GioCities

blogs by Gio

Tagged: platforms

🔹 Verification on Bluesky

  • Posted in tech

Bluesky has very quickly become a serious social media platform. This means it’s having to deal with all the problems social media platforms have to deal with, including impersonation. A lot of people flocked to Bluesky from Twitter, and so recreating something like Twitter’s verification system seems like a natural step.

But you don’t need to do that! Bluesky’s current verification system is actually very good and does what verification is supposed to do.

In 2022 I wrote a retrospective essay about the “verified account” design pattern on Twitter, which tried to preempt this conversation a little bit, but unfortunately got bogged down a little with Elon breaking Twitter verification. This piece will talk about a lot of the same ideas, but applied more specifically to Bluesky’s ecosystem.

đŸ–± Fake Twitter Accounts

  • Posted in cyber

Remember when Elon Musk was trying to weasel out of overpaying for Twitter? During this very specific May 2022-Jul 2022 period, there was a very artificial discourse manufactured over the problem of “fake accounts” on Twitter.

The reason it was being brought up was very stupid, but the topic stuck with me, because it’s deeply interesting in a way that the conversation at the time never really addressed.

So this is a ramble on it. I think this is all really worth thinking about, just don’t get your hopes up that it’s building to a carefully-constructed conclusion. ;)

Argument is stupid§

First, to be clear, what was actually being argued at the time was exceedingly stupid. I’m not giving that any credit.

After committing to significantly overpay to purchase Twitter with no requirements that they do due diligence (yes, really!) Elon Musk tried to call off the deal.

This was a pretty transparent attempt to get out of the purchase agreement after manipulating the price, and it was correctly and widely reported as such.

Scott Nover, “Inside Elon Musk’s legal strategy for ditching his Twitter deal”

Elon Musk has buyer’s remorse. On April 25, the billionaire Tesla and SpaceX CEO agreed to buy Twitter for $44 billion, but since then the stock market has tanked. Twitter agreed to sell to Musk at $54.20 per share, a 38% premium at the time; today it’s trading around $40.

That’s probably the real reason Musk is spending so much time talking about bots.

I don’t want to get too bogged down in the details of why Elon was using this tactic, but fortunately other people wrote pages and pages about it, so I don’t have to.

🎼 Notes on the VRC Creator Economy

  • Posted in gaming

My friend Floober brought some recent changes VRChat is making in chat, and I thought I’d jot down my thoughts.

The problem with the VRC economy is the same problem as with most “platform economies”: everyone is buying lots in a company town.

The Store§

This was the precipitating announcement: VRChat releasing a beta for an in-game real-money store.

Paid Subscriptions: Now in Open Beta! — VRChat Over the last few years, we’ve talked about introducing something we’ve called the “Creator Economy,” and we’re finally ready to reveal what the first step of that effort is going to look like: Paid Subscriptions!

As it stands now, creators within VRChat have to jump through a series of complicated, frustrating hoops if they want to make money from their creations. For creators, this means having to set up a veritable Rube Goldberg machine, often requiring multiple external platforms and a lot of jank. For supporters, it means having to sign up for those same platforms
 and then hope that the creator you’re trying to support set everything up correctly.

(The problem, of course, is that “frustrating jank” was designed by VRChat, and their “solution” is rentiering.)

Currently, the only thing to purchase is nebulous “subscriptions” that would map to different world or avatar features depending on the content. But more importantly, this creates a virtual in-game currency, and opens the door to future transaction opportunities. I’m especially thinking of something like an avatar store.

I quit playing VRChat two years ago, when they started to crack down on client-side modifications (which are good) by force-installing malware (which is bad) on players’ computers. Since then I’ve actually had a draft sitting somewhere about software architecture in general, and how you to evaluate whether it’s safe or a trap. And, how just by looking at the way VRChat is designed, you can tell it’s a trap they’re trying to spring on people.

The Store of Tomorrow§

Currently, the VRC Creator Economy is just a currency store and a developer api. Prior to this, there was no way for mapmakers to “charge users” for individual features; code is sandboxed, and you only know what VRC tells you, so you can’t just check against Patreon from within the game1.

