Pixel Envy

Written by Nick Heer.

Exploring Google’s Flimsy Proposal for Web Privacy Protections

I’m sure many of you have already read this piece by Jonathan Mayer and Arvind Narayanan on Freedom to Tinker regarding Google’s proposal for a “privacy budget” to allow them to keep tracking users with something resembling privacy in mind, but I thought it was worth linking to for this paragraph alone:

Apple and Mozilla have tracking protection enabled, by default, today. And Apple is already testing privacy-preserving ad measurement. Meanwhile, Google is talking about a multi-year process for a watered-down form of privacy protection. And even that is uncertain — advertising platforms dragged out the Do Not Track standardization process for over six years, without any meaningful output. If history is any indication, launching a standards process is an effective way for Google to appear to be doing something on web privacy, but without actually delivering.

Something that occurred to me after I read several articles about this proposal is that Google wins with any outcome, so long as Chrome remains the world’s most popular browser and we exclude the possibility of regulatory action. If it gets stuck in standards processing hell or gets rejected, Google gets to keep abusing users’ privacy in exactly the same way; if it gets approved, Google gets a slightly different way of targeting users with privacy-robbing ads.

Of course, if cookie-blocking practices and technologies similar to Safari’s Intelligent Tracking Prevention were more widespread, and people chose a non-Chrome browser, it could critically impact Google’s business model and perhaps prompt them to think harder about the tradeoffs they’re expecting web users to make.

The Adults in the Room

Today was Megan Greenwell’s last day at Deadspin — a decision she made after the private equity firm that bought the Gizmodo Media websites from Univision tried to change things up in a really stupid way.

Her last piece for the website is brilliant:

There is a version of the story of this company in which idealistic journalists, unconcerned with profit, are posed against ruthless business-doers, concerned about profit above all else. That would be a convenient story, pitching me and my colleagues and friends as people who just care too much about The Truth to yield before the gale-force winds of Capitalism, but it wouldn’t be a true one.

The real and less romantic story is this: The journalists at Deadspin and its sister sites, like most journalists I know, are eager to do work that makes money; we are even willing to compromise for it, knowing that our jobs and futures rest on it. An ever-growing number of media owners, meanwhile, are so exceedingly unwilling to reckon with the particulars of their own business that they refuse to accept our eagerness to help them make money. They’re speaking a language no one else does, proud of their own inability not just to not fail, but to not understand the terms on which they’re failing. The tragedy of digital media isn’t that it’s run by ruthless, profiteering guys in ill-fitting suits; it’s that the people posing as the experts know less about how to make money than their employees, to whom they won’t listen.

Greenwell is moving to Wired, and I imagine that their output will continue to improve because of it. As a daily reader of Deadspin, I sincerely hope that the person who takes her place has a similar approach to the job; I hope they do not cave to management’s wishes that they “stick to sports”.

DoorDash Announces It Will No Longer Skim Tips From Workers

Amrita Khalid, Engadget:

DoorDash drivers will earn 100 percent of tips under a revamped set of rules on pay. The delivery service today announced a new tipping and earnings policy that it claims will lead to drivers earning more on average. The development comes more than a month after news reports exposed the company for pocketing its driver’s tips. In response to the widespread backlash, DoorDash CEO Tony Xu promised it would reevaluate how it pays its workers.

I think tipping is a silly practice that should be abandoned, but barring that, at least a policy like this no longer allows DoorDash to use tips to replace worker wages.

Update: Amazon also announced that it will stop skimming tips, thus also meeting basic ethical expectations.

Google Proposes New Privacy and Anti-Fingerprinting Controls for the Web

Frederic Lardinois, TechCrunch:

What Google basically wants to do here is change the incentive structure for the advertising ecosystem. Instead of trying to circumvent a browser’s cookie and fingerprinting restrictions, the privacy budget, in combination with the industry’s work on federated learning and differential privacy, this is meant to give advertisers the tools they need without hurting publishers, while still respecting the users’ privacy. That’s not an easy switch and something that, as Google freely acknowledges, will take years.

An independent study from earlier this year by Carnegie Mellon found that publishers lose only 4% of their revenue when cookies are blocked by users. Google cites their own study finding that dropping the “behavioural” part of behavioural advertising cost publishers over 50% of their revenue. Those are remarkably different figures, and Google’s result will be tainted by its inherent conflict of interest.

For what it’s worth, the New York Times dropped ad exchanges entirely for European visitors after GDPR took effect, preferring to sell ads directly, and digital advertising revenue grew.

For the time being, though, there’s nothing here for you to try out or any bits being shipped in the Chrome browser. For now, this is simply a proposal and an effort on the Chrome team’s part to start a conversation. We should expect the company to start experimenting with some of these ideas in the near future, though.

Mat Marquis:

Imagine, if you will, a glorious future where Google, the advertising company known for massive privacy violations, building you a special private Google-controlled web where the icky bad guys can’t track you! Lucky you.

There are things in Google’s proposal that require broader support from ad tech companies and browser vendors, but there’s a lot Google could do today with its market dominating position in both industries. Like Facebook, Google is attempting to distort the definition of privacy beyond what any user would expect so that its core business is not impacted by increased scrutiny.

Now AMP Runs Scripts

Google’s AMP Project has announced that the platform will now run arbitrary site-defined scripts in a special <amp-script> tag, albeit with some caveats: scripts are limited to 150 KB each, and redrawing after the page has loaded isn’t possible without a precipitating user action. It says that this is to preserve the speed of an AMP page, and I believe this argument — generally, the fewer bytes a page transfers, the faster it is. This follows the project’s recent announcement of sending markup to client browsers instead of unpacking pages with a required 100 KB JavaScript file.

The AMP team has not yet confirmed a date at which it expects to entirely replicate HTML in its proprietary language, but all signs point to Google continuing to use its influence to coax publishers into running a second version of their websites entirely tailored for the company’s needs.

Nation Stunned by Support Document Explaining Ways in Which an Apple Card May Not Look New Forever


If your titanium Apple Card comes into contact with hard surfaces or materials, it’s possible that the coating can be damaged.


Some fabrics, like leather and denim, might cause permanent discoloration that will not wash off.

Dr. Drang:

My complaint is not that the Apple Card may lose its luster in a wallet. I’m not sure anything will maintain its looks when put between sheets of leather and compressed by my butt. My complaint is that Apple wrote a support document that looks absurd and invites snarky comments. Everything Apple does generates derision from Apple haters; this generated derision from Apple’s best customers.

There are many reasons to criticize Apple’s credit card, including its very concept. But its propensity for becoming stained is a remarkably silly complaint. Everything that has been in my wallet for more than a few months looks a little worn, and I wouldn’t expect anything sandwiched in leather and sat on for eight hours a day to behave differently.

If you’ve exhausted a list of possible things to do in the world to the point where you’re spending time cleaning your credit cards, this support article is for you.

Teslas Can’t Drive Autonomously Around Parking Lots, but the Company Thinks That It Will Ship Full Automation by Early Next Year

Timothy B. Lee, Ars Technica:

In July, Tesla was still struggling to get the technology working. “Parking lots are a remarkably hard problem,” Musk tweeted. “Doing an in-depth engineering review of Enhanced Summon later today.” Three days later, he announced an August 16 price hike of $1,000 for the full self-driving package, adding, “that’s approximately date when we expect Enhanced Summon to be in wide release.”

But August 16 came and went with no price hike and no release of smart, enhanced, or advanced summon technology. Now Musk admits that the technology is still a month or two away.

Tesla is far from the only company to miss a self-imposed technology deadline — especially in the self-driving sector. We certainly don’t fault the company for delaying release of a safety-sensitive technology that’s not ready for prime time. But we do wonder if Musk should be more cautious about projecting technology release dates.

Elon Musk said in a 2015 interview that self-driving cars are “a much easier problem than people think” they are, and predicted fully-autonomous vehicles would be on the road within two to three years. He has made similar predictions that downplay the difficulty of shipping a car that can accelerate, brake, steer, change lanes, merge, navigate complex intersections, handle tricky terrain, and anticipate the actions of other drivers. Teslas can’t reliably navigate a parking lot in California, let alone the traffic circle around Arc de Triomphe — or worse.

This stuff is obviously hard. It’s possible that a fully-autonomous vehicle is decades away, if one will ever ship. Why does Musk so eagerly promise deadlines that I am sure he recognizes are impossible to meet? After all, it’s not just customers that he needs to avoid misleading.

Opting Out of Binding Arbitration Isn’t Just an Apple Card Thing

Apple Card’s binding arbitration clause is something I’ve written about before, but I wanted to re-up it in the wake of the broader launch of the credit card for two main reasons.

The first thing I think you should know is that, while everyone has been discussing this in the context of the Apple Card, mandatory arbitration is by no means exclusive to that product. It is increasingly likely that most of the contracts you’ve either signed or agreed to electronically have bound you to resolving disputes through arbitration rather than a lawsuit.1 What’s worse, these clauses must be opted out of within a specified time frame from when the agreement became active. For Apple’s credit card, it’s within ninety days (PDF), while American Express gives new cardholders just forty-five days (PDF) to maintain their right to file a class action suit.

It’s not just payment card companies that include an arbitration provision. I found binding arbitration clauses in the terms and conditions documents of various internet service providers, cell carriers, eyewear companies, consumer electronics companies, and subscription boxes for clothing, grooming products, and food. That’s right: food subscriptions have a mandatory arbitration clause. And if you’re a HelloFresh customer and you’d like to retain your right to join a class action lawsuit, you’d have to opt out by mailing a letter to the company within sixty days of agreeing to their terms — which, of course, you had to do when you signed up.

In fact, most of the time, you’ll have to physically mail something to these companies; you usually cannot opt out electronically. Buy some stamps. But, while it may be easier to opt out of the Apple Card arbitration agreement than most others, it does have a caveat, and that’s the second thing I wanted to make note of.

Barbara Krasnoff, the Verge:

[A] couple of readers have reported that if you opt out of the arbitration agreement using Messages, you will not get any type of confirmation. Instead, the representative at the other end of the line will recommend that you take screenshots of your conversation. Needless to say, until the company changes that policy, screenshots are an excellent idea — just in case.

Make sure you keep a record of this conversation in a safe place. Chances are, you’ll never need to use it; but, if you do, it will be for a very good reason and you won’t want to have lost this admittedly minimal documentation.

Update: As Lawrence Velázquez points out, most companies do not provide confirmation of your request to opt out of binding arbitration. Keep a paper trail as best you can.

  1. I think the Economic Policy Institute’s report on mandatory arbitration is a well-rounded explanation of why this is often highly beneficial to companies at huge loss to consumers and employees. ↩︎

The Fate of the iTunes Store in MacOS Catalina

Kirk McElhearn:

In early betas of macOS Catalina, the iTunes Store was visible, but in recent betas it did not show up in the sidebar of the Music app if the user was signed into Apple Music. That seems to be the default now: if a user has an Apple Music account, they won’t see the iTunes Store. You can display it, if you wish, in the Music app’s Preferences, on the General pane, but if you’re a streamer, you won’t see it by default.

This seems like a graceful way to handle the virtually-complete transition of listeners from purchasers to streamers. For those of us who do both, it’s a preference change. Pretty straightforward.

What this means for the future of the iTunes Store seems obvious, but it is not a future I’m willing or eager to accept.

Disinformation Campaigns Targeting Hong Kong Protesters Run Rampant on Twitter

Maciej Cegłowski in a Twitter thread:

Every day I go out and see stuff with my own eyes, and then I go to report it on Twitter and see promoted tweets saying the opposite of what I saw. Twitter is taking money from Chinese propaganda outfits and running these promoted tweets against the top Hong Kong protest hashtags

What China is doing is clear. If these peaceful, extremely self-disciplined protesters who enjoy the clear backing of the overwhelming majority of Hong Kongers can be discredited, it will be easier to crack down. What the fuck Twitter thinks it’s doing is less clear.

Ryan Mac and Rosalind Adams, Buzzfeed News:

The Chinese government has struggled to contain the narrative of the months-long protests, which have seen pro-democracy activists face increasingly aggressive police tactics in the streets. Though Twitter and Facebook are banned in China, the Chinese state media runs several English-language accounts to present its views to the outside world.

“It’s very clear that the Chinese state media is essentially buying ads on Twitter and Facebook for the purpose of reaching an international audience as part of China’s effort to ‘tell its story better,’” said Adam Ni, a China researcher at Macquarie University in Sydney. The Communist Party sees this “as critical in the battle of hearts and minds,” he added.

In a similar vein, Ryan Gallagher of the Intercept reported that the Chinese government was also buying ads on Twitter that served as propaganda against the Uighur people of Xinjiang.

Twitter responded:

Today, we are updating our advertising policies with respect to state media. Going forward, we will not accept advertising from state-controlled news media entities. Any affected accounts will be free to continue to use Twitter to engage in public conversation, just not our advertising products.

This is a global approach and will be enforced across our entire business.

The turnaround on this policy change was just a few days from when Cegłowski began tweeting about it, indicating that Twitter can change quickly when it needs to, and tacitly raising the question of why it takes so long for the company to react to other obvious shortcomings in its product.

Twitter also disclosed today that there was a coordinated astroturfing campaign of propaganda that used a little over 900 accounts in an effort to surreptitiously manipulate opinion and coverage of the demonstrations in Hong Kong.

Facebook has said that it won’t ban state-run media advertisers on its platform.

Media’s Mega-Mergers Are Already Having an Impact on Storytelling

Alex Cranz, io9:

Now imagine what’s happening right this moment. The House of Mouse may already be self-censoring because it has a brand image to uphold. That self-censorship will now be applied to nearly 40 percent all the movies you watch, and between ABC and Hulu and Disney+ it will own a whole heckuva lot of the TV you consume too. AT&T is cutting costs and killing favorites to try and build a popular and inoffensive rival to the other big streamers (and Disney’s looming giant). CBS and Viacom have only just begun their own plans for streaming domination, but already people are noting, and/or hoping, for reboots and continuations of their favorites.

Cranz’s piece illustrates the necessary impact on storytelling when new films and television shows are run through the machinations of a shrinking number of large studios, the largest of which has a particularly sensitive approach to more challenging topics. But because these companies also control many of the distribution channels to the greatest degree since United States v. Paramount, it’s possible that independent films would find themselves shut out of an audience even if they could be financed.

Or, perhaps the combined bureaucratic weight of these mega-studios will cause them to collapse on themselves; they may find it difficult to produce captivating new works. That doesn’t seem to be likely. When all but a couple of the twenty highest-grossing films of the year are either franchise tie-ins or sequels, we’ve demonstrated a booming market for mediocrity.

AT&T, Disney, and CBS haven’t been as explicit in noting their desire for our viewing habits, but it’s absolutely one reason they’re pushing into the streaming space and trying to gobble up as much of the pie as they can. “Basically, sign up as many subscribers as possible and get them into the service, and give them a chance to enjoy the great intellectual property and product that will be part of that service,” Disney CEO Bob Iger told a group of analysts and reporters last week, per a CNBC report.

Nothing would warm my heart and disrupt my stomach more than for “intellectual property” to replace the current miserable term for anything made by anyone in any context.

Server-Side Rendering With AMP

Let me get this straight: Google launched AMP as a way to speed up the web by, somehow, adding a hundred kilobytes of JavaScript as an intermediary for all pages created with its language. It then realized that this was not as fast as serving plain markup, so it’s now extolling the virtues of adding a server-side rendering process, which — and I promise that I am not making this up — breaks the AMP spec. And, somehow, this is all better and more logical than sending some standard HTML down the pipe.

I guess that it must be, so long as Google keeps manipulating search results for mobile users to favour its own AMP project over any normal webpage, even very fast ones.

WebKit Publishes Tracking Prevention Policy

Earlier this week, Apple’s WebKit team announced its strong Tracking Prevention Policy:

This document describes the web tracking practices that WebKit believes, as a matter of policy, should be prevented by default by web browsers. These practices are harmful to users because they infringe on a user’s privacy without giving users the ability to identify, understand, consent to, or control them.


We treat circumvention of shipping anti-tracking measures with the same seriousness as exploitation of security vulnerabilities.

This is the correct position. Kudos.

Reflecting on the Targeted Harassment of Women on the Internet, Five Years After ‘Gamergate’

It is very hard to come to terms with the brutality of the tactics honed by abusive people — nearly entirely men — during the “Gamergate” saga, and now used constantly to dehumanize women, queer individuals, and non-white people.

Sarah Jeong was targeted last year for some decontextualized Twitter jokes:

Tucker Carlson did a segment about me on Fox News. The president called me “disgusting” in a tweet. Shortly after the arrest of Mr. Sayoc, the MAGA bomber, the media discovered that he had sent me a death threat on Twitter.

Of the many threats of rape, dismemberment and murder sent to me and to my workplace, at least one was concerning enough that The New York Times filed a police report. But Mr. Sayoc’s tweet at me — a bizarre, confusing insinuation that my corpse was going to be dumped in the Everglades — barely pinged anyone’s radar, let alone my own, until he made the news for mailing pipe bombs.

Charlie Warzel contributed an article documenting the myriad influences on broader culture that are directly linked to the reaction on Reddit and 4chan to a crappy blog post. But the pieces from Jeong and Brianna Wu reflect on the terrible effects these harassment techniques have had on the women who experience them, and they are absolutely worth your time and reflection.

The Cost of Cross-Platform Code Sharing

Eyal Guthmann of Dropbox:

Until very recently, Dropbox had a technical strategy on mobile of sharing code between iOS and Android via C++. The idea behind this strategy was simple—write the code once in C++ instead of twice in Java and Objective C. We adopted this C++ strategy back in 2013, when our mobile engineering team was relatively small and needed to support a fast growing mobile roadmap. We needed to find a way to leverage this small team to quickly ship lots of code on both Android and iOS.

We have now completely backed off from this strategy in favor of using each platforms’ native languages (primarily Swift and Kotlin, which didn’t exist when we started out). This decision was due to the (not so) hidden cost associated with code sharing. Here are some of the things we learned as a company on what it costs to effectively share code. And they all stem from the same basic issue:

By writing code in a non-standard fashion, we took on overhead that we would have not had to worry about had we stayed with the widely used platform defaults. This overhead ended up being more expensive than just writing the code twice.

Fascinating stuff from a company that is about to launch an Electron-based desktop client.

Amazon’s Bezos Brigade Unleashed On Twitter

Aric Toler, Bellingcat:

On August 14, a Twitter thread that included a small army of “Amazon FC Ambassadors” went viral, bringing to light Amazon’s year-long social media brand ambassador program.


Last year, Amazon rolled out a program where employees at these fulfillment centers (warehouses) are able to also work as brand ambassadors to describe their experiences working at Amazon. A number of media outlets reported on this new program last year after the first wave of Ambassadors sent out bizarre tweets promoting Amazon’s workplace conditions.

Per the 2018 reports, these Ambassadors were given “an extra paid day off and a [$50] gift card” for their efforts in volunteering to defend Amazon from their online detractors.

If employees want to defend their employer against criticism — online or offline, I don’t care — that’s their jam. But they shouldn’t be paid to be a public relations prop when they’re clearly not an official representative. This is a dismal practice that I hope does not spread.

Tech Companies Should Be More Upfront and Plain-Spoken with Practices That Could Violate Users’ Privacy

Nicole Nguyen, Buzzfeed News:

As we found out yesterday, Facebook paid outside contractors to transcribe voice memos from users who turned on chat transcription in the Messenger app. The company is the latest in a string, including Amazon, Google, Apple, and Microsoft, caught sending users’ audio to third-party firms for analysis.


Most folks buying Google Homes and Echos from a mall kiosk aren’t aware. That’s in part because of the products’ “just like that!” marketing, but largely because Amazon, Google, Apple, Microsoft, and Facebook haven’t clearly told consumers what they do with their voice and video information. None of those companies’ data policies state that what we say and do in front of our voice assistants, internet-connected cameras, and messaging apps can be shown to strangers employed by the companies or their contractors.

Plain-language explanations of practices that may be compromising to users’ privacy can be hard to write. I am certain that the opt-in rate would be extremely low if these devices asked users — during the onboarding process, for example — whether a selection of their voice recordings can be retained and later reviewed by a human being.

Nevertheless, it is unquestionably the right thing to do.

Companies should be able to educate customers on why they should opt in. They should be upfront and direct about what they will do with recordings. They should go to great lengths to explain how recordings will be de-identified, processed anonymously, and removed within days. That builds confidence that users’ recordings will not be exploited, and that a small compromise of their privacy will lead to better results, should they so choose. Of course the opt-in rate for this will be low — but that’s how it should be. Better that than having these shady practices exposed, with users left feeling violated.

Suprema’s Biometrics Database with Fingerprints, Face Photos, and Plain Text Passwords Found to Be Publicly Accessible

Josh Taylor, the Guardian:

The Israeli security researchers Noam Rotem and Ran Locar working with vpnmentor, a service that reviews virtual private network services, have been running a side project to scan ports looking for familiar IP blocks, and then use these blocks to find holes in companies’ systems that could potentially lead to data breaches.

In a search last week, the researchers found Biostar 2’s database was unprotected and mostly unencrypted. They were able to search the database by manipulating the URL search criteria in Elasticsearch to gain access to data.

The researchers had access to over 27.8m records, and 23 gigabytes-worth of data including admin panels, dashboards, fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, and personal details of staff.

Biostar 2 is operated by Suprema, a Korean company, which means that this breach should be investigated under the country’s strict Personal Information Protection Act. If this report is true, it’s shocking that they did not bother to encrypt fingerprint data, staff details, or administrative usernames and passwords.
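For anyone who runs a document store of their own, here is an audit for the plaintext-password part of that finding. It is an added example, not code from the researchers or from Suprema; the field names, the sample record, and the `scrypt$...` storage encoding are constructed for illustration. It walks a JSON-style record, flags credential fields whose values are not in a recognised hash format, and rewrites them as salted scrypt hashes.

```python
import base64
import hashlib
import hmac
import os
import re

# Keys that usually hold credentials (a heuristic; tune it to your schema).
SENSITIVE_KEY = re.compile(r"passw|pwd|secret|(^|_)pin($|_)", re.IGNORECASE)

# Values that already look like password hashes: bcrypt and Argon2 in modular
# crypt format, plus this example's own "scrypt$n$r$p$salt$hash" encoding.
HASHED_VALUE = re.compile(
    r"^(\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}"
    r"|\$argon2(id|i|d)\$.+"
    r"|scrypt\$\d+\$\d+\$\d+\$[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+)$"
)

N, R, P = 2**14, 8, 1  # scrypt cost parameters used for new hashes


def _b64(raw):
    return base64.b64encode(raw).decode()


def hash_password(password, salt=None):
    """Salted scrypt hash, serialised in this example's storage encoding."""
    salt = salt or os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)
    return f"scrypt${N}${R}${P}${_b64(salt)}${_b64(dk)}"


def verify_password(password, stored):
    """Recompute the hash with the stored parameters; constant-time compare."""
    _, n, r, p, salt_b64, dk_b64 = stored.split("$")
    expected = base64.b64decode(dk_b64)
    dk = hashlib.scrypt(password.encode(), salt=base64.b64decode(salt_b64),
                        n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def _is_plaintext_credential(key, value):
    return (isinstance(value, str) and bool(SENSITIVE_KEY.search(key))
            and not HASHED_VALUE.match(value))


def find_plaintext_credentials(node, path=""):
    """Return the paths of credential fields stored as readable text."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if _is_plaintext_credential(key, value):
                findings.append(here)
            else:
                findings.extend(find_plaintext_credentials(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(find_plaintext_credentials(item, f"{path}[{i}]"))
    return findings


def harden(node):
    """Return a copy of the record with flagged fields replaced by hashes."""
    if isinstance(node, dict):
        return {k: hash_password(v) if _is_plaintext_credential(k, v) else harden(v)
                for k, v in node.items()}
    if isinstance(node, list):
        return [harden(item) for item in node]
    return node


# Constructed sample record; not taken from the exposed database.
SAMPLE_DOC = {
    "user_id": 1001,
    "username": "admin",
    "password": "abc123",
    "profile": {"name": "Example User", "pin": "0000"},
    "devices": [{"admin_password": "$2b$12$" + "x" * 53}],  # bcrypt-shaped value
}

if __name__ == "__main__":
    print("plaintext fields:", find_plaintext_credentials(SAMPLE_DOC))
    print("after hardening: ", find_plaintext_credentials(harden(SAMPLE_DOC)))
```

Hashing only covers the password fields; it does nothing about the database being reachable without authentication, and it does not apply to fingerprint or face data.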

Apple Card’s Targeted Ads May Be Non-Creepy, But They’re Still Unexpected

Steve Moser (via Michael Tsai):

Apple will target users for marketing emails and push notifications based on their transaction history. “For example, Apple may send a message to your device that is relevant to people who typically purchase travel.” Apple might have been able to negotiate reduced fees by agreeing to allow advertising to Apple Card users.

Moser posted a copy of the on-boarding text in full, which describes this in more detail:

Apple may use your Apple Card account status, such as whether you have applied for or have a current Apple Card account, to determine whether a message is relevant to you, including a marketing message. Apple may also send messages to your device, which may use information known only to you and your device, such as your transaction history and location, to help determine whether a message is relevant to you. For example, Apple may send a message to your device that is relevant to people who typically purchase travel. Apple does not need to know whether you purchased travel. Your device can use your transaction history to decide whether the message is relevant to you. This helps to ensure that you receive relevant communications, while protecting your privacy. Apple does not know which messages you see on your device.

Anonymous and aggregate information that cannot be tied to you may also be used for Apple Card marketing and other messaging. You may opt out of marketing messages by clicking the unsubscribe link in a marketing email or by turning off notifications for Apple Card.

Based on what I’m reading here, it sounds like Apple is sending push notification message text to all Apple Card users, but only displaying it if it’s relevant to a specific user. It’s a clever way of doing semi-targeted ads without violating users’ privacy.

I think that’s less relevant to users than whether they expect to receive ads in their email account and on their lock screen because they signed up for Apple’s credit card. The more nihilistic user might, but Apple is supposed to be the company that doesn’t point to some clause in their terms and conditions as a free pass to exploit users.

Apple’s marketing website:

At Apple, we firmly believe in your right to privacy. That’s why we created a unique architecture for Apple Card that generates things like your transaction history and spending summaries right in the Wallet app on your iPhone.

Of course, Goldman Sachs will use your data to operate Apple Card. But they will never share or sell your data to third parties for marketing or advertising.

Apple’s solution is in agreement with the letter of these statements, but certainly not the spirit.1

There are parts of this product that are distinctly un-Apple-like, but none more so than the use of push notifications to send targeted advertisements. I do not believe that Apple must compromise its advantages and expectations to compete effectively in the services business; but, if it feels like it does, why should I choose its offerings over those from competitors?
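The design inferred above from the onboarding text, where every device receives the same message and decides locally whether to show it, can be modelled in a few lines. This is an added illustration, not Apple's code; `Campaign`, `Device`, `broadcast`, the event names, and the sample transactions are all hypothetical. It also shows the condition the privacy claim rests on: nothing a device sends back may depend on whether the message matched.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Campaign:
    campaign_id: str
    text: str
    category: str       # spending category the message is aimed at
    min_purchases: int  # matching purchases needed to count as relevant


@dataclass
class Device:
    device_id: str
    transactions: list                # (category, amount); never leaves the device
    report_impressions: bool = False  # True models a client that leaks the outcome
    displayed: list = field(default_factory=list)

    def is_relevant(self, campaign):
        """Decide relevance from local transaction history only."""
        hits = sum(1 for cat, _ in self.transactions if cat == campaign.category)
        return hits >= campaign.min_purchases

    def receive(self, campaign):
        """Handle a broadcast and return the events this device sends upstream."""
        uplink = [{"device": self.device_id, "campaign": campaign.campaign_id,
                   "event": "delivered"}]  # identical for every device
        if self.is_relevant(campaign):
            self.displayed.append(campaign.text)
            if self.report_impressions:
                # An impression event is sent only on a match, so it reveals
                # the outcome of the on-device decision.
                uplink.append({"device": self.device_id,
                               "campaign": campaign.campaign_id,
                               "event": "impression"})
        return uplink


def broadcast(campaign, devices):
    """Server side: same payload to everyone; return all events the server sees."""
    observed = []
    for device in devices:
        observed.extend(device.receive(campaign))
    return observed


def server_inferred_interest(observed):
    """Devices the server can single out as matching, from uplink events alone."""
    return sorted({e["device"] for e in observed if e["event"] != "delivered"})


# Constructed sample data.
TRAVEL = Campaign("c-001", "Offer for frequent travellers", "travel", 2)


def sample_devices(report_impressions=False):
    return [
        Device("phone-a", [("travel", 420.00), ("travel", 89.50), ("grocery", 31.20)],
               report_impressions),
        Device("phone-b", [("grocery", 54.10), ("fuel", 40.00)], report_impressions),
    ]


if __name__ == "__main__":
    for leaky in (False, True):
        devices = sample_devices(report_impressions=leaky)
        seen = broadcast(TRAVEL, devices)
        print("leaky client:" if leaky else "private client:",
              {d.device_id: d.displayed for d in devices},
              "server can infer:", server_inferred_interest(seen))
```

In the private variant both phones send the same single event, so the server cannot tell which one showed the message; with impression reporting switched on, the server learns that phone-a buys travel.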

  1. Also, I thought that using push notifications to deliver advertisements was against Apple’s policies. It certainly was. But a 2018 rewrite of the App Review policies document indicates a softer stance (italics mine):

    4.5.4 Push Notifications must not be required for the app to function, and should not be used for advertising, promotions, or direct marketing purposes or to send sensitive personal or confidential information. Abuse of these services may result in revocation of your privileges.

    “Must not” indicates an outright ban on app functionality being dependent on enabling push notifications, but “should not” is basically just a recommendation. Gross.

    Update: The allowance of push notification advertising actually dates back to 2016. Thanks, George. ↩︎

Netflix Is Starting to Behave a Lot More Like a Traditional Big Studio

Natalie Jarvey, Hollywood Reporter:

With a market-leading 152 million global subscribers, 10 percent of TV screen time in the U.S. and a several-year head start, Netflix may be too big to fail. But that hasn’t stopped a growing chorus of questions over how long the “Netflix bubble” can last. Its ballooning costs — analysts estimate that it will spend between $10 billion and $15 billion on content this year — means it burns through cash ($3 billion in 2018). Its current debt load is $12 billion.

Worries ratcheted up July 17 when the company reported its first subscriber loss in the U.S. in eight years. Its high-flying stock came crashing down 15 percent, erasing $24 billion in value in less than a week. “It’s notable that they lost subscribers before they lost a meaningful amount of content and before there was direct competition from their suppliers,” says Wedbush’s Michael Pachter, a noted Netflix bear. “This suggests they will face additional pressure when they lose content later this year and as their current [licensing] contracts with Warner Bros., Fox, Disney and NBCU expire.”

Once the studios figured out that they, too, could sign a contract with AWS and build a streaming media player, they replaced Netflix’s big advantage with an even worse version of the old cable television model. If you’re a film or television buff and want to maintain a moral and legal high ground, there’s no question in my mind that you’ll pay more for a combination of streaming services than you used to for cable.

But if I were an executive at one of these conglomerates, I’m not sure I’d wager too much on the inability for users to remember how their torrent client works.

Automattic Acquires Tumblr

Ursula Perano and Dan Primack, Axios:

Verizon is set to sell the social network Tumblr to Automattic Inc, the owner of online publishing tool WordPress. A source familiar with the deal puts the price-tag “well below” $20 million, while another source puts it below $10 million.

To clarify, Automattic is the owner of WordPress.com, the commercial entity that provides hosting and support of websites powered by WordPress the software; the latter is maintained by the WordPress Foundation, and Automattic’s CEO is Matt Mullenweg, who began developing WordPress alongside Mike Little. It’s quite confusing. I assume his favourite song is “Wilco” off the album Wilco by Wilco.

Primack on Twitter:

Again, just to be clear… emphasis on the “well below” $20 million…

Story updated: Price less than $3 million.

A fire sale for the property, but that excludes the salaries of the two hundred employees they’re also bringing with them. Kudos to Automattic for keeping the staff on board.

Matt Mullenweg formally announced the acquisition on his Tumblr account:

When the possibility to join forces became concrete, it felt like a once-in-a-generation opportunity to have two beloved platforms work alongside each other to build a better, more open, more inclusive – and, frankly, more fun web. I knew we had to do it.


In the underlying technology of our platforms, I think there are some good opportunities to standardize on the Open Source WordPress tech stack, but the front-end user experience on Tumblr will evolve on its own path. It has been so successful already, and we want to keep that going. The Tumblr team also has some exciting functionality they’re eager to unlock once we close the acquisition officially in a few weeks…

Automattic will obviously be a better steward of Tumblr than Yahoo or Verizon were, but I question whether the unique qualities of its communities can experience a resurgence. It has felt for years like it has been dying a protracted death, and its 99% discounted sale price speaks to that.

In Pursuit of Increased and Diversified Revenue Streams, Google’s Internal Culture Eroded

Nitasha Tiku, Wired:

All of those precepts sent Google’s workforce into full tilt after the travel ban was announced. Memegen went flush with images bearing captions like “We stand with you” and “We are you.” Jewglers and HOLA, affinity groups for Jewish and Latinx employees, quickly pledged their support for Google’s Muslim group. According to The Wall Street Journal, members of one mailing list brainstormed whether there might be ways to “leverage” Google’s search results to surface ways of helping immigrants; some proposed that the company should intervene in searches for terms like “Islam,” “Muslim,” or “Iran” that were showing “Islamophobic, algorithmically biased results.” (Google says none of those ideas were taken up.) At around 2 pm that Saturday, an employee on a mailing list for Iranian Googlers floated the possibility of staging a walkout in Mountain View. “I wanted to check first whether anyone thinks this is a bad idea,” the employee wrote. Within 48 hours, a time had been locked down and an internal website set up.


In his short, off-the-cuff remarks to the packed courtyard, Pichai called immigration “core to the founding of this company.” He tried to inject a dose of moderation, stressing how important it was “to reach out and communicate to people from across the country.” But when he mentioned Brin’s appearance at the airport, his employees erupted in chants of “Ser-gey! Ser-gey! Ser-gey!” Brin finally extricated himself from the crowd and shuffled up to the mic, windbreaker in hand. He, too, echoed the protesters’ concerns but tried to bring the heat down. “We need to be smart,” he said, “and that means bringing in folks who have some different viewpoints.” As he spoke, a news chopper flew overhead.

And that was pretty much the last time Google’s executives and workers presented such a united front about anything.

Tiku presents a deep, well-investigated look at an increasingly toxic internal culture as executives pursued morally-challenged money making opportunities.

We’re All Killing Uber Just By Using It

Jamie Powell, FT (registration required):

Uber is a decade old global brand whose core business — ride-sharing — is now growing at just 2 per cent. It is also betting heavily that its smaller business lines, such as food delivery and freight, will be a source of future growth.

In other words, it’s acting less like a start-up, and more like a legacy tech company scrambling for new growth. Think Oracle, IBM or perhaps even the modern-day Apple.

Notice the difference, however. All of these companies have “cash cow” products which help to keep the buybacks and dividends flowing, as well as funding future bets. Uber on the other hand…

Edward Ongweso Jr, Vice:

Typically, this business model would be paid for with passenger fares. But Uber’s passenger fares are artificially low because it uses investor money to subsidize trips, attract customers, and undercut competitors. This means that Uber is losing money on many of its rides. Taxicab companies can’t operate like this because they don’t have the billions in investor capital that Uber does. Simply put, Uber is losing money in part because its fares are too low; its long-game is to undercut competitors long enough for them to go out of business so it can jack up prices, or to develop driverless car technology before it completely runs out of money, pushing its expenses on drivers down toward zero.

I keep returning to a 2017 piece in the Economist, which was summarized and expanded upon by Ryan Felton at Jalopnik: in short, the most shocking thing about Uber would be if it had long-term success. It’s worth pointing out that the Economist made this assessment on having losses of a billion dollars a year; Uber just reported five billion dollars of loss in a single quarter. Even if you’re desperate to give them all the benefit of accounting by deducting the losses incurred from paying out shareholders — and have not read Powell’s piece refuting this very argument — that’s still over a billion dollars in a single quarter.

That’s not to say that Uber is an assured failure. But indicators are stacking up that something must fundamentally change for the company to function in the long term.

The FTC Completely Blew Its Settlement With Equifax

The rollercoaster of stories that followed last month’s settlement between the FTC and Equifax was truly something to behold. The FTC touted its value, which critics excoriated as inadequate. Articles soon explained how to get a cash settlement for those who already have a credit monitoring service, but were quickly followed by those arguing that the widely-publicized $125 figure was dependent on the number of claimants for a $31 million pool. Some, like Karl Bode at Vice, said that the “FTC should fine itself for false advertising” after claiming that those affected could be eligible for $125.

I don’t think this fully grasps just how badly the FTC blew this settlement, and primarily for a reason almost entirely unrelated to the confusion about the $31 million fund for credit monitoring payouts.

I was among many who got this wrong when I repeated the claim of the $125 payout, and also in my summary of why that $125 figure may be incorrect, so I thought it would be valuable to go back to the settlement itself to explain why this is a raw deal. In its press release, the FTC summarized the divvying up of the $575–700 million settlement:

  • $100 million is paid as a fine to the Consumer Financial Protection Bureau

  • $175 million is paid to settle cases brought by 48 states, plus Washington D.C. and Puerto Rico

  • $300 million is set aside for a consumer restitution fund, which would compensate individual claimants directly

It’s that last bucket of cash in which two specific piles of money reside. The first is a $31 million pool for alternative payouts for credit monitoring, which the FTC required Equifax provide to claimants. But if a claimant already has credit monitoring, they can opt to be paid up to $125 instead. And we will get to that “up to” in a moment.

A second pool, also of $31 million, is to be used to compensate claimants for time spent dealing with the settlement. For example, if a claimant spent an hour on the phone with an Equifax representative to get their credit frozen, that would be paid out of this second pool.

The remainder of the $300 million is to be set aside for direct out-of-pocket losses arising from the breach, such as those stemming from fraud, identity theft, and so forth. None of the money from this settlement will be given back to Equifax, but the details are not as simple as the FTC portrayed, either.

I want to get the matter of the $31 million buckets out of the way first, and I think Lily Hay Newman of Wired explains it perfectly:

But not all is lost, and there’s still a decent chance that Equifax will pay you all $125. As Slate points out, the $31 million cap will lift, assuming Equifax hasn’t spent all of the $425 million in its “Consumer Fund” — money it has committed to things like covering people who can specifically document losses stemming from the breach — in four and a half years. At that point, whatever’s left of that $425 million will be applied to the $125 payouts, presenting much better, if belated, odds.

Like all things Equifax, this does not come without a caveat. Even if the full $425 million in the consumer restitution bank account goes towards $125 payments for compensation of credit monitoring services, that amount would only support the claims of 3,400,000 people. Over forty-three times that number were affected by this breach.

Also, because this bucket is part of a pile of money with broader scope, those claims will be mixed with requests for compensation of time spent, as well as direct losses from fraud.

A bigger problem still is that this settlement is designed to mitigate the financial damage to consumers. That would be handy if this data were stolen for economically opportunistic reasons, but that doesn’t seem to be the case. A February report from Kate Fazzini at CNBC noted that no Equifax breach data had surfaced anywhere, despite financially-motivated hackers usually publicizing their haul with urgency.

A more likely scenario is that those responsible for exfiltrating Equifax’s files were state actors. A Bloomberg story from September 2017, citing investigators and those briefed on their findings, claimed that China was a likely culprit, though another country could be responsible.¹ It is likely that the data stolen — which comes from a financial firm, making it ostensibly more accurate than any old data dump — could be combined with other sources to target specific individuals, per Fazzini’s reporting and Bloomberg’s story.

This settlement does nothing to dissuade state actors from continuing to pilfer sensitive data, nor does it encourage care for those who stockpile information like this. Of course, the FTC has limited scope and powers. It could not accomplish the former, but it certainly could attempt the latter.

Instead, the Commission agreed to a weak deal that barely impacts Equifax’s financial status and does little to encourage better behaviour in data-hoarding industries. Even if this were a financially-motivated crime, this settlement does not protect those affected. But this breach was so much more, and this settlement doesn’t begin to address the far more serious and more likely rationale.

  1. I am obligated to point out that this Bloomberg story bears in its byline the two reporters responsible for the inaccurate “Big Hack” feature.

    By the way, that story just won the Black Hat Pwnie for the most overhyped bug. Congratulations — I guess? — Michael Riley and Jordan Robertson. ↩︎

Uber Lost Over $5 Billion Last Quarter, Including $3.9 Billion in Stock-Based Compensation After IPO

Kate Clark, TechCrunch:

$5.2 billion in net losses represents the company’s largest-ever quarterly loss. Revenue, for its part, is up only 14% year-over-year, igniting concerns over slower-than-ever growth. The company says a majority of 2Q losses are a result of stock-based compensation expenses for employees following its May IPO. Stock compensation aside, Uber still lost $1.3 billion, up 30% from Q1.

Aaron Gordon, Jalopnik:

But you math whizzes out there will note that leaves approximately $1.3 billion in regular ol’ we-just-lost-a-buncha-money losses, up from $1 billion last quarter and $878 million a year ago.


As of this writing, Uber has lost $16.2 billion since 2016.

How is this investor-subsidized pirate taxi operation not considered predatory?

Critical U.S. Election Systems Have Been Left Exposed Online Despite Official Denials

Kim Zetter, Vice:

For years, U.S. election officials and voting machine vendors have insisted that critical election systems are never connected to the internet and therefore can’t be hacked.

But a group of election security experts have found what they believe to be nearly three dozen backend election systems in 10 states connected to the internet over the last year, including some in critical swing states. These include systems in nine Wisconsin counties, in four Michigan counties, and in seven Florida counties — all states that are perennial battlegrounds in presidential elections.

Some of the systems have been online for a year and possibly longer. Some of them disappeared from the internet after the researchers notified an information-sharing group for election officials last year. But at least 19 of the systems, including one in Florida’s Miami-Dade County, were still connected to the internet this week, the researchers told Motherboard.

A reminder that proposals to fund increased election security are being blocked by Senate Republicans. Also, it remains unclear to me what glaring problems exist with paper ballots which are solved by electronic voting machines.

The Grey Fog of Moderating the Web

I’m not sure why, but the hottest topic right now in technology ethics seems to be Section 230 of the Communications Decency Act, and I’m already hearing the snoring of half of the people reading this post. This latest round of discussion was perhaps spurred by the ridiculous bill brought by Josh Hawley, which resulted in horrible articles in mainstream publications — one in the New York Times, and another in Bloomberg.

Moderation powers, more generally, have become newsworthy after Cloudflare dropped 8chan in the wake of revelations that the terrorist responsible for the two-hundred-ninety-first mass shooting of 2019 in the U.S. posted his manifesto on the discussion board. Jennings Brown of Gizmodo found this to be a symbolic and ineffectual gesture.

I think Ben Thompson’s take is well-rounded:

This third point is a valid concern, but one I, after long deliberation, ultimately reject. First, convenience matters. The truly committed may find 8chan when and if it pops up again, but there is real value in requiring that level of commitment in the first place, given said commitment is likely nurtured on 8chan itself. Second, I ultimately reject the idea that publishing on the Internet is a fundamental right. Stand on the street corner all you like, at least your terrible ideas will be limited by the physical world. The Internet, though, with its inherent ability to broadcast and congregate globally, is a fundamentally more dangerous medium. Third, that medium is by-and-large facilitated by third parties who have rights of their own. Running a website on a cloud service provider means piggy-backing off of your ISP, backbone providers, server providers, etc., and, if you are controversial, services like Cloudflare to protect you. It is magnanimous in a way for Cloudflare to commit to serving everyone, but at the end of the day Cloudflare does have a choice.

One nitpick I have with Thompson’s piece is that he compares Cloudflare’s decision to net neutrality:

To be perfectly clear, I would prefer that 8chan did not exist. At the same time, many of those arguing that 8chan should be erased from the Internet were insisting not too long ago that the U.S. needed to apply Title II regulation (i.e. net neutrality) to infrastructure companies to ensure they were not discriminating based on content. While Title II would not have applied to Cloudflare, it is worth keeping in mind that at some point or another nearly everyone reading this article has expressed concern about infrastructure companies making content decisions.

I see these as vastly different concerns. Internet service providers are utility providers. All of your web traffic from the same location goes through the same ISP, so it’s truly infrastructural. Cloudflare is entirely unlike that: it’s something that a web engineer can insert into the technology stack between their web host and incoming connections. It feels infrastructural, but it isn’t.

That nitpick aside, this is an excellent piece.

Despite Tech’s Universal Reach, Mainstream Writers Remain Overwhelmingly White

Shawn Wilkins:

Over the years, I’ve become exceptionally privy to websites that lack depth when it comes to having people of color on their teams. The first site that I noticed was BGR. BGR has put up some questionable articles in the past, but to say their site isn’t one of the smaller-yet-respectable ones around when it comes to tech news, information, leaks, and rumors, would be misguided. As one of the first sites I wanted to explore when applying for jobs, this one hit the worst. Their team lacks any people of color or any other groups outside of “white 20s-30s male”. But this post isn’t just about BGR alone. If you name a tech-based site, chances are you see the same kind of results in various degrees throughout. Some have one or two POC writers, some have a plethora, others have none at all and are absurdly brazen about it to the point of tone-deafness or a lack of awareness – possibly both.

It is bafflingly myopic for the press covering an omnipresent industry to continue to rely upon mostly white and mostly male voices.

A Preview of CarPlay Changes in iOS 13

John Voorhees, MacStories:

When my lease was up earlier this year, CarPlay support was at the top of the list of must-have features when we began looking for a new car. We wound up leasing a Nissan Altima, which has a faster entertainment system, larger touchscreen, and better hardware button support for navigating CarPlay’s UI. The hardware differences took a system I already loved to a new level by reducing past friction and frustrations even though the underlying software hadn’t changed.

Just a few weeks after we brought the Altima home though, Apple announced that it would update CarPlay with the release of iOS 13 this fall. In a jam-packed keynote, CarPlay got very little stage time, but I was immediately intrigued by the scope of the announcement. CarPlay hasn’t changed much since it was introduced in 2014, but with iOS 13, iPhone users can look forward to not only significant improvements in its design, but a new app and other features that make this the biggest leap forward for CarPlay to date.

As it was for Voorhees, CarPlay support was a primary deciding factor when we were shopping for a car last year. Once you have it, it’s hard to imagine a vehicle replacement without it.

I can testify to the mostly-wonderful updates to CarPlay after spending two months with iOS 13 and, in particular, after a lengthy road trip last week. The new Dashboard view is excellent.

One of the more frustrating aspects of CarPlay was how it would directly mirror whichever app was frontmost on the connected iPhone. If the driver was relying on Maps directions, for example, and the passenger wanted to change the playlist, opening the Music app on the iPhone would switch to the Music app in CarPlay, too. That’s solved in iOS 13; CarPlay runs more independently of the iPhone, which is a boon on a road trip.

One limitation that remains is that turn-by-turn directions still take over the Maps app both in CarPlay and on the connected phone. When we wanted to find a gas station or restaurant in the next town, the passenger would have to end turn-by-turn directions before being able to search Maps. I kind of understand the technical limitation here and, on a highway, it’s not a big deal to keep driving in a straight line, but it still feels like something that should be possible.

Also in Maps, I’ve found that its ability to recognize a likely next destination is spotty at best. I added motel bookings as calendar events with addresses, but Maps never once suggested these as destinations, even though CarPlay now includes a Calendar app.

Siri still has problems. I have cellular data disabled in Music because I only want to use my local library with my metered plan. Asking Siri to play a particular album or artist within my local library would always fail with the same message of needing to connect to WiFi first, suggesting that it was only searching Apple Music. It’s frustrating if you want to safely change your playlist.

Otherwise, I think that iOS 13 presents plenty of improvements to CarPlay. If you have a car and it supports CarPlay, you’re going to love these changes when the update ships next month.

‘Mastered for iTunes’ Becomes ‘Apple Digital Masters’

Chris Eggertsen, Billboard:

On Wednesday (August 7) Apple Music announced the launch of Apple Digital Masters, a new initiative by the streaming giant that combines all of its “Mastered for iTunes” offerings into one global catalog. This is the company’s first public acknowledgement of the initiative, which it has been quietly unveiling for some time.

Eggertsen was first to report this, and it was picked up by MacRumors, 9to5Mac, iMore, and others, who all seem to have been confused by the last couple of paragraphs in Billboard’s story:

Apple Music isn’t the first streaming service to offer premium audio.

On its 2015 launch, Tidal offered a “HiFi” subscription tier for $19.99 a month ($10 more than a regular subscription) that allowed users to stream lossless audio; two years later, the service upgraded its HiFi tier to stream even higher-quality sound files created with Bob Stuart’s Master Quality Authenticated (MQA) technology. Deezer and Qobuz also offer lossless audio plans for $19.99 a month, with the latter recently unveiling a higher-quality “Studio” subscription tier for $5 more. Spotify has also flirted with a hi-fi tier in the past.

The way this is written makes it sound like Apple Digital Masters is equivalent to the lossless files offered by other platforms, but it is not. It is a rebranding of the Mastered for iTunes spec — probably because Apple is no longer using the soiled “iTunes” branding to refer to their music products, with the exception of the iTunes Store. This spec is important because it helps labels deliver music that is mastered specifically for a compressed audio format, not just a conversion from the CD or vinyl master. This is great.

However, based on everything I’ve read, that seems to be all this announcement is: a mastering specification with a new name, which — according to a screenshot posted last month on Reddit — will still output songs as 256kbps lossy AAC files, which is exactly the same format and bitrate as “regular” Apple Music and iTunes tracks. I feel compelled to point out that there is nothing wrong with this.

It’s a mistake to conflate lossless audio files and better mastering. One will noticeably improve the way your music sounds; the other simply requires far more disk space.

In Yelp Partnership, Grubhub Is Taking Extortionate Commission Fees from Restaurants by Substituting Phone Numbers Without Their Knowledge

In a new episode of the Underunderstood podcast, Adrianne Jeffries investigated the partnership of Yelp and Grubhub. From the transcript:

So I noticed recently, when I went to order from my favorite sushi place, for some reason — I don’t remember what it was, maybe I was thinking I would just call the restaurant and order with them directly. Whatever reason, I ended up clicking on the phone number for the restaurant and it popped up a little box that said, do you want to call for takeout or delivery, or do you want to call with general questions?

And I was like, huh, weird. I clicked on takeout or delivery and then the phone started ringing and this perky recording said, “this call may be recorded to ensure awesomeness.”


I think that means it’s the Grubhub number. And the other number is the real number. And if you can find the restaurant’s actual website, the number that is the real number is the number listed for general questions. So even though it is possible to call most of these restaurants directly and order food with the person who picks up, Yelp is kind of trying to make you think that it’s not. At least that’s my theory.

Jeffries also wrote a companion piece for Vice:

Robert Guarino, CEO of the Manhattan restaurant group 5 Napkin Burger and a board member at the New York City Hospitality Alliance, was also not aware that Grubhub numbers were showing up in Yelp for two of his four restaurants.

“We’re working with these companies to help generate orders, but so many times, we’re put in a position where we need to compete against them to get access to our customers,” he said. “So many of these practices make it hard to trust the companies. To not have all the practices clearly spoken about and understood by the businesses is really scary in my eyes.”

Grubhub offers a “marketing” service to restaurants, which includes being listed on the Grubhub platform, for between 15 percent and 20 percent of each order total. It also offers a physical delivery service, which costs restaurants another 10 percent. Grubhub says it provides phone numbers for restaurants that sign up for marketing but not delivery in order to capture all orders that could be eligible for its fees.

I used the word “extortionate” in the title of this post for two reasons. First, because it’s synonymous with exorbitant, which it is: the profit margin for restaurants is notoriously slim. Across Canada, margins are between –1% and less than 8%, and data from Aswath Damodaran of NYU records a profit margin of about 12%. At a minimum of 15%, Grubhub’s marketing service eliminates a restaurant’s profits on a single meal; at the high end of the marketing service and with its delivery service, Grubhub wants to take financial credit for a full third of an order’s value. Not only can a restaurant not expect any profit on orders made through Grubhub, it can anticipate losing twice what it would have made had that order been placed in its restaurant.

The second reason I wrote “extortionate” is because this practice feels somewhat usurious, in that many restaurants can’t afford not to be listed in delivery apps. I’ve seen a few people on Twitter suggesting, in response to this article, that people order from the restaurant directly instead of going through a delivery app. I’ve tried to do that ever since I found out about the egregious fees these apps take and, occasionally, I’ll be told I must place the order through an app. It’s easy to see why — while pizza chains are known for delivery and can afford to have their own system and drivers, your local sushi joint or donair place probably can’t. Delivery apps like Grubhub provide a useful service to fill this void, of course. But it won’t all be worth it if they continue to charge high fees that threaten to put restaurants out of business, and reroute phone numbers to take a commission — in some cases, even charging restaurants when no order was placed — without telling restaurateurs.

Apple Suspends Human Analysis of Siri Responses in Response to Privacy Concerns

Matthew Panzarino, TechCrunch:

“We are committed to delivering a great Siri experience while protecting user privacy,” Apple said in a statement to TechCrunch. “While we conduct a thorough review, we are suspending Siri grading globally. Additionally, as part of a future software update, users will have the ability to choose to participate in grading.”


An explicit way for users to agree to the audio being used this way is table stakes in this kind of business. I’m glad Apple says it will be adding one.

It also aligns better with the way that Apple handles other data like app performance data that can be used by developers to identify and fix bugs in their software. Currently, when you set up your iPhone, you must give Apple permission to transmit that data.

What’s truly bizarre to me is that there is already a way to prevent Siri logging — it’s just not user exposed. What good reason is there for this to not be something users can choose whether to participate in?

For what it’s worth, if I had been presented the option to allow Apple to maybe use my Siri requests to improve the service overall, I’d have at least considered it; but, since this was done in such a sneaky way, I’m more eager to switch it off. The net result is the same, but the integrity of Apple’s communications matters.

Similarly, this response is far better than their first.

Elon Musk’s ‘Boring Company’ Plans for Underwhelming Las Vegas Transit System for CES 2021

Mark Harris, TechCrunch:

In May, the Las Vegas Convention and Visitors Authority approved a $48.7 million contract for The Boring Company (TBC) to design and build a short underground transit system at the city’s Convention Center, using Tesla electric vehicles running through narrow tunnels.

The ambitious contract calls for the system, called the LVCC Loop, to be up and running in time for the city’s biggest trade show, CES, in January 2021. Over the next 18 months, TBC has to construct one pedestrian tunnel, two 0.8-mile vehicle tunnels and three underground stations, as well as modify and test seven-seater Tesla cars to carry up to 16 people.

Aaron Gordon, Jalopnik:

Musk vs. The Monorail is absolutely the transit fight Americans deserve. But another part of the report jumped out at me: even these Teslas, running through a short, dedicated tunnel that is not set to open until 2021 at the earliest, will have human drivers:

Although TBC’s website states that the system would use autonomous vehicles, presumably using Tesla’s Autopilot technology, Labanowski [TBC’s government relations executive] said the LVCC Loop vehicles would actually also have human drivers “for additional safety.”

So, we’re supposed to believe Teslas will be capable of full-self driving in all conditions by next year even though, by the following year, a safety driver will be needed for a .8-mile tunnel with a dedicated right-of-way, the single simplest application of self-driving that could possibly exist.

When public transit works, it works really fucking well — so well that I threw a profanity in there to emphasize just how borderline magical it is that we’ve invented a way to efficiently transport many thousands of people every hour of the day in big cities. There are gripes that people have with their city’s transit system; if you live in a larger city, I’m sure you’re grumbling right now. But these problems are fixable through better funding and more effective city planning policies.

It does not confuse me why Elon Musk has started this company: it’s a billionaire fantasy business that allows him to sell more Teslas. What baffles me is that some cities have begun seriously considering his ridiculous car tunnel instead of refining the transportation methods we’ve already arrived at. What we have is imperfect, but it works; or, at least, it can work. What the Boring Company has consistently proposed is untenable to the point of mockery.

The FTC Pleads With Claimants to Accept Credit Monitoring After Pitiful Equifax Money Pot Empties

As I wrote earlier this week, the settlement between the FTC and Equifax left only a $31 million money pot for consumers to share if they already have credit monitoring services. Well, it seems that the pot has run dry already, just a week after the settlement was announced.

Robert Schoshinski of the FTC:

The public response to the settlement has been overwhelming, and we’re delighted that millions of people have visited ftc.gov/Equifax and gone on to the settlement website’s claims form.

But there’s a downside to this unexpected number of claims. First, though, the good: all 147 million people can ask for and get free credit monitoring. There’s also the option for people who certify that they already have credit monitoring to claim up to $125 instead. But the pot of money that pays for that part of the settlement is $31 million. A large number of claims for cash instead of credit monitoring means only one thing: each person who takes the money option will wind up only getting a small amount of money. Nowhere near the $125 they could have gotten if there hadn’t been such an enormous number of claims filed.

Consumers could never be fully compensated for the impact of this breach, but announcing this as a settlement of over $575 million with $300 million going towards credit monitoring services is misleading at best. Equifax also did not have to admit culpability, and the CEO responsible retired with a compensation package with a minimum $18 million value — more than half this $31 million pot that could be split between 147 million affected consumers.

This settlement is infuriating and insulting.

Tim Cook’s Comments on Manufacturing and Supply Chain Questions

From Jason Snell’s transcript of Apple’s third-quarter 2019 conference call:

Wamsi Mohan, Bank of America/Merrill Lynch: Tim, the China trade situation remains sort of fluid over here and more recently you asked for some tariff exceptions, were not granted those. How are you thinking about the longer term footprint for manufacturing and can you talk about any potential alternatives that you’ve looked at and considered in moving parts of production potentially out of China.

Tim Cook: Yeah I know there’s been a lot of speculation around the topic of different moves and so forth. I wouldn’t put a lot of stock into those, if I were you. The way I view this is, the vast majority of our products are kind of made everywhere. There’s a significant level of content from the United States, and a lot from Japan to Korea to China, and the European Union also contributes a fair amount. And so that’s the nature of a global supply chain. Largely, I think that will carry the day in the future as well. In terms of the exclusions, we’ve been making the Mac Pro in the U.S., we want to continue doing that. And so we’re working and investing currently in capacity to do so, because we want to continue to be here. And so that’s what’s behind the exclusions. And so we’re explaining that and hope for a positive outcome.

Apple’s earnings call was held on the same day that the New York Times published an article speculating that upcoming generations of iPhone would be manufactured, in part, in Vietnam. Last month, the Wall Street Journal reported that the new Mac Pro would be made in China and, last week, the objectively racist American president[1] said that tariff waivers would not be granted to Apple for Mac Pro production. He also said in an interview that Apple might announce a new factory in Texas, but the new Mac Pro ships this autumn, so I don’t see how that’s immediately relevant.

Cook’s answer to this question seems like it contradicts that reporting somewhat, but he’s very careful to hedge his language. I don’t think he’s being cagey, though. A reasonable interpretation of this might be an acknowledgement that a small percentage of iPhones might be made in India, Vietnam, and Brazil for some markets, but not necessarily the U.S., and not necessarily indicating a large geographic shift in manufacturing.

  1. That’s not strictly relevant to this post; I just thought I’d remind you that he is, in fact, broadcasting openly racist statements from among the world’s most powerful offices.

Over 100 Million Capital One Customers in U.S. and Canada Compromised

Lily Hay Newman, Wired:

On Monday, the FBI and the bank Capital One disclosed a data breach of 106 million credit card applications that compromised information like names, addresses, phone numbers, and dates of birth, along with 140,000 Social Security numbers, 80,000 bank account numbers, and some credit scores and transaction data. It’s one of the biggest breaches of a major financial institution ever. Four months after the incident occurred, within just 10 days of Capital One discovering it, the FBI has already made an arrest in connection with the crime.

Without a doubt, an enormous data breach, described by Capital One in the slimiest possible way in their press release:

No bank account numbers or Social Security numbers were compromised, other than:

  • About 140,000 Social Security numbers of our credit card customers

  • About 80,000 linked bank account numbers of our secured credit card customers

For our Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident.

Only in an era of gigantic security breaches can the disclosure of over a hundred thousand Social Security Numbers and tens of thousands of bank account numbers be rounded down to none.

The Canadian acknowledgement feels like an insulting throwaway. This breach is, for me, a natural extension of a deeply irritating customer service experience. In my early twenties, I was offered what was pitched to me as a rewards and discount card for Hudson’s Bay; it was actually a credit card, despite repeated denials from the customer service representative. That credit card — which I cancelled a few minutes after realizing what it was — was provided through Capital One.


Seattle resident Paige A. Thompson, 33, was charged Monday with one count of computer fraud and abuse, according to the FBI and court records. Thompson, the criminal complaint alleges, went by the hacker name “erratic” in many online accounts and forums. She allegedly exploited a misconfigured firewall to access a Capital One cloud repository and exfiltrate data sometime in March. On April 21, the FBI says, Thompson posted the data to her GitHub account, which included her full name and resume. It is unclear whether anyone downloaded the data after she allegedly posted it, but they very well may have given that Thompson allegedly talked openly about stealing the data, even on Slack.

It’s pretty terrible that this data was exfiltrated in March and was made public in April, but wasn’t reported to Capital One until July — this intrusion apparently wasn’t detected.

Note: This post has been edited.

Fast Software, the Best Software

Craig Mod:

It feels — intuitively — that software (beyond core functionality) should aim for speed. Speed as a proxy for efficiency. If a piece of software is becoming taurine-esque, unwieldy, then perhaps it shouldn’t be a single piece of software. Ultimately, to be fast is to be light. And to be light is to lessen the burden on someone or some task. This is the ultimate goal: For our pocket supercomputers to lessen burdens, not increase them. For our mega-powered laptops to enable a kind of fluency — not battle, or struggle — of creation.

This essay speaks to me on a gut level; I’m sure many of you will have a similar appreciation for it.

Mod’s essay is positive and delightful. I will say — in a more negative and grouchy tone — that slow software invariably irritates me, in a very thousand cuts kind of way. I use Windows at work and I wince every time I click on the Start menu and have to wait for the second-long superfluous render-blocking animation to play. Some of the very slow animations in tvOS make me feel the same way — for example, when exiting the screen saver. Don’t get me wrong — animation adds expected polish — but it should not be an impediment.

Slow software feels imprecise and untrustworthy. Fast software feels implicitly more reliable and cared-for. I have a top-of-the-line iMac; not only should I not feel sluggishness in any day-to-day task, everything ought to feel instantaneous. I wish this were a higher priority for all software firms at an organizational level. For me, at least, it determines what I use.

Contractors Also Listen to Some Siri Audio Without Users’ Explicit Knowledge

With Amazon and Google’s voice assistants confirmed to have humans listening to recordings, it was only a matter of time before it was known whether anyone does the same for Siri.

Alex Hern, the Guardian:

Apple says the data “is used to help Siri and dictation … understand you better and recognise what you say”.

But the company does not explicitly state that that work is undertaken by humans who listen to the pseudonymised recordings.

Apple told the Guardian: “A small portion of Siri requests are analysed to improve Siri and dictation. User requests are not associated with the user’s Apple ID. Siri responses are analysed in secure facilities and all reviewers are under the obligation to adhere to Apple’s strict confidentiality requirements.” The company added that a very small random subset, less than 1% of daily Siri activations, are used for grading, and those used are typically only a few seconds long.

A whistleblower working for the firm, who asked to remain anonymous due to fears over their job, expressed concerns about this lack of disclosure, particularly given the frequency with which accidental activations pick up extremely sensitive personal information.

Hern confirmed to me that their source works for a third party, not Apple directly. That’s similar to the way Google does it, while Bloomberg describes the people who listen to Amazon’s recordings as “employees and contractors”. I think it matters whether these individuals are employed directly or through third parties like Apex — both for the sake of the employees as well as the inherently private nature of what they’re dealing with.

I also think it matters what kind of company is using this data. Amazon and Google use users’ behavioural data to sell targeted advertisements. While they’ve denied that they use voice data for targeting, I still find it slightly more uncomfortable that they may keep records of users’ voice recordings than I do for Apple which doesn’t build huge user data profiles for advertising purposes. In other words, while it’s reasonable to be upset by similar revelations, there are different reasons to be concerned.

Even so, there should surely be a way to opt out entirely and not allow any of your Siri conversations to be selected for review. It’s absurd that there seemingly isn’t a way to do this — turning off Siri entirely is not a solution — though I’ve reached out to confirm if disabling the analytics sharing options in Settings would opt users out. Also, as with Google, I have to question why users are not first asked whether a human can review their audio recording. Less than one percent is a very small proportion, but is still probably a lot of recordings per day given the half-billion devices it’s used on.

It’s pretty strange to me that this is an issue at all for Apple. I’m reminded of their introduction of object recognition in Photos. As Craig Federighi said on the Talk Show in 2016, “if you want to get pictures of mountains, you don’t need to get [them] out of people’s personal photo libraries. We can find some pictures of mountains”. Why should audio recorded in users’ homes, workplaces, schools, and gyms not be treated with a similar or greater level of sensitivity?

T-Mobile and Sprint Merger Approved by Justice Department, FCC Expected to Concur

Makena Kelly, the Verge:

The United States Justice Department has approved the $26 billion merger deal between T-Mobile and Sprint. After over a year in regulatory limbo, the merger received the green light from the last federal agency to hold out, with the Federal Communications Commission already signaling that it will approve the deal.

Karl Bode, Vice:

The DOJ says it will impose requirements offsetting the competitive harm of the deal. More specifically, the DOJ says that T-Mobile and Sprint will need to offload Sprint’s Boost Mobile and some spectrum to Dish Network, who’ll then attempt to build a new, viable fourth competitor from these scraps to offset the elimination of Sprint from the market.


But experts consulted by Motherboard say the proposal isn’t likely to work, and the end result of the merger will still very likely be higher prices and worse service for all.

For one thing, Dish has been promising to build a wireless network for the better part of the last decade with little to show for it. The company has routinely been accused of “spectrum squatting,” or buying spectrum it doesn’t use in a bid to turn around and sell it later when it’s more valuable. Even T-Mobile made this complaint when Dish initially criticized the merger.

Bode on Twitter:

At risk of being redundant, it would be cool if even 10% of the hyperventilation over Facebook and “big tech” was also applied to big telecom and dumb megamergers.

I’m Canadian, so I can attest to the drop in overall quality and increased prices that Americans can expect as their telecom options continue to deteriorate. It’s bad now in the United States; I can only imagine how awful it will become with the combined results of no net neutrality legislation, and the conglomeration of telecom and entertainment companies.

One last thing from Kelly:

T-Mobile’s connections to the Trump administration have come under heightened scrutiny as the deal has progressed. In March, The Washington Post reported that the company had spent over $195,000 at the Trump Hotel in Washington, DC while lobbying for the merger.

There’s a long list of legal, moral, ethical, and cultural grievances with this administration, but the ease and openness of its corruption is a revolting spectacle.

You Have a Moral Obligation to Claim Your Portion of the Equifax Breach Settlement

Josephine Wolff, Slate:

Go claim your $125 from Equifax. Right now. Even if $125 isn’t a sum of money that matters to you, even if you don’t feel you were really directly affected by the breach. Even if the prospect of filling out a relatively brief online form fills you with more dread than the theft of all your personal data.

Consider it a part of your civic duty: driving up the costs of data breaches for corporations so they have an incentive to invest more heavily in security.

Keep in mind that $125 is the minimum you are owed if your data was part of the Equifax breach. There are other categories of remediation that you can claim for, and I highly recommend that you get as much as you can. Whatever you’ll get, it won’t be enough, but at least you’ll do your part to make events like these costly for the companies involved until meaningful changes are made to eliminate the surveillance economy.

By the way, Wolff suggests in this piece that the Equifax breach may have been the product of a financial decision:

I think the costs of security breaches should, in some sense, be the costs of doing business, as opposed to an existential threat that drives the breached company into the ground. That way companies can weigh those costs against the costs of larger security investments and adjust their budgets accordingly. But I would like for those breach costs to be high enough to drive significant investment, and for that to happen, you have to do your part.

Earlier this week, I listened to an excellent two-part episode of the Malicious Life podcast (via Roee), in which the host, Ran Levi, argued that Equifax’s CEO was among the most aware of security risks, and worked hard to mitigate them. I am loath to empathize with a CEO who oversaw among the most disastrous breaches of trust in corporate history only to be allowed to retire, but Levi’s argument is compelling and worth a listen, if you have the time.

Update: Rufo Sanchez actually read the settlement agreement unlike me and, presumably, everyone sharing the advice to claim your cash settlement. From the settlement (PDF):

If there are more than $31 million in claims for Time Spent made during the Initial Claims Period […], all payments for Time Spent will be reduced and distributed on a proportional basis.


If you already have some other kind of credit monitoring or protection services, and do not claim the free Credit Monitoring Services available through the settlement, you may file a claim for Alternative Reimbursement Compensation for up to $125. […]

If there are more than $31 million claims for Alternative Reimbursement Compensation, all payments for Alternative Reimbursement Compensation will be lowered and distributed on a proportional basis.

There are two pools of $31 million here. One pool is for people taking $125 instead of credit monitoring services; the other $31 million is for people claiming time spent.

As Sanchez calculated, if all 147 million affected people claim the cash payment instead of credit monitoring, everyone gets $0.21. Of course, there’s no way that every impacted person will claim the cash payment — or, indeed, claim anything at all — but I would not be surprised if more than 248,000 people claim cash, given the publicity it has received, so everyone might get less than $125.

Apple Acquires ‘Majority’ of Intel’s Cellular Modem Business

From the joint press release:

Intel and Apple have signed an agreement for Apple to acquire the majority of Intel’s smartphone modem business. Approximately 2,200 Intel employees will join Apple, along with intellectual property, equipment and leases. The transaction, valued at $1 billion, is expected to close in the fourth quarter of 2019, subject to regulatory approvals and other customary conditions, including works council and other relevant consultations in certain jurisdictions.

It’s been an open secret that Johny Srouji’s team at Apple has been working on modems for the iPhone, iPad, Apple Watch, and future devices that need smaller and more efficient cellular connections. I’m sure the acquisition of Intel’s hardware will help somewhat, but this is decidedly an intellectual property and talent acquisition for the value of one Instagram.

Amazon Has Entered Into Agreements With U.S. Police Departments to Push Their Ring Doorbell Cameras with Kickbacks

Caroline Haskins, Vice:

Amazon’s home security company Ring has enlisted local police departments around the country to advertise its surveillance cameras in exchange for free Ring products and a “portal” that allows police to request footage from these cameras, a secret agreement obtained by Motherboard shows. The agreement also requires police to “keep the terms of this program confidential.”

Dozens of police departments around the country have partnered with Ring, but until now, the exact terms of these partnerships have remained unknown. A signed memorandum of understanding between Ring and the police department of Lakeland, Florida, and emails obtained via a public records request, show that Ring is using local police as a de facto advertising firm. Police are contractually required to “Engage the Lakeland community with outreach efforts on the platform to encourage adoption of the platform/app.”

At best, this is a gross partnership; more realistically, it’s a way to privatize a surveillance state through bribery. Amazon’s doorbell cameras have questionable privacy practices, too, and the company wants to be its own crime news broadcaster to further justify the existence of its products.

Joshua Benton, NiemanLab:

So think about this managing editor job. The places where Ring wants to be “covering local crime” are… everywhere, down to the house and neighborhood level. So one managing editor, plus however many other people are on this team, are supposed to be creating a thoughtful, non-exploitative editorial product that is sending journalistically sound “breaking news crime alerts,” in real time, all across the country. Will they really be delivering news or just regular pulses of fear in push-notification form? If that’s the job, it is literally impossible to do responsibly.


But what bugs me about this is that it wants to bring in the credibility of journalism as a layer on top of the state of constant fear it promotes. A company that relies on people feeling unsafe to sell its products will now be able to take whatever trust professional journalism has left and put it to work toward that end. It’s like relying on the people who make antivirus software to tell you about the latest cybersecurity issues: Even when the reporting is sound, it’s still prone to exaggerating the scale of the threat and still aimed at making you so afraid that you give them money.

Partnering with police departments is a logical next step for this deeply cynical product.

Update: Sam Kimbrel:

[…] Amazon is basically using this to drive down package loss, by giving police heatmaps of where lost Amazon packages are reported, then asking for sting ops.

So Amazon uses Prime Day to deeply discount their Ring cameras, contractually obligates police departments to promote sales of those cameras, and runs their own pseudo news division to emphasize the apparent need for cameras — all to cut down on losses due to Amazon package theft.

Samsung Swears That It Has Fixed the Galaxy Fold

Ina Fried, Axios:

The company said it made several changes, including

  • Extending the top protective layer of the phone’s inner displays so users know that it is not a removable screen protector.

  • “Additional reinforcements” to better protect the device from external particles.

  • The top and bottom of the hinge have been straightened and additional layers placed underneath the display.

So a refined prototype is what they’re shipping? Got it.

I would be shocked if in, I presume, several months of testing before its announcement, not a single Samsung Galaxy Fold unit exhibited any of the myriad problems reviewers found within days. Why not sort that stuff out before having such an embarrassing launch?

Details of Facebook Penalty Released by FTC

The FTC’s press release:

The $5 billion penalty against Facebook is the largest ever imposed on any company for violating consumers’ privacy and almost 20 times greater than the largest privacy or data security penalty ever imposed worldwide. It is one of the largest penalties ever assessed by the U.S. government for any violation.

The settlement order announced today also imposes unprecedented new restrictions on Facebook’s business operations and creates multiple channels of compliance. The order requires Facebook to restructure its approach to privacy from the corporate board-level down, and establishes strong new mechanisms to ensure that Facebook executives are accountable for the decisions they make about privacy, and that those decisions are subject to meaningful oversight.

The graphic the FTC uses to illustrate the scale of this fine is also an unintended acknowledgement that the $275 million fine levied against Equifax is pitiful.

Kurt Wagner and Sarah Frier, Bloomberg:

But the deal won’t do much to alter Facebook’s main business. The company will be able to make product decisions as it always has, and will also still be able to collect the same data from users. For the most part, Facebook will be able to continue targeting ads in the same way it does today.

Bryan Menegus, Gizmodo:

In what may be the most insulting paragraph of Stretch’s note, which Facebook published exactly when it knew news of former special counsel Robert Mueller’s testimony would drown out any other news item, he writes, “the agreement will require a fundamental shift in the way we approach our work […] It will mark a sharper turn toward privacy, on a different scale than anything we’ve done in the past.”

I don’t know how Facebook approaches its work. What I do know is how it approaches its users — which is to incrementally, and more often after being caught doing something untoward — placate them with promises of fundamental changes in how it’s thinking about or implementing privacy; how it’s empowering us, the consumers, to control our privacy; and how privacy, privacy, privacy. Why would we trust Zuckerberg’s sign-off on quarterly data privacy assessments when he and his team have consistently published statements claiming Facebook will protect our privacy, which we can say in light of Cambridge Analytica turned out to be broadly untrue.

All of Facebook’s transgressions since 2012 have been conducted after they promised the FTC they would stop abusing users’ data without their knowledge. They kept doing that anyhow. But they’ll really stop this time — they promise.

Attorney General William Barr Really Wants to Read Your iMessages

Kate Cox, Ars Technica:

US Attorney General William Barr today launched a new front in the feds’ ongoing fight against consumer encryption, railing against the common security practice and lamenting the “victims” in its wake.

“The deployment of warrant-proof encryption is already imposing huge costs on society,” Barr claimed in remarks at a cybersecurity conference held at Fordham University Tuesday morning. Barr added that encryption “seriously degrades” law enforcement’s ability to “detect and prevent a crime before it occurs,” as well as making eventual investigation and prosecution of crime more difficult.


He also accused tech firms of “dogmatic” posturing, saying lawful backdoor access “can be and must be” done, adding, “We are confident that there are technical solutions that will allow lawful access to encrypted data and communications by law enforcement, without materially weakening the security provided by encryption.”

It is almost impressive how people with no clue about how encryption works have, time and time again, ignored the advice of actual experts in it. If Barr were in charge of NASA, he’d demand a faster-than-light Space Shuttle even after being told that it is impossible.

Plex Makes Piracy Just Another Streaming Service

One thing about the film and television industry that I find endlessly fascinating — and it really helps that I am fascinated by probably-mundane esoteric things — is how differently they approach licensing and ownership rights compared to the music industry, despite often shared parent companies.

There are plenty of historical examples, but I wanted to look at just two. First, the use of DRM couldn’t be more starkly contrasted. In 2007, Apple negotiated with EMI to offer DRM-free music on iTunes; less than two years later, every major label got on board. But a similar switch has never happened for video distribution.

A few years after the DRM-free iTunes Store debuted came the next radical shift in music consumption: streaming services. Now, you can pay ten dollars a month to listen to virtually all of the music that has ever been recorded. You can choose which company you’re giving your money to — Apple, Google, Spotify, Tidal, and others — but the cost and catalogues are basically the same across the board. Again, nothing like this has ever existed for streaming video; and, with increased exclusivity agreements and conglomerate protectionism, that’s unlikely to change.

Well, legally, anyway. Bijan Stephen, the Verge:

Plex servers function a little like secret societies or private clubs. They can be large (like Liz’s), small (like Shawn’s), or any size in between, but they have a single purpose: to simplify the experience of streaming media and make it feel human. Every Plex server’s media catalog is different. They go beyond licensing agreements (because piracy) and anonymous algorithmic curation (because a person is choosing what’s on there) to make the streaming experience personal.

“The Plex mission is to provide a unified media experience that allows users to bring together the media they care about into one app, available on just about anything with a screen,” a spokesperson for Plex wrote in a statement. The one thing they carefully don’t mention is why.

Ethically, much of this article leans toward the defensive; it largely skates around the legal issues. I don’t see that as a flaw, necessarily, because many of these Plex servers are used largely by friends — kind of like lending out VHS tapes and DVDs to friends twenty years ago.

WatchOS 5.3 Enables ECG Support for Canadian and Singaporean Users

Speaking of the Apple Watch, Apple shipped WatchOS 5.3 today, which allows the ECG function to be used in Canada and Singapore.

Apple’s focus on health capabilities with the Watch is one of their most impressive product directions I can remember from any major company. I know there are cynics who view it as a cash grab on the back of health worries — and, without digressing too much, I think that’s a valid criticism of much of the broader medical industry. But there is also room to interpret this as a genuinely good thing for humanity. It is one of the few Silicon Valley things that can be described as life-changing without hyperbole.

Bloomberg: Apple Sold ‘Low Tens of Thousands’ of Gold Watches

Bloomberg’s Mark Gurman published a portrait today of Jeff Williams, painting him as a spiritual sibling to Tim Cook. It’s full of those de rigueur Gurman insider vignettes, but the nugget that has made some news surrounds the estimated sales figures of the solid gold Apple Watch.

Joe Rossignol, MacRumors:

As for the $10,000-plus, 18-karat gold Apple Watch Edition, the report claims Apple’s sales were “in the low tens of thousands” of units, with “few after the first two weeks.” The line was discontinued in September 2016 after just 16 months and, humorously, the gold models are now stuck on watchOS 4 and below.

Even with the lowest possible numbers within this framing — 10,000 units sold of a minimum $10,000 product — that still means Apple made a hundred million dollars on the first-generation Edition. I’m not making a judgement on whether this is good, obviously, but it’s noteworthy.

Anecdotally, I occasionally search eBay and Chrono 24 out of idle curiosity. I’ve never seen a gold Edition for sale.

Equifax to Pay $100 Million CFPB Fine and Set Aside Hundreds of Millions to Compensate Consumers

The FTC announced Equifax’s settlement this morning:

As part of the proposed settlement, Equifax will pay $300 million to a fund that will provide affected consumers with credit monitoring services. The fund will also compensate consumers who bought credit or identity monitoring services from Equifax and paid other out-of-pocket expenses as a result of the 2017 data breach. Equifax will add up to $125 million to the fund if the initial payment is not enough to compensate consumers for their losses. In addition, beginning in January 2020, Equifax will provide all U.S. consumers with six free credit reports each year for seven years—in addition to the one free annual credit report that Equifax and the two other nationwide credit reporting agencies currently provide.

The company also has agreed to pay $175 million to 48 states, the District of Columbia and Puerto Rico, as well as $100 million to the CFPB in civil penalties.

It seems to me that no fine and no penalty — no matter how great — can ever fully compensate the 147 million Americans who are now subject to a heightened risk of identity theft and fraud. This is certainly a lot of money, but Equifax’s stock price rose today when this news was announced, and it has nearly fully recovered to its pre-breach high. Equifax also continues to be one of only three companies that provides credit reports in the United States in a highly mature and noncompetitive market.

The lesson that has surely been learned here is that a company can have lax security, fail to notify customers for months about a breach, issue new revelations in drips, and be borderline useless through the entire process as long as that company participates in a market with few competitors, retains shocking amounts of personal data, and faces few consequences to its financial position as a result.

By the way, the CFPB fine is far more than I expected. That Bureau used to be run by Mick Mulvaney who, before he became the President’s Chief of Staff, tried to curtail the Equifax investigation and generally rob the Bureau of its duty.

A Reporter Spent a Few Days as a Gig Economy Food Courier

Andy Newman, New York Times:

Delivering restaurant food has always been a hard, thankless job. With the apps, it is becoming more flexible and better paying — but in some ways less stable.

This, said Niels van Doorn, an assistant professor of new media and digital culture at the University of Amsterdam who spent six months in New York studying app riders last year, “is what happens with an already precarious work force — what happens to an already invisibilized work force — when these platforms come to town.”

My own 27 hours on a borrowed electric bike, alternately hellbent and ping-starved as I navigated chaotic streets and clattering restaurant kitchens and sleek apartment towers, were an immersion in the paradoxes and perils of a job in which making more than minimum wage requires the physical daring of a bullfighter and the cognitive reflexes of a day trader. (I have neither.)

Being any kind of courier seems like a harrowing job, but that seems particularly so in the case of apps like Uber Eats, Foodora, and DoorDash. The latter has a unique tipping policy:

DoorDash offers a guaranteed minimum for each job. For my first order, the guarantee was $6.85 and the customer, a woman in Boerum Hill who answered the door in a colorful bathrobe, tipped $3 via the app. But I still received only $6.85.

Here’s how it works: If the woman in the bathrobe had tipped zero, DoorDash would have paid me the whole $6.85. Because she tipped $3, DoorDash kicked in only $3.85. She was saving DoorDash $3, not tipping me.

There is no way that customers believe that, when they tip, they’re helping DoorDash pay their workers. DoorDash does explain its tipping model on its website, but only in the most opaque language possible. How is this legal?

Newman also wrote an extended first-person report about how the article was put together:

Another unpleasant surprise: For almost two-thirds of my 43 deliveries, I got no tip. You may think the delivery fee takes care of the rider, but the apps’ pay structure leaves riders dependent on tips to make a living wage.

A friend of mine who has been delivering for three years, Wilder Selzer, called the job “a great window into our stratification.” Quite a few times, he said, he has delivered to people — men and women alike — who answered the door in their underwear, but not in a sexy way.

“It goes back to the class thing,” he said. “You’re like a eunuch — it’s O.K. to be naked in front of you because you’re not a person person.”

Aziz Shamim famously tweeted several years ago that Silicon Valley is obsessed with creating services that do what twenty-somethings’ moms did for them before they moved away from home, but I’ve always thought that interpretation wasn’t quite right. I think these services jealously attempt to replicate conveniences available to people who work several pay grades above them. There is a — and please forgive me for the phrasing here — trickling down of conveniences; on the other hand, it is at the expense of the livelihoods of a greater number of individuals needed to do these jobs.

Alexis Madrigal of the Atlantic described these services earlier this year as the “servant economy”, and I think he’s entirely correct.

See Also: Why Paris Marx doesn’t use Uber (via Michael Lopp).

NSO Group Spyware Can Exfiltrate Individual Users’ Cloud-Stored Data Using Credentials Stored On Targeted Devices

The headline for this linked item is deliberately not snappy, for reasons that should quickly become apparent.

Mehul Srivastava and Tim Bradshaw, Financial Times:

NSO Group’s flagship smartphone malware, nicknamed Pegasus, has for years been used by spy agencies and governments to harvest data from targeted individuals’ smartphones. 

But it has now evolved to capture the much greater trove of information stored beyond the phone in the cloud, such as a full history of a target’s location data, archived messages or photos, according to people who shared documents with the Financial Times and described a recent product demonstration. 

The documents raise difficult questions for Silicon Valley’s technology giants, which are trusted by billions of users to keep critical personal information, corporate secrets and medical records safe from potential hackers. 

This report produced headlines claiming that the software “spies on Apple, Google and Facebook cloud data”, for example, which isn’t entirely accurate.

Dare Obasanjo sums it up nicely:

This is an incredibly misleading headline.

If your phone is compromised by malware then bad actors can access all data any apps on your phone can access including iCloud, Gmail, FB, etc.

This isn’t a cloud service problem but a compromised client issue.

Zack Whittaker:

[…] But it’s worth remembering that it’s in NSO’s best interests to ham up its abilities and stretch the truth in sales meetings. Also don’t forget that NSO malware targets only a few types of people, so don’t panic either.

Joseph Cox of Vice downplayed this story even more:

NSO’s malware can log into Facebook, Amazon etc, download content. FT has bizarrely framed this as an issue for the cloud services, when it’s really about how end devices secure auth tokens. You own the device, you are the device. This will get dumb hyped.

It seems that the Financial Times story is exaggerating the capabilities of this spyware, but I think Cox’s summary may be inaccurate as well. For example, the report leaves the impression that a lot of iCloud data can be pilfered from targeted users’ accounts, but I’m not sure how that squares with the multilayered encryption mechanisms described in Apple’s iOS security guide. Perhaps the data that can be pulled from iCloud is rather limited, and the report mixes iCloud-specific claims with the malware’s more general data-collecting abilities from all services.

I hope more in-depth reporting will be produced on how, exactly, this spyware works and what specifically it can collect. Alas, I don’t see that happening, given how tightly NSO Group controls access to it.

Six Popular Chrome and Firefox Extensions Funnelled User Browsing Data to Nacho Analytics

Dan Goodin, Ars Technica:

When we use browsers to make medical appointments, share tax returns with accountants, or access corporate intranets, we usually trust that the pages we access will remain private. DataSpii, a newly documented privacy issue in which millions of people’s browsing histories have been collected and exposed, shows just how much about us is revealed when that assumption is turned on its head.

DataSpii begins with browser extensions — available mostly for Chrome but in more limited cases for Firefox as well — that, by Google’s account, had as many as 4.1 million users. These extensions collected the URLs, webpage titles, and in some cases the embedded hyperlinks of every page that the browser user visited. Most of these collected Web histories were then published by a fee-based service called Nacho Analytics, which markets itself as “God mode for the Internet” and uses the tag line “See Anyone’s Analytics Account.”

I’d be willing to bet that most people don’t think twice after installing a browser extension, and don’t fully consider the implications of its level of access. Extensions are a security and privacy risk, especially when you consider how much work is done through web browsers by employees with elevated access.

For their part, the CEO of Nacho Analytics responded weakly:

In an interview, Nacho Analytics founder and CEO Mike Roberts reiterated that the service is fully GDPR compliant and that the millions of people whose data is collected have expressly agreed to this arrangement.

“You absolutely do” click an agree button, Roberts said of all users whose data is published. What’s more, he said, “we spend quite a bit of time processing every URL that we see to remove all the personally identifiable information.” Ars has confirmed that in many cases, the URLs published by Nacho Analytics have had names, Social Security numbers, and other personal information removed. However, Ars was also able to find numerous instances of names and other personal information remaining in published URLs.


But Roberts defended the basic practice of publishing links that, when clicked, lead to private data — so long as that data isn’t viewable in the URL itself as published by Nacho Analytics.

I truly don’t believe Roberts intends to do wrong here, but the ease with which his company’s product can be abused at scale suggests that he underestimated the risk of anyone doing so. It also reinforces my contention that the valuation of collecting and exchanging data like this is a deeply corrosive industry.
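To make the gap in Roberts’ defence concrete, here is an added example (mine, not code from Ars Technica, Nacho Analytics, or any of the extensions) showing that a URL can be scrubbed of names and Social Security numbers and still work as a key to private data. The scrubbing rules, parameter names, and sample URLs are all constructed assumptions; site operators could run a check like this over their own link formats.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# PII patterns a URL scrubber would plausibly look for (assumed rules).
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Query parameter names that usually carry a bearer secret (assumed list).
SECRET_PARAMS = {"token", "access_token", "key", "sig", "signature",
                 "auth", "session", "sid", "code"}

# Heuristic: 20+ URL-safe characters mixing letters and digits looks like an
# unguessable ID. Slugs that contain digits can trip it; treat hits as leads.
OPAQUE = re.compile(r"^[A-Za-z0-9_-]{20,}$")


def looks_opaque(value):
    return (bool(OPAQUE.match(value))
            and any(c.isdigit() for c in value)
            and any(c.isalpha() for c in value))


def redact_pii(text):
    return SSN.sub("REDACTED", EMAIL.sub("REDACTED", text))


def scrub_pii(url):
    """PII-only scrubbing: removes e-mail addresses and SSNs, nothing else."""
    parts = urlsplit(url)
    query = [(k, redact_pii(v))
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, parts.netloc, redact_pii(parts.path),
                       urlencode(query), parts.fragment))


def bearer_findings(url):
    """List the places where the URL itself still grants access."""
    parts = urlsplit(url)
    findings = []
    for i, segment in enumerate(parts.path.split("/")):
        if looks_opaque(segment):
            findings.append(f"path[{i}]")
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SECRET_PARAMS or looks_opaque(value):
            findings.append(f"query:{name}")
    return findings


def harden(url):
    """Safer form for logs or sharing: no query, no fragment, no opaque IDs."""
    parts = urlsplit(url)
    segments = ["REDACTED" if looks_opaque(s) else s
                for s in redact_pii(parts.path).split("/")]
    return urlunsplit((parts.scheme, parts.netloc, "/".join(segments), "", ""))


# Constructed sample URLs; none of these hosts or tokens are real.
CONSTRUCTED_URLS = [
    "https://clinic.example.test/results/view"
    "?patient=jane.doe%40example.test&ssn=000-00-0000"
    "&token=9f8e7d6c5b4a39281706f5e4d3c2b1a0",
    "https://files.example.test/share/Zk3Qp9Lm2Xv7Rt5Bn8Wc4Hd6/itinerary.pdf",
    "https://news.example.test/2019/07/extensions-and-privacy",
]

if __name__ == "__main__":
    for original in CONSTRUCTED_URLS:
        scrubbed = scrub_pii(original)
        print("scrubbed :", scrubbed)
        print("  still grants access via:", bearer_findings(scrubbed) or "nothing")
        print("  hardened:", harden(original))
```

The first two URLs come out of the PII scrubber with their access tokens intact, which is the case Ars describes: nothing personal is visible in the link, but clicking it still opens the private page.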

Tesla Workers Describe Pressure to Meet Goals by Building Model 3s in Tents

Lora Kolodny, CNBC:

Current and former Tesla employees working in the company’s open-air “tent” factory say they were pressured to take shortcuts to hit aggressive Model 3 production goals, including making fast fixes to plastic housings with electrical tape, working through harsh conditions and skipping previously required vehicle tests.

For instance, four people who worked on the assembly line say they were told by supervisors to use electrical tape to patch cracks on plastic brackets and housings, and provided photographs showing where tape was applied. They and four additional people familiar with conditions there describe working through high heat, cold temperatures at night and smoky air during last year’s wildfires in Northern California.

Their disclosures highlight the difficult balance Tesla must strike as it ramps up production while trying to stem costs.

I love the idea of everything Tesla ostensibly stands for. Bringing reasonably-priced and reliable electric transport to the masses is a fantastic achievement. But there is so much to dislike about Tesla the company that it compromises my impression of the product. Tesla’s poor manufacturing conditions, offensive labour practices, misleading pricing, and unfocused strategy all make it hard to trust the company to stand by products that are supposed to last several years.

Into the Abyss

Dara Sharif, the Root:

Donald Trump ramped up his efforts Wednesday night to demonize the four progressive, freshman congresswomen informally known as “the Squad,” reveling in a raucous crowd’s chants of “Send her back! Send her back!” in reference to his latest target, Rep. Ilhan Omar (D-Minn.).

Despite a House vote Tuesday to condemn racist comments Trump made telling Omar and her fellow “Squad” members to “go back” where they came from, Trump, during a Wednesday night “Make America Great Again” rally in Greenville, N.C., continued to lob the same refrain.

Goldie Taylor, the Daily Beast:

The president is a racist, in his words and his actions.

Before you go clutching your pearls and extolling the virtues of “civility,” let me say this: Put a sock in it.

Adam Serwer, the Atlantic:

[…] In the face of a corrupt authoritarian president who believes that he and his allies are above the law, the American people are represented by two parties equally incapable of discharging their constitutional responsibilities. The Republican Party is incapable of fulfilling its constitutional responsibilities because it has become a cult of personality whose members cannot deviate from their sycophantic devotion to the president, lest they be ejected from office by Trump’s fanatically loyal base. The Democratic Party cannot fulfill its constitutional responsibilities because its leadership lives in abject terror of being ejected from office by alienating the voters to whom Trump’s nationalism appeals. In effect, the majority of the American electorate, which voted against Trump in 2016 and then gave the Democrats a House majority in 2018, has no representation.

Hamilton Nolan, Splinter:

This evolution in our national tone, I assumed, was a permanent one. The battle was no longer mostly against explicit, legal racism, but rather against implicit racism and racist structures and inequality rooted in racism — all of which would always be denied, because racism itself was no longer considered respectable. The most obvious manifestation of this is the fact that “racist” seems to be one of the last things that white people genuinely object to being called. Even a powerful person who constantly speaks and acts in ways that are racist, and who pursues policies that will inarguably achieve racist ends, will bristle and wail at being branded a racist. It carries the power of a word that was forged in a social justice struggle spanning centuries. Those who explicitly embraced racism were pushed to the fringes; the price of staying in the mainstream was raised by a token amount, to the disavowal of racist ideals even if you in fact operated in a way that furthered oppression.

I’m afraid that even the very thin layer of perceptual progress that seemed to be permanent may be eroding after all. […]

I cannot imagine being part of a marginalized group in the United States at any point in history; but, in particular, I cannot imagine the gut-churning anxiety of the last four years and, in particular, the past several days. An election is not until next year, and this language will only get darker and more explicit until then. The oppressors are wearing their vilest of beliefs as badges of honour. As a neighbour, I urge my American readers to stand against this with all they can muster. In Canada, we must do the same — we’re sliding into the abyss, too.

The First Generation of 5G Phones Are Half-Baked

Remember how bad the battery life was in the first LTE phones? That’s nothing compared to the problems Joanna Stern saw in this first wave of 5G devices. When it works, it’s wildly impressive, but getting it to work presently requires an extraordinarily narrow set of circumstances.

A reminder that pundits have spent the past year or so claiming that Apple just has to introduce a 5G iPhone in 2019 or they’ll fall behind. It remains unclear what they should be so eager to catch up to.

The NYT Wonders If We’ve Hit ‘Peak Podcast’

Jennifer Miller of the New York Times wrote about the eruption of podcasting popularity — a seemingly evergreen topic. Nieman Lab wondered in 2017 if we had hit “peak podcast”, while Wired thought the same in 2015. Podcasts were “back” in 2012, according to Social Media Examiner, and also in 2014, according to the Washington Post. 2005 was the “year of the podcast”, according to Slate. Podcasting seems perpetually mainstream and, also, simultaneously on the verge of death.

Much as I think this story subject is well worn, there’s plenty of research in Miller’s article that helps provide a sort of status update on the podcasting industry. One stat she quotes near the end of the piece is particularly eye-opening: less than 20% of podcasts tracked by Blubrry issued a new episode between March and May. Unlike blogs, there don’t seem to be innumerable episodes of podcasts that begin with an apology for a lack of updates.

But Miller begins her piece with this curious anecdote:

In 2016, Morgan Mandriota and Lester Lee, two freelance writers looking to grow their personal brands, decided to start a podcast. They called it “The Advice Podcast” and put about as much energy into the show’s production as they did the name. (After all, no one was paying them for this. Yet.) Each week, the friends, neither of whom had professional experience dispensing advice, met in a free room at the local library and recorded themselves chatting with an iPhone 5.

“We assumed we’d be huge, have affiliate marketing deals and advertisements,” Ms. Mandriota said.

But six episodes in, when neither Casper mattresses nor MeUndies had come knocking, the friends quit.

I’m not sure what this part of the story is communicating, other than sounding like an Onion article. Is it that the world of podcasting is not a surefire way to a product endorsement deal? And, if so, is that supposed to be surprising, especially after a handful of weak attempts? Is it just a given assumption that the aspiration of every podcaster is to be a product pitch person, or even that they’re looking for a career in internet broadcasting?[1]

Two excerpts that I think are warranted, though:

Call him cynical, but Jordan Harbinger, host of “The Jordan Harbinger Show” podcast, thinks there is a “podcast industrial complex.” Hosts aren’t starting shows “because it’s a fun, niche hobby,” he said. “They do it to make money or because it will make them an influencer.”


“So many of these are just painful,” said Tom Webster, the senior vice president of Edison Research, which tracks consumer media behavior. “We revere the great interviewers, but it’s an incredible skill that nobody has. What did Terry Gross do before she had her own show? Well, she was an interviewer, not a marketer for a software company.”

I don’t mean to denigrate software marketing podcasts or more conversational styles of episodes — everyone likes something different, and these are clearly enjoyable for lots of people. But these excerpts illustrate what makes some podcasts work for me: well-edited storytelling or interviews by enthusiastic hosts. Aching to be an “influencer” is like aspiring to be a QVC host.

  1. For what it’s worth, I’ve been writing this website for about nine years now as a labour of love, and I bet that it will stay that way. I’m okay with that. If you’d like to send me tens of thousands of dollars, though, I won’t say no.

Bloomberg: Apple Plans to Fund Original and Exclusive Podcasts

Lucas Shaw and Mark Gurman, Bloomberg:

Apple Inc. plans to fund original podcasts that would be exclusive to its audio service, according to people familiar with the matter, increasing its investment in the industry to keep competitors Spotify and Stitcher at bay.

Executives at the company have reached out to media companies and their representatives to discuss buying exclusive rights to podcasts, according to the people, who asked not to be identified because the conversations are preliminary. Apple has yet to outline a clear strategy, but has said it plans to pursue the kind of deals it didn’t make before.

Avi Salzman, Barron’s:

Podcasting could become a lot more like television — with shows siloed on different services and companies competing to host must-have content. That means you might have to pay up — or at least listen to extra ads — to hear your favorite podcasters.

Manton Reece:

No one is too alarmed by this Apple rumor, because maybe nothing will come of it. But a good way to think about it is to imagine if the popularity of Apple and Spotify were reversed. Imagine if Spotify was the one with 60% of the podcast app market and then they decided to release Spotify-only exclusive “podcasts”. It would be an obvious threat to the openness of podcasts.

This is an understandable, predictable, and inauspicious direction to take. Is anyone — aside from executives, of course — excited about an increased siloing of media? I doubt it.

Dropbox Widely Distributed Their New Shittier Desktop App Today

You probably noticed the new app when it self-importantly plopped its icon into your MacOS dock today and jumped to the foreground of its own volition. It’s a very rude new app that occupies several times as much hard drive space because it includes a full copy of the Chromium embedded framework.

The poor folks running the Dropbox Support Twitter account have spent the day telling MacOS users that it is not possible to hide or remove the dock icon in MacOS, and helping users disable the new app. Always a good sign on launch day.

Turns out that you can remove the dock icon by disabling the new app. Go to Dropbox Preferences and, under the General tab, change the “Open Folders In” option to “Finder”. Then quit the Dropbox app and drag that icon out of the dock; it should remain in the menu bar and continue syncing.

Also, consider getting rid of your Dropbox account, because this is a symptom of a company with rotten priorities.

Update: Dropbox says that the wide release of the new app was inadvertent and they’re rolling users back to the previous version. A more cynical writer might see this as a way for the company to cover their ass in the wake of a poorly-received update, but I have no evidence to support such an assertion.

Update: Ben Sandofsky:

Quitting the new Dropbox file manager from the dock just hides it. It’s still sitting in the background, consuming resources for no reason. Your only option is to kill all of Dropbox, which includes syncing.

Gross. This app is part of a completely misguided shift in strategy towards an enterprise focus, and I can’t imagine it will be successful.

Dieter Bohn Reviews the 2019 MacBook Air

The MacBook Air should be the Volkswagen Golf of computers: everything the vast majority of people need with no easily-discovered compromises. It’s the thing you buy unless there’s a specific reason not to. Apple knocked it out of the park for years by shipping fast, thin, and light notebooks that lasted all day and didn’t cost a fortune. Truly, the 2010–2016 MacBook Air will be remembered as a category-defining product on the level of the iPhone or the iPad.

The 2018 revision didn’t quite hit the same mark. It received welcome refinements drawn from Apple’s modern notebook strategy — Retina display, simplified unibody construction, and USB-C and Thunderbolt 3 connectors — but with noticeable compromises, most obviously with the unreliable “butterfly” keyboard design and the product’s higher cost.

Based on Bohn’s review, it seems like this year’s revision gets closer to correcting the balance. Get a decent keyboard in these things again and there ought to be no reason for most people with the money to spend to even consider buying anything else.

How Many Kinds of USB-C to USB-C Cables Are There?

Benson Leung counts six:

Why did it come to this? This problem was created because the USB-C connectors were designed to replace all of the previous USB connectors at the same time as vastly increasing what the cable could do in power, data, and display dimensions. The new connector may be and virtually impossible to plug in improperly (no USB superposition problem, no grabbing the wrong end of the cable), but sacrificed for that simplicity is the ability to intuitively know whether the system you’ve connected together has all of the functionality possible. The USB spec also cannot simply mandate that all USB-C cables have the maximum number of wires all the time because that would vastly increase BOM cost for cases where the cable is just used for charging primarily.

Thunderbolt 3 makes this even more complicated, as it fits yet more functionality into a connector of exactly the same size and shape. USB 4 will merge the two standards, but I can’t work out whether that will make for more or less confusion.

The Effects of Errors in Foundational Radio Wave Research Are Still Being Felt in the 5G Era

William J. Broad, New York Times:

In 2000, the Broward County Public Schools in Florida received an alarming report. Like many affluent school districts at the time, Broward was considering laptops and wireless networks for its classrooms and 250,000 students. Were there any health risks to worry about?

The district asked Bill P. Curry, a consultant and physicist, to study the matter. The technology, he reported back, was “likely to be a serious health hazard.” He summarized his most troubling evidence in a large graph labeled “Microwave Absorption in Brain Tissue (Grey Matter).”

The chart showed the dose of radiation received by the brain as rising from left to right, with the increasing frequency of the wireless signal. The slope was gentle at first, but when the line reached the wireless frequencies associated with computer networking, it shot straight up, indicating a dangerous level of exposure.


Except that Dr. Curry and his graph got it wrong.

According to experts on the biological effects of electromagnetic radiation, radio waves become safer at higher frequencies, not more dangerous. (Extremely high-frequency energies, such as X-rays, behave differently and do pose a health risk.)

This is a great piece about how poorly-conducted research robbed of context can badly skew understanding for decades to come. I still think that Broad muddies his decent science reporting by ascribing too much weight to weak Russian propaganda efforts, though. There’s plenty of clear-headed reporting here that sufficiently debunks the meritless claims of a few.

Amazon.com Remains a Mess

Brian Feldman, New York magazine:

We are now entering the final hours of Prime Day, an alleged sales “event” from Amazon that is actually two days long. The catalyzing idea of Prime Day is ostensibly to conjure a shopping holiday out of thin air, which manifests in reality as “let’s just choose two days in which we bombard people with things they might impulse buy.” The problem with this is that Amazon.com, as far as I can tell, was designed by madmen who were challenged by the richest man on earth to build the most insane website on the planet.

Amazon is starting to remind me of one of those liquidation store brands that I remember being super popular in the late 1990s to early 2000s, or some surplus warehouse. Its inventory is a mix of knockoff items, high fashion next to suspiciously-branded goods, obvious crap, and genuine deals — all piled together, and staffed by overworked and underpaid employees in unsanitary and unsafe conditions.

Apple’s 2019 256GB MacBook Air Includes a Slower SSD Than 2018 Model

Juli Clover, MacRumors:

The 2019 MacBook Air, refreshed last week, appears to have a slower SSD than the 2018 MacBook Air, according to testing by French site Consomac. Using testing with the Blackmagic Disk Speed benchmarking test, the site found that the read speeds of the new SSD are lower.

A test of the 2019 MacBook Air with 256GB of storage demonstrated write speeds of 1GB/s and read speeds of 1.3GB/s. An equivalent model released in 2018 featured write speeds of 920MB/s and read speeds of 2GB/s. While write speeds are on par with the older machine (and are even slightly better), read speeds have dropped 35 percent.

As far as compromises go, I think this is a pretty good one: very few people will notice this and, if it’s what allowed Apple to reduce prices, it’s beneficial to anyone who wants a larger internal drive and doesn’t want to remortgage their home.

State DMVs Earn Millions by Selling Personal Data to Brokers and Marketing Firms

Adam Walser, ABC Tampa Bay:

I-Team Investigator Adam Walser obtained records showing the state sold information on Florida drivers and ID cardholders to more than 30 private companies, including marketing firms, bill collectors, insurance companies and data brokers in the business of reselling information.

The Florida Department of Highway Safety and Motor Vehicles raked in more than $77 million for driver and ID cardholder information sales in fiscal 2017.

The I-Team wanted to know how much of that money came from marketing firms, but the agency in charge of driver information estimated it would take 154 hours of research and cost nearly $3,000 for the state to give taxpayers an answer.

TechCrunch reporter Sarah Perez pointed to several similar stories from South Carolina, Pennsylvania, Alabama, and other states.

It’s no wonder policymakers are loath to strictly regulate the use and dissemination of private data — they’re in on the grift.

The Cranberry Caucus Is Insanely Powerful

Dan Nosowitz, Modern Farmer:

So the cranberry industry is saying that it is unfair for them to have to correctly label their added sugars, because a product, like, say, raisins naturally have a high sugar content, and thus (correctly) do not need to use the “added sugar” phrasing. But dried cranberries — WHICH HAVE SUGAR ADDED TO THEM BECAUSE OTHERWISE THEY TASTE BAD — should not be penalized. After all, cranberry producers are only adding sugar to them so they can taste as good as products like raisins, which have no sugars added to them because they taste good as they are.

You may remember previous discussion about the power of the cranberry lobby in a Last Week Tonight segment that aired nearly five years ago. I don’t know why you would choose to eat cranberries when currants exist, but that’s just me.

FTC Expected to Hand Facebook the World’s Most Expensive Speeding Ticket

Emily Glazer, Ryan Tracy, and Jeff Horwitz broke the news for the Wall Street Journal:

The Federal Trade Commission has endorsed a roughly $5 billion settlement with Facebook Inc. over a long-running probe into the tech giant’s privacy missteps, according to people familiar with the matter.

FTC commissioners this past week voted 3-2 in favor of the agreement, with the Republican majority backing the pact while Democratic commissioners objected, the people said. The matter has been moved to the Justice Department’s civil division and it is unclear how long it will take to finalize, one of the people said. Justice Department reviews are part of FTC procedure but typically don’t change the outcome of a decision by the commission.

Cecilia Kang, New York Times:

In addition to the fine, Facebook agreed to more comprehensive oversight of how it handles user data, according to the people. But none of the conditions in the settlement will restrict Facebook’s ability to collect and share data with third parties. And that decision appeared to split the five-member commission. The two Democrats who voted against the deal sought stricter limits on the company, the people said.

Mike Isaac:

[T]he fact that [Facebook] shares surged instead of sank on the FTC news is the story.

This fine is at the upper bound of what Facebook estimated earlier this year, but it’s still pretty weak. The company booked $15 billion in revenue last quarter alone. This is a cost of doing business and, combined with the company’s cynical efforts to redefine “privacy”, will likely have little effect on their ability to exploit users’ behaviour at a global scale.

AT&T Does the Obvious Thing Its CEO Said It Wouldn’t Do and Restricts Its Valuable Media Properties

Jon Brodkin, Ars Technica:

WarnerMedia, the division AT&T created when it bought Time Warner, today announced a new online streaming service called “HBO Max.” HBO Max will debut in the spring of 2020 and include exclusives that will no longer be available on other streaming platforms.

HBO Max will have exclusive streaming rights to all episodes of Friends, The Fresh Prince of Bel Air, and Pretty Little Liars. Friends and Pretty Little Liars are currently available on Netflix, so they’ll both leave that service by the time HBO Max launches.


AT&T is making Time Warner shows exclusive to HBO Max even though it told government officials that it would continue to distribute Time Warner content as widely as possible.

Karl Bode, Techdirt:

On its surface this doesn’t seem like that big of a deal. After all, Friends is an old show, and most users probably won’t care. And it’s certainly not the only show getting this treatment (Comcast NBC Universal just made The Office exclusive to its streaming platform, and Disney is also pulling Netflix content for exclusive use on its own looming Disney+ service). But more broadly, the more essential content AT&T makes exclusive to its own platform (especially and likely inevitably, HBO), the more difficult it will be to compete with AT&T. Knowing AT&T, there’s going to be far more exclusives where this came from.

This is all before you even get to net neutrality and AT&T’s domination in broadband, which has allowed it to behave anti-competitively in different, even more problematic ways (like only imposing arbitrary usage caps if you use a competitor’s service). Letting companies like Comcast NBC Universal and AT&T Time Warner dominate both the conduit and the content will ultimately result in a universe of headaches for competitors and consumers alike. And Judge Leon’s failure to see (or acknowledge) this will be a “gift” that keeps on giving for the next decade.

The gutless lack of enforcement of American antitrust laws is going to make everyone beg for the days of paying eighty bucks a month for a hundred cable channels you didn’t need so that you could get the six you actually wanted.

Update: The calculus here is that Friends is worth more than $100 million per year to AT&T for its HBO Max platform.

Google Confirms Audio Recordings from Home Devices Are Reviewed by Humans

Lente Van Hee, Ruben Van Den Heuvel, Tim Verheyden, and Denny Baert, VRT:

It is true that Google does not eavesdrop directly, but VRT NWS discovered that it is listening in. Or rather: that it lets people listen in. We let ordinary Flemish people hear some of their own recordings. ‘This is undeniably my own voice’, says one man, clearly surprised.

A couple from Waasmunster immediately recognise the voice of their son and their grandchild.

What did we do? VRT NWS was able to listen to more than a thousand excerpts recorded via Google Assistant. In these recordings we could clearly hear addresses and other sensitive information. This made it easy for us to find the people involved and confront them with the audio recordings.

David Monsees of Google:

We just learned that one of these language reviewers has violated our data security policies by leaking confidential Dutch audio data. Our Security and Privacy Response teams have been activated on this issue, are investigating, and we will take action. We are conducting a full review of our safeguards in this space to prevent misconduct like this from happening again.

We apply a wide range of safeguards to protect user privacy throughout the entire review process. Language experts only review around 0.2 percent of all audio snippets. Audio snippets are not associated with user accounts as part of the review process, and reviewers are directed not to transcribe background conversations or other noises, and only to transcribe snippets that are directed to Google.

Surely, with such a low proportion of audio clips that humans review, Google could ask for permission before the review process begins, right? This is particularly important for any of these smart assistant appliances that are scattered throughout the home.

Lobbying Organization for Google and Facebook Launches Nonsense Campaign Arguing for User Tracking Across the Web

Jason Kint:

I’m not sending link but Google and Facebook’s reps (called the Internet Association), just launched a propaganda site intended to undermine new California privacy law (CCPA) by confusing public into thinking their surveillance advertising is necessary to fund free content. Lies.

This is the same strategy Google and Facebook backed in Europe. Efforts like this show the insincerity, if not lies, of their CEOs Pichai and Zuckerberg when they write op-eds stating they embrace privacy and try to gaslight lawmakers and the public. Unlike Microsoft and Apple.

The campaign is called Keep the Internet Free, and it’s a crock of shit. The new privacy laws enacted in California do not prohibit advertising, nor do they prohibit data collection outright. But the Internet Association — members of which include Google, Facebook, Airbnb, Uber, Reddit, Twitter, and Microsoft — is deliberately conflating advertising and behaviourally-targeted surveillance. If user tracking is prohibited, it will not outlaw advertising on the web or in apps, nor will it kill the tech landscape as we know it. It will just mean ads that are less creepy.

Facebook Begins Disclosing Data Brokers and Targeting Information for Advertisements

Katie Notopoulos, BuzzFeed News:

Facebook launched a transparency tool this week that will give people a little more information about how their targeted ads work (good!). Now you can see more details about why you’re seeing an ad in your feed, how it is linked to an ad agency or data broker, and how to opt out of interest-based ad campaigns run by businesses that have your information. The bad news is that looking at it may end up just making you feel worse about how your data is passed around by third-party data brokers — credit reporting bureaus and marketing agencies — like Halloween candy.

This should at least partially solve the mysterious presence of cross-country car dealerships and furniture stores — typically, other clients associated with these data brokers — appearing on the advertising settings page for many users. But this doesn’t go far enough. If we’re going to put up with behaviourally-targeted advertising — and we should not, because it is deeply corrosive to our privacy, unethical, and not particularly effective — but if we are, then these ads should be required to list every single targeting method they’re using, plus all of the companies that had a hand in placing that ad on your screen.

‘Reply All’ Investigates YouTube’s Metrics for Recommendations

One thing that keeps nagging at me — and which is supported by the reporting in this episode — is the concentration of toxicity enabled by metrics-optimized platforms. This detrimental environment is exacerbated by the scale and anticompetitive network effects of these platforms. It’s worrying how easily the most vile of fringe views can be elevated by seemingly-benign features when they’re applied at the scale of YouTube or Facebook.

Apple Uses Its Malware Removal Tool to Block Vulnerable Versions of Zoom and Its Hidden Local Server

Zack Whittaker, TechCrunch:

Apple has released a silent update for Mac users removing a vulnerable component in Zoom, the popular video conferencing app, which allowed websites to automatically add a user to a video call without their permission.

The Cupertino, Calif.-based tech giant told TechCrunch that the update — now released — removes the hidden web server, which Zoom quietly installed on users’ Macs when they installed the app.

Apple said the update does not require any user interaction and is deployed automatically.

Howard Oakley:

According to information given to TechCrunch this evening, Apple says that this update removes the hidden web server installed by previous versions of the Zoom client. If this is the case, it is the first known deployment of MRT to remove a vulnerable product like this, rather than malware. However, TechCrunch doesn’t mention the use of MRT.

You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

Even if users don’t update their copy of Zoom to the newest version that lacks the silently-installed web server, this step should mean that this serious vulnerability has been closed off.

It’s also notable that Apple now has several avenues by which it can disable software without any user interaction.

Foxconn Says It Will Create 1,500 Jobs in Wisconsin, 11,500 Fewer than Promised

This project is right on track for Foxconn. The company has also not elaborated upon their denial of having a bunch of empty buildings, despite reporting and photography from the Verge in April confirming that these buildings are, truly and actually, empty.

Update: A Foxconn rep finally replied to Nilay Patel in one of the most bizarre press releases I’ve ever seen. They write “leave us alone” three times in the email — twice in uppercase letters — and quote a bunch of nonsense from the end of the project’s concept video. I can’t decide what my favourite bit of this is. It might well be the caption “smart safety and security through 8K technology” paired with a pseudo-Face ID icon. I’m not entirely certain how displays with very high pixel counts are supposed to improve facial recognition, or whatever, but I guess if you throw enough buzzwords at someone, they’ll respond by giving you billions of dollars in tax incentives.

Unsuccessful Moderation at YouTube’s Scale

Neima Jahromi, the New Yorker:

Schaffer told me that hate speech had been a problem on YouTube since its earliest days. Dealing with it used to be fairly straightforward. YouTube was founded, in 2005, by Chad Hurley, Steve Chen, and Jawed Karim, who met while working at PayPal. At first, the site was moderated largely by its co-founders; in 2006, they hired a single, part-time moderator. The company removed videos often, rarely encountering pushback. In the intervening thirteen years, a lot has changed. “YouTube has the scale of the entire Internet,” Sundar Pichai, the C.E.O. of Google, which owns YouTube, told Axios last month. The site now attracts a monthly audience of two billion people and employs thousands of moderators. Every minute, its users upload five hundred hours of new video. The technical, social, and political challenges of moderating such a system are profound. They raise fundamental questions not just about YouTube’s business but about what social-media platforms have become and what they should be.

YouTube’s monopoly position means that their moderation decisions can be a massive if controversial force for good, but they will also have a high likelihood of flagging non-offending videos. Like I’ve been saying about Facebook and its inept moderation, this is a direct result of the platform’s scale.

As it is, YouTube is taking little meaningful action while still recommending videos that will keep users watching as they crawl further into a narrowing tunnel of viewpoints, thereby radicalizing users while simultaneously claiming that they are neutral.

The broad failure of U.S. authorities to take seriously the antitrust threat of tech companies remains among the biggest policy mistakes of the last twenty years.

WannaCry, Two Years Later

Zack Whittaker, TechCrunch:

Marcus Hutchins and Jamie Hankins, who were working from their homes in the U.K. for Los Angeles-based cybersecurity company Kryptos Logic, had just stopped a global cyberattack dead in its tracks. Hours earlier, WannaCry ransomware began to spread like wildfire, encrypting systems and crippling businesses and transport hubs across Europe. It was the first time in a decade a computer worm began attacking computers on a massive scale. The U.K.’s National Health Service (NHS) was one of the biggest organizations hit, forcing doctors to turn patients away and emergency rooms to close.

Hours after the disruption began to break on broadcast news networks, Hutchins — who at the time was only known by his online handle @MalwareTech — became an “accidental hero” for inadvertently stopping the cyberattack by registering a web domain found in the malware’s code.

The internet, still reeling from the damage, had gotten off lightly. The two researchers, at the time both in their early 20s, had saved the internet from a powerful nation-state attack launched by an enemy using hacking tools developed by the West.

But the attack was far from over.

Hutchins and Hankins knew if the kill switch went down, the malware would pick up where it left off, infecting thousands of computers every minute. Puffy eyed and sleep deprived, they knew the domain had to stay up at all costs. The researchers fended off several attacks from an angry operator of a botnet trying to knock the domain offline with junk internet traffic. And, at one point, law enforcement seized two of their servers from a datacenter in France amid confusion that the domain was helping to spread WannaCry and not preventing it.

Whittaker reports that the “kill switch” domain prevented around sixty million deployments of the WannaCry malware in the last month alone — a staggering figure for a two-year-old piece of malware. It’s surely spreading daily, but remaining dormant solely because this single domain is being kept up. It’s digital HPV.

MacBook Apparently Discontinued, MacBook Pro Gains Touch Bar on All Models


Apple today updated MacBook Air, adding True Tone to its Retina display for a more natural viewing experience, and lowering the price to $1,099, with an even lower price of $999 for college students. In addition, the entry-level $1,299 13-inch MacBook Pro has been updated with the latest 8th-generation quad-core processors, making it two times more powerful than before. It also now features Touch Bar and Touch ID, a True Tone Retina display and the Apple T2 Security Chip, and is available for $1,199 for college students.

This simplifies the lineup dramatically. No longer are there three similar yet purportedly different computers within $200 of each other; now, there’s a simple choice of consumer models and professional models, and at respectably lower price points to boot.

What goes unmentioned in this press release, however, is that Apple has seemingly discontinued the MacBook. Visiting apple.com/macbook redirects to the Mac section, where the model does not appear in the navigation bar at the top. It was last updated two years ago. Despite that, it was easily one of my favourite Mac models — a light, simple, fan-less portable Mac sounds ideal for travelling — so I’m a bit saddened to see it go, even though it conceptually overlaps the MacBook Air considerably. I have to wonder whether the name will be recycled for use in that future ARM-powered Mac.[1]

Also starting today, Apple no longer sells the legacy non-Retina MacBook Air. They’ve nearly achieved an entirely Retina lineup, with just a single non-Retina iMac model remaining.

Update: As noticed by Mitchel Broussard at MacRumors, Apple has dropped SSD prices pretty much across the board. Also, Jordan Kahn of 9to5Mac obtained an internal memo stating that today’s new MacBook Air and Pro models will be eligible for free keyboard repairs. Just terrific news all around, as far as I can tell, apart from the keyboards themselves.

  1. For what it’s worth, the redirect from apple.com/macbook to apple.com/mac returns the permanently moved status code, meaning that this redirect will be cached in users’ browsers and would be harder to revert.

Zoom Teleconferencing Software Has a Vulnerability That Allows an Attacker to View a User’s Webcam

Jonathan Leitschuh discovered the vulnerability:

This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission.

On top of this, this vulnerability would have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call.

Additionally, if you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install ‘feature’ continues to work to this day.

This is shockingly easy to exploit and, thankfully, fairly easy to protect against as a user.

However, I’d recommend removing Zoom entirely if you do not rely upon it. The company’s blasé attitude towards Leitschuh’s report of this bug would make me reluctant to trust them with my camera and microphone in the future.

Tim Wu Explains Why He Thinks Facebook Should Be Broken Up

I thought this was a well-articulated perspective on the dangers of unchecked industry domination, and a firm rebuttal of Facebook’s familiar talking points.

I’ve been saying for a while now that I think Facebook’s inability to keep obviously objectionable materials off its platform — whether through traumatizing human moderators or relying upon automated filters — is a symptom of a broader design flaw. The sheer scale of the company’s products exacerbates this, too. I’m not saying that a company with a few hundred million users would be easier to moderate — Twitter proves that in spades — but I do think that trying to police materials of all types across virtually every country on Earth is an impossible task. Furthermore, globe-spanning monopolies are incentivized to avoid moderation.

Dark Patterns Across a Sample of 11,000 Shopping Websites

I recently booked some hotel rooms using a few different travel websites and I’m pretty sure I encountered nearly all of these. Dark patterns are shockingly unethical. They are deceptive, crass, and borderline fraudulent in the case of patterns that sneak unwanted items into a shopper’s cart.

Scrutiny Is the Prize of Success

David Heinemeier Hansson expanded upon Mike Davidson’s post about privacy problems with Superhuman’s read receipts:

Davidson’s point about the ethical trajectory of a company is spot on. But it goes even further than the single company. There’s an ethical trajectory of a whole ecosystem, and the one in Silicon Valley is in need of some serious recalibration. Springing to the defense of appalling privacy abuses with excuses like “well, everyone else does it” only reveals just how dire the need is for that recalibration. A process that has to start with one company at a time.

But even if Silicon Valley was a beacon of ethical behavior, you’d still want successful startups on a strong trajectory to have their business model and practices subjected to scrutiny in proportion to their success. The more people are using something, the greater the potential for harm (and good). This isn’t rocket science.

Scale radically alters the dynamic of a company’s impact. Consider, for example, how the scale of companies like Uber and Airbnb has made their services as commonplace as the categories they disrupt without similar oversight for safety or ethical business practices.

Scrutiny is a force for good; it should be embraced.

Customs and Border Protection Have Bought Themselves a GrayKey

Yesterday, I linked to a story about guards at the border between China and Kyrgyzstan using a device to exfiltrate iPhone users’ data. Though it is a tangential issue, I did not mention that, last year, I sent a FOIA request to the Department of Homeland Security to ask if they owned a GrayKey or had any of its marketing materials. I received a response at the time stating that they did not have anything of the sort.

Now, though, they do. Thomas Brewster noted today that Customs and Border Protection acquired a GrayKey last month. Brewster has written extensively about the capabilities of the GrayKey system. I think it is also notable that, since last month, applicants for U.S. visas have been required to reveal five years’ worth of social media profiles, phone numbers, and email addresses.

FaceTime Attention Correction in iOS 13 Fixes Apparent Eye Positioning During Video Calls

Rachel England, Engadget:

The feature, called FaceTime Attention Correction, is part of the latest iOS 13 beta, and appears to use advanced image manipulation to make video-based eye contact appear more natural. It was discovered by app designer Mike Rundle, who tested it out with tech enthusiast Will Sigmon. You can see the feature in action below. It looks like it’s only available on the new iPhone XS and iPhone XS Max, but that likely means future iterations of the iPhone will get it as standard, helping you to completely maximise your FaceTime game.

Video calling always looks a bit unnatural, whether on a smartphone or on a desktop computer, because you’re either looking at the participant onscreen or at the camera — you can’t do both. It’s the kind of thing that can make it feel like participants are not paying attention to each other. This is one of those apparently simple but profound changes that feels very Apple-y.

Chinese Border Guards Are Conducting Surveillance on Tourists’ Phones

Hilary Osborne and Sam Cutler, the Guardian:

An investigation by the Guardian and international partners has found that travellers are being targeted when they attempt to enter the region from neighbouring Kyrgyzstan.

Border guards are taking their phones and secretly installing an app that extracts emails, texts and contacts, as well as information about the handset itself.

Tourists say they have not been warned by authorities in advance or told about what the software is looking for, or that their information is being taken.

Moritz Contag and Cure53 (PDF) published technical analyses of the Android spyware, which appears to dump a fairly comprehensive summary of the phone’s contents and user activity. Raymond Zhong reports for the New York Times that iPhones are connected with a cable to a box that performs a similar task. Presumably, this is something like a GrayKey.

This is obviously intrusive, and points to an increasingly urgent need to make mobile devices as secure as possible. There’s no reason why, in a more authoritarian world, capabilities like this would be used less. Why would China want to restrict this to its borders with just one country? Why would this be restricted only to China?

Meanwhile, American officials have met to discuss outlawing end-to-end encryption, and Australia already has a law that allows them to compel companies to help them with surveillance.

Apple Sans Ive

Whenever a public-facing executive leaves their job, there will inevitably be a series of stories — typically in business publications — which try to ascertain why they left. Such stories are full of anecdotes and rumours, and it’s sometimes hard to know what to trust or who is grinding what axe.

So, I assume, many of you did the same thing I did for part of this weekend by catching up on a flurry of stories ostensibly giving some background to why Jony Ive is leaving Apple — Mark Gurman and Tripp Mickle wrote the two high-profile pieces, and I also read responses to try to get a handle on their accuracy.

After all that, I was left with the feeling that neither story was entirely convincing. Matthew Panzarino of TechCrunch has written a particularly good piece distilling what he’s heard independently, as well as reflecting on Ive’s legacy:

Even though Jony is a ‘unicorn’ designer, Apple has always thrived on small teams with decision makers, and they’re not all one person. The structure of Apple, which does not rely on product managers, still leaves an enormous amount of power in the hands of the people actually doing the work. I’m not as concerned as a lot of people are that, with Jony leaving, there will suddenly be a slavish hewing to the needs of ‘ops over all’. It’s not in the DNA.

That doesn’t mean however, that there aren’t still question marks. Jony was an enormous force in this company. It is completely natural to be curious, excited and, hell yeah even worried about what his departure will do to the design focused Apple people love to love.

I have intentionally held off on posting much about Ive’s announced departure for the aforementioned reasons, but this is worth reading.

Update: I also think MG Siegler’s piece is wise.

Update: John Siracusa’s take is typically thoughtful and worth your time. This, in particular, bears repeating:

As the leader of design at Apple, Ive inevitably receives acclaim for work done by other people on his team. This is what it means to be the public face of a collaborative endeavor involving hundreds of people. Ive himself is the first to credit his team, always using the word “we” in his appearances in Apple’s design videos. One gets the impression that Ive has historically used “we” to refer to the design team at Apple, rather than Apple as a whole, but he certainly never meant it to refer to himself.

While I think it’s been fairly clear that design at Apple is a huge team endeavour — and though many of the pieces published after last week’s news acknowledge that Ive has taken a reduced role in the day-to-day activity of designing for several years — it remains odd to me that the single arbiter of product taste at the company is now Jeff Williams. Nothing against the guy, but it’s strange for Apple that it’s an MBA in that role.

Xiaomi Introduces Familiar-Looking Mimoji

Nick Statt, the Verge:

Now, Apple doesn’t own the concept of virtual avatars. It also doesn’t even own the trademark for Memoji. So it’s not fair to say Xiaomi is stomping all over the iPhone maker’s intellectual property; as VentureBeat notes, the concept behind and the use of the phrase memoji existed prior to Apple’s introduction of it into iMessage last summer at WWDC. Additionally, Samsung beat both companies to cartoon AR avatars with its slightly more horrifying Galaxy S9 AR Emoji feature back in February of last year.

There is a lot of prior art here, but it’s pretty clear what Xiaomi is aping with Mimoji. The Ripoff Express seems to keep chugging through Xiaomi’s station. It’s kind of their thing.

A Deep Deconstruction of a Surveillance Feature in One Email Client

Mike Davidson wrote about the widespread implications of the sender-controlled read receipts that are enabled by default in Superhuman:

What I see in Superhuman though is a company that has mistaken taking advantage of people for good design. They’ve identified a feature that provides value to some of their customers (i.e. seeing if someone has opened your email yet) and they’ve trampled the privacy of every single person they send email to in order to achieve that. Superhuman never asks the person on the other end if they are OK with sending a read receipt (complete with timestamp and geolocation). Superhuman never offers a way to opt out. Just as troublingly, Superhuman teaches its user to surveil by default. I imagine many users sign up for this, see the feature, and say to themselves “Cool! Read receipts! I guess that’s one of the things my $30 a month buys me.”

When products are introduced into the market with behaviors like this, customers are trained to think they are not just legal but also ethical. They don’t always take the next step and ask themselves “wait, should I be doing this?” It’s kind of like if you walked by someone’s window at night and saw them naked. You could do one of two things: a) look away and get out of there, realizing you saw something that person wouldn’t want you to see, or b) keep staring, because if they really didn’t want anyone to see them, they should have closed their blinds. It’s two ways of looking at the world, and Superhuman is not just allowing for option B but actively causing it to happen. It’s almost as if Superhuman is aiming a motion-sensitive camera outside people’s windows and sending alerts when there is motion. It’s automated and designed to capture info when your family, your friend, your co-worker, or your victim is not aware. You may think “victim” is too harsh of a word to use here, but remember, we aren’t talking about you. We are talking about anyone who might use Superhuman.

This piece is fantastic. It’s not just about read receipts in one not-very-popular email app; it’s about how the ethical decisions that are made early in a company’s life impact its ongoing commitments.

Anyway, always disable images in your email client.

Update: Superhuman CEO Rahul Vohra says that read receipts will now be disabled by default. I think this response is terrific, but as Nilay Patel points out, this mess wouldn’t exist for Superhuman — nor any other app that may be less willing or quick to course-correct — with strong user-centric privacy legislation.
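
Why disabling images helps, as an added example that is not part of the original post or of any app discussed here: a sender-side read receipt in HTML mail depends on the recipient's client fetching a remote image, and that request carries the time of opening and the recipient's IP address. The sketch below lists every image in a message that would cause such a fetch and shows that a filter aimed only at 1×1 "pixels" still lets a tokenized banner through. The sample message, hosts, token values and function names are all constructed for illustration.

```python
"""Constructed example: which images in an HTML e-mail phone home when opened."""
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; addresses, hosts and tokens are made up.
SAMPLE_EML = """\
From: sender@example.com
To: recipient@example.org
Subject: Quick question
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Did you get a chance to look at this?</p>
<img src="cid:logo123" width="120" height="40" alt="logo">
<img src="https://tracker.example/open.gif?m=constructed-message-id" width="1" height="1" alt="">
<img src="https://cdn.example/banner.png?r=constructed-recipient-id" width="600" height="200" alt="banner">
</body></html>
"""


class RemoteImageFinder(HTMLParser):
    """Collects every <img> whose src needs a network fetch to render."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attr = {name: (value or "") for name, value in attrs}
        src = attr.get("src", "").strip()
        try:
            parts = urlsplit(src)
        except ValueError:
            return  # malformed URL: nothing a client could fetch
        if parts.scheme.lower() not in ("http", "https"):
            return  # cid: and data: images travel inside the message itself
        style = attr.get("style", "").replace(" ", "").lower()
        tiny = attr.get("width") in ("0", "1") and attr.get("height") in ("0", "1")
        self.findings.append({
            "url": src,
            "host": parts.hostname,
            # Looks like a classic invisible tracking pixel.
            "pixel_like": tiny or "display:none" in style,
            # A query string (or a unique path) can identify the recipient.
            "has_query": bool(parts.query),
        })


def html_bodies(raw_message):
    """Return the decoded text/html parts of a raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    return [part.get_content() for part in msg.walk()
            if part.get_content_type() == "text/html"]


def remote_images(raw_message):
    """All remote images referenced by the message's HTML parts."""
    finder = RemoteImageFinder()
    for body in html_bodies(raw_message):
        finder.feed(body)
    finder.close()
    return finder.findings


def fetches_on_open(raw_message, load_remote_images):
    """URLs the mail client requests when the message is displayed."""
    if not load_remote_images:
        return []  # images disabled: opening the message sends nothing
    return [f["url"] for f in remote_images(raw_message)]


def missed_by_pixel_filter(raw_message):
    """Remote images that a '1x1 only' blocker would still load."""
    return [f["url"] for f in remote_images(raw_message) if not f["pixel_like"]]


if __name__ == "__main__":
    for finding in remote_images(SAMPLE_EML):
        kind = "pixel-like" if finding["pixel_like"] else "ordinary size"
        print(f'{finding["host"]}: {kind}, query={finding["has_query"]}')
    print("still loaded by a pixel-only filter:", missed_by_pixel_filter(SAMPLE_EML))
    print("requests with images disabled:", fetches_on_open(SAMPLE_EML, False))
```

Any remote image with a per-recipient URL can act as a receipt, whatever its size, which is why the setting that matters is blocking all remote images rather than filtering for pixels.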

Ignoring Opposition, ICANN Eliminates Price Caps on .org Domain Names

Kevin Ohashi, Review Signal:

ICANN, which regulates the domain name system, is reviewing the renewal of the .ORG registry contract with Public Interest Registry (PIR). It’s also running an identical process for .BIZ/INFO/ASIA, but they are of less concern to most people and don’t have the long history of existing pre-ICANN that .org does. The proposal was already discussed between PIR and ICANN staff before being put out for comment from stakeholders. This alone is worrisome that the contract is negotiated behind closed doors and without input beforehand.


Not only is there virtually no support for this policy, the only people making any argument in favor of removing price caps have captured an ICANN constituency to do it, one that is supposed to represent business interests broadly (not registry interests).

ICANN voted to eliminate the $8.25 per year price cap on .org domains — that is, domains that are for not-for-profit organizations, charities, and other organizations that count on precise budgeting. It’s no wonder there was so much opposition to this; it’s completely mysterious why ICANN would choose to ignore overwhelming support for .org price caps for a slightly different contract.

Politico: American Officials Met to Discuss Outlawing Encryption

Eric Geller, Politico:

Senior officials debated whether to ask Congress to effectively outlaw end-to-end encryption, which scrambles data so that only its sender and recipient can read it, these people told POLITICO. Tech companies like Apple, Google and Facebook have increasingly built end-to-end encryption into their products and software in recent years — billing it as a privacy and security feature but frustrating authorities investigating terrorism, drug trafficking and child pornography.

“The two paths were to either put out a statement or a general position on encryption, and [say] that they would continue to work on a solution, or to ask Congress for legislation,” said one of the people.

But the previously unreported meeting of the NSC’s so-called Deputies Committee did not produce a decision, the people said.

Mike Masnick, Techdirt:

It’s been said before, but this is not a debate. There is no debate. There is no “on the one hand, on the other hand.” There is no “privacy v. security.” This is “no privacy and weakened security v. actual privacy and actual security.” There’s literally no debate to be had here. If you understand the issues, encryption is essential, and any effort to take away end-to-end encryption is outlawing technology that keeps everyone safe.

You can either have encryption that ensures the safety and privacy of the information it protects, or you have no encryption and everything is compromised. There is no middle ground.

Ive Is, Apparently, Irreplaceable

Shortly before Jony Ive was promoted to Chief Design Officer, the New Yorker ran a truly excellent piece about him and the company as a whole. An excerpt:

In 2007, the year of the iPhone launch, the Ives bought an eleven-bedroom seventeenth-century house, with a lake, in rural Somerset, in the West of England. Ive had been at Apple for fifteen years; his children were nearing school age. When Ive and his wife were photographed among the tanned and lacquered guests at San Francisco fund-raisers, they looked palely handsome and a little puzzled, as if misdirected from the set of a Jane Austen adaptation. At the time, Michael Ive hoped that the Somerset house presaged a permanent return. He told me that he had learned not to ask three questions: “When are you coming back to England?”; “What are you working on?”; “Planning any more kids?”

According to Clive Grinyer, Ive had by then considered returning to the U.K., entering a “magnificent early retirement” in which he worked on “luxury items with Marc.” As Grinyer recalls his conversations with Ive, Apple’s success, and Jobs’s worsening health, revised such plans. Apple sold six million phones in the first year. By 2012, the company was selling more than a hundred million a year. In the same period — during which Apple launched the iPad and the MacBook Air — the company’s valuation quadrupled. “The iPhone just seemed to change the entire world,” Grinyer said. “I think he is burdened by it. He’s got no choice, the poor guy. He really has to see it out, and I know it wasn’t his plan. Which is not to say he’s not enjoying it.” By the spring of 2011, the Somerset house was back on the market. (Ive’s former guesthouse — limestone flooring, double Neff oven — is available for short-term rentals.)

For what it’s worth, Ive denied that he was considering moving.

In linking to it, I wrote:

Ive certainly has a lot of pressure on his shoulders. After Steve Jobs resigned his CEO post, and again after he died, Apple’s stock price was — perhaps surprisingly — unaffected. But if and when Jony Ive leaves Apple, I can’t imagine their share price and their perceived future viability would be unaffected to the same or greater extent. Jobs left a willing and public successor, Tim Cook, in his wake; Ive doesn’t have anyone like that. He is both irreplaceable, and yet he must eventually be replaced.

I don’t know what I was doing with the italics in this paragraph, but I stand by my assessment that Ive’s departure is likely greater than that of Jobs’. But I was wrong in my very last sentence — Apple has not announced a true replacement:

Design team leaders Evans Hankey, vice president of Industrial Design, and Alan Dye, vice president of Human Interface Design, will report to Jeff Williams, Apple’s chief operating officer. Both Dye and Hankey have played key leadership roles on Apple’s design team for many years. Williams has led the development of Apple Watch since its inception and will spend more of his time working with the design team in their studio.

At Apple — Apple, of all companies — there will likely be nobody on the leadership page with “design” in their title for the first time since 2006.

While we’re thinking about that New Yorker profile and Jeff Williams, just one more thing:

Ive would prefer an unobserved life, but he likes nice things. He also has an Aston Martin DB4. He acquired his first Bentley, a two-door model, ten years ago, after an inner zigzag between doubt and self-justification. “I’ve always loved the big old-school square Bentleys,” he said. “The reasons are entirely design-based. But because of the other connotations I resisted and resisted, and then I thought, This is the most bizarre vanity, because I’m concerned that people will perceive me to be this way—I’m not. So I’m going to—” A pause. “And so I am uncomfortable about it.” Jeff Williams, Apple’s senior vice-president of operations, drives an old Toyota Camry. Ive’s verdict, according to Williams, is “Oh, God.”

“Oh, God,” indeed.

Jony Ive Is Leaving Apple


Apple today announced that Sir Jony Ive, Apple’s chief design officer, will depart the company as an employee later this year to form an independent design company which will count Apple among its primary clients. While he pursues personal projects, Ive in his new company will continue to work closely and on a range of projects with Apple.


Design team leaders Evans Hankey, vice president of Industrial Design, and Alan Dye, vice president of Human Interface Design, will report to Jeff Williams, Apple’s chief operating officer. Both Dye and Hankey have played key leadership roles on Apple’s design team for many years. Williams has led the development of Apple Watch since its inception and will spend more of his time working with the design team in their studio.

Tim Bradshaw, of the Financial Times, scored an interview with Ive on his departure. In Ive’s words:

“There was an employee meeting a number of years ago and Steve [Jobs] was talking . . . He [said] that one of the fundamental motivations was that when you make something with love and with care, even though you probably will never meet . . . the people that you’re making it for, and you’ll never shake their hand, by making something with care, you are expressing your gratitude to humanity, to the species.

I so identified with that motivation and was moved by his description. So my new company is called ‘LoveFrom’. It succinctly speaks to why I do what I do.

I think there has long been an expectation that Ive would one day leave Apple to pursue other endeavours, but it is no less stunning to see it happen. I’m intrigued to see what he does next; I have my apprehensions about what it means for the company’s design teams to be led by the COO.

It’s very strange to think that Apple’s design will once again be partly outsourced, even if it is to someone whose career has defined Apple.

Amazon’s Major Role in Universal Surveillance

Will Oremus, writing for Medium’s OneZero publication:

But Amazon’s public image as a cheerfully dependable “everything store” belies the vast and secretive behemoth that it has become — and how the products it’s building today could erode our privacy not just online but also in the physical world. Even as rival tech companies reassess their data practices, rethink their responsibilities, and call for new regulations, Amazon is doubling down on surveillance devices, disclaiming responsibility for how its technology is used, and dismissing concerns raised by academics, the media, politicians, and its own employees.


While the outcome of that case remains to be seen, the complaint represents just the tip of the iceberg. The Amazon of today runs enormous swaths of the public internet; uses artificial intelligence to crunch data for many of the world’s largest companies and institutions, including the CIA; tracks user shopping habits to build detailed profiles for targeted advertising; and sells cloud-connected, A.I.-powered speakers and screens for our homes. It acquired a company that makes mesh Wi-Fi routers that have access to our private Internet traffic. Through Amazon’s subsidiary Ring, it is putting surveillance cameras on millions of people’s doorbells and inviting them to share the footage with their neighbors and the police on a crime-focused social network. It is selling face recognition systems to police and private companies.

I am shocked at how unregulated markets tend to produce monopolies operating in unethical but profitable business categories with impunity.

Most Mapping Products Are Insufficient for Cyclists

Tom MacWright:

This might be because HERE, the number two provider of map technologies, was bought by a bunch of car companies. Or because Google is headquartered in the suburbs. Or that the financial world is fixated on opening the pandora’s box of self-driving cars.

But the end result is the same: bicycle and multimodal routing continues to be a toy, and driving directions keep getting better. We have nearly real-time reports of car crashes so that drivers can shave a few minutes off their commute. Blocked bike lanes are invisible to the system. Even lanes that are redirected into street traffic because of construction that lasts for months – they’re all the same. Google Maps lets you avoid tolls and highways in your car. It sees no difference between a sharrow, a protected bicycle lane, or a so-called bicycle-friendly road.

It could be worse — Apple doesn’t display cycling routes in their Maps app, and there are no options for mixed-mode transportation.

It’s telling of the differences in real-world priorities that cycling is among the most popular modes of transportation in much of the world, yet tech companies treat it as a niche issue for a handful of customers.

Scripting Languages to Be Removed in a Future Version of MacOS

From Apple’s Xcode 11 beta release notes:

Scripting language runtimes such as Python, Ruby, and Perl are included in macOS for compatibility with legacy software. In future versions of macOS, scripting language runtimes won’t be available by default, and may require you to install an additional package. If your software depends on scripting languages, it’s recommended that you bundle the runtime within the app.

Via Michael Tsai, who has put together a typically fantastic roundup of perspectives on this change:

This is a big deal in terms of philosophy; Apple once touted the built-in Unix tool suite as a Mac advantage. And it also means lots of practical changes; installers and AppleScripts can no longer lean on other scripting languages.

I’m not a Mac doom-and-gloomer; I think Apple is truly demonstrating that they are increasingly committed to the future of the Mac. But this is the sort of thing that shakes my confidence. So far, they have provided no justification for why they will one day no longer preinstall scripting languages. I guess there are perhaps some security benefits to their decision, and many developers assuredly took care of installing the requisite packages for themselves.

But something about this feels both arbitrary and inherently wrong. The beautiful thing about MacOS is that there’s a visually coherent interaction layer that most users spend most of their time in, but anyone — including a lunkhead like me — can fire up the Terminal at any time and run a script. Having that capability at one’s fingertips just below the surface, as well as programs like Homebrew and MacPorts, makes the Mac feel limitless. Making scripting a separate feature is limiting, even if only a little bit.

Update: Nicolas Zinovieff:

xcode-select --install

installs ruby on catalina

apparently the “extras” (python, ruby and the rest) are shipped with the other “dev” tools, like git

It would be really nice if this were a simple checkbox when installing a future version of MacOS, rather than requiring users to download and install Xcode, then run a shell command.

Piracy Could Make a Comeback in the Streaming Age

Brian Feldman, New York magazine:

Look, I’m not saying piracy is good, or even justifiable. I’m noting that the pop-culture industry is once again re-creating the conditions that allowed piracy to flourish in the first place. Piracy declined because the legal options for consuming media became easier than the illegal options. iTunes aggregated all of music within one storefront and eventually sold it DRM-free, and it made digital film rentals cheap. Before it started making its own stuff, Netflix aggregated thousands of films and shows and made them watchable at the push of a button (between 2010 and 2018, the number of films available on Netflix dropped 40 percent). Now the legal options for media consumption are once again becoming overly burdensome in both a financial and logistical sense. Even paying for a cable subscription won’t fix it. The best centralized place to find media is, once again, through piracy.

For a while there, it seemed like media companies had figured out what worked. They kept making music and movies and TV shows, and tech companies distributed them in a customer-friendly way. People loved it and paid for media again. But now that studios want to cut out the middle man — and since many of them are owned by ISPs who have cut out that middle man, too — they’re going to shoot themselves in the foot. They’re once again trying to control and restrict the whole stack, and it will have predictable results.

Update: I published too quickly here. Feldman doesn’t provide any evidence that piracy is coming back, only that it likely will due to the increasingly isolationist distribution policies of media companies. I have updated my headline accordingly.

One more thought that I had after publishing is that the media environment of 2019 is vastly different than that of 2009 in large part because of YouTube. Making videos for YouTube is, far more now than then, a legitimate career choice, with bigger budgets and audiences, and more credibility, than ever before. While people are unlikely to pirate public YouTube shows, channels that operate paid memberships with exclusive videos — whether through YouTube itself or a third-party platform like Patreon — might now be pirated as well.