Pixel Envy

Microsoft Lowers A.I. Software Growth Targets

By: Nick Heer
3 December 2025 at 19:01

Benj Edwards, Ars Technica:

Microsoft has lowered sales growth targets for its AI agent products after many salespeople missed their quotas in the fiscal year ending in June, according to a report Wednesday from The Information. The adjustment is reportedly unusual for Microsoft, and it comes after the company missed a number of ambitious sales goals for its AI offerings.

Based on Edwards’ summary — I still have no interest in paying for the Information — it sounds like this mostly affects sales of A.I. “agents”, a riskier technology proposition for businesses. This sounds to me like more concrete evidence of a plateau in corporate interest than the surveys reported on by the Economist.

⌥ Permalink

FT: U.K. Is ‘Seeking a Way Out’ Over iCloud End-to-End Encryption Backdoor, but ‘Has Not Backed Down’

By: Nick Heer
22 July 2025 at 03:44

The Financial Times today published an article by Anna Gross, Tim Bradshaw, and Lauren Fedor, in which the three paint a picture of a complex stalemate between investment interests and the U.K. government’s snooping desires:

Sir Keir Starmer’s government is seeking a way out of a clash with the Trump administration over the UK’s demand that Apple provide it with access to secure customer data, two senior British officials have told the Financial Times.

The officials both said the Home Office, which ordered the tech giant in January to grant access to its most secure cloud storage system, would probably have to retreat in the face of pressure from senior leaders in Washington, including vice-president JD Vance.

The writers go on to describe the tension between U.K. and U.S. authorities, with sources telling them the U.K. definitely wants this capability, but feels the weight of the U.S. administration. Here are two things I think are true:

  1. The U.K. should not be demanding access to iCloud data end-to-end encrypted by Advanced Data Protection — and certainly not worldwide, as it wants. It is terrible on the merits, it will be misused, and it is ridiculous nobody can talk about it directly because of secrecy requirements.

  2. The U.S. continues to abuse its power in worrisome ways. There is no evidence this administration is objecting to the U.K. law on the merits of free speech, given how bad they are on speech in general. There is lots of reason to believe they are simply hostile to any attempts at regulating the massive technology companies that happen to come from the U.S. and reinforce its global power. It is not just the U.K.; the Canadian government pulled a fairly reasonable Digital Services Tax to placate this administration for similar reasons.

Bad faith rationale aside, the U.K. seems to be thinking about retreating from its backdoor efforts, though it has not yet made any moves to do so. Yet Ars Technica, which syndicates the occasional Times story, republished this article under the headline “UK backing down on Apple encryption backdoor after pressure from US”. That is not true — not yet, anyway.

And there is reason to be skeptical of the Times’ sourcing on these matters, too. In 2023, its reporters — including Gross, who also worked on this Advanced Data Protection story — were told the U.K. government would no longer demand the breaking of end-to-end encryption in messaging apps. This was only true in the sense the government no longer demanded impossible backdoors, only possible ones. This was not so much rescinding a demand as it was clarifying it.

Until the U.K. formally withdraws the technical capability notice served to Apple — and maybe Google, too — we should assume they are still pushing for a backdoor. And, because of the secrecy rules, if they do rescind it, it seems we will only find out in a leak to the Times or the BBC, without any official acknowledgement any of this took place.

⌥ Permalink

French Data Under U.S. Firms Is Not Protected From U.S. Government Access

By: Nick Heer
20 July 2025 at 04:15

Anne-Laure Dufeal, Brussels Signal:

The [French] Senate report cited Microsoft France’s legal director, Anton Carniaux, as admitting the company could not guarantee that French data it hosted would not be handed over to foreign authorities.

“Carniaux … was asked by the [French Senate] commission to guarantee that French citizens’ data hosted by Microsoft would never be transmitted to foreign authorities without the agreement of the French authorities. He replied: ‘No, I can’t guarantee that,’” the report stated.

Luis Rijo, PPC Land:

The testimony contradicts years of Microsoft’s security assurances regarding European data hosting. Despite implementing encryption and technical safeguards, the company acknowledged that US legislation ultimately supersedes protective measures when federal agencies issue valid data requests.

[…]

Amazon Web Services, Google Cloud, and other hyperscale providers operate under identical legal frameworks, potentially exposing European data to extraterritorial access. The testimony suggests widespread vulnerability in European digital infrastructure built on American technological foundations.

Ben Werdmuller:

Reliance on US services has become a point of vulnerability for everyone. This should be a concern regardless of American leadership; under the current administration, it’s become a frequent topic of conversation for security leaders both inside and outside of the country.

