The Albergotti Spin
On the whole, I have been impressed with the way media coverage of tech companies has swung in a more critical direction over the past several years. Technocratic cheerleading produced waves of undeserved hype for companies that barely had a product or were committing outright fraud. When Mark Zuckerberg spoke about “connecting the world”, the press used to fawn. In particular, increased mainstream coverage of tech companies makes it possible to have more attention paid to stories about once-niche topics like online privacy.
At an extreme end, though, there is a cynical streak that runs through some reporters’ coverage of the industry that I find squashes nuance and creates inaccuracies. There is one reporter in particular who has embodied this quality as of late: Reed Albergotti of the Washington Post. Previously at the Information and the Wall Street Journal before that, Albergotti has broken great stories about blood doping in cycling and the corrosive culture inside Nest.
But ever since Albergotti landed at the Post, his coverage has seemed increasingly pessimistic — not merely skeptical or journalistically suspicious, just outright negative. That is not to say Albergotti’s reporting is not worth reading — terrific articles about acquisitions in tech and drivers suing Uber spring to mind — but there is a decided lean towards the sensational. When Apple released the first developer preview of the Find My network specification last year, Albergotti mischaracterized it as an especially secretive document and strained to link it to the ultimately fraught Apple–Google joint exposure notification API. A few months later, he said that Apple was trying to “weaken” and “water down” a bill intended to combat forced labour by Uyghurs in China, but the New York Times’ more comprehensive coverage seemed to refute that summary. Then, last month, an article by Albergotti and Ellen Nakashima made it sound like security vulnerabilities in software are mostly fixed because not doing so would be bad P.R.
Which brings us to the latest example. Let’s start with Nick Statt, of Protocol, who has been covering the Epic v. Apple trial. Craig Federighi took the stand today:
When asked about the difference between iOS and macOS security, Federighi said, “Today, we have a level of malware on the Mac that we don’t find acceptable.” Federighi went on to say that malware hidden in apps downloaded from the internet is a “regularly exploited” vulnerability on desktop and that “iOS has established a dramatically higher bar for customer protection,” adding that “the Mac is not meeting that bar today.”
While it is unusual to hear Federighi kind of dis the security of one of Apple’s platforms to defend another, it is also an uncontroversial statement. Of course the Mac is less secure than iPhones and iPads. The Mac is also more capable; those two things kind of go hand in hand — for now, at least. And of course Apple wants to do more to fight malware on the Mac; why would it not want to improve security for its users and, according to Albergotti last month, burnish its reputation?
But check out how Albergotti interpreted this testimony in a couple of tweets:
Craig Federighi, Apple’s own senior vice president of software engineering, just swore under oath that security on Mac computers is unacceptably poor and regularly exploited by malware. Quite surprising to hear coming from one of Apple’s own top officials.
Obviously, this is an attempt to explain why iOS should not be “opened up.” But still there was a time when a key marketing point for Macs was that they are safe and viruses are exceedingly rare. Now, we hear their security is “unacceptable” to the company that makes them.
At no point did Federighi say that MacOS’ security is “poor”, nor did he say that Macs are unsafe. Even in alarmist articles about Mac malware, most reporters are careful to acknowledge that Windows systems are targeted to a degree several orders of magnitude greater. Albergotti’s summary of this part of Federighi’s testimony gives a completely wrong impression, as we can see in the full context posted by Chris Welch of the Verge:
[…] iOS has established a dramatically higher bar for customer protection. The Mac is not meeting that bar today. And that’s despite the fact that Mac users inherently download less software and are subject to a way less economically motivated attacker base. If you took Mac security techniques and applied them to the iOS ecosystem, with all those devices, all that value, it would get run over to a degree dramatically worse than is already happening on the Mac. And as I say, today, we have a level of malware on the Mac that we don’t find acceptable and is much worse than iOS. Put that same situation in place for iOS and it would be a very bad situation for our customers.
A completely acceptable, succinct explanation of how iOS is more secure, and the trade-offs of security and capability.
But it is in the third and final tweet in Albergotti’s thread where things really kick off:
Of course, Apple is making Macs more like iOS, so Apple knocking its own security on Macs could be an attempt to further “lock down” Macs, pushing out competition.
He links this theory — both literally and figuratively — to his coverage from last year of Apple’s WWDC announcement that it would be transitioning Macs to run on processors of its own design:
Mac users have long been accustomed to downloading software directly from developer websites. By contrast, the iPhone has never allowed that level of freedom. Apps in iOS have to be downloaded through the App Store.
With the same processor base across its devices, Apple seems to be moving in the direction of iOS, where things are more tightly controlled by Apple, said Patrick Wardle, a long time developer of Mac software and principal security researcher for Minneapolis-based software maker Jamf.
“It does kind of just unify their computing platform and does make the transition for this more lockdown model easier to comprehend on Mac,” he said. “Unfortunately, we’re just moving down this path where Apple has complete control.”
I have never understood this line of thinking. Mac developers know they are writing software for an operating system that is only sold as part of Apple’s own hardware sales; MacOS is not available separately. I cannot think of a reason why developer freedom depends on MacOS continuing to run on the x86 instruction set or a commodity processor. To the contrary, MacOS’ security model has been edging closer to one informed by the iOS model for a decade now — entirely on Intel’s processors. For what it’s worth, malware runs natively on M1 Macs running the latest version of MacOS as Wardle found earlier this year. These things do not appear to be inherently tied together.
Which brings me back to Albergotti’s theory from his short Twitter thread. His seems to think that Apple is transitioning to its own processors because it will allow the company to make the MacOS application and security model more like iOS, when those things are entirely independent and Apple has repeatedly stated that it will continue to treat the Mac as a separate family of products. The most obvious proof of that is Apple itself. The company runs on MacOS: it writes software for all of its devices on Macs, so it relies on having at least one platform that prioritizes capability and flexibility over a tighter security model. I do not doubt that Apple will also go to greater lengths to fight malware since any malware in the wild is a problem. But these things do not stack to create the narrative that Albergotti is pushing of absolute control and anticompetitive power across all of Apple’s platforms.
Albergotti is far from the only journalist writing articles and tweets like these. I want to see more critical coverage of the tech industry, just as I would for any large industry. But there is critical and there is cynical, and the latter is just as empty as insufficiently skeptical coverage, or basic “both sides” stories. As tech companies become more valuable and influential, we have never needed higher-quality journalism in this area. I just don’t see that here.