It’s time for another round of security updates for Apple’s active operating systems. Two of the fixed vulnerabilities have been exploited in the wild, so install soon. Also this week, Adam Engst explores the cautionary tale of a Canadian contract dispute that hinged on the interpretation of the thumbs-up emoji. He also looks at the small business payment service Melio, which has simplified the process of paying TidBITS writers. Finally, we have brief bits about Elon Musk renaming Twitter to X and what we did with in-between time before smartphones. Notable Mac app releases this week include GrandPerspective 3.4.1, CleanMyMac X 4.14, Lunar 6.2.1, and Final Cut Pro 10.6.7, Compressor 4.6.5, and Motion 5.6.5.
Apple has once again updated all its active operating systems to address numerous security vulnerabilities, two of which have been exploited in the wild. One of those is the WebKit vulnerability previously discussed in “Rapid Security Responses for iOS/iPadOS 16.5.1 (c) and macOS Ventura 13.4.1 (c)” (13 July 2023), and the other is a kernel vulnerability that Apple says may have been exploited against versions of iOS before iOS 15.7.1. Consider that if you’re still using an iOS device that can’t update to iOS 15.
The number of vulnerabilities ranges from 8 (tvOS) to 29 (macOS), and most are shared by all the operating systems. The details linked below don’t matter much; we advise installing these updates soon so you’re protected.
The affected operating systems include:
- iOS 16.6 and iPadOS 16.6
- iOS 15.7.8 and iPadOS 15.7.8
- macOS Ventura 13.5
- macOS Monterey 12.6.8
- macOS Big Sur 11.7.9
- watchOS 9.6
- tvOS 16.6
- HomePod Software 16.6
The only functional change Apple mentions is the addition of Siri support for Hebrew in Israel to tvOS 16.6.
A picture is said to be worth a thousand words, implying you’d need a thousand words to describe a single image. Emoji are much simpler—maybe just ten words would suffice. But there’s still plenty of room for interpretation within the picture/text exchange rate, as a recent Canadian court case shows.
A grain buyer in Saskatchewan, Canada, texted farmers asking to buy flax at $17 per bushel, and one farmer indicated he could deliver on that. The buyer texted a photo of the contract, as it had done numerous times before, and asked, “Please confirm flax contract.” The farmer replied with a thumbs-up 👍 emoji. But when prices for flax jumped to $41 per bushel and the farmer failed to deliver on the less-lucrative contract, the buyer sued for breach.
The facts of the case aren’t in question; the nut of the issue is whether the farmer’s 👍 response had the legal meaning of “I accept the contract that you just texted me” or merely implied “I’m acknowledging receipt of the contract.” Judge Timothy Keene ruled that the farmer’s 👍 counted as a signature and the farmer had thus breached the contract:
This court readily acknowledges that a 👍 emoji is a non-traditional means to “sign” a document but nevertheless under these circumstances this was a valid way to convey the two purposes of a “signature” – to identify the signator (Chris using his unique cell phone number) and as I have found above – to convey Achter’s acceptance of the flax contract.
This emoji-driven ruling didn’t come out of thin air. The grain buyer’s attorney said in documents filed in the case that the farmer had previously agreed to contract at least four other times in text by replying “looks good”, “ok”, or “yup”.
More generally, the farmer’s lawyer argued that:
…allowing a simple 👍 emoji to signify identity and acceptance would open up the flood gates to allow all sorts of cases coming forward asking for interpretations as to what various different emojis mean – for example what does a 👊 emoji mean or a 🤝 emoji mean, etc.
The judge wasn’t swayed, responding:
This appears to be a sort of public policy argument. I agree that this case is novel (at least in Saskatchewan) but nevertheless this Court cannot (nor should it) attempt to stem the tide of technology and common usage – this appears to be the new reality in Canadian society and courts will have to be ready to meet the new challenges that may arise from the use of emojis and the like.
This story has been making the rounds based primarily on its humor value, often missing the fact that the farmer had laconically agreed to contracts before. But I’ve long been perturbed about the use of emoji in text communications when there’s room for interpretation. It’s one thing to toss in a smiley or frowning face to add emotional color to text, but entirely another to rely on an image to convey something significant. Sometimes a cigar is just a cigar, but an 🍆 isn’t always just an eggplant.
