Start Up No.1,077: leaky data apps on iOS, Google settles cold fusion question, how to secure politicians, the concerns over Chrome, and more

Google Wave: the Voynich manuscript of user interfaces was introduced 10 years ago – and killed nine years ago. CC-licensed photo by Panagiotis Giannakopoulos on Flickr.

You can sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.

A selection of 10 links for you. I voted for Spartacus! I’m @charlesarthur on Twitter. Observations and links welcome.

Apple promises privacy, but iPhone apps share your data with trackers, ad companies and research firms • The Washington Post

Geoffrey Fowler:


You might assume you can count on Apple to sweat all the privacy details. After all, it touted in a recent ad, “What happens on your iPhone stays on your iPhone.” My investigation suggests otherwise.

IPhone apps I discovered tracking me by passing information to third parties — just while I was asleep — include Microsoft OneDrive, Intuit’s Mint, Nike, Spotify, The Washington Post and IBM’s the Weather Channel. One app, the crime-alert service Citizen, shared personally identifiable information in violation of its published privacy policy.

And your iPhone doesn’t only feed data trackers while you sleep. In a single week, I encountered over 5,400 trackers, mostly in apps, not including the incessant Yelp traffic. According to privacy firm Disconnect, which helped test my iPhone, those unwanted trackers would have spewed out 1.5 gigabytes of data over the span of a month. That’s half of an entire basic wireless service plan from AT&T.

“This is your data. Why should it even leave your phone? Why should it be collected by someone when you don’t know what they’re going to do with it?” says Patrick Jackson, a former National Security Agency researcher who is chief technology officer for Disconnect. He hooked my iPhone into special software so we could examine the traffic. “I know the value of data, and I don’t want mine in any hands where it doesn’t need to be,” he told me.

In a world of data brokers, Jackson is the data breaker. He developed an app called Privacy Pro that identifies and blocks many trackers. If you’re a little bit techie, I recommend trying the free iOS version to glimpse the secret life of your iPhone.


Certainly worth a try. That’s a dismaying lot of trackers (hellooo Washington Post, for which Fowler writes). Expect Apple to try to crack down on this in a future iOS release – though the US could try something like GDPR. I wonder what those apps do in Europe.
unique link to this extract

Google revives controversial cold-fusion experiments • Nature

Elizabeth Gibney:


Google’s team was made up of 30 researchers who had no strong opinions on cold fusion. All had access to each other’s data and apparatus, and could review each other’s work.

The researchers pursued the three experimental strands that they deemed sufficiently credible. In one, they tried to load palladium with amounts of deuterium hypothesized to be necessary to trigger fusion. But at high concentrations the team was unable to create stable samples.

A second strand followed up on 1990s work by US physicists who claimed to have generated anomalous levels of tritium — another heavy hydrogen isotope, created only through nuclear reactions — by bombarding palladium with pulses of hot deuterium ions. Google’s analysis of nuclear signatures showed no tritium production from this experiment.

A final strand involved heating up metallic powders in a hydrogen-rich environment. Some current proponents of cold fusion claim that the process produces excess and unexplained heat, which they theorize is the result of fusing elements. But across 420 tests, the Google-funded team found no such heat excess.

But the researchers say that both palladium experiments warrant further study. The hypothesized effects in the tritium experiment could be too small to measure with current equipment, they suggest. The team also says that further work could produce stable samples at extremely high deuterium concentrations, where interesting effects might occur.


They revived it, but only to put a stake through it. It’s 99.9999% certain that cold fusion isn’t a thing.
unique link to this extract

Intel’s Project Athena could make laptops better, if only it had teeth • The Verge

Sean Hollister:


Project Athena isn’t going to be a meaningless marketing campaign. In fact, Intel has set its sights on killing off one of the biggest lies the PC industry ever told laptop buyers: battery life.

