Start Up No.1901: Russian software embedded in apps, do speed traps stop speeders?, FTX v online poker cheating, and more

Attending the World Cup in Qatar might mean installing privacy-invading government apps. Would you? CC-licensed photo by Tsutomu Takasu on Flickr.

You can sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.

Coming up Friday: another post, due at the Social Warming Substack at about 0845 UK time.

A selection of 10 links for you. Not an RPC. I’m @charlesarthur on Twitter. Observations and links welcome.

Going to the World Cup? Get ready to have your privacy invaded • TechRadar

Will McCurdy:


Several cybersecurity experts have highlighted potential data security issues ahead for attendees of the FIFA World Cup Qatar 2022.

The Norwegian government’s Head of Security Øyvind Vasaasen told NRK (opens in new tab): “It’s not my job to give travel advice, but personally I would never bring my mobile phone on a visit to Qatar”, likening the scope of official apps to giving someone the keys to your house. 

Those wanting to make a trip to the Middle East to experience the tournament live will need to install a Covid-19 tracker dubbed “Ehteraz” on their smartphones, alongside “Hayya”, a compulsory ticketing and transport app.

Vasaasen alleged that Ehteraz claims access “to several rights on your mobile, like access to read, delete or change all content on the phone, as well as access to connect to WiFi and Bluetooth, override other apps, and prevent the phone from switching off to sleep mode”.

Naomi Lintvedt, a research fellow at the University of Oslo’s Faculty of Law, opined that if she were an employer, she wouldn’t allow employees to work from their phones in Qatar.

In addition, France’s data protection authority CNIL suggested in Politico to “travel with a blank smartphone … or an old phone that has been reset” and that “special care should be taken with photos, videos, or digital works that could place you in difficulty with respect to the legislation of the country visited”.


Cop27 one day, Qatar’s World Cup the next.
unique link to this extract

Exclusive: Russian software disguised as American finds its way into US Army, CDC apps • Reuters

James PEarson and Marisa Taylor:


Thousands of smartphone applications in Apple and Google’s online stores contain computer code developed by a technology company, Pushwoosh, that presents itself as based in the United States, but is actually Russian, Reuters has found.

The Centers for Disease Control and Prevention (CDC), the United States’ main agency for fighting major health threats, said it had been deceived into believing Pushwoosh was based in the US capital. After learning about its Russian roots from Reuters, it removed Pushwoosh software from seven public-facing apps, citing security concerns.

The US Army said it had removed an app containing Pushwoosh code in March because of the same concerns. That app was used by soldiers at one of the country’s main combat training bases.

According to company documents publicly filed in Russia and reviewed by Reuters, Pushwoosh is headquartered in the Siberian town of Novosibirsk, where it is registered as a software company that also carries out data processing. It employs around 40 people and reported revenue of 143,270,000 rubles ($2.4m) last year. Pushwoosh is registered with the Russian government to pay taxes in Russia.

On social media and in US regulatory filings, however, it presents itself as a US company, based at various times in California, Maryland and Washington DC, Reuters found.

Pushwoosh provides code and data processing support for software developers, enabling them to profile the online activity of smartphone app users and send tailor-made push notifications from Pushwoosh servers.

On its website, Pushwoosh says it does not collect sensitive information, and Reuters found no evidence Pushwoosh mishandled user data. Russian authorities, however, have compelled local companies to hand over user data to domestic security agencies.

Pushwoosh’s founder, Max Konev, told Reuters in a September email that the company had not tried to mask its Russian origins. “I am proud to be Russian and I would never hide this.”

…Pushwoosh code has been embedded into almost 8,000 apps in the Google and Apple app stores, according to Appfigures, an app intelligence website. Pushwoosh’s website says it has more than 2.3 billion devices listed in its database.


Never hide it, no, sure, not much. The classic problem of embedded frameworks.
unique link to this extract

The big idea: stopping climate change isn’t enough – we need to reverse it • The Guardian

Zeke Hausfather is director of climate and energy at the Breakthrough Institute:


We have a saying in the climate science world – that CO2 is forever. It will take close to half a million years before a ton of CO2 emitted today from burning fossil fuels is completely removed from the atmosphere naturally. This means that when we try to neutralise or undo fossil fuel emissions – for example, with carbon offsets – those interventions should operate over a similar timeframe: a ton of emissions from cutting down trees can be neutralised by putting more carbon in trees or soils, but CO2 from fossil fuels needs to be balanced by more permanent carbon removal. This is the reason why the respected Science Based Targets initiative only allows measures that permanently remove carbon from the atmosphere to neutralise a company’s remaining fossil fuel emissions in their net-zero standard – and only alongside deep emissions reductions.

