Start Up No.1,107: Zoom’s bad video plan, Marriott cops GDPR fine, Hollywood v Netflix, will Google’s Pixel survive?, and more

Roger Federer at Wimbledon: does data give him an advantage? CC-licensed photo by Roo Reynolds on Flickr.

You can sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.

A selection of 10 links for you. Still fast enough. I’m @charlesarthur on Twitter. Observations and links welcome.

Brain, set and match! How Novak Djokovic and Co invest in intelligence to get edge over Wimbledon rivals • London Evening Standard

Matt Majendie:


In some ways, [Craig] O’Shannessy [head of analysis company Golden Set Analytics] is like David up against Goliath. Golden Set Analytics, which came into being in 2012, is made up of economists, statisticians and mathematicians hailing from Harvard, Yale and Stanford. They are notoriously secretive, with company policy being “not to provide information about current clients or our services to them”.  In contrast, O’Shannessy, also the architect for Wimbledon quarter-finalist Alison Riske’s dismantling of his fellow Australian and world No1 Ashleigh Barty yesterday, said: “I failed maths in high school!”

But he understands percentages and has been a pioneer in research on rally length and the fact that 70% of points are won in rallies of up to four shots, 20% in five to eight and just 10% in nine shots or above. “The implications for the practice court are massive,” he said. “Why grind it out spending 90% of your time on something that only happens 10% of the match? That’s ludicrous. Analytics debunk the old theories of coaching. It’s like players never used to have a fitness coach, right now you don’t see that many players sitting around computers analysing their game and that of opponents. You’re in the job of winning matches and the Grand Slam prize money is massive so why wouldn’t you want to know an opponent’s strengths and weaknesses?

“And for me, I won’t always watch live. In the movie Moneyball, the manager doesn’t watch a lot live. I’ll watch in granular detail after and anyway, when the match is on I’m already looking at the opponent.”


Hmm. When I was spending a lot of time reporting on tennis – which is about 30 years ago – analytics were already growing: forehand winners, backhand winners, and so on. But a single statistic will almost always predict the winner of a match: how many second serve points they win (whether serving or receiving). But how do you train to do that, exactly?

O’Shannessy’s description sounds too simplistic; there’s got to be a lot more to it than that. (A “golden set”, by the way, is one you win without losing a point – 24 straight.) This company, which GSA bought, is clearly doing interesting stuff.
unique link to this extract

DC Attorney General Karl Racine sues Marriott for charging deceptive resort fees and misleading tens of thousands of district consumers • DC OAG


Marriott has charged “resort fees” to tens of thousands of District consumers over the years, totaling millions of dollars. OAG alleges that over the past decade, Marriott has violated the District’s Consumer Protection Procedures Act and harmed District consumers by:

• Hiding the true price of hotel rooms: Marriott conceals the true total price of hotel rooms by advertising one rate, then charging mandatory “resort fees,” “amenity fees,” or “destination fees” on top of the advertised price. At least 189 Marriott properties worldwide charge these hidden fees, which range from $9 to as much as $95 per room per day, and consumers only find out about these fees after they begin to book a room.
• Failing to clearly disclose all booking fees: The room prices Marriott lists on its own website and on third-party hotel-booking sites do not include mandatory resort fees and these fees are not disclosed up front. Consumers do not learn the total price of their hotel rooms until they begin the booking process, and resort fee disclosures are often hidden in obscure areas, confusingly worded, or presented in smaller print than the advertised rates. This leads consumers to believe they will be paying less for a hotel room than the true total cost. It also makes it extremely difficult for consumers to gather all the information they need to compare prices and make informed choices.
• Misrepresenting that resort fees are imposed by the government: In many instances, Marriott includes resort fees near the end of a hotel-booking transaction under the heading “Taxes and Fees.” By combining the amounts that consumers were asked to pay for resort fees with their tax payments under a generic heading, Marriott leads consumers to believe the resort fees were government-imposed charges, rather than additional daily charges paid to Marriott.
• Misleading consumers about what resort fees actually pay for: In some instances, Marriott makes confusing or contradictory representations about why they are charging resort fees and what services or amenities consumers are actually paying for.


