Defiant Sloth

The Listening Machines

invisible interface. But is it the final frontier for computing? And what must we sacrifice and compromise to get there?

What Exactly is Going on in the Home?

A few years ago, both Google and Apple introduced home automation frameworks in an attempt to bind several disparate Internet of Things products from third-party manufacturers. Google’s Android@Home—nowait-Brillo-holdon-Android Things and Apple’s HomeKit play important roles in centralizing control for the myriad of hardware and products that are now, for reasons of convenience (?), Internet-connected (lights, switches, locks, cameras, fans, windows, etc.). These centralized controls are found in things like the Apple Home app on your iOS device or Apple TV, since you’d probably rather use just one app than dozens of individual apps to control your dozens of Internet-connected products.

But what makes all this even easier? An invisible interface you simply talk to, that is always on, and always at the ready. And so here is where the Amazon Echo, Google Home, and upcoming Apple HomePod enter stage left. With the innocent looks of a speaker, these are beamforming, microphone-arrayed devices that can parse out human voice through the noise of running music in the background and can respond to a variety of inputs from the user. Sure, they’re limited in what they can do, but all of them will allow for pretty consistent behavior, namely:

  • Manipulation of music, playlists, etc.
    • Mostly done natively through each company’s maintained music platform (like Amazon Music), though other music platforms can be streamed as well
  • Answering basic questions, setting timers, and so forth
  • Controlling Internet-connected devices and accessories

Convenience and ubiquity continue to be the name of the game here. Why place an always-on listening device in your home? Because it’s more convenient to say “hey Alexa, play xx album” out loud without thinking about anything but the words than opening your phone, opening the music app, conducting a search with the software keyboard, and then hitting play. If these voice assistants can become as intricately sophisticated as we need them to be, they certainly could be the future operating systems.

Is There a Danger of Overreach?

So should we be cautious about all this new tech? Probably.

First off, having nearly everything in your home connected to the Internet could be considered dangerous in its own right. Mr. Robot has a damning episode on home automation going haywire due to malevolent hackers. It could happen. Smart home accessories have already broken down, leaving owners confused as to how to turn on a light switch.

Security is paramount. And its importance is not just integral to keeping all connected devices safe from being manipulated from the outside, but also keeping privacy intact for owners of listening devices. These devices have been raising concerns about in-home privacy more than the cameras on your laptop and phones have of late. As Alex Swoyer writes in the Washington Times:

Consumers generally are believed to have consented to a company being able to collect information based on the product’s use guidelines. But whether consumers are truly aware of what that means, and whether companies are able to share the information they collect with the government raise more questions.

These devices must listen for a key phrase in order to initiate on the user’s command, so it’s no secret that the microphone is “on” at all times, unless you’re using a setting that requires a button press to initiate, like Siri on your iPhone. The concern of privacy and potential overreach by these devices came to the forefront of an investigation in Arkansas, late in 2015. According to NPR, we know from court documents that police confiscated an Amazon Echo at the scene of an apparent murder post-football party to potentially seek out additional information that the device may have recorded at the time of the crime. Additionally, it was stated that “investigators are also using information from a smart water meter, alleging that an increase in water use in the middle of the night suggests a possible cleanup around the crime scene”.

I’m not telling you to refrain from purchasing these kinds of products. They are, after all, extremely convenient and powerful (even in their infancy right now), and offer a pretty concrete vision of where tech companies are going in the near-future. But I am suggesting to you to think carefully about which ones you buy, and the potential unintended consequences of having one in your home.

Apple Takes the High Road

So what is the most valuable company on the planet doing? Late to the game, some may say. But at their recent Worldwide Developers Conference, Apple did announce a product launching in December called HomePod. It’s their version of the voice assistant-powered intelligent speaker, and being an Apple product, the company has a very clear idea of what its marketing message is for it.

Unlike Amazon Echo and Google Home, both of which emphasize the artificial intelligence behind the tech to drive a number of services, Apple is heavily leaning into tackling the home audio market for its HomePod (think Bose and Sonos as competitors, not Amazon or Google). They’ve called it “the new sound of home”, and it’s no mistake that they’ve put music and superior sound quality as the banner features. Ben Lovejoy has an astute write-up on the differences between Apple’s strategy here, claiming that Siri does still lag behind competitive voice assistant systems, but has a very focused direction compared to data-gathering giants like Google.

Given the comprehensive nature of the Apple ecosystem, Apple could choose to go down the same route as Google. It could use all of the data it has about me, tie Siri queries to my Apple ID and deliver the same level of intelligence and proactive suggestions as Google Home. If it did so, nobody would be saying that Siri lags significantly behind Google’s artificial intelligence.

But Apple makes a deliberate choice not to do so. When I ask Siri a question, my iPhone doesn’t attach my Apple ID to my query so that Siri’s servers can make contextual sense of it. All that is sent is a random identifier that cannot be linked to my identity in any way. The random identifier is used to help Siri learn my voice: it doesn’t know who I am, but it knows that my query came from (say) person 7582066701, and it can check back over six months to match my query against my voice file to better understand what I actually said.

Will the concessions in favor of privacy compromise Apple’s growth with Siri and its connected devices, or will the trade-off be a good middle ground? I obviously am in the camp favoring data privacy, and am willing to lag behind the use-cases of competitor devices to instead wait for Apple’s cautious take on this new medium. But keep in mind that all these devices are in very early stages of their feature roadmaps, and most people don’t even know what these voice assistant-powered speakers can and cannot do. Mostly that’s because the enabled service features are still being rolled out for third-parties to use, and while Apple limits the usages to just a handful of actions, most features from Google and Amazon are used by developers but not used by the products’ users.

Recode reports: “when developers for Alexa and its competitor, Google Assistant, do get someone to enable a voice app, there’s only a 3 percent chance, on average, that the person will be an active user by week 2”. It’s no surprise, then, to read this:

The statistics underscore the difficulty Amazon and Google are having in getting Echo and Home owners to discover and use new voice apps on their platforms. Instead, many consumers are sticking to off-the-shelf actions like streaming music, reading audiobooks and controlling lights in their homes.

Too many choices are oftentimes too much to handle. Until these devices are ubiquitous and their broad services are well known enough to all consumers, most voice applications will probably go unused, just like applications on your phone or computer go unused, either because the user can’t discover them or because there is no need for them.

Where We Go From Here

Whether you want to call this tech transition full of overreach or not, the tale of listening “smart” speakers reinforces a few things that come with the territory of most topics I discuss on this site.

One is that we need to think through the kind of future we want. Current and future generations will probably become more accustomed to the invasiveness of these kinds of systems in our homes, and won’t think much about the privacy consequences. To them (and to many in general), it’s about convenience.

Secondly, we need to ensure that we continue to build next generation Internet-connected devices and accessories with a strong security foundation. Many security specialists, including Bruce Schneier, have advocated for a rebuilding of certain Internet protocols and security features to bake into the future of the Internet. How do we get there? Through policy and innovation. At least we hope.

Thirdly, we need to be mindful of the kinds of products we use, what the manufacturer is providing as a service, and at what cost to you. You should know by now that Google makes money off your data (they’re an advertising company); Amazon makes money off your purchases (they’re primarily a retailer); Apple makes money off your hardware purchases (they’re primarily a hardware design company). None of this may matter to you, but in the case of compromised data, hardware, and privacy risks, it’s clear that one company is probably a safer bet than the others.

Finally, someone needs to redesign the way Terms of Service are written. No consumer reads this shit thoroughly, and most of us don’t even know what we’re signing up for or handing over to various companies and third-parties. It’s an epidemic, and we need some sound policies enacted to clear up the mess for everyday people. You know, for us. We aren’t all lawyers, and we don’t have hours to read through and verify we’re good with these conditions. Leave that to Norwegian slow TV.


Facebook's Overreach

A few recent reports on Facebook’s activities should have its users, policy makers, and technologists thinking constructively about how the company’s services should be perceived: is it high time to think about reasonable regulation, or should we let the titans roam free?

Why pick on Facebook? For one, they have nearly two billion active monthly users (according to Facebook, that is, a company whose numbers shouldn’t be accepted without some level of suspicion). That’s an immensely large swath of the planet’s Internet-connected population. And secondly, they — much like Google — earn an extraordinary stream of revenue from paid advertising, oftentimes inscrutable in its nature. To put things into perspective, Facebook netted $8.809 billion in the last quarter of 2016, 98% of which was derived from its advertising product. And I say this revenue is oftentimes inscrutable because while most users understand Facebook earns revenue off ads, little do they know how this product works. Users freely provide Facebook with data about themselves, and Facebook in turn provides that data to advertisers, publishers, and agencies so that these third-parties can target various formats of ads back at you (video, display/banner, post-click ad experiences) via your impressions, interactions, etc. It’s amazing how much money brands will pour into ads just to net an impression (really, an eye-glance) at an image. Money just pours into Facebook’s coffers off this “attention economy” methodology. (How many times a day do you check your news feed?)

Now that there is some context: Technology innovation and its subsequent ramifications for not only our data security and privacy, but also our very own thoughts and brain activity, are ripe for further progress and exploitation by large corporations. It is up to us to decide how far the reach of these technologies go, and what level of acceptability there is in their application and monetization.

Where Facebook Plans to Take Us

Facebook has made significant investments in what it calls Internet.org, a gigantic initiative to connect everyone in the world who doesn’t yet have an Internet connection. According to a profile on this initiative by Wired, the estimates are that 4.9 billion people as of 2016 are not connected. How exactly can Facebook pull this off? As Wired reports:

To reach everyone, Internet.org takes a multipronged approach. Facebook has hammered out business deals with phone carriers in various countries to make more than 300 stripped-down web services (including Facebook) available for free. Meanwhile, through a Google X–like R&D group called the Connectivity Lab, Facebook is developing new methods to deliver the net, including lasers, drones, and new artificial intelligence–enhanced software. Once the tech is built, a lot of it will be open-sourced so that others can commercialize it.

On the surface, this isn’t a conniving project. There are good intentions behind connecting humankind. And Facebook is investing money and resources into this project because they believe the world will be a better ecosystem when everyone is connected to the Internet. They also probably believe that those extra 4.9 billion people will join Facebook and contribute back to the investment by seeing millions of ads and pouring that investment back into Facebook’s pockets. This, too, is fine. It's business. But do the masses who will piggyback off this enterprise know that? And what hardware and software is Facebook aiming to develop for the next generation that will impact us, whether we’re using Facebook explicitly or not?

Let’s start with a simple one: Facebook’s advertising away from Facebook.com. This isn’t new. For about three years, Facebook has provided brands a product called Facebook Audience Network, a mobile platform that delivers ads to mobile apps and mobile sites across digital ecosystems. Google has had something like this for even longer (Google Display Network), but Facebook’s network has already reached second-largest, and has arguably better data to provide to publishers and agencies. Why and how does this correlate to Internet.org? Aside from being an ad service targeting its own users across their Facebook and non-Facebook activities, it’s also inherently built into future users’ Internet activities. This quote from a Business Insider piece says it all — Facebook ad executive Brian Boland describes Facebook Audience Network:

"For years, people externally would ask, 'Why aren't you doing an ad network?' We knew deep down that it was a good, important thing, but we really needed to figure out how to do it in a way that would bring what we did well to the rest of the internet."

Without reading too heavily into this, essentially Facebook, as we would have guessed, simply wants to provide the most personalized ads in the history of humankind to all of humankind wherever they might be. A grand concept with cosmic ambition.

And they aren’t stopping here. The Wall Street Journal reported on Tuesday that Facebook is testing a new means of helping media companies sell video advertising natively (on their own sites) in a smarter and more automatic way. This tool is called Audience Direct, and is Facebook’s push into media publishing houses to help re-affirm their relationships (since Instant Articles hasn’t been panning out all that well). It's also engaging media publishing’s Internet currency: earned attention from readers. We all know that video is an attention black hole, so it was inevitable that Facebook would bring their personalized ad targeting to the masses through this medium.

As if Facebook following you to the far reaches of your online activities wasn’t enough, they announced at their F8 developers conference just this past week that they are “working to create a brain-computer interface that lets you type with your thoughts”. While Facebook has been throwing a lot of shit at the wall to see what sticks, this doesn’t smell bad to me. But it is one more thing we need to be apprehensive about before fully committing to whatever manifestation it ends up taking.

The brain-computer interface, as described by Facebook’s development team, “could be an ideal way to receive direct input from neural activity that would remove the need for augmented reality devices to track hand motions or other body movements”. It feels silly talking aloud to Siri or Google Assistant — especially in public — and that feeling probably won’t normalize. Facebook’s development in a neural interface is probably partially aimed at removing the public stigma of talking to computer assistants out loud, instead employing a conduit in your brain to do that same thing. As the Verge reports:

Dugan (Regina Dugan is one of the lead Facebook developers for the project) stresses that it’s not about invading your thoughts — an important disclaimer, given the public’s anxiety over privacy violations from social networks as large as Facebook. Rather, “this is about decoding the words you’ve already decided to share by sending them to the speech center of your brain,” reads the company’s official announcement. “Think of it like this: You take many photos and choose to share only some of them. Similarly, you have many thoughts and choose to share only some of them.”

Being able to pull off this interface seems to require some level of mind-reading, just like Amazon’s Echo devices and Google’s Google Home devices require some level of constant listening in your home to be able to recognize keywords to initiate their services. It is actually a good thing that Facebook is declaring its long-term intentions ahead of this interface becoming reality. We as a people need to understand the ramifications of this kind of progress, and how invasive the future of technology could be.

But let’s remind ourselves that Facebook doesn’t make money off hardware (okay, maybe a tiny amount from Oculus Rift) or services (okay, that 2% of revenue from Facebook games) — they make money from selling ads. And it’s very indicative, at least right now, how Facebook would monetize something like this. Per an investigative piece from Sam Biddle at The Intercept:

Facebook was clearly prepared to face at least some questions about the privacy impact of using the brain as an input source. So, then, a fair question even for this nascent technology is whether it too will be part of the company’s mammoth advertising machine, and I asked Facebook precisely that on the day the tech was announced: Is Facebook able to, as of right now, make a commitment that user brain activity will not be used in any way for advertising purposes of any kind?

Facebook spokesperson Ha Thai replied so esoterically that Sam had to rephrase the question, to which Ha Thai simply reiterated that “privacy will be built into this system, as every Facebook effort” and “that’s the best answer I can provide as of right now”. Sam goes on to ruminate on this technology and Facebook’s somewhat careless response to his inquiry, mockingly pointing out that “Facebook’s announcement made it seem as if your brain has simple privacy settings like Facebook’s website does”. This likely isn’t true, unless they’re trying to build in neural obfuscations to parts of your brain and only permitting activity through the speech center. I’m not a neurologist, so any speculation here is out of my realm. But the idea of sending brain activity to Facebook’s servers for processing is a heavy concession to make when and if we all adopt this invisible interface. It does sound amazing and seamless, but coming from Facebook, the data we provide also sounds ripe for re-application and distribution to third-parties for monetization and security exposure.

Where & How Do We Begin Regulating?

We can’t progress technologically without violating (or re-wiring our perception of) a few privacy concerns here and there. And Facebook, along with many other technology companies, has the right to invest, research, and build solutions that further us culturally and technologically. But there are very important considerations we need to keep in check, primarily with regards to our inherent right to privacy.

In a recent piece on smart homes (starring tech like Amazon’s Alexa and Google’s Google Home) by Paul Sarconi for Wired¹, there is a “note” about privacy:

If your paramount concern in life is privacy, turn back now. Google Home and Amazon Echo are constantly listening, and they send some of what you say back to the mothership. But you know what? This is just another scootch down the slippery slope you stepped on when you signed up for Facebook, bought your first book on Amazon, and typed “symptoms of shingles” into a search box. Tech companies have always asked us to give up a little privacy, a little data, in exchange for their wondrous services. Maybe homebots are the breaking point. But the things Alexa can do — so convenient! One bit of advice: Before the gang shows up to plan the casino heist, hit the device’s mute button.

Sure, it’s a note that reads like: yeah, this is all great but you are no longer in control of your data exhaust, your digital communications, your shared and stored photos, your behavior and spoken words in your own home, but the superpower convenience of kindly asking Alexa to order new deodorant is too tempting to dismiss.

So where and how, indeed, do we begin talking about regulation? This isn’t about stifling innovation. I still dream about hovercrafts². But I am talking about process transparency and clarity of intent. It is inevitable that all companies will continue to mine, test, and use data for all kinds of innovations that make their way into products and services we’ll all use to make our lives better and more convenient. But if we don’t have an understanding of what we’re signing up for in terms and conditions of services we use, the implications of digital storage for notes and photos and communications with friends, or how using a device’s conveniences will require forfeiting our privately spoken words and thoughts, then we put more vulnerabilities into not only the hands of corporations, but also of governments and more malicious groups that could aim to hack and compromise that data. Without transparency into how this data is provided, accessed, secured, and shared, we shouldn’t feel confident in continuing to invest our dollars and attention into these companies’ products and services.

In his last article before retirement, the personal technology writer Walt Mossberg declares a call to action to which we all should attentively listen:

My best answer is that, if we are really going to turn over our homes, our cars, our health, and more to private tech companies, on a scale never imagined, we need much, much stronger standards for security and privacy than now exist. Especially in the US, it’s time to stop dancing around the privacy and security issues and pass real, binding laws.



Footnotes

  1. Oddly enough, I can’t seem to locate the article on the Wired site for linking, but it’s in the June 2017 print edition.
  2. Even though their real-life deployment is nearly impossible at this point due to infrastructure.

Faster Web & Less Bullshit, Please

It wasn’t long ago we were witnessing a cosmic shift in web development to accommodate the influx of computational powerhouse smartphones chugging through at-the-time bloatful websites. Those sites back in the mid-2000s were getting chunky with all the 2.0 insanity, and while the iPhone (in its release year of 2007) could render these sites on its 3.5” screen, it still wasn’t a great way to experience web pages. While most websites did have mobile versions of their core, desktop-friendly sites, they were woefully under-designed and lacked modern features to harbor modern conveniences (like ecommerce and rich media).

In the transitional years from the early smartphone era to now, sites tried finding a middle ground in design between too mobile-friendly (stripped down and hardly functioning) and too desktop-reliant (don’t just design sites for a large screen and tons of Internet bandwidth). This middle ground ended up becoming “responsive design”, an approach to web development that attempted to streamline page weight (for mobile) but have the flexibility of displaying the same amount of content, and typically loading the same number of scripts, across device screen sizes. For most circumstances, this was the right path to take. It wasn’t a mobile vs desktop world we were heading towards; it was a mobility world we had already entered, where the only thing that really differentiated access to websites and apps was the size of the screen and the interface accessibility (finger touch vs mouse click).

Unfortunately for everybody, this was (perhaps unintentionally) interpreted by developers that they no longer had to worry about page loading, script-rendering, and other complexities in web design contributing to page speed because an iPhone was just as powerful as your everyday, off-the-shelf laptop. Oh, and don’t mind the increasing complexity of ad networks and the growing inundation of ad placements and tracking scripts to load — any smartphone can handle those, too.

Except that this shift has left the web wounded. Everything seems to take longer to load, websites break easily, taps on mobile don’t register sometimes, and register other times, and so on and so on. I’ve written about site speed and performance before. It’s a growing problem. So much of a problem that the tech titans have taken note. Facebook attempted to remedy this and save the publishing industry by pushing hard on its Instant Articles initiative, a closed-garden approach to offering publishers a speedy alternative to their own laggard websites’ article templates and Facebook-sized reach. Apple built in an iOS app called ‘News’, offering its take on the age-old RSS feed readers, but layering on pretty templates that were fast. And Google, the all-mighty search behemoth and purveyor of results that include the news, has aggressively pushed publishers, retailers, and websites of all kinds towards its Accelerated Mobile Pages (AMP) initiative, which is essentially an open source project encouraging the creation of streamlined HTML pages to reduce clutter and external JavaScript while also running Google-only JavaScript and reassuring full reader analytics.

So How are Things Going?

Two years later, Instant Articles don’t seem to be working out as planned, as The Verge contemptuously bemoans:

But it's unclear if any huge advantage ever materialized. Facebook decided from the start that publishing a story using the Instant Articles format would not automatically improve its ranking in the News Feed. In practice, Instant Articles typically do reach more people, because people are more likely to read and share them. But as the format spread, competition increased, and any advantage to using Instant Articles was blunted within months. Given that Instant Articles were designed to carry less advertising than mobile web articles, broad reach was essential to ensure publishers would profit from the format. The reach just never arrived.

Apple’s ‘News’ app was initially off to a rocky start in usage, but not much has been reported since. While arguments have risen about Apple’s role of gatekeeper in the news ecosystem, it seems that most publishers have welcomed it as an easy secondary publishing platform that permits a “bring your own advertising” model and subscription service options that are hard to ignore.

But what about Google? Google’s AMP project is more controversial than both Facebook and Apple’s forays, as it threatens web development integrity on the open web. A rant from The Register describes the plight thus:

Announced in 2015, duly open sourced and integrated into Google’s mobile search, Google has pitched AMP as a way to speed the mobile web. It employs something the ads slinger calls AMP HTML that the firm describes as a “new open framework built entirely out of existing web technologies.”

What it is, is a way for Google to obfuscate your website, usurp your content and remove any lingering notions of personal credibility from the web.

If that appeals to you, here's what you need to do. First, get rid of all your HTML and render your content in a subset of HTML that Google has approved along with a few tags it invented. Because what do those pesky standards boards know? Trust Google, it knows what it's doing. And if you don't, consider yourself not part of the future of search results.

Sure, you might say: making the web faster is a noble vision. And yes, we unanimously agree, a faster web is better. But as the Register points out, “as with anything that eschews standards for its own modified version thereof, it's about lock-in. Tons of pages in Google AMP markup mean tons of pages that are optimized specifically for Google and indexed primarily by Google and shown primarily to Google users.” AMP is primarily a way for Google to combat lock-in systems from Facebook and Apple. The tech giants want everybody’s attention. But if you have an app feeding off standards (like Apple News), there isn’t a threat of disrupting the entire Internet’s web standards and rallying them around a controlled framework. We all want the Internet to be decentralized, right? Then you have to look at adopting AMP as an opposite way to do that. AMP is a choice for [Google search] inclusion, and there are monetary and attention-capturing benefits to doing so for brands and publishers. But forking your web development to accommodate a tech company’s recommended framework, a framework that is favored by that tech company’s mysterious organic algorithm for surfacing news results, is something else entirely. We’ve already seen what reckless strains of SEO have done to the web. Let’s not repeat those mistakes with reckless adoption of Google’s AMP HTML framework.

AMP also is a branding nightmare. Tapping a link from Google search results (again, the only way to access these versions of canonical pages) loads the page from Google's cached AMP index nearly instantaneously. Sharing that page simply shares the Google cached URL of the article, and trying to read more from that author/publisher is a frustration in interaction design -- the permalink button to go to the brand's actual domain is an unintuitive icon, and branding itself is obfuscated by the AMP framework's content-first philosophy. So what's in it for brands aside from handing over the keys to Google, and continuing to strain their own websites' development with the same shitty inundation of scripts, ad networks, unfriendly mobile paradigms, and page speed performance?

This debate has only just begun. But several of the Internet’s finest warriors are working on alternative solutions. The first of this anti-AMP movement is brought to you by a thoughtful fuck you project by Pinboard’s founder, Maciej Ceglowski. He basically re-created Google’s original AMP demonstration page without any of the forced Google scripts, and it represents the same performance. Maybe if we encouraged web developers to focus on leaner, cleaner designs (melding the pre-iPhone days with a more careful post-iPhone responsive design mantra) we could get to a better place for everyone. I’ll leave you with Ceglowski’s snarky comment at the bottom of his faux-AMP demo site:

Dozens of publishers and technology companies have come together to create this unfortunate initiative. However, it is 2015, and websites should be small and fast enough to render on mobile devices rapidly using minimal resources. The only reason they are not is because we are addicted to tracking, surveillance, gratuitous animation, and bloated, inefficient frameworks. Requiring a readable version of these sites is a great idea. Let's take it one step further and make it the only version.


Update: May 25, 2017

A mildly-related update here from TechCrunch on Facebook's plans for support for Google AMP and Apple News. Essentially, they're trying to make it easier for publishers to manage these specially-formatted content distribution channels (and to make their own solution interoperable between competing formats). This comes in the form of an Instant Articles SDK (software development kit), enabling developers to "take the markup that’s used to build Facebook’s Instant Articles and use it to create the code that’s needed to build for AMP and Apple News." Note that Facebook would prefer you start with content distribution and formatting within its ecosystem, and use the Instant Articles SDK to output to competitor ones.

TechCrunch points out:

[T]he extension’s launch also comes at a time when a number of high-profile publishers have begun to abandon Facebook’s format, due to its lack of monetization options.

In April, for example, it was reported that Forbes, Hearst, The New York Times and others have backed out of Instant Articles. Other major media organizations including Bloomberg, The WSJ, ESPN, CBS News, NPR, Financial Times, and VICE News have also been holdouts, running little to no content in Facebook’s format. Others who have used the format have been winding down their support; and last month, The Guardian pulled out of both Facebook’s Instant Articles and Apple News.


Your Referral Here

A recent post from the co-founder of Basecamp (previously 37signals, RIP) had me contemplating this tactic in an entirely different context.

At first, it seems like most companies are trying to game you to hand over your friends’ emails to solicit their product. For urban dwellers, Uber and Lyft do this incessantly with ubiquitous banners and reminders to earn credits or money off future rides if you refer a friend. You can make money by doing so, but you compromise very little by abstaining. When these were actually new services, I’m sure quite a few of us handed out our referral codes to friends to incentivize them to sign up for free credits themselves, and backpay ourselves with referral credits. No harm done. Everyone wins. And keep in mind this is far from a Ponzi scheme or a multi-level marketing ploy. It’s a simple referral or “influencer” marketing program.

From this process, we are all voting with our trust — the company in question is voting on you, the customer and trusted user of the product already, and you are voting on your esteemed referral. We aren’t passing anything along aside from an email to a company we trust with our own email, and put our weight in a recommendation that we find valuable or useful to another vetted individual. The companies investing in you are putting their media dollars in something that is more humane than into the massive online advertising machine that exists today, the latter of which is oftentimes fraught with all kinds of digital rights considerations.

So when Jason Fried stated the following, it resonated and, frankly, made sense:

Every dollar you spend is a vote, and we were casting hundreds of thousands of votes for big companies that are tracking people’s every step, every move, every curiosity, and every detail of their lives. Fuck that.

Indeed. As a company, you can do as you please, spend your money where you deem it most necessary and effective, but to take a stance like this is commendable. Sure, it’s a referral program and Basecamp is using their current, loyal customer base for new leads into its productivity platform. But it isn’t for credit on next month’s payment; rather, it’s straight cash. They’re paying you to recommend a product to which you’re already loyal.

If this sounds familiar, the notion is certainly nothing new. Amazon might be running the most extensive referral system on the planet with their Amazon Associates Program, essentially an opt-in affiliate network. You add a tracking parameter to every URL of a product you reference or recommend on your site, and if there’s a purchase made, you get a kick-back. The difference here is that Amazon is also one of the largest data collection conglomerates, and this program comes at a cost — Amazon is tracking you and your referrals, along with everyone else who engages with either the Amazon.com domain or an Amazon ad placement anywhere on the web. (In addition, they track you if you click on someone else’s affiliate link, whether you knew it was an Amazon affiliate link or not.)

So what’s so grandiose about Basecamp’s philosophy? They previously had “experimented” with running ads on the Internet's large ad networks (Google, Facebook, and Twitter), but after spending some six figures, they stopped:

Why give money to Facebook, Google, and Twitter when we can give it right back to our customers? They’re better advocates for Basecamp than any ad we can write. They’re not a platform, they’re people who know other people who can surely benefit from Basecamp just like they are.

That’s fluff, you might say. But they made a conscious decision to cease voting with their money to feed the ad ecosystem, and instead put that money in the hands of current customers. And they aren’t the only ones pursuing this kind of referral mentality. Another example is Simple, a financial solution for “saving easily” and “banking beautifully.” They have a fairly unique proposition for referrals — instead of paying you cash, their referral program yields you a “handcrafted home for your Simple card.” In collaboration with Tanner Goods, Simple sends you and your referred friend a custom leather wallet. It’s a wry play on the debit card you receive when you become a Simple customer, as well as the provision of a handsome gift to anyone exerting the effort to refer someone to the company’s CRM.

The defiance against investing more money into advertising models that rely on tracking, data collection, and data sharing is a welcome tactic by companies to earn respect from their customers as well as future prospects. These non-traditional referral programs are clever ways to circumvent the expected normality of affiliate systems engineered by Amazon and others in the modern era. If only we voted more of our attention away from constant interaction with the platforms deploying such ad networks, we’d have the leverage to demand more transparency, accountability, and performance from the services we use.


Facebook's Data Dilemma

Authoring a tech post on the Guardian this past Tuesday, Antonio Garcia-Martinez, a former product manager at Facebook, explains how he "was charged with turning Facebook data into money, by any legal means":

Converting Facebook data into money is harder than it sounds, mostly because the vast bulk of your user data is worthless. Turns out your blotto-drunk party pics and flirty co-worker messages have no commercial value whatsoever.

But occasionally, if used very cleverly, with lots of machine-learning iteration and systematic trial-and-error, the canny marketer can find just the right admixture of age, geography, time of day, and music or film tastes that demarcate a demographic winner of an audience. The “clickthrough rate”, to use the advertiser’s parlance, doesn’t lie.

Yadda yadda, we've heard this all before. It's how most ad platforms operate these days -- harnessing machine-learning and all sorts of other [likely] cobbled together algorithms that provide conduits for proprietary data to advertisers and agencies to use in various campaigns to micro-target audiences and potential customers.

This is probably where privacy advocates should come shouting that this is a misuse of personal data. But is it? Facebook has provided its users a free service monetized by users' own tenacity to share and provide Facebook (and, subsequently, its advertisers) everything about themselves. While you could argue that some of the data provided is "personally identifiable information" (PII), Facebook hasn't forced you to share that information. And since users provide that information, Facebook can more or less do what it wants with it. Garcia-Martinez tends to agree, arguing that processing profile traits and post contents to inform demographic and audience triggers can easily be done with programming, so should its application matter to the masses?

The hard reality is that Facebook will never try to limit such use of their data unless the public uproar reaches such a crescendo as to be un-mutable. Which is what happened with Trump and the “fake news” accusation: even the implacable Zuck had to give in and introduce some anti-fake news technology. But they’ll slip that trap as soon as they can. And why shouldn’t they? At least in the case of ads, the data and the clickthrough rates are on their side.

There's also a link to another Guardian post that discusses how Facebook shares teens' emotional states with advertisers (likely derived by some kind of algorithm-based sentiment model). If we've learned anything at all about algorithms, it's that they can misinform as often as they can inform. A user uproar could certainly change the fate of data sharing with advertisers, but I don't see this happening until something truly offensive occurs, probably akin to Target's mishap a few years ago. And even that won't stop the use of data to inform advertising campaigns and the marketing of products/services on these platforms. The temptation (and intrinsic need) to use data is too fierce. And the rate of engagement on these platforms, with the amount of information being provided on a daily basis, is unprecedented by anything similar in human history.

While platforms like Facebook continue to require our attention to survive, they increasingly also need us to provide data to feed their monetary engines. The two are almost inextricably tied together. Time and tolerance will tell how this shakes out.


The Trials of Deleting Uber

Uber's public image has had a hell of a first quarter. I can't recall the last tech company in recent history that ran into shitstorm after shitstorm as reliably and as damningly as they have. In today's New York Times, there's a profile on Uber CEO Travis Kalanick by Mike Isaac that details some of these tribulations, among them a confrontation with Apple's CEO, Tim Cook. Notably, Uber had attempted to obfuscate from Apple its nefarious practices around user location-tracking and device-identifying (called "fingerprinting"). This practice would allow Uber to identify an individual iPhone even after the app was deleted and/or the phone reset. If it sounds egregious, it is. As The Verge points out, this is more of the same deceptive bullshit Uber has pulled off in recent years, including “evad[ing] government regulators and track[ing] rival drivers, track[ing] customers without permission, and being sued for allegedly stealing proprietary information regarding self-driving cars from Alphabet’s Waymo.”

Can most of this be blamed on the CEO? According to that profile, probably:

But the previously unreported encounter with Mr. Cook showed how Mr. Kalanick was also responsible for risk-taking that pushed Uber beyond the pale, sometimes to the very brink of implosion.

Crossing that line was not a one-off for Mr. Kalanick. According to interviews with more than 50 current and former Uber employees, investors and others with whom the executive had personal relationships, Mr. Kalanick, 40, is driven to the point that he must win at whatever he puts his mind to and at whatever cost — a trait that has now plunged Uber into its most sustained set of crises since its founding in 2009.

As long as being tracked by a company after deleting its app remains a threat to privacy and security, I hope technology gatekeeper companies like Apple continue to fight the good fight.

Update (APRIL 24, 2017)

Additional speculation (and clarification) from the fallout of the New York Times profile article from John Gruber (Apple pundit extraordinaire):

That sounds like Uber was doing the identifying and “tagging” (whatever that is) after the app had been deleted and/or the device wiped, but I think what it might — might — actually mean is merely that the identification persisted after the app had been deleted and/or the device wiped. That’s not supposed to be technically possible — iOS APIs for things like the UDID and even the MAC address stopped reporting unique identifiers years ago, because they were being abused by privacy invasive ad trackers, analytics packages, and entitled shitbags like Uber. That’s wrong, and Apple was right to put an end to it, but it’s far less sensational than the prospect of Uber having been able to identify and “tag” an iPhone after the Uber app had been deleted. The latter scenario only seems technically possible if other third-party apps were executing surreptitious code that did this stuff through Uber’s SDK, or if the Uber app left behind malware outside the app’s sandbox. I don’t think that’s the case, if only because I don’t think Apple would have hesitated to remove Uber from the App Store if it was infecting iPhones with hidden phone-home malware.

John's whole piece is worth reading if you want much clarity on what Uber was presumably doing. Curious what their tactics were/are for other phone manufacturers.


1: https://www.nytimes.com/2017/04/23/technology/travis-kalanick-pushes-uber-and-himself-to-the-precipice.html?_r=1


"Nobody's Got to Use the Internet"

We heard some fighting words from US Rep. Jim Sensenbrenner (R-Wis.) this week, a stocky old man defending why he contributed to the elimination of privacy rules for Internet Service Providers (ISPs), which affect all Americans living in this country. I quote: "Nobody's got to use the Internet."

He went on to say that if you regulated the Internet like a utility, "we wouldn't have the Internet". His nonsensical retort to his constituents proves an incredible disconnect between our elected officials and the reality of our country's people. This is typical Republican rhetoric applied to what should be a nonpartisan issue. The Internet is woven into the fabric of our society, and throwing out blanket statements like it's optional for anyone in this country to use it is unfathomably stupid. Perhaps for an old man, using the Internet is not nearly as intrinsic to living day-to-day as it is for the rest of us, but it is concerning that such a man is contributing to the rules that govern our privacy and the public utility that is the Internet.

The ruling is disappointing, and comes at a crucial time in our democracy where the intersection of connected devices, surveillance, and our right to privacy and dignity has become an increasingly important fork in political decision-making. It will continue to be an area requiring, justifiably, government regulation. No one is saying choice is a bad thing here, but applying such rationale to ISPs' clamoring for advertising "innovation" is ridiculous. ISPs are feeling pressure from advertising giants like Facebook and Google, and are begging (sorry, lobbying) to gain a foothold to justify their existence as something more meaningful than being an expensive pipe to the Internet. We also can see how well this strategy is working for Verizon and AT&T, both telecommunications behemoths that are investing heavily in content and lobbying hard against net neutrality to justify business expansion to their shareholders since they've sunken into a similar dilemma.

The bullshit doesn't end here.

[Image: US Rep. Jim Sensenbrenner (R-Wis.)]

The NSA & CIA Fail the American People

Remember the Apple iPhone / San Bernardino case from early 2016? Here’s a recap:

The F.B.I. has been unable to get into the phone used by Syed Rizwan Farook, who was killed by the police along with his wife after they attacked Mr. Farook’s co-workers at a holiday gathering. Reynaldo Tariche, an F.B.I. agent on Long Island, said, “The worst-case scenario has come true.”

But in order to unlock the iPhone, which Apple couldn’t simply “do” because of the passcode implementation used by Farook, a legal dispute ensued whereby the FBI demanded Apple build a backdoor to the “single” device.

Behind the scenes, relations were tense, as lawyers for the Obama administration and Apple held closely guarded discussions for over two months about one particularly urgent case: The F.B.I. wanted Apple to help “unlock” an iPhone used by one of the two attackers who killed 14 people in San Bernardino, Calif., in December, but Apple was resisting.

When the talks collapsed, a federal magistrate judge, at the Justice Department’s request, ordered Apple to bypass security functions on the phone. The order set off a furious public battle on Wednesday between the Obama administration and one of the world’s most valuable companies in a dispute with far-reaching legal implications.

There were two binary sides to this case.

  1. Apple’s case: To some, this was the pro-privacy side of the case. Why not create a quick backdoor to the phone for the US government, and then close it up? In Apple’s own words: “Some would argue that building a backdoor for just one iPhone is a simple, clean-cut solution. But it ignores both the basics of digital security and the significance of what the government is demanding in this case.” You create one backdoor for the US Government, then what? You’ve created a backdoor for all iPhone iOS users of the same version, and it could be used over and over again. It also sets what should be obvious: a dangerous precedent for the security of iPhone users and the power of the US Government. As the Washington Post makes explicitly clear,[1] “This is an existing vulnerability in iPhone security that could be exploited by anyone.”
  2. The US Government’s case:[2] Create a “key”, essentially a backdoor into the terrorist’s iPhone, to unlock whatever data is in there (if there’s anything to find at all), and as with #1’s concerns, endanger one of the most used mobile devices on the planet. If the data helps the case, great. If, that is.

Okay, so what happened again? The FBI lost the chance to decrypt the phone via Apple, but apparently “may have found way to unlock San Bernardino shooter's iPhone” anyway. Specifically, this single iPhone and not the other ones. Whatever technical means was found, it isn’t clear, but this maneuver spared a massive security risk across all iPhones.

If the FBI had gotten its way, though, the most recent news about both the NSA and CIA would have hit even harder. And that’s saying something, because there are a few massive pieces of news that crept out recently that are entirely related to the FBI’s request from last year.

As we’ve been finding out, when US Government agencies aim to have tools to monitor terrorists or its own citizens, they rely heavily on finding (or buying) vulnerabilities in software and devices, or creating exploits (essentially malware) for physical exploitation of such devices. This unraveling began in March of this year, when WikiLeaks began posting redacted documents freshly acquired. Without getting into the weeds (you can read up on it if you so desire), the NSA leaks have been confirmed as legitimate, and they keep raising concern among security experts and software developers the world over.


The latest concerns coming out of this are a series of newly found exploits deployed by the NSA to attack computers using pre-Windows 10 operating systems (roughly 65%+ of all desktops on the planet). There is one in particular, called FUZZBUNCH, that can automate the deployment of NSA malware and would allow a member of the agency to easily (from their desk) infect a target computer. As reported by the Intercept:

According to security researcher and hacker Matthew Hickey, co-founder of Hacker House, the significance of what’s now publicly available, including “zero day” attacks on previously undisclosed vulnerabilities, cannot be overstated: “I don’t think I have ever seen so much exploits and 0day exploits released at one time in my entire life,” he told The Intercept via Twitter DM, “and I have been involved in computer hacking and security for 20 years.” Affected computers will remain vulnerable until Microsoft releases patches for the zero-day vulnerabilities and, more crucially, until their owners then apply those patches.

“This is as big as it gets,” Hickey said. “Nation-state attack tools are now in the hands of anyone who cares to download them…it’s literally a cyberweapon for hacking into computers…people will be using these attacks for years to come.”

Yes, the cybertools used by our government’s agencies have been compromised, and are now available to anyone. While we’re sure Microsoft is working on patches, this is what happens when governments have access to exploits and backdoors into software that can, consequently, endanger people’s most valuable information. While this is still about digital privacy, it’s also about security. What will it take for citizens to take notice of the monumental weight of these leaks, these compromises? An attack on their credit cards? Their mortgage? Their identities?

This Doesn’t Seem Fine

A great piece by Vice’s Motherboard further extrapolates on this topic, essentially warning that it’s foolish and naive to assume any government official or contractor can keep cybertools safe. Here’s another way of thinking about this: let’s turn to the master key TSA agents have, granting them the ability to unlock any piece of luggage (with a TSA-approved lock). Well, as you may know, that key was compromised, and you can now download CAD files to get your own version 3D-printed. Imagine that. Anyone can get into anyone else’s luggage. But who would take the time to print one of these keys? Probably someone with malicious intent. And if you apply this same concept to master keys for software, apps, banking systems, etc., would you still trust the US Government (or any other government) to keep that key safe? To not misuse it?

Security and privacy in a digital context are becoming more intrinsically attached, as nearly every compromise to the former affects the latter. As my friend Eric mentioned in a recent email exchange, we may be seeing privacy become a third-rail issue in Washington. As unfathomable as it may seem, privacy doesn’t appear to be a non-partisan issue. We’ve already seen recently the reversal of ISP data privacy restrictions, even though Comcast tries to reassure us that they won’t sell our “individual” data (they will likely sell pools of data so advertisers can create look-a-like models and advertise to individuals anyway, or target individuals with their own ad network based on browsing history). Republicans seem to be more prone to manipulation by telecommunications lobbyists. Or maybe they just don’t give a shit about the digital privacy and security of the American people.

Let’s hope the recent leaks of cyber tool information make enough headlines to reach the (mostly) non-news reading American populace, and that they take the time to understand the consequences of what can happen when we put too much trust and power in the hands of our governments.

Update

Microsoft has reported that "most of the exploits that were disclosed fall into vulnerabilities that are already patched in our supported products", and "of the three remaining exploits [...] none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk".

As always, keep your software and operating system updated to the latest version.

  1. This article is a good read, as it complements Apple’s letter and explains the intricacies of what is really being requested ↩︎
  2. No, I didn’t complete the reading of this article, but we’ll assume it covers “both sides of the story”, amiright. ↩︎

Take the VPN Route with Caution

We should have seen this coming.

That online scammers are now attempting to piggyback on the confusion caused by the Donald Trump and the Republican Party's wholesale selling out of your online privacy shouldn't be too surprising: in the days after Congress passed the legislation, numerous outlets, including Motherboard, published guides on how to select and properly configure a VPN to minimize the risk of your private data being sold to the highest bidder (even if they can sometimes be difficult to use).

Satnam Narang, the Norton by Symantec security response manager, told me that "users should be skeptical on social media and via email of scammers looking to capitalize on their interest in VPNs." For a list of VPNs trusted by Motherboard, you can check out our guide here.

Motherboard's guide is right here. Lots of sites are SEOing the shit out of VPN guide pages (good luck), so I encourage you to find a few trusted sources to guide your usage decisions. Just keep in mind that if you choose to use a VPN, the company that provides it to you can see your browsing data and other Internet activity that you're obfuscating from ISPs. FYI.

It'll be illuminating to see how the VPN business fares over the next year, as using one is still a mostly confusing series of steps and setups for most consumers to navigate. And at the end of the day, will it be worth it? Which data will be sold by ISPs, and to whom, exactly? Curious not a peep has been made about this from advertisers or ISPs (probably because selling this data for direct response TV has been going on for a while now), and no one has really noticed or cared up until this point.


New York Strikes Back Against ISP Data Law

According to the New York State Senate, there is new state legislation in motion that would combat the Internet Service Provider data privacy reversal that Trump just signed into law.

Senator Tim Kennedy (D-Buffalo) has introduced legislation that would ban this practice in New York State. The common-sense legislation would prohibit ISPs from selling customer browsing history and other personal information to third parties. As a public utility regulated by New York State, internet service providers must comply with state laws and regulations. This legislation would ensure that New Yorkers continue to benefit from the privacy laws that were implemented under President Obama’s administration.

If this goes through, it'll be great for New Yorkers. Perhaps other states will follow as well. But now, perhaps a larger question looms: if the Internet is classified as a public utility by the FCC, should the data be collected by ISPs in the first place? If they are the providers, sure, they probably have a right to collect the data, and yes, this New York legislation is a solid move on preventing them from selling your personal behavioral data for monetary/strategic gain. But someone, somewhere could argue this is akin to a shopping mall monitoring how many times you've taken a leak in their restroom, or how often you visit city parks and what you do there, or, perhaps, your electric company installing video cameras in your home to watch how you use their electricity.


The End of The Deck Ad Network

The Last Bastion of Privacy-Conscious Advertising is Dead

Back when the Internet was breaking out and expanding rapidly, with a chorus of new voices stretched across the globe, excitement around how to both monetize blogging and curate wonderful work was at a high pitch. I’m talking about the early-to-mid 2000s, arguably the beginning of solo writing as a serious format, the proliferation of sharing (dare I say “social sharing” before the social network explosion), and the collaboration of minds beyond physical barriers. Very cool projects, voices, and technologies came out of this period, and continue to thrive today. One such solution to monetization of all this activity was a small advertising network called The Deck, run by Chicago design company Coudal Partners. It operated as an income haven for smart, tech-angled writers and curators, and continued operating until just this past week, when founder Jim Coudal pulled the plug. What kind of impact might this small, hardly known network have on the rest of the advertising and privacy-conscious world?

Let’s first step back a sec and orient ourselves. Started in 2006, The Deck was, and always remained, a small-format display advertising network (you know, the kind with small, static images placed somewhere somewhat prominent on a web page that featured a creative message to incentivize a click-through or just to make you aware of some kind of product or event). It was built with Coudal-selected or self-recommended sites within its walled ecosystem, which is to say that it was kind of an exclusive members-only club for a while. Early on, these members included The Morning News (an online magazine of essays, art, humor, and culture), John Gruber’s Daring Fireball (one of the first Apple-centric blogs), A List Apart (a long-standing institute for web developers and designers), Basecamp’s Signal V. Noise (formerly operated under 37signals, a design studio that built Basecamp and actually shared office space with Coudal Partners back in the day), and, of course, the great Kottke.org, one of the oldest blogs on the Internet, which covers essential people and ideas, and still serves to this day as one of the best resources for daily linkage. It went on to include more than 50 sites.

[Image: Sorrow ensues]

Eclectic beginnings? Perhaps. But I remember visiting the Deck’s website a decade ago and mining its growing members for writers and bloggers and companies to follow via RSS and eventually Twitter. In a way, through The Deck’s members’ sites, I grew up on the Internet, poring over all the amazing projects, ideas, and products being written about. To this day, I still follow several of these writers, have consistently linked to a number of their posts, and have bought my fair share of Field Notes Brand notebooks from Coudal’s other side project.

A few fairly critical things set The Deck apart from other growing (and less specialized) ad networks.

  1. The Deck was fairly exclusive, and aimed at a certain kind of audience. Yes, other networks did tend to do this sort of thing, but many have been gobbled up and rolled into larger ones, with segmentation based on attributed demographic/interest models. Essentially, things got algorithmic, less special, and more data-driven.
  2. The Deck never tracked users or personally-identifiable information (PII), something that every other ad network does without shame. They served ads in what they claimed as “useful and unobtrusive” ways. On a technical level, the Deck never issued cookies, which in most circumstances would have tracked readers in a specific way to allow for other actions/recognition elsewhere on the internet. The only data they collected and reported to site owners hosting their ad network was gross impressions, which are the number of times an ad has been served (essentially seen) during a period of time.
  3. The only thing they ever collected about their “users” (what they mean by this is a visitor or reader of a site in their network) was an occasional, completely anonymous survey. Referral traffic tracking is a pretty simple thing to analyze for any of the site owners that were part of the Deck network, so beyond impressions tracking, there probably wasn’t much else to build around this. Kept things clean and simple, I’m sure.
  4. Display ads were low fidelity. This may sound boring, but it was a godsend, particularly when the Internet went mobile. Each Deck ad was a small little square, static image, with a short text message and link beneath it. Page load speed was not compromised because it was such a small little thing, and they were oftentimes placed in unobtrusive places (sure, you can probably owe this to the fact that most sites in its network were run by authors with some design-savvy, but still). Compare this with the godawful display/programmatic networks today, with auto-playing videos, banners covering every corner of the screen (look, I update this exhibit of sites that should be slapped in the face for their atrocities in ad placements), and tracking you in every conceivable way possible — yeah, we’re going to miss the ambitious, reasonable vision Coudal Partners had.

So what happened? According to Jim’s farewell note, a few trends around the major mobile/social shifts in the way people engaged on the Internet are mostly to blame. We can probably assume the more invasive ad networks, breadth of connected sites, and their clarity of data probably became too tempting for most advertisers to ignore, even though I always thought the Deck attracted really great companies peddling their wares. When investing in media, it tends to come down to measurable return on investment, and this might have been something the Deck struggled to compete with “on paper.”

[Image: Example of a Deck ad network ad placement.]

Jim states that “in 2014, display advertisers started concentrating on large, walled, social networks,” which is primarily true — in-app display ad networks are also extremely rampant now. Let’s not forget, this is where mass attention is. Additionally, the “indie ‘blogosphere’ was disappearing”. In part, this too, is true. I have to constantly remind myself I’m probably in the minority of folks who still follow writers and bloggers via RSS, and the rest of the world is getting their kick inside Facebook, Instagram, and Twitter. The breadth of ad networks shows no sign of ceasing its advancement across and inside every platform imaginable, and the complexity of data tracking is not going to relent any time soon. Solutions like Google’s Display Network and Facebook’s Advertising apparatus are significantly more nuanced, with ever-smarter audience and demographic targeting, and available in various formats (including video and, more recently, interactive, like Facebook’s Canvas). Their data-sharing abilities also span audience and data management platforms, something advertisers, agencies, and brands are clinging to as part of major organizational maturity models moving into this year and the next ten years. These “innovations” and platform-specific advantages make competitors like The Deck extremely fragile, and less appealing, to both small and large advertisers.

But with the recent mounting concerns around privacy and data-sharing, it’s surprising to see this ad network cease to operate. If anything, it seems like the time is ripe to build a privacy-conscious ad network, get a great many influential writers and influencers onboard, and proliferate the good word. Maybe that’s something we can all work together toward?

So why, exactly, did The Deck just go quietly into the night, and not sell its platform to another owner?

John Gruber’s recent lament on the end of the Deck had probably the best anecdote as to why:

I was chatting with Jim earlier this evening. Someone wrote to him to ask, “Why didn’t you sell the network instead of shutting it down?” Jim’s answer: “The Deck was built exclusively on close, personal relationships. I don’t think those are mine to sell.”

With that remark, we can safely say The Deck went out with dignity, upholding its highest principles. Can’t blame them for that. I just hope the example they set will inspire a new torch-bearer in the darkening days of the Internet ecosystem. Somebody has to be listening…


Privacy Sold

So Much for Draining the Swamp

It's official. In what should have been a non-partisan issue and civil stance on our human right to privacy in the modern era, the Republicans instead sold us out to Internet Service Providers (ISPs).

Round-up of informative articles about this:

Of note is The Verge's article, which outlines all 265 members of Congress (again, for a non-partisan issue, all Republican) who sold us out, and what their take was. For such a monumental retraction of a previous privacy law, the net intake is petty. Between Representatives and Senators, the total intake of donations from telecommunications lobbyists was a paltry $9mm ($9,056,912, to be exact). Perhaps most disappointing is John McCain's name on this, the guy we all thought was tossing punches for the good of democracy.

As the Wall Street Journal reports:

FCC officials say they will continue for the foreseeable future to oversee the internet-service providers, including their privacy practices.

“We want to recognize and vindicate consumers’ uniform expectation of privacy,” Mr. Pai said last week. FCC officials are working with the FTC to make the two agencies’ standards basically the same.

But consumer advocates say the privacy regulation that Congress rolled back was the only interpretation of exactly what obligations the telecommunications companies have under federal statute. Without the rules, there is not much to guide the companies.

Other questions remain as well. For example, under federal law, the congressional rollback means the FCC cannot adopt “substantially similar” regulations in the future—a concept that is little-tested and subject to debate. That could weaken the FCC’s hand in adopting a replacement rule.

So much for draining the swamp.


Congress Moves Toward Eliminating Internet Privacy Rules

In another unsurprising feat by the Republican-led Congress, "lawmakers moved to dismantle landmark internet privacy protections for individuals". It's the first move against telecommunication, Internet, and technology regulations that were established during the Obama administration.

The move means a company like Verizon or Comcast can continue tracking and sharing people’s browsing and app activity without asking their permission. An individual’s data collected by these companies also does not need to be secured with “reasonable measures” against hackers. The privacy rules, which had sought to address these issues, were scheduled to go into effect at the end of this year.

Thursday’s vote begins a repeal of those regulations. Next week, the House is expected to mirror the Senate’s action through the same Congressional Review Act procedure that allows Congress to overturn new agency rules. The House is expected to pass the resolution, which would then move to President Trump to sign.

This move clearly comes as an alarm for anyone who gives a shit about their privacy online, specifically around the behaviors of visiting websites, sharing files, updating your status, etc. And it equally came as a slap to the face to consumer advocates and "other" partisan lawmakers. Why? Because this could mean, if it's set into motion as law (and why wouldn't it?), broadband providers like Comcast would soon have the broadest view into the online habits of Americans. Without previous rules in place, these mostly technical monopoly companies would more easily be able to collect data on their customers and sell varying levels of personal/sensitive information to advertisers, health care companies, financial institutes, and other bidders. And they'd be able to do this without asking permission.

For your own sanity, I'm in the midst of drafting a guide on using a VPN (virtual private network), which is really the only practical way to safeguard against this kind of abuse. VPNs and TOR-like browsing networks allow you to visit sites and skirt surveillance and subsequent data-selling from providers by masking DNS (Domain Name System) queries.

As redditor ijustdobooks notes, "Even if one sticks to purely HTTPS sites, without a VPN or TOR-alike, the ISP [like Comcast] will at least know what site they visit and when. Even just that info is of great value to advertisers." Trust me, it is. Upstream/downstream traffic (which site do you visit, which site afterwards/before?) is immensely helpful in advertising, and up to this point, advertisers have typically had to rely on opt-in panel solutions like Comscore, whereby a few million people willingly allow the tracking of their online behaviors as a sample set against which to weigh larger trends. Without the previous privacy provisions, the entire US population becomes an inadvertent member of a ubiquitous study by marketers and advertisers (and healthcare companies and financial institutes and, let's not forget, the government), which negates the need for a sample set entirely.
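What the ISP-visibility point above looks like on the wire, as an added example (not from the original post): a classic DNS lookup carries the hostname in cleartext, so an on-path observer can rebuild which sites were visited, when, and in what order. The packets, timestamps, and hostnames are constructed, and the function names are this example's own.

```javascript
// Added example. All packets, timestamps and hostnames below are constructed.

// Build a classic (unencrypted) DNS query: 12-byte header + QNAME + QTYPE + QCLASS.
function buildDnsQuery(id, hostname, qtype = 1) {
  const header = Buffer.alloc(12);
  header.writeUInt16BE(id, 0);      // transaction ID
  header.writeUInt16BE(0x0100, 2);  // flags: standard query, recursion desired
  header.writeUInt16BE(1, 4);       // QDCOUNT = 1
  const labels = hostname.split('.').map((label) => {
    const bytes = Buffer.from(label, 'ascii');
    return Buffer.concat([Buffer.from([bytes.length]), bytes]);
  });
  const tail = Buffer.alloc(5);     // root label (0x00), then QTYPE and QCLASS
  tail.writeUInt16BE(qtype, 1);
  tail.writeUInt16BE(1, 3);         // QCLASS = IN
  return Buffer.concat([header, ...labels, tail]);
}

// What an on-path observer does: read the question name straight out of the bytes.
function parseDnsQuestion(packet) {
  if (packet.length < 12) throw new Error('truncated DNS header');
  const isResponse = (packet.readUInt16BE(2) & 0x8000) !== 0;
  if (packet.readUInt16BE(4) < 1) throw new Error('no question section');
  const labels = [];
  let offset = 12;
  for (;;) {
    if (offset >= packet.length) throw new Error('truncated QNAME');
    const len = packet[offset];
    if (len === 0) { offset += 1; break; }            // root label ends the name
    if ((len & 0xc0) !== 0) throw new Error('unexpected pointer in question');
    if (offset + 1 + len > packet.length) throw new Error('label overruns packet');
    labels.push(packet.toString('ascii', offset + 1, offset + 1 + len));
    offset += 1 + len;
  }
  if (offset + 4 > packet.length) throw new Error('truncated QTYPE/QCLASS');
  return {
    id: packet.readUInt16BE(0),
    isResponse,
    name: labels.join('.').toLowerCase(),
    qtype: packet.readUInt16BE(offset),
  };
}

// Constructed capture: one subscriber's port-53 payloads with arrival times.
const CAPTURE = [
  { ts: '2017-03-24T08:01:12Z', payload: buildDnsQuery(0x1a2b, 'news.example.org', 1) },
  { ts: '2017-03-24T08:01:12Z', payload: buildDnsQuery(0x1a2c, 'news.example.org', 28) },
  { ts: '2017-03-24T08:03:40Z', payload: buildDnsQuery(0x1a2d, 'clinic.example.com', 1) },
  { ts: '2017-03-24T08:03:41Z', payload: buildDnsQuery(0x1a2e, 'mail.example.org', 16) },
  { ts: '2017-03-24T08:09:05Z', payload: buildDnsQuery(0x1a2f, 'bank.example.net', 1) },
];

// Keep address lookups (A = 1, AAAA = 28): these precede a connection to the site.
function observerTimeline(capture) {
  return capture
    .map(({ ts, payload }) => ({ ts, ...parseDnsQuestion(payload) }))
    .filter((q) => !q.isResponse && (q.qtype === 1 || q.qtype === 28))
    .map(({ ts, name }) => ({ ts, name }));
}

// "Which site afterwards/before": consecutive distinct names in the timeline.
function visitPairs(timeline) {
  const pairs = [];
  for (let i = 1; i < timeline.length; i++) {
    const prev = timeline[i - 1].name;
    const next = timeline[i].name;
    if (prev !== next) pairs.push(`${prev} -> ${next}`);
  }
  return pairs;
}

for (const { ts, name } of observerTimeline(CAPTURE)) console.log(ts, name);
console.log(visitPairs(observerTimeline(CAPTURE)));
```

None of this touches page content, which is why HTTPS alone does not hide it; with a VPN the same queries travel inside the tunnel and the ISP sees only the VPN endpoint.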


MN Police Receive Search Warrant for Anyone Who Googled a Name

As a former Minnesotan, this story piqued my attention over the weekend. Police in Edina, which is one of the metropolitan suburbs of Minneapolis, were granted a warrant that permitted them to collect information on any of the city's residents who used specific search terms (on Google's search engine), all in the spirit of locating a thief who stole $28,500.

Why, exactly, did this happen? According to the Edina police:

The complicated investigation stems from the fact the Edina police believe someone used the victim's name, date of birth, social security number and a forged passport to illegally wire the money.

That fake passport included an incorrect photo only attainable by searching the victim's name in Google images. No other search engine allegedly reveals it.

Apart from this raising considerable concerns over privacy violations for everyone who isn't the thief, Google is taking a stand as well. The broadness of probable cause definitions is at the heart of the controversy, as this kind of thing could set dangerous precedents moving forward. A lot of information is being demanded for residents associated with looking up the name:

In addition to basic contact information for people targeted by the warrant, Google is being asked to provide Edina police with their Social Security numbers, account and payment information, and IP (internet protocol) and MAC (media access control) addresses.

A spokesperson for Google, which received the warrant, said Friday: “We will continue to object to this overreaching request for user data, and if needed, will fight it in court. We always push back when we receive excessively broad requests for data about our users.”


Google Gmail Phishing Scam

An important heads-up to anyone using Gmail (particularly on the domain itself):

Here's how the swindle works. The attacker, usually disguised as a trusted contact, sends a boobytrapped email to a prospective victim. Affixed to that email, there appears to be a regular attachment, say a PDF document. Nothing seemingly out of the ordinary.

But the attachment is actually an embedded image that has been crafted to look like a PDF. Rather than reveal a preview of the document when clicked, that embedded image links out to a fake Google login page. And this is where the scam gets really devious.

Google is aware of the problem and is investigating it further. As always, it's very important to get accustomed to protecting yourself online when clicking on email links or ads, which may be malicious, by always keeping an eye on the URL address bar in your web browser and checking that the now-standard lock symbol appears before you enter usernames/passwords. It's also a good idea to check the root domain listed in the address bar (i.e., the core domain listed in the URL, like [domain].com).
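The address-bar check described above, written out as an added example (not from the original post or from Google): it parses a URL the way a browser does and reports whether the scheme and the root domain are the ones you expect before credentials are entered. The trusted-domain list, the function name, and the sample URLs are assumptions made for illustration.

```javascript
// Added example. The trusted list and every sample URL below are constructed.

// Domains where this user really signs in (assumption for the example).
const TRUSTED_LOGIN_DOMAINS = ['google.com'];

// Decide whether a URL is a plausible place to type a password.
// Uses the WHATWG URL parser, the same parsing rules browsers apply.
function assessLoginUrl(rawUrl, trusted = TRUSTED_LOGIN_DOMAINS) {
  let url;
  try {
    url = new URL(String(rawUrl).trim());
  } catch (err) {
    return { ok: false, host: null, reason: 'not a parseable absolute URL' };
  }
  // Hostnames are case-insensitive; a trailing dot is the same host.
  const host = url.hostname.toLowerCase().replace(/\.$/, '');

  // The lock symbol only appears for https; anything else fails first.
  if (url.protocol !== 'https:') {
    return { ok: false, host, reason: `scheme is ${url.protocol} rather than https:` };
  }
  // Text before an "@" is userinfo, not the site. It can be made to look
  // like a familiar hostname while the real host comes after the "@".
  if (url.username !== '' || url.password !== '') {
    return { ok: false, host, reason: 'URL carries userinfo before "@"; real host is ' + host };
  }
  // Root-domain check: the host must BE a trusted domain or end with
  // "." + domain. A plain endsWith(domain) would accept "notgoogle.com".
  const match = trusted.find((d) => host === d || host.endsWith('.' + d));
  if (!match) {
    return { ok: false, host, reason: 'root domain of ' + host + ' is not a trusted login domain' };
  }
  return { ok: true, host, reason: 'https and under ' + match };
}

// Constructed samples: the genuine form plus lookalikes that fail each check.
const SAMPLES = [
  'https://accounts.google.com/ServiceLogin',
  'http://accounts.google.com/ServiceLogin',
  'https://accounts.google.com.signin.example.net/ServiceLogin',
  'https://accounts.google.com@login.example.net/ServiceLogin',
  'https://notgoogle.com/ServiceLogin',
];

for (const sample of SAMPLES) {
  const verdict = assessLoginUrl(sample);
  console.log((verdict.ok ? 'OK   ' : 'STOP ') + sample + '  (' + verdict.reason + ')');
}
```

The hostname is read right to left: whatever sits immediately before the first single slash decides where the password goes, no matter how familiar the left-hand part looks.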


Oxford Comma Woes in Maine

If you know me at all, there's a particular grammatical deployment of the comma I prefer when it comes to serial sentences. A few years ago, I wrote at length about it in my piece, Defending & Deflating the Use of the Oxford Comma. And so it is only fate that I stumble upon this gem of an article in the Times about how the misuse of the comma could cost a Maine dairy company millions of dollars in an overtime dispute from truckers.

How did this exactly come about?

The debate over commas is often a pretty inconsequential one, but it was anything but for the truck drivers. Note the lack of Oxford comma — also known as the serial comma — in the following state law, which says overtime rules do not apply to:

The canning, processing, preserving, freezing, drying, marketing, storing, packing for shipment or distribution of:

(1) Agricultural produce;

(2) Meat and fish products; and

(3) Perishable foods.

Does the law intend to exempt the distribution of the three categories that follow, or does it mean to exempt packing for the shipping or distribution of them?

Delivery drivers distribute perishable foods, but they don’t pack the boxes themselves. Whether the drivers were subject to a law that had denied them thousands of dollars a year depended entirely on how the sentence was read.

Apparently, the Maine Legislative Drafting Manual prohibits the use of the Oxford comma. While I'd argue against that directive, perhaps there is simply a clearer way to describe the contentious language in question so as to avoid misunderstanding?


Pod Save the World's Interview with Glenn Greenwald

Crooked Media's newish podcast, Pod Save the World, has a great 45-minute interview with The Intercept's Glenn Greenwald, who has been a long-time journalist and constitutional lawyer. His biggest journalistic contribution of recent note, of course, was the work he did to sift through and communicate the files and intel Edward Snowden brought to bear. Much of the interview focuses on the Snowden situation and his book, No Place to Hide, but there are some amazing nuggets about how and why Snowden did what he did, national security, and privacy in the modern era.

Of note:

[Snowden's] overwhelming priority was to make sure he met with the journalists with whom he had selected and safely provide that material to us and review that material with us to make certain that we understood what we needed to understand, and start reporting it.

The fear of being detained before he could get the materials into the journalists' hands was felt in both of the recent films about him (Snowden and Citizenfour, in the latter of which Greenwald plays a significant role). But the extrapolation of this narrative by Greenwald is fascinating to listen to all over again. The places Snowden goes to, how he instructs the journalists to secure their communication, and the delivery of only some of the materials after he pored over them himself -- essentially, the high-level decision-making around how, why, and with whom to share such sensitive, earth-rattling intel is still to this day underreported and underappreciated. As Greenwald notes, he could have dumped the entirety of the files to Wikileaks and had the whole thing publicly revealed, but instead he took the time to read, understand, and to the best of his ability, share the right kinds of files that we as Americans must trust are the most important aspects of what he had access to that infringe upon our rights as US citizens.


Weekend Reading List - Hope Amidst the Darkness

Round-up for March 11-12

Machine Bias: ProPublica's ongoing investigation into machine/data-driven usage for criminal risk assessments and crime predictions.

What should you think about when using Facebook?: Facebook logs drafts of posts/keystrokes before you post, or even if you don't post.

Apple says it’s already patched ‘many’ iOS vulnerabilities identified in WikiLeaks’ CIA dump: Title says it all, but it’s a hopeful reassurance that Apple has detected and patched many of the alleged CIA exploits brought forth in the Wikileaks unraveling.

Your Own Facts: A great essay/book review on the “filter bubbles” we continue to create ourselves or sign up for with external apps and services. Essentially, author Eli Pariser argues that “this is not to deny that Silicon Valley engineers […] have responsibilities that extend far beyond their job descriptions. But their modest quests to improve relevance, alleviate information overload and suggest books that may interest us — rather than to engage in algorithmic paternalism and assume a more critical social role — may be the lesser of two evils”.

Internet Censorship and What We’re Doing About It: A leading encryption-based email service provides a rundown of why we should care about internet censorship, and what some of its plans are in terms of helping the wider world. Of course, this is leading up to a release later this summer of their ProtonVPN service, set to compete against other VPNs (virtual private networks) that can assist in black boxing your internet traffic and behaviors.


WikiLeaks Unloads 'Alleged CIA Hacking Documents'

This happened just a short while ago, but an important development nonetheless. According to the New York Times:

The initial release, which WikiLeaks said was only the first part of the document collection, included 7,818 web pages with 943 attachments, the group said. The entire archive of C.I.A. material consists of several hundred million lines of computer code, it said.

Among other disclosures that, if confirmed, would rock the technology world, the WikiLeaks release said that the C.I.A. and allied intelligence services had managed to bypass encryption on popular phone and messaging services such as Signal, WhatsApp and Telegram. According to the statement from WikiLeaks, government hackers can penetrate Android phones and collect “audio and message traffic before encryption is applied.”

And here's the link to the vault of documents on WikiLeaks. Haven't had a chance to read through anything yet, but will update as needed over the next week.

Update | March 07, 2017 11:42AM CT

Edward Snowden posted an update on Twitter regarding one of the big call-outs, thus far, from the leak: "first public evidence USG secretly paying to keep US software unsafe."

[Image: From Edward Snowden's tweet]


Weekend Reading List

Round-up for March 4-5

New Bill Would Force NYPD to Disclose Surveillance Tech Playbook: Though not as pressing as other privacy disclosures, this is a timely local-level one that could predicate other states/cities following a similar line. What's notable here is that we are all essentially under a watchful eye from city security cameras, other citizens' cameras, and a myriad of tactics alluded to in the bill (including facial recognition). The New York Civil Liberties Union's statement on this being "critical to democracy" is rather obvious.

How to Keep Messages Secure: Friendly rundown of why teens (ahem, anyone) should avoid using popular chatting apps like Snapchat, et al, for serious communication or for chatting at all. Surprising editorial source, too.

Is There a Business Model For Serious Journalism in the Age of Trump?: Comprehensive analysis on the state of serious journalism.

Smart Condom to Track Your Sex: Here we go with another invasive Internet of Things product. At this point we're just turning ourselves into constantly-monitored subject matter for government, medicinal, and corporate overlords.

Government's Privacy Watchdog is Basically Dead, Emails Reveal: Should we have seen this one coming? "[T]he agency, known as the Privacy and Civil Liberties Oversight Board, is down to just a single voting member — which means it has been stripped of nearly all its powers, according to emails obtained by The Intercept." Important to note: it appears that this didn't start with Trump, and it's "been withering away for almost a year."

That Free Health Tracker Could Cost You: Handing out Fitbits is something my agency recently did, and I've seen a number of health insurance providers do the same thing -- not sure if all circumstances are leading to more risk pooling bullshit, but this is certainly where it starts.

Want to Improve Data Quality, Reduce Liability, and Gain Consumer Trust? Try Deleting: In its latest white paper, CDT "explores th[e] disconnect and the reasons why commercial data stores have grown. We make the case that it is neither in a company’s nor a customer’s best interest to hold onto large amounts of data." Deleting old, unusable, or irrelevant data is absolutely a consideration to make, especially if you don't plan to use it anymore.


The Terms of Service Dilemma

Great piece from The Guardian on how no one reads terms of service for apps/services/hardware they sign up for, and points to solutions in the way of redesigning them.

[T]here’s a lot in click-to-agree contracts that would give many people pause if they knew about them. For example, users give web-based services – and third parties the services contract with, about which users know nothing – the right to keep, analyze and sell their data. Increasingly often, too, people click away their right to go to court if anything goes wrong. “There’s a real concern that consumer protection law is basically being swallowed by click-by-agree clauses,” said David Hoffman, a professor at the University of Pennsylvania Law School, who researches the law and psychology of contracts.

Hoffman is among the legal scholars who believe the no-reading problem isn’t new. After all, he points out, few people read the fine print even when it was literally in print.

However, it’s possible that the design of click-to-accept pages makes the problem worse. A few years ago Rainer Böhme of UC Berkeley and Stefan Köpsell of Dresden’s Technische Universität tested alternative wordings of a simple consent form on more than 80,000 internet users. Some were told their consent was required and presented with highlighted “I agree” button. They went along 26% more often than did other users, who had been politely asked to participate (with phrases like “we would appreciate very much your assistance” and both “yes” and “no” options represented by lookalike buttons).

In other words, when design invites people to consider their options, at least some do. If the design nudges them instead to follow a habit that years of click-to-agree has instilled, then they’ll do that instead. “Ubiquitous EULAs [end user license agreements] have trained even privacy-concerned users to click on ‘accept’ whenever they face an interception that reminds them of a EULA,” Böhme and Köpsell wrote.

This kind of thing has been pointed out ad nauseam, but it is a vital struggle to acknowledge and consider. There is a great site out there called Terms of Service; Didn't Read that operates as a user rights initiative rating and scoring websites' terms of services/privacy policies from Class A (good) to Class E (miserable). A wise read for anyone who has clicked or tapped away on agreeing to walls of unreadable text before engaging with software.


Our Privacy, Our Data: A Call to Be Defiant

There was once a time when human societies were truly free from mass surveillance — at liberty to say, do, and think as they pleased within mutually-agreed upon, reasonable constraints. And yes, could feel safe doing so in their own homes. Few, if any, of our ancestors could have anticipated how quickly our societies pushed forward in technological and political complexity. Our progressive willpower in these areas has overwhelmed global culture and political infrastructures with exponential innovation in data-driven decisions, Internet plus hardware application, and laws (or lack thereof). Now we enter an era with the ubiquity of connected technologies — in our cars, in our homes, in our pockets, on our bodies. And due to our inexhaustible tenacity to produce data and content, our inherent right to liberty and privacy is under constant siege. At the rate these technologies evolve, paired with the menace of terrorism, international hacking, and the nearly incomprehensible extensiveness of government surveillance, our liberties and privacy have been inextricably compromised.

As citizens, we have the ability and right to understand the repercussions of technology we use or other agents surround us with, and most importantly, the spirit to challenge these conveniences, compromises, and innovations. We should not sit idly while legalese in terms of services obfuscate or bewilder us, surrendering our privacy and data to those who would use it against us or for their own ends. We should not, for want of convenience, ignore modern practices of safe password management, profile protection, and behavioral tracking. We should be concerned with the reckless abandon with which organizations have built, maintained, and even stagnated on core communications technologies that affect our everyday lives, imperiling privacy in email, messaging, social networks, voice-over-internet, web browsing, and file-syncing services. We should care about the way our data, communications, and media are stored, maintained, and protected. And we also should know where our data is stored -- not all countries share the same privacy and security standards. This isn’t asking much, but it does beckon you and our fellow citizens to pay attention. To be willing to learn. And to be willing to share and educate.

This isn't to say that we can't still enjoy the delights, conveniences, and usefulness of technology. At this point, we're in too deep for any government or corporation to start reversing the saturation of all this technology. So while we should continue to invest in this future, we need to let our concerns be known to leaders, corporations, and peers around the world -- the union of hardware and software can make our lives better, but shouldn't do so at the expense of inherent human dignities. We have to tread cautiously. And smartly. After all, this progression has made life better for many people and businesses around the world. I am not suggesting we retreat to Internet-free zones, removing ourselves from connectivity, smartphones, and Internet of Things devices. But I am suggesting that we take the considered time and effort to become more informed about the current privacy climate, that we acknowledge that our privacy has been irreversibly compromised, that companies and governments should be held accountable to the tremendous changes in communications in our modern civilization, and that we as a people can do something about it. Democracy and fairness cannot reign unless we are able to speak, act, create, and litigate freely. If everything we say, write, or do is tracked and archived, how else can we possibly feel other than creeping ever closer to a police state, worried about potentially irresponsible or libelous use of that data? As many have said before, would you feel comfortable with an advertising agency or government reading and storing your personal letters, your physical journals, your bank statements, your doctor visits, your bodily functions, your every movement on this planet? The likelihood they have access to most of this is already great. And those who say they have "nothing to hide" are woefully ignorant of the larger consequences of this movement.
As Edward Snowden so astutely declared, "arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say."

Defending our privacy and data will continue to be an important movement as we make progress as a society. The perseverance of surveillance back doors in software and hardware can compromise our financial and personal security, domestically and abroad, if exploited by ill-doers. And the big business of technology, security, and surveillance will continue to slither forward as an ouroboros of corporations and government. And there is no end in sight of the application of algorithms for everything in our lives -- you don't need to turn to an episode of Black Mirror to see this in action because it's already happening all around us (search engines, social media, advertising, economics, wellness, prisons, education, you name it). But if creators and users of these algorithms are not transparent, are not willing to cede to constructive collaboration with others to iteratively improve these action-driving usages of data in meaningful ways for society and civil liberties, we could be in for a very challenging time ahead. And let’s not forget that algorithms are only the first step. The machine-learning era of artificial intelligence will further compound the use of algorithms and could end up instructing us (or bypassing us entirely) on how to apply the insights for efficiencies and actions across the board, all based on the blueprints of an algorithm programmed by a misinformed coder years ago.

As such, the purpose of this site is to inform readers of the large-scale movements in data use, algorithms, advertising technologies, privacy risk, and state surveillance. I hope to make it a trustworthy, if at times facetious (because how can it not be?) resource for methods to safeguard your personal information, secure communications, and productively collaborate without unwarranted intrusions. Together, we can keep a discerning eye on the ever-watchful governments, health organizations, insurance companies, advertising agencies, and technology corporations who continue to benefit society with their inventiveness but simultaneously solicit us to normalize always-on, active Internet products and services that can be and are used for self-interest and disingenuous means. Don't get me wrong -- I love technology. My smartphone is a miraculous device that saves me time, provides me nearly unlimited access to information, and allows me to accomplish things I could only dream about in my childhood. I’ve read, watched, written, and captured the most important events in my life through its omnipresent screen, camera lens, and microphone. But I also expect that these moments, this data, this usage is inherently mine. As soon as it does not become mine, I’m likely the product, or the subject, or the variable in some larger scheme. If you're comfortable with that, fine. But I'm not. And I’m not alone.

Instead of leaving you with a reminder of the lofty aims of the Fourth Amendment (whose authors at the time couldn’t even have fathomed the technological progress of the modern era), I will leave you with this quote from long-time cryptographer and computer security specialist, Bruce Schneier, who warns about the misappropriation of the debate for privacy:

Too many wrongly characterize the debate as "security versus privacy." The real choice is liberty versus control. Tyranny, whether it arises under threat of foreign physical attack or under constant domestic authoritative scrutiny, is still tyranny. Liberty requires security without intrusion, security plus privacy. Widespread police surveillance is the very definition of a police state. And that's why we should champion privacy even when we have nothing to hide.

Thanks for your time. I hope this is a compelling enough beginning for you to continue reading in the weeks to come, and at the very least, a resource to check in on every once in a while for your own sake.


Big Changes Ahead: Defiant Sloth Relaunching

Hello readers.

It was inevitable that this day would come, particularly if you’ve been reading the tea leaves on where our technology culture and data-wielding organizations are moving towards. We are living in a present climate that permits the break-down of individual citizens’ privacy, and the propagation of mass surveillance and advertising systems driven by hardware and data engineering.

And so I am relaunching Defiant Sloth as a site dedicated to the advocacy of privacy in the modern era, and will be keeping tabs on organizations and institutions of technological and data-wielding power. It’s not enough to stand by and watch as citizens continue to use the latest smartphones, download the latest apps, upgrade software with infinitely more convoluted terms and conditions, disregard username and password housekeeping, sign up for services with little background into why they are free to use, and roam the planet (or their own country) knowingly, and perhaps willfully, permitting traceability and monitoring without clear consent. We also need to wise up to the use of this data, which can in turn be used for both good and misdirected intentions, including “weapons of math destruction” that can lead to dangerous revisions to laws, education, prison systems, advertising, and government.

So please think about continuing to follow this site. Its name will remain the same — Defiant Sloth, a credo that hints at our laziness to be as proactive about the data we create and share with organizations, government, and advertising behemoths. I hope to see you back at the end of this month to join it on a new, forward journey through technology, government, and advertising with a lens (and dare I say panache) for the defense of our right to privacy. As a nation, we can’t be lazy about the speed of change in this arena — we need to be defiant.


Newspapers’ Revenue Decline & Ad Blockers

Jonathan Irons writes about his defense of using ad blockers on news sites and how these companies shouldn’t place the blame on users — “How newspapers voluntarily gave away their online income”.

The newspapers (with very few exceptions) bet all their online revenue on pay-per-click ads. They swallowed the promises of the ad companies, above all Google. They believed them, and they remarkably failed as a complete industry to come up with any more nuanced and niche alternatives. Now the revenue is falling away, and the newspapers are struggling. At the same time, the revenues of the likes of Google are skyrocketing. And now it’s my fault.

Also of note is the screenshot-shaming of several news sites with layouts usurped by ad placements. Right in line with my Hostile Reading Experiences.

And here's a nice accompanying graph to further extrapolate the view:

Advertising revenue 1950-2014. US newspapers vs. Google, Facebook. In bn. US$, inflation adjusted. Data source: NAA, Statista. via Chris Lüscher of IA.


Hostile, Ad-Ridden Articles

This is a brief bit about hostile reading experiences. I've been keeping a reference gallery of hostile reading sites (mostly screenshots) from around the web for a few years, but have been slow in updating it. But today I had to update it. An article linked to on Time was so fucking over-ridden with ads, the actual article didn't begin until scrolling below the fold. It also had two video ads auto-play upon arrival. Possibly the worst experience you can have trying to read actual content besides the derided "timed overlay" ads.

Here's what I saw when I visited the site in my work PC's Chrome browser.

<img src="https://cdn.uploads.micro.blog/25423/2023/5481e2e06d.jpg" alt="" />

Due to the nature of my work, I don't block ads in-browser (though I do use 1Blocker on my Mac at home and all my iOS devices). Either way you look at it, this is a ludicrous way to make money off content on your site, particularly when the only use-case scenario for Time.com is reading its content.

I don't need to rehash my thoughts on privacy and the advertising marketplace, but this is just another testament to how the publishing industry should change or modify some of its practices to allow for a better experience with its readers and customers. They have a right to choose the advertising networks and technologies on their website, and this is a call to evaluate that without compromising on their bottom line.

For what it's worth, the article is pretty good (interview with Shigeru Miyamoto on Nintendo bringing Super Mario to iOS, which was announced at the iPhone 7/Apple Watch Series 2 event on September 7).