all of these things — but particularly the card — as egregious examples of lock-in:

In fact, Apple’s most fascinating hardware release in ages arrived last month, a thin slab of titanium with accompanying software that — yes — you can use to order clothes while in the tub. The Apple Card connects to your iPhone’s Wallet app and can pop up as a default option whenever you use Apple Pay. It makes monitoring your finances kind of pleasant: A digital representation of the card is rendered on-screen and stained with colors (blue for transportation, orange for food, etc.) related to how you’re spending money. And the card, like so many other Apple products in recent years, has been developed not just to provide a good service to consumers but to increase the gravitational pull of the technology brand itself.

Others have certainly noted its major value to Apple: In being such an appealing payment option, and by only working with an iOS device, the Apple Card could be understood less as a typical credit card and more as a trojan horse. It will keep you in orbit around a Cupertino black hole that sucks in cash for annual iPhone upgrades, new Apple TV+ shows, Apple Music, video games, MacBooks, and AirPods.

Throughout this piece, Beres seems to insist that Apple’s credit card is somehow stickier than that from any traditional financial institution, but I don’t think it is. It’s well-integrated throughout iOS, but so is any card that works with Apple Pay. You can use it with a new iPhone, of course, but it still works with any iPhone that has Apple Pay, all the way back to the iPhone 6. I guess it looks nicer than most credit cards, and the physical version is classy as hell. Is that really “lock in” in a way different from any credit card?

But Beres doesn’t stop at the Apple Card. This article points to all of Apple’s services — including TV Plus, which is, to reiterate, available on virtually all platforms independent of use or ownership of other Apple products or services — as evidence of a giant spinning lock-in machine.

Beres compares this to the approaches of other companies:

Any tech giant worth its salt is doing the same thing. Amazon may not have enough pull in the hardware game to make Prime streaming exclusive to something like the Fire TV Stick, but its Prime credit card, at least, will keep you shopping on Amazon, giving you 5% back on Amazon and Whole Foods purchases. And it has expanded its Alexa service to proprietary tablets, security cameras, and alarm clocks. If you’re into the Amazon Echo, there’s no way you’re going to switch to Facebook’s Portal, which itself hooks into a shared universe of messaging apps like WhatsApp and Messenger. Samsung is trying — and struggling — to establish a line of Galaxy products that tap into its Bixby A.I. Buying a gadget today is rarely a one-off choice; it’s an opportunity for a company to keep you on a platform.

Here’s where I have the most disagreement with Beres, and these arguments of Apple’s ostensibly severe lock-in more generally. I don’t think Apple’s products are necessarily sticky because of an ecosystem effect, but I do think the ecosystem becomes stronger as more users are retained. Apple routinely has one of the highest customer retention rates in the industry, and they regularly report some of the highest customer satisfaction rates. I wonder if there’s a correlation.

To compare this to the lock-in activities of other companies is at its most effective only at a shallow level. Apple’s stuff works better when it’s used in conjunction with other Apple things, of course, but if you want to stop using the company’s products and services, you can do that almost piecemeal or wholesale, if you wish. You cannot say the same about any other major technology company, as Kashmir Hill discovered earlier this year:

Critics of the big tech companies are often told, “If you don’t like the company, don’t use its products.” I did this experiment to find out if that is possible, and I found out that it’s not — with the exception of Apple.

These companies are unavoidable because they control internet infrastructure, online commerce, and information flows. Many of them specialize in tracking you around the web, whether you use their products or not. These companies started out selling books, offering search results, or showcasing college hotties, but they have expanded enormously and now touch almost every online interaction. These companies look a lot like modern monopolies.

No matter how powerful Apple seems to be, it is entirely possible to never use a product or service from them again. It is, I grant you, expensive and time-consuming to change your computer, phone, streaming music service, encrypted messaging platform, and anything else you use from them — your Apple News Plus subscription, I suppose — but it’s not out of the question. It is virtually impossible to stop interacting with non-Apple tech giants. You can’t escape Facebook, either, as their beacons and scripts keep track of you as you browse most popular websites. Google is trying to replace HTML with AMP, and is globally dominant in various horizontally- and vertically-integrated product categories. You can stop shopping at Amazon, but you’re not going to be able to rid yourself of the infrastructure of the modern internet. Apple’s power comes at a platform integration level; their competitors have absorbed themselves into the web and internet. If you wish to participate in the web today, you have little choice but to accept the use of — and tracking by — the services of Apple’s competitors.

That is, I think, true lock-in that makes Apple’s interconnected services, hardware, and accessories look comparatively banal.


One other thing in Beres’ piece I’d like to mention is this paragraph at the top:

Apple’s certainly something different now than it was even just a couple of years ago, when the iPhone X debuted with a notch and a dutifully frenzied press. Its keynote event on September 10, described by my colleague Will Oremus as its least interesting, cemented a new identity for a technology brand that no longer leans quite so much on surprising gadgets to make its name: improvements to the Apple Watch, iPad, and of course the iPhone were short of jaw-dropping. (The Apple Watch’s face is now always on — like, you know, a real watch — and the iPhone gained a third camera lens.)

This is a criticism that has been leveled at every Apple product launch that lacked a radically new hardware design language for the iPhone since the 3GS. In fact, even when there was new hardware, Apple was accused of playing it safe and boring. The iPad was known as “just a big iPod Touch” when it came out in 2010. For the past decade, analysts have called Apple’s products dull and uninspired, and the products have gone on to sell in unfathomably large numbers. Little has changed in that time except the ever-widening gulf in analyst expectation and customer reaction.

Uber’s Chief Counsel Argues That Drivers Are Not Integral to Its Business

Annie Palmer, CNBC:

Uber and Lyft maintain that AB5 won’t immediately change independent contractors into employees. Tony West, Uber’s chief legal officer, said on a call with reporters that the bill builds on legal tests already established in California around how drivers should be classified. West said drivers may not necessarily fall under the new rules laid out in AB5.

“Under that three-part test, arguably the highest bar is that a company must prove that contractors are doing work ‘outside the usual course’ of its business,” West said. “Several previous rulings have found that drivers’ work is outside the usual course of Uber’s business, which is serving as a technology platform for several different types of digital marketplaces.”

That’s not the impression Uber gave in its S-1 filing (emphasis mine):

Our success in a given geographic market significantly depends on our ability to maintain or increase our network scale and liquidity in that geographic market by attracting Drivers, consumers, restaurants, shippers, and carriers to our platform. If Drivers choose not to offer their services through our platform, or elect to offer them through a competitor’s platform, we may lack a sufficient supply of Drivers to attract consumers and restaurants to our platform.

Too vague? How about the voiceover at the very beginning of their partner app tutorial?

Welcome to Uber. Drivers are our most important partners.

I could do this all day.

How to Flip an App for Profit

Becky Hansmeyer:

Background used to be a good app. You can tell from its early reviews that its users genuinely enjoyed browsing and making use of its hand-curated selection of iPhone wallpapers. In fact, its reviews are generally positive up until late June, when an update began causing some issues. From that point on it becomes clear that Background is no longer owned or updated by its original developer. It’s been flipped.

So how does an app get flipped? Read on to discover the ultimate secret to making millions on the iOS App Store.

I was one of those happy users of Background. I remember it always having an upsell component, but nothing as scummy as this. Subscription abuse is a part of the App Store I’d like to see Apple pay more attention to. For example, if an app experiences a sudden surge in subscribers compared to its history — and particularly after a change of ownership — perhaps that should set off a giant klaxon in Cupertino.

Assorted Items of Note Following Apple’s September 2019 Product Launch Presentation

I haven’t done one of those posts for a while where I list off several notable things mentioned during and after today’s product announcements, so here goes. I feel like this announcement is perfect for that: major upgrades wrapped in modest refinements of last year’s tailoring. That’s something I can get behind: most people don’t upgrade year-over-year, and stretching a two-year upgrade cycle to three is just fine by me; but, if you were to upgrade from an iPhone XS or a Series 4 Apple Watch, you’ve still got a lot to look forward to.

Anyway, onto a list:

  • The rumour mill missed a lot this year. The always-on display of the Apple Watch wasn’t even rumoured. Nor was the new green colour for the Pro, or the camera combination in the iPhone 11, or the enormous battery life improvements across the board. Then there were the things that didn’t materialize: no new mute switches, Sleep Tracking on the Apple Watch, or the ability to wirelessly charge devices from the back of the new iPhones. The latter two are perhaps possible through software updates.

  • The Apple Watch is now being sold as an entirely customizable product from the point of purchase. Deirdre O’Brien showed off the retail store implementation of what they’re calling the Apple Watch Studio, and it’s also available online.

    When I bought my first Apple Watch, I thought this was how the buying experience would be. The table in the store had all of these bands laid out and you could swap whatever you wanted — with the assistance of a staff member, of course. But you couldn’t buy an arbitrary combination of watch and band. You could only buy a watch and then additional bands. I’m glad to see that’s changing, but I can’t imagine how difficult it must be at Apple’s scale.

  • The titanium Apple Watch looks very special in all of the photos I’ve seen.

  • The new U1 chip in the iPhone 11 line went unmentioned during the presentation, but it’s Apple’s implementation of ultra-wideband. Apple’s marketing webpage says that this will prioritize nearby devices for AirDrop, but it could also be used for the forthcoming item tracking beacon that also did not appear today, or the rumoured Walkie Talkie feature.

  • The iPhone 11 ships with a USB-A Lightning cable, while the 11 Pro includes a Lightning-to-USB-C cable and compact 18W wall adaptor. The now-perennial rumours of the iPhone’s impending switch to a USB-C connector have been greatly exaggerated.

  • Like last year, promotional photos that show the front of the phones feature a wallpaper that makes the notch visible on the base-model iPhone 11 and hides the notch on the iPhone 11 Pro. Most of the product photography seems to emphasize the camera bumps on each model, however, which reminds me of the iPhone 7 campaign.

  • These iPhones don’t have “iPhone” written on the back any more. There’s nothing on the back except the cameras and an Apple logo. It looks clean, but it’s hard to adjust to the centred logo when it’s been about a third of the way from the top for so long.

    I can’t find it right now, but I remember an old piece of advice — possibly in the HIG — that said that items mathematically centred vertically tend to look like they’re lower than they are. The suggestion was that a visually vertically centred item typically needed about twice as much space below the item compared to the space above it.

    Update: On page 184 of the 2003 edition of the HIG (PDF), Apple recommends visually centring application windows: “[the] distance from the bottom of the window to the top of the Dock (if it’s at the bottom of the screen) should be approximately twice the distance as that from the bottom of the menu bar to the top of the window.”

  • Federico Viticci says that iOS 13 will be available September 19, while 13.1 will be released just eleven days later. It sounds like iPads won’t get a x.0 release, only the iPadOS 13.1 update.

  • WatchOS 6 won’t be available until later this year for Series 1 and 2 models.

  • 3D Touch has been wholly replaced by Haptic Touch. It’s likely that the requirements for the dynamic range of this display wouldn’t work with the additional screen layer required for 3D Touch. I bet it’s also easier to integrate an under-display Touch ID scanner without worrying about a 3D Touch layer.

  • You can get an Apple TV Plus subscription and an Apple Arcade subscription for the cost of an Apple News Plus subscription.

Redefining ‘Privacy’ Can Give Users a False Impression of Secrecy

Ryan Broderick, Ryan Mac, and Logan McDonald, Buzzfeed News:

Photos and videos posted to private accounts on Instagram and Facebook aren’t as private as they might seem. They can be accessed, downloaded, and distributed publicly by friends and followers via a stupidly simple work-around.

The hack — which works on Instagram stories as well — requires only a rudimentary understanding of HTML and a browser. It can be done in a handful of clicks. A user simply inspects the images and videos that are being loaded on the page and then pulls out the source URL. This public URL can then be shared with people who are not logged in to Instagram or do not follow that private user.

If you have any familiarity with how the web works, you probably rolled your eyes while reading these paragraphs — I know I did. But despite my reservations about the way this is written — it reads like a parody of infosec reporting — I bet most people have no clue that it is trivial to get the address of any resource. Images need to be hosted somewhere, and once a browser has loaded one its address is as visible as any other part of the page; guarding the addresses images are served from, rather than only the pages that embed them, is harder than it ought to be for social networks.1

The problem is not with the way that URLs work. The problem is that social networks continue to abuse the definition of the word “private”, thereby giving users a false sense of safety and secrecy with whatever they post there. Educating users is important, yes, but it is equally important that they not be lied to with the implication that flipping a single toggle switch is enough to make their pictures private to everyone except select users.2


  1. Attempting to access an Apple Music .m4a file directly, for example, will result in an error. ↩︎

  2. Also, it’s crazy that some Instagram settings can only be changed from within a web browser. ↩︎
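The contrast drawn above and in the first footnote, between a media URL that works for anyone who holds it and one that is checked on every fetch, as an added example in Python. This is not part of the original post and is not Instagram’s, Facebook’s or Apple’s code; the hostname, media IDs, follower lists and image bytes are constructed for illustration, and the hardened half uses an HMAC-signed, expiring URL bound to the logged-in viewer, a common CDN pattern assumed here rather than taken from either company.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Server-side signing key. Constructed for this example; a real deployment
# keeps it in a secrets store and rotates it.
SIGNING_KEY = secrets.token_bytes(32)

# Constructed sample store: media id -> owner, approved followers, bytes.
MEDIA = {
    "p1": {
        "owner": "alice",
        "followers": {"bob"},
        "data": b"\x89PNG\r\n\x1a\n...alice-private-photo",
    },
}

BASE = "https://cdn.example/media/"  # hypothetical CDN host


def _media_id(url):
    """Pull the media id out of a URL of the form BASE + '<id>.jpg[?...]'."""
    return urlsplit(url).path.rsplit("/", 1)[-1].removesuffix(".jpg")


# --- Pattern 1: the leaky design described in the article ------------------

def public_url(media_id):
    """A stable, unauthenticated URL: the path alone is the capability."""
    return f"{BASE}{media_id}.jpg"


def serve_public(url, session_user=None):
    """Serve the bytes to anyone holding the URL; the session is never consulted.

    This is what lets a follower copy an <img src> out of the inspector and hand
    it to someone who is logged out or not approved.
    """
    item = MEDIA.get(_media_id(url))
    return item["data"] if item else None


# --- Pattern 2: signed, expiring URL bound to the viewer -------------------

def _sig(media_id, viewer, expires):
    msg = f"{media_id}|{viewer}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def signed_url(media_id, viewer, now, ttl=300):
    """Issue a short-lived link, and only to a user already allowed to see the post."""
    item = MEDIA[media_id]
    if viewer != item["owner"] and viewer not in item["followers"]:
        raise PermissionError(f"{viewer} may not view {media_id}")
    expires = int(now) + ttl
    query = urlencode({"v": viewer, "e": expires, "s": _sig(media_id, viewer, expires)})
    return f"{BASE}{media_id}.jpg?{query}"


def serve_signed(url, session_user, now):
    """Serve the bytes only if the link is unexpired, untampered, and presented
    by the same account it was issued to. Returns None on any failure."""
    media_id = _media_id(url)
    q = parse_qs(urlsplit(url).query)
    try:
        viewer, expires, sig = q["v"][0], int(q["e"][0]), q["s"][0]
    except (KeyError, IndexError, ValueError):
        return None  # bare or malformed URL: no capability without a signature
    if session_user is None or viewer != session_user:
        return None  # a forwarded link is useless to a logged-out or different account
    if now > expires:
        return None  # even the intended viewer must refresh after the TTL
    if not hmac.compare_digest(sig, _sig(media_id, viewer, expires)):
        return None  # any edit to id, viewer or expiry invalidates the signature
    item = MEDIA.get(media_id)
    return item["data"] if item else None


if __name__ == "__main__":
    now = 1_000_000
    link = signed_url("p1", "bob", now)
    print("public, logged out :", serve_public(public_url("p1")) is not None)
    print("signed, as bob     :", serve_signed(link, "bob", now + 10) is not None)
    print("signed, logged out :", serve_signed(link, None, now + 10) is not None)
    print("signed, expired    :", serve_signed(link, "bob", now + 400) is not None)
```

The signed variant removes the URL as a freely forwardable capability: the CDN has to see the requester's session on every fetch, which is exactly the cost that makes serving from a public path attractive. It does not stop an approved follower from screenshotting or saving the image and re-uploading it; no URL scheme can, and a "private" toggle that implies otherwise is the misrepresentation the post objects to.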

Apple Says It Made Adjustments to the App Store to Reduce Its Inherent Influence Over Search Results

Jack Nicas and Keith Collins, New York Times:

When search results were flooded with Apple apps, Apple executives said, the algorithm concluded that people were looking for a specific Apple app and decided to surface other apps by the same developer.

That wasn’t always to Apple’s benefit. For instance, they said, searching “office” returns a series of Microsoft apps because the algorithm recognizes they are looking for Microsoft Office tools.

Apple engineers said the algorithm believed people searching “music” wanted just Apple Music because users clicked on the Apple Music app so frequently. Apple Music had a distinct advantage over other apps: It comes preinstalled on iPhones. Apple said some people used the search engine to find apps that were already on their phones.

When people search “music,” the App Store reminds them that they already have Apple Music installed. Many people then click on the app, the engineers said, adding to its popularity in the eyes of the algorithm.

Charlie Warzel:

I think a big thing we’ll still be grappling with years from now was how we spent years uncritically absorbing content via recommendation engines and algorithms and how so many of the choices we thought were our own were really driven by this kind of stuff.

Nilay Patel:

One notes that “your search algorithm favors your own products” is the core of almost every antitrust decision Google has lost.

A difference is that Google is actually very good at building search engines; Apple is not. It’s hard to give any company the benefit of the doubt when the facts of the case seem so straightforward, but it is completely plausible to me that the App Store would elevate Apple’s own apps purely because the search engine isn’t very good. That’s not an excuse — especially not when there is no other venue for iOS apps — but it’s believable.

Don’t Speak

The more I’ve thought about Apple’s statement regarding the iOS exploit chains discovered last week, the more bizarre it seems. In short, I do not understand why Apple felt it necessary to issue a news release at all, and I’ve no clue why this is the release they went with. Let’s start with the first paragraph:

Last week, Google published a blog about vulnerabilities that Apple fixed for iOS users in February. We’ve heard from customers who were concerned by some of the claims, and we want to make sure all of our customers have the facts.

Apple’s use of the word “blog” here seems pejorative — an insinuation that this multipart highly-technical explanation should be taken less seriously because of its publishing medium. Should Google have published this information in a book? Would it matter if the explanation were not hosted on Blogspot? I don’t think so, but Apple’s statement seems to imply that I should care.

The next two paragraphs need to be examined together:

First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones “en masse” as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.

Google’s post, issued six months after iOS patches were released, creates the false impression of “mass exploitation” to “monitor the private activities of entire populations in real time,” stoking fear among all iPhone users that their devices had been compromised. This was never the case.

Google’s explanation can be misread, but it is not wrong.

The iPhone is assumed to be the most secure consumer device on the planet — nothing revealed in the past week actually changes that. But because of its reputation and its widespread use by higher-value targets — celebrities, politicians, businesspersons, and the like — the market for iOS security breaches is booming. Exploits that require little to no user interaction and rely upon so-far-undisclosed vulnerabilities have long been associated with targeting specific users in a truly clandestine fashion.

The series of exploit chains Google wrote about are entirely different. They’re comprehensive — they span multiple major and minor versions of iOS. They’re targeted to surveil an entire persecuted group of people, which makes them far more exposed than specific user applications but not as indiscriminate as a computer virus. Make no mistake: this was an exploitation deployed “en masse”, exactly as Google says.

Apple’s acknowledgement that users would be exposed only if they visited one of “fewer than a dozen websites” is a little misleading as well. Those websites, Google estimates, served thousands of users per week.

Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not “two years” as Google implies. We fixed the vulnerabilities in question in February — working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.

Whether these websites were active for months or years seems to be confused by the context of Google’s explanation:

TAG was able to collect five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12. This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years.

The way this is written makes it sound like Google has extrapolated the time that these websites were operational from the version numbers of iOS. Apple doesn’t provide any source for their assertion that they were live for two months, other than “all evidence” — which, sure, but what evidence? Whatever it may be, it doesn’t seem to be available publicly.

The last paragraph is an acknowledgement that software security is a constant chase, and that neither the bugs nor the patches will stop. That’s fine; it’s probably the most straightforward paragraph in the entire release.

And that’s it — that’s the release in summary. The only new information in its five paragraphs is a slightly more accurate number of affected websites and the controversy of whether the attack was running for two months or two years. But those new details are not as relevant as the number of visitors who may have been affected, and making an estimate is still a fraught exercise. If we take the lowest possible figures that we can extrapolate from “thousands of visitors per week” (1,000), two months (or about nine weeks) of operations, mobile share of web browsing in China (about 60%) and Chinese iOS market share (about 20%), we’re left with maybe a thousand exploited iPhones.1

But, again, this is a not-particularly-useful estimate, and I won’t vouch for its accuracy. I put it out there only as a guess about how many devices may be affected by an authoritarian government’s relentless surveillance of Uyghurs worldwide. So, I return to my original question: why did Apple issue this statement?

As both Apple and Google acknowledge, these bugs were patched six months ago, so there is little ongoing customer risk from these websites. Neither company has disclosed which websites were spreading these exploit chains, however, so it’s impossible to say whether your iPhone is likely to be affected. Apple’s disputes seem to be about little more than language choices.

John Gruber points to a story by Thomas Brewster of Forbes as one possible reason. Google’s report only covered iOS vulnerabilities, but Brewster says that the same websites also distributed exploits for Windows and Android systems. The final paragraph in Apple’s statement seems to hint at this possibility:

[…] iOS security is unmatched because we take end-to-end responsibility for the security of our hardware and software. […]

I suppose that’s one possibility, but I’m not convinced.

An argument like Rhett Jones’ of Gizmodo also doesn’t seem quite right:

Cutting through the corporate-speak in that statement, it is important to acknowledge that the Project Zero crew does great work, and there’s no reason to believe that their work is motivated by malice. It’s also worth emphasizing that Apple’s reputation for making secure products has been earned by making secure products. What’s at issue here is who will have the best reputation for security in the future, and the answer is up for grabs.

I don’t see how Apple gains anything by pushing a nonsense statement on a Friday afternoon when they are preparing to unveil new iPhones, Apple Watches, and other devices on Tuesday. Their statement says nothing, but it does remind people of a reputational failure. Why not, instead, demonstrate a commitment to security during the product launch?

I am certain that Apple’s public relations people are much smarter than I am. I’m sure they have a reason for this release. I just can’t fathom what it is, nor can I understand why this is the statement they went with. If Apple did not want to engage with the troubling abuse of their platform to help surveil Uyghurs — and I think they should have, for what it’s worth, but I understand the economic risks of speaking up against the Chinese government — why not issue a succinct release solely about security? One that acknowledges Google’s findings, reminds users that these bugs are patched, reiterates the importance of software updates, and includes a commitment to maintaining device security. That explanation meaningfully helps reassure the customers who apparently contacted Apple with concerns, even if the company can’t tell them the likelihood of their device being affected.

One cogent paragraph beats five mediocre ones most of the time, but demonstrating beats telling every single time.


  1. While there are Uyghurs worldwide, the overwhelming majority live in China, so that is why I’ve used those figures for mobile browser usage and iOS market share. Again, this figure is a wildly inaccurate estimate, but it’s the closest I could come up with given public data. ↩︎

Apple Responds to Concerns About iOS Security After Uyghur Targeting

From the statement:

Last week, Google published a blog about vulnerabilities that Apple fixed for iOS users in February. We’ve heard from customers who were concerned by some of the claims, and we want to make sure all of our customers have the facts.

A blog is a collection of blog posts.

First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones “en masse” as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.

Google’s post, issued six months after iOS patches were released, creates the false impression of “mass exploitation” to “monitor the private activities of entire populations in real time,” stoking fear among all iPhone users that their devices had been compromised. This was never the case.

In the first couple of years of the iPhone’s availability, users simply needed to tap a link on a webpage to jailbreak their device. Even though it was an elegant solution, there was still a nagging feeling that this mechanism could be easily abused.

Apple patched the affected vulnerabilities, of course, but it is an ongoing battle — particularly with JavaScript engines that run far closer to the CPU and GPU than they used to.

As far as I know, nobody has yet published a list of the websites affected, but I imagine they’re highly targeted. That is, even though anyone could have accessed them, that doesn’t mean every iPhone user is equally vulnerable or a likely victim.

Update: Ryan Mac of Buzzfeed News reports that this attack campaign originated in China. Apple and Google have so far skirted that aspect of the story.

Update: Michael Tsai thoughtfully disputes Apple’s downplaying. Regardless of scale, I think Bruce Schneier explained very well the way in which these findings change how we think about zero-day vulnerabilities.

Google Assistant’s Ambient Mode Turns Android Devices Into Passive ‘Hub’ Displays

Dieter Bohn, the Verge:

Today at IFA, Google is announcing a new feature for Google Assistant: Ambient Mode. On a few upcoming Android phones and tablets, this new mode will turn those devices into something like a Google Nest Hub (neé Google Home Hub) display when docked. It will show calendar info, weather, notifications, reminders, music controls, and smart home controls. Also like the Nest Hub smart display, it will automatically show a slideshow from your Google Photos account.

For its first couple of years on the market, the iPad could show a photo slideshow when it was docked. I’ve always been confused why this capability was removed in iOS 7 instead of being refined along similar lines to this Android feature.

A Library for Bartenders

I’m fascinated by this library of hundreds of books about and for the bartending profession. There are volumes in here dating back to the 1700s; there’s a book in the library containing the first printed martini recipe. The web viewer is pretty irritating, but all of the books can be downloaded as PDF documents. If you have a bit of a home bar, this is worth your time. (Via Metafilter.)

Apple Releases Web App For Apple Music

John Voorhees, MacStories:

As first reported by TechCrunch and The Verge, Apple has launched a web-based version of its Music app as a public beta at beta.music.apple.com. The app looks and feels a lot like the Music app coming to Catalina later this fall. The two are so close in fact that it’s easy to confuse the two if they’re open at the same time, which I did almost immediately.

Benjamin Mayo:

First impressions: Apple Music web client is a bit slow and laggy. But the UI layout is better optimised for the iPad screen size than the native Music app lol.

The Music app on the iPad should be a lot closer to iTunes or the new Music app on Catalina than it is; it’s one of my most disliked default iPad apps.

New Camera Sales Continue to Fall

Om Malik:

Camera sales are continuing to fall off a cliff. The latest data from the Camera & Imaging Products Association (CIPA) shows them in a swoon befitting a Bollywood roadside Romeo. All four big camera brands — Sony, Fuji, Canon, and Nikon — are reporting rapid declines. And it is not just the point and shoot cameras whose sales are collapsing. We also see sales of higher-end DSLR cameras stall. And — wait for it — even mirrorless cameras, which were supposed to be a panacea for all that ails the camera business, are heading south.

Of course, by aggressively introducing newer and newer cameras with marginal improvements, companies like Fuji and Sony are finding that they might have created a headache. There is now a substantial aftermarket for casual photographers looking to save money on the companies’ generation-old products. Even those who can afford to buy the big 60-100 megapixel cameras are pausing. After all, doing so also involves buying a beefier computer. (Hello Mac Pro, cheese grater edition!)

There’s never been a better time to get into photography by picking up a second-hand DSLR or mirrorless camera. You probably won’t find a full-frame professional-grade camera at a surprisingly good deal — the slight year-over-year improvements that Malik references mean that photographers can keep using years-old kit for much longer than they used to — but the used market is flooded with great mid-level cameras.

Samsung Says It’s Going to Start Selling the Galaxy Fold in Select Countries

After reviewers reported problems with the Galaxy Fold’s display after just a few days of use in April, Samsung delayed shipping the phones while it investigated. Half a year later, the company says that the product is ready — first in Korea, and then in a handful of countries. Notably, the Canadian marketing webpage has been removed. Samsung has listed the changes they’ve made, but I’m most interested in a different press release:

We’re introducing the new Galaxy Fold Premier Service to give you direct access to Samsung experts who can provide you tailored guidance and support over the phone any time, any day. This includes an optional one-on-one onboarding session to walk you through every innovation packed into the Galaxy Fold and demonstrate how best to navigate this revolutionary device.

The optimistic interpretation of this is that this is a premium product with a premium tech support experience. The more cynical read is that Samsung is still worried about the durability of the Galaxy Fold and hopes to put out any fires before they become public relations catastrophes.

Investigation by Brave Finds Google Is Circumventing Privacy Controls by Providing Unique User Identifiers to Third Parties

Madhumita Murgia, Financial Times:

The regulator is investigating whether Google uses sensitive data, such as the race, health and political leanings of its users, to target ads. In his evidence, Johnny Ryan, chief policy officer of the niche web browser Brave, said he had discovered the secret web pages as he tried to monitor how his data were being traded on Google’s advertising exchange, the business formerly known as DoubleClick.

The exchange, now called Authorized Buyers, is the world’s largest real-time advertising auction house, selling display space on websites across the internet.

Mr Ryan found that Google had labelled him with an identifying tracker that it fed to third-party companies that logged on to a hidden web page. The page showed no content but had a unique address that linked it to Mr Ryan’s browsing activity.

Johnny Ryan of Brave explained the “hidden web pages” in more detail:

Google Push Pages are served from a Google domain (https://pagead2.googlesyndication.com) and all have the same name, “cookie_push.html”. Each Push Page is made distinctive by a code of almost two thousand characters, which Google adds at the end to uniquely identify the person that Google is sharing information about. This, combined with other cookies supplied by Google, allows companies to pseudonymously identify the person in circumstances where this would not otherwise be possible.

All companies that Google invites to access a Push Page receive the same identifier for the person being profiled. This “google_push” identifier allows them to cross-reference their profiles of the person, and they can then trade profile data with each other.

The Push Pages are not shown to the person visiting a web page, and will display no content if accessed directly.

A cursory web search turns up an article by Nic Jansma about ResourceTiming that references cookie_push.html in the context of cross-frame communication. It also references a Facebook script, another Google page, and similar blank-appearing pages from Twitter and Criteo — all of which appear to be for frame-bypassing tracking purposes. I’d love to know if any of these other companies are also passing uniquely-identifying characteristics to third parties through similar means.
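The check a site owner or analyst might run over ResourceTiming data to spot Push Page loads in their own pages, written here as an added example; it is not code from the article, from Brave, or from Google. Only the host, the file name and the fact that a long code is appended are stated above, so the code assumes the appended code follows the path as a query string or fragment, and every sample entry below is constructed.

```javascript
// Added example. Scans ResourceTiming-style entries (the objects that
// performance.getEntriesByType('resource') returns in a browser, each with a
// `name` URL and an `initiatorType`) for loads of Google "Push Pages" and
// extracts the identifier appended to each one. Runs stand-alone under Node.

const PUSH_PAGE_HOST = 'pagead2.googlesyndication.com'; // from the article
const PUSH_PAGE_FILE = 'cookie_push.html';               // from the article

// Returns null when the URL is not a push page, otherwise { code, length }.
// ASSUMPTION: the appended code is whatever follows the path (query string
// and/or fragment); the article does not state the exact URL layout.
function parsePushPage(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return null; // relative or malformed URL: cannot be a push page load
  }
  if (url.hostname !== PUSH_PAGE_HOST) return null; // lookalike hosts do not count
  if (!url.pathname.endsWith('/' + PUSH_PAGE_FILE)) return null;
  const code = (url.search + url.hash).replace(/^[?#]/, '');
  return { code, length: code.length };
}

// Groups push page loads by their appended code. Several loads carrying the
// same code, triggered by different initiators (iframe, script, ...), are the
// observable side of one identifier being handed to several parties.
function findPushPages(entries) {
  const byCode = new Map();
  for (const entry of entries) {
    const parsed = parsePushPage(entry.name);
    if (!parsed) continue;
    if (!byCode.has(parsed.code)) {
      byCode.set(parsed.code, { code: parsed.code, codeLength: parsed.length, loads: [] });
    }
    byCode.get(parsed.code).loads.push({
      url: entry.name,
      initiatorType: entry.initiatorType || 'unknown',
    });
  }
  return [...byCode.values()];
}

// One human-readable line per identifier group.
function formatReport(groups) {
  return groups.map((g) => {
    const initiators = g.loads.map((l) => l.initiatorType).join(', ');
    return `push page code of ${g.codeLength} chars seen ${g.loads.length} time(s) via: ${initiators}`;
  });
}

// Constructed sample data: placeholder codes of roughly the length the
// article describes (~2,000 characters), not real identifiers.
const CODE_A = 'A'.repeat(1900) + '1';
const CODE_B = 'B'.repeat(1900) + '2';
const SAMPLE_ENTRIES = [
  { name: `https://${PUSH_PAGE_HOST}/${PUSH_PAGE_FILE}?${CODE_A}`, initiatorType: 'iframe' },
  { name: `https://${PUSH_PAGE_HOST}/${PUSH_PAGE_FILE}#${CODE_A}`, initiatorType: 'script' },
  { name: `https://${PUSH_PAGE_HOST}/${PUSH_PAGE_FILE}?${CODE_B}`, initiatorType: 'iframe' },
  { name: 'https://example.com/static/app.js', initiatorType: 'script' },            // ordinary asset
  { name: `https://${PUSH_PAGE_HOST}/some/other.html`, initiatorType: 'iframe' },     // same host, not a push page
  { name: `https://example.net/${PUSH_PAGE_FILE}?${CODE_B}`, initiatorType: 'iframe' }, // wrong host
  { name: PUSH_PAGE_FILE, initiatorType: 'other' },                                    // relative URL, ignored
];

console.log(formatReport(findPushPages(SAMPLE_ENTRIES)).join('\n'));
```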

Don’t Play in Google’s Privacy Sandbox

Bennett Cyphers, of the Electronic Frontier Foundation, on Google’s proposals for privacy standards on the web:

As a result, Google has apparently decided to defend its business model on two fronts. First, it’s continuing to argue that third-party cookies are actually fine, and companies like Apple and Mozilla who would restrict trackers’ access to user data will end up harming user privacy. This argument is absurd. But unfortunately, as long as Chrome remains the most popular browser in the world, Google will be able to single-handedly dictate whether cookies remain a viable option for tracking most users.

At the same time, Google seems to be hedging its bets. The “Privacy Sandbox” proposals for conversion measurement, FLoC, and PIGIN are each aimed at replacing one of the existing ways that third-party cookies are used for targeted ads. Google is brainstorming ways to continue serving targeted ads in a post-third-party-cookie world. If cookies go the way of the pop-up ad, Google’s targeting business will continue as usual.

I would love a world in which the biggest privacy offenders have figured out that their business model is fundamentally objectionable and are radically transformed to become privacy leaders instead. I’m not a cynic, but I believe that hoping for that is unearned optimism. Even something as simple as building lightweight webpages is a twisted attempt at control over the web. Google is a skeevy advertising company masquerading as a purveyor of high technology.

BuzzFeed News Investigation Finds Increasing Demand for Urgent Amazon Deliveries Has Led to Safety Corners Cut, Resulting in Collisions and Deaths

Caroline O’Donovan and Ken Bensinger, Buzzfeed News:

The super-pressurized, chaotic atmosphere leading up to that tragedy was hardly unique to Inpax, to Chicago, or to the holiday crunch. Amazon is the biggest retailer on the planet — with customers in 180 countries — and in its relentless bid to offer ever-faster delivery at ever-lower costs, it has built a national delivery system from the ground up. In under six years, Amazon has created a sprawling, decentralized network of thousands of vans operating in and around nearly every major metropolitan area in the country, dropping nearly 5 million packages on America’s doorsteps seven days a week.

[…]

UPS and FedEx, the traditional powers of the logistics world, are deeply invested in safety. UPS, which spends $175 million a year on safety training alone, even has a policy prohibiting drivers from taking unnecessary left turns to reduce exposure to oncoming traffic, finish routes faster, and save fuel. Both firms are also heavily regulated by the government, and many of their trucks are subject to regular federal safety inspections and can be put out of service at any time by the Department of Transportation.

But Amazon’s ingenious system has allowed it to avoid that kind of scrutiny. There is no public listing of which firms are part of its delivery network, and the ubiquitous cargo vans their drivers use are not subject to DOT oversight. But by interviewing drivers as well as reviewing job boards, classified listings, online forums, lawsuits, and media reports, BuzzFeed News identified at least 250 companies that appear to work or have worked as contracted delivery providers for Amazon. The company said it has enabled the creation of at least 200 new delivery firms in the past year, a third of which are owned and run by military veterans. Inpax gets fully 70% of its business from Amazon; some companies depend on the retail giant for all of their income.

The 250 “last mile” delivery companies Buzzfeed found aren’t exactly competitors to UPS or FedEx — even though I bet plenty of people would wish for more competition in that space. Often, they’re couriers working in tandem with heavyweight logistics companies. FedEx might get the parcel across the country, for example, but will have one of these smaller companies bring the product from a warehouse to a customer’s home. And there are hundreds of these courier companies operating with little regulation, high demand, and core dependency on Amazon.

Among the characteristics that distinguish this era of enormously powerful technology companies: increasing the layers of abstraction between companies and their infrastructure; promising consumers more and relying on already-squeezed contractors, thereby exploiting their services; and celebrating their contractors’ successes as their own while deferring responsibility for any mistakes or problems.

Uyghur Android and Windows Users Also Targeted in Malware Campaign

Earlier this week, Zach Whittaker of TechCrunch reported that the complex series of exploits used to plant malware on iPhones was an attempt to infect the phones of Uyghurs — presumably by the Chinese government.

Thomas Brewster, Forbes:

The unprecedented attack on Apple iPhones revealed by Google this week was broader than first thought. Multiple sources with knowledge of the situation said that Google’s own Android operating system and Microsoft Windows PCs were also targeted in a campaign that sought to infect the computers and smartphones of the Uighur ethnic group in China. That community has long been targeted by the Chinese government, in particular in the Xinjiang region, where surveillance is pervasive.

[…]

Google hadn’t provided comment at the time of publication. It’s unclear if Google knew or disclosed that the sites were also targeting other operating systems. One source familiar with the hacks claimed Google had only seen iOS exploits being served from the sites.

This must be one of the most expansive known surveillance campaigns in the post-Snowden era, and certainly the most brazen. It doesn’t target communications in transit; because many messaging platforms employ at least some form of encryption, the contents of messages must be captured at either the source or destination. That makes devices themselves much higher value targets and more active participants in spying.

Jack Dorsey’s Twitter Account Compromised

Janelle Griffith and Ben Collins, NBC News:

The official Twitter account of Jack Dorsey, the co-founder of the social media platform, was hacked on Friday.

One of the first tweets sent from his “compromised” account was the N-word. Another, sent minutes later, praised Hitler.

More than a dozen racist or otherwise offensive original tweets were sent within 20 minutes from the account.

It would be pretty terrifying if there were a world leader that used their Twitter account as a primary means of broadcasting barely-literate official announcements, racist commentary, and off-the-cuff nonsense that swings markets worldwide.

That would be scary, wouldn’t it?

Teens Are Making Short Cinematic Videos on TikTok

Brad Esposito, Pedestrian:

The genres of TikTok become quickly apparent to anyone who spends upwards of 30 minutes scrolling on the app. In many ways, it’s just a regurgitation of what already works: prank videos, funny skits, a few lingering lip-sync efforts, still holding on to what the app used to be.

But Cinematic TikToks have arrived somewhat rapidly, tapping into the innate pop culture knowledge of teenagers everywhere. They are a generation that has spent years with access to every piece of content imaginable. That has left a mark, one they farm within themselves to create content that often even they can’t explain. It’s a feeling, it’s a vibe. It reminds them of someone else’s work, or a movie they saw. They don’t know what to call it. It just is.

It’s been said before, but TikTok is very much the spiritual successor to Vine. It’s fascinating to see the creative output encouraged by the thirty second maximum video length.

A Very Deep Dive Into iOS Exploit Chains Found in the Wild

Ian Beer of Google’s Project Zero team:

Earlier this year Google’s Threat Analysis Group (TAG) discovered a small collection of hacked websites. The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using iPhone 0-day.

There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week.

TAG was able to collect five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12. This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years.

I’ll investigate what I assess to be the root causes of the vulnerabilities and discuss some insights we can gain into Apple’s software development lifecycle. The root causes I highlight here are not novel and are often overlooked: we’ll see cases of code which seems to have never worked, code that likely skipped QA or likely had little testing or review before being shipped to users.

The posts in this series truly are a deep dive — each post is technically dense with exploit code and explanations of how they worked. That doesn’t mean that these methods are advanced, but they are exploit chains and, given what the implant pilfers, I wouldn’t be surprised if these attacks were the fault of state actors intending to hit specific targets. Beer doesn’t say exactly that, but he hints at its possibility:

Let’s also keep in mind that this was a failure case for the attacker: for this one campaign that we’ve seen, there are almost certainly others that are yet to be seen.

Real users make risk decisions based on the public perception of the security of these devices. The reality remains that security protections will never eliminate the risk of attack if you’re being targeted. […]

If you aren’t interested in reading the entire series, this introductory post and the description of the payload are worth spending some time with.

Update: Zack Whittaker of TechCrunch is reporting that these exploit chains were deployed by the Chinese government to target Uyghur Muslims.

Apple’s New Independent Repair Provider Program

Apple:

Apple today announced a new repair program, offering customers additional options for the most common out-of-warranty iPhone repairs. Apple will provide more independent repair businesses — large or small — with the same genuine parts, tools, training, repair manuals and diagnostics as its Apple Authorized Service Providers (AASPs). The program is launching in the US with plans to expand to other countries.

“To better meet our customers’ needs, we’re making it easier for independent providers across the US to tap into the same resources as our Apple Authorized Service Provider network,” said Jeff Williams, Apple’s chief operating officer. “When a repair is needed, a customer should have confidence the repair is done right. We believe the safest and most reliable repair is one handled by a trained technician using genuine parts that have been properly engineered and rigorously tested.”

This appears to be the program that the company has quietly been testing for about a year, and it sounds great. Joining the IRP program is free, though it is limited to commercial addresses. That should mean that mall kiosks and smaller repair shops can perform repairs to the same grade and with the same parts as an Apple Store or an Authorized Service Provider. I think this is an excellent change.

Apple Announces Changes to Siri Privacy, Audio Review, and Data Retention

Apple issued this press release this morning, and I think it’s appropriately apologetic:

As a result of our review, we realize we haven’t been fully living up to our high ideals, and for that we apologize. As we previously announced, we halted the Siri grading program. We plan to resume later this fall when software updates are released to our users — but only after making the following changes:

  • First, by default, we will no longer retain audio recordings of Siri interactions. We will continue to use computer-generated transcripts to help Siri improve.

  • Second, users will be able to opt in to help Siri improve by learning from the audio samples of their requests. We hope that many people will choose to help Siri get better, knowing that Apple respects their data and has strong privacy controls in place. Those who choose to participate will be able to opt out at any time.

  • Third, when customers opt in, only Apple employees will be allowed to listen to audio samples of the Siri interactions. Our team will work to delete any recording which is determined to be an inadvertent trigger of Siri.

Asking users whether they want their requests to be used for Siri improvements and leaving the choice off by default is exactly the right response. Allowing only Apple employees to review the recordings of anyone who has opted in is also important; sensitive data should not be delegated to contractors.

But not having an option to opt out of transcripts is the weakest part of this response. On a separate FAQ page, Apple says that the only way to disable transcripts is to turn off Siri and dictation features entirely. I get that these are basically bug reports, but there’s something inherently queasy about automatic transcription of audio from a home or workplace being submitted to a company. I think transcripts could be lumped in with Apple’s opt-in analytics submission option as a reasonable middle ground.

Otherwise, this response is contrite and privacy-focused. They fucked up, they’re sorry, and they promise they will do better. That’s the best anyone could have hoped for.

A ramification of these changes is that hundreds of contracted workers in Ireland were laid off. That’s a horrible result for so many people. It reinforces that employees at tech companies need to carefully consider the impact of their product or service.

Every Credit Card Transaction Leaves a Trail of Data Sharing

Geoffrey A. Fowler, Washington Post:

I recently used my credit card to buy a banana. Then I tried to figure out how my credit card let companies buy me.

You might think my 29-cent swipe at Target would be just between me and my bank. Heavens, no. My banana generated data that’s probably worth more than the banana itself. It ended up with marketers, Target, Amazon, Google and hedge funds, to name a few.

Oh, the places a banana will go in the sprawling card-data economy. Despite a federal privacy law covering cards, I found that six types of businesses could mine and share elements of my purchase, multiplied untold times by other companies they might have passed it to. Credit cards are a spy in your wallet — and it’s time that we add privacy, alongside rewards and rates, to how we evaluate them.

All of the possible touch points for a single purchase give the surveillance economy plenty of opportunity to scoop up whatever information it can without your knowledge or explicit approval. Apple has been touting the privacy advantages of its credit card, but it really only secures two of the six categories identified by Fowler — and that’s fine. That’s about as much as they can possibly control without, as Fowler suggests, using a different card number for every transaction.

All of this is to say that people just aren’t protected from near-constant privacy intrusions. To do so requires a level of awareness bordering on paranoia. It means distancing yourself from the services of anything with an AC adapter. We’re increasingly aware that we live in a world that operates under the assumption that everything that can be tracked — and collected, associated, shared, resold, combined, and kept — ought to be.

Old-Media Celebrities are Vlogging on YouTube

Sophie Kleeman, Vice:

“Am I crazy?” Naomi Campbell asks in her very first vlog. “I’m opening my life to YouTube!” Campbell snaps a movie slate and laughs. She’s wearing an oyster-colored turtleneck sweater. Her hair is long, pin-straight, and parted perfectly down the middle. She sits on a grey couch in what appears to be her home, or at least a very good approximation of what one assumes the home of a brilliant supermodel must look like, with bright pink flowers, gentle lighting, and soft throw pillows.

She’s not crazy. But she’s also not alone. Campbell has joined a growing handful of very famous, very mainstream celebrities who have ventured into the wilds of YouTube, a platform known more than a smidge dismissively for sugary makeup gurus and Casey Neistat, and decidedly more seriously for extremism and the people who weaponize it. But over the past 20 months, Campbell — along with Will Smith, Jack Black, Zac Efron, Victoria Beckham, Jennifer Lopez, Alexa Chung, and Jason Momoa, among others — have ostensibly opened up their lives to the site’s 2 billion monthly users. Others, like prodigal YouTube son Justin Bieber, are working with the company on “top-secret” original content.

This article transported me back to when celebrities first joined Twitter and spoke with fans and followers directly. It brought those celebrities back down to Earth — until, of course, you remembered that most of what gets posted to their account has a full production crew of photographers, makeup artists, technicians, public relations professionals, and social media managers behind it. Even if you know that, though, it still creates an illusion of being more honest than it is, while simultaneously lending YouTube greater legitimacy and prestige.

The Many Problems With Facebook’s Tool to Dissociate Off-Facebook Behavioural Data

Erin Egan, Facebook’s Chief Privacy Officer, in May 2018:

Today, we’re announcing plans to build Clear History. This feature will enable you to see the websites and apps that send us information when you use them, delete this information from your account, and turn off our ability to store it associated with your account going forward. […]

It will take a few months to build Clear History.

Nicole Nguyen and Ryan Mac, reporting for Buzzfeed News last week, which — and I’m sure I don’t need to mention this to my very astute audience, but I feel like emphasizing the point — is a shade more than “a few months”:

Facebook collects information about its users in two ways: first, through the information you input into its website and apps, and second, by tracking which websites you visit while you’re not on Facebook. That’s why, after you visit a clothing retailer’s website, you’ll likely see an ad for it in your Facebook News Feed or Instagram feed. Basically, Facebook monitors where you go, all across the internet, and uses your digital footprints to target you with ads. But Facebook users have never been able to view this external data Facebook collected about them, until now.

Facebook tracks your browsing history via the “Login with Facebook” button, the “like” button, Facebook comments, and little bits of invisible code, called the Facebook pixel, embedded on other sites (including BuzzFeed News). Today the company will start to roll out a feature called “Off-Facebook Activity” that allows people to manage that external browsing data — finally delivering on a promise it made over a year ago when CEO Mark Zuckerberg announced at a company event that it would develop a feature then called “Clear History.”

[…]

However, the data isn’t being removed from Facebook servers. Just as Facebook still collects aggregated, anonymous browsing information from people who are logged out or don’t have Facebook accounts, Facebook will treat people who have opted out of external website tracking similarly, a Facebook spokesperson confirmed to BuzzFeed News.

Far from being a “clear history” feature, this is simply a way for Facebook to collect the same data it always has, except it promises it won’t tie your very personal browsing data with all of the information you’ve given Facebook, like your name and occupation. That’s not “deleting” anything.

Also, while I don’t like to argue with FUD, I will note that Facebook rarely announces that a bug or privacy exploit it found is not as catastrophic as it estimated.

If you’re interested in using this new tool, you should know that it has only launched in three countries so far: Ireland, Spain, and South Korea.

Robert Burnson, Bloomberg:

A state judge in Texas on Thursday temporarily blocked the planned rollout of the Off-Facebook Activity feature in the U.S. at the request of a woman who claims in a lawsuit the company didn’t do enough to save her from being trafficked after meeting predators on the social network as a teenager.

[…]

Lawyers for the woman who is suing, identified only as Jane Doe, asked Facebook to provide them with the browsing history of her alleged pimp, which the attorneys expected would reveal his ties to sex-trafficking sites. They said in a court filing that Facebook didn’t turn over the data they sought and that the history-clearing feature would allow the pimp to destroy evidence of his role in Doe’s exploitation.

Facebook’s company-wide pivot to privacy is going well.

‘The HomePod’s Fancy Technology Is Wasted’

This post from Kirk McElhearn runs through a litany of complaints he has with the HomePod, but the one that has stuck out to me is how much high technology is in every HomePod for what is effectively a niche product. I’m not sure whether the HomePod is a failure — there are plenty of people I know who love theirs; and, at any rate, it’s hard to know whether Apple intended this to be anything more than a small-scale early-stage experiment. But I wonder if some of this advanced speaker technology is being prototyped for a wider rollout in the company’s more mainstream products. Perhaps this is a test bed for getting impossibly good sound out of the speakers in a MacBook or an iMac, for example.

Apple’s Iterative Approach with Maps Contrasts with the Many Services Google Has Shut Down

Bradley Chambers, 9to5Mac:

Apple wants to own its future of mapping to be able to make changes quickly, protect user privacy, and create the best overall mapping experience for customers. One of the things I’ve often heard about Apple vs. Google is that Google is willing to do the dirty work of projects like book scanning where Apple isn’t. That might be true, but with Apple Maps, they’ve shown a persistence to stay focused on a product that clearly wasn’t the best in its field.

Google’s product strategy has often been to throw a lot of things at the wall to see what sticks and kill the rest (see Google Buzz, Wave, Google+, etc.). If Google had launched a mapping product in 2012 with the same problems as Apple, they would have canned the project within a year. Apple had a vision of what they wanted mapping on their platform to be, and they weren’t going to be stopped until that vision was a reality. When was the last time Google showed that focus with a product?

I don’t necessarily disagree with Chambers, but I think this is more reflective of the value of owning maps data, and how tech firms have changed in the past decade. The Google of 2005 could get away with more experimental projects than the Google of 2012 or 2019, and it grew Maps into an industry leader over that time. Apple needed something competitive because mapping data is inherently valuable for the myriad services it enables, and it didn’t matter how long it took to build it.

Focus remains an issue for Google, however: in addition to Google Maps, their roster of location-based products includes Google Earth, Waze, and Google Travel, and they just recently shut down Google Trips.

Exploring Google’s Flimsy Proposal for Web Privacy Protections

I’m sure many of you have already read this piece by Jonathan Mayer and Arvind Narayanan on Freedom to Tinker regarding Google’s proposal for a “privacy budget” to allow them to keep tracking users with something resembling privacy in mind, but I thought it was worth linking to for this paragraph alone:

Apple and Mozilla have tracking protection enabled, by default, today. And Apple is already testing privacy-preserving ad measurement. Meanwhile, Google is talking about a multi-year process for a watered-down form of privacy protection. And even that is uncertain — advertising platforms dragged out the Do Not Track standardization process for over six years, without any meaningful output. If history is any indication, launching a standards process is an effective way for Google to appear to be doing something on web privacy, but without actually delivering.

Something that occurred to me after I read several articles about this proposal is that Google wins with any outcome, so long as Chrome remains the world’s most popular browser and we exclude the possibility of regulatory action. If it gets stuck in standards processing hell or gets rejected, Google gets to keep abusing users’ privacy in exactly the same way; if it gets approved, Google gets a slightly different way of targeting users with privacy-robbing ads.

Of course, if cookie-blocking practices and technologies similar to Safari’s Intelligent Tracking Prevention were more widespread, and people chose a non-Chrome browser, it could critically impact Google’s business model and perhaps prompt them to think harder about the tradeoffs they’re expecting web users to make.

The Adults in the Room

Today was Megan Greenwell’s last day at Deadspin — a decision she made after the private equity firm that bought the Gizmodo Media websites from Univision tried to change things up in a really stupid way.

Her last piece for the website is brilliant:

There is a version of the story of this company in which idealistic journalists, unconcerned with profit, are posed against ruthless business-doers, concerned about profit above all else. That would be a convenient story, pitching me and my colleagues and friends as people who just care too much about The Truth to yield before the gale-force winds of Capitalism, but it wouldn’t be a true one.

The real and less romantic story is this: The journalists at Deadspin and its sister sites, like most journalists I know, are eager to do work that makes money; we are even willing to compromise for it, knowing that our jobs and futures rest on it. An ever-growing number of media owners, meanwhile, are so exceedingly unwilling to reckon with the particulars of their own business that they refuse to accept our eagerness to help them make money. They’re speaking a language no one else does, proud of their own inability not just to not fail, but to not understand the terms on which they’re failing. The tragedy of digital media isn’t that it’s run by ruthless, profiteering guys in ill-fitting suits; it’s that the people posing as the experts know less about how to make money than their employees, to whom they won’t listen.

Greenwell is moving to Wired, and I imagine that their output will continue to improve because of it. As a daily reader of Deadspin, I sincerely hope that the person who takes her place has a similar approach to the job; I hope they do not cave to management’s wishes that they “stick to sports”.

DoorDash Announces It Will No Longer Skim Tips From Workers

Amrita Khalid, Engadget:

DoorDash drivers will earn 100 percent of tips under a revamped set of rules on pay. The delivery service today announced a new tipping and earnings policy that it claims will lead to drivers earning more on average. The development comes more than a month after news reports exposed the company for pocketing its driver’s tips. In response to the widespread backlash, DoorDash CEO Tony Xu promised it would reevaluate how it pays its workers.

I think tipping is a silly practice that should be abandoned, but barring that, at least a policy like this no longer allows DoorDash to use tips to replace worker wages.

Update: Amazon also announced that it will stop skimming tips, thus also meeting basic ethical expectations.

Google Proposes New Privacy and Anti-Fingerprinting Controls for the Web

Frederic Lardinois, TechCrunch:

What Google basically wants to do here is change the incentive structure for the advertising ecosystem. Instead of trying to circumvent a browser’s cookie and fingerprinting restrictions, the privacy budget, in combination with the industry’s work on federated learning and differential privacy, this is meant to give advertisers the tools they need without hurting publishers, while still respecting the users’ privacy. That’s not an easy switch and something that, as Google freely acknowledges, will take years.

An independent study from earlier this year by Carnegie Mellon found that publishers lose only 4% of their revenue when cookies are blocked by users. Google cites their own study finding that dropping the “behavioural” part of behavioural advertising cost publishers over 50% of their revenue. Those are remarkably different figures, and Google’s result will be tainted by its inherent conflict of interest.

For what it’s worth, the New York Times dropped ad exchanges entirely for European visitors after GDPR took effect, preferring to sell ads directly, and digital advertising revenue grew.

For the time being, though, there’s nothing here for you to try out or any bits being shipped in the Chrome browser. For now, this is simply a proposal and an effort on the Chrome team’s part to start a conversation. We should expect the company to start experimenting with some of these ideas in the near future, though.

Mat Marquis:

Imagine, if you will, a glorious future where Google, the advertising company known for massive privacy violations, building you a special private Google-controlled web where the icky bad guys can’t track you! Lucky you.

There are things in Google’s proposal that require broader support from ad tech companies and browser vendors, but there’s a lot Google could do today with its market dominating position in both industries. Like Facebook, Google is attempting to distort the definition of privacy beyond what any user would expect so that its core business is not impacted by increased scrutiny.

Now AMP Runs Scripts

Google’s AMP Project has announced that the platform will now run arbitrary site-defined scripts in a special <amp-script> tag, albeit with some caveats: scripts are limited to 150 KB each, and redrawing after the page has loaded isn’t possible without a precipitating user action. It says that this is to preserve the speed of an AMP page, and I believe this argument — generally, the fewer bytes a page transfers, the faster it is. This follows the project’s recent announcement of sending markup to client browsers instead of unpacking pages with a required 100 KB JavaScript file.

The AMP team has not yet confirmed a date at which it expects to entirely replicate HTML in its proprietary language, but all signs point to Google continuing to use its influence to coax publishers into running a second version of their websites entirely tailored for the company’s needs.

Nation Stunned by Support Document Explaining Ways in Which an Apple Card May Not Look New Forever

Apple:

If your titanium Apple Card comes into contact with hard surfaces or materials, it’s possible that the coating can be damaged.

[…]

Some fabrics, like leather and denim, might cause permanent discoloration that will not wash off.

Dr. Drang:

My complaint is not that the Apple Card may lose its luster in a wallet. I’m not sure anything will maintain its looks when put between sheets of leather and compressed by my butt. My complaint is that Apple wrote a support document that looks absurd and invites snarky comments. Everything Apple does generates derision from Apple haters; this generated derision from Apple’s best customers.

There are many reasons to criticize Apple’s credit card, including its very concept. But its propensity for becoming stained is a remarkably silly complaint. Everything that has been in my wallet for more than a few months looks a little worn, and I wouldn’t expect anything sandwiched in leather and sat on for eight hours a day to behave differently.

If you’ve exhausted a list of possible things to do in the world to the point where you’re spending time cleaning your credit cards, this support article is for you.

Teslas Can’t Drive Autonomously Around Parking Lots, but the Company Thinks That It Will Ship Full Automation by Early Next Year

Timothy B. Lee, Ars Technica:

In July, Tesla was still struggling to get the technology working. “Parking lots are a remarkably hard problem,” Musk tweeted. “Doing an in-depth engineering review of Enhanced Summon later today.” Three days later, he announced an August 16 price hike of $1,000 for the full self-driving package, adding, “that’s approximately date when we expect Enhanced Summon to be in wide release.”

But August 16 came and went with no price hike and no release of smart, enhanced, or advanced summon technology. Now Musk admits that the technology is still a month or two away.

Tesla is far from the only company to miss a self-imposed technology deadline — especially in the self-driving sector. We certainly don’t fault the company for delaying release of a safety-sensitive technology that’s not ready for prime time. But we do wonder if Musk should be more cautious about projecting technology release dates.

Elon Musk said in a 2015 interview that self-driving cars are “a much easier problem than people think” they are, and predicted fully-autonomous vehicles would be on the road within two to three years. He has made similar predictions that downplay the difficulty of shipping a car that can accelerate, brake, steer, change lanes, merge, navigate complex intersections, handle tricky terrain, and anticipate the actions of other drivers. Teslas can’t reliably navigate a parking lot in California, let alone the traffic circle around Arc de Triomphe — or worse.

This stuff is obviously hard. It’s possible that a fully-autonomous vehicle is decades away, if one will ever ship. Why does Musk so eagerly promise deadlines that I am sure he recognizes are impossible to meet? After all, it’s not just customers that he needs to avoid misleading.

Opting Out of Binding Arbitration Isn’t Just an Apple Card Thing

Apple Card’s binding arbitration clause is something I’ve written about before, but I wanted to re-up it in the wake of the broader launch of the credit card for two main reasons.

The first thing I think you should know is that, while everyone has been discussing this in the context of the Apple Card, mandatory arbitration is by no means exclusive to that product. It is increasingly likely that most of the contracts you’ve either signed or agreed to electronically have bound you to resolving disputes through arbitration rather than a lawsuit.1 What’s worse, these clauses must be opted out of within a specified time frame from when the agreement became active. For Apple’s credit card, it’s within ninety days (PDF), while American Express gives new cardholders just forty-five days (PDF) to maintain their right to file a class action suit.

It’s not just payment card companies that include an arbitration provision. I found binding arbitration clauses in the terms and conditions documents of various internet service providers, cell carriers, eyewear companies, consumer electronics companies, and subscription boxes for clothing, grooming products, and food. That’s right: food subscriptions have a mandatory arbitration clause. And if you’re a HelloFresh customer and you’d like to retain your right to join a class action lawsuit, you’d have to opt out by mailing a letter to the company within sixty days of agreeing to their terms — which, of course, you had to do when you signed up.

In fact, most of the time, you’ll have to physically mail something to these companies; you usually cannot opt out electronically. Buy some stamps. But, while it may be easier to opt out of the Apple Card arbitration agreement than most others, it does have a caveat, and that’s the second thing I wanted to make note of.

Barbara Krasnoff, the Verge:

[A] couple of readers have reported that if you opt out of the arbitration agreement using Messages, you will not get any type of confirmation. Instead, the representative at the other end of the line will recommend that you take screenshots of your conversation. Needless to say, until the company changes that policy, screenshots are an excellent idea — just in case.

Make sure you keep a record of this conversation in a safe place. Chances are, you’ll never need to use it; but, if you do, it will be for a very good reason and you won’t want to have lost this admittedly minimal documentation.

Update: As Lawrence Velázquez points out, most companies do not provide confirmation of your request to opt out of binding arbitration. Keep a paper trail as best you can.


  1. I think the Economic Policy Institute’s report on mandatory arbitration is a well-rounded explanation of why this is often highly beneficial to companies at huge loss to consumers and employees. ↩︎

The Fate of the iTunes Store in MacOS Catalina

Kirk McElhearn:

In early betas of macOS Catalina, the iTunes Store was visible, but in recent betas it did not show up in the sidebar of the Music app if the user was signed into Apple Music. That seems to be the default now: if a user has an Apple Music account, they won’t see the iTunes Store. You can display it, if you wish, in the Music app’s Preferences, on the General pane, but if you’re a streamer, you won’t see it by default.

This seems like a graceful way to handle the virtually-complete transition of listeners from purchasers to streamers. For those of us who do both, it’s a preference change. Pretty straightforward.

What this means for the future of the iTunes Store seems obvious, but it is not a future I’m willing or eager to accept.

Disinformation Campaigns Targeting Hong Kong Protesters Run Rampant on Twitter

Maciej Cegłowski in a Twitter thread:

Every day I go out and see stuff with my own eyes, and then I go to report it on Twitter and see promoted tweets saying the opposite of what I saw. Twitter is taking money from Chinese propaganda outfits and running these promoted tweets against the top Hong Kong protest hashtags

What China is doing is clear. If these peaceful, extremely self-disciplined protesters who enjoy the clear backing of the overwhelming majority of Hong Kongers can be discredited, it will be easier to crack down. What the fuck Twitter thinks it’s doing is less clear.

Ryan Mac and Rosalind Adams, Buzzfeed News:

The Chinese government has struggled to contain the narrative of the months-long protests, which have seen pro-democracy activists face increasingly aggressive police tactics in the streets. Though Twitter and Facebook are banned in China, the Chinese state media runs several English-language accounts to present its views to the outside world.

“It’s very clear that the Chinese state media is essentially buying ads on Twitter and Facebook for the purpose of reaching an international audience as part of China’s effort to ‘tell its story better,’” said Adam Ni, a China researcher at Macquarie University in Sydney. The Communist Party sees this “as critical in the battle of hearts and minds,” he added.

In a similar vein, Ryan Gallagher of the Intercept reported that the Chinese government was also buying ads on Twitter that served as propaganda against the Uighur people of Xinjiang.

Twitter responded:

Today, we are updating our advertising policies with respect to state media. Going forward, we will not accept advertising from state-controlled news media entities. Any affected accounts will be free to continue to use Twitter to engage in public conversation, just not our advertising products.

This is a global approach and will be enforced across our entire business.

The turnaround on this policy change was just a few days from when Cegłowski began tweeting about it, indicating that Twitter can change quickly when it needs to, and tacitly raising the question of why it takes so long for the company to react to other obvious shortcomings in its product.

Twitter also disclosed today that there was a coordinated astroturfing campaign of propaganda that used a little over 900 accounts in an effort to surreptitiously manipulate opinion and coverage of the demonstrations in Hong Kong.

Facebook has said that it won’t ban state-run media advertisers on its platform.

Media’s Mega-Mergers Are Already Having an Impact on Storytelling

Alex Cranz, io9:

Now imagine what’s happening right this moment. The House of Mouse may already be self-censoring because it has a brand image to uphold. That self-censorship will now be applied to nearly 40 percent of all the movies you watch, and between ABC and Hulu and Disney+ it will own a whole heckuva lot of the TV you consume too. AT&T is cutting costs and killing favorites to try and build a popular and inoffensive rival to the other big streamers (and Disney’s looming giant). CBS and Viacom have only just begun their own plans for streaming domination, but already people are noting, and/or hoping, for reboots and continuations of their favorites.

Cranz’s piece illustrates the necessary impact on storytelling when new films and television shows are run through the machinations of a shrinking number of large studios, the largest of which has a particularly sensitive approach to more challenging topics. But because these companies also control many of the distribution channels to the greatest degree since United States v. Paramount, it’s possible that independent films would find themselves shut out of an audience even if they could be financed.

Or, perhaps the combined bureaucratic weight of these mega-studios will cause them to collapse on themselves; they may find it difficult to produce captivating new works. That doesn’t seem to be likely. When all but a couple of the twenty highest-grossing films of the year are either franchise tie-ins or sequels, we’ve demonstrated a booming market for mediocrity.

AT&T, Disney, and CBS haven’t been as explicit in noting their desire for our viewing habits, but it’s absolutely one reason they’re pushing into the streaming space and trying to gobble up as much of the pie as they can. “Basically, sign up as many subscribers as possible and get them into the service, and give them a chance to enjoy the great intellectual property and product that will be part of that service,” Disney CEO Bob Iger told a group of analysts and reporters last week, per a CNBC report.

Nothing would warm my heart and disrupt my stomach more than for “intellectual property” to replace the current miserable term for anything made by anyone in any context.

Server-Side Rendering With AMP

Let me get this straight: Google launched AMP as a way to speed up the web by, somehow, adding a hundred kilobytes of JavaScript as an intermediary for all pages created with its language. It then realized that this was not as fast as serving plain markup, so it’s now extolling the virtues of adding a server-side rendering process, which — and I promise that I am not making this up — breaks the AMP spec. And, somehow, this is all better and more logical than sending some standard HTML down the pipe.

I guess that it must be, so long as Google keeps manipulating search results for mobile users to favour its own AMP project over any normal webpage, even very fast ones.

WebKit Publishes Tracking Prevention Policy

Earlier this week, Apple’s WebKit team announced its strong Tracking Prevention Policy:

This document describes the web tracking practices that WebKit believes, as a matter of policy, should be prevented by default by web browsers. These practices are harmful to users because they infringe on a user’s privacy without giving users the ability to identify, understand, consent to, or control them.

[…]

We treat circumvention of shipping anti-tracking measures with the same seriousness as exploitation of security vulnerabilities.

This is the correct position. Kudos.

Reflecting on the Targeted Harassment of Women on the Internet, Five Years After ‘Gamergate’

It is very hard to come to terms with the brutality of the tactics honed by abusive people — nearly entirely men — during the “Gamergate” saga, and now used constantly to dehumanize women, queer individuals, and non-white people.

Sarah Jeong was targeted last year for some decontextualized Twitter jokes:

Tucker Carlson did a segment about me on Fox News. The president called me “disgusting” in a tweet. Shortly after the arrest of Mr. Sayoc, the MAGA bomber, the media discovered that he had sent me a death threat on Twitter.

Of the many threats of rape, dismemberment and murder sent to me and to my workplace, at least one was concerning enough that The New York Times filed a police report. But Mr. Sayoc’s tweet at me — a bizarre, confusing insinuation that my corpse was going to be dumped in the Everglades — barely pinged anyone’s radar, let alone my own, until he made the news for mailing pipe bombs.

Charlie Warzel contributed an article documenting the myriad influences on broader culture that are directly linked to the reaction on Reddit and 4chan to a crappy blog post. But the pieces from Jeong and Brianna Wu reflect on the terrible effects these harassment techniques have had on the women who experience them, and they are absolutely worth your time and reflection.

The Cost of Cross-Platform Code Sharing

Eyal Guthmann of Dropbox:

Until very recently, Dropbox had a technical strategy on mobile of sharing code between iOS and Android via C++. The idea behind this strategy was simple—write the code once in C++ instead of twice in Java and Objective C. We adopted this C++ strategy back in 2013, when our mobile engineering team was relatively small and needed to support a fast growing mobile roadmap. We needed to find a way to leverage this small team to quickly ship lots of code on both Android and iOS.

We have now completely backed off from this strategy in favor of using each platforms’ native languages (primarily Swift and Kotlin, which didn’t exist when we started out). This decision was due to the (not so) hidden cost associated with code sharing. Here are some of the things we learned as a company on what it costs to effectively share code. And they all stem from the same basic issue:

By writing code in a non-standard fashion, we took on overhead that we would have not had to worry about had we stayed with the widely used platform defaults. This overhead ended up being more expensive than just writing the code twice.

Fascinating stuff from a company that is about to launch an Electron-based desktop client.

Amazon’s Bezos Brigade Unleashed On Twitter

Aric Toler, Bellingcat:

On August 14, a Twitter thread that included a small army of “Amazon FC Ambassadors” went viral, bringing to light Amazon’s year-long social media brand ambassador program.

[…]

Last year, Amazon rolled out a program where employees at these fulfillment centers (warehouses) are able to also work as brand ambassadors to describe their experiences working at Amazon. A number of media outlets reported on this new program last year after the first wave of Ambassadors sent out bizarre tweets promoting Amazon’s workplace conditions.

Per the 2018 reports, these Ambassadors were given “an extra paid day off and a [$50] gift card” for their efforts in volunteering to defend Amazon from their online detractors.

If employees want to defend their employer against criticism — online or offline, I don’t care — that’s their jam. But they shouldn’t be paid to be a public relations prop when they’re clearly not an official representative. This is a dismal practice that I hope does not spread.

Tech Companies Should Be More Upfront and Plain-Spoken with Practices That Could Violate Users’ Privacy

Nicole Nguyen, Buzzfeed News:

As we found out yesterday, Facebook paid outside contractors to transcribe voice memos from users who turned on chat transcription in the Messenger app. The company is the latest in a string, including Amazon, Google, Apple, and Microsoft, caught sending users’ audio to third-party firms for analysis.

[…]

Most folks buying Google Homes and Echos from a mall kiosk aren’t aware. That’s in part because of the products’ “just like that!” marketing, but largely because Amazon, Google, Apple, Microsoft, and Facebook haven’t clearly told consumers what they do with their voice and video information. None of those companies’ data policies state that what we say and do in front of our voice assistants, internet-connected cameras, and messaging apps can be shown to strangers employed by the companies or their contractors.

Plain-language explanations of practices that may be compromising to users’ privacy can be hard to write. I am certain that the opt-in rate would be extremely low if these devices asked users — during the onboarding process, for example — whether a selection of their voice recordings can be retained and later reviewed by a human being.

Nevertheless, it is unquestionably the right thing to do.

Companies should be able to educate customers on why they should opt-in. They should be upfront and direct about what they will do with recordings. They should go to great lengths to explain how recordings will be de-identified, processed anonymously, and removed within days. That builds confidence that users’ recordings will not be exploited, and that a small compromise of their privacy will lead to better results, should they so choose. Of course the opt-in rate for this will be low — but that’s how it should be. Better that than having these shady practices exposed, with users left feeling violated.

Suprema’s Biometrics Database with Fingerprints, Face Photos, and Plain Text Passwords Found to Be Publicly Accessible

Josh Taylor, the Guardian:

The Israeli security researchers Noam Rotem and Ran Locar working with vpnmentor, a service that reviews virtual private network services, have been running a side project to scan ports looking for familiar IP blocks, and then use these blocks to find holes in companies’ systems that could potentially lead to data breaches.

In a search last week, the researchers found Biostar 2’s database was unprotected and mostly unencrypted. They were able to search the database by manipulating the URL search criteria in Elasticsearch to gain access to data.

The researchers had access to over 27.8m records, and 23 gigabytes-worth of data including admin panels, dashboards, fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, and personal details of staff.

Biostar 2 is operated by Suprema, a Korean company, which means that this breach should be investigated under the country’s strict Personal Information Protection Act. If this report is true, it’s shocking that they did not bother to encrypt fingerprint data, staff details, or administrative usernames and passwords.
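To make concrete what “did not bother to encrypt … usernames and passwords” means in practice, here is an added illustration of the two ways a credential record can sit at rest: the secret itself, as the report describes, beside a salted scrypt verifier. This is not Suprema’s or Biostar 2’s code; the cost parameters, field names and sample records are constructed for the demo.

```python
"""Credential storage, the way the exposed index apparently did it and the
way it should be done. Added illustration for the Biostar 2 report above;
it is not Suprema's code, and the parameters and sample records are
constructed for this demo."""
import hashlib
import hmac
import os

# scrypt cost parameters (constructed for the demo; 128*N*r bytes = 16 MiB)
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def store_plaintext(username: str, password: str) -> dict:
    """The pattern described in the report: the secret itself at rest.
    Anyone who can read the index can log in as the user."""
    return {"username": username, "password": password}


def store_hashed(username: str, password: str) -> dict:
    """Keep a salted, memory-hard verifier instead of the password."""
    salt = os.urandom(16)                      # unique per record
    verifier = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                              n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return {"username": username, "kdf": "scrypt",
            "salt": salt.hex(), "verifier": verifier.hex()}


def verify(record: dict, password: str) -> bool:
    """Recompute the verifier and compare in constant time."""
    if record.get("kdf") != "scrypt":
        return False
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return hmac.compare_digest(candidate, bytes.fromhex(record["verifier"]))


def exposes_secret(record: dict) -> bool:
    """Triage helper for a leaked dump: does the record hand over the
    password outright? A hashed record still forces offline guessing."""
    return "password" in record


if __name__ == "__main__":
    leaked = store_plaintext("admin", "hunter2")       # constructed sample
    safe = store_hashed("admin", "hunter2")
    print(exposes_secret(leaked), exposes_secret(safe))  # True False
    print(verify(safe, "hunter2"), verify(safe, "Hunter2"))  # True False
```

The same treatment does not extend to the fingerprint and face data in the report: a biometric template cannot be rotated the way a password can, so a verifier hash is no help there and the data needs encryption at rest plus access control in front of the index, which is exactly what the researchers found missing.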

Apple Card’s Targeted Ads May Be Non-Creepy, But They’re Still Unexpected

Steve Moser (via Michael Tsai):

Apple will target users for marketing emails and push notifications based on their transaction history. “For example, Apple may send a message to your device that is relevant to people who typically purchase travel.” Apple might have been able to negotiate reduced fees by agreeing to allow advertising to Apple Card users.

Moser posted a copy of the on-boarding text in full, which describes this in more detail:

Apple may use your Apple Card account status, such as whether you have applied for or have a current Apple Card account, to determine whether a message is relevant to you, including a marketing message. Apple may also send messages to your device, which may use information known only to you and your device, such as your transaction history and location, to help determine whether a message is relevant to you. For example, Apple may send a message to your device that is relevant to people who typically purchase travel. Apple does not need to know whether you purchased travel. Your device can use your transaction history to decide whether the message is relevant to you. This helps to ensure that you receive relevant communications, while protecting your privacy. Apple does not know which messages you see on your device.

Anonymous and aggregate information that cannot be tied to you may also be used for Apple Card marketing and other messaging. You may opt out of marketing messages by clicking the unsubscribe link in a marketing email or by turning off notifications for Apple Card.

Based on what I’m reading here, it sounds like Apple is sending push notification message text to all Apple Card users, but only displaying it if it’s relevant to a specific user. It’s a clever way of doing semi-targeted ads without violating users’ privacy.

I think that’s less relevant to users than whether they expect to receive ads in their email account and on their lock screen because they signed up for Apple’s credit card. The more nihilistic user might, but Apple is supposed to be the company that doesn’t point to some clause in their terms and conditions as a free pass to exploit users.
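Heer’s reading of the on-boarding text, that the same message goes to every device and the device alone decides whether to show it, is a small architecture worth seeing end to end. The following is an added illustration modelled on that description, not Apple’s code; the campaign format, the audience rule, the field names and every transaction are constructed for the demo.

```python
"""On-device relevance filtering for broadcast marketing messages.

Added illustration modelled on the Apple Card text quoted above; it is not
Apple's code. The campaign format, the field names and every transaction
below are constructed for the demo.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Tuple


@dataclass
class Transaction:
    day: date
    category: str      # constructed merchant category, e.g. "travel"
    amount: float


@dataclass(frozen=True)
class Campaign:
    """The identical payload pushed to every device: message text plus a
    declarative audience rule. Building it needs no per-user data."""
    message: str
    category: str      # relevant to people who bought in this category...
    min_spend: float   # ...for at least this much in total...
    window_days: int   # ...within this many days


@dataclass
class Device:
    """One user's phone. The transaction history never leaves it."""
    history: List[Transaction] = field(default_factory=list)
    marketing_opt_out: bool = False   # the per-device opt-out switch

    def should_display(self, campaign: Campaign, today: date) -> bool:
        """Evaluate the audience rule against local data only."""
        if self.marketing_opt_out:
            return False
        cutoff = today - timedelta(days=campaign.window_days)
        spend = sum(t.amount for t in self.history
                    if t.category == campaign.category and t.day >= cutoff)
        return spend >= campaign.min_spend


def simulate(campaign: Campaign, devices: List[Device],
             today: date) -> Tuple[dict, List[bool]]:
    """Run one campaign. The first value is everything the server records:
    it pushed the same bytes to every enrolled device. The second value is
    the per-device decision, tallied here only so the reader can see it;
    in the design described above it is never reported back."""
    server_log = {"pushed_to": len(devices)}
    decisions = [d.should_display(campaign, today) for d in devices]
    return server_log, decisions


SAMPLE_TODAY = date(2019, 8, 15)   # constructed reference date


def sample_run() -> Tuple[dict, List[bool]]:
    """Constructed scenario: three cardholders, one broadcast."""
    campaign = Campaign("Book your next trip with Apple Card",
                        category="travel", min_spend=500.0, window_days=30)
    recent_traveller = Device([Transaction(date(2019, 8, 1), "travel", 650.0)])
    old_traveller = Device([Transaction(date(2019, 6, 1), "travel", 650.0)])
    opted_out = Device([Transaction(date(2019, 8, 1), "travel", 650.0)],
                       marketing_opt_out=True)
    return simulate(campaign, [recent_traveller, old_traveller, opted_out],
                    SAMPLE_TODAY)


if __name__ == "__main__":
    log, shown = sample_run()
    print(log)    # {'pushed_to': 3}
    print(shown)  # [True, False, False]
```

Two things the simulation makes visible. The server’s log is the same whether one device or all three displayed the message, which is the privacy property the on-boarding text claims. And the opt-out is nothing more than a local flag: the bytes still arrive, the device just declines to show them, which is why the setting reads as “turning off notifications” rather than a server-side suppression. Neither point changes the experience Heer objects to, an advertisement on the lock screen.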

Apple’s marketing website:

At Apple, we firmly believe in your right to privacy. That’s why we created a unique architecture for Apple Card that generates things like your transaction history and spending summaries right in the Wallet app on your iPhone.

Of course, Goldman Sachs will use your data to operate Apple Card. But they will never share or sell your data to third parties for marketing or advertising.

Apple’s solution is in agreement with the letter of these statements, but certainly not the spirit.1

There are parts of this product that are distinctly un-Apple-like, but none more so than the use of push notifications to send targeted advertisements. I do not believe that Apple must compromise its advantages and expectations to compete effectively in the services business; but, if it feels like it does, why should I choose its offerings over those from competitors?


  1. Also, I thought that using push notifications to deliver advertisements was against Apple’s policies. It certainly was. But a 2018 rewrite of the App Review policies document indicates a softer stance (italics mine):

    4.5.4 Push Notifications must not be required for the app to function, and should not be used for advertising, promotions, or direct marketing purposes or to send sensitive personal or confidential information. Abuse of these services may result in revocation of your privileges.

    “Must not” indicates an outright ban on app functionality being dependent on enabling push notifications, but “should not” is basically just a recommendation. Gross.

    Update: The allowance of push notification advertising actually dates back to 2016. Thanks, George.

Netflix Is Starting to Behave a Lot More Like a Traditional Big Studio

Natalie Jarvey, Hollywood Reporter:

With a market-leading 152 million global subscribers, 10 percent of TV screen time in the U.S. and a several-year head start, Netflix may be too big to fail. But that hasn’t stopped a growing chorus of questions over how long the “Netflix bubble” can last. Its ballooning costs — analysts estimate that it will spend between $10 billion and $15 billion on content this year — means it burns through cash ($3 billion in 2018). Its current debt load is $12 billion.

Worries ratcheted up July 17 when the company reported its first subscriber loss in the U.S. in eight years. Its high-flying stock came crashing down 15 percent, erasing $24 billion in value in less than a week. “It’s notable that they lost subscribers before they lost a meaningful amount of content and before there was direct competition from their suppliers,” says Wedbush’s Michael Pachter, a noted Netflix bear. “This suggests they will face additional pressure when they lose content later this year and as their current [licensing] contracts with Warner Bros., Fox, Disney and NBCU expire.”

Once the studios figured out that they, too, could sign a contract with AWS and build a streaming media player, they replaced Netflix’s big advantage with an even worse version of the old cable television model. If you’re a film or television buff and want to maintain a moral and legal high ground, there’s no question in my mind that you’ll pay more for a combination of streaming services than you used to for cable.

But if I were an executive at one of these conglomerates, I’m not sure I’d wager too much on the inability for users to remember how their torrent client works.

Automattic Acquires Tumblr

Ursula Perano and Dan Primack, Axios:

Verizon is set to sell the social network Tumblr to Automattic Inc, the owner of online publishing tool WordPress. A source familiar with the deal puts the price-tag “well below” $20 million, while another source puts it below $10 million.

To clarify, Automattic is the owner of WordPress.com, the commercial entity that provides hosting and support of websites powered by WordPress the software; the latter is maintained by the WordPress Foundation, and Automattic’s CEO is Matt Mullenweg, who began developing WordPress alongside Mike Little. It’s quite confusing. I assume his favourite song is “Wilco” off the album Wilco by Wilco.

Primack on Twitter:

Again, just to be clear… emphasis on the “well below” $20 million…

Story updated: Price less than $3 million.

A fire sale for the property, but that excludes the salaries of the two hundred employees they’re also bringing with them. Kudos to Automattic for keeping the staff on board.

Matt Mullenweg formally announced the acquisition on his Tumblr account:

When the possibility to join forces became concrete, it felt like a once-in-a-generation opportunity to have two beloved platforms work alongside each other to build a better, more open, more inclusive – and, frankly, more fun web. I knew we had to do it.

[…]

In the underlying technology of our platforms, I think there are some good opportunities to standardize on the Open Source WordPress tech stack, but the front-end user experience on Tumblr will evolve on its own path. It has been so successful already, and we want to keep that going. The Tumblr team also has some exciting functionality they’re eager to unlock once we close the acquisition officially in a few weeks…

Automattic will obviously be a better steward of Tumblr than Yahoo or Verizon were, but I question whether the unique qualities of its communities can experience a resurgence. It has felt for years like it has been dying a protracted death, and its 99% discounted sale price speaks to that.

In Pursuit of Increased and Diversified Revenue Streams, Google’s Internal Culture Eroded

Nitasha Tiku, Wired:

All of those precepts sent Google’s workforce into full tilt after the travel ban was announced. Memegen went flush with images bearing captions like “We stand with you” and “We are you.” Jewglers and HOLA, affinity groups for Jewish and Latinx employees, quickly pledged their support for Google’s Muslim group. According to The Wall Street Journal, members of one mailing list brainstormed whether there might be ways to “leverage” Google’s search results to surface ways of helping immigrants; some proposed that the company should intervene in searches for terms like “Islam,” “Muslim,” or “Iran” that were showing “Islamophobic, algorithmically biased results.” (Google says none of those ideas were taken up.) At around 2 pm that Saturday, an employee on a mailing list for Iranian Googlers floated the possibility of staging a walkout in Mountain View. “I wanted to check first whether anyone thinks this is a bad idea,” the employee wrote. Within 48 hours, a time had been locked down and an internal website set up.

[…]

In his short, off-the-cuff remarks to the packed courtyard, Pichai called immigration “core to the founding of this company.” He tried to inject a dose of moderation, stressing how important it was “to reach out and communicate to people from across the country.” But when he mentioned Brin’s appearance at the airport, his employees erupted in chants of “Ser-gey! Ser-gey! Ser-gey!” Brin finally extricated himself from the crowd and shuffled up to the mic, windbreaker in hand. He, too, echoed the protesters’ concerns but tried to bring the heat down. “We need to be smart,” he said, “and that means bringing in folks who have some different viewpoints.” As he spoke, a news chopper flew overhead.

And that was pretty much the last time Google’s executives and workers presented such a united front about anything.

Tiku presents a deep, well-investigated look at an increasingly toxic internal culture as executives pursued morally challenged money-making opportunities.

We’re All Killing Uber Just By Using It

Jamie Powell, FT (registration required):

Uber is a decade old global brand whose core business — ride-sharing — is now growing at just 2 per cent. It is also betting heavily that its smaller business lines, such as food delivery and freight, will be a source of future growth.

In other words, it’s acting less like a start-up, and more like a legacy tech company scrambling for new growth. Think Oracle, IBM or perhaps even the modern-day Apple.

Notice the difference, however. All of these companies have “cash cow” products which help to keep the buybacks and dividends flowing, as well as funding future bets. Uber on the other hand…

Edward Ongweso Jr, Vice:

Typically, this business model would be paid for with passenger fares. But Uber’s passenger fares are artificially low because it uses investor money to subsidize trips, attract customers, and undercut competitors. This means that Uber is losing money on many of its rides. Taxicab companies can’t operate like this because they don’t have the billions in investor capital that Uber does. Simply put, Uber is losing money in part because its fares are too low; its long game is to undercut competitors long enough for them to go out of business so it can jack up prices, or to develop driverless car technology before it completely runs out of money, pushing its expenses on drivers down toward zero.

I keep returning to a 2017 piece in the Economist, which was summarized and expanded upon by Ryan Felton at Jalopnik: in short, the most shocking thing about Uber would be if it had long-term success. It’s worth pointing out that the Economist made this assessment on having losses of a billion dollars a year; Uber just reported five billion dollars of loss in a single quarter. Even if you’re desperate to give them all the benefit of accounting by deducting the losses incurred from paying out shareholders — and have not read Powell’s piece refuting this very argument — that’s still over a billion dollars in a single quarter.

That’s not to say that Uber is an assured failure. But indicators are stacking up that something must fundamentally change for the company to function in the long term.

The FTC Completely Blew Its Settlement With Equifax

The rollercoaster of stories that followed last month’s settlement between the FTC and Equifax was truly something to behold. The FTC touted its value, which critics excoriated as inadequate. Articles soon explained how to get a cash settlement for those who already have a credit monitoring service, but were quickly followed by those arguing that the widely-publicized $125 figure was dependent on the number of claimants for a $31 million pool. Some, like Karl Bode at Vice, said that the “FTC should fine itself for false advertising” after claiming that those affected could be eligible for $125.

I don’t think this fully grasps just how badly the FTC blew this settlement, and primarily for a reason almost entirely unrelated to the confusion about the $31 million fund for credit monitoring payouts.

I was among many who got this wrong when I repeated the claim of the $125 payout, and also in my summary of why that $125 figure may be incorrect, so I thought it would be valuable to go back to the settlement itself to explain why this is a raw deal. In its press release, the FTC summarized the divvying up of the $575–700 million settlement:

  • $100 million is paid as a fine to the Consumer Financial Protection Bureau

  • $175 million is paid to settle cases brought by 48 states, plus Washington D.C. and Puerto Rico

  • $300 million is set aside for a consumer restitution fund, which would compensate individual claimants directly

It’s that last bucket of cash in which two specific piles of money reside. The first is a $31 million pool for alternative payouts for credit monitoring, which the FTC required Equifax provide to claimants. But if a claimant already has credit monitoring, they can opt to be paid up to $125 instead. And we will get to that “up to” in a moment.

A second pool, also of $31 million, is to be used to compensate claimants for time spent dealing with the settlement. For example, if a claimant spent an hour on the phone with an Equifax representative to get their credit frozen, that would be paid out of this second pool.

The remainder of the $300 million is to be set aside for direct out-of-pocket losses arising from the breach, such as those stemming from fraud, identity theft, and so forth. None of the money from this settlement will be given back to Equifax, but the details are not as simple as the FTC portrayed, either.

I want to get the matter of the $31 million buckets out of the way first, and I think Lily Hay Newman of Wired explains it perfectly:

But not all is lost, and there’s still a decent chance that Equifax will pay you all $125. As Slate points out, the $31 million cap will lift, assuming Equifax hasn’t spent all of the $425 million in its “Consumer Fund” — money it has committed to things like covering people who can specifically document losses stemming from the breach — in four and a half years. At that point, whatever’s left of that $425 million will be applied to the $125 payouts, presenting much better, if belated, odds.

Like all things Equifax, this does not come without a caveat. Even if the full $425 million in the consumer restitution bank account goes towards $125 payments for compensation of credit monitoring services, that amount would only support the claims of 3,400,000 people. Over forty-three times that number were affected by this breach.

Also, because this bucket is part of a pile of money with broader scope, those claims will be mixed with requests for compensation of time spent, as well as direct losses from fraud.

A bigger problem still is that this settlement is designed to mitigate the financial damage to consumers. That would be handy if this data were stolen for economically opportunistic reasons, but that doesn’t seem to be the case. A February report from Kate Fazzini at CNBC noted that no Equifax breach data had surfaced anywhere, despite financially-motivated hackers usually publicizing their haul with urgency.

A more likely scenario is that those responsible for exfiltrating Equifax’s files were state actors. A Bloomberg story from September 2017, citing investigators and those briefed on their findings, claimed that China was a likely culprit, though another country could be responsible.1 It is likely that the data stolen — which comes from a financial firm, making it ostensibly more accurate than any old data dump — could be combined with other sources to target specific individuals, per Fazzini’s reporting and Bloomberg’s story.

This settlement does nothing to dissuade state actors from continuing to pilfer sensitive data, nor does it encourage care for those who stockpile information like this. Of course, the FTC has limited scope and powers. It could not accomplish the former, but it certainly could attempt the latter.

Instead, the Commission agreed to a weak deal that barely impacts Equifax’s financial status and does little to encourage better behaviour in data-hoarding industries. Even if this were a financially-motivated crime, this settlement does not protect those affected. But this breach was so much more, and this settlement doesn’t begin to address the far more serious and more likely rationale.


  1. I am obligated to point out that this Bloomberg story bears in its byline the two reporters responsible for the inaccurate “Big Hack” feature.

    By the way, that story just won the Black Hat Pwnie for the most overhyped bug. Congratulations — I guess? — Michael Riley and Jordan Robertson.

Uber Lost Over $5 Billion Last Quarter, Including $3.9 Billion in Stock-Based Compensation After IPO

Kate Clark, TechCrunch:

$5.2 billion in net losses represents the company’s largest-ever quarterly loss. Revenue, for its part, is up only 14% year-over-year, igniting concerns over slower-than-ever growth. The company says a majority of 2Q losses are a result of stock-based compensation expenses for employees following its May IPO. Stock compensation aside, Uber still lost $1.3 billion, up 30% from Q1.

Aaron Gordon, Jalopnik:

But you math whizzes out there will note that leaves approximately $1.3 billion in regular ol’ we-just-lost-a-buncha-money losses, up from $1 billion last quarter and $878 million a year ago.

[…]

As of this writing, Uber has lost $16.2 billion since 2016.

How is this investor-subsidized pirate taxi operation not considered predatory?

Critical U.S. Election Systems Have Been Left Exposed Online Despite Official Denials

Kim Zetter, Vice:

For years, U.S. election officials and voting machine vendors have insisted that critical election systems are never connected to the internet and therefore can’t be hacked.

But a group of election security experts have found what they believe to be nearly three dozen backend election systems in 10 states connected to the internet over the last year, including some in critical swing states. These include systems in nine Wisconsin counties, in four Michigan counties, and in seven Florida counties — all states that are perennial battlegrounds in presidential elections.

Some of the systems have been online for a year and possibly longer. Some of them disappeared from the internet after the researchers notified an information-sharing group for election officials last year. But at least 19 of the systems, including one in Florida’s Miami-Dade County, were still connected to the internet this week, the researchers told Motherboard.

A reminder that proposals to fund increased election security are being blocked by Senate Republicans. Also, it remains unclear to me what glaring problems exist with paper ballots which are solved by electronic voting machines.

The Grey Fog of Moderating the Web

I’m not sure why, but the hottest topic right now in technology ethics seems to be Section 230 of the Communications Decency Act, and I’m already hearing the snoring of half of the people reading this post. This latest round of discussion was perhaps spurred by the ridiculous bill brought by Josh Hawley, which resulted in horrible articles in mainstream publications — one in the New York Times, and another in Bloomberg.

Moderation powers, more generally, have become newsworthy after Cloudflare dropped 8chan in the wake of revelations that the terrorist responsible for the two-hundred-ninety-first mass shooting of 2019 in the U.S. posted his manifesto on the discussion board. Jennings Brown of Gizmodo found this to be a symbolic and ineffectual gesture.

I think Ben Thompson’s take is well-rounded:

This third point is a valid concern, but one I, after long deliberation, ultimately reject. First, convenience matters. The truly committed may find 8chan when and if it pops up again, but there is real value in requiring that level of commitment in the first place, given said commitment is likely nurtured on 8chan itself. Second, I ultimately reject the idea that publishing on the Internet is a fundamental right. Stand on the street corner all you like, at least your terrible ideas will be limited by the physical world. The Internet, though, with its inherent ability to broadcast and congregate globally, is a fundamentally more dangerous medium. Third, that medium is by-and-large facilitated by third parties who have rights of their own. Running a website on a cloud service provider means piggy-backing off of your ISP, backbone providers, server providers, etc., and, if you are controversial, services like Cloudflare to protect you. It is magnanimous in a way for Cloudflare to commit to serving everyone, but at the end of the day Cloudflare does have a choice.

One nitpick I have with Thompson’s piece is that he compares Cloudflare’s decision to net neutrality:

To be perfectly clear, I would prefer that 8chan did not exist. At the same time, many of those arguing that 8chan should be erased from the Internet were insisting not too long ago that the U.S. needed to apply Title II regulation (i.e. net neutrality) to infrastructure companies to ensure they were not discriminating based on content. While Title II would not have applied to Cloudflare, it is worth keeping in mind that at some point or another nearly everyone reading this article has expressed concern about infrastructure companies making content decisions.

I see these as vastly different concerns. Internet service providers are utility providers. All of your web traffic from the same location goes through the same ISP, so it’s truly infrastructural. Cloudflare is entirely unlike that: it’s something that a web engineer can insert into the technology stack between their web host and incoming connections. It feels infrastructural, but it isn’t.

That nitpick aside, this is an excellent piece.