We should not oversell the role of carbon removal. The vast majority of the time it is cheaper to reduce emissions than to remove CO2 from the atmosphere after the fact. Models that limit warming to 1.5C show that we need to reduce global CO2 emissions by around 90%, while only using carbon removal for around 10%. But 10% of the solution to a problem as big as climate change is still something we cannot afford to ignore.

In 2021 the world spent a total of $755bn on reducing emissions. We should probably aim to spend about 1% of that money on carbon removal technologies.


$7.5bn? If that amount was put in annually in venture capital, perhaps it would make some difference.
unique link to this extract

Speed traps have no long-term effect on speeding • Strong Towns

Seairra Shepherd:


No one likes to get a speeding ticket, but police hand out citations thousands of times a day throughout the United States. In El Paso, along Delta Drive, law enforcement issued 136 speeding citations to drivers in just six days, in an effort to stop speeding along Delta Drive, where many locals had complained about cars passing by at dangerous speeds. After the six-day citation spree, the police department claimed on their twitter to have successfully slowed down the cars.

A month after this, Strong Towns member and El Paso Community College civil engineering student Zachary Staggs wondered if the speed trap really did put a stop to speeding. 

Deciding to conduct a speed study, Staggs placed himself in an inconspicuous spot away from school zones or intersections that may have influenced the results. He spent two hours tracking oncoming traffic speed from both directions to collect the study data. 

“My takeaway is that whatever the police did, it didn’t work,” said Staggs. “At all.” 

On a sunny October day, eight out of ten drivers exceeded the posted speed limit of 35 mph. One out of four drivers sped 10 mph or more over the limit. Some vehicles were caught going as fast as 60 mph.

“It was insane,” said Staggs. “I felt I could count the people who were going under the speed limit on my fingers, and that didn’t feel right to me.”

Staggs’s results are a striking demonstration of a basic truth about driving: The typical driver does not select their speed based on the posted speed limit. Rather, they rely on visual and other physical cues that intuitively communicate to them how fast it feels safe to go on a given roadway.

This is what’s known as “design speed,” and it may be substantially higher than the legal speed limit. Engineers often use the 85th percentile speed (the speed that 85% of drivers are going at or under) as an indication of design speed. According to Staggs’s findings, on Delta Drive, the 85th percentile speed falls at 45 mph, a full ten miles per hour over the posted speed limit.


If you look at the picture in the article, it’s obvious why vehicles don’t drive along it at 35mph: it’s a long, straight dual carriageway with wide pavements and no houses on either side. The question isn’t why people disobey the speed limit; it’s why anyone thought a speed limit of 35mph could make sense. The headline isn’t supported by finding. As Staggs says later in the story, the problem is the road design, if they really want to enforce that limit.
unique link to this extract

FTX collapse, Tether operations have links to infamous online-poker cheating scandals •

Haley Hintze:


While many mainstream reports on FTX’s collapse have focused on the failed deals between the billionaire owner-founders of FTX, Sam Bankman-Fried, and Binance, Changpeng “CZ” Zhao, the story also includes the involvement of at least one dark figure in online poker history, Daniel S. Friedberg, who serves as FTX’s Chief Regulatory Officer. Friedberg is positioned in a central role in assuring that FTX remains in compliance with financial exchanges and licensing regimes around the globe.

Friedberg played a prominent and infamous role in the coverup of the insider-cheating scandal at UltimateBet in the mid-2000s, and he helped orchestrate some of the questionable legal moves that allowed the Portland, Oregon-based site evade US law enforcement efforts throughout its existence. Those business and legal moves included the creation of a false-front office in Canada which in turn allowed for an IPO on the London Stock Exchange, a faked sale of the company to Tokwiro Enterprises (an entity created by the former chief of the Kahnawake nation, Joseph Tokwiro Norton), licensing in various offshore “rubber stamp” jurisdictions, and ultimately, a shadowy merger with another online-poker company, Absolute Poker, which was also riddled with insider fraud and crippled by its own cheating scandal.

Friedberg, who served as FTX’s general counsel before taking on the company’s regulatory role, was recently described by Coingeek’s Steven Stradbrooke as being “almost comically inappropriate” for the job. The description appears apt, given Friedberg’s long history of not complying with various jurisdictions’ regulations, but rather, evading them.