But the real jackpot for VRC is an avatar store. Currently, the real VRC economy works by creators creating avatars, maps, and other assets in the (mostly-)interchangeable Unity format, and then selling those to people. Most commonly this is seen in selling avatars, avatar templates, or custom commissioned avatars. Users buy these assets peer-to-peer.

This is the crucial point: individuals cannot get any content in the game without going through VRC. When you play VRChat, all content is streamed from VRChat’s servers anonymously by the proprietary client. There are no URLs, no files, no addressable content of any kind. (In fact, in the edge cases where avatars are discretely stored in files, in the cache, users get angry because of theft!) VRChat isn’t a layer over an open protocol, it’s its own closed system. Even with platforms like Twitter, at least there are files somewhere. But VRChat attacks the entire concept of files, structurally. The user knows nothing and trusts the server, end of story.

đŸ–± Reddit: Your API *IS* Your Product

  • Posted in cyber

Reddit is going the same route as Twitter by making “API access” prohibitively expensive. This is something they very famously, very vocally said they would not do, but they’re doing it anyway. This is very bad for Reddit, but what’s worse is it’s becoming clear that companies think that this is a remotely reasonable thing to do, when it’s very critically not.

It’s the same problem we see with Twitter and other late-capitalist hell websites: Reddit’s product is the service it provides, which is its API. The ability for users to interact with the service isn’t an auxiliary premium extra, it’s the whole caboodle!

I’ll talk about first principles first, and then get into what’s been going on with Reddit and Apollo. The Apollo drama is very useful in that it directly converts the corporate bullshit that sounds technical enough to make sense into something very easy to understand: a corporation hurting them, today, for money.

The API is the product§

Reddit and all these other companies who are making user-level API access prohibitively expensive have forgotten that the API is the product. - The API is the interface that lets you perform operations on the site. The operations a user can do are the product, they’re not auxiliary to it!

“Application programming interface” is a very formal, internal-sounding term for a system that is none of those things. The word “programming” in the middle comes from an age where using a personal computer at all was considered “programming” it.

What an API really is a high-level interface to the web application that is Reddit. Every action a user can take — viewing posts, posting, voting, commenting — goes from the app (which interfaces with the user) to the API (which interfaces with the Reddit server), gets processed by the server using whatever-they-use-it-doesn’t-matter, and the response is sent back to the user.

The API isn’t a god mode and it doesn’t provide any super-powers. It doesn’t let you do anything you can’t do as a user, as clearly evidenced by the fact that all the actions you do on the Reddit website go through the API too.

The Reddit website, the official Reddit app, and the Apollo app all interface with the user in different ways and on different platforms, but go through the same API to interact with what we understand as “Reddit”. The fact that the API is the machine interface without the human interface should also concisely explain why “API access” is all Apollo needs to build its own app.

Right now, you can view the announcement thread at https://www.reddit.com/r/apolloapp/comments/144f6xm/apollo_will_close_down_on_june_30th_reddits/, and you can view the “API” data for the same thread at https://www.reddit.com/r/apolloapp/comments/144f6xm/apollo_will_close_down_on_june_30th_reddits.json. It’s not very fun to look at, but it’s easy to tell what you’re looking at: the fundamental representation of the page without all the trappings of the interface.

Public APIs are good for both the user and the company. They’re a vastly more efficient way for people to interact with the service than by automating interaction (or “scraping”). Having an API cuts out an entire layer of expense that, without an API, Reddit would pay for.

The Reddit service is the application, and you interface with it through WHATEVER. Whatever browser you want, whatever browser extensions you want, whatever model phone you want, whatever app you want. This is fundamentally necessary for operability and accessibility.

The API is the service. The mechanical ability to post and view and organize is what makes Reddit valuable, not its frontend. Their app actually takes the core service offering and makes it less attractive to users, which is why they were willing to pay money for an alternative!

