Linked List: December 6, 2023

23andMe Confirms Hackers Stole Ancestry Data on 6.9 Million Users 

Lorenzo Franceschi-Bicchierai, reporting for TechCrunch:

On Friday, genetic testing company 23andMe announced that hackers accessed the personal data of 0.1% of customers, or about 14,000 individuals. The company also said that by accessing those accounts, hackers were also able to access “a significant number of files containing profile information about other users’ ancestry.” But 23andMe would not say how many “other users” were impacted by the breach that the company initially disclosed in early October.

As it turns out, there were a lot of “other users” who were victims of this data breach: 6.9 million affected individuals in total.

In an email sent to TechCrunch late on Saturday, 23andMe spokesperson Katie Watson confirmed that hackers accessed the personal information of about 5.5 million people who opted-in to 23andMe’s DNA Relatives feature, which allows customers to automatically share some of their data with others. The stolen data included the person’s name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports and self-reported location.

Here’s a real shocker: 23andMe has updated their terms of service in an attempt to prevent a class action lawsuit. Good luck with that.

Apple Requires Only a Subpoena to Turn Over Push Notification Tokens to Law Enforcement; Google Requires a Court Order 

Drew Harwell, reporting for The Washington Post:

Apple said in a statement that “the federal government had prohibited us from sharing any information” about the requests and now that the method had become public, it was updating its upcoming transparency reports to “detail these kinds of requests.”

Apple’s Law Enforcement Guidelines, the company’s rules for how police and government investigators should seek user information, now note that a person’s Apple ID, associated with a push-notification token, can be “obtained with a subpoena or greater legal process.”

Neither Wyden nor Apple detailed how many notifications had been reviewed, who had been targeted, what crimes were being investigated or which governments had made the requests.

Law enforcement agents can issue subpoenas on their own, so there’s no oversight here. Google, on the other hand, requires a court order:

For U.S. requests of push notifications and other non-content information, Google said it requires a court order, not just a subpoena, that is subject to judicial oversight. With such orders, federal officials must persuade a judge that the requested data is relevant and material to an ongoing criminal probe.

Score one for Google here.

Update, 11 December 2023: Apple has updated its guidelines and now requires a court order as well.

Senator Ron Wyden: Governments Are Spying on Apple and Google Users Through Push Notifications 

Raphael Satter, reporting for Reuters:

Unidentified governments are surveilling smartphone users via their apps’ push notifications, a U.S. senator warned on Wednesday. In a letter to the Department of Justice, Senator Ron Wyden said foreign officials were demanding the data from Alphabet’s Google and Apple. Although details were sparse, the letter lays out yet another path by which governments can track smartphones. [...]

In a statement, Apple said that Wyden’s letter gave them the opening they needed to share more details with the public about how governments monitored push notifications. “In this case, the federal government prohibited us from sharing any information,” the company said in a statement. “Now that this method has become public we are updating our transparency reporting to detail these kinds of requests.”

Google said that it shared Wyden’s “commitment to keeping users informed about these requests.”

From Wyden’s letter to Attorney General Merrick Garland:

Apple and Google should be permitted to be transparent about the legal demands they receive, particularly from foreign governments, just as the companies regularly notify users about other types of government demands for data. These companies should be permitted to generally reveal whether they have been compelled to facilitate this surveillance practice, to publish aggregate statistics about the number of demands they receive, and unless temporarily gagged by a court, to notify specific customers about demands for their data. I would ask that the DOJ repeal or modify any policies that impede this transparency.

See also: Joseph Cox, reporting at 404 Media: “Here’s a Warrant Showing the U.S. Government is Monitoring Push Notifications”.

The Standalone iTunes Movies and TV Shows Apps Are Discontinued in tvOS 17.2 

Benjamin Mayo, 9to5Mac:

As first reported in October, Apple will discontinue the standalone iTunes Movies and iTunes TV Shows apps on the Apple TV box, starting with tvOS 17.2. The warning message seen above has started appearing in the release candidate version of tvOS 17.2 beta, released yesterday.

Apple directs users to the TV app instead to manage their purchases, and buy and rent from the store. At least as far as Apple’s video content is concerned, the iTunes brand is on the way out.

