#1555: Apple privacy labels, Caller ID authentication, knock-off Sport Loop watch bands, take care when deleting Messages conversations
Fed up with the constant onslaught of spam phone calls? Glenn Fleishman explains that there may soon be a light at the end of the tunnel in the form of the STIR/SHAKEN protocol, which Apple uses to mark verified calls. Be careful when deleting conversations in Messages because it may ask if the messages are spam. Reply in the affirmative too many times, and Apple might lock the sender’s account. Apple has published a list of the privacy labels for all its apps, which has the side effect of showing just how many apps Apple makes. Finally, Adam Engst dips his toes into the world of knock-off Apple Watch bands and discovers that third-party Sport Loop bands are just as good as Apple’s, for a tenth the price. Notable Mac app releases this week include Typinator 8.7, Lightroom Classic 10.2, Acorn 7.0, Rumpus 9.0, Microsoft Office for Mac 16.47, and 1Password 7.8.
Apple Publishes Collection of Privacy Labels for Its Apps
Starting with iOS 14.3, Apple mandated that every developer publish information about what data its apps collect from users (see “Apple Unveils Stringent Disclosure and Opt-in Privacy Requirements for Apps,” 7 January 2021). That information is presented in the App Privacy section in App Store listings. Some data-driven developers have been more willing to go along than others—Facebook updated its app right away, at least acknowledging that it records and uses every possible fact about you, likely including what you sing in the shower. In contrast, Google has dragged its feet, only recently beginning to update some of its iOS apps with privacy labels.
Knowing that it has nothing to hide, given that its business model doesn’t rely on capturing highly personal user data, Apple had no issue publishing data privacy labels for all of its iOS, iPadOS, macOS, watchOS, and tvOS apps in their respective App Stores. New, however, is a Web page that collects the privacy labels for all of Apple’s apps. We’ve never heard of some of these apps before, but now that we know about it, we’re anxious to see if Reality Composer is where Apple gets its distortion field without Steve Jobs at the helm (it’s actually an app for creating augmented reality objects).
Be Careful When Deleting Conversations in Messages
In a Hacker News thread about Dustin Curtis’s locked Apple ID (see “The Mystery of Dustin Curtis’s Locked Apple ID,” 5 March 2021), there were several reports of iMessage accounts being disabled after other users inadvertently marked messages from them as spam during deletion (swipe left on a message and then tap the trash icon).
There’s a UX defect with Messages right now where if you delete some conversations in succession, randomly will a modal popup [sic] and ask you if you want to report the contact as spam.
Some Apple articles will tell you not to worry if you’ve accidentally reported someone as spam, but it actually does something. It’s not a pedestrian crosswalk button.
I found this out the hard way when my wife could no longer send or receive messages nor sign into Messages and we had to contact Apple support. I’ve accidentally reported tons of people as spam because of this stupid Messages experience, and I can only guess that I’ve reported my own wife so many times from clearing all of my Messages conversations that they disabled her Messages account.
He eventually got his wife’s iMessage access restored after Apple Support granted a “one-time exception.”
User rdm_blackhole reported a similar occurrence:
What a coincidence. My wife had the same issue a few months ago. It started with her not being able to send or receive iMessages.
The worst part was that there was no notification nor warning. Some of her friends actually thought that she was mad at them for some reason as they would send her messages and she according to them would not respond at all.
From her perspective though she was responding to every message but they never got them.
He also got her iMessage access restored with another “one-time exception.”
We haven’t seen other reports of this, and we can’t replicate the behavior, so it’s likely a rare issue. Regardless, be aware of the possibility. The spam-reporting prompt seems to appear only when you delete an entire conversation or delete several messages from a single conversation. If you regularly delete messages or conversations in Messages, read the prompts carefully before responding to them.
It’s not unreasonable that Apple would use the reports of spam messages to protect other users from spammers. However, it does open the door to abuse by users who would intentionally mark messages from others as spam to disable their accounts. That could happen only between people who have exchanged a sufficient number of messages, but it’s not hard to imagine it occurring in an unpleasant divorce or with a disgruntled housemate. Let us know in the comments if you’ve seen the spam-reporting prompts or if you or someone you know has had their iMessage account suspended by Apple.
Caller ID Authentication May Tame the Scourge of Spam Calls
This morning, my iPhone rang five times. Because I pay Hiya for reverse Caller ID lookups, each number lit up with a name I didn’t know, along with the originating city and state: three from Florida and two from Connecticut. I didn’t answer any of the calls because I didn’t recognize any of the names. When I checked later, I found they lacked a relatively new indicator that I watch out for: a tell-tale checkmark. While tiny, it’s a harbinger of better things to come, particularly with a looming deadline in June 2021 for major phone carriers and Internet telephony providers.
You may not even notice this checkmark—it’s truly very tiny—but it appears in the Recents list in the Phone app on an iPhone and in call details. On some Android phones, a verified indicator appears on the incoming call screen, and telephone carriers have asked Apple to add it there on iPhones, too. Only in the call detail do you get an explanation from Apple: “Calls with a checkmark have been verified by the carrier.”
What Are Those Tiny Checkmarks?
These marks started to appear in iOS 13 in the third quarter of 2019, but usage has accelerated as carriers want to block spam calls from ever reaching their customers. Spam calls cause huge headaches for those who run phone networks. They consume network resources, don’t produce revenue (spammers don’t pay a receiving phone network for the calls they place), and irritate the heck out of a carrier’s customers. Those customers, in turn, spend a lot of time complaining to customer-service operators, on forums, and to the US Federal Communications Commission and Federal Trade Commission.
Those two federal agencies have targeted these spam calls, as they want to reduce the number of people who lose money to scams. These calls might waste a moment of your time, but scammers can exploit vulnerable people in cognitive decline or those with too much trust in others to the tune of hundreds or even tens of thousands of dollars. It’s a rare regulatory initiative that started under the previous hands-off presidential administration.
These tiny checkmarks appear on calls that pass through a new standard implemented on major telephone networks starting in 2019 and gradually being rolled out by smaller ones since. The standard, known as SHAKEN, is an amusingly named expansion of an earlier plan called STIR, and the two are often spoken of together as STIR/SHAKEN. (Best said with a James Bond intonation.) What they do is establish a cryptographic chain of trust for the originating number that you see as a Caller ID message. (If you want to know what they stand for, take a deep breath: STIR is Secure Telephony Identity Revisited; SHAKEN is quite absurdly squeezed into its acronym from Signature-based Handling of Asserted Information Using toKENs.)
Larger companies involved in plain old telephone service (POTS), a loose term for the network that handles phone numbers for calling, must implement STIR/SHAKEN by 30 June 2021. There are a lot of exceptions, as noted in this industry briefing article, but any carrier with 100,000 or more lines has to be ready to go by then. (Smaller carriers have until 30 June 2023.) As we approach that date, we should see a few effects at varying levels:
- Fewer spam and scam calls: Pundits often predict this desirable result whenever there’s a major enforcement action or carriers make changes. But in the past, fraudsters just adapted because call-based financial crimes are low-hanging fruit with little risk. STIR/SHAKEN will bump up the cost of doing business, so crime won’t pay as well.
- More checkmarks: We can train ourselves and vulnerable members of our families, friends, and colleagues to identify recent calls with no checkmark. Apple might not yet put the mark on the incoming call screen, but we can check in the Recents list before treating the source as eventually legitimate. About one-third of my regular incoming calls already have a checkmark.
- Better automated call-blocking: With STIR/SHAKEN as a signal, carrier software—like T-Mobile’s free tier of ScamShield—and third-party apps could more accurately predict unwanted calls. Carriers normally are required to pass all calls placed through to a recipient, but the FCC made clear a few years ago that as long as a telco is appropriately looking for spam signals, they can block these. STIR/SHAKEN provides even more data for that purpose. (Verizon claims it has blocked nine billion unwanted calls as of December 2020 through various techniques that include STIR/SHAKEN.)
- Greater accountability: Because STIR/SHAKEN will force spammers who keep plying their trade to rely more heavily on legitimate originating phone numbers, it will make them (or their providers) a lot more vulnerable, trackable, and arrestable. It could help authorities shut down boiler-room operations much more quickly, too.
How STIR/SHAKEN Will Help
STIR/SHAKEN essentially rectifies a historical failure that resulted from extending phone system technology that assumed few participants who trusted one another, much like email. It’s harder to forge Caller ID than the return address on an email, but Caller ID has been spoofable for decades. You probably already knew that, because you’ve received so many illegitimate calls. In recent years, scammers would even engage in “prefix spam,” calling your number with a fake Caller ID number that used the same three-digit prefix that follows the area code. (That prefix remains tied to local phone exchanges with wireline numbers and regional assignments with wireless carriers.)
Originally, businesses and other institutions could set Caller ID via a PBX (corporate phone exchange), which made sense first when companies were managing oodles of internal lines and later when they started using Voice over IP (VoIP). Back in the late 1990s and early 2000s, when I freelanced for the New York Times, I knew I was getting a call from an editor there when Caller ID reported 1 (111) 111-1111, the number the Times spoofed to protect their internal phone numbers. (The Times changed that a decade ago.)
VoIP carriers have long had the broader capability to set a unique phone number for any outgoing call because their calls don’t originate in the plain old telephone system, and carriers had to offer that flexibility to allow Caller ID to work for VoIP calls at all. While hundreds of millions of VoIP-based calls made with correct identification occur every day, spammers also make a reported 100 million-plus illegitimate calls daily. How do you avoid throwing the baby out with the bathwater?
A call may need to make multiple hops across different carrier and third-party networks from the caller to the person answering. STIR and SHAKEN—the latter technically an implementable and broader version of the former—use public-key cryptography to identify which phone numbers are assigned to which originating parts of the phone network. When a call is placed, it has to pass cryptographic tests that are checked at each hop and that can validate that the number identified from Caller ID originated from the right point in the phone system. (For more technical details, see my 2019 Fast Company article on the early stages of STIR/SHAKEN.)
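To make those cryptographic tests concrete, here is an added example (not from this article or from any carrier's code) of the signed token that SHAKEN attaches to a call, using the claim names from RFC 8225 and RFC 8588, and of the checks a receiving network can run against the Caller ID it was handed. The function names, phone numbers, certificate URL, and 60-second freshness window are assumptions, and the public key is passed in directly where a real verifier would fetch the certificate and validate its chain.

```javascript
const crypto = require('node:crypto');

const b64u = (v) => Buffer.from(v).toString('base64url');
const fail = (reason) => ({ verified: false, reason });

// Constructed key pair standing in for the originating carrier's certified key.
const carrier = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Originating side (hypothetical helper): sign the calling number, the called
// number and a timestamp, so none of them can be changed at a later hop.
function signPassport(orig, dest, iat, privateKey) {
  const header = { alg: 'ES256', ppt: 'shaken', typ: 'passport',
                   x5u: 'https://certs.example.invalid/carrier.pem' }; // placeholder URL
  const payload = { attest: 'A', dest: { tn: [dest] }, iat,
                    orig: { tn: orig }, origid: crypto.randomUUID() };
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(payload))}`;
  const sig = crypto.sign('sha256', Buffer.from(input),
                          { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${b64u(sig)}`;
}

// Receiving side (hypothetical helper): the checkmark is earned only if the
// signature is valid AND the signed number equals the Caller ID on the call.
function verifyCall(token, call, publicKey, now, maxAgeSec = 60) {
  const parts = token.split('.');
  if (parts.length !== 3) return fail('malformed token');
  const [h, p, s] = parts;
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString());
    payload = JSON.parse(Buffer.from(p, 'base64url').toString());
  } catch {
    return fail('malformed token');
  }
  if (!header || !payload) return fail('malformed token');
  if (header.alg !== 'ES256' || header.ppt !== 'shaken') return fail('unexpected header');
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`),
                           { key: publicKey, dsaEncoding: 'ieee-p1363' },
                           Buffer.from(s, 'base64url'));
  if (!ok) return fail('bad signature');
  // A captured token must not be reusable on a later call.
  if (Math.abs(now - payload.iat) > maxAgeSec) return fail('stale token');
  if (payload.orig?.tn !== call.from) return fail('caller ID does not match signed number');
  if (!Array.isArray(payload.dest?.tn) || !payload.dest.tn.includes(call.to)) {
    return fail('destination mismatch');
  }
  // Only full attestation ("A") means the carrier vouches for the number itself.
  return { verified: payload.attest === 'A', reason: `attestation ${payload.attest}` };
}

// Demo with constructed numbers from the fictional 555-01xx range.
const demoToken = signPassport('12025550100', '12025550199', 1615800000, carrier.privateKey);
console.log(verifyCall(demoToken, { from: '12025550100', to: '12025550199' },
                       carrier.publicKey, 1615800010));
console.log(verifyCall(demoToken, { from: '12025550123', to: '12025550199' },
                       carrier.publicKey, 1615800010));
```

The second call reuses a valid token but presents a different Caller ID, so it is rejected even though the signature itself checks out.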
While STIR/SHAKEN should allow carriers to block the passage of calls that lie about their originating numbers, questions remain unanswered about other elements of the system. How will it affect calls that aren’t properly tagged? How should carriers and smartphone manufacturers present such calls to the dialing public? Although Apple’s display is tremendously subtle right now, I expect more prominent marking and signaling over time, including adding a verified message to the incoming call screen. Validated Caller ID should eventually help legitimate calls evade blocking techniques that snag the unproven.
How long will this take? We can probably draw a lesson from the Web’s fairly rapid switchover from mostly non-secured HTTP sites to nearly all HTTPS-secured ones. While the transition started slowly, once browser makers decided on schedules, they began to identify sites without HTTPS with increasingly aggressive labeling that warned of the lack of security. That changeover was combined with significantly easier and cheaper systems for creating and managing the necessary security certificates, like Let’s Encrypt. Having both the carrot of easy upgrades and the stick of browser warnings prompted site owners to upgrade their security.
Ultimately, companies and carriers will find their calls dropped or blocked unless they fully embrace STIR/SHAKEN as it’s adopted by mobile phone operating systems and the rest of the phone network. For those who have built businesses on unethical practices, we hope STIR/SHAKEN will spell the end for them. Good riddance, and we look forward to the day when we can once again answer the phone without worrying that we’re being targeted by a scammer.
In Praise of the Knock-Off Nylon Sport Loop
One of the hallmarks of the Apple Watch is its selection of watch bands and the ease with which they can be swapped. I got my original Apple Watch with the silicone Sport Band, and while it fit acceptably, I never loved it. When I upgraded to a Series 2 a few years later, I got it with Apple’s woven nylon buckle band, and it too was just okay. I didn’t dislike either enough to buy another band, particularly at the exorbitant prices Apple charges, which start at $49, jump quickly to $99 and, as of this year, max out at an eye-watering $539 for the Hermès Ébène Barénia Leather Single Tour Deployment Buckle. I suspect each of the accent marks adds $100 to the price.
When Tonya replaced her original Apple Watch with a Series 3, we got it with the then-new nylon Sport Loop, which adjusts perfectly to any size wrist and is less sweaty than the Sport Band during runs. I took it over since Tonya was happy with her Sport Band, and I liked it so much that when the time came to upgrade to the Series 5, I got another Sport Loop (see “Upgrading from an Apple Watch Series 2 to a Series 5,” 20 January 2020). I was a little disappointed to discover that Apple had each year introduced and then discontinued various colors, such that I’d missed out on some I preferred from previous years. I mentioned in that article that I’d seen cheap knock-offs on Amazon, but I never got around to buying any.
The main benefit of the Sport Loop is its infinite adjustability, that is, exact sizing to your wrist. With the Sport Band and woven nylon buckle band, I always had to put up with holes not being in quite the right spot. It’s breathable, is easily rinsed when it gets sweaty, dries quickly, and can’t be knocked out of adjustment once you attach the Velcro-like hook-and-loop fasteners. It may not be as elegant as leather or metal, but Apple has always made it in a variety of attractive colors. The only real downside I’ve discovered is that its hook-and-loop fasteners can lose their grip when you’re swimming if you open and close it when it’s wet. Overall, I’ve been extremely pleased with the Sport Loop bands.
Fast-forward to the present. I recently replaced my 5-year-old Garmin Forerunner 620 with a new Forerunner 645 because the battery on the 620 was starting to fail on longer runs, especially in the cold. The new Forerunner 645 came with a horrible, plasticky-feeling buckle band that was difficult to put on and seemingly impossible to fit correctly. After a minor brainstorm—“Maybe I could get a sport loop band for it?”—and a quick Amazon search, I discovered that for a mere $8.99 (now down to $6.99), I could buy a new Nylon Sport Quick Release band that worked just like Apple’s Sport Loop. That was too cheap to pass up, so I put it in my cart.
Emboldened by my success at such a bargain price, I decided to introduce Tonya to the wonders of the Sport Loop with a pretty purple band for a Valentine’s Day present (hey, it wasn’t a chainsaw!) and match it with a new red one for myself. The knock-offs I linked to in the previous article were no longer available on Amazon, nor was the company in general. I thus couldn’t get away with buying five bands for $25, but I did find a reseller called Ruiboo that sold the bands for $12.99 each. All the bands came a few days later, they were as easy to install as Apple’s versions, and Tonya and I have been using them happily ever since.
I waited too long to write this article, and just six weeks later, Ruiboo has essentially disappeared from Amazon, just like the previous knock-off reseller I had identified. I can find only a couple of resellers on Amazon with similar products now, but they seem rather sketchy, with few or no reviews. I wonder if some of these resellers exist only as long as they have a line on some stock or a connection with a particular contract manufacturer. Or Apple and Amazon are playing whack-a-mole with such companies—perhaps Apple has some intellectual property rights involved.
eBay may be a better source for these watch bands—a search on “nylon sport loop Apple Watch band” turns up over 1200 hits. The top hit is accplus, a vendor that has supposedly sold over 36,000 units and is pricing identical-looking bands at $5.29, currently on sale for $3.29 with a “buy 2, get 1 free” deal. With free shipping. Seriously.
For prices as low as $5 to $10, could these knock-off bands be as good as Apple’s $49 bands? I can speak only to the units I’ve gotten, but the simple answer is yes. The nylon band material feels the same, the parts that attach to the Apple Watch are sized perfectly and work identically, and even the plastic band end has the same squared-off cylinder design. The only difference I can discern is in the color of the little plastic hook pads that you slap down on the band to fasten it. On my old Midnight Blue band from Apple, the pads are a light purple, whereas on Tonya’s new purple band (which turned out to be nearly identical to the Midnight Blue), the pads are black. On my red band, the pads are white. Since you see the pads only when you’re fastening the band, this is the most trivial of differences.
As much as I like the Sport Loop design, once I thought of writing this article, I thought that perhaps I should see if knock-offs of other band styles might be good as well. I’ve long considered Apple’s stainless steel mesh Milanese Loop to be highly elegant, but I could never bring myself to spend $99 on a watch band. As with the Sport Loop, it took no time to find a knock-off reseller that would sell me a faux Milanese Loop for just $9.99. I wore it for a week and generally liked it. However, I’ve now switched back to the knock-off sport loop for everyday wear. I don’t have a genuine Apple Milanese Loop to compare it to, but the knock-off’s magnet wasn’t quite strong enough to resist being loosened if I caught it on clothing or some other object, so I found myself retightening it a few times during the day. It also tended to snag my arm hair on occasion. It wasn’t bad, but I’ll reserve it for dress-up occasions, if those ever become a thing again. I’d provide a link, but that reseller has disappeared from Amazon too. Spooky.
I obviously can’t speak for all knock-off band manufacturers, but I’ve now tried four knock-off bands (including the one for my Forerunner 645) and have been pleased with all of them. All while spending less than a single $49 replacement band from Apple. I’m somewhat surprised this is the case because I’m generally dubious of cheap knock-offs. You often get what you pay for, and maybe the low cost is worth the tradeoffs, or maybe it isn’t. But with these knock-off bands, I simply can’t see enough differences to justify Apple’s stratospheric markups. If a company can make money selling these things for $5, it’s hard to recommend spending ten times that to buy from Apple.