Oh now you tell us. Though actually this stuff was obvious for anyone who took the trouble to look at the backgrounds of people like Friedberg. But crypto boosters wouldn’t pay attention to that. FTX (or Alameda) though was essentially self-funded by Bankman-Fried’s real trading skills doing arbitrage on Korean crypto exchanges. After that, though, things went bad. Very bad.
unique link to this extract

Google agrees to $392m privacy settlement with 40 states • The New York Times

Cecilia Kang:


In the location privacy settlement, the state attorneys general claimed that Google gave the false impression that when users turned off location tracking services, the company no longer collected geolocation data about them. But through Google’s broad array of other services like search, maps and apps that connect to Wi-Fi and cellular phone towers, the company continued amassing and storing an intricate history of users’ movements, according to the states.

Until May 2018, Google even tracked the location of users who had logged out of Google apps, an action that could lead a consumer to believe location tracking had been disabled, the attorneys general said.

“For years, Google prioritized profit over the privacy of people who use Google products and services,” said Ellen Rosenblum, the Oregon attorney general, who led the case along with Nebraska. “Consumers thought they had turned ‘off’ their location tracking features on Google, but the company continued to secretly record their movements and use that information for advertisers.”

In addition to paying the monetary sum, which will go to state coffers, Google has promised to make clearer how it collects location data, including what kinds of data it can still accumulate when location tracking is disabled for one setting but not for others. The company must also notify users about how to disable location tracking, delete the data collected by the settings and set data retention limits. Users will be notified by pop-up boxes and more detailed information on Google’s informational page about location technologies.

The states’ investigation began after a 2018 Associated Press article on Google’s misleading location tracking practices.


Note that little bit at the end. Journalism can actually make a difference to these behaviours. Recall that the whole issue about location tracking (and, later, address uploading) began with journalists writing about the topic, which then came to wider notice, and then to legislators’ notice.
unique link to this extract

DeviantArt upsets artists with its new AI art generator, DreamUp • Ars Technica

Benj Edwards:


On Friday, the online art community DeviantArt announced DreamUp, an AI-powered text-to-image generator service powered by Stable Diffusion. Simultaneously, DeviantArt launched an initiative that ostensibly lets artists opt out of AI image training but also made everyone’s art opt-in by default, which angered many members.

DreamUp creates novel AI-generated art based on text prompts. Due to its Stable Diffusion roots, DreamUp learned how to generate images by analyzing hundreds of millions of images scraped off sites like DeviantArt and collected into LAION datasets without artists’ permission, a potential irony that some DeviantArt members find problematic.

As we’ve reported frequently on Ars in the past, Stable Diffusion’s web-scraping nature ignited a huge debate earlier this year among artists that challenge the ethics of AI-generated artwork. Some art communities have taken hard stances against any AI-generated images, banning them completely.

Perhaps anticipating a backlash, DeviantArt is making overtures to pacify artists who might be upset about their work being used to train AI image generators. The site is providing a special “noai” flag that artists can check in their image settings to opt out of third-party image datasets. (Whether third-party image scrapers will honor this flag, however, remains to be seen.)


“NoAI” is reminiscent of the “nofollow” tag that emerged a couple of decades ago when spam in blog comments began to be a problem: it told Google (and other search engines took the scheme up too) essentially to ignore the linked site. Perhaps that’s going to be the next step in this debate.
unique link to this extract

Here’s how a Twitter engineer says it will break in the coming weeks • MIT Technology Review

Chris Stokel-Walker:


“Sometimes you’ll get notifications that are a little off,” says one engineer currently working at Twitter, who’s concerned about the way the platform is reacting after vast swathes of his colleagues who were previously employed to keep the site running smoothly were fired. (That last sentence is why the engineer has been granted anonymity to talk for this story.) After struggling with downtime during its “Fail Whale” days, Twitter eventually became lauded for its team of site reliability engineers, or SREs. Yet this team has been decimated in the aftermath of Musk’s takeover. “It’s small things, at the moment, but they do really add up as far as the perception of stability,” says the engineer.

The small suggestions of something wrong will amplify and multiply as time goes on, he predicts—in part because the skeleton staff remaining to handle these issues will quickly burn out. “Round-the-clock is detrimental to quality, and we’re already kind of seeing this,” he says. 

Twitter’s remaining engineers have largely been tasked with keeping the site stable over the last few days, since the new CEO decided to get rid of a significant chunk of the staff maintaining its code base. As the company tries to return to some semblance of normalcy, more of their time will be spent addressing Musk’s (often taxing) whims for new products and features, rather than keeping what’s already there running.