The U.S. set up a new court to handle European complaints, but it is under the umbrella of the U.S. Privacy and Civil Liberties Oversight Board which currently has a single board member, who happens to be a Republican. That is because the other three members of the board — all Democrats — were told to leave after Donald Trump retook the presidency, thus making it non-functional. Is the court hearing cases? That is a good question; the whole thing is one big secret.

⌥ Permalink

U.S. Federal Trade Commission Launches Broad Microsoft Investigation

By: Nick Heer
28 November 2024 at 01:00

Leah Nylen, Josh Sisco, and Dina Bass, Bloomberg:

The US Federal Trade Commission has opened an antitrust investigation of Microsoft Corp., drilling into everything from the company’s cloud computing and software licensing businesses to cybersecurity offerings and artificial intelligence products.

Seems like a lot of people who thought Microsoft would escape antitrust investigations in the U.S. might have been a little too eager.

This kind of scrutiny is a good thing, and long overdue. Yet one of the unavoidable problems of reducing the influence of these giant corporations now is the pain it is going to cause — almost by definition. If a corporation is abusing its power and scale to such a degree the FTC initiates an investigation, unwinding that will have — to put it mildly — an effect. We are seeing this in the Google case. This is true for any situation where a business or a group of people with too much influence needs correcting. That does not mean it should not happen.

It is true that Microsoft’s products and services are the backbone of businesses and governments the world over. These are delivered through tight integrations, all of which encourages further fealty to this singular solution. For example, it used its dominant position with Office 365 to distribute Teams for free, thereby making it even harder for other businesses to compete. It then leveraged Outlook and Teams to boost its web browser, after doing the same with Windows. If it charged for Teams out of the gate, we would be having a different discussion.

Obviously, the FTC’s concerns with Microsoft’s business practices stretch well beyond bundling Teams. According to this Bloomberg report, the Commission is interested in cloud and identity tying, too. On the one hand, it is enormously useful to businesses to have a suite of products with a single point of management and shared credentials. On the other hand, it is a monolithic system that is a non-starter for potential competitors.

The government is understandably worried about the security and stability risks of global dependence on Microsoft, too, but this is odd:

The CrowdStrike crash that affected millions of devices operating on Microsoft Windows systems earlier this year was itself a testament to the widespread use of the company’s products and how it directly affects the global economy.

This might just be Bloomberg’s contextualizing more than it is relevant to the government’s position. But, still, it seems wrong to me to isolate Windows as the problem instead of CrowdStrike itself, especially with better examples to be found in the SolarWinds breach and its track record with first-party security.

⌥ Permalink

WSJ: U.S. Wiretap Systems Targeted in China-Linked Hack

By: Nick Heer
9 October 2024 at 02:51

Sarah Krouse, Dustin Volz, Aruna Viswanatha, and Robert McMillan, Wall Street Journal (probably paywalled; sorry):

A cyberattack tied to the Chinese government penetrated the networks of a swath of U.S. broadband providers, potentially accessing information from systems the federal government uses for court-authorized network wiretapping requests.

For months or longer, the hackers might have held access to network infrastructure used to cooperate with lawful U.S. requests for communications data, according to people familiar with the matter, which amounts to a major national security risk. The attackers also had access to other tranches of more generic internet traffic, they said.

Zack Whittaker, TechCrunch:

The 30-year-old law that set the stage for recent backdoor abuse is the Communications Assistance for Law Enforcement Act, or CALEA, which became law in 1994 at a time when cell phones were a rarity and the internet was still in its infancy.

CALEA requires that any “communications provider,” such as a phone company or internet provider, must provide the government all necessary assistance to access a customer’s information when presented with a lawful order. In other words, if there is a means to access a customer’s data, the phone companies and internet providers must provide it.

Bruce Schneier:

For years, the security community has pushed back against these backdoors, pointing out that the technical capability cannot differentiate between good guys and bad guys. And here is one more example of a backdoor access mechanism being targeted by the “wrong” eavesdroppers.

Riana Pfefferkorn:

It is not the ‘90s anymore, when CALEA got enacted, the law requiring telecom wiretappability for law enforcement. China and Russia and DPRK are formidable cyber foes now. DOJ, FBI, etc. want to change CALEA so that encrypted apps like Signal or WhatsApp aren’t exempt from it anymore. But this hack shows that if anything, the law needs to change in the *other* direction. The hack needs to be a wake-up call to law enforcement that as long as they keep opposing encryption for communications, they’re enabling China to smack us in the face with our own hand while saying “stop hitting yourself!”

