Linked List: January 9, 2018

Pop-Up Mobile Ads Surge as Sites Scramble to Stop Them

Lily Hay Newman, reporting for Wired:

These redirects can show up seemingly out of the blue when you’re in a mobile browser like Chrome, or even when you’re using a service like Facebook or Twitter and navigating to a page through one of their in-app browsers. Suddenly you go from loading a news article to wriggling away from an intrusive ad. What enables these ad redirects to haunt virtually any browser or app at any time, rather than just the sketchy backwaters in which they used to roam? Third-party ad servers that either don’t vet ad submissions properly for the JavaScript components that could cause redirects, or get duped by innocent-looking ads that hide their sketchy code. […]

An ad hijacking your browser like that isn’t technically a hack, in the sense that it doesn’t exploit a software vulnerability. Instead, it relies on the attacker’s ability to submit and run ads that contain redirecting JavaScript. But though they aren’t a critical threat to web users yet, redirecting mobile ads could create a jumping off point for attackers. And since you encounter the redirects while browsing on even prominent, legitimate sites, there’s nowhere to hide. Sometimes the ads are even designed to block your “Back” button, or keep redirecting when you try to close them, making it difficult to escape without having to restart the browser.

“I do think it’s new that the ads are so pervasive and are on first-tier publishers,” says Anil Dash, CEO of the software engineering firm Fog Creek. “These things used to be relegated to garbage sites, now it’s happening on the New York Times.”

The fact that ad networks are delivering unvetted JavaScript in their payloads is unsurprising but horrifying. They’re confined to your browser’s sandbox, but JavaScript-based ads are effectively malware at this point: they violate your privacy; consume excessive CPU time, bandwidth, and battery life; and now literally hijack your browsing experience.

(And now with Meltdown and Spectre, we have the added worry that JavaScript might be malware that breaks through browsers’ sandbox protections.)
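As an added example (not code from this post, the Wired article, or any ad network), here is the kind of static vetting pass a third-party ad server could run over a submitted creative before serving it, alongside the iframe sandbox markup that stops script inside an ad from navigating the host page. The pattern names, the sample creatives and the example.invalid URLs are constructed for the illustration.

```javascript
// Added example, not code from Daring Fireball or the Wired article. A minimal
// static vetting pass over a submitted ad creative (an HTML string): it flags
// constructs that can navigate the top-level page and, because a creative can
// hide those behind decoding, the decoding primitives as well. Samples are constructed.

const REDIRECT_PATTERNS = [
  { id: 'top-location', re: /\b(?:window\.|self\.)?(?:top|parent)\.location\b/ },
  { id: 'location-assign', re: /\blocation(?:\.href)?\s*=[^=]/ },
  { id: 'location-call', re: /\blocation\.(?:assign|replace)\s*\(/ },
  { id: 'meta-refresh', re: /<meta[^>]+http-equiv\s*=\s*["']?refresh/i },
];

const OBFUSCATION_PATTERNS = [
  { id: 'eval', re: /\beval\s*\(/ },
  { id: 'function-ctor', re: /\bFunction\s*\(/ },
  { id: 'atob', re: /\batob\s*\(/ },
  { id: 'from-char-code', re: /\bString\.fromCharCode\s*\(/ },
  { id: 'document-write', re: /\bdocument\.write(?:ln)?\s*\(/ },
];

// Returns { allowed, findings }; findings lists each matched pattern as "kind:id".
function vetCreative(html) {
  const findings = [];
  for (const p of REDIRECT_PATTERNS) if (p.re.test(html)) findings.push('redirect:' + p.id);
  for (const p of OBFUSCATION_PATTERNS) if (p.re.test(html)) findings.push('obfuscation:' + p.id);
  return { allowed: findings.length === 0, findings };
}

// Structural mitigation that does not depend on the scanner: without the
// allow-top-navigation token, script in the frame cannot navigate the host page;
// the -by-user-activation token still lets a genuine click on the ad through.
function sandboxedAdFrame(creativeUrl) {
  const tokens = ['allow-scripts', 'allow-popups', 'allow-top-navigation-by-user-activation'];
  const src = creativeUrl.replace(/"/g, '&quot;');
  return `<iframe src="${src}" sandbox="${tokens.join(' ')}"></iframe>`;
}

// Constructed sample creatives.
const SAMPLE_CLEAN = '<a href="https://example.invalid/shop"><img src="banner.png" alt=""></a>';
const SAMPLE_REDIRECT = '<img src="banner.png"><script>setTimeout(function () {'
  + ' window.top.location = "https://example.invalid/landing"; }, 2000);</script>';
// Same behaviour, but the script body is base64-wrapped so no literal "location" appears.
const SAMPLE_HIDDEN = '<script>eval(atob("<base64 of the redirect script, elided>"));</script>';

for (const [name, html] of Object.entries({ SAMPLE_CLEAN, SAMPLE_REDIRECT, SAMPLE_HIDDEN })) {
  console.log(name, JSON.stringify(vetCreative(html)));
}
```

The scanner is only a first filter: the hidden sample shows why the sandbox attribute, not pattern matching, is what actually keeps a redirecting ad from leaving the frame.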

Google Announces Plan to Improve URLs for AMP Pages, But Even If It Happens, Which Remains Uncertain, AMP Will Still Suck

Malte Ubl, tech lead for the AMP Project at Google:

Based on this web standard, AMP navigations from Google Search can take advantage of privacy-preserving preloading and the performance of Google’s servers, while URLs remain as the publisher intended and the primary security context of the web, the origin, remains intact. We have built a prototype based on the Chrome Browser and an experimental version of Google Search to make sure it actually does deliver on both the desired UX and performance in real use cases. This step gives us confidence that we have a promising solution to this hard problem and that it will soon become the way that users will encounter AMP content on the web.

The next steps are moving towards fully implementing the new web standard in web browsers and in the Google AMP Cache. Our goal is that Web Packaging becomes available in as many browsers as possible (after all Web Packaging has exciting use cases beyond just AMP such as offline pages, ES6 module loading, and resource bundling). In particular, we intend to extend existing work on WebKit to include the implementation of Web Packaging and the Google Chrome team’s implementation is getting started.

We’re super excited about getting this work under way and we expect the changes to first reach users in the second half of 2018. Thanks for all of your feedback on the matter and we will keep you all updated on the progress right here in this blog!

A bunch of readers have forwarded this story to me, based on my previous criticism of AMP. This announcement isn’t bad news, and might be good news, but at this point it’s all conjecture, particularly for browsers other than Chrome. Even if it all works out, it only solves one problem: URLs. It doesn’t solve the deeper problem of content being hosted on Google’s servers, rather than publishers’ own servers. In addition to ceding independence, think about what this means for search engines other than Google. One of AMP’s foundational tenets is that Google Search is the one and only search engine.

And at a technical level AMP still sucks:

I’m on the record as being strongly opposed to AMP simply on the grounds of publication independence. I’d stand by that even if the implementation were great. But the implementation is not great — it’s terrible. Yes, AMP pages load fast, but you don’t need AMP for fast-loading web pages. If you are a publisher and your web pages don’t load fast, the sane solution is to fix your fucking website so that pages load fast, not to throw your hands up in the air and implement AMP.

But other than loading fast, AMP sucks. It implements its own scrolling behavior on iOS, which feels unnatural, and even worse, it breaks the decade-old system-wide iOS behavior of being able to tap the status bar to scroll to the top of any scrollable view. AMP also completely breaks Safari’s ability to search for text on a page (via the “Find on Page” action in the sharing sheet). Google has no respect for the platform. If I had my way, Mobile Safari would refuse to render AMP pages. It’s a deliberate effort by Google to break the open web.

Seven months later and still none of these things work properly for AMP pages displayed on Mobile Safari. And I forgot to mention back in May that Mobile Safari doesn’t automatically show/hide its browser chrome as you scroll, like it does for any normal web page. AMP pages are also incompatible with Safari Reader mode, making them harder to read for some people, and impossible to read for others.

Sharing canonical URLs rather than google.com/amp URLs is just one of many problems with AMP, and the “fix” proposed here requires updated versions of every web browser in the world to work.

North Carolina Congressional Map Ruled Unconstitutionally Gerrymandered

Alan Blinder, reporting for The New York Times:

A panel of federal judges struck down North Carolina’s congressional map on Tuesday, declaring it unconstitutionally gerrymandered and demanding that the Republican-controlled General Assembly redraw district lines before this year’s midterm elections.

The ruling was the first time that a federal court had blocked a congressional map because the judges believed it to be a partisan gerrymander, and it deepened the political chaos that has enveloped North Carolina in recent years.

More good news on the voting front.

New Bill Aims to Eliminate Paperless Voting Machines

Timothy B. Lee, writing for Ars Technica:

“With the 2018 elections just around the corner, Russia will be back to interfere again,” said co-sponsor Sen. Kamala Harris (D-Calif.).

So a group of senators led by James Lankford (R-Okla.) wants to shore up the security of American voting systems ahead of the 2018 and 2020 elections. And the senators have focused on two major changes that have broad support from voting security experts.

The first objective is to get rid of paperless electronic voting machines. Computer scientists have been warning for more than a decade that these machines are vulnerable to hacking and can’t be meaningfully audited. States have begun moving away from paperless systems, but budget constraints have forced some to continue relying on insecure paperless equipment. The Secure Elections Act would give states grants specifically earmarked for replacing these systems with more secure systems that use voter-verified paper ballots.

I don’t know of a single voting or computer security expert who is in favor of paperless voting machines. The sooner we get rid of them, the better.

Update: Electronic voting machines in the U.S. are far less regulated and easier to rig than slot machines in Las Vegas.

Regarding This Open Letter From Two Investor Groups to Apple Regarding Kids’ Use of Devices

David Gelles, reporting for The New York Times:

Now, two of the biggest investors on Wall Street have asked Apple to study the health effects of its products and to make it easier for parents to limit their children’s use of iPhones and iPads. […]

Jana, an activist hedge fund, wrote its letter with Calstrs, the California State Teachers’ Retirement System, which manages the pensions of California’s public-school teachers. When such investors pressure companies to change their behavior, it is typically with the goal of lifting a sagging stock price. In this case, Jana and Calstrs said they were trying to raise awareness about an issue they cared deeply about, adding that if Apple was proactive about making changes, it could help the business.

This open letter is getting a lot of attention, but to me, the way to limit your kids’ access to devices is simply, well, to limit their access to devices. I’m sure iOS’s parental controls could be improved (and in a statement, Apple claims they have plans to do so), but more granular parental controls in iOS are no substitute for being a good, involved parent.

See also: the open letter from Jana and Calstrs.

AT&T Drops Huawei’s New Smartphone Amid Security Worries

Paul Mozur, reporting for The New York Times:

AT&T walked away from a deal to sell the Huawei smartphone, the Mate 10, to customers in the United States just before the partnership was set to be unveiled, said two people on Tuesday familiar with the plans, who spoke on the condition of anonymity because the discussions were not public. The Wall Street Journal reported earlier that AT&T had changed plans.

The reasons that led to AT&T’s shift were not entirely clear. But last month, a group of lawmakers wrote a letter to the Federal Communications Commission expressing misgivings about a potential deal between Huawei and an unnamed American telecommunications company to sell its consumer products in the United States. It cited longstanding concerns among some lawmakers about what they said are Huawei’s ties to the Chinese government.

The letter, which was reviewed by The New York Times, said Congress has “long been concerned about Chinese espionage in general, and Huawei’s role in that espionage in particular.”

This sounds bad, but without any specific accusations regarding what Huawei might actually be doing to collaborate with the Chinese government — let alone actual evidence — I’m not sure what to make of this.

Ad Tracking Companies Complain About Safari’s Intelligent Tracking Prevention

Alex Hern, in a decidedly pro-ad-industry report for The Guardian:

Internet advertising firms are losing hundreds of millions of dollars following the introduction of a new privacy feature from Apple that prevents users from being tracked around the web.

Advertising technology firm Criteo, one of the largest in the industry, says that the Intelligent Tracking Prevention (ITP) feature for Safari, which holds 15% of the global browser market, is likely to cut its 2018 revenue by more than a fifth compared to projections made before ITP was announced.

With annual revenue in 2016 topping $730m, the overall cost of the privacy feature on just one company is likely to be in the hundreds of millions of dollars.

If this is accurate, it goes to show the outsize influence Safari has. Criteo is claiming that a new feature in Safari, a browser with only 15 percent of global share, resulted in more than a 20 percent drop in their revenue. This, despite the fact that Intelligent Tracking Prevention — the feature in question — doesn’t block ads per se. It only prevents certain methods of privacy-invasive tracking. I fail to see how this is a bad thing.