Start Up No.1355: TikTok halts London HQ plan, how Twitter was hacked, the AI deciding patient care, 32 clipboard-snooping apps, and more

The EU is investigating whether Alexa, Siri and Google Home might threaten consumer rights (not consumers). CC-licensed photo by Stock Catalog on Flickr.

You can sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.

A selection of 10 links for you. Unsubstantiated. I’m @charlesarthur on Twitter. Observations and links welcome.

TikTok halts talks on London HQ amid UK-China tensions • The Guardian

Phillip Inman:


The Chinese social media firm TikTok has pulled back from talks to site the headquarters for its non-China business in the UK, threatening the creation of 3,000 jobs, as fears grow of a tit-for-tat trade war between London and Beijing.

Its parent company, ByteDance, which is based in Beijing, had spent months in negotiations with the Department for International Trade and No 10 officials to expand operations in addition to the near 800 employed by TikTok.

It is understood talks were suspended after ByteDance executives cited the “wider geopolitical context” following the UK government’s ban on Chinese telecoms firm Huawei from developing Britain’s 5G mobile phone network.


Pretty much kills off any claim that TikTok isn’t a Chinese company. And that the Chinese government isn’t pushing it hither and thither.
unique link to this extract

Hackers tell the story of the Twitter attack from the inside • The New York Times

Nathaniel Popper and Kate Conger:


four people who participated in the scheme spoke with The Times and shared numerous logs and screen shots of the conversations they had on Tuesday and Wednesday, demonstrating their involvement both before and after the hack became public.

The interviews indicate that the attack was not the work of a single country like Russia or a sophisticated group of hackers. Instead, it was done by a group of young people — one of whom says he lives at home with his mother — who got to know one another because of their obsession with owning early or unusual screen names, particularly one letter or number, like @y or @6.

The Times verified that the four people were connected to the hack by matching their social media and cryptocurrency accounts to accounts that were involved with the events on Wednesday. They also presented corroborating evidence of their involvement, like the logs from their conversations on Discord, a messaging platform popular with gamers and hackers, and Twitter.

Playing a central role in the attack was “Kirk”, who was taking money in and out of the same Bitcoin address as the day went on, according to an analysis of the Bitcoin transactions by The Times, with assistance from the research firm Chainalysis.

But the identity of Kirk, his motivation and whether he shared his access to Twitter with anyone else remain a mystery even to the people who worked with him. It is still unclear how much Kirk used his access to the accounts of people like Mr. Biden and Mr. Musk to gain more privileged information, like their private conversations on Twitter.


I do wonder whether Musk, Biden or Obama would do any confidential work by DM. (Biden surely doesn’t run his own account.) Script kiddies’ obsession with getting control of accounts with single or a couple of letters is quite strange, but a real driving force.
unique link to this extract

Seven ‘no log’ VPN providers accused of leaking – yup, you guessed it – 1.2TB of user logs onto the internet • The Register

Shaun Nichols:


A string of “zero logging” VPN providers have some explaining to do after more than a terabyte of user logs were found on their servers unprotected and facing the public internet.

This data, we are told, included in at least some cases clear-text passwords, personal information, and lists of websites visited, all for anyone to stumble upon.

It all came to light this week after Comparitech’s Bob Diachenko spotted 894GB of records in an unsecured Elasticsearch cluster that belonged to UFO VPN.

The silo contained streams of log entries as netizens connected to UFO’s service: this information included what appeared to be account passwords in plain text, VPN session secrets and tokens, IP addresses of users’ devices and the VPN servers they connected to, connection timestamps, location information, device characteristics and OS versions, and web domains from which ads were injected into the browsers of UFO’s free-tier users.


Never ever ever ever ever believe VPN companies which tell you that they don’t keep logs.
unique link to this extract

Siri, Alexa and Google Assistant in the spotlight as Europe launches Internet of Things investigation • ZDNet

Daphne Leprince-Ringuet:


The organization’s commissioner Margrethe Vestager announced the launch of a sector probe to make sure that the companies behind smart products and digital assistants aren’t building monopolies that could threaten consumer rights in the EU.

Vestager named Apple’s Siri, Google’s Assistant and Amazon’s Alexa, but also Deutshe Telekom’s Magenta as the voice assistants “at the centre of it all”. While the technologies have great potential, the commissioner warned that they should be deployed carefully.