⚖ Netflix's Big Double-Dip

Netflix is finally turning the screws on multi-user accounts. That “finally” is exasperation in my voice, not relief. Netflix is demanding you pay them an extra surcharge to share your account with remote people, and even then caps you at paying for a maximum of two. It’s been threatening to do something like this for a long, long time:

Since 2011, when the recording industry started pushing through legal frameworks to criminalize multi-user account use by miscategorizing “entertainment subscription services” as equivalent to public services like mail, water, and electricity for the purposes of criminal prosecution,

Since similar nonsense in 2016 exploiting the monumentally terrible Computer Fraud and Abuse Act,

Since 2019, when Netflix announced (to its shareholders) that it was looking for ways to limit password sharing,

Since 2021, when Netflix started tracking individual users by location and device within a paying account,

Since 2022, when it started banning group use in Portugal, Spain, and New Zealand, to disastrous consequence. Also, Canada, but temporarily. And, of course, then threatened to “crack down” on “password sharing” in “Early 2023”,

Since January, when it threatened to roll out “paid password sharing” in the “coming months”,

Since February, when it released a disastrous policy banning password sharing, then lied about the policy being an error and made a big show of retracting it due to the massive backlash, but then went ahead and did it in Canada anyway,

And finally now since just now, as it’s finally, really, for-realsies banning password sharing this quarter.

Netflix threatening this for so long was a mistake on its part, because that’s given me a long, long time for these thoughts to slowly brew in the back of my head. And there’s a lot wrong here.

the teat one this is a real graphic Netflix made!

Netflix’s pricing model§

So, first, what are multi-user accounts in the first place, and how does “password sharing” relate to that?

đŸ–± Lies, Damned Lies, and Subscriptions

  • Posted in cyber

Everybody hates paying subscription fees. At this point most of us have figured out that recurring fees are miserable. Worse, they usually seem unfair and exploitative. We’re right about that much, but it’s worth sitting down and thinking through the details, because understanding the exceptions teaches us what the problem really is. And it isn’t just “paying people money means less money for me”; the problem is fundamental to what “payment” even is, and vitally important to understand.

woah! that’s a big one

Human Agency: Why Property is Good§

or, “Gio is not a marxist, or if he is he’s a very bad one”

First: individual autonomy — our agency, our independence, and our right to make our own choices about our own lives — is threatened by the current digital ecosystem. Our tools are powered by software, controlled by software, and inseparable from their software, and so the companies that control that software have a degree of control over us proportional to how much of our lives relies on software. That’s an ever-increasing share.

đŸ–± The Failure of Account Verification

  • Posted in cyber

The “blue check” — a silly colloquialism for an icon that’s not actually blue for the at least 50% of users using dark mode — has become a core aspect of the Twitter experience. It’s caught on other places too; YouTube and Twitch have both borrowed elements from it. It seems like it should be simple. It’s a binary badge; some users have it and others don’t. And the users who have it are designated as
 something.

In reality the whole system is massively confused. The first problem is that “something”: it’s fundamentally unclear what the significance of verification is. What does it mean? What are the criteria for getting it? It’s totally opaque who actually makes the decision and what that process looks like. And what does “the algorithm” think about it; what effects does it actually have on your account’s discoverability?

This mess is due to a number of fundamental issues, but the biggest one is Twitter’s overloading the symbol with many conflicting meanings, resulting in a complete failure to convey anything useful.

xkcd twitter_verification

History of twitter verification§

Twitter first introduced verification in 2009, when baseball man Tony La Russa sued Twitter for letting someone set up a parody account using his name. It was a frivolous lawsuit by a frivolous man who has since decided he’s happy using Twitter to market himself, but Twitter used the attention to announce their own approach to combating impersonation on Twitter: verified accounts.

⚖ people who know more than me talk about Epic acquiring Bandcamp

March 2, 2022: Bandcamp puts out a press release about their “joining” Epic Games. This follows in a line of eerily similar acquisitions of companies catering to indies, namely Sketchfab and ArtStation.

There are lots of interesting topics intersecting here:

  • Venture capital and the associated perverse incentives
  • Antitrust and general issues with corporate consolidations
  • The takeover of existing institutions, especially technical infrastructure
  • The false narrative of corporations as indie and non-corporate
  • Epic vs Apple and problems of platform monopoly
  • Bandcamp’s correct but rare approach to piracy, which is endangered

I’ll talk more about those some day, don’t worry. For now, though, have some tweets.

