Search Results for: ostensibly

The Massive Meta Fine in the E.U. Is Really About the NSA techdirt.com

Mike Masnick, Techdirt:

[…] Last year, the US and the EU announced yet another deal on transatlantic data flows. And, as we noted at the time (once again!) the lack of any changes to NSA surveillance meant it seemed unlikely to survive yet again.

In the midst of all this, Schrems also went after Meta directly, claiming that because these US/EU data transfer agreements were bogus, that Meta had violated data protection laws in transferring EU user data to US servers.

And that’s what this fine is about. The European Data Protection Board fined Meta all this money based on the fact that it transferred some EU user data to US servers. And, because, in theory, the NSA could then access the data. That’s basically it. The real culprit here is the US being unwilling to curb the NSA’s ability to demand data from US companies.

As noted, and something which aligns with other examples of GDPR violations.

There is one aspect of Masnick’s analysis which I dispute:

Of course, the end result of all this could actually be hugely problematic for privacy around the globe. That might sound counterintuitive, seeing as here is Meta being dinged for a data protection failure. But, when you realize what the ruling is actually saying, it’s a de facto data localization mandate.

And data localization is the tool most frequently used by authoritarian regimes to force foreign internet companies (i.e., US internet companies) to host user data within their own borders where the authoritarian government can snoop through it freely. Over the years, we’ve seen lots of countries do this, from Russia to Turkey to India to Vietnam.

Just because data localization is something used by authoritarian governments does not mean it is an inherently bad idea. Authoritarian governments are going to do authoritarian government things — like picking through private data — but that does not mean people who reside elsewhere would face similar concerns.

While housing user data in the U.S. may offer protection for citizens, it compromises the privacy and security of others. Consider that non-U.S. data held on U.S. servers lacks the protections ostensibly placed on U.S. users’ information, meaning U.S. intelligence agencies are able to pick through it with little oversight. (That is, after all, the E.U.’s argument in its charges against Meta.) Plenty of free democracies also have data localization laws for at least some personal information without a problem. For example, while international agreements prevent the Canadian government from requiring data residency as a condition for businesses, privacy regulations require some types of information to be kept locally, while other types must have the same protections as Canadian-hosted data if stored elsewhere.

Colorado Catholic Group Bought Data to Out Priests Using Dating Apps washingtonpost.com

Michelle Boorstein and Heather Kelly, Washington Post:

A group of conservative Colorado Catholics has spent millions of dollars to buy mobile app tracking data that identified priests who used gay dating and hookup apps and then shared it with bishops around the country.

[…]

One report prepared for bishops says the group’s sources are data brokers who got the information from ad exchanges, which are sites where ads are bought and sold in real time, like a stock market. The group cross-referenced location data from the apps and other details with locations of church residences, workplaces and seminaries to find clergy who were allegedly active on the apps, according to one of the reports and also the audiotape of the group’s president.

Boorstein and Kelly say some of those behind this group also outed a priest two years ago using similar tactics, which makes it look like a test case for this more comprehensive effort. As they write, a New York-based Reverend said at the time it was justified to expose priests who had violated their celibacy pledge. That is a thin varnish on what is clearly an effort to discriminate against queer members of the church. These operations have targeted clergy by using data derived almost exclusively by the use of gay dating apps.

Data brokers have long promised the information they supply is anonymized but, time and again, this is shown to be an ineffective means of protecting users’ privacy. That ostensibly de-identified data was used to expose a specific single priest’s use of Grindr in 2021, and the organization in question has not stopped. Furthermore, nothing would prevent this sort of exploitation by groups based outside the United States, which may be able to obtain similar data to produce the same — or worse — outcomes.

This is some terrific reporting by Boorstein and Kelly.

Regarding the New York Times kareem.substack.com

Kareem Abdul-Jabbar:

What we need to always be aware of is that how we treat any one marginalized group is how we will treat all of them—given the chance. There is no such thing as ignoring the exploitation of one group hoping they won’t come for you.

This goes for us individually, but especially for a paper with a massive platform like the New York Times, which Abdul-Jabbar is responding to. A recent episode of Left Anchor is a good explanation of why the Times’ ostensibly neutral just-asking-questions coverage of trans people and issues is so unfairly slanted as to be damaging.

It Barely Matters That Apple Missed Its Two-Year Goal for the Apple Silicon Transition 9to5mac.com

Chance Miller, 9to5Mac:

If you view the November [2020] announcement [of the first M1 Macs] as the start of the transition process, Apple would have needed to have everything wrapped up by November 2022. This deadline, too, has passed. This means Apple has missed its two-year transition target regardless of which deadline you consider.

[…]

So that leaves us where we are today. You have Apple Silicon options for every product category in the Mac lineup, with the exception of the Mac Pro. During its March event, Apple exec John Ternus teased that the Mac Pro with Apple Silicon was an announcement “for another day.” That day, however, hasn’t yet come.

Miller also notes that an Intel version of the Mac Mini remains available. But it hardly matters for Apple to have technically missed its goal since all of its mainstream Macs have transitioned to its own silicon, and it has released an entirely new Mac — in the form of the Mac Studio — and begun the rollout of its second generation of chips in that timeframe. Also, it sure helps that people love these new Macs.

