Start Up: the Android (and iOS?) trackers, faking neutrality, getting deregulation wrong, and more

Yup, you just need to learn how to merge in traffic. Photo by wiccked on Flickr.

You can now sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.

A selection of 10 links for you, Man (Person) Of The Year. I’m @charlesarthur on Twitter. Observations and links welcome.

Staggering variety of clandestine trackers found in popular Android apps • The Intercept

Yael Grauer:


Researchers at Yale Privacy Lab and French nonprofit Exodus Privacy have documented the proliferation of tracking software on smartphones, finding that weather, flashlight, rideshare, and dating apps, among others, are infested with dozens of different types of trackers collecting vast amounts of information to better target advertising.

Exodus security researchers identified 44 trackers in more than 300 apps for Google’s Android smartphone operating system. The apps, collectively, have been downloaded billions of times. Yale Privacy Lab, within the university’s law school, is working to replicate the Exodus findings and has already released reports on 25 of the trackers.

Yale Privacy Lab researchers have only been able to analyze Android apps, but believe many of the trackers also exist on iOS, since companies often distribute for both platforms. To find trackers, the Exodus researchers built a custom auditing platform for Android apps, which searched through the apps for digital “signatures” distilled from known trackers. A signature might be a tell-tale set of keywords or string of bytes found in an app file, or a mathematically-derived “hash” summary of the file itself.

The findings underscore the pervasiveness of tracking despite a permissions system on Android that supposedly puts users in control of their own data. They also highlight how a large and varied set of firms are working to enable tracking…

…Among the Android apps identified by the researchers were, with six or seven trackers each, dating apps Tinder and OkCupid, the Weather Channel app, and Superbright LED Flashlight; the app for digital music service Spotify, which embedded four trackers, including two from Google; ridesharing service Uber, with three trackers; and Skype, Lyft, Accuweather, and Microsoft Outlook.


BoingBoing is not pleased about the lack of availability for iOS:


As Exodus and Yale note, these trackers are almost certainly also present in iOS: the companies that make them advertise their iOS compatibility, for one thing. But iOS is DRM-locked and it’s a felony – punishable by a 5-year prison sentence and a $500,000 fine for a first offense in the USA under DMCA 1201, and similar provisions of Article 6 of the EUCD in France where Exodus is located – to distribute tools that bypass this DRM, even for the essential work of discovering whether billions of people are at risk due to covert spying from the platform.


Would be good to get some info about the Android apps, and then make some suppositions about the iOS ones. (Though I think many more Android apps are ad-supported than iOS ones: people pay for the latter.) Also, “digital signatures for known trackers” is a bit weak. The Exodus page suggests it analyses network traffic on a simulated device.
link to this extract

More than a million pro-repeal net neutrality comments were likely faked • Hackernoon

Jeff Kao:


NY Attorney General Schneiderman estimated that hundreds of thousands of Americans’ identities were stolen and used in spam campaigns that support repealing net neutrality. My research found at least 1.3 million fake pro-repeal comments, with suspicions about many more. In fact, the sum of fake pro-repeal comments in the proceeding may number in the millions. In this post, I will point out one particularly egregious spambot submission, make the case that there are likely many more pro-repeal spambots yet to be confirmed, and estimate the public position on net neutrality in the “organic” public submissions.¹

Key Findings:
• One pro-repeal spam campaign used mail-merge to disguise 1.3 million comments as unique grassroots submissions.
• There were likely multiple other campaigns aimed at injecting what may total several million pro-repeal comments into the system.
• It’s highly likely that more than 99% of the truly unique comments³ were in favor of keeping net neutrality.


Less than 800,000 of the 22m comments (ie about 3%) estimated to be unique. Out of 1,000 sampled, only three were pro-repeal.
link to this extract

Drivers who merge at the last minute may be annoying … but they’re right • HowStuffWorks

Jesslyn Shields:


If you’re old enough to drive, you’re old enough to have some thoughts about the best way to merge into highway traffic when your lane is ending or closing due to a wreck or road work. When you see the big, orange “LANE CLOSED IN 1000 FT” sign, you’ve got a couple of options:

• Immediately turn on your blinker and wait until somebody in the next lane lets you in.
• Just stay in your lane and wait for all the polite people to get out of your way before zooming to the front of the line and merging when the lane closes. Watch as people who merged early rage in your general direction.

To most people, the first option seems more courteous and patient — less selfish. But study upon study proves the upstanding early-mergers among us are just creating a single long, slow line of traffic that’s not only frustrating for drivers, it’s inefficient because it minimizes the amount of usable road — and it even causes accidents.

What we all should be doing is called the “zipper merge,” or Reißverschlusssystem, as the Germans call it. In this system, every car in the lane that’s ending drives all the way up to the front of the line and takes turns merging with the other lane of traffic. (From above, it looks a bit like teeth on a zipper coming together.) Because the system uses all the available road space for as long as possible, it cuts congestion by 40%.