“We’ll only see the full benefits – low prices, wide choice, innovative products and services – if the markets for these devices stay open and competitive. And the trouble is that competition in digital markets can be fragile,” said Vestager.

In Europe, the total number of smart home devices was around 108 million at the end of 2019 and is forecast to reach 184 million devices by 2023. The value of the smart home market is expected to almost double in the next four years to more than €27bn ($30.8bn).

With Internet of Things (IoT) products carrying out tasks ranging from fitness tracking to front door unlocking, connected devices are set to become a huge part of users’ everyday lives. Vestager stressed the need to “act in good time” to avoid monopoly from bigger players, which would lead to consumers being denied a fair choice when buying the devices.

“We have seen this type of conduct before,” said Vestager. “This is not new. So we know there’s a risk that some of these players could become gatekeepers of the Internet of Things, with the power to make or break other companies.”


Already thinking hard about Google’s takeover of Fitbit.
unique link to this extract

Facebook beats NSO’s attempt to crush WhatsApp malware suit • MSN

Malathi Nayak:


WhatsApp and its parent Facebook can press ahead with a lawsuit accusing Israeli spyware maker NSO Group of creating accounts to send malware to mobile phones of 1,400 people to snoop on them.

US District Judge Phyllis Hamilton on Thursday denied NSO’s request to dismiss the lawsuit. NSO unsuccessfully argued the court lacked jurisdiction because the company was immune to legal action as a contractor of foreign governments. NSO is an agent of the Kingdom of Bahrain, the United Arab Emirates, and Mexico, according to Facebook’s complaint.

Hamilton did, however, grant NSO’s request to dismiss a claim that NSO wrongfully interfered with WhatsApp servers.

“The complaint does not detail any actual harm caused by defendants’ program or access to WhatsApp’s computers or servers,” she said. But she gave Facebook 21 days to revise and refile that allegation in Oakland federal court.

Hamilton also disagreed with NSO’s argument that Facebook didn’t include its foreign customers as parties to the suit.

WhatsApp welcomed the ruling. “The decision also confirms that WhatsApp will be able to obtain relevant documents and other information about NSO’s practices,” a spokesperson for the company said.


Could get juicy if WhatsApp gets a close look at NSO’s documents; that’s the company that has hacked a number of activists for authoritarian regimes. The FBI has been investigating NSO since at least 2017.
unique link to this extract

Patients aren’t being told about the AI systems advising their care • Stat News

Rebecca Robbins:


At a growing number of prominent hospitals and clinics around the country, clinicians are turning to AI-powered decision support tools — many of them unproven — to help predict whether hospitalized patients are likely to develop complications or deteriorate, whether they’re at risk of readmission, and whether they’re likely to die soon. But these patients and their family members are often not informed about or asked to consent to the use of these tools in their care, a STAT examination has found.

The result: Machines that are completely invisible to patients are increasingly guiding decision-making in the clinic.

Hospitals and clinicians “are operating under the assumption that you do not disclose, and that’s not really something that has been defended or really thought about,” Harvard Law School professor Glenn Cohen said. Cohen is the author of one of only a few articles examining the issue, which has received surprisingly scant attention in the medical literature even as research about AI and machine learning proliferates.

In some cases, there’s little room for harm: Patients may not need to know about an AI system that’s nudging their doctor to move up an MRI scan by a day, like the one deployed by M Health Fairview, or to be more thoughtful, such as with algorithms meant to encourage clinicians to broach end-of-life conversations. But in other cases, lack of disclosure means that patients may never know what happened if an AI model makes a faulty recommendation that is part of the reason they are denied needed care or undergo an unnecessary, costly, or even harmful intervention.


Although is this so very different from the doctors who they don’t see deciding, whose biases aren’t known?
unique link to this extract

How to lie with data visualisation • (seen on Twitter)

Andisheh Nouraee:


In just 15 days the total number of #COVID19 cases in Georgia is up 49%, but you wouldn’t know it from looking at the state’s data visualization map of cases. The first map is July 2. The second is today. Do you see a 50% case increase? Can you spot how they’re hiding it?


Click through and have a look at the graphics. A crime against data visualisation. Georgia’s state government says that “this chart is meant to aid understanding [of] whether the outbreak is growing, leveling off or declining”. In fact it does nothing of the sort. It’s almost possible to think that the error is due to the software automatically assigning numbers each time to create five “buckets” while keeping the colours the same – meaning the growing numbers of cases in specific places don’t show up.