Update: The December 18 version of Mark Gurman’s newsletter contains more details about the forthcoming Mac Pro:

An M2 Extreme [Gurman’s own term for two M2 Ultras] chip would have doubled that to 48 CPU cores and 152 graphics cores. But here’s the bad news: The company has likely scrapped that higher-end configuration, which may disappoint Apple’s most demanding users — the photographers, editors and programmers who prize that kind of computing power.

[…]

Instead, the Mac Pro is expected to rely on a new-generation M2 Ultra chip (rather than the M1 Ultra) and will retain one of its hallmark features: easy expandability for additional memory, storage and other components.

I am interested to see how this works in practice. One of the trademarks of Macs based on Apple’s silicon is the deep integration of all these components, ostensibly for performance reasons.

Mark Zuckerberg’s Net Worth has Dropped by $100 Billion in One Year bloomberg.com

Nur Dayana Mustak, Bloomberg:

Zuckerberg, 38, now has a net worth of $38.1 billion, according to the Bloomberg Billionaires Index, a stunning fall from a peak of $142 billion in September 2021. While many of the world’s richest people have seen their fortunes tumble this year, Meta’s chief executive officer has seen the single-biggest hit among those on the wealth list.

As if you needed more reasons to be skeptical of billionaires’ motivations for ostensibly charitable uses of their wealth, here is another. Zuckerberg has tied the success of Meta to his family’s Chan Zuckerberg Initiative by funding it through their personally-held shares in Meta. According to its website, that foundation — an LLC, not a charity — is focused on finding cures for diseases, reducing youth homelessness, and improving education. If you like the sound of those things, you should therefore hope for a skyrocketing Meta stock price. If, on the other hand, shareholders are concerned that Meta’s business model is detrimental to society at large and do not approve of the company’s vision for its future, they are compromising the efforts of Zuckerberg’s foundation.

The Wire Intends to Review Its Reporting on Meta thewire.in

L’affaire the Wire sure has taken a turn since yesterday. First, Kanishk Karan, one of the security researchers ostensibly contacted by reporters, has denied ever doing so:

It has come to my attention that I’ve been listed as one of the “independent security researchers” who supposedly “verified” the Wire’s report on FB ‘Xcheck’ in India. I would like to confirm that I did NOT DO the DKIM verification for them.

Aditi Agrawal, of Newslaundry, confirmed the non-participation of both researchers cited by the Wire:

The first expert was initially cited in the Wire’s Saturday report to have verified the DKIM signature of a contested internal email. He is a Microsoft employee. Although his name was redacted from the initial story, his employer and his positions in the company were mentioned.

This expert – who was later identified by [Wire founding editor Siddharth] Varadarajan in a tweet – told Newslaundry he “did not participate in any such thing”.

Those factors plus lingering doubts about its reporting have led to this un-bylined note from the Wire:

In the light of doubts and concerns from experts about some of this material, and about the verification processes we used — including messages to us by two experts denying making assessments of that process directly and indirectly attributed to them in our third story — we are undertaking an internal review of the materials at our disposal. This will include a review of all documents, source material and sources used for our stories on Meta. Based on our sources’ consent, we are also exploring the option of sharing original files with trusted and reputed domain experts as part of this process.

An internal review is a good start, but the Wire damaged its credibility when it stood by its reporting for a week as outside observers raised questions. This was a serious process failure that stemmed from a real issue — a post was removed for erroneous reasons, though it has been silently reinstated. In trying to report it out, the best case scenario is that this publication relied on sources who appear to have fabricated evidence. This kind of scandal is rare but harmful to the press at large. An internal review may not be enough to overcome this breach of trust.

It Appears the Wire Is Still Getting Duped by Fake Meta Documentation about.fb.com

Last week, New Delhi-based the Wire published what seemed like a blockbuster story, claiming that posts reported by high-profile users protected by Meta’s XCheck program would be removed from Meta properties with almost no oversight — in India, at least, but perhaps elsewhere. As public officials’ accounts are often covered by XCheck, this would provide an effective way for them to minimize criticism. But Meta leadership disputed the story, pointing to inaccuracies in the supposed internal documentation obtained by the Wire.

The Wire stood by its reporting. On Saturday, Devesh Kumar, Jahnavi Sen and Siddharth Varadarajan published a response with more apparent evidence. It showed that @fb.com email addresses were still in use at Meta, in addition to newer @meta.com addresses, but that merely indicated the company is forwarding messages; the Wire did not show any very recent emails from Meta leadership using @fb.com addresses. The Wire also disputed Meta’s claim that instagram.workplace.com is not an actively used domain:

The Wire’s sources at Meta have said that the ‘instagram.workplace.com’ link exists as an internal subdomain and that it remains accessible to a restricted group of staff members when they log in through a specific email address and VPN. At The Wire’s request, one of the sources made and shared a recording of them navigating the portal and showing other case files uploaded there to demonstrate the existence and ongoing use of the URL.

Meta:

The account was set up externally as a free trial account on Meta’s enterprise Workplace product under the name “Instagram” and using the Instagram brand as its profile picture. It is not an internal account. Based on the timing of this account’s creation on October 13, it appears to have been set up specifically in order to manufacture evidence to support the Wire’s inaccurate reporting. We have locked the account because it’s in violation of our policies and is being used to perpetuate fraud and mislead journalists.