Just putting this aside to read out to my wife for the next time we’re on a motorway. That 40% figure is quite something. Given how bad tailbacks can be from this, why aren’t there signs about it at such merge points?
link to this extract

FBI gave heads-up to fraction of Russian hackers’ US targets • Associated Press

Raphael Satter, Jeff Donn and Desmond Butler:


In the absence of any official warning, some of those contacted by AP brushed off the idea that they were taken in by a foreign power’s intelligence service.

“I don’t open anything I don’t recognize,” said Joseph Barnard, who headed the personnel recovery branch of the Air Force’s Air Combat Command.

That may well be true of Barnard; Secureworks’ data suggests he never clicked the malicious link sent to him in June 2015. But it isn’t true of everyone.

An AP analysis of the data suggests that out of 312 U.S. military and government figures targeted by Fancy Bear, 131 clicked the links sent to them. That could mean that as many as 2 in 5 came perilously close to handing over their passwords.

It’s not clear how many gave up their credentials in the end or what the hackers may have acquired.

Some of those accounts hold emails that go back years, when even many of the retired officials still occupied sensitive posts.

Overwhelmingly, interviewees told AP they kept classified material out of their Gmail inboxes, but intelligence experts said Russian spies could use personal correspondence as a springboard for further hacking, recruitment or even blackmail.


link to this extract

Inside the X moonshot factory: Where Google’s ideas fly high (or fizzle) • GeekWire

Alan Boyle:


“We’re very bullish about Loon, and they have significant work still to do — call it two or three minor miracles that they still need in order to be a thriving business,” [Google X chief Astro] Teller said. “But unlike some projects, they have about 10 different levers that they can pull, so they can spread that need for two or three small miracles across a lot of different things. … We have great confidence that they’re going to do it.”

Teller voiced great confidence in X’s future as well. More than a year ago, there were rumblings that the moonshot factory was getting bogged down in organizational inertia, but the emergence of Waymo and other graduates seems to have turned the tide.

Idea factories are turning into a growth industry — thanks in part to new entrants in the Seattle area such as BlueDot, Intellectual Ventures’ ISF Incubator and the Allen Institute for Artificial Intelligence’s startup incubator. The way Teller sees it, all that interest validates the approach that he’s been pioneering for years.

“I feel like we’re in competition with the problems, not in competition with other people trying to solve problems,” he told GeekWire. “I’m so happy to see other groups trying to solve some of humanity’s problems.”


Because there’s nothing new to say about Google X (it’s been written up scores of times), whenever you see a profile of it and/or Astro Teller, the question to ask is “what perceived problem does Google PR want this article to solve?” The answer’s in that “organisational inertia” quote: make it seem zippy again.
link to this extract

Australian coalition could allow firms to buy access to facial recognition data • The Guardian

Elise Thomas:


The Australian federal government is considering allowing private companies to use its national facial recognition database for a fee, documents released under Freedom of Information laws reveal.

The partially redacted documents show that the Attorney General’s Department is in discussions with major telecommunications companies about pilot programs for private sector use of the Facial Verification Service in 2018. The documents also indicate strong interest from financial institutions in using the database.

The government has argued that the use of facial recognition is necessary for national security and to cut down on crimes such as identity fraud. The Attorney General’s Department says private companies could only use the service with the person’s consent.

But experts and civil society advocates have expressed concerns over lack of transparency and oversight of facial recognition programs.

Monique Mann, a director of the Australian Privacy Foundation and a lecturer at the faculty of law at the Queensland University of Technology, said that requiring companies to ask for consent may not be enough to protect consumers’ rights or mitigate the risks involved with biometric data, and would encourage firms to store more data.


Where have Australians voted for this?
link to this extract

ZTE Axon M review: double trouble – The Verge

Chaim Gartenberg on ZTE’s phone which gives you two side-by-side portrait screens, so basically a small Android tablet with a fold (or you can run two phone apps side-by-side):


The Axon M isn’t the first attempt at a dual-screen Android phone. The benefit of time and more powerful hardware means that the Axon M can actually follow through on some of the promises, like running multiple apps and full-screen integration, that precursors like the Kyocera Echo simply weren’t able to do.

But if the Axon M is the first dual-screen phone that can actually execute the idea of a two-screened device, using it in practice has me doubting whether the idea actually has practical merit. It is cool, on a purely technical level, to be able to unfold your phone and run a giant version of Alto’s Adventure or two apps side by side. But between the hacked-together software execution and the overall lack of productive application for it, it’s hard to look at the Axon M as anything more than a fun gimmick. And with the hefty $725 price tag and a plethora of more powerful, better-designed, and cheaper Android flagships out there, it’s probably worth sticking to one screen for now.


link to this extract

Security advice for Congressional campaigns • Tech Solidarity

Maciej Ceglowski (who runs Pinboard) is advising Congressional teams on how to avoid being hacked, or leaving private information where it will become public:


Thank you for attending a training session! We covered a lot of ground, so these notes are meant to serve as a reference and reminder of the advice we gave you.

Remember that as a Congressional campaign, you are at exceptionally high risk. The guidelines below are intended to protect you against the kind of threats we saw in 2016. They are ranked in rough descending order of priority.

The good news is, if you follow these guidelines, you will have a high level of protection against being ‘Podesta-ed’. The easiest way to get this protection is to form good security habits before you need them.