đŸ–± Ethical Source is a Crock of Hot Garbage

  • Posted in cyber

There’s this popular description of someone “having brain worms”. It invokes the idea of having your mind so thoroughly infested with an idea to the point of disease. As with the host of an infestation, such a mind is poor-to-worthless at any activity other than sustaining and spreading the parasite.

A “persistent delusion or obsession”. You know, like when you think in terms of legality so much you can’t even make ethical evaluations anymore, or when you like cops so much you stop being able to think about statistics, or the silicon valley startup people who try to solve social problems with bad technology, or the bitcoin people who responded to the crisis in Afghanistan by saying they should just adopt bitcoin. “Bad, dumb things”. You get the idea.

And, well.

Okay, so let’s back way up here, because this is just the tip of the iceberg of a story that needs years of context. I’ll start with the most recent event here, the Mastodon tweet.

The Mastodon Context§

The “he” Mastodon is referring to is ex-president-turned-insurrectionist Donald Trump, who, because his fellow-insurrectionist friends and fans are subject to basic moderation policies on most of the internet, decided to start his own social network, “Truth Social”. In contrast to platforms moderated by the “tyranny of big tech”, Truth Social would have principles of Free Speech, like “don’t read the site”, “don’t link to the site”, “don’t criticise the site”, “don’t use all-caps”, and “don’t disparage the site or us”. There are a lot of problems here already, but because everything Trump does is terrible and nobody who likes him can create anything worthwhile, instead of actually making a social networking platform, they just stole Mastodon wholesale.

Mastodon is an open-source alternative social networking platform. It’s licensed under an open license (the AGPLv3), so you are allowed to clone it and even rebrand it for your own purposes as was done here. What you absolutely are not allowed to do is claim the codebase is your own proprietary work, deliberately obscure the changes you made to the codebase, or make any part of the AGPL-licensed codebase (including your modifications) unavailable to the public. All of which Truth Social does.

So that’s the scandal. And so here’s Mastodon poking some fun at that.

🔹 The Joy of RSS

  • Posted in tech

During the years when Homestuck updated regularly, I usually had some sort of update notifier that pinged me when a new page was posted. But since Homestuck usually updated daily, I ended up just keeping a tab open and refreshing it. And that’s pretty much how I kept up with other serial media on the internet, for years. A writing blog that posts regular updates? Keep a dedicated tab open and refresh it occasionally. Comic? Tab. To this day, I have a “serial” browser window that’s just tabs of sites I check regularly. (Or imagine I might want to check regularly, at least.)

a lot of tabs please don’t tell anyone how I live

Of course, this is terrible. The biggest problem is browser tabs are expensive. If you have a tab open, that takes up a dedicated chunk of memory, even when you’re not reading anything. CPU too, probably, if the site has JavaScript running on it (which is to say, is either decades out of date, or this one). Not to mention the clutter.

Unfortunately, dedicated browser tabs fit specific use case of keeping up with serial media well. Social media feeds — all of them, Twitter, Facebook, Tumblr, Reddit, YouTube — are explicitly “media aggregators”, services that combine multiple media sources into one feed. This is no good for serial media. If you’re following multiple sources, they likely update on different schedules, and updates from the more active ones will bury updates from those slower. Even email updates have this problem. No, you need a dedicated space for each source (but not each update), which a dedicated browser tab will get you.

There is a good system for this, though: RSS.

RSS (Really Simple Syndication) is a fantastic technology that has fallen out of favour in the mainstream lately. It works like this: the media source puts up a small file somewhere that notes the dates, titles, and (optionally) content of posts. And that’s it. There’s no API, it’s just a file people can read if they want. It’s like traditional syndication, but instead of selling articles to multiple distributors (as with syndicated cartoons), you’re distributing articles to many consumers directly.

đŸ–± YouTube broke links and other life lessons

  • Posted in cyber

This morning YouTube sent out an announcement that, in one month, they’re going to break all the links to all unlisted videos posted prior to 2017. This is a bad thing. There’s a whole lot bad here, actually.

Edit: Looks like Google is applying similar changes to Google Drive, too, meaning this doesn’t just apply to videos, but to any publicly shared file link using Google Drive. As of next month, every public Google Drive link will stop working unless the files are individually exempted from the new security updates, meaning any unmaintained public files will become permanently inaccessible. Everything in this article still applies, the situation is just much worse than I thought.