Intel says Project Athena laptops will need to deliver 9 hours of real-world battery life, browsing the web over Wi-Fi, with their screen set to a level of brightness (250 nits) that a user might actually have in the real world. This is important, because today’s laptop benchmarks are anything but — when a PC maker says your new machine gets 24 hours of battery life, they’re typically measuring that by playing back a video that barely taxes the processor, with Wi-Fi off, and low screen brightness to boot. Who uses a laptop like that?

Now, we’re learning that battery life is just the beginning. Project Athena laptops will need to wake from sleep in under a second, be ready to browse the web in under two seconds thanks to connected standby, and have the same sort of responsiveness on battery that they have when plugged into the wall — plus come with touchscreen displays, precision touchpads (trust us, it’s a must), the latest Wi-Fi 6 and Thunderbolt 3 connectivity, and enough RAM (8GB) and speedy NVMe solid state storage (256GB) to tackle the basics for most users.

And Intel isn’t just going to leave these things up to the manufacturers. It’s going to test the crap out of some of these things itself, namely battery life and responsiveness, because Intel believes they’re the basis for PCs that actually satisfy modern users’ needs.


Nice, but as Hollister points out, without a brand like “Ultrabook” (from 2011) it will struggle. And there’s also ARM processors – which will improve battery life enormously – coming up.
unique link to this extract

What I learned trying to secure Congressional Campaigns • Idle Words

Maciej Cieglowski spent a lot of last year helping candidates lock down their accounts against hackers:


There are two big areas of sensitive information around a political campaign. Let’s call them ‘Bucket A’ and ‘Bucket B’.

Bucket A is the stuff that is campaign-specific and needs to be kept confidential. This includes fundraising numbers and mailing lists, campaign memos on issue positions, research on opponents, strategy documents, media buys, correspondence with the national party, unflattering photos of the candidate and so on. The training materials the Democratic Party provides to campaigns are meant to keep this stuff safe.

Bucket B is what lives in people’s personal accounts. This includes every email they’ve written, their social media history, complete access (via password reset) to all the online services they’ve signed up for, their chat history, creepy DMs, sexts to minors, plus all the stuff they’ve forwarded to their personal accounts from the campaign account, the Dropbox folder they keep their passwords in, and so on.

As an attacker, I would be drawn to bucket B. There is nothing interesting in a campaign’s financials or strategy. The strategy is always ‘talk about health care’, and the financials have to be disclosed every quarter by law. Everything juicy lives in the personal accounts, and moving laterally between those accounts will eventually give you access to bucket A anyway, because people are terrible at keeping this stuff separate.

Targeting Bucket B means you can also target more people, like the candidate’s spouse and family, who the people defending Bucket A consider out of scope.

In our training, we worked off the assumption that the Podesta hacks were a template for what might happen to campaigns, and that securing campain-adjacent personal accounts was more important than worrying about campaign data.


As ever, he’s hilarious, wry, and laser-accurate.
unique link to this extract

Google’s Chrome becomes web ‘gatekeeper’ and rivals complain • Bloomberg

Gerrit De Vynck:


Google won by offering consumers a fast, customizable browser for free, while embracing open web standards. Now that Chrome is the clear leader, it controls how the standards are set. That’s sparking concern Google is using the browser and its Chromium open-source underpinnings to elbow out online competitors and tilt entire industries in its favor.

Most major browsers are now built on the Chromium software code base that Google maintains. Opera, an indie browser that’s been used by techies for years, swapped its code base for Chromium in 2013. Even Microsoft is making the switch this year. That creates a snowball effect, where fewer web developers build for niche browsers, leading those browsers to switch over to Chromium to avoid getting left behind.

This leaves Chrome’s competitors relying on Google employees who do most of the work to keep Chromium software code up to date. Chromium is open source, so anyone can suggest changes to it, but the majority of programmers who approve contributions are Google employees, and any major disagreements get settled by a small circle of senior Google employees.

Chrome is so ascendant these days that web developers often don’t bother to test their sites on competing browsers. Google services including YouTube, Docs and Gmail sometimes don’t work as well on rival browsers, sending frustrated users to Chrome. Instead of just another ship slicing through the sea of the web, Chrome is becoming the ocean.