The screen recording produced for the Wire shows the source navigating to internalfb.com to log in. That is a real domain registered to Meta and with Facebook-specific domain name records. Whoever is behind this apparent hoax is working hard to make it believable. It is trivial for a technically sophisticated person to recreate that login page and point the domain on their computer to a modified local version instead of Meta’s hosted copy. I do not know if that is the case here, but it is plausible.

The Wire also produced a video showing an apparent verification of the DKIM signature in the email Andy Stone ostensibly sent to the “Internal” and “Team” mailing lists.1 However, the signature shown in the screen recording appears to have some problems. For one, the timestamp appears to be incorrect; for another, the signature is missing the “to” field which is part of an authentic DKIM signature for emails from fb.com, according to emails I have received from that domain.

The Wire issued a statement acknowledging a personal relationship between one of its sources and a reporter. The statement was later edited to remove that declaration; the Wire appended a note to its statement saying it was changed to be “clearer about our relationships with our sources”. I think it became less clear as a result. The Wire also says Meta’s purpose in asking for more information is to expose its sources. I doubt that is true. When the Wall Street Journal published internal documents leaked by Frances Haugen, Meta did not claim they were faked or forged. For what it is worth, I believe Meta when it says the documentation obtained by the Wire is not real.

But this murky case still has one shred of validity: when posts get flagged, how does Meta decide whether the report is valid and what actions are taken? The post in question is an image that had no nudity or sexual content, yet was reported and removed for that reason. Regardless of the validity of this specific story, Meta ought to be more accountable, particularly when it comes to moderating satire and commentary outside the United States. At the very least, it does not look good for political interference under the banner of an American company.

Update: Alex Stamos tweeted about another fishy edit made by the Wire — a wrong timestamp on screenshots of emails from the experts who verified the DKIM signatures, silently changed after publishing.

Update: Pranesh Prakash has been tweeting through his discoveries. The plot thickens.

  1. There is, according to one reporter, no list at Meta called “Internal”. It also does not pass a smell check of what function an email list would have. This is wholly subjective, for sure, but think about what purpose an organization’s email lists serve, and then consider why a big organization like Meta would need one with a vague name like “Internal”. ↥︎

iOS Apps Can Inject JavaScript on Webpages Loaded in In-App Browsers; TikTok and Instagram May Collect Sensitive Events krausefx.com

Felix Krause:

The iOS Instagram and Facebook app render all third party links and ads within their app using a custom in-app browser. This causes various risks for the user, with the host app being able to track every single interaction with external websites, from all form inputs like passwords and addresses, to every single tap.

This is because apps are able to manipulate the DOM and inject JavaScript into webpages loaded in in-app browsers. Krause elaborated today:

When you open any link on the TikTok iOS app, it’s opened inside their in-app browser. While you are interacting with the website, TikTok subscribes to all keyboard inputs (including passwords, credit card information, etc.) and every tap on the screen, like which buttons and links you click.

[…]

Instagram iOS subscribes to every tap on any button, link, image or other component on external websites rendered inside the Instagram app.

[…]

Note on subscribing: When I talk about “App subscribes to”, I mean that the app subscribes to the JavaScript events of that type (e.g. all taps). There is no way to verify what happens with the data.

Is TikTok a keylogger? Is Instagram monitoring every tap on a loaded webpage? It is impossible to say, but it does not look good that either of these privacy-invasive apps are so reckless with users’ ostensibly external activity.

It reminds me of when iOS 14 revealed a bunch of apps, including TikTok, were automatically reading pasteboard data. It cannot be known for certain what happened to all of the credit card numbers, passwords, phone numbers, and private information collected by these apps. Perhaps some strings were discarded because they did not match the format an app was looking for, like a parcel tracking number or a URL. Or perhaps some ended up in analytics logs collected by the developer. We cannot know for sure.

What we do know is how invasive big-name applications are, and how little their developers really care about users’ privacy. There is no effort at minimization. On the contrary, there is plenty of evidence for maximizing the amount of information collected about each user at as granular a level as possible.

FTC Promises Crackdown on Illegal Misuse of Health Information and Ostensibly De-Identified Data ftc.gov

Kristin Cohen, of the U.S. Federal Trade Commission:

The conversation about technology tends to focus on benefits. But there is a behind-the-scenes irony that needs to be examined in the open: the extent to which highly personal information that people choose not to disclose even to family, friends, or colleagues is actually shared with complete strangers. These strangers participate in the often shadowy ad tech and data broker ecosystem where companies have a profit motive to share data at an unprecedented scale and granularity.

This sounds promising. Cohen says the FTC is ready to take action against companies and data brokers misusing health information, in particular, in a move apparently spurred or accelerated by the overturning of Roe v. Wade. So what is the FTC proposing?

[…] There are numerous state and federal laws that govern the collection, use, and sharing of sensitive consumer data, including many enforced by the Commission. The FTC has brought hundreds of cases to protect the security and privacy of consumers’ personal information, some of which have included substantial civil penalties. In addition to Section 5 of the FTC Act, which broadly prohibits unfair and deceptive trade practices, the Commission also enforces the Safeguards Rule, the Health Breach Notification Rule, and the Children’s Online Privacy Protection Rule.