The Basics§

YouTube has three kinds of videos: Public, Unlisted, and Private. Public videos are the standard videos that show up in searches. Private videos are protected, and can only be seen by specific YouTube accounts you explicitly invite. Unlisted videos are simply unlisted: anyone with the link can view, but the video doesn’t turn up automatically in search results.

Unlisted videos are obviously great, for a lot of reasons. You can just upload videos to YouTube and share them with relevant communities — embed them on your pages, maybe — without worrying about all the baggage of YouTube as a Platform.

What Google is trying to do here is roll out improvements they made to the unlisted URL generation system to make it harder for bots and scrapers to index videos people meant to be semi-private. This is a good thing. The way they’re doing it breaks every link to the vast majority of unlisted videos, including shared links and webpage embeds. This is a tremendously bad thing. I am not the first to notice this.

See, I just kind of sighed when I saw this, because this isn’t the first time I’ve lived through it. On March 15, 2017, Dropbox killed their public folder. Prior to that, Dropbox had a service where you could upload files to a special “Public” folder. This let you easily share links to those files with anyone — or groups of people — without having to explicitly invite them by email, and make them register a Dropbox account. Sound familiar?

đŸ–± Twitter Blue is a late-stage symptom

  • Posted in cyber

Twitter Blue! $5/mo for Premium Twitter. It’s the latest thing that simply everyone.

News articles about twitter blue

I have an issue with it, but over a very fundamental point, and one Twitter shares with a lot of other platforms. So here’s why it’s bad that Twitter decided to put accessibility features behind a paywall, and it isn’t the obvious.

Client/Server architecture in 5 seconds§

All web services, Twitter included, aren’t just one big magic thing. You can model how web apps work as two broad categories: the client and the server. The client handles all your input and output: posts you make, posts you see, things you can do. The server handles most of the real logic: what information gets sent to the client, how posts are stored, who is allowed to log in as what accounts, etc.

📣 Trouble a-brewin' at Redbubble

  • Posted in fandom

Homestuck is once again lit up over fan merch. Homestuck and fan merch have a long and troubled history, but this latest incident is between artists, Redbubble, and Viz media. Here are my thoughts on that!

In late May 2021, artists who sold Homestuck merch on Redbubble got this email:

Dear [name],

Thank you for submitting your fan art for Homestuck and/or Hiveswap as part of Redbubble’s Fan Art Partner Program.

At this time, our partnership with the rights holder VIZ Media has come to an end. When a partnership expires, we are required to remove officially approved artworks from the marketplace. This means that your Homestuck and/or Hiveswap designs will be removed from Redbubble soon.

Here are a couple of things to keep in mind:

  • It is important to know that licensors do not allow previously approved designs once sold on Redbubble to be sold on any other platform, even after the program ends.
  • Because this removal is not in response to a complaint, your account will not be negatively impacted.

Partnerships come and go, but don’t worry. We’re looking forward to partnering with more awesome brands in the future.

Check out our Current Brand Partnerships list to see all the properties that are actively accepting submissions. For additional information, we recommend checking out the Fan Art Partner Program FAQ.

Thank you, Redbubble

This hit a lot of people, and hit them hard:

Rut-roh!

Unfortunately for Twitter and brevity this is actually the intersection of a couple different complicated issues, which I’ll try to summarize here.

Just gonna get this one out of the way right off the bat. Copyright law gives IP owners a tremendous amount of power over what’s done with their characters and designs, even extending far into derivative fanart. If you own Homestuck, you actually can take someone to court over selling merch of their fantroll, and probably win. That’s not a great starting point, but it’s the truth.

Eevee has a great write-up of why this is bad. I’d also point you to Tom Scott’s video about how copyright law isn’t designed for intermediate platforms like Redbubble, but suffice it to say, yeah, copyright law really sucks for fanartists, actually.

This is the most complex thing going on here, certainly, but it’s not new and interesting. What is new and interesting, though, is

Redbubble forcing predatory licensing on people§

Now, copyright law sucks for fanartists, but that doesn’t explain what happened here.