Chrome has 63% of the market; Safari, the next biggest, 15%. Wonder if the EC will find that monopolistic.
unique link to this extract

What in the hell was Google Wave trying to be anyway? • Gizmodo

Catie Keck:


Wave [introduced ten years ago] was extraordinarily ambitious in its quest to do damn near everything, including reimagining the limits and functionality of email. But in spite of itself, and primarily because its tools were confusing as hell, Wave wasn’t long for this world. Just a year after announcing the product at its annual Google I/O developers conference, Google announced that it was putting the tool out of its misery. The company said in a blog post at the time Wave had “not seen the user adoption we would have liked,” adding that parts of Wave would remain available open source “so customers and partners can continue the innovation we began.” In December of 2010, Google announced that the product would enter the Apache Software Foundation’s incubator program and would henceforth be known as Apache Wave.

Google may have been right to call Wave a “radically different kind of communication,” though, it did not do so particularly well, and it didn’t successfully convert people to its vision. Wave was not the first communications app that Google decided to mercy kill, and it definitely will not be the last. That said, even if somewhat confused about its identity, Wave seemed to have a good idea of where the communications space was going. Many of us would be hard-pressed to do our jobs without the help of Wave’s modern-day equivalent in Slack (even if Slack means that we’re never truly logged off anymore).


Wave was a terrible thing; throwing the kitchen sink in, rather than taking Slack’s approach of building the kitchen piece by piece. A classic example of putting everything in because you can, not because you should.
unique link to this extract

WhatDoTheyKnow Pro helps Bureau of Investigative Journalism get the whole picture on council sales • mySociety

Myfanwy Nixon:


In a major new inquiry, The Bureau of Investigative Journalism made Freedom of Information requests across all 353 councils in England.

Their aim? To build up a full picture of the public places and spaces sold by councils across the country, as they struggle to make up funding shortfalls.

The Bureau used WhatDoTheyKnow Pro‘s batch functionality to help them in this mass investigation, which has resulted in an important report for Huffington Post as well as an interactive public database where you can search to see what your own local council has sold.

In total, councils’ responses have confirmed the sale of over 12,000 assets since 2014. The report goes on to prove that in many cases, the proceeds have been used to fund staff redundancies as authorities are forced to cut back.


Hacking for good. (WhatDoTheyKnow is a site which makes it easy to make freedom of information requests; a godsend for journalists, and everyone else.)
unique link to this extract

Samsung Galaxy Fold reportedly won’t ship in June • Android Police

Taylor Kerns:


The integrity of the Samsung Galaxy Fold’s design was shown to be questionable (at best) shortly after pre-release models reached the hands of the first round of reviewers. Debris made its way into their screens, causing several early hardware failures, and release was delayed from April 26 to an unspecified later date. AT&T made it seem like the new date would be mid-June, but a new report out of Korea contradicts that.

According to the report, quality control is taking longer than Samsung expected. An unnamed official with the company is quoted as saying the release date is still undecided, and that the company will make an announcement to that end in the next few weeks. The report also notes that with Huawei’s ongoing difficulties caused by US sanctions, Samsung isn’t as concerned about beating that company’s foldable phone, the Mate X, to market.


I think the Huawei saga has a lot of Samsung engineers breathing huge sighs of relief. There’s really no pressure on them to hurry this, and they ought to take the time to get it right. (Mumble mumble Apple keyboard designs mumble mumble.)
unique link to this extract

HP adds real wood to its latest Envy laptops • Android Authority

John Callaham:


Today, HP announced new versions of the Envy laptop and x360 convertible PCs, and all of them have real wood as part of their materials. HP says that the convertible Envy notebooks are the first ones ever release with authentic wood in their designs.

The wood on the new Envy laptops are either natural walnut or pale birch and are used for the area below the keyboard, including the top of the Microsoft Precision Touchpad that are used in all of the Envy notebooks. HP says the wood material retains its natural texture and feel, while at the same time is also highly durable. HP added that the wood used in the Envy is environmentally friendly as it comes from a sustainable forest.