But given that Georgia’s governor essentially wants to open the place up even as cases are soaring, I’ll go with “intentional”.

You can also read a blogpost insisting “no, it’s not intentional, this critique is totally unfair”. I disagree with it: any competent person producing dataviz will know how their software works, and avoid misleading people.
unique link to this extract

TikTok and 32 other iOS apps still snoop your sensitive clipboard data • Ars Technica

Dan Goodin:


Recent headlines have focused particular attention on TikTok, in large part because of its massive base of active users (reported to be 800 million, with an estimated 104 million iOS installs in the first half of 2018 alone, making it the most downloaded app for that period).

TikTok’s continued snooping has gotten extra scrutiny for other reasons. When called out in March, the video-sharing provider told UK publication The Telegraph it would end the practice in the coming weeks. Mysk said that the app never stopped the monitoring. What’s more, a Wednesday Twitter thread revealed that the clipboard reading occurred each time a user entered a punctuation mark or tapped the space bar while composing a comment. That means the clipboard reading can happen every second or so, a much more aggressive pace than documented in the March research, which found monitoring happened when the app was opened or reopened.


I’ve thought more about this. By its nature, the clipboard has to be open to everything on the system without having to be given permission – as John Gruber said on a recent episode of the Dithering podcast, the keystroke you use to paste is just that, a keystroke to achieve something, not a granting of permission in its own right.

Maybe it makes better sense to treat the clipboard as always potentially unsafe, and so not put your password on there. (Though I’d like to know how iOS’s password autofill on web pages functions: does that populate the clipboard? In which case that’s bad.)

The list of apps eagerly grabbing content off the clipboard with gay abandon is pretty alarming, though. Games apps particularly, but also a meditation app. Why, exactly?
unique link to this extract

Explaining the Cloudflare outage on July 17, 2020 • Cloudflare blog

John Graham-Cumming is CTO of Cloudflare :


Today a configuration error in our backbone network caused an outage for Internet properties and Cloudflare services that lasted 27 minutes. We saw traffic drop by about 50% across our network. Because of the architecture of our backbone this outage didn’t affect the entire Cloudflare network and was localized to certain geographies.

The outage occurred because, while working on an unrelated issue with a segment of the backbone from Newark to Chicago, our network engineering team updated the configuration on a router in Atlanta to alleviate congestion. This configuration contained an error that caused all traffic across our backbone to be sent to Atlanta. This quickly overwhelmed the Atlanta router and caused Cloudflare network locations connected to the backbone to fail.


In financial markets, this would be called “fat finger trouble”. There it loses millions of pounds/euros/dollars (ever noticed how fat fingers never make huge profits?); here it knocks out the internet. Should we give the job to GPT-3 in future?
unique link to this extract

Inside Trump’s failure: the rush to abandon leadership role on the virus • The New York Times

Michael D. Shear, Noah Weiland, Eric Lipton, Maggie Haberman and David E. Sanger:


On April 14, the country passed what the group saw as a milestone, administering its three millionth test. Inside the West Wing, Mr. Kushner was insistent on that point: Given their assumption that infections would not surge again until the fall, there was enough testing ability out there.

Those outside experts who disagreed were largely brushed off. In mid-April, Dr. Ashish K. Jha, director of the Harvard Global Health Institute, urged a top administration official to embrace his call for conducting 500,000 coronavirus tests a day — far more than was happening at the time.

The official, Adm. Brett P. Giroir, the administration’s testing czar, who had been delivering upbeat descriptions of the nation’s growing testing capacity, eventually conceded to Dr. Jha that his plan seemed to be needed. But he made clear the federal government was not prepared to get there quickly.

“At some point down the road,” is what Dr. Jha said Admiral Giroir told him.

“My take is that Jared Kushner believes that this is not something that the White House should get too involved in,” Dr. Jha recalled. “And then the president believes that it is better left up to the states.”


Trump, Kushner and all the other fools are completely out of their depth on any normal day; on this, they’re so utterly unsuitable to the job they might as well be trying to swim the Atlantic. Deborah Birx’s reputation will never recover from her Pollyanna role. Meanwhile, people are dead who could otherwise be alive.
unique link to this extract

Errata, corrigenda and ai no corrida: none notified

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.