This is particularly problematic, says [highly experienced SRE Ben] Krueger, for a site like Twitter, which can have unforeseen spikes in user traffic and interest. Krueger contrasts Twitter with online retail sites, where companies can prepare for big traffic events like Black Friday with some predictability. “When it comes to Twitter, they have the possibility of having a Black Friday on any given day at any time of the day,” he says. “At any given day, some news event can happen that can have significant impact on the conversation.” Responding to that is harder to do when you lay off up to 80% of your SREs—a figure Krueger says has been bandied about within the industry but which MIT Technology Review has been unable to confirm. The Twitter engineer agreed that the percentage sounded “plausible.”


This article appeared a week ago, and things have just started to fray at the edges. The World Cup’s now starting: that’s going to load-test Twitter in multiple non-Western countries at once. Interesting times.
unique link to this extract

Fake Eli Lilly account may cost Twitter millions • The Washington Post

Drew Harwell:


Inside the real Eli Lilly, the fake sparked a panic, according to two people familiar with the matter who spoke on the condition of anonymity because they weren’t authorized to speak publicly. Company officials scrambled to contact Twitter representatives and demanded they kill the viral spoof, worried it could undermine their brand’s reputation or push false claims about people’s medicine. Twitter, its staffing cut in half, didn’t react for hours.

The aftermath of that $8 spoof offers a potentially costly lesson for Musk, who has long treated Twitter as a playground for bawdy jokes and trolls but now must find a way to operate as a business following his $44bn takeover.

By Friday morning, Eli Lilly executives had ordered a halt to all Twitter ad campaigns — a potentially serious blow, given that the $330bn company controls the kind of massive advertising budget that Musk says the company needs to avoid bankruptcy. They also paused their Twitter publishing plan for all corporate accounts around the world.

“For $8, they’re potentially losing out on millions of dollars in ad revenue,” said Amy O’Connor, a former senior communications official at Eli Lilly who now works at a trade association. “What’s the benefit to a company … of staying on Twitter? It’s not worth the risk when patient trust and health are on the line.”


Later in the day Musk tweeted that verification would be done…by Twitter.
unique link to this extract

Dan O’Dowd is the rich tech CEO spending millions to stop Elon Musk • The Washington Post

Gerrit de Vynck:


O’Dowd, who made his fortune selling software to military customers, has been using the [Tesla] Model 3 to test and film the [car’s] self-driving software. He’s documented what appear to be examples of the car swerving across the centerline toward oncoming traffic, failing to slow down in a school zone and missing stop signs. This summer, he triggered an uproar by releasing a video showing his Tesla — allegedly in Full Self-Driving mode — mowing down child-size mannequins.

“If Tesla gets away with this and ships this product and I can’t convince the public that a self-driving car that drives like a drunken, suicidal 13-year-old shouldn’t be on the road, I’m going to fail,” O’Dowd said in an interview from his Santa Barbara office, where glass cases display his collection of ancient coins and auction-bought mementos from NASA moon missions.

O’Dowd has run nationwide TV ads with the videos and even launched an unsuccessful campaign for the U.S. Senate as part of his one-man crusade to challenge what he sees as the cavalier development of dangerous technology. For O’Dowd and other skeptics, the program is a deadly experiment foisted on an unsuspecting public — a view underscored by a recently filed class-action lawsuit and a reported Department of Justice investigation into the tech.

Despite O’Dowd’s high-profile campaign, and the concern from some regulators and politicians, Tesla is charging ahead with what it claims is world-changing technology. The company and its supporters argue their approach will help usher in a future in which death from human errors on roadways is eliminated. At the end of September, during a four-hour event in which Tesla showed off its latest artificial intelligence tech, Musk said Full Self-Driving is already saving lives and keeping it off public roads would be “morally wrong.”

“At the point of which you believe that adding autonomy reduces injury and death, I think you have a moral obligation to deploy it even though you’re going to get sued and blamed by a lot of people,” Musk said. Musk and Tesla, which does not typically answer media inquiries, did not respond to requests for comment.


How nice – a Musk story that’s about screwups at a company that isn’t Twitter. Except.. if this is wrong, then people die.
unique link to this extract

• Why do social networks drive us a little mad?
• Why does angry content seem to dominate what we see?
• How much of a role do algorithms play in affecting what we see and do online?
• What can we do about it?
• Did Facebook have any inkling of what was coming in Myanmar in 2016?

Read Social Warming, my latest book, and find answers – and more.

Errata, corrigenda and ai no corrida: none notified

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.