I am no lawyer, so it would be ridiculous for me to try to interpret these laws. But what is there sure seems limited in scope — in order: personal information entrusted to financial companies, security breaches of health records, and children under 13 years old. This seems like the absolute bottom rung on the ladder of concerns. It is obviously good that the FTC is reiterating its enforcement capabilities, though revealing of its insipid authority, but what is it about those laws which will permit it to take meaningful action against the myriad anti-privacy practices covered by over-broad Terms of Use agreements?

Companies may try to placate consumers’ privacy concerns by claiming they anonymize or aggregate data. Firms making claims about anonymization should be on guard that these claims can be a deceptive trade practice and violate the FTC Act when untrue. Significant research has shown that “anonymized” data can often be re-identified, especially in the context of location data. One set of researchers demonstrated that, in some instances, it was possible to uniquely identify 95% of a dataset of 1.5 million individuals using four location points with timestamps. Companies that make false claims about anonymization can expect to hear from the FTC.

Many digital privacy advocates have been banging this drum for years. Again, I am glad to see it raised as an issue the FTC is taking seriously. But given the exuberant data broker market, how can any company that collects dozens or hundreds of data points honestly assert their de-identified data cannot be associated with real identities?

The only solution is for those companies to collect less user data and to pass even fewer points onto brokers. But will the FTC be given the tools to enforce this? Its funding is being increased significantly, so it will hopefully be able to make good on its cautionary guidance.

U.S. Consulting Firm Targeted Victory Likely Driver of Misguided Spam Filter Bias Bill techdirt.com

Cristiano Lima, Washington Post:

An academic study finding that Google’s algorithms for weeding out spam emails demonstrated a bias against conservative candidates has inflamed Republican lawmakers, who have seized on the results as proof that the tech giant tried to give Democrats an electoral edge.

[…]

That finding has become the latest piece of evidence used by Republicans to accuse Silicon Valley giants of bias. But the researchers said it’s being taken out of context.

[Muhammad] Shahzad said while the spam filters demonstrated political biases in their “default behavior” with newly created accounts, the trend shifted dramatically once they simulated having users put in their preferences by marking some messages as spam and others as not.

Shahzad and the other researchers who authored the paper have disputed the sweeping conclusions of bias drawn by lawmakers. Their plea for nuance has been ignored. Earlier this month, a group of senators introduced legislation to combat this apparent bias. It intends to prohibit email providers from automatically flagging any political messages as spam, and requires providers to publish quarterly reports detailing how many emails from political parties were filtered.

According to reporting from Mike Masnick at Techdirt, it looks like this bill was championed by Targeted Victory, which also promoted the study to conservative media channels. You may remember Targeted Victory from their involvement in Meta’s campaign against TikTok.

Masnick:

Anyway, looking at all this, it is not difficult to conclude that the digital marketing firm that Republicans use all the time was so bad at its job spamming people, that it was getting caught in spam filters. And rather than, you know, not being so spammy, it misrepresented and hyped up a study to pretend it says something it does not, blame Google for Targeted Victory’s own incompetence, and then have its friends in the Senate introduce a bill to force Google to not move its own emails to spam.

I am of two minds about this. A theme you may have noticed developing on this website over the last several years is a deep suspicion of automated technologies, however they are branded — “machine learning”, “artificial intelligence”, “algorithmic”, and the like. So I do think some scrutiny may be warranted in understanding how automated systems determine a message’s routing.

But it does not seem at all likely to me that a perceived political bias in filtering algorithms is deliberate, so any public report indicating the number or rate of emails from each political party being flagged as spam is wildly unproductive. It completely de-contextualizes these numbers and ignores decades of spam filters being inaccurate from time to time for no good reason.

A better approach for all transparency around automated systems is one that helps the public understand how these decisions are made without playing to perceived bias by parties with a victim complex. Simply counting the number of emails flagged as spam from each party is an idiotic approach. I, too, would like to know why many of the things I am recommended by algorithms are entirely misguided. This is not the way.

By the way, politicians have a long and proud history of exempting themselves from unfavourable regulations. Insider trading laws virtually do not apply to U.S. congresspersons, even with regulations to ostensibly rein it in. In Canada, politicians excluded themselves from unsolicited communications laws by phone and email. Is it any wonder why polls have showed declining trust in institutions for decades?

A Profile of PimEyes, Which Performs Facial Recognition on Public Photos nytimes.com

Kashmir Hill, New York Times:

For $29.99 a month, a website called PimEyes offers a potentially dangerous superpower from the world of science fiction: the ability to search for a face, finding obscure photos that would otherwise have been as safe as the proverbial needle in the vast digital haystack of the internet.

A search takes mere seconds. You upload a photo of a face, check a box agreeing to the terms of service and then get a grid of photos of faces deemed similar, with links to where they appear on the internet. The New York Times used PimEyes on the faces of a dozen Times journalists, with their consent, to test its powers.

PimEyes found photos of every person, some that the journalists had never seen before, even when they were wearing sunglasses or a mask, or their face was turned away from the camera, in the image used to conduct the search.