The main thrust: trust Google for the content and software, iPhones and iPads for the hardware, two-factor everything. “The least safe way to open an attachment is to double-click it on your laptop. Never do this.” Advice for the ages.
link to this extract

Fixing the MacBook Pro •

Marco Arment:


Despite my love for the previous Retina MacBook Pro, I won’t be able to use it forever. The best laptop to ever exist should be in the future, not the past.

There’s a lot to like about the new MacBook Pros, but they need some changes to be truly great and up to Apple’s standards.

Here’s what I’m hoping to see in the next MacBook Pro that I believe is technically possible, reasonable, widely agreeable, and likely for Apple to actually do, in descending order of importance:

1) Magic Keyboard

Butterfly keyswitches are a design failure that should be abandoned. They’ve been controversial, fatally unreliable, and expensive to repair since their introduction on the first 12” MacBook in early 2015. Their flaws were evident immediately, yet Apple brought them to the entire MacBook Pro lineup in late 2016.

After three significant revisions, Apple’s butterfly keyswitches remain as controversial and unreliable as ever. At best, they’re a compromise acceptable only on the ultra-thin 12” MacBook, and only if nothing else fits. They have no place in Apple’s mainstream or pro computers.

The MacBook Pro must return to scissor keyswitches. If Apple only changes one thing about the next MacBook Pro, it should be this. It’s far more important than anything else on this list.


And it’s quite a long list. I really like the butterfly keys when they’re covered in fabric, on the iPad Pro keyboard – it’s one of the nicest keyboards I’ve ever used: pretty quiet, lovely feel.

But on a MacBook pro, they’re really noisy, as in spouse-pointed-remark noisy, and that is never good.
link to this extract

Unfriendly skies • American Prospect

David Dayen on how deregulating airlines in the US after 1978 (they used to be guaranteed 12% profit on a flight that was 55% full) has had unintended consequences, for flyers and airlines:


After deregulation, the system of delivering air travel also changed, from nonstop point-to-point service to a hub-and-spoke setup, with more connections from airports dominated by a single carrier. “It’s an efficient way to market their product because it allowed a larger array of destinations,” said Dempsey. “But it’s an inefficient way to provide the product.” Centralizing activity in hubs maximized pricing power and added airport congestion. The environment suffered from extra takeoffs and landings and out-of-the-way detours to hub cities. Startup airlines gradually found open slots at hub airports hard to come by. Even the hub cities did not benefit greatly from becoming hubs; passengers just changed planes at the airport rather than experiencing the city.

As the old CAB guarantee of a national network ended, airlines dropped unprofitable routes and smaller cities became virtually frozen out of air service. A hundred cities fell off the commercial aviation map in just the first two years of deregulation. By the 1980s, the only way to fly into state capitals like Dover, Delaware, or Salem, Oregon, was by private plane. Inaccessibility made these outposts less attractive to business, with jarring effects to local economies.

Before long, the burst of competition led to a washout. Just in the 1980s, 200 airlines went bankrupt, including majors like Eastern and Braniff. Competition turned destructive, as price wars quickly crippled businesses with large fixed costs like airplanes. CAB had denied additional city routes; critics liked to bring up the horror story of Continental waiting eight years to get approval to fly from Denver to San Diego. But CAB based its determinations on customer demand. Without bureaucrats holding the reins, competitors rushed into unprofitable routes and imploded…

…Today we’re down to three legacy carriers: United, American, and Delta. Southwest maintains its reputation as a “low-cost” disruptor but has begun to control certain airports as well. “When they dominate, they don’t leave money on the table either,” says economics professor John Kwoka. Four out of every five passengers in America flies with one of these four companies. And in 93 of the top 100 airports, either one or two airlines control a majority of all seats.


This is before we get to the effects on airline staff, repair crews, and pensions. Guess how that went.
link to this extract

Errata, corrigenda and ai no corrida: none notified

5 thoughts on “Start Up: the Android (and iOS?) trackers, faking neutrality, getting deregulation wrong, and more

  1. ” (Though I think many more Android apps are ad-supported than iOS ones: people pay for the latter.)”
    Then again, if there’s no way to know iOS apps track, why woudln’t they track too, with impunity ?

    • We don’t know whether App Store checking includes examination for that sort of tracking; but we do know that iOS has lots of protections against slack use of tracking – there’s cookie bans, requirement for location permission to be granted, and the fact that some of those apps mentioned above use Google trackers (so you wouldn’t be able to opt out if you were on Android no matter what).
      It’s not unreasonable to expect that the same tracking might be in the software if they’re using common libraries, but given the noise the ad industry has made about inability to track people across sites on iOS 11’s Safari, there might be more safeguards on iOS.
      Also, if they say that they find the trackers by scanning the APKs, I don’t know why they don’t try to download the apps and run it against those. The DMCA has academic or similar exceptions, I thought. (Seth F would know.)

  2. The A629 going into Halifax from Huddersfield has signs exhorting you to “USE BOTH LANES” and then “MERGE IN TURN 200yds” followed by “MERGE IN TURN NOW” right as the two lanes end. People seem to obey them and I think it makes smoother traffic flow.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.