Pixel Envy

Written by Nick Heer.

RIP, the Outline

Leah Finnegan, the now-former executive editor at the Outline:

farewell @outline. we have all been laid off.

Rachel Hawley:

I cannot possibly stress how much The Outline changed the trajectory of my life. They were the first place to publish my writing. They were one of the last bastions of the off-the-wall mix of content that the Internet was made for. This is a huge loss.

Paul Blest, writing at Discourse:

This year, the coronavirus is going to join forces with longstanding, structural problems in the journalism business to wreck so many of the best websites and papers we read. Alt-weeklies, already dying, are going to be on life support by the end of this. Even the websites and papers that survive are going to be hit hard.

The Outline should be remembered as more than just an early casualty of the reckoning we’re about to face. I’m going to miss The Outline for selfish reasons; it gave my friends money, and it gave me money, and it gave writers I’d never heard of and now regularly read money, and now there’s one fewer website in the world that’s willing to give us money.

But I’m also going to miss it because, as Darren Rovell would say, the content was tremendous. The Outline was more than a survivor; it was a good website.

The Outline is one of those websites that I loved to the extent that it frustrated me on a nearly daily basis. It was a sort of extant limb of Gawker — another website that irritated as much as it delighted. But it was always for a good reason: these websites explored topics you might not expect from angles you would not see anywhere else. Sometimes, those angles were brilliant; other times, they made me roll my eyes. But the web is less good when it lacks venues for trying new, weird, earnest, and honest things. That, alone, is commendable. The Outline will be missed.

The NASA Worm Is Back — Sort Of

Far from just the best NASA logo, the “worm” has always been one of my favourite pieces of identity design. I welcome its return, but I wish it were not in such a limited capacity.

Zoom Responds

Eric Yuan, CEO of Zoom:

For the past several weeks, supporting this influx of users has been a tremendous undertaking and our sole focus. We have strived to provide you with uninterrupted service and the same user-friendly experience that has made Zoom the video-conferencing platform of choice for enterprises around the world, while also ensuring platform safety, privacy, and security. However, we recognize that we have fallen short of the community’s – and our own – privacy and security expectations. For that, I am deeply sorry, and I want to share what we are doing about it.

[…]

Over the next 90 days, we are committed to dedicating the resources needed to better identify, address, and fix issues proactively. We are also committed to being transparent throughout this process. We want to do what it takes to maintain your trust. This includes:

  • Enacting a feature freeze, effectively immediately, and shifting all our engineering resources to focus on our biggest trust, safety, and privacy issues.

I think this is a generally well-written, meaningful apology. The CEO of Zoom clearly feels awful about a week of previously undisclosed security and privacy vulnerabilities coming to the fore, and has a plan to address them. That’s promising.

But there’s still an air of defensiveness about this post. For example:

First, some background: our platform was built primarily for enterprise customers – large institutions with full IT support. These range from the world’s largest financial services companies to leading telecommunications providers, government agencies, universities, healthcare organizations, and telemedicine practices. Thousands of enterprises around the world have done exhaustive security reviews of our user, network, and data center layers and confidently selected Zoom for complete deployment.

However, we did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.

According to Yuan, Zoom’s call volume grew by twenty times in just a couple of months. It is understandable that some features, like its LinkedIn integration, do not translate well to non-enterprise contexts. But Zoom’s bigger problems — its false claims of end-to-end encryption, its malware-like installer, the webcam security problem exposed last year, and its vulnerability to malicious links — have nothing to do with Zoom’s scale. They are technical debts incurred by years of sloppy work.

Thomas Brewster, Forbes:

Towards the end of March, three of the American government’s key coronavirus response organizations spent a collective $1.3 million on videoconferencing tech from Zoom, a Forbes review of government contracts has found. That was despite widespread criticism of the app’s privacy and security.

The orders – from Centers for Disease Control and Prevention (CDC), the Federal Emergency Management Agency (FEMA) and the National Institutes of Health (NIH) – were all made in just a few days from March 23 to 26. They ranged in cost, the highest being $750,000, which the CDC ordered for hosting webinars on COVID-19. FEMA spent $320,000 on 1,500 Zoom software licenses, whilst CDC spent another $160,000 on Zoom webinar tech. An NIH contract at $90,000 also specified some Zoom licenses. They weren’t delivered directly by Zoom, but by partner government contractors CDW Government and Carahsoft Technology.

I am glad that Zoom is serious about addressing these flaws anyhow, but particularly so after learning that it is being used by these government agencies.

More on In-App Purchases for Amazon Prime Video

John Gruber dug into yesterday’s confusing Amazon Prime Video situation and, predictably, has created the most comprehensive explanation I’ve seen yet:

Why would Apple agree to this? Financially, Apple now gets a cut of some Prime Video rentals and purchases, and a recurring cut of new Prime Video subscriptions made in-app. And Apple TV users get all the benefits from the Prime Video app supporting AirPlay 2, universal search, and integration with the TV app that Apple is trying to make the default interface for watching shows and movies. Prior to this deal, Apple made nothing from Prime Video — it was a free app with no in-app purchases, and there was no way to subscribe to Prime Video through iTunes.

[…]

It’s a win for Apple, a win for Amazon, and a win for users in the Apple TV ecosystem.

It does seem like an all-around win. However, the question remains why this policy is something that is seemingly only available through channels not generally available to providers of comparable services, and why it so far seems to apply to just three service providers.

Amazon Prime Video Now Allows In-App Purchases and Rentals With Its Own Payment Method Thanks to Special Apple Entitlement

Nick Statt, the Verge:

Amazon’s Prime Video iOS and Apple TV apps now let customers make in-app purchases, including renting and buying films and TV shows. The change marks a huge shift in Amazon’s approach to the App Store, which mandates a 30 percent cut on all in-app purchases. Prior to the change, Amazon would not allow you to rent or buy content on the Prime Video app, instead, directing users to a web browser to avoid the App Store fee.

Now, when users log in to the Prime Video app, there should be a message reading, “Browse, rent, or buy new release movies, popular TV shows, and more — now within the app.” (Big thanks to George Watson, who tipped us off to this change.)

Ryan Jones:

Amazon Prime Video now avoids Apple’s payment system and ostensibly the 30% fee. You pay directly to Amazon.

Change was made server-side without an app update. This is huge news either way.

Guilherme Rambo:

The Prime Video app has a special “com.apple.storekit.request-data” entitlement. This reminds me of the “requestData” property on SKPayment, which has been “Reserved for future use” for a long time. Hmmmm…

Rambo isn’t kidding — that entitlement has been around since iOS 3.

Apple’s statement, as posted by Benjamin Mayo:

Apple has an established program for premium subscription video entertainment providers to offer a variety of customer benefits — including integration with the Apple TV app, AirPlay 2 support, tvOS apps, universal search, Siri support and, where applicable, single or zero sign-on. On qualifying premium video entertainment apps such as Prime Video, Altice One and Canal+, customers have the option to buy or rent movies and TV shows using the payment method tied to their existing video subscription.

This is bizarre, undocumented, and, as far as I can figure out, has never previously been acknowledged.

Apple’s statement does not seem to fully reflect exactly what is going on here. The features described as being part of an “established program for premium subscription video entertainment providers” — a phrase that, I think, needs more words — do not appear to be unique to apps that are allowed to bypass Apple’s in-app purchase mechanism. The Netflix app on tvOS, for instance, is part of universal search; CBC’s Gem app integrates with the Apple TV app but uses standard iOS in-app purchases, not its own. So those “benefits” are not unique to the listed apps: Prime Video, Altice One, and Canal+.

What does appear to be entirely unique to those apps is that they are allowed to bypass Apple’s in-app purchase regime, contrary to the App Store rules:

If you want to unlock features or functionality within your app, (by way of example: subscriptions, in-game currencies, game levels, access to premium content, or unlocking a full version), you must use in-app purchase. Apps may not use their own mechanisms to unlock content or functionality, such as license keys, augmented reality markers, QR codes, etc. Apps and their metadata may not include buttons, external links, or other calls to action that direct customers to purchasing mechanisms other than in-app purchase.

Why is Amazon Prime Video allowed to use a non-Apple payment method for its movie purchases and rentals, but not for subscriptions? Why is this entirely undocumented? Why did it take until today to enable this for Amazon Prime Video, rather than it being something that has been available all along for the app?

Most of all, why has this notoriously immutable App Store rule turned out to be something that can be bypassed, if only by an invitation offered to a few apps?

Update: Apple provided a slightly different statement to the Verge stating that this new policy only applies to individual purchases, not subscriptions. No clarification was provided on how a developer would go about joining this program, though it seems like the “benefits” that Apple described in its statement — AirPlay support, universal search, and the like — are something a developer has to agree to integrate in order to get this special entitlement.

Among the Myriad Industries Harrowed by Coronavirus Effects, Journalism Is Uniquely Impacted

Todd Spangler, Variety:

Ad spending is falling off a cliff amid the COVID-19 pandemic — and Facebook and Google, the two heavyweights in digital advertising, are expected to bear the brunt of the downturn in terms of sheer dollars lost.

The two internet giants together could see more than $44 billion in worldwide ad revenue evaporate in 2020, Cowen & Co. analysts estimate. That said, both Google and Facebook will continue to be massively profitable even with double-digit revenue drops.

Craig Silverman, Buzzfeed News:

Many advertisers use lists of sensitive or controversial keywords to avoid placing ads — and spending their ad dollars — adjacent to content they consider unsafe for their brands. But the addition of coronavirus-related terms to these keyword blacklists has choked off revenue as publishers struggle to capitalize on soaring audiences amid catastrophic revenue declines.

[…]

In March, Integral Ad Science, an ad verification company that works with the brand to improve the quality of its ad placements, automatically blocked 309,726 — roughly 36% — of ads the brand attempted to place on the New York Times’ website. In January, only 3% were blocked, and in February, 6%. Thirty-four percent of the ads the company attempted to place on USA Today’s website were blocked in March, as were 45% of those on the Washington Post’s website, and 29% on CNN’s website. In total, nearly 2.2 million ads for the brand were blocked from appearing.

Daniel Bernhard, the Star:

Even before the COVID-19 crisis struck, private media outlets were so beleaguered that they required special tax assistance just to stay afloat. Despite this support, Postmedia and Torstar, Canada’s largest producers of daily newspapers, are in dire financial straits. As of Thursday, you could buy all Torstar stock for just $21 million. As the economic downturn intensifies and businesses of all sizes suffer horrendous financial consequences, the few advertising dollars that remain are drying up overnight.

For its part, the CBC is so underfinanced that it cancelled all local TV news broadcasts last week. In a video town hall with CBC employees, Barb Williams, executive vice-president of English services, said the move was necessary to keep the network from “fading to black.”

The bleak irony of the coronavirus pandemic is that it necessitates frequent and comprehensive coverage at all levels — local media is just as important as national media. But those articles are not being supported by big advertisers, many of which are resistant to their new products being promoted alongside articles about a global pandemic.

This effect is compounded by an overall spending pullback by advertisers, largely because the entire economy is, technically, in the shitter.

Drew Curtis of Fark:

Late last week, a fellow Farker who is CTO of an adtech company we’ve been working with closely hit me up with a warning. He said that as of last Thursday, they’re seeing industry-wide cancellations. Companies aren’t waiting until the 2nd quarter — they’re pulling ads -now- on existing deals. Understandable given the current situation, but it doesn’t help Fark at all.

Curtis, in a second post:

However, there’s more bad news — also last week the IAB, which is the primary trade group for online advertising among other things, released the results of a survey of ad buyers to try to figure out what effect the lockdown will have on ad revenues. The short version is it’ll be worse than 2008, which is pretty dire because in 2008, Fark’s revenue dropped to near zero. There’s more info and data from the IAB survey here.

It has become a cliché to say that we need great journalism now more than ever, and it is also untrue: we have always needed great journalism.

We desperately need local press that can tell us what is happening at city and regional levels, but the publications that are best positioned to cover this have long been dangling by a financial thread. Big and comparatively wealthy national publications, on the other hand, are necessary to see the broader scope of this pandemic, but stumble at effective reporting.

Practically every industry is going to suffer due to this pandemic. I cannot imagine ranking which organizations are more deserving of financial assistance than others. But it would be a horrific loss if media organizations were not a focus of some kind of help, plus a long-term plan to try to stabilize the industry.

U.S. Government Websites Give Bad Security Advice

Brian Krebs:

Many U.S. government Web sites now carry a message prominently at the top of their home pages meant to help visitors better distinguish between official U.S. government properties and phishing pages. Unfortunately, part of that message is misleading and may help perpetuate a popular misunderstanding about Web site security and trust that phishers have been exploiting for years now.

[…]

The text I have a beef with is the bit on the right, beneath the “This site is secure” statement. Specifically, it says, “The https:// ensures that you are connecting to the official website….”

Here’s the deal: The https:// part of an address (also called “Secure Sockets Layer” or SSL) merely signifies the data being transmitted back and forth between your browser and the site is encrypted and cannot be read by third parties.

However, the presence of “https://” or a padlock in the browser address bar does not mean the site is legitimate, nor is it any proof the site has been security-hardened against intrusion from hackers.

This is probably obvious to technically-literate readers like yourself, but I think this poor advice would make sense to many people. It’s exacerbated by browsers’ interfaces that emphasize the difference between HTTP and HTTPS connections. Visiting scripting.com, a staunch HTTP-only website, in Chrome and Safari will show a “Not Secure” badge in the address field. Visiting my HTTPS site, on the other hand, will show a nice little padlock instead that, when clicked in either browser, indicates that the connection is “secure” and “encrypted”.

Krebs:

Other federal sites — like dhs.gov, irs.gov and epa.gov — simply have the “An official website of the United States government” declaration at the top, without offering any tips about how to feel better about that statement.

There’s nothing preventing just anyone from claiming that they, too, operate an “official website of the United States government”. It is not helped by the U.S. government’s mixed use of .gov, .mil, .us, and .org domains, not to mention the many GitHub demos I found. Conversely, there are plenty of official U.S. government websites that do not display that notice: the FAA, OSHA, the Small Business Administration, and Recreation.gov, to name just a few.

Finally, I can’t work out why there are three different domains associated with the census: census.gov is fine, but 2020census.gov is kind of sketchy looking, and my2020census.gov — the actual website of the survey — is very sketchy looking. None of those websites share the same design language, and only the survey URL has the aforementioned “official website” notice. What a mess.

Update: It was possible to upload just about any file to fcc.gov as late as 2017, a capability which was predictably abused.

Zoom Video Calls Are Not End-to-End Encrypted, Contrary to Its Public Claims

Micah Lee and Yael Grauer, the Intercept:

In Zoom’s white paper, there is a list of “pre-meeting security capabilities” that are available to the meeting host that starts with “Enable an end-to-end (E2E) encrypted meeting.” Later in the white paper, it lists “Secure a meeting with E2E encryption” as an “in-meeting security capability” that’s available to meeting hosts. When a host starts a meeting with the “Require Encryption for 3rd Party Endpoints” setting enabled, participants see a green padlock that says, “Zoom is using an end to end encrypted connection” when they mouse over it.

But when reached for comment about whether video meetings are actually end-to-end encrypted, a Zoom spokesperson wrote, “Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection.”

[…]

“When we use the phrase ‘End to End’ in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point,” the Zoom spokesperson wrote, apparently referring to Zoom servers as “end points” even though they sit between Zoom clients. “The content is not decrypted as it transfers across the Zoom cloud” through the networking between these machines.

Dan Moren, Six Colors:

In and of itself, this situation is raising a lot of questions, but what’s worse is that it’s part of a clear pattern with Zoom. Just this past week, the company’s iOS app was discovered to be sending information to Facebook without disclosing that in its privacy policy. Others have pointed out that its macOS installer also seems to have some shady behavior. And, of course, last year the company was found to be installing a secret local web server to bypass an Apple security restriction.

Lacking end-to-end encryption for video chat is not uncommon. What is unique to Zoom is that they’re lying about it in marketing materials by redefining “end-to-end encryption” to fit their needs.

Stuff like this — and the installer that runs on the preflight step instead of the correct installation step — are things that are so easy to get right. Zoom’s repeated failures would ordinarily only seem sloppy, but the web server that it installed last year created a massive security vulnerability which the company did not address for months. Zoom’s problems point to an entirely avoidable reckless culture.

Update: Oded Gal of Zoom:

In light of recent interest in our encryption practices, we want to start by apologizing for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption. Zoom has always strived to use encryption to protect content in as many scenarios as possible, and in that spirit, we used the term end-to-end encryption. While we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it. This blog is intended to rectify that discrepancy and clarify exactly how we encrypt the content that moves across our network.

Zoom continues to market its product as having “end-to-end encryption for all meetings”, which simply isn’t true.
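
The distinction at issue here, as an added example that is not from the Intercept's reporting or from Zoom: when the media key is set up with the server, the server can read what it relays, and when only the two clients can derive the key, it cannot. The `Relay` class, the toy Diffie-Hellman parameters, and the SHA-256/HMAC construction standing in for AES are assumptions made so the code runs with the Python standard library alone; none of it is Zoom's actual protocol.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters, picked for brevity (assumption, illustration only).
P = 2**255 - 19
G = 2


def _subkeys(key):
    """Derive separate encryption and MAC keys from one 32-byte key."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream(key, nonce, length):
    """SHA-256 in counter mode: a stdlib stand-in for AES, not a vetted cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt, then MAC. Returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key, blob):
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Relay:
    """Hypothetical stand-in for the provider's server between two clients."""

    def __init__(self):
        self.keys_held = []   # media keys the server itself created
        self.seen = []        # everything it forwarded: public values and media

    def issue_meeting_key(self):
        # Transport model: the media key is agreed over each client's TLS session
        # with the server, so the server has it (modelled as the server choosing it).
        key = secrets.token_bytes(32)
        self.keys_held.append(key)
        return key

    def forward(self, item):
        self.seen.append(item)
        return item

    def readable_media(self):
        """Every frame the server can decrypt with the keys it holds."""
        attempts = (open_sealed(key, blob) for blob in self.seen
                    if isinstance(blob, bytes) for key in self.keys_held)
        return [frame for frame in attempts if frame is not None]


def transport_encrypted_call(relay, frame):
    """Encrypted on each hop, but the server created and keeps the media key."""
    key = relay.issue_meeting_key()
    blob = relay.forward(seal(key, frame))
    return open_sealed(key, blob)


def end_to_end_call(relay, frame):
    """Clients agree on a key through the relay; the relay never holds it."""
    a = secrets.randbelow(P - 2) + 1   # sender's private value
    b = secrets.randbelow(P - 2) + 1   # receiver's private value
    pub_a = relay.forward(pow(G, a, P))
    pub_b = relay.forward(pow(G, b, P))
    # A relay that swapped these values could still interpose itself, so real
    # designs also have participants authenticate each other's public keys.
    key_sender = hashlib.sha256(pow(pub_b, a, P).to_bytes(32, "big")).digest()
    key_receiver = hashlib.sha256(pow(pub_a, b, P).to_bytes(32, "big")).digest()
    blob = relay.forward(seal(key_sender, frame))
    return open_sealed(key_receiver, blob)


if __name__ == "__main__":
    frame = b"constructed media frame"   # constructed sample input
    for call in (transport_encrypted_call, end_to_end_call):
        relay = Relay()
        delivered = call(relay, frame)
        print(call.__name__, "delivered:", delivered == frame,
              "| server can read:", relay.readable_media())
```

In both calls the receiver gets the frame and the traffic on the wire is encrypted; the only difference is whether `readable_media()` on the server comes back empty.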

Dark Sky Has Been Acquired by Apple, Announces Discontinuation of Widely-Used API

Adam Grossman of Dark Sky:

Today we have some important and exciting news to share: Dark Sky has joined Apple.

[…]

Our API service for existing customers is not changing today, but we will no longer accept new signups. The API will continue to function through the end of 2021.

Dark Sky’s API is used by loads of apps you know — Carrot, Weather Line, and Hello Weather are just a few examples — but also organizations like conEdison, NASA’s Jet Propulsion Laboratory, and JCDecaux for its outdoor advertisement installations.

Via John Voorhees at MacStories:

Dark Sky’s announcement comes as a surprise, but it certainly makes sense from Apple’s perspective. Weather data is notoriously expensive and Dark Sky has some of the most accurate forecast data for many parts of the world, which undoubtedly made it an attractive acquisition. It will be a shame to see their data disappear from third party apps.

It’s not just expensive — weather data is a privacy concern as well. Last year, the city attorney of Los Angeles sued IBM, accusing their Weather Channel app of surreptitiously mining user data for purposes other than the app stated. Apple’s own Weather iOS app and MacOS widget also rely on Weather Channel data, which wasn’t implicated in the lawsuit. But it remains unclear if any data provided by users of either the app or widget was subject to the same privacy violations as the company’s own app.

Even though the Dark Sky API will be shutting down, it is possible that iOS and MacOS apps will soon have a native weather API.

It’s All So Premiocre

Amanda Mull, the Atlantic:

As with many aesthetically pleasing food trends that have thrived in the era of constant internet access, the value of a deluxe cupcake isn’t necessarily in its physical consumption. Instead, it’s more like an edible Gucci logo belt, or a sprinkle-topped boutique hotel with a beautifully decorated lobby bar and painfully cramped showers. These goods are the least expensive way to gain temporary entry to a particular consumer class — for example, Gucci belts cost $450, while one of the brand’s bags could easily set you back $3,500. The brand’s belts are not any better at belting than many far less expensive options, but they provide a conduit for a person of middling means to transport herself into the lavish life she wants, if only within the highly edited confines of a carefully staged Instagram photo.

Crumbs Bake Shop expanded to 79 locations in the United States before it went out of business in 2014, but the value system that enabled it remains: A plethora of subpar options is the foundation of modern shopping. Most Millennials were too young to get a foothold in the economy before it fell out from under them, and now, confronted with the precariousness of working- and middle-class life in the decade after the Great Recession, the most many can do is playact modern success for as long as possible while hoping the real thing happens eventually.

All of the faux-Eames chairs the internet tried to sell me are props for this Kabuki theater: things you buy because they’re masquerading as more exceptional than they are. Some of these products are perfectly good at fulfilling their function, but they paper over a problem of class mobility that consumer choices can’t change. The market has looked upon the people it serves and said, “Let them eat cupcakes.”

Maya Kosoff, Marker:

Until a few weeks ago, when a very different picture emerged of Outdoor Voices. The Business of Fashion reported that for all of the startup’s apparent growth and cachet — including 11 stores in cities like Los Angeles and Nashville — the company “continues to lose money on customer acquisition.” According to BoF, Outdoor Voices was hemorrhaging up to $2 million per month last year on annual sales of around $40 million. Its executives also seemed to be bailing out on a company in a tailspin. The new president Haney had managed to lure last year from Nike lasted only a few months, and Drexler left the board. The startup was able to get a new cash infusion from the company’s investors, but at a lower valuation than previous rounds. On February 25, CEO Haney sent a Slack message to her hundreds of employees: “with heartbreak, I have tendered my resignation,” BuzzFeed News reported. In the wake of her departure, she wrote, there would also be layoffs, and Cliff Moskowitz, the president of a fashion-oriented private-equity firm, would take over as interim CEO.

The news could be interpreted simply as an unfortunate isolated incident — an inexperienced founder who mismanaged her way into overspending. But for anyone familiar with the harsh realities of the [direct to consumer] model, it’s an affirmation of something much more fundamental: Once you get past all the shiny objects in the DTC category — the plump VC rounds, the sleek sans serif designs, the experiential storefronts in hot retail locations, the podcast ad blitzes — it turns out it’s extremely difficult to actually make the economics work.

I remember when DTC startups were touting that their lack of a physical storefront is one reason they were able to offer their products for less. It turns out that people want to try mattresses and clothing in person. Who knew?

Getting a Copy of Your Clearview AI Profile

Thomas Smith, OneZero:

What does a Clearview profile contain? Up until recently, it would have been almost impossible to find out. Companies like Clearview were not required to share their data, and could easily build massive databases of personal information in secret.

Thanks to two landmark pieces of legislation, though, that is changing. In 2018, the European Union began enforcing the General Data Protection Regulation (GDPR). And on January 1, 2020, an equivalent piece of legislation, the California Consumer Privacy Act (CCPA), went into effect in my home state.

[…]

Within a week of the Times’ expose, I submitted my own CCPA request to Clearview. For about a month, I got no reply. The company then asked me to fill out a web form, which I did. Another several weeks passed. I finally received a message from Clearview asking for a copy of my driver’s license and a clear photo of myself.

I provided these. In minutes, they sent back my profile.

Companies like Clearview AI are the next level of the kind of “data enrichment” firm that suffered a massive data breach last year. After that breach, I submitted requests to every big data enrichment company I could find to see what they had on me. Many had nothing, but a few had built extremely accurate profiles of me based solely on whatever they could scrape. I had never heard of these companies; I had to ask them, individually, to delete anything they had on me.

Safari and Progressive Web Apps

Aral Balkan is one of many developers who have raised concerns about Apple’s just-released update to Safari:

Block all third-party cookies, yes, by all means. But deleting all local storage (including Indexed DB, etc.) after 7 days effectively blocks any future decentralised apps using the browser (client side) as a trusted replication node in a peer-to-peer network. And that’s a huge blow to the future of privacy.

Ignoring the whataboutism that Balkan invokes with regards to Apple News — which, as far as I can tell, is not a fair representation — and the App Store, this is a reasonable question: are web apps that use local storage now impossible to build?

John Wilander of Apple’s WebKit team updated the announcement to clarify:

As mentioned, the seven-day cap on script-writable storage is gated on “after seven days of Safari use without user interaction on the site.” That is the case in Safari. Web applications added to the home screen are not part of Safari and thus have their own counter of days of use. Their days of use will match actual use of the web application which resets the timer. We do not expect the first-party in such a web application to have its website data deleted.

This change effectively creates a distinction between web apps that users run by typing in a URL, and web apps that users run by tapping an icon pinned to their home screen.

I get why this [upsets some developers], and that progressive web app technologies are used on websites that are not web apps. But I suspect that the real-world impact of this will be felt little by users compared to the frequent misuse of these technologies for tracking purposes.

John Bergmayer:

Amazing the number of developers who think “Oh yeah, of course every web page you visit should be a full-fledged app that has permanent storage on your computer”.

I still think it’s remarkable that you can visit a webpage and somehow your web browser will dumbly execute literally every valid command written by the developer. It is often magical; it is also indicative of developer hubris to decide that everything they do is right and just.

Improvements to Tracking Prevention in Safari 13.1 on MacOS, and Safari on iOS and iPadOS 13.4

Reading through these release notes indicates the many ways providers of analytics and tracking scripts attempt to evade the restrictions of Intelligent Tracking Prevention. It is an arrogant and disrespectful practice — an assumption that the browsers that default to allowing tracking everywhere are correct, and that browsers that choose different defaults are wrong. It is, after all, an option in Safari: users who want to allow cross-site tracking can disable ITP.

John Wilander of Apple’s WebKit team provides just one example:

Some trackers have started to delay their navigational redirects, probably to evade ITP’s bounce tracking detection. This manifests as the webpage disappearing and reloading shortly after you land on it. We’ve added logic to cover such delayed bounce tracking and detect them just like instant bounces.

The workaround that these trackers invented is detrimental to users’ browsing experience — nobody wants a page to load twice — all just to make it a little bit easier to track users across the web against their will.

The only comparison I can think of, in terms of software that is constantly changed to fight against attempts to detect and eradicate it, is malware.
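To make the delayed-bounce point concrete, here is an added sketch (not WebKit's code and not from the release notes) that runs an instant-only check and a delay-aware check over the same constructed navigation log. The log format, both dwell thresholds, and the rule that a site the user has interacted with is exempt are assumptions of this example.

```javascript
// Constructed sample: top-level events in one tab, "<seconds> <event> [site] [cause]".
// cause is what triggered the navigation: user (click or typed URL), redirect, or script.
const SAMPLE_LOG = `
0.0 nav search.example user
8.0 interact
12.0 nav fast-tracker.example user
12.1 nav shop.example redirect
30.0 interact
40.0 nav news.example user
43.5 nav slow-tracker.example script
45.5 nav news.example redirect
60.0 interact
70.0 nav sso.example user
75.0 interact
76.0 nav mail.example redirect
90.0 interact
`;

// Assumed thresholds for this sketch; the page gives no real values.
const INSTANT_MAX_DWELL = 1.0;   // seconds: only near-immediate redirects count
const DELAYED_MAX_DWELL = 10.0;  // seconds: also covers redirects that wait first

// Turn the event log into visits: one record per page the tab displayed.
function parseVisits(logText) {
  const visits = [];
  let current = null;
  for (const line of logText.split('\n')) {
    const fields = line.trim().split(/\s+/);
    if (fields.length < 2) continue;               // blank or malformed line
    const t = Number(fields[0]);
    if (Number.isNaN(t)) continue;
    if (fields[1] === 'interact') {
      if (current) current.interacted = true;      // click, tap or keypress on the page
    } else if (fields[1] === 'nav' && fields.length === 4) {
      if (current) {                               // this navigation ends the previous visit
        current.leave = t;
        current.leftBy = fields[3];
        current.next = fields[2];
      }
      current = { site: fields[2], arrive: t, leave: null,
                  leftBy: null, next: null, interacted: false };
      visits.push(current);
    }
  }
  return visits;
}

// A visit is a bounce hop when the tab left it without a user gesture, for a
// different site, within maxDwell seconds, and the user never interacted with
// that site anywhere in the log.
function findBounceHops(visits, maxDwell) {
  const interactedSites = new Set(
    visits.filter(v => v.interacted).map(v => v.site));
  const hops = new Set();
  for (const v of visits) {
    if (v.leave === null || v.leftBy === 'user') continue;  // still open, or user left
    if (v.next === v.site) continue;                        // same-site reload
    if (interactedSites.has(v.site)) continue;              // e.g. a login redirect
    if (v.leave - v.arrive <= maxDwell) hops.add(v.site);
  }
  return [...hops].sort();
}

// Sites the delay-aware check flags that the instant-only check lets through.
function missedByInstantCheck(visits) {
  const instant = new Set(findBounceHops(visits, INSTANT_MAX_DWELL));
  return findBounceHops(visits, DELAYED_MAX_DWELL).filter(s => !instant.has(s));
}

const visits = parseVisits(SAMPLE_LOG);
console.log('instant-only:', findBounceHops(visits, INSTANT_MAX_DWELL));
console.log('delay-aware :', findBounceHops(visits, DELAYED_MAX_DWELL));
console.log('missed      :', missedByInstantCheck(visits));
```

In the sample, news.example also navigates away on its own a few seconds after the user lands on it, but it is not flagged because the user interacts with it later; the same exemption keeps the sso.example login redirect from being counted as a bounce.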

The New iPad Pro Models Are Iterative Updates on the Last Generation, and Everybody Really Wants to Try the New Magic Keyboard

Joe Rossignol, MacRumors:

The first reviews of the new iPad Pro have hit the web and we’ve rounded them up below.

Given that trackpad support is coming to all modern iPad models with iPadOS 13.4, set to be released later today, the actual hardware changes to the 2020 iPad Pro are rather minor. Reviews confirm that the device’s new A12Z Bionic chip has very similar CPU performance as the previous A12X chip, and beyond that, the only additions are an Ultra Wide camera, LiDAR scanner, and better sounding microphones.

John Gruber:

In short, if you’re an AR junkie, you should jump all over the new iPad Pro. If you’re not an AR junkie — which is to say the overwhelming majority of you — well, it’s not that big a deal. I don’t mean to be dismissive of AR and ARKit. I think an AR revolution is coming, and the whole “use your iPhone and iPad as ARKit devices” effort on Apple’s part — and it’s a massive effort — is laying the groundwork for an AR-first device to hit the ground running with developer support from day one. But are there really people for whom ARKit-powered apps are so important right now that they’ll upgrade to a new iPad just for lidar support? I suppose the answer is yes — for example, developers working on ARKit apps and games. But for most people the answer is clearly no.

Off the top of my head, I can’t think of another time when new camera hardware or features from Apple debuted on a non-iPhone device.

In his review for the Verge, Dieter Bohn says that lidar is cool, but it’s one more piece of hardware for a software world that doesn’t exist yet. The new iPads also maybe possibly have 6 GB of RAM apiece — not just the high-end models. Both of these things continue a years-long narrative about the iPad as a product category: the hardware outpaces the software by years. There’s a good argument to be made that, because people will be using these things for a very long time, it makes sense to give them hardware that will allow for plenty of growth. But it also means that there’s little to try this new stuff with out of the box, and its future viability depends on developer support.

That includes Apple. It has released an updated version of ARKit that allows developers to take advantage of the special qualities of the lidar sensor in these new iPads. Presumably, some new iPhones released later this year will have the same capabilities, and it looks like it makes a huge difference in the accuracy and reliability of augmented reality software.

Matthew Panzarino, TechCrunch:

Currently, iPadOS is still too closely tethered to the sacred cow of simplicity. In a strange bout of irony, the efforts on behalf of the iPad software team to keep things simple (same icons, same grid, same app switching paradigms) and true to their original intent have instead caused a sort of complexity to creep into the arrangement.

The current system of inscrutable gestures and indeterminate window focus reads, to me, like a lack of confidence in the iPad’s ability to grow and change. I don’t know that Panzarino’s ideas are the correct solution, but they are an idea that helps solve multitasking on the iPad for its unique context.

The trackpad and mouse support in iPadOS 13.4 is, similarly, a change that shows renewed confidence in the iPad as a discrete platform. It is a welcome upgrade to a project that began as an accessibility feature that combines references to traditional computer interfaces with a smart reconsideration of how it ought to behave in a touch environment. I don’t think I would want an iPad-style cursor in MacOS, but I also would not want to see a Mac-style cursor on an iPad. Neither makes sense outside of its context.

On that note, a consistent thread in all of these reviews is that the new Magic Keyboard accessory is the real news in iPad World. But, because it won’t be shipping for several weeks, and there is no way to do a remote hands-on area for equally remote press briefings, nobody has tried it yet. The good news is that, unless you need lidar hardware, there are few changes over the 2018 iPad Pro models, which you can pick up for a significant discount. And the Magic Keyboard is compatible with those models as well.

Magic Mailboxes

Chris Hynes:

I worked on the Mail team from just before Public Beta thru Tiger. One of my proudest achievements on the team (and at Apple) was brainstorming with my team members and pushing an idea we internally called Magic Mailboxes and eventually became called Combined Mailboxes.

[…]

For this example, I’m going to presume that a novice user has one account, probably a POP account. Here’s what it looked like in Mail.

[…]

As you add more and more accounts, this model falls apart. With three accounts, you have 3 inboxes, 3 drafts, 3 trashes, and so on.

I’ve tried probably half a dozen alternative email clients over the years, but I keep coming back to Apple’s on MacOS and iOS. One reason has been its long-time support for unified mailboxes. I have an indefensible number of email addresses and this is essential for my use.

This is a typically great piece from Hynes. If you haven’t subscribed to Tech Reflect yet, you’re missing out on an insightful behind-the-scenes look at some of the software you use daily.

We Could Just Ban Targeted Advertising

Gilad Edelman, Wired:

The thinking goes like this. Google and Facebook, including their subsidiaries like Instagram and YouTube, make about 83 percent and 99 percent of their respective revenue from one thing: selling ads. It’s the same story with Twitter and other free sites and apps. More to the point, these companies are in the business of what’s called behavioral advertising, which allows companies to aim their marketing based on everything from users’ sexual orientations to their moods and menstrual cycles, as revealed by everything they do on their devices and every place they take them. It follows that most of the unsavory things the platforms do — boost inflammatory content, track our whereabouts, enable election manipulation, crush the news industry — stem from the goal of boosting ad revenues. Instead of trying to clean up all these messes one by one, the logic goes, why not just remove the underlying financial incentive? Targeting ads based on individual user data didn’t even really exist until the past decade. (Indeed, Google still makes many billions of dollars from ads tied to search terms, which aren’t user-specific.) What if companies simply weren’t allowed to do it anymore?

Don’t think of this as a flip-a-switch instant fix for all that ails the web; think of it as cutting out the junk food and taking up jogging.

This piece is deeply researched and well worth your time. One thing that stood out to me is the vehement defence by advertising types of personalization, as though they cannot envision an effective ad that does not depend on creepy targeting. Any time they have been questioned about personalization, ad industry representatives love to threaten that it will financially cripple the web. But, as Edelman notes, targeted advertising is a recent invention, and there’s little indication that non-personalized ads are less effective or lucrative.

A New ‘Get Up’ Weekly Playlist Is Available in Apple Music

Igor Bonifacic, Engadget:

Apple is trying something new to keep people’s spirits up during the coronavirus pandemic. In Apple Music, it’s introducing a new algorithmic playlist called the Get Up! Mix that the company says is full of “happy-making, smile-finding, sing-alonging music.” With the help of human editors, it will update the playlist each week with new songs. Think: Discovery Weekly, but with a focus on playing tunes that will encourage good vibes — though there’s the promise of discovering new music as well.

Mine is chock full of the “happy-making” tunes of Death Grips and Show Me the Body, and the “smile-finding” sound of Radiohead and Joy Division. Your mileage may vary. Good vibes only.

Zoom’s Attention-Tracking Feature Is Ripe for Misuse

Mehreen Kasana, Input:

With bosses increasingly requiring their workers to turn to remote conferencing, Zoom gives administrators full power to track attendees’ attention with an indicator that points out when a participant doesn’t have the app “in focus” for more than 30 seconds. Privacy organizations like EPIC have previously criticized this tool in an official complaint to the Federal Trade Commission, noting that it bypasses browser security and gives access to users’ web cameras without their knowledge.

D’Arcy Norman has an excellent walkthrough of Zoom’s preferences, including how to turn this feature off. It’s possible to turn it off organization-wide — slip your IT department a pack of decent beer and I’m sure that can happen.

Samantha Cole, Vice:

On Twitter, people are finding ways to use the Zoom Rooms custom background feature to slap an image of themselves in their frames. You can record a short, looping video as your background, or take a photo of yourself looking particularly attentive, depending on the level of believability you’re going for. Zoom says it isn’t using any kind of video or audio analysis to track attention, so this is mostly for your human coworkers and boss’ sake. With one of these images on your background, you’re free to leave your seat and go make a sandwich while your boss thinks you’re still there paying attention.

It’s like the security camera trick from every heist movie. Just be careful not to walk back into the frame.

Harnessing Our Existing Surveillance Capitalist Infrastructure for Good Instead of Evil

Natasha Singer and Choe Sang-Hun, New York Times:

As countries around the world race to contain the pandemic, many are deploying digital surveillance tools as a means to exert social control, even turning security agency technologies on their own civilians. Health and law enforcement authorities are understandably eager to employ every tool at their disposal to try to hinder the virus — even as the surveillance efforts threaten to alter the precarious balance between public safety and personal privacy on a global scale.

Yet ratcheting up surveillance to combat the pandemic now could permanently open the doors to more invasive forms of snooping later. It is a lesson Americans learned after the terrorist attacks of Sept. 11, 2001, civil liberties experts say.

Maciej Cegłowski:

The most troubling change this project entails is giving access to sensitive location data across the entire population to a government agency. Of course that is scary, especially given the track record of the Trump administration. The data collection would also need to be coercive (that is, no one should be able to opt out of it, short of refusing to carry a cell phone). As with any government surveillance program, there would be the danger of a ratchet effect, where what is intended as an emergency measure becomes the permanent state of affairs, like happened in the United States in the wake of the 2001 terrorist attacks.

But the public health potential of commandeering surveillance advertising is so great that we can’t dismiss it out of hand. I am a privacy activist, typing this through gritted teeth, but I am also a human being like you, watching a global calamity unfold around us. What is the point of building this surveillance architecture if we can’t use it to save lives in a scary emergency like this one?

The lack of legal separation of the widely useful attributes of the universal tracking we all endure from its usual implementation in targeted advertising — or its potential in powering a dystopian police state — is a massively consequential failure. It may have been possible to gain acceptance for this moderate intrusion of privacy if there were some framework of trust.

Alas, no such assurance is in place and users’ trust has badly been abused, so it’s understandable why so many are treating this as a horrible idea.

The Great Empty

I am sure many of us are feeling the effects of being encouraged to self-isolate, but there’s nothing quite like seeing a dearth of people in usually packed spaces. Haunting as they are, these pictures also indicate the effectiveness of the isolation strategy.

Counterweighting a Cantilever

I really liked this piece by Dr. Drang:

I’m sure the new iPad Pro will be great, but what every iPad Pro user is eager to learn more about are the pointer control enhancements in iPadOS 13.4 and the new Magic Keyboard with its “floating cantilever” design. What I’m most interested in is the stability of iPad when it’s mounted on the Magic Keyboard and how much weight Apple added to the keyboard to achieve that stability.

One thing seems clear: the Magic Keyboard will weigh significantly less than the Brydge Pro+. We would have guessed that anyway, based on Apple’s longstanding obsession with thickness and weight, but the images of the Magic Keyboard show us conceptually how Apple is solving the stability problem.

I can’t wait to try one of these things in person.

What About the 13-Inch MacBook Pro?

Chance Miller, 9to5Mac:

At this point, the 13-inch MacBook Pro is the only Apple laptop still sold brand-new with the butterfly keyboard. The 15-inch MacBook Pro was updated in November to become the 16-inch MacBook Pro with the new Magic Keyboard. The 12-inch MacBook was discontinued last year as well.

With the MacBook Air’s transition to Magic Keyboard now out of the way, the 13-inch MacBook Pro is surely next on the docket. Reliable Apple analyst Ming-Chi Kuo has said that Apple is accelerating its MacBook refresh plans, and that we should expect a new 13-inch MacBook Pro with the Magic Keyboard during the first half of this year.

I tend to think that the MacBook Pro range is comprised of laptops of similar purpose, available in two different sizes — but that’s not the case. The 13-inch model has long been a junior version of its bigger sibling in more ways than just size. It has never been offered with dedicated graphics memory, for example, and the first two generations of the Touch Bar model had two slower Thunderbolt ports. By that standard, it makes some sense that the 13-inch MacBook Pro was not updated at the same time as the 16-inch.

But, on the other hand, it now stands out as the Mac model nobody should buy. It is now the One With the Bad Keyboard — the only one that is sold, brand new, with automatic coverage from the company’s keyboard service program. There is certainly an update in this Mac’s near future, but it is awkward that it was not released alongside either of the new MacBook models.

The Changing Nature of Apple’s Product Announcements

Dan Moren, Macworld:

Most of us love Apple events. There’s an excitement and a theater to them that is rare in corporate presentations, and is surprisingly hard to replicate. (We’ve all probably seen events from rival companies that have tried to pull off an Apple-esque vibe with less than successful results.)

This week’s updates, however, arrived by press release. Apple’s no stranger to that methodology: the company has dropped plenty of products like this in its history, especially when it clearly considers the products in question to be more minor releases, such as updates to existing devices that don’t really require spinning a story.

[…]

In addition to the usual press materials and images distributed with this week’s announcements came something more unusual: a video featuring Apple senior vice president of software engineering, Craig Federighi, demoing the new trackpad features. While it was reminiscent of the slick product videos that Apple frequently shows off during its events, look closer and you start to see that it’s not quite as smooth. It’s shot at Apple Park, with nobody else onscreen but Federighi, though there may be someone else using the iPad at some points. It’s hard to tell.

This video has fascinated me since it was first posted by Dieter Bohn at the Verge. Partly, that’s because it was posted with no attribution, but also because the fine print does not say “Magic Keyboard coming in May” but, rather, “R1x coming in May”. It does not appear on Apple’s YouTube channel, nor is it included in the iPad Pro’s press release — not even in the package of images at the bottom. Eventually, Six Colors posted the video to YouTube, where it noted in the description that it was “supplied to journalists by Apple”.

That’s odd. Apple’s PR strategy has been so consistent that any changes are inherently interesting, if you’re the kind of person who cares about the foibles of the company.

Apple has done one-to-one briefings before, both in person and remotely. It has held small-scale press-only events, it has announced products through press releases, and it gives reference materials to journalists supplied with review units. But I can’t think of an instance where it has given promotional videos to the press for them to publish.

A Status Update on the Toaster-Refrigerator Project

Daniel Rubino wrote a decent piece over at Windows Central about how the new iPad Pro — and, in particular, the Magic Keyboard — steps on Microsoft’s Surface turf. But I do not buy his argument that it represents an about-face for Apple:

Putting aside how wrong Apple was about the 2-in-1 form factor, which it is now ironically fully embracing, this move by Apple is likely to harm sales of the Surface Pro line. Apple’s iPad has long bucked the trend of the failing tablet market because it has the best hardware and an OS that people relish.

I’d argue – and many of you would too – that Windows 10 is still a more “serious” OS built for doing “real” work. But for many, those lines are blurring. For the last few years there have been many attempts by people trying to make do with just an iPad, and today’s announcement will only make that easier.

Tim Cook’s 2012 comments about convergence devices were again unearthed in myriad commentaries as a counterpoint to the company’s announcements yesterday, especially given the growing similarities between iPad and Microsoft’s Surface hardware. I think that’s noteworthy, but not indicative that Apple’s long-term strategy for the iPad has been wrong.

I’m going to irritatingly self-quote here from a piece I wrote a couple of years ago:

If there is a smartphone-to-desktop continuum, with the tablet somewhere in the middle, Microsoft has long approached it as skinning Windows with touch drivers and bigger buttons, while Apple chose to start by making a touchscreen phone and build up from there.

The addition of real mouse and trackpad support to the iPad is not just a slapped-on version of the MacOS cursor, but a clearly considered rethinking of what that should be on a system that is still primarily used by touch. I expect to see plenty more changes like this as Apple continues to add more advanced features to iPadOS — features that will probably be similar to aspects of MacOS, but reconsidered for a touch-based operating system.

Cook’s “toaster and refrigerator” remarks were made around the time that Microsoft released Windows 8, which took the standard version of Windows and slapped a touch-friendly tile interface on top — no matter what device you installed it on. Have a big-ass desktop display? Doesn’t matter; you still got that tile interface by default. That problem existed in the reverse, too: many Windows settings were not able to be changed through the default touch-based interface, no matter which device you were on, so you would often need to muck around in the historic anachronism that is the Control Panel, even on a tablet.

The iPad and its iPadOS is decidedly not this experience. If anything, its biggest drawbacks are in the ways that it is still attached to a small-screen smartphone experience. But those ties are still inherently touch-based, and are slowly loosening as every part of the personal computer experience is rethought for an interface that is expected to be used primarily — though not entirely — by a user’s fingers. Some of those things will be successful; some, like the stubborn effort to go without a file browser, will not.

This strategy is not, from my very outsider perspective, a radical departure from what I expected for the iPad. Since day one, it has supported Bluetooth keyboards for text entry and limited per-app shortcuts. There was even a weird keyboard dock. I am only surprised and, admittedly, disappointed that advancements like these did not happen sooner.

I anticipate that we will see more desktop-grade features brought to the iPad in the coming years, but interpreted with a style all their own. The iPad of a few years from now might increasingly resemble a far nicer version of those two-in-one laptop and tablet hybrids, but it will not behave like any of them. It will not be a desktop operating system with some bigger buttons; it will be fully imagined as a touch-based operating system.

If that wasn’t the strategy all along, what could it possibly have been? Does anyone seriously think that the iPad would have forever remained something on which you could read email while you used the bathroom?

By the way, there’s a funny postscript to Cook’s toaster-refrigerator remark. Todd Bishop, reporting for the Seattle Pi in 2005:

Before this week’s unveiling of the new video-enabled iPod, Apple Computer’s Steve Jobs was renowned in technology circles for his skepticism about video on portable devices.

Just how ridiculous did he consider the concept? Jobs joked in a conference call with reporters last year that if Apple were to add video to the iPod, it might as well turn the device into a toaster, too.

“I want it to brown my bagels when I’m listening to my music,” he said at the time. “And we’re toying with refrigeration, too.”

Two years after Jobs said this, Microsoft released the Zune. It played audio and video, and came in a shade of brown that would look alright on a toasted bagel.

Apple Updates the MacBook Air

Speaking of our favourite Mac models, the MacBook Air generation that launched in 2010 and was only discontinued a few years ago would easily be in my top five. I still remember how wild it seemed to have a solid state drive in a really thin notebook for a reasonable price. I know a lot of people loved the 11-inch model, but the 13-inch was the one I ultimately bought a couple of years later, and it’s still going strong.

That original 13-inch model, with 2 GB of RAM and a 128 GB SSD, started at $1,299. By the time Apple issued its last update to the non-Retina MacBook Air, the price of entry had dropped to $999. For its entire lifespan, it was the default Mac — the one you would tell people to buy unless there was a good reason for them to get something else.

When the Retina MacBook Air dropped in 2018, it had nearly everything people loved about the model it replaced, with two exceptions: a new crappy keyboard, and a $200 higher price tag. Both of those things, but especially the keyboard, made it just a little harder to recommend to your friends.

Those caveats no longer apply. The MacBook Air was just updated with the same Magic Keyboard as the 16-inch MacBook Pro, twice the standard storage, better performance, and a $999 price. It’s pretty much the perfect notebook again.

Mac Madness 2020

March Madness may be cancelled, but Stephen Hackett has put together the next best thing: a tournament to determine the community’s all-time favourite Mac. Matchups were chosen at random, begetting what I believe to be the most difficult possible bracket right out of the gate.

Voting for this first round lasts until Friday.

New iPad Pro Models Announced, iPadOS 13.4 Features Trackpad and Mouse Support

Federico Viticci:

With a press release published earlier today, Apple officially announced the fourth generation of its iPad Pro line. The new iPad Pro models – available, as with the current generation, in 11-inch and 12.9-inch flavors – feature the all-new A12Z Bionic chip, a new camera system that includes an ultra-wide camera and LiDAR scanner for augmented reality, and integration with a long-awaited accessory, which will become available starting in May: the new Magic Keyboard with trackpad.

These new iPads look pretty remarkable, but my attention was immediately drawn to that new Magic Keyboard accessory. Not only does it have a sweet floating design and an integrated USB-C port for charging, the keyboard is now backlit and, yes, it has a trackpad.

Apple:

With iPadOS 13.4, Apple brings trackpad support to iPad, giving customers an all-new way to interact with their iPad. Rather than copying the experience from macOS, trackpad support has been completely reimagined for iPad. As users move their finger across the trackpad, the pointer elegantly transforms to highlight user interface elements. Multi-Touch gestures on the trackpad make it fast and easy to navigate the entire system without users ever lifting their hand.

Because this enhanced trackpad and mouse support is an iPadOS feature, I was able to try it out with my current iPad. I don’t have a spare trackpad laying around, but I do have an unused Magic Mouse. So I connected my mouse to my iPad — that is a very weird phrase to write. And you know what? It works very well.

Apple’s description of how the cursor works is a bit of an exaggeration; I don’t necessarily buy that this is a “complete reimagining”, but it is a thoughtful interpretation. The cursor — normally round, like a finger’s touch area — transforms a lot more smoothly than in MacOS, and the animation for highlighting UI elements is extremely nice. Using a mouse means less capability than a trackpad, but there are very few shortcomings. Gestures are now widely supported, so you can swipe with a finger to archive a message in Mail, for example. The main one I’ve spotted is that there doesn’t appear to be a way to dismiss a Slide Over app. By design, using the app switcher to go to a different app will allow the Slide Over app to remain floating overtop with its massive shadow obscuring anything underneath and giving the impression that it is still the focused app. But you can always lift your hand off the mouse and swipe it away. There also doesn’t appear to be a way to map a secondary Magic Mouse click but, as with MacOS, you can control-click to reveal a contextual menu. Update: It turns out it’s under General settings, Trackpad and Mouse, and then Secondary Click. My mistake.

This sort of stuff makes the iPad ridiculously flexible. It doesn’t mean that all of the system’s awkward limitations and multitasking weirdness — see above, with regards to the Slide Over app — have suddenly been remedied. But it allows for more powerful uses of the iPad more of the time, and I like it a lot.

Apple says that iPadOS 13.4 with trackpad and mouse support will ship on Tuesday, and the new iPad Pro models will be available in stores next Friday. Given the current pandemic, I expect availability will be pretty limited, but you can be certain Apple’s own stores will have lots of stock. Be sure to check it out at your nearest open location.

Popular iPhone and iPad Apps Appear to Snoop on the System Pasteboard

Talal Haj Bakry and Tommy Mysk:

This article provides an investigation of some popular apps that frequently access the pasteboard without user consent. These apps range from popular games and social networking apps, to news apps of major news organizations. We found that many apps quietly read any text found in the pasteboard every time the app is opened. Text left in the pasteboard could be as simple as a shopping list, or could be something more sensitive: passwords, account numbers, etc.

The clipboard is a well-known security risk on all popular platforms — including the web. Not only is it available across the system, it is expected to be in every app with reading and writing capabilities.

Most apps do not breach user trust in this manner, so it is surprising to see the breadth of very popular apps that are doing so in this case — many of which have no practical reason for reading pasteboard data in the first place. It’s the kind of thing that makes me wonder if they are all, perhaps, using a shared development framework or analytics bundle.

One way to resolve this may be to require consent from the user before the app can access the pasteboard. That consent can be provided in the form of the user tapping the paste button, upon which point the app is authorized.

The Bungled Launch of Verily’s Coronavirus Screening Website

Lauren Hepler, Levi Sumagaysay, and JP Mangalindan, reporting for Protocol on Friday:

With financial markets tanking, the nation’s most valuable companies going remote and medical concerns mounting about inadequate COVID-19 testing, Trump announced that Google has been tapped to build a website to help determine if and where people should get tested for the virus. The endeavor was announced at a Friday Rose Garden news conference, during which Trump declared a national state of emergency and said he was enlisting Walmart, Roche, CVS and other corporations to help respond to the virus and public anxiety.

“I want to thank Google. Google is helping to develop a website,” the president said. Then, in an apparent swipe at the disastrous launch of healthcare.gov under former President Barack Obama, Trump said, “It’s gonna be very quickly done, unlike websites of the past.” He said the website would serve to “determine whether a test is warranted and to facilitate testing at a nearby convenient location.”

Dieter Bohn, reporting for the Verge hours later:

Google is not working with the US government in building a nationwide website to help people determine whether and how to get a novel coronavirus test, despite what President Donald Trump said in the course of issuing an emergency declaration for the coronavirus pandemic. Instead, a much smaller trial website made by another division of Alphabet, Google’s parent company, is going up. It will only be able to direct people to testing facilities in the Bay Area.

[…]

Carolyn Wang, communications lead for Verily, told The Verge that the “triage website” was initially only going to be made available to health care workers instead of the general public. Now that it has been announced the way it was, however, anybody will be able to visit it, she said. But the tool will only be able to direct people to “pilot sites” for testing in the Bay Area, though Wang says Verily hopes to expand it beyond California “over time.”

I never thought I’d say this — but, in fairness to the vulgar talking yam, nobody really understands the difference between Alphabet and Google. Why did Google acquire itself by creating an obscure holding company that bought its most prestigious name? Nobody knows.

In fairness to everyone else, though, the difference between what the President described and what Verily was planning on delivering is a vast gaping chasm. This is a pandemic situation; the President said this at the same press conference as he declared a national state of emergency. The least we can ask from public officials is careful and precise wording so that we get the best information available.

Jennifer Elias, CNBC:

Alphabet’s Verily on Sunday night launched a pilot of a COVID-19 screening and testing website in the San Francisco Bay Area, a day earlier than it said it would.

[…]

In order to be eligible, users must be at least 18 years of age, a U.S. resident, able to speak and read English, located in one of the available counties, and willing to sign the COVID-19 Public Health “authorization form.”

Before the user can find out if they qualify for testing, they have to create or use a Google account to login and sign an authorization waiver. During the registration process, Verily informs users that it will be collecting personal information like name, address, email, phone number and health information, which can all be used by various government and health authorities and for “public health purposes.”

This information is also not being collected and stored under HIPAA rules. Alphabet later clarified that the bulk data would be used in conjunction with other tools, but would not be associated with users’ individual Google account data. That they needed to issue such a clarification speaks to the rushed launch of this site, and the selection of a privacy-compromised provider.

I don’t think this was malicious; I think Alphabet used an existing framework to try to get this thing up and running as quickly as possible, and that framework just happened to have a user scheme built on Google accounts. None of this would be worrying if there were adequate privacy protections in place for all users. But, because there aren’t, it is inherently suspicious that an advertising company is building healthcare software.

Matthew Wille, Input:

Say you do live in one of these two counties. You’re coughing, have a fever, and are generally very scared that you’ve contracted COVID-19. You log onto Project Baseline seeking assistance in finding a testing facility nearby. The site prompts you with an opening question about your symptoms: “Are you currently experiencing severe cough, shortness of breath, fever, or other concerning symptoms?”

You click yes. Project Baseline provides you with an answer: “We suggest that you seek medical attention.” There’s also a link to the CDC’s website.

That’s the entire screener. No links to testing facilities, even within Project Baseline’s supposed coverage area.

Lauren Goode, this morning:

Verily’s Project Baseline is already at capacity.

Goode tweeted this about twelve hours after the thing launched.

Ina Fried and Kyle Daly, writing for Axios on Sunday before this screening tool launched:

Google was blindsided by Trump’s Friday announcement of such a project. The company is now working on two different tracks: ramping up a small pilot project that partially resembles what Trump spoke of Friday but had much more modest scope, while also scrambling to launch an entirely new, less personalized nationwide information portal about the virus.

The personalized service Trump spoke about Friday will be based on a tool in development by Google’s sister company Verily and initially will serve only the San Francisco Bay area.

This was the website that launched shortly after Axios published this piece.

Only after Trump’s claim Friday that the tool would be rolling out nationally “very quickly” did Google begin working on the separate national website project, Axios has learned.

An incredible effort all around.

I understand that a crisis often involves miscommunication and rapidly changing circumstances. Nobody was going to be perfect here, and mistakes happen. But it is not often that such egregious errors are made during press conferences that, by their very nature, are supposed to clarify what is known and defuse misinformation.

Alphabet, for its part, rushed this half-baked survey to the public, and it is not at all as helpful as was promised. It’s not even close to something that people should be directed towards.

I am positive that there are many factors that I am not taking into consideration, including political dealings. But I am also certain that this was not anyone’s best effort. It goes without saying that the expectations of the President were low and he still failed. That is just the kind of guy he is. But the screening tool that Alphabet ultimately delivered appears rushed, of little help, and with privacy concerns to seal the deal.

After all of this, the good news is that people are, generally, stepping up and taking this seriously. I am working from home for the foreseeable future as, I am sure, are many of you. Economically painful measures are being taken — events are being cancelled and stores are being shut — so that this virus spreads less quickly and gives healthcare systems around the world a chance. Doctors, nurses, and researchers are doing their damnedest, and we owe them patience and gratitude. Government agencies and professionals, including those in the United States, are trying to provide accurate information clearly and rapidly. We are doing our collective best to slow this thing down, because our shared responsibilities demand a shared response.

That message, sadly, has not reached the highest levels of the U.S. Executive Branch.

The Story Behind the Coronavirus ‘Flatten the Curve’ Chart

Mark Wilson, Fast Company:

The first instance of Flatten the Curve can be found in a paper called Interim pre-pandemic planning guidance: community strategy for pandemic influenza mitigation in the United States: early, targeted, layered use of nonpharmaceutical interventions, and no, it doesn’t exactly roll off the tongue. Published in 2007 by the CDC, the paper was a preview to a pandemic like COVID-19, and it suggested simple interventions like social distancing and keeping kids home from school in order to slow the spread of a disease so that the healthcare system could keep up.

On page 18, a graphic appears called Goals of Community Mitigation. No one I’ve talked to at the CDC can remember who made it, but the image is the root of Flatten the Curve as it appears today. Rendered in purple, it presents those two familiar curves with three numbered goals: 1. Delay outbreak peak 2. Decompress peak burden on hospitals/infrastructure 3. Diminish overall cases and health impacts. These curves don’t appear to be rooted in hard, literal data. Rather, they are illustrative of the exponential spread of pandemics, and how we might impact their speed of growth. In 2017, when the paper was updated, the graphic lost its 1, 2, 3 numbering scheme. In 2020, the graph’s colors were changed from purple to blue and orange. Otherwise, it remained mostly unchanged.

“I thought it was a beautifully clear and simple illustration of an important concept, but I had no idea that it would end up causing such a stir on Twitter and elsewhere,” says Rosamund Pearce, a data visualization journalist at The Economist. Pearce first heard about the graphic from her colleague Slavea Chankova, and she decided to rebuild it for a piece the pair was working on about COVID-19 for The Economist.

I first saw this illustration in that Economist article that popularized the term, but much deserved credit goes to the CDC for creating such a brilliant piece of design.

Major U.S. ISPs Agree to Relax Bill Payments and Late Penalties for Next Sixty Days

Karl Bode, writing Thursday for Vice:

For years, US broadband providers have taken advantage of a lack of US competition by imposing arbitrary and expensive broadband usage caps and “overage fees.” With the country facing a massive surge in videoconferencing and home learning thanks to the coronavirus epidemic, experts say it’s time for broadband providers to suspend these costly, unnecessary restrictions.

AT&T was the first major U.S. ISP to commit to suspending data caps, with Comcast following on Friday. The FCC also launched an initiative Friday, spearheaded by Chairman Ajit Pai, to “keep Americans connected”. Tony Romm, Washington Post:

As part of the so-called “Keep Americans Connected Pledge,” nationwide providers including CenturyLink and T-Mobile and more regional telecom companies across the country agreed for the next 60 days that they would not terminate service or assess late fees on customers and businesses that fall behind on their bills. They also agreed to open wi-fi hot spots to any American who needs them.

Jon Brodkin, Ars Technica:

Led by Pai, the Republican-majority Federal Communications Commission gave up its authority to restrict data caps and other anti-consumer practices in late 2017 when it repealed net neutrality rules and deregulated the broadband industry. That vote also eliminated requirements for ISPs to be more transparent with customers about hidden fees and the consequences of exceeding data caps, and it lifted a ban on “unjust or unreasonable discrimination” in broadband rates, practices, and services. Stripping away these regulations made it harder for the FCC to guarantee affordable broadband.

Concerns like these apply to no other utility, and they are entirely valid. In 2018, Verizon throttled firefighters’ ostensibly unlimited plans. It’s good that ISPs are not taking advantage of this crisis, too, but the very possibility that they could is surely an indication that broadband infrastructure is broken.

Here in Canada, Telus is waiving overage fees; Shaw has lifted data caps and opened its WiFi hotspot system to non-subscribers. However, Shaw previously announced that its bullshit biannual rate increase would take effect on June 1, and there’s no word yet on whether it has been postponed.

Update: Margaret Harding McGill, Axios:

The virus crisis is offering vivid case studies of real-world, everyday harms that result from inequality between those who have access to and can afford high-speed internet, and those who cannot.

[…]

The FCC estimates 21 million Americans don’t have access to high-speed broadband, though that number could be higher due to problems with data collection.

That’s a huge number of people — roughly equivalent to the entire population of Australia — who lack broadband. Working from home isn’t always an option even with broadband, due to different employment requirements, but those without broadband may find it harder to access support and information.

MacRumors Source: New MacBook Air Models Coming Next Week

Joe Rossignol, MacRumors:

Now, the same anonymous tipster has informed MacRumors that Apple plans to announce new MacBook Air models next week. We have yet to confirm this information, but given the tipster now has an established track record, we have elected to share this rumor. The tipster did not provide any further details at this time.

A few days ago, analyst Ming-Chi Kuo said Apple plans to launch updated MacBook Air and MacBook Pro models with scissor keyboards in the second quarter of 2020, following in the footsteps of the 16-inch MacBook Pro.

While the second quarter does not begin until April, an announcement next week would be just a few weeks earlier. Apple has announced new or refreshed products in March for the last five consecutive years, so there is precedence. In terms of covering all bases, however, we cannot rule out the possibility that the tipster received wrong information.

This is one of the products that was going to be announced at a planned March media event; the event’s cancellation, which occurred before any invitations were sent, was first reported by Jon Prosser.

Apple Cancels In-Person WWDC, Will Be Offering Online-Only Version

Apple Newsroom:

Apple today announced it will host its annual Worldwide Developers Conference in June. Now in its 31st year, WWDC 2020 will take on an entirely new online format packed with content for consumers, press and developers alike. The online event will be an opportunity for millions of creative and innovative developers to get early access to the future of iOS, iPadOS, macOS, watchOS and tvOS, and engage with Apple engineers as they work to build app experiences that enrich the lives of Apple customers around the globe.

[…]

Apple also announced it will commit $1 million to local San Jose organizations to offset associated revenue loss as a result of WWDC 2020’s new online format.

Unsurprising, even in the framing of this announcement. Nothing has yet been disclosed about the cost of WWDC this year, or even the date beyond “June”. Apple says that more details are to come.

The Creative Use of Disparate Tools Makes It Easier Than Ever to Find Hidden Details in Photos

Jon Keegan, the Markup:

Stripping out the metadata in your photos is not too difficult. Here is a handy guide, but a simple trick is just to take a screenshot of your photo before posting it. The screenshot will contain metadata only about the time and location of the screenshot, not the time the photo was originally taken.

But metadata is not all you should be thinking about. Tools and techniques that were once available only to intelligence agencies to collect “open source intelligence” (known as OSINT in national security parlance) are now available to amateur sleuths. These techniques can be used to reveal personal identifying information in your photos, even if you have taken care to lock down your metadata.

For most people, most of the time, there probably isn’t a great reason to be quite this paranoid about what may be revealed in a photo. What is news here, I think, is not that the incidental features of a photo may be revealing, but that it is easier than ever to use those details. This concept is likely familiar to long-time players of GeoGuessr.
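The metadata stripping mentioned in Keegan's piece can also be done directly on the file. The sketch below is an added example, not code from The Markup or from this site: it walks a JPEG's segments and drops the ones that carry metadata, and its sample input is constructed bytes rather than a real photo.

```python
import struct

SOI = b"\xff\xd8"          # start-of-image marker
SOS, EOI = 0xDA, 0xD9      # start-of-scan, end-of-image
# Segments that carry metadata rather than image data.
STRIP = {
    0xE1: "APP1 (Exif/XMP)",
    0xED: "APP13 (IPTC/Photoshop)",
    0xFE: "COM (comment)",
}
NO_LENGTH = {0x01} | set(range(0xD0, 0xD8))  # TEM and RST0-7 have no length field


def strip_jpeg_metadata(data: bytes):
    """Return (clean_bytes, removed); removed lists (segment name, bytes dropped).

    Dropping Exif also drops the Orientation tag, so a viewer may show the
    picture rotated. The pixels are untouched: anything visible in the
    photo itself is still there for someone to analyse.
    """
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    out = bytearray(SOI)
    removed = []
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:
            pos += 1                      # skip optional 0xFF fill bytes
        if pos >= len(data):
            raise ValueError("truncated marker")
        marker = data[pos]
        pos += 1
        if marker == EOI:
            out += b"\xff\xd9"
            return bytes(out), removed
        if marker in NO_LENGTH:
            out += bytes([0xFF, marker])
            continue
        if marker == SOS:
            # Compressed image data follows; copy the rest verbatim,
            # including anything a camera appended after EOI.
            out += bytes([0xFF, marker]) + data[pos:]
            return bytes(out), removed
        if pos + 2 > len(data):
            raise ValueError("truncated segment length")
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        if marker in STRIP:
            removed.append((STRIP[marker], length + 2))
        else:
            out += bytes([0xFF, marker]) + data[pos:pos + length]
        pos += length
    raise ValueError("file ends before any image data")


def _segment(marker: int, payload: bytes) -> bytes:
    # The length field counts itself (2 bytes) plus the payload.
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample() -> bytes:
    """Constructed JPEG-shaped byte stream (not a decodable image)."""
    return (
        SOI
        + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
        + _segment(0xE1, b"Exif\x00\x00" + b"GPS=00.0000N,000.0000W")
        + _segment(0xFE, b"constructed comment")
        + _segment(0xDB, bytes(65))
        + _segment(SOS, bytes(10)) + b"\x12\x34\x56" + b"\xff\xd9"
    )


if __name__ == "__main__":
    clean, removed = strip_jpeg_metadata(build_sample())
    for name, size in removed:
        print(f"removed {name}: {size} bytes")
    print(f"{len(build_sample())} -> {len(clean)} bytes")
```
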

Financial Times: Recent Apple Music Contracts With Record Labels Do Not Yet Include a Bundling Agreement

Anna Nicolaou, Financial Times:

Apple has struck fresh deals for songs from the world’s largest record labels, as the technology giant strives to increase its media presence and siphon more people towards iPhones. 

In recent months, the iPhone maker sealed multiyear licensing deals with Universal Music, Sony Music and Warner Music, said four people familiar with the matter, allowing for hits from artists spanning Taylor Swift, Lizzo and Adele to continue to be streamed on Apple Music.

Apple’s new contracts do not, however, include an economic agreement to bundle Apple Music with the company’s television service, these people said, indicating that a widely anticipated super-bundle of Apple’s media content may be months away.

The good news is that Nicolaou also reports that service bundling is something Apple continues to pursue.

There’s no news about whether there are any price increases for the foreseeable future. Perhaps everyone is happy at ten bucks a month in perpetuity.

Assessing the Goals and Consequences of the Proposed EARN IT Act

Alfred Ng, CNET:

Google, Facebook, Microsoft, Twitter, Snap and Roblox have agreed to adopt 11 voluntary principles to prevent online child sexual exploitation, government officials said Thursday. But the effort also hints at the potential to undercut encryption, an essential element of online security.

[…]

The federal government has argued that it doesn’t want to end encryption that protects the average person, and instead wants “lawful access.” The concept would mean creating a technical opening, or backdoor, that only law enforcement could use in investigations — something cryptography experts have long argued is impossible.

Tech companies like Apple, Facebook, Google and Microsoft agree with those experts and have refused to create backdoors to their encryption protocols. They’ve warned that if they’re forced to create such openings, it would essentially weaken security for everyone by creating an unlock tool that could fall into the wrong hands.

Additional reporting from Ng:

Depending on who you ask, the EARN IT Act could either destroy the fundamental values of an open internet or protect children from being sexually exploited online. The Eliminating Abusive and Rampant Neglect of Interactive Technologies Act, which requires tech companies to meet safety requirements for children online before obtaining immunity from lawsuits, will have its first public hearing on Wednesday.

Unlucky for me, I have a severe allergy to strained backronyms and I have broken out into hives. Please send help.

A bipartisan group of US lawmakers introduced the bill Thursday, saying that the legislation would enforce standards to protect children from sexual exploitation online. The announcement came at the same time the Justice Department hosted a press event to argue that end-to-end encryption protects online predators.

While few would question the importance of ensuring child safety, technology experts warn that the bill is really just the government’s latest attempt to uproot both free speech and security protections online.

A copy of the current draft of the Act can be found on the Senate website (PDF).

Elliot Harmon of the Electronic Frontier Foundation:

The EARN IT Act would create a “National Commission on Online Child Sexual Exploitation Prevention” tasked with developing “best practices” for owners of Internet platforms to “prevent, reduce, and respond” to child exploitation online. But far from mere recommendations, those “best practices” would essentially become legal requirements: if a platform failed to adhere to them, it would lose essential legal protections for free speech.

[…]

As we mentioned when we wrote about the prior version of EARN IT, Section 230 does not exempt online intermediaries from liability for a violation of federal criminal law. If a platform knowingly distributes child exploitation imagery, then the Department of Justice can and must enforce the law. What’s more, if an Internet company finds sexual abuse material on its platform, the law requires it to provide that information to the National Center for Missing and Exploited Children and to cooperate with law enforcement investigations.

Riana Pfefferkorn of the Center for Internet and Society:

The bill would, in effect, allow unaccountable commissioners to set best practices making it illegal for online service providers (for chat, email, cloud storage, etc.) to provide end-to-end encryption — something it is currently 100% legal for them to do under existing federal law, specifically CALEA. That is, the bill would make providers liable under one law for exercising their legal rights under a different law. Why isn’t this conflict with CALEA acknowledged anywhere in the bill? (We saw the exact same problem with the ill-fated Burr/Feinstein attempt to indirectly ban smartphone encryption.)

In a tangentially-related report, Vice created a data set of five hundred iPhone search warrants to give some context to this discussion.

Joseph Cox:

One of the top level findings of Motherboard’s dataset is that many law enforcement agencies and officials can not reliably access data stored on iPhones. Whether that’s due to a device having too strong a passcode, the phone being damaged, an unlocking capability not being available at that specific point in time, or a particular agency not having access to advanced forensic technology itself, Motherboard found many cases where investigators were not able to extract data from iPhones, at least according to the search warrants.

But in some cases officials were able to obtain data from a variety of devices, including some of the latest models of iPhones offered at the time. Multiple federal agencies and local police departments have access to tools from companies such as Grayshift and Cellebrite, which can, depending on a variety of factors, unlock and obtain data from iPhones.

[…]

Most of all, the records compiled by Motherboard show that the capability to unlock iPhones is a fluid issue, with an ebb and flow of law enforcement sometimes being able to access devices and others not. The data solidifies that some law enforcement officials do have trouble accessing data stored on iPhones. But ultimately, our findings lead experts to circle back to the fundamental policy question: should law enforcement have guaranteed access to iPhones, with the trade-offs in iPhone security that come with that?

This piece focuses on the iPhone because it has a consistent and known security policy, but this question applies similarly to every device and mode of communication.

I don’t think anyone would doubt the inherent good in creating laws to ensure the safety of children and assisting in the capture and prosecution of those who abuse them. I entirely support the idea of an encryption standard that preserves the security and privacy of legal activities, yet still allows law enforcement to surveil and capture those who abuse its protections to commit serious crimes. Nothing like that currently exists, however, and it is unlikely that it will — at least for the foreseeable future. We should not choose to become less safe because of the limitations of math, nor should we punish technologists for being unable to comply with impossible requests.

Update: Lauren Feiner, CNBC:

Senators disputed the tech industry’s claims that a bipartisan bill targeting tech’s long-standing legal shield would prohibit encryption by necessity.

“This bill says nothing about encryption,” Sen. Richard Blumenthal, D-Conn., said at a hearing Wednesday to discuss the legislation. Blumenthal introduced the EARN IT Act last week with Senate Judiciary Committee Chairman Lindsey Graham, R-S.C., ranking member Dianne Feinstein, D-Calif., and Sen. Josh Hawley, R-Mo.

Issie Lapowsky, Protocol:

[…]The EARN IT Act still opens up the possibility that an administration interested in weakening encryption — as the last several have been — could make Section 230 immunity dependent upon building a backdoor for law enforcement. If that weren’t at least part of the goal of the bill, Mayer said, its authors could easily write in language to allay those concerns. But they haven’t.

It’s worth asking why that is the case.

In Separate Cases, iOS and Android Apps Did Not Disclose Their Sketchy Data Farming Affiliations

Craig Silverman, BuzzFeed News:

Sensor Tower, a popular analytics platform for tech developers and investors, has been secretly collecting data from millions of people who have installed popular VPN and ad-blocking apps for Android and iOS, a BuzzFeed News investigation has found. These apps, which don’t disclose their connection to the company or reveal that they feed user data to Sensor Tower’s products, have more than 35 million downloads.

Since 2015, Sensor Tower has owned at least 20 Android and iOS apps. Four of these — Free and Unlimited VPN, Luna VPN, Mobile Data, and Adblock Focus — were recently available in the Google Play store. Adblock Focus and Luna VPN were in Apple’s App Store. Apple removed Adblock Focus and Google removed Mobile Data after being contacted by BuzzFeed News. The companies said they continue to investigate.

Once installed, Sensor Tower’s apps prompt users to install a root certificate, a small file that lets its issuer access all traffic and data passing through a phone. The company told BuzzFeed News it only collects anonymized usage and analytics data, which is integrated into its products. Sensor Tower’s app intelligence platform is used by developers, venture capitalists, publishers, and others to track the popularity, usage trends, and revenue of apps.

This is comparable to Facebook’s use of its Onavo VPN to spy on users’ app activity.

Joseph Cox and Jason Koebler, Vice:

Banjo, an artificial intelligence firm that works with police, used a shadow company to create an array of Android and iOS apps that looked innocuous but were specifically designed to secretly scrape social media, Motherboard has learned.

[…]

Banjo did not have that sort of data access. So it created Pink Unicorn Labs, which one former employee described as a “shadow company,” that developed apps to harvest social media data.

[…]

But once users logged into the innocent looking apps via a social network OAuth provider, Banjo saved the login credentials, according to two former employees and an expert analysis of the apps performed by Kasra Rahjerdi, who has been an Android developer since the original Android project was launched. Banjo then scraped social media content, those two former employees added. The app also contained nonstandard code written by Pink Unicorn Labs: “The biggest red flag for me is that all the code related to grabbing Facebook friends, photos, location history, etc. is directly from their own codebase,” Rahjerdi said.

These are entirely separate events and companies, but the reports overlap in their descriptions of what can only be described as a worrying indifference to ethical norms. If the people running these companies have to cauterize their soul before work each day, perhaps they should treat that as a yelping klaxon that something is wildly wrong.

I expect to see more reports like these in the coming years as the country where similar companies are headquartered — and, consequently, where users’ rights are often contractually obligated — has yet to enact and enforce meaningful privacy rights.

Ranchero Releases NetNewsWire for iOS

I’ve been using NetNewsWire on my iPhone and iPad for months now and I adore its simplicity, clarity, and speed. It has feature parity with its Mac counterpart, with one exception: NetNewsWire for iOS supports Feedly — in addition to Feedbin and the local feed library — which has yet to be added to the Mac app.

Leak Deja Vu

Stop me if you’ve heard this before: 9to5Mac and MacRumors have, apparently, obtained part of a prerelease build of a forthcoming version of iOS and have reverse-engineered it to reveal unannounced features and products. Spoilers follow, obviously.

Over the weekend, Steven Troughton-Smith tweeted:

Sure sounds like that iOS 14 filesystem from those recently-pictured devices is floating around; last I heard, it was a December 2019 build, so information coming out of it may be a little less concrete and less reliable than something more recent. I have not seen it myself, tho

After it stopped “floating around”, it seems to have landed at the same two websites that also got a copy of the iOS 11 and HomePod OS builds that, famously, revealed the iPhone X. This year, MacRumors has so far published stories about iMessage, OCR capabilities, voice synthesizers, new fitness features, and the much leaked AirTag. 9to5Mac has published its own series of pieces: new headphones, WatchOS features, Apple Watch hardware, and new iPad Smart Keyboard capabilities.

As an aside, I immensely dislike both sites’ tendency of wrapping each feature in its own article and slowly dripping these pieces over what will ultimately be several weeks.

Nevertheless, a curious thing about the reporting from both of these sites is that neither one acknowledges how they obtained details from an apparently months-old iOS 14 build. When the iOS 11 golden master build was leaked in 2017, MacRumors openly admitted that they were sent the download link, but skirted the obvious next step of describing who provided it. This year, there’s even less detail: all either site is saying is that they have “leaked iOS 14 code”. No source; no details about whether that constitutes a full build.

It’s common for new features to be described in whole or in part; it’s uncommon to see leaked screenshots, but it happens every so often. Leaks of non-public code are extraordinarily rare, and it’s understandable why both sites would want to protect what is presumably an Apple internal source. For that to go entirely unacknowledged, however, is bizarre.

Jason Snell Charts the Number and Type of Ports in Mac Laptops Since 2001

I’m nitpicking here, but I disagree with Snell’s choice to merge FireWire and Thunderbolt numbers on this chart, since it gives the impression that they are equally comparable, and that recent Mac laptops do not contain display or power ports.

Still, the decline in ports on Apple’s flagship notebook model is striking. It demonstrates the replacement of cabled peripherals with wireless equivalents, but it also indicates shifting priorities for what Apple thinks a typical notebook ought to include. While neither an ExpressCard nor an SD Card slot is a port, per se, I think the removal of those connection options is also noteworthy.

Is It Cancelled Yet?

Of the big tech events later this year, Google I/O, GDC, Facebook F8, Adobe Summit, and IBM’s Think conference have all been cancelled; SXSW was cancelled today, just a week before it was supposed to begin. But Microsoft Build is so far proceeding in May as scheduled, and WWDC hasn’t yet been announced.

The Pit of Bad Decisions Made by Clearview AI Simply Has No Bottom

A unique quality of companies that are inherently unethical is that once the narrative thread starts to unravel, the whole thing collapses pretty quickly. As reporters begin digging into it and those with insider knowledge begin to speak up, it’s hard for their public relations teams to keep everything in a nice well-packaged story.

So, let’s look at a few developments regarding Clearview AI.

Dave Gershgorn, OneZero:

Clearview AI worked to build a national database of every mug shot taken in the United States during the past 15 years, according to an email obtained by OneZero through a public records request.

[…]

It’s unclear how many images a national database of mug shots would add to the online sources Clearview AI has already scraped. For context, the FBI’s national facial recognition database contains 30 million mug shots. Vigilant Solutions, another facial recognition company, has also compiled a database of 15 million mug shots from public sources.

Caroline Haskins, Ryan Mac, and Logan McDonald, BuzzFeed News:

Clearview AI, the secretive company that’s built a database of billions of photos scraped without permission from social media and the web, has been testing its facial recognition software on surveillance cameras and augmented reality glasses, according to documents seen by BuzzFeed News.

Clearview, which claims its software can match a picture of any individual to photos of them that have been posted online, has quietly been working on a surveillance camera with facial recognition capabilities. That device is being developed under a division called Insight Camera, which has been tested by at least two potential clients according to documents.

On its website — which was taken offline after BuzzFeed News requested comment from a Clearview spokesperson — Insight said it offers “the smartest security camera” that is “now in limited preview to select retail, banking and residential buildings.”

Kashmir Hill, New York Times:

In response to the criticism, Clearview published a “code of conduct,” emphasizing in a blog post that its technology was “available only for law enforcement agencies and select security professionals to use as an investigative tool.”

The post added: “We recognize that powerful tools always have the potential to be abused, regardless of who is using them, and we take the threat very seriously. Accordingly, the Clearview app has built-in safeguards to ensure these trained professionals only use it for its intended purpose: to help identify the perpetrators and victims of crimes.”

The Times, however, has identified multiple individuals with active access to Clearview’s technology who are not law enforcement officials. And for more than a year before the company became the subject of public scrutiny, the app had been freely used in the wild by the company’s investors, clients and friends.

Those with Clearview logins used facial recognition at parties, on dates and at business gatherings, giving demonstrations of its power for fun or using it to identify people whose names they didn’t know or couldn’t recall.

Any one of these stories would, in isolation, be worrying. But seeing all three together — particularly with the context of the things I’ve linked to about Clearview over the past several weeks — shines a light on a distressing nascent industry. I strongly suspect that there are other companies exactly like Clearview that are taking steps to avoid exposure.

This industry simply should not exist.

Reading Newsletters With Feedbin

Federico Viticci:

The problem: despite automatic filing of newsletters performed by SaneBox into a folder called ‘SaneNews’ in my Gmail account, I realized that I don’t really like reading newsletters in an email client. I don’t like spending time in an email client these days, period. For professional reasons, I receive a lot of email on a daily basis, so I find it hard to concentrate and read a longform newsletter in an app that is filled to the brim with messages and not exactly built around focused reading.

As I was thinking about ways to improve this (I considered using a second email app just for newsletters, for instance), I remembered that Feedbin, my RSS service of choice, offers the ability to give you a unique email address you can send newsletters to. Emails sent to your personal Feedbin email address will end up in the service’s queue alongside your other regular RSS subscriptions, and you can then choose to file the “source” behind a newsletter however you see fit – for example, by creating a folder in Feedbin called ‘Newsletters’. Feedbin has more details on this functionality here. Given how I’ve been trying to consolidate all my reading into Reeder by way of the app’s support for RSS and a read-later account, I thought it’d be interesting to try throwing newsletters at it as well.

I subscribed to Feedbin last month for a few reasons, but being able to receive email newsletters as, effectively, news feeds has been a wonderful thing. I know it’s only March, but this may be the best decision I make all year.

Viticci uses Reeder, but I’ve been using the new version of NetNewsWire on everything I own and I cannot recommend it enough.

Apple Formally Begins Permitting Ads in Push Notifications

Orion Rummler, Axios:

Apps on Apple products can now send push notifications for ads and promotions as long as customers explicitly opt in to get those alerts, according to the company’s updated App Store guidelines.

Ads delivered by push notifications were once verboten, but some developers ignored that rule and Apple didn’t police it. The company softened its stance a few years ago by updating the text of section 4.5.4 to read (emphasis mine):

Push Notifications must not be required for the app to function, and should not be used for advertising, promotions, or direct marketing purposes or to send sensitive personal or confidential information. Abuse of these services may result in revocation of your privileges.

So, while Apple would not reject or pull an app if it uses the push notification system to send ads, it was frowned upon. But now, this same section reads:

Push Notifications must not be required for the app to function, and should not be used to send sensitive personal or confidential information. Push Notifications should not be used for promotions or direct marketing purposes unless customers have explicitly opted in to receive them via consent language displayed in your app’s UI, and you provide a method in your app for a user to opt out from receiving such messages. Abuse of these services may result in revocation of your privileges.

Realistically, Apple is simply giving in to what many developers already do. It sucks; I wish this section became more strict, not less so.

The rules are ambiguous about whether users must be able to opt out of push notification ads without entirely disabling notifications for an app. While there is the ability for developers to set some notifications as critical, this feature is designed for emergency apps and requires a special entitlement. iOS does not make it easy for developers to separate notification types otherwise, which means that every developer is going to have to build a way to categorize notifications — or, more likely, users will simply have to switch off notifications for an app to disable advertising.

Notably, there is also no requirement that push notification ads be a promotion for the app or its features. It seems perfectly legal under these rules for unscrupulous developers to sell push notification ad slots to third parties. Gross.

There’s good news in this update to the guidelines, too. Mike Peterson, Apple Insider:

The company has also implemented a blanket ban on apps used to commit or attempt to commit crimes by evading police. Previously, it only barred apps that tracked DUI checkpoints.

[…]

There’s also an entirely new section dedicated to App Store reviews. In it, Apple instructs developers to “treat customers with respect when responding” to comments. The same section bans custom review prompts, requiring developers to use Apple’s official review API.

It’s probably because those custom review prompts are irritating and it’s impossible to opt out of them.

Sounds familiar.

Update: Stuart Breckenridge points out that it isn’t technically difficult for a developer to create multiple notification types. Twitter clients, for example, often allow you to decide whether you want to see notifications about mentions, new followers, messages, and so forth — all independently of each other. So why don’t many developers allow more granular control in more of their apps? I suspect the kinds of apps that will take advantage of this rule change won’t create a separate category for advertising — if you want to know when your food delivery will arrive, you will also put up with promo code notifications and enticements to use the app.

I would love if App Review became simultaneously more consistent and more careful. Apps should be meeting a higher bar for quality; the App Store needs less junk, not more.

Also, I wasn’t thinking when I wrote that the ban on apps that help users evade law enforcement was a good thing. For one, it formalizes the rule used to ban the HKMap Live app last year; for another, it’s subject to extraordinarily broad interpretation. However, when I went to check this out in section 1.4.4, Apple appears to have reverted the language here to a previous version. Compare the live version to how it read previously.

A Profile of the People Resurrecting Old iPods

Melanie Ehrenkranz, writing for OneZero:

Apple may have discontinued the last of the click-wheel iPods years ago, but Pichi is part of a growing community of tinkerers giving the devices new life. It’s not just for nostalgia (though that’s part of it): iPod modders say they earnestly view the devices, with a few modern tweaks, as a superior way to listen to music. That this elite audio quality is packaged in a device that is also dear to their heart makes it even better.

The more popular modifications are relatively simple: updates like adding more storage or battery life, or installing firmware that allows for customization of the user interface or downloading games outside of Apple’s ecosystem. Few iPod modders are injecting the music players with wild features or stark new aesthetics.

A well-known modification for the past fifteen years or so has been to swap the iPod’s hard drive for a Compact Flash card. After I got my 60 GB fifth-generation iPod, I thought I’d give it a shot with the iPod Mini it replaced. The Mini was aluminum, except for the glued-on plastic caps on the top and bottom planes. When I tried to pry one of those caps off to get at the logic board, I immediately snapped it — and that was the end of my iPod modding hobby.

I approve of the efforts of Pichi to keep these things alive.

Google Begins Rolling Out a Software-Based Clone of 3D Touch to Pixel Devices

Dieter Bohn, the Verge:

But there was one line on Google’s support page for the update that caught my eye (emphasis mine): “In addition to long press, you can now firmly press to get more help from your apps more quickly.”

[…]

Tap your screen right now, and think about how much of your fingertip is getting registered by the capacitive sensors. Then press hard and note how your finger smushes down on the screen — more gets registered. The machine learning comes in because Google needs to model thousands of finger sizes and shapes and it also measures how much changes over a short period of time to determine how hard you’re pressing. The rate of smush, if you will.

I have no idea if Google’s machine-learning smush detection algorithms are as precise as 3D Touch on the iPhone, but since they’re just being used for faster detection of long presses I guess it doesn’t matter too much yet. Someday, though, maybe the Pixel could start doing things that the iPhone used to be able to do.

As of last year, the hardware-based version of 3D Touch no longer exists; new iPhones do not have the component that registers touch pressure, and iPads never did. It’s kind of interesting that Google decided that now was an ideal time to replicate in software the ability to detect pressure — something which, as far as I can figure out, iOS does not do. I do not believe features like the context menu measure anything other than how long a finger has been touching the screen; I don’t think there’s a smush algorithm in iOS.

Adios, MacSurfer

From the message posted to the MacSurfer homepage:

Dear MHN Readers:

Not seeing a viable future with subscriptions, MacSurfer and TechNN will cease operations effective immediately. Please allow a few weeks to process forthcoming refunds. If need be, subscription inquiries can be addressed to the Publisher at the bottom of the Homepage.

Thanks kindly for your support, and thanks for the memories…

MacSurfer’s Headline News Team

Dan Moren, Six Colors:

I don’t remember how I started reading MacSurfer — I’m sure Jason or one of my other Macworld colleagues mentioned them to me as a place to check in my earliest days of blogging at MacUser. For many years, they were an invaluable resource, a manageable way to quickly see what was going on in the Apple world without having to subscribe to hundreds of sites and spend literally all of your time trawling headlines.

But as social media and podcasting grew in popularity and RSS and “visiting actual websites” ebbed, MacSurfer struggled to adjust. They attempted a subscription plan, as the above note mentions, but it seemed like it never really caught on. I still loaded up MacSurfer once or twice a week, especially when digging for a topic for my weekly column, but the coverage had gotten much sparser.

Being slow to change with the times may have been MacSurfer’s downfall, to some extent, but I love how stubbornly it stuck by its formula, even refusing to give up its <table>-based layout. I’ll miss it.

Cable TV’s Dumbest Habits Will Make the Leap to Streaming

Karl Bode, Techdirt:

In many ways, the streaming TV revolution is finally delivering many of the things that consumers had been begging for for years — more flexibility, better customer service, and cheaper overall packages. Thanks to increased competition, streaming is finally forcing the sector to adapt and actually listen to customers. At least for now, when a flood of competitors are jockeying for market share.

At the same time, many of the same annoyances that have frustrated consumers for years will also be making the jump to streaming, including a steady parade of price hikes with little in the way of notable improvements for your purchasing dollar. Annoying “retrans disputes” — where a broadcaster and cable TV provider will bicker over programming and black out user content (without refunds) in the process — have also come along for the ride. That’s before you get to ISPs abusing their monopoly power over broadband to disadvantage competitors, the whole reason for the entire net neutrality fracas.

As soon as cable TV providers figured out that they, too, could put a bunch of video files in an Amazon S3 bucket, streaming services stopped seeming like the future of entertainment and instantly became just a mild adaptation of legacy providers’ existing models. Even cost-wise, I’m not sure streaming services really are that much cheaper. It depends on where you live, but in Canada, you’ll have to stitch together offerings from half a dozen subscription services to get a selection similar to a typical cable TV bundle, and it works out to a similar price. At least you can choose to a more granular degree what you want to pay for.

Facebook Announces New Messenger App, Discovers That Not Rebuilding System Frameworks Makes Apps Simpler

Facebook Engineering:

We started with the premise that Messenger needed to be a simple, lightweight utility. Some apps are immersive (video streaming, gaming); people spend hours using them. Those apps take up a lot of storage space, battery time, etc., and the trade-off makes sense. But messages are just tiny snippets of text that take less than a second to send. Fundamentally, a messaging app should be one of the smallest, lightest-weight apps on your phone. With that principle in mind, we began looking at the right way to make our iOS app significantly smaller.

[…]

In the end, we reduced core Messenger code by 84 percent, from more than 1.7M lines to 360,000. We accomplished this by rebuilding our features to fit a simplified architecture and design. While we kept most of the features, we will continue to introduce more features over time. Fewer lines of code makes the app lighter and faster, and a streamlined code base means engineers can innovate more quickly.

I mean, it’s great that Messenger isn’t gigantic any more, but anyone could — and did — point out that rebuilding system features is terribly inefficient. Kudos; but, also, duh.

David Heinemeier Hansson:

Did Facebook just kill off React Native? Either way, it’s funny that I actually agree. We write all our hybrid shells with the native platform tooling (and then fill them with server-rendered HTML using Turbolinks!). Full control to level up UI to native.

Josh Constine, TechCrunch:

Chat bots were central to Facebook Messenger’s strategy three years ago. Now they’re being hidden from view in the app along with games and businesses. Facebook Messenger is now removing the Discover tab as it focuses on speed and simplicity instead of broad utility like China’s WeChat.

I cannot find a clear answer confirming whether Messenger was at all written in React Native. But, just a few years ago, both React Native and Messenger Bots were being pushed hard by Facebook. Now, it seems like the company is being more circumspect in its tacit acknowledgement that neither is so wonderful. Neither is dead, however.

Vox Media’s Video, Audio, and Motion Graphic Professionals Review the New Mac Pro

Nilay Patel, the Verge:

At the same time, the Mac Pro is not a single product. There are no stock configurations aside from the it-has-to-start-somewhere $5,999 base setup, and the machines won’t be sold in the company’s retail stores. Apple’s expectation is that customers will configure almost every Mac Pro to order, all the way up to a top spec with a 28-core Intel Xeon W processor and two AMD Radeon Pro Vega II Duo GPUs that hovers near $54,000. Simply figuring out which Mac Pro to review in a way that reveals something interesting has been a process.

Making things more complicated, while Apple did provide Mac Pro units to a few excellent YouTubers who use Final Cut Pro, it has not offered any traditional review units to the press, citing the above-mentioned difficulties in picking a representative spec sheet. So we ended up buying our own Mac Pro. (Apple did seed reviewers with the Pro Display XDR, which we also reviewed; you can find that here.)

So to get this right, we needed to find a configuration that is broadly representative of what pro users might actually buy, allows us to investigate Apple’s performance claims, and hopefully reveals something interesting about what pro users might experience if they upgrade to this machine. And we needed to do all of this knowing that we wouldn’t just send this machine back when the review was done, like we do with every standard review unit. This one was going to be ours to keep.

Happily, we have a bit of an advantage: The Verge is part of Vox Media, a company full of media professionals who use a huge variety of software to work on everything from Netflix shows to print magazine design. And of course, The Verge’s own art and video teams make illustrations and motion graphics for our site and YouTube all day long. So we called in a few friends, let everyone use the Mac Pro and Pro Display XDR to work on their various projects, and had them report back.

I thought this was a good review of how the new Mac Pro works by dropping it into an existing environment. Vox staffers seemed a little underwhelmed by its performance at this time, but that’s mainly because their Adobe Creative Cloud apps have not yet been updated to take advantage of the Mac Pro’s power, and partly because the Afterburner card currently only works with ProRes video files.

The hardware is, as Patel says, just one piece of a much more complex professional workflow. But the fact that this piece even exists — especially with its level of care and attention to detail — is remarkable in its own right.

Google’s Flaky Reputation Is Impacting Development for Its Stadia Gaming Platform

Ben Gilbert, Business Insider, after explaining that some developers felt like there isn’t enough financial incentive to port their game to Google Stadia:

But Stadia doesn’t have a large audience to reach — at least not yet — so Google must create that incentive for developers. And the people we spoke with said, outside of money, there wasn’t much reason to put their games on Stadia.

“If you could see yourself getting into a long term relationship with Google?” one developer said. “But with Google’s history, I don’t even know if they’re working on Stadia in a year. That wouldn’t be something crazy that Google does. It’s within their track record.”

This concern — that Google might just give up on Stadia at some point and kill the service, as it has done with so many other services over the years — was repeatedly brought up, unprompted, by every person we spoke with for this piece.

Why would any developer see a viable partnership with a company that introduces and kills products at Google’s rate?

James Lipton Dies Aged 93

I was not the best student in college; I semi-frequently pulled all-nighters to finish projects and papers that I should have started much, much sooner. At around 3:00 in the morning, and with several cups of coffee in my system, I’d start to feel like I was vibrating from the inside, so I would take a break and fire up an episode of Inside the Actors Studio. There is something superhuman about James Lipton’s calming voice as he interviewed someone in a way I have never heard elsewhere. I think everyone who watched that series had their own answers to his infamous survey — I know I did.

$500 Million Settlement Proposed in Class Action Suit Over iPhone CPU Throttling

Julie Steinberg, Bloomberg Law:

A proposed class settlement calling for Apple Inc. to pay up to $500 million to resolve allegations it throttled the battery performance of older iPhones should get tentative approval, plaintiffs told a federal trial court in California.

Apple agreed to pay at least $310 million, up to a maximum settlement of $500 million, with plaintiffs calling it “an excellent recovery,” according to Feb. 28 court filings.

This follows a €25 million fine issued last month by France’s competition bureau. In that case, at least, lawyers weren’t skimming 30% off the top and pocketing nearly $100 million.

Five Year Flop

Mark Wilson of Fast Company does not like the Apple Watch. You can see his many, many screeds about how awful he thinks it is if you just search the web for "mark wilson" "apple watch" site:fastcompany.com; it is not a delightful series. He probably never will like the Watch, and that’s fine.

But there is a big difference between disliking something and calling it a failure. I am not one of the Watch’s biggest fans, but even I know better than to call it a dud. Last year, Apple sold an estimated thirty million of the things and, in recent years, dozens of reports have credited the ECG feature with saving lives. Even a more cynical person would, I think, find it hard not to give it credit for that.

However, on this day five years ago, Wilson made a prediction:

Few analysts or writers will outright say it, but I will: the Apple Watch is going to flop. And I bet a lot of other people are thinking the same thing for many good reasons.

Wilson runs through a whole list of reasons the Apple Watch would fail, all of which were reactions to the first-generation product which, as of his writing, was nearly two months away from its release. It is fair that he could only consider the Watch by what he was presented with. But Wilson’s myopia reveals itself when he writes that it would be indistinguishable “from any other fitness band on the market”, and that Apple Pay was also going to flop, so the only thing the Watch would actually be able to do was show notifications. Even at its debut, it was hailed as helping people walk more; closing the activity rings became something to do every day. And, five years on, it clearly does more than the limited scope of tasks Wilson imagined. “Jony Ive’s Newton” it is not.

A Look at YouTube’s Recommendations of Conspiracy Theories, One Year After the Platform Vowed More Aggressive Action

Jack Nicas, New York Times:

For years it has been a highly effective megaphone for conspiracy theorists, and YouTube, owned and run by Google, has admitted as much. In January 2019, YouTube said it would limit the spread of videos “that could misinform users in harmful ways.”

One year later, YouTube recommends conspiracy theories far less than before. But its progress has been uneven and it continues to advance certain types of fabrications, according to a new study from researchers at University of California, Berkeley.

YouTube’s efforts to curb conspiracy theories pose a major test of Silicon Valley’s ability to combat misinformation, particularly ahead of this year’s elections. The study, which examined eight million recommendations over 15 months, provides one of the clearest pictures yet of that fight, and the mixed findings show how challenging the issue remains for tech companies like Google, Facebook and Twitter.

This is impressive, but the limitations of YouTube’s strategy are revealing:

One video, a Fox News clip titled “The truth about global warming,” which was recommended 15,240 times in the study, illustrates YouTube’s challenge in fighting misinformation. YouTube has said it has tried to steer people to better information by relying more on mainstream channels, but sometimes those channels post discredited views. And some videos are not always clear-cut conspiracy theories.

Fact-checking this video is not YouTube’s responsibility, but whether it should appear in recommendations is entirely its purview. Does YouTube want to be known as the frame around users’ descent into an alternate universe of disinformation and miseducation?

The company faces similar problems outside of the world of conspiracy mongering. There are loads of life-hack compilation channels on the site pushing videos that reach millions of people. But many of them are peddling information that is not just wrong — it’s dangerous. Chris Fox of the BBC recently interviewed Ann Reardon of the How to Cook That YouTube channel. In addition to showing viewers how to cook and bake, she also tests many of these tip compilations.

One of the videos advised teens to put milk in cola, for some reason, and to create white strawberries by bleaching red ones in actual bleach. The tips video is still online, but, based on its comments, it appears that the video file has been replaced with one that does not feature the strawberry bleaching trick. According to Reardon, when people tried reporting the bleached strawberry video, YouTube found that it did not violate any of its rules. Another video shows viewers how to make a delicate caramel bird’s nest garnish by drizzling hot molten sugar into a spinning motorized beater. Reardon tried this and, predictably, found that it would be a terrific way to get seriously burned. The original video remains on YouTube.

Google Earth Now Supported in Edge, Firefox, and Opera

Tom Warren, the Verge:

Google is opening up its web-based version of Earth to browsers like Firefox, Edge, and Opera today. The search giant originally launched Google Earth on the web back in 2017, and axed its desktop apps at the same time. Google says “we are big supporters of open web standards,” but Earth launched on the web with Chrome-only Native Client (NaCl) technology as there wasn’t a standard available to support what it wanted to do. This resulted in Earth becoming one of the first of many Chrome-only sites from Google.

[…]

“We still have some work to do,” notes the Google Earth team in a blog post. “Namely polishing our experience across all these browsers and adding support for Safari.” Google revealed last year that Earth would support Safari once Apple adds “better support for WebGL2” in the browser.

For what it’s worth, I changed my Safari user agent and Google Earth ran fine, for the most part. I didn’t notice any broken features or bugs, but I also did not test it thoroughly. It started to run a little slow when I turned on animated clouds; Chrome did not exhibit the same lag. Safari also ran Google Earth with less RAM and far lower CPU consumption than Chrome, though I’m not sure if some private API jiggery-pokery explains that.

By the way, the blog post announcing this change was posted to Medium. Why? Is the Google Earth team aware that they have a blog on Google’s own top-level domain, or that the company still run a blogging platform?

Five Years After Setting a $70,000 Minimum Salary, a Look at Its Effects on Gravity Payments’ Employees

Five years ago, Dan Price, the CEO of Gravity Payments, announced to media fanfare that he would be setting a minimum employee wage of $70,000. He cut his own salary to match.

Stephanie Hegarty of the BBC followed up with Price on the effects of his decision:

“Before the $70,000 minimum wage, we were having between zero and two babies born per year amongst the team,” he says.

“And since the announcement – and it’s been only about four-and-a-half years – we’ve had more than 40 babies.”

More than 10% of the company have been able to buy their own home, in one of the US’s most expensive cities for renters. Before the figure was less than 1%.

Hegarty also reports that employees have contributed far more to their pensions, the working environment has improved for staff across levels of seniority, and the company has hired more people.

“You’re not thinking I have to go to work because I have to make money,” Rosita Barlow agrees. “Now it’s become focused on ‘How do I do good work?'”

There are ways in which Price’s story is far more complicated than the glowing press he frequently receives, and I do not think that should be ignored. But it does not invalidate the goodness that has resulted from paying employees a solid living wage.

I know a lot of the things that I write about here are bleak and miserable. I see my role as being a useful element of friction between the vast universe of news and the things I think are important, and a fair chunk of what’s important right now is not particularly positive. But I thought this was a heartwarming story that, hopefully, assuages the times I pointed out that the FCC are cowards and that iOS is aggressively self-promotional.

Apple Suspends Clearview’s Enterprise Distribution Certificate

Logan McDonald, Ryan Mac, and Caroline Haskins, Buzzfeed News:

In distributing its app for Apple devices, Clearview, which BuzzFeed News reported earlier this week has been used by more than 2,200 public and private entities including Immigration and Customs Enforcement (ICE), the FBI, Macy’s, Walmart, and the NBA, has been sidestepping the Apple App Store, encouraging those who want to use the software to download its app through a program reserved exclusively for developers. In response to an inquiry from BuzzFeed News, Apple investigated and suspended the developer account associated with Clearview, effectively preventing the iOS app from operating.

An Apple spokesperson told BuzzFeed News that the Apple Developer Enterprise Program should only be used to distribute apps within a company. Companies that violate that rule, the spokesperson said, are subject to revocation of their accounts. Clearview has 14 days to respond to Apple.

Zack Whittaker, TechCrunch:

TechCrunch found Clearview AI’s iPhone app on a public Amazon S3 storage bucket on Thursday, despite a warning on the page that the app is “not to be shared with the public.”

The page asks users to “open this page on your iPhone” to install and approve the company’s enterprise certificate, allowing the app to run.

But this, according to Apple’s policies, is prohibited if the app’s users are outside of Clearview AI’s organization.

Dell Cameron, Dhruv Mehrotra, and Shoshana Wodinsky of Gizmodo found the Android version of the app yesterday as well. They were unable to log in, but observed connections being opened to third-party app analytics providers:

Clearview CEO Hoan Ton-That said in an email to Gizmodo that the companion app is a prototype and “is not an active product.” RealWear, another company, which makes “a powerful, fully-rugged, voice operated Android computer” that is “worn on the head,” is also mentioned in the app, though it’s not immediately clear what for.

The app also contains a script created by Google for scanning barcodes in connection with drivers licenses. (The file is named “Barcode$DriverLicense.smali”) Asked about the feature, Ton-That responded: “It doesn’t scan drivers licenses.” Gizmodo also inquired about the app’s so-called “private search mode” but did not get a response.

The company frequently demurs when asked difficult but legitimate questions, and its clients deny all knowledge before recanting upon evidence being presented. Everything about Clearview is skeevy and it should not exist. I propose that everything it has ever created be sunk into the ocean.

FCC Announces Hilariously Inadequate Penalties Against Cell Companies for Allowing Third Parties Access to the Real-Time Location of Subscribers

The FCC, in a news release:

The Federal Communications Commission today proposed fines against the nation’s four largest wireless carriers for apparently selling access to their customers’ location information without taking reasonable measures to protect against unauthorized access to that information. As a result, T-Mobile faces a proposed fine of more than $91 million; AT&T faces a proposed fine of more than $57 million; Verizon faces a proposed fine of more than $48 million; and Sprint faces a proposed fine of more than $12 million. The FCC also admonished these carriers for apparently disclosing their customers’ location information, without their authorization, to a third party.

[…]

“American consumers take their wireless phones with them wherever they go. And information about a wireless customer’s location is highly personal and sensitive. The FCC has long had clear rules on the books requiring all phone companies to protect their customers’ personal information. And since 2007, these companies have been on notice that they must take reasonable precautions to safeguard this data and that the FCC will take strong enforcement action if they don’t. Today, we do just that,” said FCC Chairman Ajit Pai. “This FCC will not tolerate phone companies putting Americans’ privacy at risk.”

According to Pai, carriers have been encouraged to be extremely cautious of location data for thirteen years, yet they continued to sell third parties access to subscribers’ personal information including their real-time location.

In 2019, T-Mobile earned $34 billion in revenue, and will pay a $91 million fine for this egregious and obvious privacy violation. In 2018, the latest year for which information is available, the median household income in the U.S. was around $63,000. In scaled terms, that’s a fine of $168 and change. In 2019, AT&T earned $181 billion; their $57 million fine, when scaled to household income, would be about $20.

I’m sure they’ve learned their lesson.

Buzzfeed News Obtains Clearview AI’s Client List

About a week ago, Hoan Ton-That, the CEO of Clearview AI — the creepy facial recognition company that the New York Times revealed in January and which has a database filled with photos posted to social media — claimed in an interview on Fox Business that his company’s technology was “strictly for law enforcement to do investigations”. That has been revealed to be a lie after Buzzfeed News acquired a leaked copy of Clearview’s client list.

Ryan Mac, Caroline Haskins, and Logan McDonald:

The internal documents, which were uncovered by a source who declined to be named for fear of retribution from the company or the government agencies named in them, detail just how far Clearview has been able to distribute its technology, providing it to people everywhere, from college security departments to attorneys general offices, and in countries from Australia to Saudi Arabia. BuzzFeed News authenticated the logs, which list about 2,900 institutions and include details such as the number of log-ins, the number of searches, and the date of the last search. Some organizations did not have log-ins or did not run searches, according to the documents, and BuzzFeed News is only disclosing the entities that have established at least one account and performed at least one search.

[…]

“This is completely crazy,” Clare Garvie, a senior associate at the Center on Privacy and Technology at Georgetown Law School, told BuzzFeed News. “Here’s why it’s concerning to me: There is no clear line between who is permitted access to this incredibly powerful and incredibly risky tool and who doesn’t have access. There is not a clear line between law enforcement and non-law enforcement.”

Ryan Mac on Twitter:

Reporting this story was surreal. Numerous organizations initially denied that they had ever used Clearview. We then followed up, and those same orgs later found that employees had signed up and used the software without approval from higher ups. This happened multiple times.

A lack of general privacy principles written into law makes it possible for Clearview to indiscriminately sell its highly accurate facial recognition software with little oversight. That is extremely concerning. It should not be so trivial to reduce the overall expectation of privacy to zero for a company’s profits.

Update: Allana Smith, Calgary Herald:

The Calgary Police Service has confirmed two of its officers tested controversial facial-recognition software made by Clearview AI, Postmedia has learned.

While the police service doesn’t use Clearview AI in any capacity, it said two of its members had tested the technology to see if it was worthwhile for potential investigative use.

[…]

Both the Calgary Police Service and the Edmonton Police Service had denied use of the software earlier this month, but both have since come forward with reports that several of their officers had tested the Clearview AI software.

As Mac pointed out, there’s a curious pattern to these responses: agencies that vehemently denied using Clearview are now turning around and admitting that they have, at least in some capacity.

About That Squiggle

I am not good at writing meta-type posts about this website. I worry that it comes across as unnecessarily self-promotional — you’re already reading, so why would I advertise myself to you? So, please bear with me for a couple of paragraphs.

I designed this iteration of Pixel Envy something like eight years ago. At the time, I didn’t have a proper logo and didn’t want to spend the time to design one, so I just wrote “PIXEL ENVY” into the header and called it a day. In retrospect, it’s probably a good thing that its launch did not depend on the completion of a logo because I am my own worst design client.

At any rate, there is now a proper logo in the upper left. You may have seen it if you’ve visited this week or your RSS reader has recently dumped its cache. Creating a logo isn’t just a box I had to tick; it was often difficult for me to figure out what I should use for things like social media icons. Alas, I now have something I’m pretty happy with, and I hope you like it too — or, at least, that it’s inoffensive enough that it doesn’t detract.

If you click the link for this post, you’ll see the embarrassingly Design School 101 explanation for what the logo means. At least it’s not that Pepsi rebrand.

The Embarrassing State of 5G

Dieter Bohn of the Verge reviewed the new Samsung Galaxy S20 Ultra, a product name which I would mock except its main competitor is the Apple iPhone 11 Pro Max and I can’t decide which superlative-laden branding is worse. Bohn is generally positive throughout the review, but this part caught my attention:

I tested two networks in New York City: T-Mobile and Verizon. As of this writing, AT&T 5G should work on the S20 Ultra but has not yet been officially certified. The S20 Ultra did its end of the job with 5G, happily downloading bits as quickly as the network was able to deliver them.

On T-Mobile, I saw 5G speeds that ranged from barely better than LTE all the way up to 120 Mbps, which is quite fast. On Verizon, once, I found a street corner with 5G (no easy feat), and I got download speeds between 800 and 1,400 Mbps, which is stupid fast. However, I could also walk 50 feet, and the 5G signal would drop. Or I could just turn around and put my body between the phone and the cell tower to slow down the signal. I could even simply stand in one spot and wait, and 5G would occasionally drop.

That’s the state of 5G right now. It hasn’t lived up to the outsized promises that have been made about it for the past couple of years. It may someday, but the buildout is going to take much longer than we’ve been led to think.

Pundits have been claiming for years, even just last week, how critical it is for Apple to ship a 5G iPhone sooner rather than later, but reviews like these make clear that 5G simply isn’t ready for mass adoption yet. This is not a knock against Samsung — while its strategy of being first at all costs doesn’t appeal to me, it’s something that many people like and I get that. But it is foolish to claim that it is imperative that new smartphones are 5G capable, and particularly the iPhone, lest any of them fall behind in a race that doesn’t exist.

Between 2015 and 2019, the NSA’s Domestic Phone and Text Monitoring Program Produced Exactly One Usable Lead

Charlie Savage, New York Times:

A National Security Agency system that analyzed logs of Americans’ domestic phone calls and text messages cost $100 million from 2015 to 2019, but yielded only a single significant investigation, according to a newly declassified study.

Moreover, only twice during that four-year period did the program generate unique information that the F.B.I. did not already possess, said the study, which was produced by the Privacy and Civil Liberties Oversight Board and briefed to Congress on Tuesday.

“Based on one report, F.B.I. vetted an individual, but, after vetting, determined that no further action was warranted,” the report said. “The second report provided unique information about a telephone number, previously known to U.S. authorities, which led to the opening of a foreign intelligence investigation.”

The surveillance program responsible for expending an average of $50 million per lead — only one of which was useful — was created through the passage of the stupidly named USA FREEDOM Act. That act was passed after Edward Snowden leaked a trove of documents exposing the NSA’s then-secret surveillance programs affecting basically everyone around the world. It is unlikely that such a bill would have been possible without Snowden’s disclosures.

At any rate, the Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline Over Monitoring Act of 2015 expires in a couple of weeks, and it’s worth asking if it makes sense to reauthorize programs like these. It’s also something to keep in mind as U.S. Attorney General Bill Barr fantasizes about other ways to ruin privacy worldwide.

Why TV?

If the Apple rumour mill could somehow be harnessed to generate power, I believe our climate crisis would be solved. Alas, it is only a source of curiosity before a product announcement and, afterwards, a quickly forgotten trash heap of mixed truths and spurious guesses. But it is sometimes instructive to look back on those rumours.

You probably recall all of the times Gene Munster asked about a full Apple television on one of its quarterly conference calls. You may even remember all those rumours about an “iPod Phone”. But do you remember all the speculation that Apple would launch a streaming video service, a la Netflix and Hulu? I found articles to that effect from 2016, two from 2015, a 2014 rumour, one from 2012 — all the way back to a 2009 All Things D article which said that the company was pitching a $30 per month streaming TV service for a 2010 launch.

That, to say the least, did not happen.

The reality was far more sedate. In 2010, Apple released a rental-based set-top box that streamed movies and episodes of TV shows from iTunes rather than storing them in a local library. In 2015, it released a new set-top box that relied upon apps and used Siri to search titles from multiple sources. In 2017, it released its first attempts at original programming with Planet of the Apps, for which the crowd went mild, and acquired the Carpool Karaoke series. It also bought the rights to what would become the Morning Show.

Which brings us to last year, when the company introduced Apple TV Plus. And, a year later, I still do not understand why it exists — at least, not in this guise.

This isn’t about the shows, but the service itself. Compared to its competitors, it is unique, though probably not in the way Apple might have intended, as it is just about the only streaming service that does not have a collection of library titles in addition to its original material. YouTube Premium is possibly the only other big-name streaming service to lack a library of older shows, but it has other benefits like removing ads from YouTube and unlocking an entire music streaming service. Apple TV Plus is just, like, a $5 per month subscription that gives you access to a collection of about a dozen own-brand shows, with more being added at a steady clip.

It also seems like Apple TV Plus is off to a particularly rocky start. Alison Herman of the Ringer:

In the months since, Apple has undergone a dizzying sequence of ups and downs. The ups include Little America, a charming anthology about real-life immigrants, and Visible: Out on Television, a stirring new docuseries about the history of LGBTQ representation in TV. The downs include, well, everything listed below. Apple TV+ was always bound to be a fraught enterprise, bringing a computer manufacturer into an industry outside its core skill set and awash with other well-funded bids for viewers’ attention. Its history to date has borne that difficulty out, culminating in the recently reported suspension of sprawling page-to-screen project Shantaram. This is a guide to Apple’s bumps in the road, which began well before TV+ actually made it to our living rooms.

An October 2019 story from Lesley Goldberg and Natalie Jarvey in the Hollywood Reporter paints a more complex picture about whether the behind-the-scenes difficulties of Apple’s streaming service are normal for a new entrant. But that doesn’t erase Herman’s catalogue of everything that has gone wrong so far for its handful of productions, which seems to comprise an overwhelming blend of bad luck and early business chaos.

Don’t get me wrong — I know there are lots of people who like the shows Apple has produced so far. I’m not bashing what has been released. I’m just saying that this does not seem like the service Apple had intended to launch. This is entirely speculative, but I believe those initial rumours were correct: a huge library of video from major studios, available on demand for a monthly fee, strikes me as a more straightforward, understandable, and comprehensive service offer. In short, it is more Apple-y.

So why is it not what Apple ended up shipping? Well, while Apple was attempting to lock up streaming deals with major studios — between, say, the earliest rumour of this in 2009 and 2017, when Apple released its first slate of original material — those studios were busy being acquired by ISPs, and launching their own streaming services. All of them have their own rosters of big-name library titles, all have familiar names like Disney and HBO, and the vast majority have technical infrastructure because they’re owned by ISPs. So why would they have any reason to give Apple a cut of their revenue? Without those distribution deals, the only choice Apple has left for its own entry into streaming video is to set up a studio and outbid others for media it can call its own.

I am certainly not calling this strategy a failure. That would be stupid: it is in its earliest days, some of Apple’s shows have critical buzz, and there’s so much potential for an internal studio. But there is unique risk in attaching a provocative entertainment arm to the body of a consumer goods company — one of those, of course, is Apple’s relationship with China. Hollywood studios are choosing to censor films to have a shot at the lucrative Chinese market. But they, unlike Apple, don’t rely on factories in the country to produce the bulk of their revenue. It is not unreasonable to speculate that this is at least one of the reasons Apple is being particularly cautious about the portrayal of China in its original programming.

It’s also a particularly strange thing for Apple to get involved with. With its music endeavours, it invited artists to record NPR-style shows featuring compositions performed for the compilation interspersed with artist commentary. But it did not start a streaming service exclusively for those compilations and nothing else. That would have been very strange. It seems nearly as strange that its big splash into streaming video is basically being a premium cable channel.

Apple has a long list of projects that are in various stages of development, any of which it can support with high budgets and marketing to “a billion pockets, y’all”. They can brute force Apple TV Plus into existence as an efficient entertainment delivery product with a low monthly price tag. I don’t think that is out of the question, and I’m certainly not writing it off. But, for what it’s worth, I see more sense in taking a page from Amazon’s book and offering it as a component of an “Apple Prime” bundle, along with News Plus. Get users to pay some amount of money every year for plenty of iCloud storage, Apple Music, and Arcade, and they get a few media discovery services thrown in as nice-to-haves. Right now, I don’t think Apple TV Plus is all that compelling on its own. While it may become more enticing in the future, the other half of that sentence could more easily change: it doesn’t have to prove its unique worth if it is part of something that feels worthy as a package.

That takes care of the question of why someone might subscribe to Apple TV Plus. But I am still not convinced that the question of why Apple is making original programming has been answered. The best I can come up with is that Apple is simply doing what big, sprawling companies often do. There’s no use pretending that Apple is ever going back to selling a quadrant of computers and a handful of other products that would, in their entirety, fit on the surface of one desk. Apple is not weeks away from bankruptcy, like it was in the 1990s; it is now one of the biggest companies to have ever existed, and it’s acting more like one. It has the freedom to experiment with new categories and weird ideas. It has the HomePod, a two-year-old product which is either a home-wide assistant or just a really good speaker, depending on who you ask. It has an in-house editorial staff to help decide what stories should be highlighted in its News app. It is a credit card company and a watch company. Rumour is that it will soon also be selling eyeglasses and cars.

It seems that a perfectly acceptable response to the question of why Apple has become a broadcaster is “why not?”

Jason Kottke Celebrates Fifteen Years of Independent Writing

I’ve been reading Kottke.org for as long as I can remember, and it’s the spark that encouraged me to try my hand at something similar. It’s bittersweet to be reminded of how many other great weblogs it has outlived.

Jason Kottke:

Fast forward to the present day and this little website is still chugging along. In its almost 22 years of existence, kottke.org has never gotten big, but it’s also never gone away, predating & outlasting many excellent and dearly missed sites like Grantland, Rookie, The Toast, The Awl, Gawker, and hundreds of others. I have other people write for the site on occasion, but it’s still very much a one-person production by a reluctant influencer (*barf*) who, as an introvert, still (naively?) thinks about posts on the site as personal emails to individual readers rather than as some sort of broadcast. I’d like to thank those early supporters for having faith in me and in this site — you’re the reason we’re all still here, gathered around this little online campfire, swapping stories about the human condition.

Here’s to many more Kottke-filled years.

Few Artists Have Experimented in Notable Ways With the Unique Characteristics of Digital Music Distribution

Cherie Hu, Complex:

Streaming hypothetically throws this nightmare out the window. Artists no longer need to commit to manufacturing tens of thousands of physical records upfront and hope that they all sell. After all, in a streaming environment, songs and albums are fundamentally just a combination of 0s and 1s that algorithms analyze and spit out as sound, to fans who pay a monthly subscription for access. Not only is the concept of “inventory” irrelevant in this world of infinite shelf space, but the cost of experimentation and modification around artwork, track order, track content, and other features of digital releases also plunges dramatically as a result.

[Kanye West] was the first celebrity to take advantage of this new, fluid technological landscape with The Life of Pablo, which first came out on Valentine’s Day in 2016, but ultimately had multiple versions released to the public. The rapper first premiered a nine-track version of the album four years ago today (February 11, 2016) at his Madison Square Garden fashion show, then made a different, 18-track version available for sale briefly on Tidal with slightly modified lyrics—before taking it down and making a separate “partial version” available to stream as a Tidal exclusive. By the time TLOP was made available on Spotify, Apple Music, and other streaming services nearly two months later, there were yet more changes, most notably some new celebrity features on “Wolves” (which were leaked a few weeks prior anyway).

[…]

Yet, despite this media chatter and fan frenzy, virtually no artists have followed suit in creating a truly dynamic album with content updated over time on streaming platforms. Instead, it’s mostly the same old process as artists opt to release a static album, no modification needed or planned.

Digital music distribution has had a couple of major effects on the way music is listened to: the surprise album drop, something that was nearly impossible when hundreds of thousands of copies of a record needed to be shipped to stores; and increasingly lengthy albums, which are incentivized by the way streaming services calculate popularity and royalty payments.

But few artists seem to be exploiting the unique characteristics of the format in a deliberate way. West’s multi-version album is one; back in 2008, Nine Inch Nails’ “The Slip” featured different covers for each track. But I haven’t seen many other popular artists treat streaming and internet-purchased music as anything more than a slightly different way of obtaining a series of songs.

Charting Price and Performance in Apple’s Hardware Lineup

Speaking of price and performance, Jason Snell has compared those factors on a chart. Sure, Geekbench scores can’t precisely be compared across platforms, but I think this gives a good idea of just how good of a value some of Apple’s products are — the iPhone 11 and the iPad Pro fare well — and the products which are perhaps more money than their power would suggest, like the MacBook Air.

I would love to see a historical comparison of these factors.

A Milli

Joe Maring, Android Central:

I don’t know about you, but I’m growing a little tired of $1000 and up being the new norm for smartphone prices. Apple was the first company to break that threshold in 2017 with the iPhone X, and in the years following that, it’s quickly become something that we now have to expect.

If you want to be pedantic about it — and that is arguably what this globally-connected network of computers is all about — the iPhone X not only was not the first smartphone to get close to the thousand-dollar price tag, it was a dollar short of breaking that barrier in its base configuration.

I’ve mostly grown used to these increased costs as a result of writing about them almost every day, but there’s still part of me that’s annoyed with how much money these companies are asking us to spend these days.

Smartphones are valuable tools and are something a lot of us rely on to live our lives. There’s a valid argument to be made that buying a phone is an investment and a necessary purchase, but the prices being charged for high-end models are climbing at an alarming rate year after year.

I get where this feeling comes from, but I think it’s remarkable just how competitive the mid-range smartphone market has become. I was discussing this a couple of weeks ago in a Slack group and Josh Calvetti pointed out that the iPhone 11, for example, is $300 less than the iPhone 11 Pro, but you get the same processor, the same facial recognition, two of the three cameras, and a greater array of colour choices. Sure, you get a lower-resolution LCD display instead of an OLED, but I think many people would find it difficult to tell the difference.

Compare this to, say, ten years ago, when the flagship iPhone 4 came out — $599 for the base model, without a contract. The iPhone 11 is the second-tier model, and it used to be the case that the non-flagship iPhones were just carry-over devices from previous years in a baseline configuration. Indeed, the iPhone 3GS was available ten years ago in an 8 GB spec for $499. Yes, that’s $200 less than the iPhone 11, but it was the previous year’s phone, not a brand new device. If you want last year’s phone right now, it’s $599 for an iPhone XR and that’s still an entirely capable phone. It will certainly last longer than a 3GS did in 2010, and, ten years later, it’s just $100 more.

Maring points out that this is the case on the Android side, too: there are plenty of terrific smartphone models at similar price points to that which we’ve paid for years. It’s not so much that smartphone prices have, necessarily, gone up; it’s that a new higher-end segment has been added. It turns out that there’s a market for people who are comfortable with spending over a thousand dollars on cutting-edge technology.

Catalina’s Dialog Bureaucracy

A few weeks ago, shortly after completing a clean installation of Catalina on my MacBook Air, I had a funny idea: wouldn’t it be great to reinstall Lion, the operating system it shipped with, and see what it is like to use nearly ten years after it was released?

I haven’t touched a truly old version of MacOS in years, and certainly not one called “Mac OS X” in a very long time. For a start, installing an old version of MacOS in 2020 is more difficult than it sounds, especially if you don’t have a copy of the specific or newer version of the operating system that shipped with your Mac because you resolved to become slightly better about your data hoarding habits.

It becomes significantly easier after you recognize that you failed that resolution.

Installing Lion was refreshing — in part because there are far fewer steps in Setup Assistant. There are just eleven screens, the last of which informs users that Lion changes the direction the trackpad scrolls relative to the material onscreen. There’s an animation of this and, cleverly, Apple requires users to scroll to the bottom of a small text area to click the button that finishes the setup process. You may not start using Mac OS X Lion until you have learned how to scroll.

However, perhaps the most notable part of installing Lion was that it was ready to go immediately after completing the steps in Setup Assistant. The last screen appears and confirms that Lion is set up, then the desktop zooms in, and then you can use your computer right away. Sure, Spotlight will be indexing, so it will be slow for a while, but you can get started.

Catalina is different. Many steps have been added to Setup Assistant since Lion, including options to turn on location services, enable Siri, enable various iCloud features, and — for Macs with supported hardware — steps to enrol fingerprints for Touch ID and add credit cards for Apple Pay. Some screens have been removed (remember registering your Mac?) or consolidated (picking the user picture is now done when setting up the admin user account), but the process is still far more expansive than it used to be. I counted at least seventeen screens; some screens have been consolidated as an “express setup” option, and the Apple Pay and Touch ID features are not supported on my Mac.

And that’s just Setup Assistant. After you complete those steps and you see the Catalina desktop for the first time, you have more work ahead of you. Apps need permission to send you push notifications, permission to use your contacts, and permission to use your location. Even though you said you wanted to switch on Location Services and that it was okay for Maps to use your location, Maps will ask for your location the first time you run it. Calendar will ask to use your location immediately after setup finishes. The weather widget in Notification Centre will need to be granted location permission now and probably several times in the future. Notifications will appear that you will need to dismiss.

There’s more, too. If you download apps from a source outside of the Mac App Store, you’ll be asked if you really want to open the app upon its first launch. This has long been a feature of MacOS’ Gatekeeper security software, but Catalina requires apps to be notarized. If the app is not notarized, Catalina will tell you that the app “cannot be opened” and give you the options to cancel opening it or move it to the trash. This is a lie: you can open the app — any app — by visiting the Security & Privacy preference pane, clicking the “Open Anyway” button, and then bypassing another scary-looking warning dialog.

The way that Catalina determines whether an app is safe seems to depend on several factors, and they can collide in comical ways. While writing this piece, I wanted to install a fresh copy of Catalina on a new volume of my MacBook Air’s hard drive to verify the installation procedure above. However, I only had a copy of the installer on my iMac, so I AirDropped it to myself. When I went to run the made-and-signed-by-Apple package, originally downloaded from the Mac App Store, I was told that it could not be opened because it was potentially dangerous.

The path to this present reality more or less began with Lion. It was the first version of the system to be available through the Mac App Store, introduced in a late update to Snow Leopard, and, with it, came the “Allow Apps Downloaded From” section of the Security & Privacy preference pane. It originally contained three options:

  • Mac App Store

  • Mac App Store and Identified Developers

  • Anywhere

That last option has been hidden since MacOS Sierra. It’s still possible to open apps from anywhere, but MacOS now requires you to jump through hoops that weren’t there previously. And these hoops are ratcheted tighter with every recent version of MacOS. Catalina, in particular, is notable for the vast quantity and types of cautions that users are expected to handle.

Want to download a file from a website? Safari will get you to confirm that you actually want to download that file.

Explicitly typed a command in Terminal that accesses your desktop — even something as innocuous as ls ~/Desktop? You’ll have to confirm that you are, indeed, okay with Terminal’s desktop access.

Want to run ls ~/Downloads? You’ll have to okay access to that folder, too. There’s no way to say, in any of these dialogs, that you’re entirely okay with anything Terminal wants to do. You can, however, give Terminal full disk access in a different tab of the Security & Privacy preference pane.

Security & Privacy was one of those things in Preferences that you used to set and forget. It now seems as though it’s something you’re expected to open regularly if you are a technically inclined user.

These security prompts and confirmation dialogs also have the effect of offloading some of the responsibility for a secure environment to the user in a way that, I believe, is unfair. It’s irritating to more technically literate users because it adds work to everyday tasks. For them, it is a regression.

Less technical users, on the other hand, do not have the skillset to determine what is a security concern and what isn’t. It doesn’t help that some of Apple’s own apps, daemons, and background services have inscrutable process names and many of them need some form of permission or password to run. Nor is it helpful that the Gatekeeper warnings change in mysterious and undocumented ways. But, even if everything were perfectly labelled, a user with less technical background wouldn’t have an informed clue about what they should allow and what is genuinely dangerous.

Furthermore, we know that overloading users with permission prompts encourages them to click whatever button will allow them to move on with their task, which means that they are more likely to agree to something unintentionally. We also know that people exposed to alerts and alarms on a frequent basis learn to tune them out, even in cases where those alarms are extremely important, like in hospitals (PDF). The fire alarm in my apartment building has been mistakenly activated so frequently that it is more or less just background noise. I’ll probably burn to death one day. I’ll also probably mistakenly click an “okay” button and unleash some form of minor havoc on my computer because I am inundated with permission prompts.

It’s not just security-related permissions, either. When a MacOS app wants to show push notifications, it must ask the user for consent. It’s the same thing for location, use of the microphone, a Mac’s camera, and accessing contacts, calendars, reminders, and photos. And then there are APIs that allow apps to watch over keystrokes, control other apps, and control the computer. Individually, these permission requests aren’t dreadful, but they quickly accumulate.

I’ve seen various proposed solutions to this onslaught, often centred around the idea that MacOS now needs some sort of “pro mode” — a command line switch or something of the sort that allows an advanced user to disable much of the system’s nanny state policies. That’s not a bad idea, but I don’t think it fully acknowledges how bad this situation is.

Permission consent dialog boxes are a particularly ham-fisted approach towards privacy and security. They are a last-ditch effort; an over-reliance upon them in Windows Vista was famously parodied by Apple in a “Get a Mac” ad. At best, they are irritating. But, at their worst, they are an acknowledgement by the company that builds the platform that they have been defeated in a larger argument.

The reason there are so many privacy-centric requests is that there are basically no limits to the exploitation of personal data. If we had the confidence that allowing an app access to our contacts, for example, would not expose that list to data mining and privacy-invading marketing nonsense, we would not need to spend time granting permissions.

Unfortunately, there isn’t a comparable fight for security vulnerabilities. Users’ trust is an infinitely exploitable resource and it is the primary job of malware creators to do just that.

Yet I return to my argument that requiring users to determine which processes are safe is a demand that is overwhelming to most and disruptive to the comparatively few users who are equipped to handle such a decision.

Of course, there are other protections built into the system that help prevent malware and other problematic software from running. Apple explains several of these on its marketing page for Catalina, and there are other technologies like sandboxing and the antivirus protection offered by XProtect and MRT. But if security is, as with so many things in life, like an onion, the dialog boxes are like individually wrapping a bag of the things in clingfilm: it ends up being something that gets in the way for pseudo protection. These seemingly endless permission requests disrupt the Mac’s balance of capability and user friendliness.

The future of the Mac — a friendly face atop a powerful Unix core with an amazing software ecosystem — should not be a bureaucracy that cripples its finest qualities, nor one which users are responsible for fidgeting with.

Update: The Mac App Store was introduced in an update to Snow Leopard, not Lion, as previously and incorrectly stated.

Microsoft Says That It Is Bringing Defender, Its Security and Antivirus Software, to iOS and Android

Jordan Novet, CNBC:

Microsoft will soon offer its Defender antivirus software for phones and other devices running Google’s Android and Apple’s iOS mobile operating systems, the company announced Thursday.

[…]

Apple and Google have sought to police their app stores from instances of malware. That hasn’t stopped Microsoft from jumping in.

“They’re pretty safe, but pretty safe is not the same as safe,” Rob Lefferts, a Microsoft corporate vice president, said in an interview at company headquarters in Redmond, Washington, last week. “Malware does happen on those platforms.”

The closest thing to malware on iOS is probably targeted attacks, primarily for spying, that rely on unreported vulnerabilities. It is unclear how Microsoft’s antivirus software will scan an iPhone’s apps at all, given the sandboxing restrictions on the platform, let alone find ones that use novel ways of surreptitiously scraping users’ data.

Microsoft already offers the Intune software that IT administrators can use to manage employees’ PCs, smartphones and tablets. The Defender software coming to Android and iOS is about security, rather than management. It’s designed to prevent people from visiting online destinations that Microsoft deems unsafe, Lefferts said.

This makes it sound like Microsoft Defender for iOS will, ultimately, be a Safari content blocker, or perhaps a VPN. Microsoft says that more details will be revealed at next week’s RSA Conference. I question whether it will meaningfully address how a sandboxed antivirus scanner is supposed to work platform-wide.

Update: I forgot about that ring of click fraud apps that ran invisible ads.

Larry Tesler Dies Aged 74

Andrew Liszewski, Gizmodo:

In addition to his contributions to some of Apple’s most famous hardware, [Larry Tesler] was also known for his efforts to make software and user interfaces more accessible. In addition to the now ubiquitous “cut,” “copy,” and “paste” terminologies, Tesler was also an advocate for an approach to UI design known as modeless computing, which is reflected in his personal website. In essence, it ensures that user actions remain consistent throughout an operating system’s various functions and apps. When they’ve opened a word processor, for instance, users now just automatically assume that hitting any of the alphanumeric keys on their keyboard will result in that character showing up on-screen at the cursor’s insertion point. But there was a time when word processors could be switched between multiple modes where typing on the keyboard would either add characters to a document or alternately allow functional commands to be entered.

Last year, Riccardo Mori published a transcription of a 1997 talk given by Tesler and Chris Espinosa. It’s a talk worth reading for its depth of thought. For example:

The reason we [preferred CUT/COPY/PASTE over MOVE/COPY/DELETE] is that [while] it is two steps to do CUT and PASTE, there are a lot of advantages. […] Another reason is that you don’t have to be able to see the destination when you are copying or cutting the source. That’s the most important thing. And on a screen of limited size, when you have windows overlapping, it’s sometimes very hard to get things all lined up so you can specify two targets; or you have windows popping up and down, and you get very confused.

The other thing is that I had a secret agenda: I thought that the machine should be used not for what they talked about (office systems) — well, that was good, but I didn’t want it to be used just for that. I thought it would be a great machine for publishing and that it would be able to do cut & paste into page layouts, which was my own personal interest; and so I was advocating that because that was definitely the way you’d want to do page makeup. But we did user testing, and the users slightly preferred the CUT and PASTE model.

This, too:

Brief interpolation on keyboard shortcuts — Now, as you know, you can do command keys [command key combinations] on the Mac; you can invoke commands from the keyboard, and we knew it was important to reserve some for the most common commands. […] We wanted to make sure that CUT, COPY, PASTE, UNDO were the same for everybody. [Same for] BOLD, ITALIC, UNDERLINE, and NORMAL.

Why the Z X C V keys? — They were close on the keyboard. We did X because it was a cross out (CUT). We did V because it pointed down like this [he makes a ‘V’ shape with his hands], and you were inserting; it was like an upside-down caret (PASTE). And Z was the closest one, because we figured you’d UNDO a lot. And C for COPY — that was easy.

It’s obvious to see why Tesler’s contributions to computing are so profound: they’ve barely changed in the last forty years. He put a big dent in the universe.

Folding Flip Phones Flopping

Dieter Bohn of the Verge on the new Motorola Razr:

That is the Razr’s first major trade-off. I’m harping on the $1,500 price, but not because it’s too high for any phone. Phones are our primary computers, and many people could reasonably justify that price or something even higher for the right phone. The problem with the Razr is that it delivers so few of the things you’d expect at that — or any — price.

[…]

The Razr’s screen is made of plastic, and it was recently one-upped by Samsung’s Galaxy Z Flip, which has the first folding glass display ever. Tough break. In general, though, folding screens are so new that it’s hard to know exactly what standard to judge them by. Clearly, they require trade-offs, but which trade-offs are reasonable and which are dumb won’t be clear until we use more of them.

What I don’t like: the soft plastic is likely to pick up nicks, dings, and indentations from use — and I think fairly normal use, at that. It feels slightly more robust than the Galaxy Fold’s screen, but that may just be because it’s smaller. Motorola’s main innovation with the screen is how it constructed the hinge to minimize any creasing and allow the phone to close completely flat. There are two parts to this story.

[…]

Since we’ve talked about the hinge so much, we need to get to another trade-off. Maybe you’ve heard about it, or maybe you’ve literally heard it. The creak.

Bad luck. Maybe that glass screen in the Galaxy Z Flip will fare better?

Raymond Wong, Input:

The Galaxy Z Flip — at least according to Samsung — shouldn’t have the same issues that doomed its first foldable, the Galaxy Fold. At Unpacked, Samsung made sure to highlight all the ways it improved durability in the Z Flip. The display is made of “Ultra Thin Glass” instead of plastic (it’s better, but still pretty prone to scratching). The “hideaway hinge” has fibers inside of it to keep particles out. The hinge doesn’t creak when the phone is folded. There are two little bumpers on the bottom corners to absorb hard closures. The foldable display can handle up to 200,000 folds before it breaks; 100,000 more folds than the Razr.

[…]

Realist me remains skeptical foldable phones will ever be more than a short-lived fad. (Prove me wrong phone makers!) I keep waiting to be convinced that there’s a meaningful purpose for a foldable phone other than “it folds in half!” Samsung is on the right track with the Z Flip. The hardware is getting better and all that’s left is a killer use case. As it is, the Z Flip is an expensive toy and not a smartphone you can rely on day in and day out. It’s still too expensive and its durability is uncertain. If bleeding edge tech is a way of life for you, then this phone has your name written all over. But if you need a phone you can count on that gives you the best of everything, trust me: you can do better.

I’m not sure why anyone would buy one of these prototypical devices today, unless you have a couple thousand dollars burning a hole in your pocket. And, anyway, wouldn’t you feel better sending that money to me instead?

Apple Music Now Groups Different Versions of the Same Album

Federico Viticci:

Looks like Apple has brought back one of the best features from Beats Music with Apple Music: Other Versions of the same album.

This section collects remasters, reissues, remixes, demos, deluxe editions, and explicit/clean versions of the same album.

Because this appears to be automated, it also cleans up instances of multiple copies of the same album on artist pages. I’m still not sure why Apple Music had five copies of “First Impressions of Earth”; it now has only two, though I still can’t understand why.

This appears to be slightly conservative in its approach, too. While it groups the clean and explicit versions of Kendrick Lamar’s “Damn”, it does not group the “collector’s edition”, which has a reversed tracklist. By the way, there are at least nine copies of “good kid, m.A.A.d city” on Apple Music. Again, I am not sure why there would be more than four — clean and explicit versions of each of the original release and the deluxe edition — but at least they’re all grouped together now.

Apple Promotes Its Services Through Pervasive and Often Disruptive In-App Advertising

Next month will mark a year since Apple publicly pivoted itself in the direction of a services-oriented company. As far as the company’s revenue is concerned, it has been extremely successful — but it has not come easily.

Steve Streza:

If you don’t subscribe to these services, you’ll be forced to look at these ads constantly, either in the apps you use or the push notifications they have turned on by default. The pervasiveness of ads in iOS is a topic largely unexplored, perhaps due to these services having a lot of adoption among the early adopter crowd that tends to discuss Apple and their design. This isn’t a value call on the services themselves, but a look at how aggressively Apple pushes you to pay for them, and how that growth-hack-style design comes at the expense of the user experience. In this post, I’ll break down all of the places in iOS that I’ve found that have Apple-manufactured ads. You can replicate these results yourself by doing a factory reset of an iPhone (backup first!), installing iOS 13, and signing up for a new iCloud account.

Michael Tsai has collected even more examples of where Apple has aggressively pushed users to subscribe to its services.

Streza calls iOS “adware”, which I think is hyperbolic. But there’s no denying that using Apple’s products is starting to feel like visiting a department store that’s more intent on pushing its credit card than selling you a pair of shoes.

For me, the result has been plainly obvious: I treat many of Apple’s first-party apps as mere containers for the company’s subscription services. Ever since it has become an advertisement for Apple News Plus, I have almost never opened News. It’s the same with the TV app — particularly on my Apple TV — which I previously used to watch purchased and downloaded media.

As for Music? Tyler Hall:

To date, that’s $4,755 I’ve legally paid for digital music.

[…]

I don’t have the foggiest clue where that amount of money places me as a music customer. Surely not the low end of consumers? But I doubt the high side either. I’m guessing I’m somewhere in the upper-middle compared to what most digital natives have spent on music.

But my point is this.

I happily and enthusiastically paid for all that music. But now? Every time I see the $14.99 charge for our Apple Music family plan hit my checking account, I wince. I pay it begrudgingly because I feel like I have no other choice.

In my head, I bucket all monthly charges under the category of “bills”. I pay my rent, I pay my phone bill, I pay for internet, I pay for insurance, I pay for iCloud, and I pay for Apple Music. Some of these things are utilities; music shouldn’t feel like a utility, but it does now.

Of course, I could — and do — pay to download music in much the same way Charles Avison used to. But I also pay for Apple Music every month in part because, if I didn’t, the Music app would be a portal to advertising.

I don’t think it’s necessarily wrong for Apple to use its platform owner advantage to push its services, but I do think that, currently, it is making those products worse. And there’s something else, too: if it were possible to set non-Apple apps as defaults and third-party developers were able to offer subscriptions without going through in-app purchases, would Apple’s services be so successful? I’m not sure they would.

2020 State of Mac Malware

Michael Tsai put together a collection of links that, in summary, present a more sober picture of the 2020 State of Malware Report (PDF) from Malwarebytes than some headlines have suggested.

From the report:

Macs differ drastically from Windows in terms of the types of threats seen. Where we found several different categories and families in our top detections of Windows threats that classify as traditional malware, especially those aimed at businesses, most Mac threats, and certainly the most prevalent ones of 2019, are families of adware and potentially unwanted programs (PUPs). The most common Mac malware family, OSX.Generic.Suspicious, fell well down the list at 30th place in Mac-specific detections, and hundreds of spots down on a cross-platform threat list.

[…]

Of all the [Mac] threats seen this year, only one incident involved anything other than tricking the user into downloading and opening something they shouldn’t. That is the incident in which Coinbase, and several other cryptocurrency companies, were targeted with malware that infected systems through a Firefox zero-day vulnerability.

So the chance of experiencing malware — not adware or what Malwarebytes calls “potentially unwanted programs”, but malware — on a Mac actually fell in 2019, according to this report. Meanwhile, as Ben Lovejoy points out, the primary reason adware became more prevalent on the Mac in 2019 is down to a single app.

Workers for Shipt, an Instacart-Like Company Owned by Target, Describe a Culture of Unrealistic Expectations, Retaliation, and Fear

Lauren Kaori Gurley, Vice:

When Target bought the company for $550 million in 2017, Shipt rapidly expanded its same-day delivery to half of its stores. Today, Shipt has more than 100,000 gig workers, according to the company. The company has tripled its geographic reach since 2017.

Shipt workers told Motherboard that customers who order from Target often seem surprised when independent contractors in plain clothes driving their personal cars show up at their homes with massive deliveries from Target. Because Shipt classifies its workers as contractors, not employees, workers pay for all of their expenses — including gas, wear and tear on their cars, and accidents — out of pocket. They say the tips on large orders from Target, sometimes with hundreds of items, can be meager.

Workers say Shipt customers often live in gated and upscale communities and that the app encourages workers to tack on gifts like thank you cards, hot cocoa, flowers, and balloons onto orders (paid for out of their own pocket) and to offer to walk customer’s dogs and take out their trash, as a courtesy. Shipt calls this kind of service “Bringing the Magic,” which can improve workers’ ratings from customers that factor into the algorithm that determines who gets offered the most lucrative orders.

If this “gig economy” nonsense is to have a quality of employment greater than that of a freelance servant, workers need rights, reasonable expectations, benefits, and real income. This nonsense of paying people according to a black box algorithm should not be legal.

Apple’s History of Colour-Matched Wallpapers

Jared Sorge:

I worked at an Apple Authorized Service Center and had been doing service on the iMacs with slot loading optical drives (like the one pictured above). Whenever I would need to erase a hard drive and restore the operating system I noticed that the desktop wallpaper color matched the color of the case. So a Ruby iMac would get a Ruby colored desktop, and same with Sage green, Indigo blue, and so on. How did they pull this off?

Most iPhones since the 5S and 5C have used colour-matched wallpapers by default, too, but those are highly-integrated devices. Sorge says that virtually every interior component of the iMac G3 could be swapped and it would still know which colour to use for the wallpaper. I love details like these.

A Look Inside the ‘Ghost Kitchens’ That Are Operating Out of 60 Morris Street in San Francisco

I’ve posted before about “ghost kitchens” — delivery-only restaurants that operate with little more than a range and a refrigerator. But, until today, I hadn’t seen what one looks like.

Joe Kukura, writing for Broke-Ass Stuart (via Andy Baio):

We popped by one of San Francisco’s most prominent ghost kitchen facilities, and Jesus is this place dirty and depressing. Though Business Insider gave 60 Morris a glowing write-up, we found the place looks like a combination of 850 Bryant and the kind of SRO lobby where the check-in counter has bulletproof glass. It is operated by disgraced Uber CEO Travis Kalanick’s new venture CloudKitchens, but their $400 million in VC funding from dirty Saudi Arabian money is not evident in the facility’s hand-written signs, bare bones interior, and general below-minimum-wage dystopian chic.

Surely some of the negative impression of this place comes down to the poorly-exposed nighttime cellphone photography in this article. There are no photos of the kitchen; it could be spotless, for all we know.

Yet it is hard to imagine that this is the future of food: a derelict industrial building masquerading as two dozen different restaurants where, inside, workers create meals to be stashed in a locker for an underpaid delivery driver to ferry, at great expense, to their destination. After decades of lame jokes in stand-up comedy routines about the quality of airline food, it sure seems like that shouldn’t be what we aspire toward.

Meet Makan Delrahim, the Lawyer Who Leads the Antitrust Division at the U.S. Department of Justice

Speaking of the T-Mobile and Sprint merger, Eriq Gardner of the Hollywood Reporter wrote a profile of Makan Delrahim:

In addition, the Antitrust Division has in recent months raised eyebrows about politicization of competition law. During the trial of a multistate challenge to the proposed T-Mobile/Sprint merger, which federal regulators approved, text messages emerged that showed Delrahim laboring behind the scenes during the government’s review last summer to save a deal that would shrink competitors in the wireless arena, helping to arrange the sale of the two companies’ mobile spectrum to a third party, Dish Network, and offering its chairman, Charlie Ergen, advice on how to lobby the FCC and lawmakers. “Why Is the Justice Department Treating T-Mobile Like a Client?” asked a New York Times editorial in December. (On Tuesday, a judge rejected the states’ antitrust challenge and approved T-Mobile’s Sprint acquisition.)

Delrahim is notable for leading the antitrust investigations of large tech companies, disputing the AT&T and Time Warner merger, and his opposition to the Paramount Consent Decree. He has a bizarre view of antitrust law: big tech companies are scary to him, but ISPs and entertainment conglomerates — which are increasingly the same thing — are not. Oh, except for AT&T and Time Warner, which he disputed for ostensibly good reasons, only to lose that case and find that the newly-merged AT&T and Time Warner conglomerate is doing exactly what it said it wouldn’t.

T-Mobile and Sprint Were Allowed to Merge Because Sprint Sucks

Laurel Wamsley, NPR:

T-Mobile is closer to taking over Sprint after a federal judge rejected arguments by several states that the merger would stifle competition and lead to higher prices for consumers.

The deal would combine the country’s third- and fourth-largest wireless carriers. The new company, to be called T-Mobile, would still be the third-largest, after AT&T and Verizon.

U.S. District Court Judge Victor Marrero concluded that the proposed merger “is not reasonably likely to substantially lessen competition” in the wireless market.

Nilay Patel of the Verge read the decision and put together a terrific explanation of how Judge Marrero arrived at that conclusion:

And… it turns out that Judge Marrero thinks CEO John Legere and the rest of T-Mobile’s executives are extremely cool and smart and that Dish Network is definitely trustworthy and that everything is going to work out great.

Also, the judge thinks that Sprint sucks. Really, if there’s one major takeaway here, it’s that Victor Marrero, a federal judge selected by Bill Clinton for a lifetime appointment on the federal judiciary, thinks that Sprint is a bad company with a crap network run by dummies. This is the law now.

In Canada, our three major carriers operate in near lockstep. The United States is now down to three major carriers. Should be fine, right?

Essential Is Shutting Down

The history of Essential is blessedly short, yet dramatic and inherently entwined with the personal life of its founder and CEO Andy Rubin. Its first product, announced in May 2017, was supposed to be out in June of the same year, and missed that deadline for a week before journalists realized that it hadn’t started shipping yet. It ultimately wasn’t available until August, then received a price cut in October.

In November — this is all in 2017 — Rubin took a leave of absence after the Information reported that he had what they deemed an “inappropriate relationship” with a subordinate at Google. It took until the following year for the New York Times to report that Rubin was asked to resign from Google after being credibly accused of sexually assaulting the employee. He was given $90 million to leave, leading employees to walk off the job in protest of the way Google has protected men accused of sexual assault. Oh, and Rubin was also accused, in court papers, of running a sex ring.

After it cancelled work on a successor to its first phone, Essential tried to sell itself, found no buyers, and instead bought an email startup. A few months ago, it showed off a prototype of a tall and skinny smartphone.

Essential today:

In October, we introduced Project GEM, a new mobile experience that our hardware, software and cloud teams have been building and testing for the past few years. Our vision was to invent a mobile computing paradigm that more seamlessly integrated with people’s lifestyle needs. Despite our best efforts, we’ve now taken Gem as far as we can and regrettably have no clear path to deliver it to customers. Given this, we have made the difficult decision to cease operations and shut down Essential.

The email app is also shutting down, effective April 30. I feel bad for the employees who were understandably excited to work for a unique company, only to find it subject to the distractions of its CEO’s wrongdoing and the company not publicly communicating a clear path to relevance.

See Also: Daisuke Wakabayashi and Erin Griffith’s report for the New York Times.

The Vinyl Pause of 2020

Chris Eggertsen, Billboard:

The manufacturing and storage facility for Apollo Masters Corp. — a Banning, Calif.-based manufacturing plant that supplies the lacquer used for making master discs, which are then used to create vinyl records — has burned down in a massive fire, the company confirmed in a statement posted to its official website.

[…]

The fire, which was first reported around 8 a.m. PT Friday morning (Feb. 7), broke out while employees were inside the building, though all escaped safely, according to The Desert Sun, which first reported the blaze. But the loss of the plant — which, along with MDC in Japan, is one of only two worldwide that produces the lacquers needed to create vinyl records — comes as a difficult blow to the booming vinyl record industry. Billboard reported just last month that 26% of all physical albums sold in the U.S. in 2019 were vinyl.

While vinyl may be on an upswing relative to ten or twenty years ago, its sales are nowhere near those of the 1970s and 1980s.

Still, I’ve long been one of those buyers. While I’m glad all of the employees of Apollo Masters are safe, I’m gutted by the likely fallout from this fire.

“Steady State Sea” (via Coudal):

You will be able to buy new vinyl titles in 2020 — or most of 2020, anyway. Ironically, the long waiting time to get a respective record pressed after cutting its master may be critical in delaying the consequences of low supply of vinyl offerings. That waiting time to press can take several months — and that’s assuming all money needed for the pressing is gathered and ready to spend. (Incidentally, before the mid 2000s, the waiting time used to be dramatically shorter.) Many new albums coming out in 2020 already had their respective masters cut in 2019.

[…]

However, from the end of 2020 onward will be the big question mark regarding vinyl supply in retail.

And it wouldn’t be surprising if labels began to start a more conservative release schedule effective ASAP. If any label does have a stash of lacquers, they will likely be reserved for releases that the label would consider low-risk in sales — such as legacy artists or hot new acts.

I listen to music in two formats: for convenience, a large local library of digital files mixed with streaming; and, for a more relaxed, immersive experience, vinyl. I love spending a couple of hours in a decent record store, walking my fingers along the shelves until I find something I like. This fire has the possibility to make all of that a rare occasion. It is going to be tough to recover from, but not impossible — it sounds like direct metal mastering is a good way out.

All Your Favorite Brands Are on Amazon, From BSTOEM to ZGGCD

John Herrman, New York Times:

Mostly, you’ll notice gloves from brands that, unless you’ve spent a lot of time searching for gloves on Amazon, you’ve never heard of. Brands that evoke nothing in particular, but which do so in capital letters. Brands that are neither translated nor Romanized nor transliterated from another language, and which may contain words, or names, that do not seem to refer to the products they sell. Brands like Pvendor, RIVMOUNT, FRETREE and MAJCF. Gloves emblazoned with names like Nertpow, SHSTFD, Joyoldelf, VBIGER and Bizzliz. Gloves with hundreds or even thousands of apparently positive reviews, available for very low prices, shipped quickly, for free, with Amazon Prime.

Gloves are just one example — there are at least hundreds of popular searches that will return similar results. White socks: JourNow, Formeu, COOVAN. iPhone cables: HOVAMP, Binecsies, BSTOEM. Sleep masks: MZOO, ZGGCD, PeNeede.

These “pseudo-brands,” as some Amazon sellers call them, represent a large and growing portion of the company’s business. These thousands of new product lines, launched onto Amazon by third party sellers with minimal conventional marketing, stocking the site with disparate categories of goods, many evaporating as quickly as they appeared, are challenging what it means to be a brand.

They’ve also helped overwhelm the United States Patent and Trademark Office, which, not unlike an Amazon shopper, has for years found itself mystified by pseudo-brands as it continues to approve them. Maybe they’re the future of shopping. They’re certainly part of the now.

This is a fascinating exploration of how the combination of a handful of Amazon’s seller policies and fewer barriers between customers and manufacturers has changed the nature of what a brand is, at least in terms of household consumer goods.

The Era of Widely-Peddled Fake Products

Ganda Suthivarakom, the Wirecutter:

The rise of counterfeit goods and other phony products sold on the Internet has been swift — and it has largely gone unnoticed by many shoppers. But make no mistake: The problem is extensive. Most people don’t realize this, but the majority of listings on Amazon aren’t actually for items sold by Amazon — they’re run by third-party sellers. And even though many, many third-party sellers are upstanding merchants, an awful lot of them are peddling fakes.

A major Wall Street Journal investigation recently revealed that Amazon has listed “thousands of banned, unsafe, or mislabeled products,” from dangerous children’s products to electronics with fake certifications. The Verge reported that even Amazon’s listings for its own line of goods are “getting hijacked by impostor sellers.” CNBC found that Amazon has shipped expired foods — including baby formula — to customers, pointing to an inability to monitor something as basic as an expiration date. Because of the proliferation of counterfeits and what Birkenstock describes as Amazon’s unwillingness to help it fight them, Birkenstock won’t sell on Amazon anymore. Nike announced that it is also pulling out of Amazon. “Many consumers are … unaware of the significant probabilities they face of being defrauded by counterfeiters when they shop on e-commerce platforms,” reads a January 2020 Department of Homeland Security report (PDF) recommending measures that would force e-retailers to take counterfeits even more seriously. “These probabilities are unacceptably high and appear to be rising.”

Counterfeits, overwhelming choice, Prime Day, poor-quality recommendations, deceptive advertising, and its myriad private labels combine to make Amazon feel increasingly like a low grade flea market mixed with a liquidation store.

Here’s a true and dumb story about your silly writer: last Wednesday, as I was trying to put my MacBook Air on the coffee table, I missed and instead allowed gravity to place it directly onto my foot. My laptop is fine. One of my toes, however, is broken. I got it checked out on Thursday just to be safe — universal health care is a very good thing — and was told that I could keep buddy taping it; it’s not a serious break. They recommended I pick up a cohesive bandage, which they said could best be found on Amazon. So I tried finding it, and spent a solid hour poking around the Amazon storefront. It’s not that there’s a shortage of choice; it’s quite the opposite problem. I just wanted to find a small quantity of the narrowest bandage available. I ended up frustrated and buying a six-pack with multiple sizes made by a company I’ve never heard of. It was, oddly enough, the best choice, but not even close to the correct one.

U.S. Officials Say Huawei Can Covertly Access Telecom Networks Through Law Enforcement Backdoors

Bojan Pancevski, Wall Street Journal:

When telecom-equipment makers build and sell hardware such as switching gear, base stations and antennae to carriers — who assemble the networks that enable mobile communication and computing — they are required by law to build into their hardware ways for authorities to access the networks for lawful purposes.

They are also required to build equipment in such a way that the manufacturer can’t get access without the consent of the network operator.

Only law-enforcement officials or authorized officials at each carrier are allowed into these “lawful interception interfaces,” generally with the carrier’s permission. Such access is governed by laws and protocols specific to each country.

U.S. officials say Huawei has built equipment that secretly preserves the manufacturer’s ability to access networks through these interfaces without the carriers’ knowledge. The officials didn’t provide details of where they believe Huawei is able to access networks. Other manufacturers don’t have the same ability, they said.

The only attribution that Pancevski uses for the claims throughout this article is “U.S. officials”, aside from a single time when he quotes Robert O’Brien. There is no more specific attribution for the overall thrust of the article — not even whether they entirely represent the U.S. intelligence apparatus, nor how many officials described this vulnerability.

Nevertheless, I note that these “U.S. officials”, now worried about the abuse of law enforcement backdoors, somewhat undercut the arguments made by their colleagues in the Department of Justice, who are adamant that every cellphone, tablet, and computer needs a law enforcement backdoor that they promise will not be abused.

See Also: Last year’s still-questionable report from Bloomberg Businessweek about Telnet being left on in Huawei equipment used in Vodafone’s Italian network.

Despite Charges Against Chinese Spies, Equifax and U.S. Regulators Are Not Off the Hook

Karl Bode, Techdirt:

A lack of any meaningful US privacy law for the internet era means there’s repeatedly no real punishment for companies that fail to secure the vast troves of data they’re now collecting on your every waking moment. Nor is there any real compensation for consumers who may not have wanted this data collected, stored, and sold to every nitwit with a nickel. There are so many points of failure here — from corporations that treat privacy and security as an afterthought to captured regulators too feckless to do anything about it — that focusing too extensively on national security risks us learning absolutely nothing from the experience.

The key thing to be learned from this saga is not that spies are seeking extremely high-profile targets, nor that U.S. companies’ security policies are ill-equipped to keep them out. It is that there is no reason that this cannot happen again because Equifax has no incentive or obligation to change, but neither does any other company operating in an oligopoly, or any of the thousands of companies that few people have heard of despite them vacuuming up every detail of our electronic lives.

Popular Free Email Apps Such as Edison and Cleanfox Skim Users’ Inboxes for Marketing Data

Joseph Cox, Vice:

The popular Edison email app, which is in the top 100 productivity apps on the Apple app store, scrapes users’ email inboxes and sells products based off that information to clients in the finance, travel, and e-Commerce sectors. The contents of Edison users’ inboxes are of particular interest to companies who can buy the data to make better investment decisions, according to a J.P. Morgan document obtained by Motherboard.

On its website Edison says that it does “process” users’ emails, but some users did not know that when using the Edison app the company scrapes their inbox for profit. Motherboard has also obtained documentation that provides more specifics about how two other popular apps — Cleanfox and Slice — sell products based on users’ emails to corporate clients.

Slice is owned by Rakuten, a Japanese e-commerce conglomerate that also owns Unroll.me. A few years ago, the latter company was at the centre of a similar controversy over the appropriateness of scraping users’ inboxes for marketing data that can be sold.

At the time, Karissa Bell wrote a particularly good piece for Mashable about Unroll.me’s shady policies:

Even if you took the time to read their privacy policy — and, let’s be real, no one does — it doesn’t explicitly spell this out. “We may collect and use your commercial transactional messages and associated data to build anonymous market research products and services with trusted business partners,” it says. But in no way does it make clear that Unroll.me is literally in the business of selling data.

While Unroll.me’s website was updated to include information about the company’s invasive practices so users can make a more informed choice, Slice’s website is not as forthcoming, but the app was described in a 2012 story as “creepy”.

Edison and Cleanfox are not owned by Rakuten and do not appear to have any relationship with that company. The website for the former was updated some time between September last year and today to include a disclosure; the website for Cleanfox contains no clear explanation.

People used to be worried about Google’s since-discontinued policy of scraping Gmail inboxes for targeted ads. How times have changed.

Comparing Film and Digital Cinematography Is a Silly Debate, Argues Steve Yedlin

As I read this today, I couldn’t help but think of it as related to the audiophile argument that analogue processes are inherently superior to digital.

My main takeaway is that we have decades of knowledge about how different kinds of film stock and developing processes transform footage, but we have comparatively limited knowledge of equivalent digital processes. Yedlin has figured out how to convincingly simulate film with an entirely digital workflow, but there’s no reason that a 35mm lookalike should be the only goal. That’s his argument, too.

The MacBook Keyboard Saga Has Gone on for Long Enough That It’s Being Referenced During an Oscars Question Period

Sam Byford, the Verge:

Speaking with journalists after winning his first Oscar for Best Adapted Screenplay, Jojo Rabbit and Thor: Ragnarok director Taika Waititi had other things on his mind. When asked what he thought writers should be demanding in the next round of discussions with producers, Waititi put Apple’s controversial laptop keyboards on blast.

“Apple needs to fix those keyboards,” he said. “They are impossible to write on — they’ve gotten worse. It makes me want to go back to PCs. Because PC keyboards, the bounce-back for your fingers is way better. Hands up who still uses a PC? You know what I’m talking about. It’s a way better keyboard. Those Apple keyboards are horrendous.”

Daniel Jalkut:

It’s only because Apple allowed the MacBook Pro keyboard problem to go on SO LONG that it could possibly have become a talking point in an Oscar awards interview. I hope some lessons have been learned.

Apple may now be shipping a laptop with a good keyboard, but its two most popular Macs — the MacBook Air and the 13-inch MacBook Pro — still include the painful butterfly keyboard. People keep laptops for years, too. This is going to be a decade-long reputation problem.

Corp.com Domain, a Default in Active Directory and Massive Security Risk, Goes Up for Sale

Brian Krebs:

Now, none of this was much of a security concern back in the day when it was impractical for employees to lug their bulky desktop computers and monitors outside of the corporate network. But what happens when an employee working at a company with an Active Directory network path called “corp” takes a company laptop to the local Starbucks?

Chances are good that at least some resources on the employee’s laptop will still try to access that internal “corp” domain. And because of the way DNS name devolution works on Windows, that company laptop online via the Starbucks wireless connection is likely to then seek those same resources at “corp.com.”

In practical terms, this means that whoever controls corp.com can passively intercept private communications from hundreds of thousands of computers that end up being taken outside of a corporate environment which uses this “corp” designation for its Active Directory domain.

One of the things we are slowly learning is that our ten-, twenty-, and thirty-year-old bad security decisions are biting us hard. Consider, for example, how infrequently anyone but the most security-conscious people gave even a passing thought to password re-use just a few years ago. Dozens of high-profile breaches involving billions of accounts later, it’s something we’re only beginning to take seriously.

French Competition Bureau Fines Apple €25 Million for Not Communicating Slowing Effects of Battery-Preserving iOS Update

In December 2017, Apple acknowledged that an iOS update introduced a feature which protected iPhones with degraded batteries from stability problems caused by CPU spikes. The peak performance of CPUs was reduced in iPhones with poor battery capacity.

Apple failed to communicate any of this to users; it only issued statements to the press after they reported on a Reddit post explaining that a fresh battery improved an iPhone’s performance. At the time, I wrote that this was a needless betrayal of trust which made a reasonable engineering decision look nefarious, and gave credence to conspiracy theories that the company intentionally slows down older devices to encourage users to purchase new devices.

This can be seen in the way the French government responded, according to an un-bylined BBC report from January 2018:

French prosecutors have launched a probe over allegations of “planned obsolescence” in Apple’s iPhone.

Under French law it is a crime to intentionally shorten lifespan of a product with the aim of making customers replace it.

[…]

It follows a legal complaint filed in December by pro-consumer group Stop Planned Obsolescence (Hop).

Hop said France was the third country to investigate Apple after Israel and the US, but the only one in which the alleged offence was a crime. Penalties could include up to 5% of annual turnover or even a jail term.

Romain Dillet, TechCrunch:

France’s competition watchdog DGCCRF announced earlier today that Apple will pay a $27.4 million (€25 million) fine due to an iOS update that capped performance of aging devices. The company will also have to display a statement on its website for a month.

I don’t know — or, frankly, care — if €25 million is a fine that is too small, too big, or not worth issuing at all. What I do know is that it is ridiculous to defend Apple’s decision not to explain this to users at the time.

Stephen Warwick, iMore:

But do you really think that people would have been understanding if Apple had been forthcoming about its plans? This is Apple after all. And people love to hate Apple. Can you imagine the headlines? ‘Apple announces it will intentionally slow down older iPhones’ – ‘Apple forces customers to upgrade by ruining their old devices’. Or worse, imagine if Apple had taken no action, and left us to our own highly unstable devices – ‘Negligent Apple lets older phones randomly shut off’ – ‘Why hasn’t Apple issued an update to patch iPhone shutdowns?’.

Of course it would not have been easy for Apple to explain why this decision made sense — Warwick alone spent about a thousand words retelling this saga. But it would have been right, and avoided accusations that the company was being underhanded and sneaky.

Instead of getting those make-believe headlines, we got very real headlines like “Apple: Yes, We’re Slowing Down Older iPhones”, “Apple Admits It Deliberately Slows Down iPhones as They Get Older”, and “Apple Really Does Slow Down Some Older iPhones”.

Yes, perhaps Apple could have taken the decision to be more forthcoming about its plans to enable performance management in iOS. It could have told the world that it was about to intentionally slow down its older iPhones. But would the world have been understanding about it? I think not.

In addition to the above headlines and this week’s French penalty, two U.S. government agencies investigated Apple for securities law violations, users in several states sued the company, and regulators around the world — including in South Korea, China, and Italy — assessed whether the company’s lack of communication violated any local laws.

That is the level of understanding the world had because Apple did not tell users that they should replace their battery to improve their iPhone’s performance. Instead of a difficult week for its PR team, trying to explain an engineering decision, they reinforced a dumb conspiracy theory. Was all that worth it?

To be clear, there’s no indication that this wasn’t publicized at the time to avoid poor PR; that’s something Warwick implied. If anything, this seems like an example of stupidity, not malice. But this was an indefensible mistake by Apple. There’s no reason to pretend otherwise.

Apple News Warns Publishers About Channel Removal if They Are Inactive for Three Months

Daniel Jalkut:

Apple did, in fact, accept my news sources, and for the past several years these articles have been available through the service.

I guess I’ve dropped the ball a bit as a blogger, though, because this week I received a terse email from Apple:

Dear Daniel Jalkut,

We noticed that you have not published to your Bitsplitting channel in three months or more. Your channel will be removed in one week.

Regards,

The Apple News Team

Regards, indeed. Apple will drop me in one week if I don’t publish something, or maybe even if I do; the wording is ambiguous. I’m a little annoyed at this, but I’m also a little annoyed at myself for not blogging more frequently, so I guess I’ll just say: “thanks, Apple News!”

Via Manton Reece, who writes in response:

If you hadn’t heard, Apple News dropped RSS support for new blogs, and it sounds like they rarely approve personal blogs anymore. Weeding out inactive blogs could be the first step to removing them altogether.

I haven’t found another public copy of this email posted by anyone else, and I wonder if this is something new that Apple is doing. I also couldn’t find a requirement to publish at least every three months within Apple’s News Publisher support section; I’m not saying it’s not there, just that I could not see where it might be.

Nevertheless, it seems like it’s still possible — according to that News Publisher site — to create a new channel based on RSS. Existing RSS-based channels also appear to be functional still; this one is, at least. However, it is no longer possible to subscribe to an RSS feed as a user with Apple News. iOS still declares that News is the handler for feed:// URLs, but it no longer supports them. A month ago, I asked a couple of people at Apple for clarity on this and neither has gotten back to me. I assumed it could be a bug at the time, but if it’s a policy change, it’s sloppy and poor.

Update: Reece confirms that it’s still possible to create an Apple News channel based on an RSS feed, but that it is discouraged during setup.

Reflective Satellite Clusters Created by Private Companies Are Impeding Astronomers’ Work and Altering the Night Sky

Marina Koren, the Atlantic:

Before Starlink launched, SpaceX coordinated with the National Science Foundation and its radio-astronomy observatories to make sure there wouldn’t be any overlap. Unfortunately for optical astronomers, there is no such framework when it comes to the brightness of satellites — no international body in Geneva, let alone a dedicated agency in the United States. The Federal Communications Commission’s regulatory realm spans communication networks across multiple industries, which means its oversight includes, oddly enough, both satellites and offensive Super Bowl commercials. But while American satellites need the agency’s permission to launch, the FCC does not regulate the appearance of those satellites once they’re in orbit.

[…]

In the months since they first launched, the Starlink satellites have been essentially photobombing ground-based telescopes. Their reflectiveness can saturate detectors, overwhelming them, which can ruin frames and leave ghost imprints on others. Vivienne Baldassare’s work depends on comparing images taken night after night and looking for nearly imperceptible variations in light; the slightest shifts could reveal the existence of a black hole at the center of a glittering, distant galaxy. Baldassare, an astronomer at Yale, can’t see behind the streak of a satellite. “You can’t just subtract that off,” she says. Some objects, such as comets, are better viewed during dawn and dusk, when there’s just enough sunlight to illuminate them. But because they orbit close to Earth, the Starlink satellites can be seen during these hours, too; imagine missing a comet as it passes uncomfortably close to Earth because of too many satellites.

Koren says that SpaceX will launch over a thousand satellites just this year, while Amazon wants to launch over three thousand in the coming years, and OneWeb is launching a little over six hundred. There are presently only about two thousand artificial satellites orbiting the Earth; the additions from just the three aforementioned companies would triple the number of orbiting satellites, and that doesn’t count the ones that SpaceX has already launched.

It is impressive that it is somehow becoming increasingly trivial to get a robot orbiting the Earth. But I’m tangentially reminded of the incident at WWDC 2010 where there were hundreds of spontaneous WiFi networks that interrupted Steve Jobs’ iPhone 4 demo. What happens when we blanket the globe in private satellites with little accountability for their live operation and eventual death as space junk?