You do not even need to pay the $30 per month fee. You can test PimEyes’ abilities for free.

PimEyes disclaims responsibility the results of its search tool through some ostensibly pro-privacy language. In a blog post published, according to metadata visible in the page source, one day before the Times’ investigation, it says its database “contains no personal information”, like someone’s name or contact details. The company says it does not even have any photos, storing only “faceprint” data and URLs where matching photos may be found.

Setting aside the question of whether a “faceprint” ought to be considered personal information — it is literally information about a person, so I think it should — perhaps you have spotted the sneaky argument PimEyes is attempting to make here. It can promote the security of its database and its resilience against theft all it wants, but its real privacy problems are created entirely through its front-end marketed features. If its technology works anywhere near as well as marketed, a search will lead to webpages that do contain the person’s name and contact details.

PimEyes shares the problem found with any of these people finding tools, no matter their source material: they do not seem dangerous in isolation, but it is their ability to coalesce and correlate different data points to create a complete profile. Take a picture of anyone, then dump it into PimEyes to find their name and, perhaps, a username or email address correlated with the image. Use a different people-based search engine to find profiles across the web that share the same online handle, or accounts registered with that email address. Each of those searches will undoubtedly lead to greater pools of information, and all of this is perfectly legal. The only way to avoid being a subject is to submit an opt-out request to services that offer it. Otherwise, if you exist online in any capacity, you are a token in this industry.

Hill:

PimEyes users are supposed to search only for their own faces or for the faces of people who have consented, Mr. Gobronidze said. But he said he was relying on people to act “ethically,” offering little protection against the technology’s erosion of the long-held ability to stay anonymous in a crowd. PimEyes has no controls in place to prevent users from searching for a face that is not their own, and suggests a user pay a hefty fee to keep damaging photos from an ill-considered night from following him or her forever.

This is such transparent bullshit. Gobronidze has to know that not everybody using its service is searching for pictures of themselves or those who have consented. As Hill later writes, it requires more stringent validation of a request to opt out of its results than it does a request to search.

Update: On July 16, Mara Hvistendahl of the Intercept reported on a particularly disturbing use of PimEyes:

The online facial recognition search engine PimEyes allows anyone to search for images of children scraped from across the internet, raising a host of alarming possible uses, an Intercept investigation has found.

It would be more acceptable if this service were usable only by a photo subject or their parent or guardian. As it is, PimEyes stands by its refusal to gate image searches, permitting any creep to search for images of anyone else through facial recognition.

The CDC Paid for Location Data From Millions of Phones Collected by Safegraph vice.com

Joseph Cox, Vice:

The Centers for Disease Control and Prevention (CDC) bought access to location data harvested from tens of millions of phones in the United States to perform analysis of compliance with curfews, track patterns of people visiting K-12 schools, and specifically monitor the effectiveness of policy in the Navajo Nation, according to CDC documents obtained by Motherboard. The documents also show that although the CDC used COVID-19 as a reason to buy access to the data more quickly, it intended to use it for more general CDC purposes.

Location data is information on a device’s location sourced from the phone, which can then show where a person lives, works, and where they went. The sort of data the CDC bought was aggregated — meaning it was designed to follow trends that emerge from the movements of groups of people — but researchers have repeatedly raised concerns with how location data can be deanonymized and used to track specific people.

Remember, during the early days of the pandemic, when the Washington Post published an article chastising Apple and Google for not providing health organizations full access to users’ physical locations? In the time since it was published, the two companies released their jointly-developed exposure notification framework which, depending on where you live, has either been somewhat beneficial or mostly inconsequential. Perhaps unsurprisingly, regions with more consistent messaging and better privacy regulations seemed to find it more useful than places where there were multiple competing crappy apps.

The reason I bring that up is because it turns out a new app that invades your privacy in the way the Post seemed to want was unnecessary when a bunch of other apps on your phone do that job just fine. And, for the record, that is terrible.

In a context vacuum, it would be better if health agencies were able to collect physical locations in a regulated and safe way for all kinds of diseases. But there have been at least stories about wild overreach during this pandemic alone: this one, in which the CDC wanted location data for all sorts of uses beyond contact tracing, and Singapore’s acknowledgement that data from its TraceTogether app — not based on the Apple–Google framework — was made available to police. These episodes do not engender confidence.

Also — and I could write these words for any of the number of posts I have published about the data broker economy — it is super weird how this data can be purchased by just about anyone. Any number of apps on our phones report our location to hundreds of these companies we have never heard of, and then a government agency or a media organization or some dude can just buy it in ostensibly anonymized form. This is the totally legal but horrific present.

Reports like these underscore how frustrating it was to see the misplaced privacy panic over stuff like the Apple–Google framework or digital vaccine passports. Those systems were generally designed to require minimal information, report as little externally as possible, and use good encryption for communications. Meanwhile, the CDC can just click “add to cart” on the location of millions of phones.

Meta’s Dirty Tricks Campaign Against TikTok washingtonpost.com

Taylor Lorenz and Drew Harwell, the Washington Post:

Facebook parent company Meta is paying one of the biggest Republican consulting firms in the country to orchestrate a nationwide campaign seeking to turn the public against TikTok.