Let’s hope they get a huge fine. Speaking of which…
unique link to this extract

Marriott to face £99m GDPR fine from ICO over November 2018 data breach • Computing

Graeme Burton:


The breach revealed in November 2018 involved the leak of 500 million customer records from the guest reservation database of Marriott’s Starwood Hotels and Resorts division. The attackers – who are unknown but believed to have links with China’s Ministry of State Security – appear to have had access to the system since 2014.

The organisation only became aware of the compromise in September 2018 following an alert from an internal security tool over an attempt to gain access to the reservation system. The company claims that it “quickly engaged” a group of security experts to investigate the apparent attack and “learned during the investigation that there had been unauthorised access to the Starwood network since 2014”.

Logs of encrypted communications were uncovered and, when decrypted on 19 November 2018, it was found to contain the contents of the Starwood guest reservation database – 500 million records in total. The compromised customer records included mailing addresses, phone numbers, email addresses, and passport numbers. Payment card details were also found, but these, the organisation claimed, had been encrypted with AES-128 encryption.


Hotels are terrible hoarders of data, and they’re so remiss with it, and they have security that doesn’t expect they’ll face aggressive hackers. Perhaps they will now: that size of fine is sure to concentrate minds, and it wouldn’t cost £99m to install good security.

GDPR’s a year old, and now its teeth are showing.
unique link to this extract

The slow death of Hollywood • Substack

Matthew Stoller:


In the old system, studios sold content, often over-priced, often shoddy, but they sold it to people who bought it. The end network, either theaters or TV stations, had to choose from distributors what content to offer to customers. They had to make money to say alive. They have to follow one of the basic rules of pre-1981 American competition policy, which is that combining inputs into a final output should create a profit, an indication that the business agent has in some way generated something of value. This means that if you build a better mouse trap, or in this case, a movie or show people want to see, you can get it to market and sell it.

But Netflix violates this rule. Despite its claims of accounting profits, Netflix is a massive money-loser, projecting it will burn through $3.5bn in cash just this year. Netflix is taking inputs and combining them into something that is of less value than those original inputs. But the company doesn’t really care if people watch its content, because it doesn’t sell content. The company is selling a story to Wall Street, that, like Amazon, it will achieve dominant market power. The story is that users will buy Netflix streaming services and it will be too much trouble to switch to a different service, which is a variant of a phenomenon called “lock-in.” So no one will be able to compete, the company will be able to raise prices and lower costs, and voila, another Amazon-style monopoly. It will be one of the few left standing after the inevitable shake-out.


Stoller tells this tale via comparison with old successes such as Back To The Future and The Hangover. Certainly, Hollywood is struggling – because as he says (higher in the essay) the distribution system chokes films more tightly.

And yes, the funding bubble has to burst at some point. Quite how close that point is? That’s tougher.
unique link to this extract

Teen hate crime: Swatiskas, racist graffiti divide a Maryland high school • Washington Post

Jessica Contrera on a night that got boozily out of hand for some American kids:


It took only one question: “What happened?”

“Things got out of hand,” Seth recalls telling him. “I was under the impression we were going to do a prank, and it got bad.”

He started to cry. He would be the only one who immediately admitted what they did. The others, court records show, would deny it. Tyler wished Willingham good luck in finding out who did it.

Eventually they were told: The school’s WiFi system requires students to use individual IDs to get online. After they log in once, their phones automatically connect whenever they are on campus.

At 11:35 p.m. on May 23, the students’ IDs began auto-connecting to the Wi-Fi. It took only a few clicks to find out exactly who was beneath those T-shirt masks.