They photograph well; I guess that the inevitable darkening from your palms’ sweat will make them look more real, rather than less. It’s quite a nice idea: a more natural design. Watch out for the recall when they discover woodworm.
unique link to this extract

For a longer, healthier life, share your data • The New York Times

Luke Miner is “a data scientist”:


There are a number of overlapping reasons it is difficult to build large health data sets that are representative of our population. One is that the data is spread out across thousands of doctors’ offices and hospitals, many of which use different electronic health record systems. It’s hard to extract records from these systems, and that’s not an accident: The companies don’t want to make it easy for their customers to move their data to a competing provider.

But there is also a fundamental problem with our health care privacy protections, primarily the Health Insurance Portability and Accountability Act, known as Hipaa.

Hipaa was passed in 1996, when artificial intelligence was largely the realm of science fiction movies and computer science dreams. It was intended to safeguard the privacy and confidentiality of patient records (as well as to improve the portability of health coverage when patients switched jobs).

But today one of the main effects of the law is to make it much harder for doctors and hospitals to share data with researchers. The fees they would have to pay for legal experts, statisticians and the other consultants needed to ensure compliance with the law are just too steep to bother.

Julia Adler-Milstein, the director of the Center for Clinical Informatics and Improvement Research at the University of California, San Francisco, told me that “the costs associated with sharing data for research purposes in a Hipaa-compliant way are beyond what many hospitals can justify.” She added, “The fines associated with a potential data breach are also a deterrent.”

These fines are a blunt instrument that don’t correspond to varying levels of harm, creating a climate of fear that discourages sharing.


Obviously, the temptation is to say “you first, Luke.” Show us how harmless having your health data shared with the world is, because this is a one-way valve: once the data goes in, it doesn’t come out.
unique link to this extract

Errata, corrigenda and ai no corrida: thanks to the many people who pointed out that yesterday’s lead item from the NY Times about Facebook was by Kara Swisher, not Charlie Warzel. (He wrote a similar, but different article, also at the NYT.)

5 thoughts on “Start Up No.1,077: leaky data apps on iOS, Google settles cold fusion question, how to secure politicians, the concerns over Chrome, and more

  1. re. Chrome. a couple of points though:
    1- Chrome being FOSS not only means that anyone can contribute to it in theory with the huge “must pass curation” (mostly by Googlers) caveat; it also means anyone can fork it and completely bypass Google-Chrome maintainers. That’s what pretty much everyone is the browser business is doing, famously MS now but also Opera, Vivaldi… Firefox has its own completely independent code, Apple started off the same engines but has diverged strongly, I’m not sure about the minor and OEM-specific browsers. This lowers the bar for making a browser by a couple degrees of magnitude.
    2- Contrary to iOS, Android doesn’t ban alternative browsers/engines. iOS browsers are only a different UI tacked onto Apple’s WebView (Apple used to limit 3rd-party browsers to a more limited engine than Safari, not sure if they still do that); Android browsers are the Real Thing, with whatever engine they want. I’m using Firefox/Android, which supports addons just like its desktop incarnation, which neither Chrome/Android nor Safari/iOS do.

  2. re. Privacy.

    I’m increasingly thinking that the only way to achieve satisfactory, reliable, cheap results is to set up a PiHole Raspberry Pi server. This costs less than $50 w/ no monthly charge, and lets you monitor or block both incoming and outgoing domains, connections, and transfers, for all devices including Mobiles via their VPN.

    On the plus side, it makes you fully independent of what your carrier, Apple/Google/MS, and apps do. On the minus side, it makes all traffic go through your home connection (I’m still on DSL, fiber coming Real Soon Now), and I’m not sure if it can fail silently and fallback to non-VPN, and encrypted traffic from apps is still un-auditable. And it’s not a real VPN, whatever traffic does go trough is still linked to your home IP, though mobile-to-home traffic is both encrypted and obfuscated. I’m curious if it’s still fast enough, and rock solid. Must try it soon.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.