It was in this context that I read about the draft Emoji 15.1 list that contains recommendations for new emoji that will likely become final in September 2023, alongside the release of Unicode 15.1. (Apple would likely integrate them into its operating systems in early 2024.) This batch of emoji is very particular—most are new sequences that combine existing characters. Of the 118 candidates, 108 merely change directionality, so a slew of emoji that currently only face left will now be available facing right as well. That seems uncontroversial, but meaning still rears its ugly head with the proposed Head Shaking Horizontally and Head Shaking Vertically emoji. Emojipedia says:
Designs for the 🙂↔️ Head Shaking Horizontally and 🙂↕️ Head Shaking Vertically may pose some semantic difficulties for emoji designers, given that they can have inverted meanings in different cultures. For example, while a nodding head such as intended to be depicted in the 🙂↕️ Head Shaking Vertically emoji is a positive “yes” in the United States, in Bulgaria it conveys a negative “no” meaning.
There’s no stuffing emoji back into the bottle, though I suspect relatively few TidBITS readers use emoji heavily to stand in for true textual communications, rather than as simple reactions or emotional color. Even if you know what you intend an emoji to mean, there’s no telling how someone else will interpret it. And the next time you’re selling flax, perhaps stick with saying what you mean in actual words until the powers that be develop a Signature emoji.
TidBITS has long paid our writers. That’s easy to say, but when you have to send money to a number of people in varying amounts each month, the mechanics of how the payments actually happen matter.
In the early days, we wrote checks. Or, rather, Tonya did, as part of her CFO duties. Between TidBITS writing and Take Control royalties, we were paying up to 25 people per month. At the time, we relied on MYOB AccountEdge for our accounting, and it made sense for Tonya to handle everything within the app, which could also print checks on our blanks. I still remember her sitting down with the stack of envelopes and a little tube she could use to moisten the glue strips because she hated licking 25 envelopes.
After we sold Take Control to Joe Kissell, the number of people we had to pay each month dropped to just TidBITS writers. Tonya kept writing checks for a while but eventually discovered that the CFCU credit union where we bank allowed her to do direct deposit payments via ACH (Automated Clearing House, a system banks use to transfer funds electronically) using a free service called Popmoney. Its interface was old and ugly, but it did what it promised, and direct deposits made life easier for our writers, who didn’t need to handle physical checks. Plus, before Tonya moved to direct deposits, a check would occasionally go missing or be ignored for a while, and resolving such issues generated even more work for her.
Throughout all this, I was largely and blissfully ignorant of the payment mechanics. However, once Tonya got a job at Cornell and we moved our financial books to Xero (see “Switching to Xero from AccountEdge,” 10 May 2021), she delegated all the regular payroll work to me. That’s when I discovered that Popmoney had an odd limitation of $1000 per day. If we had multiple payments that exceeded $1000, we had to schedule some of them for the future. It wasn’t just the next day—Popmoney wouldn’t let us schedule the additional payments until the first ones had time to clear, usually 3 business days.
I realize this sounds like a first-world problem, but for a while, the Popmoney interface made me guess which date would be open for payments. That was annoying and forced me to pick who would get paid later and alert them separately as to when the money would arrive. The limitation made no sense—these were ACH transfers we were initiating from our account to known people, so it seemed unnecessary for CFCU or Popmoney to protect us from spending too much. I tried to get the limit raised, but CFCU’s support referred me to Popmoney, and then Popmoney said it was a CFCU setting, and I eventually gave up.
My problem was eventually “solved” by CFCU dropping Popmoney entirely, with a vague claim that it would be replaced in the future. (That hasn’t happened yet.) We considered moving to another bank that offered such a service, but that’s more easily said than done, given how many auto-deposits and auto-withdrawals we have.