The campaign includes placing op-eds and letters to the editor in major regional news outlets, promoting dubious stories about alleged TikTok trends that actually originated on Facebook, and pushing to draw political reporters and local politicians into helping take down its biggest competitor. These bare-knuckle tactics, long commonplace in the world of politics, have become increasingly noticeable within a tech industry where companies vie for cultural relevance and come at a time when Facebook is under pressure to win back young users.

Employees with the firm, Targeted Victory, worked to undermine TikTok through a nationwide media and lobbying campaign portraying the fast-growing app, owned by the Beijing-based company ByteDance, as a danger to American children and society, according to internal emails shared with The Washington Post.

Zac Moffatt, Targeted Victory’s CEO, disputed this reporting on Twitter, but many of his complaints are effectively invalid. He complains that only part of the company’s statement was included by the Post, but the full statement fits into a tweet and is pretty vacuous. The Post says the company refused to answer specific questions, which Moffatt has not disputed.

Moffatt also says the Post called two letters to the editor a “scorched earth campaign”, but the oldest copy of the story I could find, captured just twenty minutes after publishing and well before Moffatt tweeted, does not contain that phrasing, and neither does the current copy. I am not sure where that is from.

But one thing Moffatt does nail the Post on, a little bit, is its own reporting on TikTok moral panics. For example, the “slap a teacher challenge” was roundly debunked when it began making headlines in early October 2021 and was traced back to rumours appearing on Facebook a month earlier, but that did not stop the Post from reporting on it. It appears Targeted Victory used the Post’s reporting, among that from other publications, to further concerns about this entirely fictional story. That is embarrassing for the Post, which cited teachers and school administrators for its story.

The Post should do better. But it is agencies like Targeted Victory that the Post and other media outlets should be steeling themselves against, as well as in-house corporate public relations teams. When reporters receive a tip about a company’s behaviour — positive or negative — the source of that information can matter as much as the story itself. It is why I still want more information about the Campaign for Accountability’s funders: it has been successful in getting media outlets to cover its research critical of tech companies, but its history with Oracle has muddied the waters of its ostensibly pure concern. Oracle also tipped off Quartz reporters to that big Google location data scandal a few years ago. These sources are not neutral. While the stories may be valid, readers should not be misled about their origin.

Everything We Are Told About Website Identity Assurance Is Wrong troyhunt.com

Troy Hunt on Twitter:

Why are you still claiming this @digicert? This is extremely misleading, anyone feel like reporting this to the relevant advertising standards authority in their jurisdiction? https://www.digicert.com/faq/when-to-use-ev-ssl.htm

The linked page touted some supposed benefits of Extended Verification SSL certificates. Those are the certificates that promise to tie a company’s identity to their website, which was ostensibly confirmed by the company’s name appearing in a web browser’s address bar alongside the HTTPS icon.

Troy Hunt:

I have a vehement dislike for misleading advertising. We see it every day; weight loss pills, make money fast schemes and if you travel in the same circles I do, claims that extended validation (EV) certificates actually do something useful:

[…]

Someone had reached out to me privately and shared the offending page as they’d taken issue with the false claims DigiCert was making. My views on certificate authority shenanigans spinning yarns on EV are well known after having done many talks on the topic and written many blog posts, most recently in August 2019 after both Chrome and Firefox announced they were killing it. When I say “kill”, that never meant that EV would no longer technically work, but it killed the single thing spruikers of it relied upon – being visually present beside the address bar. That was 2 and a half years ago, so why is DigiCert still pimping the message about the green bar with the company name? Beats me (although I could gue$$), but clearly DigiCert had a change of heart after that tweet because a day later, the offending image was gone. You can still see the original version in the Feb 9 snapshot on archive.org.

Website identity is a hard thing to prove, even to those who are somewhat technically literate. Bad security advice is commonplace, but it is outrageous to see companies like DigiCert using such frail justifications for marketing fodder.

Meta Launders Its Reputation Through Small Businesses

Jeran Wittenstein, Bloomberg:

Meta Platforms Inc. has tumbled out of the world’s 10 largest companies by market value, hammered by its worst monthly stock decline ever.

Once the world’s sixth largest company with a valuation in excess of $1 trillion, the Facebook parent closed on Thursday with a value of $565 billion, placing it in 11th place behind Tencent Holdings Ltd., according to data compiled by Bloomberg.

Please accept my condolences.

Huge changes in market value like Meta is currently experiencing can partly be attributed to the massive market capitalization reflected in today’s top ten. The Economic Research Council published a chart in 2019 showing the ten most valuable publicly traded companies for twenty years prior and, as recently as 2014, only one was worth more than a trillion dollars. That is not the world we live in any more. Even normal day-to-day fluctuations reflect billions of dollars that ostensibly reflect investors’ confidence.

But there is also an undeniable loss of confidence in Meta’s ability to maintain the success of its core product — targeted advertising — in the face of increasing regulatory scrutiny, and changes made by operating system vendors. Meta’s virtual reality efforts, with which it is hoping to become an operating system owner itself, are still far away, and I do not think the company has yet demonstrated a compelling case for its existence.