“You have the right to remain silent,” an officer said to Seth before long. “Anything you say or do . . . “

They told him to remove his graduation cap and gown. They cuffed his arms behind his back.

Seth realized they were about to march him outside, past the windows of the cafeteria. By now it would be filled with students eating lunch.

“Can you cover my face so that the kids don’t videotape me?” he asked.

“No,” an officer replied. “You deserve this.”


The passive surveillance society; sometimes a benefit.
unique link to this extract

Samsung shuts down its AI-powered Mall shopping app in India • TechCrunch

Manish Singh:


Samsung has quietly discontinued an app that it built specifically for India, one of its largest markets and where it houses a humongous research and development team. The AI-powered Android app, called Samsung Mall, was positioned to help users identify objects around them and locate them on shopping sites to make a purchase.

The company has shut down the app a year and a half after its launch. Samsung Mall was exclusively available for select company handsets and was launched alongside the Galaxy On7 Prime smartphone. News blog TizenHelp was first to report the development.

At the time of launch, Samsung said the Mall app would complement features of Bixby, the company’s virtual assistant. Bixby already offers a functionality that allows users to identify objects through photos — but does not let them make the purchase.


Amazon had something similar on the Fire Phone. Strange, because it seems like a useful app, yet keeps dying a death.
unique link to this extract

Google hardware: paging Dr. Porat • Radio Free Mobile

Richard Windsor thinks Ruth Porat, Google’s CFO, is going to run her knife over its hardware division, particularly for the Pixel phones:


Samsung has done a much better job at taking on Apple given its scale, brand, distribution and the fact that its core competence is to take the innovations of others and make them smaller, better and cheaper.

In exactly the same vein, I have also argued that Samsung’s investments in Bixby and software and services represent different symptoms of the same affliction.

This is why I have argued that Samsung and Google should stop wasting money on each other’s core competence and throw their lot in together.

The problem for Google hardware is that the days of underperforming businesses hiding under the skirts of the giant search cash machine are coming to an end. We have already seen this as in March, the Pixel Slate and Pixelbook team was cut back due to the lacklustre sales of the product. The three versions of the Google Pixel have sold in paltry volumes with market share never reliably exceeding 0.3% with 4.5m units sold in 2018.

Given the low volume, I would estimate the gross margin of this product is around 20% in the best instance which after product development costs and marketing leaves very little if anything left over.

This is not the kind of performance that Google is used to which combined with an apparent inability to really get the hardware right means that Dr. Porat will be asking some very hard questions of this division this year. Consequently, I think that Google needs to see a significant step up in performance with the Pixel 4, otherwise, it too may fall under the surgeon’s knife.


Remember, you heard it here first. Unless you get his newsletter, which is often provocative.
unique link to this extract

Superhuman’s superficial privacy fixes do not prevent it from spying on you • Mike Industries

Mike Davidson:


[Rahul Vohra’s response to last week’s criticisms] also establishes that Superhuman is keeping the feature working almost exactly as-is, with the exception of not collecting or displaying actual locations. I’ve spoken with several people about how they interpreted Rahul’s post on this particular detail. Some believed the whole log of timestamped read events was going away and were happy about that. Others read it the way Walt, Josh, and I did: you can still see exactly when and how many times someone has opened your email, complete with multiple timestamps — you just can’t see the location anymore. That, to me, is not sufficient. “A little less creepy” is still creepy.

Also worth noting, “turning receipts off by default” does nothing to educate customers about the undisclosed surveillance they are enabling if they flip that switch. If they’ve used read receipts at all in the past, they will probably assume it works just like Outlook. At the very least, Superhuman should display a message when you flip that switch saying something like “by turning on Read Receipts, you are monitoring your recipients’ actions without their knowledge or permission. Are you sure you want to do this?”