Instead, we started looking for a third-party service that would allow us to send ACH payments to our writers. They tended to be expensive, such as the case-challenged Bill (compare its lowercase logo to its uppercase text branding), which charges $45 per month. I’m not opposed to paying for such a service, but it wasn’t worth much to prevent me from having to write four or five checks per month.
Then we found Melio, which promises ACH payments for free and has no transaction limits (banks may have their own). Melio makes its money by charging for rush payments, credit card payments, paper checks, and what are essentially payment loans. While those upsell opportunities are always visible in the interface, there’s no problem with using it purely with ACH for free. Note that Melio doesn’t do wire transfers.
Using Melio to pay people is simple after a one-time account setup and configuration step to connect your bank account. First, you create a vendor for each person, which requires a company name and optional contact name, email address, and phone number. The email address may be optional, but it’s necessary if you want Melio to send them email requesting their bank information to set up the ACH connection. You can also import vendors using a simple CSV file that collects the same information.
Everyone I pay regularly said entering the necessary routing and account numbers to receive payments was easy, although they were all in the US. When I looked into paying Kirk McElhearn, who lives in the UK, I found that Melio supports international payments, but that requires getting the recipient’s SWIFT or IBAN number and costs $20 per transaction. (I resorted to PayPal to pay Kirk for a recent article.)
Once you have your vendors set up, you create bills to pay. Because I’m paying only a handful of people a variable amount once per month, that’s most easily done by hand. Melio also lets you upload a PDF invoice or image, then parses it to create a bill, which is quite slick, or you can sync with QuickBooks. A quick search revealed that there’s also a Melio Payments integration with Xero, but reviews suggest it has synchronization problems. I don’t need more integration with Xero than seeing the payment come out of my CFCU checking account, so I haven’t looked into that more.
Creating a manual payment is easy, if a little chatty, with a six-step process that collects small amounts of information at each step.
- Enter the vendor name, amount, payment frequency, and due date. I always choose the next day as the due date, even though I know that won’t be the date the money actually transfers, as you’ll see.
- Specify how you want to fund the payment. Again, funding the payment from your bank account is free; the other options trigger a charge.
- Set when you want the payment to be deducted. Regardless of when you said it should be due, Melio gives you the upsell option of deducting right away for a fee. I always go for the free 3 business days option.
- Enter an optional memo. I’m a sucker for metadata, even though I haven’t noticed any benefit to entering information here.
- Confirm the details of everything you’ve entered so far to ensure you haven’t made a mistake.
- Acknowledge that you’re done.
Melio’s chattiness extends to email, too. Immediately after you schedule a payment, you receive an email confirming it, and once the funds transfer, Melio sends you another message telling you that the payment has been processed successfully. You can turn off different types of notifications.
However, Melio’s notifications and other options would likely be welcome for larger companies. You can add collaborators with admin, accountant, or contributor permissions. Payment approval workflows let organizations decide who needs to approve payments and can even separate them by payment size, so, for instance, the CEO would approve payments over $1000 and the office manager everything smaller.
I’m ignoring the other half of Melio’s feature set, which offers a similarly simple approach to getting paid. You can create customers and invoices, and when you link your bank account, your customers’ payments flow in directly. On this side, too, Melio provides the option for you to get paid earlier in exchange for a 1% transaction fee. I’ve long used Stripe when I’ve needed to generate invoices for occasional consulting or other work, but I might try Melio next time to see if its promise of free ACH transactions pans out or if people prefer to pay using credit cards.
Finally, I’ve focused on the Melio website here, but the free Melio iPhone app appears to provide the same capabilities for creating vendors and making payments (but not getting paid), with the advantage of letting you use the iPhone camera to scan invoices. The app also lets you track what you’ve done, so it might be worth downloading even if you plan to set up most of your payments on a computer.
Other payment services may also offer ACH payments for free, but I have no complaints about Melio that would encourage me to switch. My only slight concern is that I would prefer Melio to offer two-factor authentication for its website in addition to the two-step verification that it employs at account setup. (The iPhone app does allow biometric login using Face ID or Touch ID.) Otherwise, the company’s security stance sounds good.
If you need to make regular payments to contractors, freelancers, or other small businesses, I encourage you to try Melio.