According to a 2016 paper from Public Safety Canada, “Australia, the U.S., the UK and many other European nations require CSPs [Communications Service Providers] to have an interception capability”; it also notes Canada does not. Such a requirement is understandable from an investigative perspective. But, as Pfefferkorn says, capabilities like these have been exploited before, and it will happen again. These are big targets and there are no safe backdoors.

That brings me — for the second time today — to the need for comprehensive privacy legislation basically everywhere but, in particular, in the United States, the hub of the world’s communications. Protecting private data would dramatically curtail this kind of access violation by removing backdoors, restrict one aspect of TikTok panic, and reduce the exploitation of our behavioural data by creepy ad tech businesses. It is not a panacea and I am sure there are worrisome side effects for law enforcement, but it would likely be more effective than tackling these problems on an individual basis.

⌥ Permalink

Microsoft Delays Launch of Recall

By: Nick Heer
14 June 2024 at 22:49

Pavan Davuluri, of Microsoft:

Today, we are communicating an additional update on the Recall (preview) feature for Copilot+ PCs. Recall will now shift from a preview experience broadly available for Copilot+ PCs on June 18, 2024, to a preview available first in the Windows Insider Program (WIP) in the coming weeks. Following receiving feedback on Recall from our Windows Insider Community, as we typically do, we plan to make Recall (preview) available for all Copilot+ PCs coming soon.

Microsoft has always struggled to name its products coherently, but Microsoft Copilot+ PCs with Recall (preview) available first through the Windows Insider Program (WIP) has to take the cake. Absolute gibberish.

Anyway, it is disappointing to see Microsoft botch the announcement of this feature so badly. Investors do not seem to care about how untrustworthy the company is because, face it, how many corporations big and small are going to abandon Windows and Office? As long as its leadership keeps saying the right things, it seems it is still comfortable to sit in the afterglow of its A.I. transformation.

⌥ Permalink

ProPublica: Microsoft Refused to Fix Flaw Years Before SolarWinds Hack

By: Nick Heer
14 June 2024 at 05:31

Renee Dudley and Doris Burke, reporting for ProPublica which is not, contrary to the opinion of one U.S. Supreme Court jackass justice, “very well-funded by ideological groups” bent on “look[ing] for any little thing they can find, and they try[ing] to make something out of it”, but is instead a distinguished publication of investigative journalism:

Microsoft hired Andrew Harris for his extraordinary skill in keeping hackers out of the nation’s most sensitive computer networks. In 2016, Harris was hard at work on a mystifying incident in which intruders had somehow penetrated a major U.S. tech company.

[…]

Early on, he focused on a Microsoft application that ensured users had permission to log on to cloud-based programs, the cyber equivalent of an officer checking passports at a border. It was there, after months of research, that he found something seriously wrong.

This is a deep and meaningful exploration of Microsoft’s internal response to the conditions that created 2020’s catastrophic SolarWinds breach. It seems that both Microsoft and the Department of Justice knew well before anyone else — perhaps as early as 2016 in Microsoft’s case — yet neither did anything with that information. Other things were deemed more important.

Perhaps this was simply a multi-person failure in which dozens of people at Microsoft could not see why Harris’ discovery was such a big deal. Maybe they all could not foresee this actually being exploited in the wild, or there was a failure to communicate some key piece of information. I am a firm believer in Hanlon’s razor.

On the other hand, the deep integration of Microsoft’s entire product line into sensitive systems — governments, healthcare, finance — magnifies any failure. The incompetence of a handful of people at a private corporation should not result in 18,000 infected networks.

Ashley Belanger, Ars Technica:

Microsoft is pivoting its company culture to make security a top priority, President Brad Smith testified to Congress on Thursday, promising that security will be “more important even than the company’s work on artificial intelligence.”

Satya Nadella, Microsoft’s CEO, “has taken on the responsibility personally to serve as the senior executive with overall accountability for Microsoft’s security,” Smith told Congress.

[…]

Microsoft did not dispute ProPublica’s report. Instead, the company provided a statement that almost seems to contradict Smith’s testimony to Congress today by claiming that “protecting customers is always our highest priority.”

Microsoft’s public relations staff can say anything they want. But there is plenty of evidence — contemporary and historic — showing this is untrue. Can it do better? I am sure Microsoft employs many intelligent and creative people who desperately want to change this corrupted culture. Will it? Maybe — but for how long is anybody’s guess.