For now, it has ads to sell across its platforms, and that is getting harder as public pressure mounts against its business practices. Unfortunately, as Meta’s empire is increasingly scrutinized, small businesses that depend on it are feeling the squeeze.

Suzanne Vranica, Patience Haggin, and Salvador Rodriguez, Wall Street Journal:

Martha Krueger, who runs a gift-basket business called Giften Market, used to spend her entire advertising budget on Meta Platforms Inc.’s Facebook and Instagram. She picked up a new customer for every $14 she spent.

When Apple Inc. introduced a privacy feature for mobile devices last year that restricts user tracking, she said, her costs to acquire such customers rose 10-fold. In October, she shifted her whole ad budget to search ads on Alphabet Inc.’s Google.

I empathize with the owners and marketers who work with businesses like these, which have depended on precisely targeting advertising to lower their marketing costs and get more customers. However, I think we have lost sight of how Meta was able to be so successful in the first place: it tracked users’ behaviour without their explicit consent or knowledge. What I find so frustrating about this is how Meta defends its practices by invoking the trust these businesses have placed in it:

Meta said in a written statement that it has more than 10 million advertisers. “Apple’s harmful policy is making it harder and more expensive for businesses of all sizes to reach their customers,” it said. “We believe Facebook and Instagram remain the best platforms for businesses to grow and connect with people, and we’ll always keep working to improve performance and measurement.”

Meta constructed a fundamentally unethical business model that allowed it to offer cheap ads, and it is laundering that scummy behaviour through the much better reputation of coffee shops, and florists, and travel agents, and other small business owners. Entrepreneurs should not be blamed for taking advantage of the marketing opportunities available to them.

This is a complex problem with a simple root: in a more just world, where the privacy of individuals is truly respected, Meta would never have offered these kinds of ads in the first place. But the company recognized that it was on legally firm ground to follow users’ activity across the web and through third-party apps, and it built its entire business around milking that strategy for everything it could give. It gave small business owners the ability to buy better advertising at lower rates, but has cost all of us our privacy online with little in the way of notice, consent, or control.

So that is how we got into this mess, and lawmakers in many regions around the world are trying various ways of getting us out of it. But Apple, having a business model more conducive to privacy and being an operating system vendor, realized it could also do something about tracking without due consent. It asks a simple question when apps want to track a user: do you want to permit this? Most people answer in the negative.

This naturally leads to the question of what business it is of Apple’s to have a say in other companies’ practices. It has a long history of doing so and a familiar future ahead. That is a discussion way too long for a single post, especially one I am publishing on a Friday evening. But there is one argument I think can be addressed in short order: all Apple did to push Meta’s buttons is that it now requires explicit consent for tracking. If Meta’s business model cannot handle a simple question of permissions, that is a pretty crappy business model. It should have been better prepared for a day when lawmakers started asking questions. But it was not. Meta’s best move has been to use the plight of small businesses, lured by its short-term promises, to excuse its unethical practices. Shame.

Apple’s Rules for External Payment Mechanisms in iOS Apps developer.apple.com

After millions of Euros in fines for its delinquency, Apple has announced its rules for developers of dating apps who wish to use external payment mechanisms in the Netherlands. While ostensibly straightforward, they are not easy to comply with, but likely form a template for other circumstances where apps will be permitted to use non-IAP mechanisms.

Developers are required to apply for the entitlement allowing them to use a non-Apple payment flow. This includes fields for the payment processor’s information. Apple says developers must “demonstrate that your PSP meets the criteria of having a secure payment processing system and an established track record of protecting user privacy”. Apple lists several other privacy and security requirements for payment processors. Then, in the separate app binary developers must produce solely for the Dutch App Store, they must also include a message which “must exactly match” the following (shown in English and Dutch on Apple’s website; I am only quoting the English here):

Title: This app does not support the App Store’s private and secure payment system

Body: All purchases in the <App Name> app will be managed by the developer “<Developer Name>.” Your stored App Store payment method and related features, such as subscription management and refund requests, will not be available. Only purchases through the App Store are secured by Apple.

Learn More

Action 1: Continue

Action 2: Cancel

Just look at the striking twist in language here. The title and final sentence the body text literally say that the app’s payment mechanism is different from Apple’s, and that Apple’s is “private and secure”. But it implies the payment standard used by the developer is less private and has inferior security to Apple’s own — even though Apple requires all developers to use a private and secure payment processor. Apple is selling asbestos-free cereal, while requiring all other cereals to be asbestos-free but not allowing them to label themselves as such.

I wonder how Dutch regulators will feel about that.

Apple also says that it is entitled to a commission of 27% on all sales, which is about what I expected. The App Store commission is not solely a payment processing fee and never has been. It is a profit margin for Apple, plain and simple. I am not for a moment arguing that this is a good thing or that it is acceptable, but I do not think developers should hope for a dramatically different commission unless lawmakers intervene.

Update: If I am reading this right, Apple’s 27% commission does not appear to differ for third-party subscriptions after the first year, while subscriptions sold through the App Store drop to a 15% commission.

