Diatribes of Jay

This blog has essays on public policy. It shuns ideology and applies facts, logic and math to social problems. It has a subject-matter index, a list of recent posts, and permalinks at the ends of posts. Comments are moderated and may take time to appear.

07 January 2019

Mac Browser Wars: A Letter from the Front Lines



(Nerd alert: This is one of my occasional essays on the computer industry. It gets down into the weeds. But once in a while it’s nice to think of something besides the vomit that spews daily from our president’s mouth.)

One of the saddest fates of computer users is becoming “collateral damage” in a war among big companies for desktop “turf” and market share. When the big boys go at it, even the experts take cover. Users like me—with over half a century’s experience in computers and software, including occasional programming—are mostly SOL. They either knuckle under, suffer terminal annoyance and gross waste of time and effort, or move on from the big boys to smaller, weaker firms that still care about their customers. But in an industry utterly dominated by the so-called “Big Five”—Amazon, Apple, Facebook, Google and Microsoft—where can they really turn?

The problem is easy to state but hard to resolve. There is no end to the little tricks that a software platform’s programmers can play on a rival firm whose software uses the platform, and on that firm’s customers. The tricks can make it inconvenient, annoying or time consuming to use the rival’s product on the platform, even if it mostly works better than the platform purveyor’s own similar product.

Blame is not always easy to assign because the “tricks” can occur both by omission and commission. The rival’s product may have some genuine idiosyncrasies that the platform could easily accommodate but doesn’t. The platform’s programmers may say, in effect, “let them accommodate to us,” while making accommodation difficult or neglecting to make it easy. Or they may deliberately change the platform (sometimes continuously) in ways that they know, or should know, will cause users of the rival product trouble. “Let our competitor’s users eat cake,” they seem to say.

This sort of thing is becoming increasingly common with Apple. Unlike Google, with its transparent Android operating system, Apple holds its OS X operating system pretty close to its vest. For almost two decades, OS X has been the premier vehicle for consumers, i.e., teachers, artists, ordinary people, and anyone who is not a computer-industry professional. OS X and its stripped-down version for mobile devices have elevated Apple, for a short time, to the heights of human history’s most valuable public company, worth over a trillion dollars.

In contrast to Google’s “open” Android platform, OS X and its mobile counterparts are a “closed garden.” Apps on them have to be vetted and accepted by Apple’s closed store to gain any purchase at all. There’s an obvious rationale for this approach: controlling everything that interfaces with the OS allows Apple to monitor and control the quality of its devices and how they work. Yet things get dicier when the “app” is not just a narrow, specialized product, but part of the computer industry’s basic infrastructure. Then Apple’s closed garden can have unfortunate and even appalling effects on users.

Older examples involve Adobe’s Flash (video) Player and Reader of the Portable Document Format (PDF). For a time, the late Steve Jobs tried to avoid “entanglement” with these rival products, though they even then dominated huge chunks of the computer industry’s infrastructure. The result was very unhappy customers and something of a users’ rebellion. After Jobs’ demise, Apple CEO Tim Cook seems to have taken a more accommodative approach. This essay discusses an even more difficult case: Apple’s apparent recalcitrance in accommodating a gigantic rival from the “Big Five,” namely, Google (Alphabet), with its Chrome web-browser and related cloud services.

We start with two basic facts. First, a web browser is an essential part of any modern, general-purpose computer, as well as most tablets and smart phones. Without it, no device can surf the Web, view or download news or information, or download additional software or “apps” to make it do more. Second, Chrome already has won the browser wars, at least insofar as Apple’s rival product Safari is concerned. As the following table shows, Chrome and Firefox (an independent product) are duking it out for leadership. Apple’s rival browser Safari is today no more than an also-ran.

Leading Browsers’ Market Shares

| Browser | Typical Daily Share on My Blog | Statista Market Share, August 2018 |
|---|---|---|
| Chrome | 38% | 68% |
| Firefox | 31% | 11% |
| Internet Explorer | 22% | 7% |
| Safari | 7% | 5% |

I discovered this second fact purely by accident. I love tabbed browsing. As I go through my daily e-mail newsletters, I seldom have time to read every post of interest. So I open many posts in separate tabs for reading later—often as many as twenty or thirty per window. And as the days or weeks run on, and as I inevitably fail to drink fully from the firehose of daily information, I can have as many as five or ten open windows with as many as thirty open tabs each. That’s up to 300 open tabs.

As websites began to get more complex and intrusive, with self-starting audio and video clips, my Apple computers (a 2011 MacBook Air laptop and a late-2012 Mac mini) began to bog down. At random intervals and sometimes for minutes, their cooling fans would run hard and their reactions would drop to the speed of molasses in winter.

After months of suffering this, I downloaded Google’s Chrome browser, which had a reputation for speed, reliability and security. (We’ll get to the security soon.) The switch was well worth the effort. Apparently, Chrome’s separate tabs are more independent than Safari’s and run less in the background, so they rob fewer CPU cycles when not activated. I noticed an immediate improvement in the speed and stability of my browser’s operation with many tabs open. I also noticed an increase in the number of tabs I could keep open before my computers bogged down.

But then the annoyances began. Multiple times per hour, a popup window would flash in my face, right in the center of my screen, asking for permission to load and use some obscure program or routine with a name like “ksfetch,” “ksinstall,” “GoogleChromeUpdater” or “ChromeHelper.”

The reasons why these screens pop up get down into the weeds. But they’re important because: (1) they relate to online security and (2) they illustrate how a platform, by both sins of omission and sins of commission, can make users’ lives miserable when they prefer rivals’ products. (To see just how miserable, search for “ksfetch” and see how many hits you get. A prominent one—an extended forum discussion—bears the title “ksfetch Nightmare.”) So please bear with me.

Since before abandoning Microsoft’s Windows forever in 2003, I have never done day-to-day work on any of my computers under an administrative user account. I always use a restricted account that can load or run no software without special permission, except programs I specify in advance. (Apple’s OS X files these restrictions under “parental controls.”) I always deny permission for things like “Terminal,” “Console” and “Script Editor,” which expose the operating system’s command line.

Of course any security precaution can be circumvented. But in theory this strategy gives me control over what executable software can run under my restricted user account—the one I use for routine work. When I first set up that account, I read carefully through the list of programs that come with the computer and check off permission only for those I know I will use. I revisit the list occasionally to add new programs or remove those I haven’t in fact used.

Apple’s popup requests for permission are supposed to be a useful feature. Whether you need an excluded program just once or just didn’t think its exclusion through in the first place, a popup lets you grant permission for its use without having to switch to your administrative account and run through the permissions list yet again.

But there are two “gotchas.” First, you have to restart the computer before each new permission takes effect; if you don’t, the popups keep appearing at random intervals. (This “gotcha” appears to apply only to recent OS X upgrades. It took me literally months to figure it out by trial and error. Apple’s popups don’t warn you of this requirement; its screens only warned me of it when I was installing an OS X upgrade after wiping my laptop’s main drive.) Second, in the case of Chrome, all the popup requests for permission involved auxiliary or “helper” programs that don’t appear in Apple’s lists of programs or utilities under “parental controls.”

So there’s no way, even in theory, you could permit these programs’ use in advance, on setting up your restricted account, even if you knew about them beforehand. And since you don’t know about them in advance, unless you program for Google, the only way to permit all of them is to wait for all four or five popup requests for permission to appear randomly on your screen, grant the programs permission one by one, and restart the computer each time. What an incredible nuisance, let alone from a firm renowned for its “intuitive” software!

Apparently Chrome uses these helper programs to do its automatic updating. And therein lies another wonky tale of security.

If you search for solutions to this popup problem on the Web, you will find many sets of more or less clear instructions for killing the program calls that produce the popups, i.e., killing Google Chrome’s automatic self-updating process. You can kill it entirely or just slow it down so, for example, it only starts automatically once a day. This post has one of the clearest explanations of methods for doing both, neither of which I have tested.

But why would you want to kill your browser’s automatic self-updating process? As far as I can tell, Chrome’s self-updating is a crucial security feature. Turn it off or slow it down, and you may become vulnerable to malware.
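For anyone who has already followed such instructions, or who looks after a Mac where someone else may have, here is a small audit script. It is an added example, not code from this post or from Google. It assumes the updater's interval is stored in seconds under the `com.google.Keystone.Agent` preference domain, key `checkInterval`, that 0 turns checking off, and that 18000 is the stock value; none of those names or numbers come from this essay.

```shell
#!/bin/sh
# Added example: audit the Chrome updater's check interval on macOS.
# Assumptions (not from the essay): preference domain com.google.Keystone.Agent,
# key checkInterval, value in seconds, 0 = automatic checks disabled.

BASELINE_SECONDS=18000   # assumed stock interval (5 hours)

# classify_interval VALUE -> prints default | disabled | slowed | ok | invalid
classify_interval() {
    case "$1" in
        "")       echo "default" ;;   # key never written: updater default applies
        *[!0-9]*) echo "invalid" ;;   # anything other than a non-negative integer
        *)
            if [ "$1" -eq 0 ]; then
                echo "disabled"       # update checks switched off entirely
            elif [ "$1" -gt "$BASELINE_SECONDS" ]; then
                echo "slowed"         # e.g. 86400 = the "once a day" setting
            else
                echo "ok"
            fi ;;
    esac
}

# read_interval -> prints the configured value, or nothing if unset.
# On systems without the macOS `defaults` tool it prints nothing.
read_interval() {
    command -v defaults >/dev/null 2>&1 || return 0
    defaults read com.google.Keystone.Agent checkInterval 2>/dev/null || true
}

# audit_chrome_updates -> prints a one-line summary; returns 1 if the
# interval has been disabled, lengthened, or set to an unreadable value.
audit_chrome_updates() {
    value=$(read_interval)
    state=$(classify_interval "$value")
    echo "checkInterval=${value:-unset} state=$state"
    case "$state" in
        disabled|slowed|invalid) return 1 ;;
        *) return 0 ;;
    esac
}

# Run the audit for the current user account.
audit_chrome_updates || echo "Chrome update checks are not at the baseline." >&2
```

Run it under the account that uses Chrome, since the preference is read per user.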

To see why, let’s analyze the three main aspects of browser security: (1) control of executables, (2) control of Javascript, and (3) tab siloing. As far as I can tell, Safari and Chrome do each of these three tasks in different ways.

If you run Safari under an administrative account, Katie bar the door! There is no restraint on what downloaded executables can run. They could include all sorts of malware. Your only defense is a generic popup that warns you that a program has been downloaded from the Internet and asks your permission to run it.

Chrome running under OS X appears to work the same way: the warning popups come from OS X just the same. If you run Safari under a restricted user account, as I do, a popup will warn you that a program lacks permission and ask you to grant it using an administrative account. In every case you have control, but an administrative account may bore you with so many requests for permission for things you deliberately downloaded that you may get sloppy and inadvertently grant permission for something you didn’t.

Control of Javascript works differently in Safari and Chrome. Safari only lets you control Javascript globally (under Preferences: Security). You can turn it on or off for everything, but not website by website. Chrome lets you do the same (under Settings: Advanced: Privacy and Security: Content Settings). But if you block Javascript generally, it lets you add websites, one by one (by URL) for which you permit it. Furthermore, when denying Javascript makes mush of a Website, as it usually does, Chrome will warn you with a little red-starred white star at the right of the URL field. By clicking on the white star, you can enable Javascript for that Website alone, without going into the bowels of settings. This makes it much easier to add permission site by site as needed.

The differences between Safari and Chrome in tab siloing are less transparent, but they appear to be significant. Modern versions of Safari claim to have siloed tabs, but their operation only partially verifies that claim. If tabs were truly siloed, having a hundred of them open wouldn’t, in theory, slow down the computer and get the cooling fan racing. In contrast, Google claims that Chrome’s tabs are so strongly siloed that a virus or malware in one tab won’t affect the rest. It’s hard to verify that claim without extensive testing, but the general appearance and handling of tabs in the two browsers does suggest that siloing is more robust in Chrome.

So both Safari and Chrome have reasonable, if not especially convenient, protection against random downloaded executables running, at least when running under OS X. Where they differ is in Chrome’s detailed site-by-site permitting for Javascript, and Chrome’s apparently stronger siloing of tabs.

While permitting Javascript (or not!) for every website is something of a chore, it’s probably more reliable than knowing when (and remembering!) to turn Javascript off globally for suspect websites and then turning it on again globally after visiting them. Since online malefactors have no way of knowing in advance what operating system your device is running, and since virtually every website uses Javascript, Javascript is the key to your inner sanctum that most malefactors will use. Since detailed blocking is easier under Chrome, I give it the nod on that point.

As for siloing, it all depends on the browser’s detailed programming, doesn’t it? With Chrome now in the market-share lead, it’s in the same position as Windows for malware: the biggest target. Although doing so is a real nuisance, you can control Javascript in Safari by turning it off globally for any suspect website and remembering to turn it on again globally for the rest. But there is no way you can make up for any deficiencies of siloing in Safari as compared to Chrome; you’d have to reprogram it.

So strong siloing is Chrome’s best comparative advantage in security over Safari. But because Chrome is the Windows of browsers, it’s under constant threat of attack. Then do you really want to turn off or slow down Google’s automatic security updates? I sure don’t.

So now we get back to the main point of this essay: the tricks that platforms and products can play on each other. Who’s responsible for making it such a grand pain in the ass to allow Chrome’s automatic updating on OS X? Apple could make it easier by: (1) putting all the names of Chrome’s helper programs in its list of programs and utilities under “parental controls;” (2) permitting them all under the single heading of “Google Chrome Automatic Updating” in those lists; and (3) simply rewriting the permissions popups so you didn’t have to restart the whole computer after each one. Google could make it easier, if Apple’s OS X allowed, by consolidating all the helper programs under a single heading or under the main Chrome program itself. Then there would be only a single, blanket permission, and you’d have to restart the computer only once.

Apple is probably more at fault here, most likely for requiring certain sensitive operations like automatic updating to be spread over several specialized parts of its operating system files. If so, then isn’t Apple also at fault, by a sin of omission if nothing else, for making automatic updating of Chrome on OS X such a pain in the ass?

This is not just an idle question of computer-industry morality or customer friendliness. It’s also a legal question. For mobile devices, Google’s Android operating system is a fierce competitor to Apple’s OS. But for computers, Google is barely in the game, notwithstanding its putting a toe in the water with its Pixelbook (which I now own) as a rival to Mac laptops. Apple probably has dominance, if not a monopoly, in the market for operating systems for consumer computers, as distinguished from those used by enterprises. And as anyone who’s ever tried to make a complex airline reservation or compose a complex document on a mobile device knows, you don’t send one of them to do a computer’s job.

It would, of course, take far more evidence than this informed speculation to prove a case of tying by exclusion, attempting to monopolize or monopolization against Apple on these facts. The European offense of “abuse of dominant position” seems more apt.

But an open question of law and policy remains. Do giants with monopoly or near-monopoly positions have legal liability when they try to take unfair advantage of each other, in the process doing harm to consumers?

Antitrust law in the United States has a history of gross negligence in addressing the software industry. A clueless private “superlawyer” went for the gold against Microsoft (a breakup on grounds of monopolization) and lost it badly, while neglecting a good claim against Microsoft that was almost a sure winner: tying its own browser to its monopoly OS, thereby crushing Netscape, the very inventor of web browsing. (I discuss this negligence at length in my treatise on licensing in a chapter abstracted here.) The EU Commission did better in bringing and winning a tying case and imposing a huge fine on similar grounds.

Of course Facebook’s (mostly inadvertent) subversion of democracy is much more important, both politically and practically. But the centrality of network effects in computers, mobile devices and software portends that everything the Big Five do will be writ large. So will the pain they needlessly cause consumers, as indicated by the many complaints about the “ksfetch Nightmare.”

Do we want to have some legal standards to protect customers against needless hassle, frustration, inefficiency and waste of time? Or do we want to leave everything to the law of the marketplace, which often seems like the law of the jungle to people who have to cope with products and systems designed more for competitive advantage than ease of use? These questions, too, deserve answers, lest the vast mass of Internet users worldwide become nothing more than digital serfs erecting their pitiful huts around the Big Five’s Internet moats.

Footnote 1: I have no idea why my blog’s shares differ so dramatically from Statista’s. Perhaps my blog’s visitors are top-heavy in the international category, which has yet to fully embrace Google Chrome. But my blog and Statista both agree on one thing: Safari’s market share is practically down in the noise.

Footnote 2: The number of posts and comments, many on Apple user forums, suggesting that users shut off or reduce Chrome’s automatic self-updating is notable. Do they reflect a subtle wish for Chrome to fail, due to some unforeseen but massive security breach caused by many users having disabled automatic security updates just to keep those pesky popups away? Or am I too cynical?

Whatever the answers to those questions, the whole experience has induced me to buy a Google Pixelbook and learn how to use it, as a possible prelude to jettisoning OS X, just as I jettisoned Windows in 2003, for cause.