⌥ Permalink

BNN Breaking Was an A.I. Sham

By: Nick Heer
12 June 2024 at 19:12

“Conspirador Norteño” in January 2023:

BNN (the “Breaking News Network”, a news website operated by tech entrepreneur and convicted domestic abuser Gurbaksh Chahal) allegedly offers independent news coverage from an extensive worldwide network of on-the-ground reporters. As is often the case, things are not as they seem. A few minutes of perfunctory Googling reveals that much of BNN’s “coverage” appears to be mildly reworded articles copied from mainstream news sites. For science, here’s a simple technique for algorithmically detecting this form of copying.

Kashmir Hill and Tiffany Hsu, New York Times:

Many traditional news organizations are already fighting for traffic and advertising dollars. For years, they competed for clicks against pink slime journalism — so-called because of its similarity to liquefied beef, an unappetizing, low-cost food additive.

Low-paid freelancers and algorithms have churned out much of the faux-news content, prizing speed and volume over accuracy. Now, experts say, A.I. could turbocharge the threat, easily ripping off the work of journalists and enabling error-ridden counterfeits to circulate even more widely — as has already happened with travel guidebooks, celebrity biographies and obituaries.

See, it is not just humans producing abject garbage; robots can do it, too — and way better. There was a time when newsrooms could be financially stable on display ads. Those days are over for a team of human reporters, even if all they do is rewrite rich guy tweets. But if you only need to pay a skeleton operations staff to ensure the robots continue their automated publishing schedule, well that becomes a more plausible business venture.

Another thing of note from the Times story:

Before ending its agreement with BNN Breaking, Microsoft had licensed content from the site for MSN.com, as it does with reputable news organizations such as Bloomberg and The Wall Street Journal, republishing their articles and splitting the advertising revenue.

I have to wonder how much of an impact this co-sign had on the success of BNN Breaking. Syndicated articles on MSN like these are shown in various places on a Windows computer, and are boosted in Bing search results. Microsoft is increasingly dependent on A.I. for editing its MSN portal with predictable consequences.

“Conspirador Norteño” in April:

The YouTube channel is not the only data point that connects Trimfeed to BNN. A quick comparison of the bylines on BNN’s and Trimfeed’s (plagiarized) articles shows that many of the same names appear on both sites, and several X accounts that regularly posted links to BNN articles prior to April 2024 now post links to Trimfeed content. Additionally, BNN seems to have largely stopped publishing in early April, both on its website and social media, with the Trimfeed website and related social media efforts activating shortly thereafter. It is possible that BNN was mothballed due to being downranked in Google search results in March 2024, and that the new Trimfeed site is an attempt to evade Google’s decision to classify Trimfeed’s predecessor as spam.

The Times reporters definitively linked the two and, after doing so, Trimfeed stopped publishing. Its domain, like BNN Breaking, now redirects to BNNGPT, which ostensibly uses proprietary technologies developed by Chahal. Nothing about this makes sense to me and it smells like bullshit.

⌥ Permalink

⌥ Anti Trust in Tech

By: Nick Heer
7 June 2024 at 22:02

If you had just been looking at the headlines from major research organizations, you would see a lack of confidence from the public in big business, technology companies included. For years, poll after poll from around the world has found high levels of distrust in their influence, handling of private data, and new developments.

If these corporations were at all worried about this, they are not much showing it in their products — particularly the A.I. stuff they have been shipping. There has been little attempt at abating last year’s trust crisis. Google decided to launch overconfident summaries for a variety of search queries. Far from helping to sift through all that has ever been published on the web to mash together a representative summary, it was instead an embarrassing mess that made the company look ill prepared for the concept of satire. Microsoft announced a product which will record and interpret everything you do and see on your computer, but as a good thing.

Can any of them see how this looks? If not — if they really are that unaware — why should we turn to them to fill gaps and needs in society? I certainly would not wish to indulge businesses which see themselves as entirely separate from the world.

It is hard to imagine they do not, though. Sundar Pichai, in an interview with Nilay Patel, recognised there were circumstances in which an A.I. summary would be inappropriate, and cautioned that the company still considers it a work in progress. Yet Google still turned it on by default in the U.S. with plans to expand worldwide this year.

Microsoft has responded to criticism by promising Recall will now be a feature users must opt into, rather than something they must turn off after updating Windows. The company also says there are more security protections for Recall data than originally promised but, based on its track record, maybe do not get too excited yet.