Technology Trade Group Issues Statement on the ‘Banning Surveillance Advertising Act’ itif.org

This statement from Information Technology and Innovation Foundation VP Daniel Castro is a ride:

Online advertising pays for the vast majority of free online services. Banning targeted ads would make online advertising much less effective, so advertisers will pay less for them and those who display ads — including app developers, media companies, and content creators — will earn significantly less revenue. Faced with a budget shortfall, many online services will have few options other than to either reduce the quality of their services or charge their users fees.

It will not surprise you to know that this group is funded by basically every major technology company, including Amazon, Apple, Facebook, Google, and Microsoft.

But let us engage with this argument on its merits, and not which ostensibly independent voices are making it. One reason highly-targeted ads cost more than less targeted ones is because there are more companies involved in their delivery and each one gets its cut. Another reason is, allegedly, because Google overcharged advertisers, paid publishers a lower rate, and kept the difference.

And while some wealthier households might be willing to pay for ad-free Internet services, millions of American families would be hurt by this policy as they find themselves cut off from key parts of the digital economy. Indeed, this policy would be equivalent to telling the millions of American households who watch ad-supported broadcast television that, to protect them from advertising, they will have to sign up for premium cable and streaming subscriptions instead.

This is some race-to-the-bottom nonsense that conflates less-targeted advertising with a ban on ads altogether — a confused argument this industry loves to make because its actual practices are indefensible. Non-creepy advertising is completely fine. Just do that.

It is worth Americans’ time to question the efficacy of the bill’s text and look for unintended consequences. But this trade group assumes everyone is a sucker and will fall for its misleading arguments.

User-Friendly Diagnostics Should Be a Core Part of Any System eclecticlight.co

Howard Oakley:

Software engineers are hopeless optimists when they design and code only for success. There’s much more to handling errors than displaying a couple of phrases of in-house jargon and fobbing the user off with a magic number. It’s high time that designing error-handling to help the user became a central tenet of macOS.

My only quibble with Oakley’s conclusion here is that it should not be limited to MacOS; I expect better diagnostics across all of Apple’s operating systems. Otherwise, this is spot on.

It is bananas that the best error messages users will encounter are those with an inscrutable code — “the best” because it is at least something which can begin a web search for answers. But a Mac is not a microwave; it has a very large display and can display more information than an error code of a few characters. Worse still are errors which have no information — Oakley’s example is a MacOS installer with the error “This copy of the Install macOS Big Sur.app application is damaged, and can’t be used to install macOS.” has only an “OK” button, as though that is an acceptable response1 — or silent failure where no message is displayed to the user at all.

There is no way this is the best that can be done, nor is it what we should expect out of our ostensibly modern families of operating systems.

  1. Since this is a MacOS installer, a better error message would have an option to fix the application, or at least re-download it in full. ↥︎

That Secret TikTok Document Obtained by the New York Times Has Been Circulating Publicly for a Year Under a Different Name protocol.com

In his Sunday “Media Equation” column in the New York Times, Ben Smith said he obtained an internal document created for new TikTok employees:

The document, headed “TikTok Algo 101,” was produced by TikTok’s engineering team in Beijing. A company spokeswoman, Hilary McQuaide, confirmed its authenticity, and said it was written to explain to nontechnical employees how the algorithm works. The document offers a new level of detail about the dominant video app, providing a revealing glimpse both of the app’s mathematical core and insight into the company’s understanding of human nature — our tendencies toward boredom, our sensitivity to cultural cues — that help explain why it’s so hard to put down. The document also lifts the curtain on the company’s seamless connection to its Chinese parent company, ByteDance, at a time when the U.S. Department of Commerce is preparing a report on whether TikTok poses a security risk to the United States.

What is interesting to me is the lengths the Times went to so that it could obscure this relatively mild piece of internal documentation. Unlike many other artifacts obtained by the Times, a copy was not linked within the article, and even embedded diagrams were reproduced instead of the originals being shown.

Whether those were precautions borne of a secrecy promise, or perhaps because the original documents had legibility problems, I feel like Smith buried the lede. After wading through an overwrought exploration of the file’s contents, Smith reports on the many lingering connections the ostensibly independent TikTok has with its predecessor app Douyin:

TikTok’s development process, the document says, is closely intertwined with the process of Douyin’s. The document at one point refers TikTok employees to the “Launch Process for Douyin Recommendation Strategy,” and links to an internal company document that it says is the “same document for TikTok and Douyin.”

It turns out the Douyin version of that shared internal document has been circulating publicly for months.

Protocol’s Zeyi Yang, writing in the Source Code newsletter:

In fact, another closely related app uses the same secret sauce. In January, a document titled “Guide to a Certain Video APP’s Recommendation (Algorithm)” was released on several Chinese platforms. While it intentionally obscured which app it’s referencing, there are plenty of hints that it’s about Douyin, TikTok’s Chinese version.

For one, the Chinese document describes how it makes recommendations in the exact same formula and language (yes, word for word) as the document leaked to the Times. They also used the same challenge to the algorithm as a case study.

And in a Q&A entry about competitors, the document mentioned three other major Chinese apps — Toutiao, Kuaishou and Weibo — that rely on recommendation algorithms, but not Douyin, the app that does it the best.

The link above is now dead, but you can find plenty of copies on Chinese social networks — one that was uploaded to CSDN, for instance. It is in Chinese, but it appears to be exactly the same file.