Apple has updated the TV app in 17.2 in preparation of the migration away from the standalone iTunes videos app, bringing across some functionality that was previously missing in TV. That includes things like filtering by genre in purchased tab, and the inclusion of box sets in the store listings. The TV app also features a new sidebar design in this update, which includes a dedicated store and purchases tab for quick navigation.

It’s the updates to the TV app that make this possible. It’s a good simplification overall: Apple’s own content — both iTunes purchases and TV+ streaming content — is in the TV app.

Gurman Predicts Big March for Apple: New iPads Pro and Air, M3 MacBook Airs, and New iPad Peripherals 

Mark Gurman, reporting for Bloomberg:

The iPad Air, which is the company’s mid-tier tablet, currently comes with a 10.9-inch screen. For next year’s release, the company will add a version that’s about 12.9 inches, matching the size of what’s currently the biggest iPad Pro.

The company is also preparing revamped versions of the Apple Pencil and Magic Keyboard accessories, which it will sell alongside the new iPad Pro. The new Pencil — codenamed B532 — will represent the third generation of the product. The company released a new low-end model in November.

The new Magic Keyboards — codenamed R418 and R428 — will make the iPad Pro look more like a laptop and include a sturdier frame with aluminum.

A big iPad Air is interesting, and I suspect will prove popular. No word, alas, on a new iPad Mini though. (I wish Apple would drop the “Mini” brand and just make the iPad Air in three sizes: mini, regular, and large, with identical specs.)

Gurman offers no details about the form factor for the updated iPad Pro models. Given that last year’s 10th-generation regular iPad moved the front-facing camera to the long side of the device — the appropriate location for a camera when the iPad is being used laptop-style — it seems like a safe guess that Apple will do the same with these next-gen iPad Air and Pro models. But the spot where that camera would go is currently the same spot where current iPad Pros have the magnetic attachment for a 2nd-gen Apple Pencil. So I think that’s why Apple is going to introduce a 3rd-gen Pencil — they might need an altogether new way of pairing, charging, and attaching Pencils if they move the front-facing camera to the long side. (Well, that’s one reason to create a 3rd-gen Pencil. Other reasons, of course, would include various ways of making a better stylus — the current 2nd-gen Pencil is now over 5 years old.)

I’m also quite curious about the purported reimagined Magic Keyboards. The current ones are transformative for iPads, functionally, but the rubbery surface material just isn’t durable enough — especially the white ones. MacBooks are remarkably durable; iPad Magic Keyboards demand to be treated carefully. On mine, the rubber is peeling away around my most-used keys. That shouldn’t happen with any keyboard, but it definitely shouldn’t happen with one that costs $300-350.

Bloomberg: ‘Apple Set to Avoid EU Crackdown Over iMessage Service’ 

Samuel Stolton, reporting for Bloomberg:*

Apple Inc.’s iMessage service looks set to win a carve out from new European Union antitrust rules to rein in Big Tech platforms after watchdogs tentatively concluded that it isn’t popular enough with business users to warrant being hit by the regulation. [...]

In order to fall under the scope of the rules, a service must be deemed an “important gateway” for business users. EU enforcers now consider this is not the case for iMessage, according to the people.

If iMessage ended up being targeted by the Digital Markets Act, Apple would have faced potentially onerous obligations to make iMessage work with rival online messaging services, such as Meta Platforms Inc.’s WhatsApp or Facebook Messenger — a move that Apple has already strongly contested.

The elephant in the room with this particular issue is that the interoperability demands of the DMA between E2EE messaging platforms make no technical sense whatsoever. It’s all just hand-waving on the part of the EU bureaucrats who are demanding it. They have no idea what E2EE really means. They just want to demand that a WhatsApp user should be able to send a message to someone on iMessage or Facebook Messenger. Just make it happen.

Who would run key exchange, and manage the discovery and distribution of said keys, for E2EE messages sent across platforms? Key exchange and discovery is essential, and a difficult problem to solve within each platform itself. I think it’s impossible across platforms. Within each platform, the platform owner is in charge and handles these things. With this EU fantasy of mandatory interop across messaging platforms, who would be in charge?

Apple getting exempted from this, I think, will mainly benefit Apple by letting them ignore an impossible mandate. I don’t think this interop will ever come to fruition, no matter what the EU demands, because I don’t think it can, nor do I think it should. Would be nice to just avoid the debate.

* You know.