These product introductions all look like hubris. Arrogance, really — recognition of the significant power these corporations wield and the lack of competition they face. Google can poison its search engine because where else are most people going to go? How many people would turn off Recall, something which requires foreknowledge of its existence, under Microsoft’s original rollout strategy?

It is more or less an admission they are all comfortable gambling with their customers’ trust to further the perception they are at the forefront of the new hotness.

None of this is a judgement on the usefulness of these features or their social impact. I remain perplexed by the combination of a crisis of trust in new technologies, and the unwillingness of the companies responsible to engage with the public. There seems to be little attempt at persuasion. Instead, we are told to get on board because this rocket ship is taking off with or without us. Concerned? Too bad: the rocket ship is shaped like a giant middle finger.

What I hope we see Monday from Apple — a company which has portrayed itself as more careful and practical than many of its contemporaries — is a recognition of how this feels from outside the industry. Expect “A.I.” to be repeated in the presentation until you are sick of those two letters; investors are going to eat it up. When normal people update their phones in September, though, they should not feel like they are being bullied into accepting our A.I. future.

People need to be given time to adjust and learn. If the polls are representative, very few people trust giant corporations to get this right — understandably — yet these tech companies seem to believe we are as enthusiastic about every change they make as they are. Sorry, we are not, no matter how big a smile a company representative is wearing when they talk about it. Investors may not be patient but many of the rest of us need time.

Inside the Copilot Recall ‘Disaster’

By: Nick Heer
3 June 2024 at 17:53

Kevin Beaumont:

At a surface level, it [Recall] is great if you are a manager at a company with too much to do and too little time as you can instantly search what you were doing about a subject a month ago.

In practice, that audience’s needs are a very small (tiny, in fact) portion of Windows userbase — and frankly talking about screenshotting the things people in the real world, not executive world, is basically like punching customers in the face. The echo chamber effect inside Microsoft is real here, and oh boy… just oh boy. It’s a rare misfire, I think.

Via Eric Schwarz:

The fact that this feature is basically on by default and requires numerous steps to disable is going to create a lot of problems for people, especially those who click through every privacy/permission screen and fundamentally don’t know how their computer actually operates — I’ve counted way too many instances where I’ve had to help people find something and they have no idea where anything lives in their file system (mostly work off the Desktop or Downloads folders). How are they going to even grapple with this?

The problems with Recall remind me of the minor 2017 controversy around “brassiere” search results in Apple’s Photos app. Like Recall, it is entirely an on-device process with some security and privacy protections. In practice, automatically cataloguing all your photos which show a bra is kind of creepy, even if it is being done only with your own images on your own phone.

⌥ Permalink

Microsoft Recall

By: Nick Heer
23 May 2024 at 01:29

Yusuf Mehdi of Microsoft:

Now with Recall, you can access virtually what you have seen or done on your PC in a way that feels like having photographic memory. Copilot+ PCs organize information like we do – based on relationships and associations unique to each of our individual experiences. This helps you remember things you may have forgotten so you can find what you’re looking for quickly and intuitively by simply using the cues you remember.

[…]

Recall leverages your personal semantic index, built and stored entirely on your device. Your snapshots are yours; they stay locally on your PC. You can delete individual snapshots, adjust and delete ranges of time in Settings, or pause at any point right from the icon in the System Tray on your Taskbar. You can also filter apps and websites from ever being saved. You are always in control with privacy you can trust.

Recall is the kind of feature I have always wanted but I am not sure I would ever enable. Setting aside Microsoft’s recent high-profile security problems, it seems like there is a new risk in keeping track of everything you see on your computer — bank accounts, a list of passwords, messages, work documents and other things sent by a third-party which they expect to be confidential, credit card information — for a rolling three month window.

Microsoft says all the right things about this database. It says it is all stored locally, never shared with Microsoft, access controlled, and user configurable. And besides, screen recorders have existed forever, and keeping local copies of sensitive information has always been a balance of risk.

But this is a feature that creates a rolling record of just about everything. It somehow feels more intrusive than a web browser’s history and riskier than a password manager. The Recall directory will be a new favourite target for malware. Oh and, in addition to Microsoft’s own security issues, we have just seen a massive breach of LastPass. Steal now, solve later.

This is a brilliant, deeply integrated service. It is the kind of thing I often need as I try to remember some article I read and cannot quite find it with a standard search engine. Yet even though I already have my credit cards and email and passwords stored on my computer, something about a screenshot timeline is a difficult mental hurdle to clear — not entirely rationally, but not irrationally either.

⌥ Permalink