Rahul’s fifth and final fix [building an option to disable remote image loading in Superhuman users’ emails] is also good in that they now realize pixel spying is a threat that they need to protect their own users from. This introduces a moral paradox, however: if the technology you are using on others is something you need to protect your own users from, then why are you using it on others in the first place? These are all questions I’ve asked Rahul publicly in this series of tweets, which I’m still waiting for a response on, four days later:


unique link to this extract

Zoom Zero Day: 4+ Million Webcams + maybe an RCE? Just get them to visit your website! • Medium

Jonathan Leitschuh:


This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission. On top of this, this vulnerability would have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call.

Additionally, if you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install ‘feature’ continues to work to this day.


Zoom puts a server with an open port on your machine, and doesn’t wipe it if the app is deleted, all so you won’t have to click “OK” to access your camera. It can re-download the app if you delete; a host can force your video camera on when you join a meeting. It’s an unbelievable hot mess of security vulnerabilities, to which it responded with a mea not so much culpa (“There is only one scenario where a Zoom user’s video is automatically enabled upon joining a meeting. Two conditions must be met: 1) The meeting creator (host) has set their participants’ video to be on AND 2) The user has not checked the box to turn their video off” 🙄). Zoom really doesn’t understand it. But it’s a publicly traded company whose mission is “make video communications frictionless”; notice that “frictionless” doesn’t have to mean “secure”, nor does it contain any concern about collateral damage in getting rid of friction.

unique link to this extract

Pi4 not working with some chargers (or why you need two cc resistors) • The blog of Tyler Ward (aka scorpia)

The aforesaid Ward:


The new Raspberry Pi has been released and it has a USB Type-C connector for power however people are finding some chargers are not working with it (notably macbook chargers). Some have speculated that this is due to a manufacturer limitation on the power supplies however it is actually due to the incorrect detection circuitry on the Pi end of the USB connection.

For those looking for a solution for the problem and and aren’t interested in the technical details a set of potential solutions are given at the end of this post

The root cause of the problem is the shared cc pull down resistor on the USB Type-C connector. looking at the reduced pi schematics we can see it as R79 which connects to both the CC lines in the connector.


The RPi’s schematics are available, which means people can point out what they’ve got wrong. USB-C remains a thicket, and lots of people get tripped up.
unique link to this extract

Errata, corrigenda and ai no corrida: none notified

2 thoughts on “Start Up No.1,107: Zoom’s bad video plan, Marriott cops GDPR fine, Hollywood v Netflix, will Google’s Pixel survive?, and more

  1. Re: RPi USB-C goof-up! at least the problem is identified, acknowledged, documented, with a dirty fix for current models and a clean fix planned.
    What’s a bit sad is that such good, frank, ethical issue-handling seems the exception not the norm, nowadays. Apple has really warped our sense of what is acceptable. With hindsight, Apple kind of invented the FAKE BUG !!! concept, even before fake news.

  2. Aaaannndddddd Google discontinued another random service, in the most user-adverse way: the Google Photo – Google Drive shared folder. You used to be able to see your Photos both in Google Photos and in a Google Photo folder in Google Drive. Basically the gDrive\Photos folder just showed your Google Photo files as… well, files. Now you can’t and Google Photos is purely standalone. This sucks because:
    1- Google Photos’ UI is a dysfunctional new-age thing. I want files and folders and access via Windows Explorer, thank you.
    2- There’s no tool to be 100% sure everything in gDrive’s Google Photo folder is indeed in also Google photo, so I don’t dare delete the thousands of pics in .\gDrive\Google Photo.
    3- I’m not sure my Synology can back up Google Photo. It can back up Google Drive automatically.
    4- So I’m not even sure where I should upload my new photos. Stick with gDrive and get automatic backups to my NAS and a good UI; or switch to gPhotos and get a bad UI but automatic backups from Phone to Cloud ?

    This is a mess. At least let us double-check you made a clean cut and past pics are indeed in both, and give us the excellent gDrive ‘file’ UI in gPhotos !

    Looks like I’ll have to move my main photo store to my NAS, where I actually understand and control what’s going on ?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.